Script late injection: a framework to introduce JavaScript into web pages
Abstract
Script injection is one type of fault present in web, which mostly utilizes user data to execute code without applying any type of filters. Script injection can impact both client and server making exposing them to vulnerabilities. Security and related products may need to execute logic on the client-side generally in a browser. In order to achieve this, proxy servers inject appropriate JavaScript code into the responses they proxy. Typically, the injection point is at the end of the body element. The framework introduced in this paper rather uses a stack-based approach to determine the injection point in the web page. Ten kilobytes from the end of a web page are given as a string input to the framework, after tokenization and construction of the vector of tokens. A stack is used to determine the injection point. Along with the position of the injection point, a warning flag is also estimated indicating the correctness of the injection point. Different types of web pages were considered for running the unit tests and fuzzy tests on the framework. These classes of pages are determined by crawling most used web pages. The injected scripts are executed once the body content is completely loaded. Hence, it can retrieve maximum information without affecting end-user performance. It also does the job at a low cost.
Keywords
Hypertext markup language tags; Injection parsers; Proxy servers; Script injection; Web security
Full Text:
PDFDOI: http://doi.org/10.11591/ijra.v13i1.pp96-104
Refbacks
- There are currently no refbacks.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
IAES International Journal of Robotics and Automation (IJRA)
ISSN 2089-4856, e-ISSN 2722-2586
This journal is published by the Institute of Advanced Engineering and Science (IAES) in collaboration with Intelektual Pustaka Media Utama (IPMU).