Hunting Cross-Site Scripting Attacks in the Network

Cross-site Scripting (XSS) attacks in web applications are considered a major threat. In a yearly basis, large IT security vendors export statistics that highlight the need for designing and implementing more efficient countermeasures for securing modern web applications and web users. So far, all these studies are carried out by IT security vendors. The academic community lacks of the tools for performing similar studies for quantifying various properties of XSS attacks. In this paper, we present xHunter, a tool that takes as input a web trace and scans it for identifying possible XSS exploits. xHunter does not provide any defenses against attacks in web applications and browsers. The tool is designed for processing thousands of URLs and isolating XSS exploits. Using xHunter one can see how real XSS exploits look like, what is the geographical distribution of web browsers that trigger XSS exploits, and other valuable properties, which if combined can draw a better picture of the XSS landscape today. xHunter is based on two assumptions. The first one is that a significant fraction of XSS attacks is carried out using URLs and the second one is that these URLs contain parts that produce a valid JavaScript syntax tree with high depth. Thus, the basic operation of xHunter is to process URLs and identify parts that can be parsed in JavaScript. In this paper, we analyze all design choices and challenges for implementing xHunter. We evaluate a preliminary prototype of xHunter using about 11,000 URLs collected by a realworld XSS repository, XSSed.com, and 1,000 URLs collected from a monitoring point in an educational organization with about 1,000 users. The results suggest that xHunter has less than 3.2% of false negatives and about 2% of false positives.