A model for adversarial attacks on cross-site script execution detection systems

Alexey Gusarov

Abstract


This article discusses the topic of attacks that exploit cross-site scripting vulnerabilities, which are one of the main threats to web security. The article presents a classification of this attack and describes the different variants of the attack vector. An example of attack execution is given. It also analyzes the increasing use of machine/deep learning techniques to detect cross-site scripting attacks and the vulnerability of this technique to adversarial attacks. The paper is a useful resource for developers who are interested in the security of cross-site scripting detection systems based on machine/deep learning. It provides a description of a model for applying an evasion attack to such systems, based on the reinforcement learning paradigm. The paper proposes various options for fitting the parameters described by the model, such as a modification selection algorithm or the modifications themselves of the original attack code. By using the implementation of such a model, it is possible to test existing cross-site scripting detection systems as well as gain additional information for better training them.

Full Text:

PDF (Russian)

References


Gupta S., Gupta B. B. Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art //International Journal of System Assurance Engineering and Management. – 2017. – T. 8. – #. 1. – S. 512-530.

Uroki po XSS: Urok 3. Konteksty vnedrenija XSS. URL: https://hackware.ru/?p=1234

XSS-payload-list. URL: https://github.com/payloadbox/xss-payload-list

XSS Filter Evasion Cheat Sheet [HTML] (https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)

Cross-site scripting (XSS) cheat sheet. URL: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Khan N., Johari A., Adnan S. A Taxonomy Study of XSS Vulnerabilities //Asian J. Inf. Technol. – 2017. – T. 16. – S. 169-177.

Fang Y. et al. DeepXSS: Cross site scripting detection based on deep learning //Proceedings of the 2018 international conference on computing and artificial intelligence. – 2018. – S. 47-51.

Mokbal F. M. M. et al. MLPXSS: an integrated XSS-based attack detection scheme in web applications using multilayer perceptron technique //IEEE Access. – 2019. – T. 7. – S. 100567-100580.

Tekerek A. A novel architecture for web-based attack detection using convolutional neural network //Computers & Security. – 2021. – T. 100. – S. 102096.

Liu Z. et al. GraphXSS: an efficient XSS payload detection approach based on graph convolutional network //Computers & Security. – 2022. – T. 114. – S. 102597.

Fang Y. et al. RLXSS: Optimizing XSS detection model to defend against adversarial attacks based on reinforcement learning //Future Internet. – 2019. – T. 11. – #. 8. – S. 177.

Wang Q. et al. Black-box adversarial attacks on XSS attack detection model //Computers & Security. – 2022. – T. 113. – S. 102554.

Chen L. et al. XSS adversarial example attacks based on deep reinforcement learning //Computers & Security. – 2022. – T. 120. – S. 102831.

Namiot D. E., Il'jushin E. A., Chizhov I. V. ATAKI NA SISTEMY MAShINNOGO OBUChENIJa-OBShhIE PROBLEMY I METODY //International Journal of Open Information Technologies. – 2022. – T. 10. – #. 3. – S. 17-22.

Chakraborty A. et al. Adversarial attacks and defences: A survey //arXiv preprint arXiv:1810.00069. – 2018.

Mondal B., Banerjee A., Gupta S. XSS Filter detection using Trust Region Policy Optimization //2023 1st International Conference on Advanced Innovations in Smart Cities (ICAISC). – IEEE, 2023. – S. 1-4.

DL_for_xss, 2017. URL: https://github.com/SparkSharly/DL_for_xss

RL — Reinforcement Learning Algorithms Comparison. URL: https://jonathan-hui.medium.com/rl-reinforcement-learning-algorithms-comparison-76df90f180cf

Ivanov S. Reinforcement Learning Textbook //arXiv preprint arXiv:2201.09746. – 2022.


Refbacks

  • There are currently no refbacks.


Abava  Кибербезопасность FRUCT 2024

ISSN: 2307-8162