Implementation and Testing of Cross-Site Scripting (XSS) Prevention Techniques in PHP Applications Based on XSStrike

Authors

  • Juri Pebrianto Universitas Pamulang
  • Riky Susanto Universitas Pamulang
  • Tri Prasetyo Universitas Pamulang

DOI:

https://doi.org/10.35194/mji.v17i1.5268

Keywords:

Cross-Site Scripting, XSStrike, PHP Native, Web Security, CSP

Abstract

Cross-Site Scripting (XSS) is one of the most common security threats to web applications, particularly PHP Native applications that have not adopted modern security standards. This study evaluates the effectiveness of preventive techniques against XSS attacks using the automated tool XSStrike. The research method is experimental: a deliberately vulnerable PHP application was tested against three types of XSS attack, Reflected, Stored and DOM-Based, both automatically and manually. The results show that Reflected XSS was detected by XSStrike with high confidence, whereas Stored and DOM-Based XSS required manual testing because of the limitations of automated scanning. After input validation, output encoding and a Content Security Policy (CSP) were implemented, injected scripts were no longer executed by the browser and were rendered only as plain text. The study concludes that applying these preventive techniques in combination significantly increases the resistance of PHP Native applications to the various forms of XSS attack.
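The three controls named in the abstract, shown as an added example in PHP Native (this is illustrative code written for this page, not the authors' test application, whose source is not reproduced here): a small comment page is given first as a vulnerable handler and then hardened with input validation, context-aware output encoding and a CSP response header. The form field names, the validation policy and the in-memory comment store are assumptions made for the example.

```php
<?php
// Added example, not the paper's code. A minimal PHP Native comment page:
// the vulnerable rendering function is kept beside the hardened one so the
// difference is visible. Field names, the validation policy and the
// in-memory store are assumptions for illustration only.

declare(strict_types=1);

// --- Vulnerable version: input is interpolated into HTML unescaped ---------
function renderCommentVulnerable(string $name, string $comment): string
{
    // <script>alert(1)</script> in $comment is executed by the browser.
    return "<p><b>$name</b>: $comment</p>";
}

// --- Hardened version -------------------------------------------------------

// 1. Input validation: accept only what the field is supposed to contain and
//    reject everything else. Rejecting avoids the filter-bypass games that
//    "cleaning" invites.
function validateName(string $name): bool
{
    // Letters, digits and spaces, 2-32 characters (assumed policy).
    return (bool) preg_match('/^[\p{L}\p{N} ]{2,32}$/u', $name);
}

function validateComment(string $comment): bool
{
    $len = mb_strlen($comment, 'UTF-8');
    return $len > 0 && $len <= 500;   // free text, so length only (assumed)
}

// 2. Output encoding for the HTML text and quoted-attribute contexts.
//    ENT_QUOTES also escapes ' and " so the helper is safe inside quoted
//    attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole
//    string into "" (which would silently drop content).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCommentSafe(string $name, string $comment): string
{
    // Encode at the output point, not at storage time: stored data stays raw
    // and each rendering context can apply the encoder it needs.
    return '<p><b>' . e($name) . '</b>: ' . e($comment) . '</p>';
}

// 3. Content Security Policy: if an encoding bug slips through, inline
//    scripts and scripts from foreign origins are still not executed.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: text/html; charset=UTF-8');
}

// --- Request handling -------------------------------------------------------
// Stand-in for the database table of the stored-XSS case. Being a plain
// array it does not persist across requests; a real app would use a DB.
$comments = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = (string) ($_POST['name'] ?? '');
    $comment = (string) ($_POST['comment'] ?? '');
    if (validateName($name) && validateComment($comment)) {
        $comments[] = ['name' => $name, 'comment' => $comment];
    } else {
        http_response_code(400);
    }
}

sendSecurityHeaders();
echo "<!doctype html><html><head><meta charset=\"utf-8\"><title>Comments</title></head><body>\n";

// Reflected case: the search term is echoed back, encoded.
$q = (string) ($_GET['q'] ?? '');
echo '<p>Search results for: ' . e($q) . "</p>\n";

// Stored case: every stored comment is encoded when rendered.
foreach ($comments as $c) {
    echo renderCommentSafe($c['name'], $c['comment']) . "\n";
}
echo "</body></html>\n";
```

To check the result, request the page with `?q=<script>alert(1)</script>` (URL-encoded) and confirm that the response body contains `&lt;script&gt;alert(1)&lt;/script&gt;` rather than a `<script>` element, and that the `Content-Security-Policy` header is present. Two caveats a practitioner should keep in mind: `htmlspecialchars()` is correct only for HTML text and quoted-attribute contexts, so a value placed inside a `<script>` block or a URL needs a different encoder (for example `json_encode()` with `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` for JavaScript); and none of the server-side controls above fix DOM-Based XSS, where client-side code writes `location.hash` or similar data into `innerHTML`. That case needs the client code to use `textContent` or an equivalent safe sink, with the CSP acting as a backstop.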

Author Biography

Juri Pebrianto, Universitas Pamulang

Informatics Engineering Study Program, Universitas Pamulang

Published

2025-06-23