Open Access Article

A Survey on Content Injection Attacks

Sandeep D Sukhdeve, Hemlata Channe

Section: Survey Paper, Product Type: Journal Paper
Volume-3 , Issue-11 , Page no. 70-74, Nov-2015

Online published on Nov 30, 2015

Copyright © Sandeep D Sukhdeve, Hemlata Channe. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


How to Cite this Paper


IEEE Style Citation: Sandeep D Sukhdeve, Hemlata Channe, “A Survey on Content Injection Attacks,” International Journal of Computer Sciences and Engineering, Vol.3, Issue.11, pp.70-74, 2015.

MLA Style Citation: Sandeep D Sukhdeve, Hemlata Channe. "A Survey on Content Injection Attacks." International Journal of Computer Sciences and Engineering 3.11 (2015): 70-74.

APA Style Citation: Sandeep D Sukhdeve, Hemlata Channe, (2015). A Survey on Content Injection Attacks. International Journal of Computer Sciences and Engineering, 3(11), 70-74.

BibTex Style Citation:
@article{Sukhdeve_2015,
author = {Sandeep D Sukhdeve , Hemlata Channe},
title = {A Survey on Content Injection Attacks},
journal = {International Journal of Computer Sciences and Engineering},
issue_date = {11 2015},
volume = {3},
Issue = {11},
month = {11},
year = {2015},
issn = {2347-2693},
pages = {70-74},
url = {https://www.ijcseonline.org/full_paper_view.php?paper_id=729},
publisher = {IJCSE, Indore, INDIA},
}

RIS Style Citation:
TY - JOUR
UR - https://www.ijcseonline.org/full_paper_view.php?paper_id=729
TI - A Survey on Content Injection Attacks
T2 - International Journal of Computer Sciences and Engineering
AU - Sandeep D Sukhdeve , Hemlata Channe
PY - 2015
DA - 2015/11/30
PB - IJCSE, Indore, INDIA
SP - 70-74
IS - 11
VL - 3
SN - 2347-2693
ER -


Abstract

We are increasingly relying on the web and performing important transactions online through it. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. This work presents a survey of web security research, an emerging domain that develops detection and prevention techniques to hinder content injection attacks on web applications. The paper provides a classification of the research areas on content injection attacks and analyzes their important aspects. In addition, it surveys the security mechanisms adopted by web browsers to defend against content injection attacks. The goals of this survey paper are two-fold: i) to serve as a guideline for researchers who are new to web security and want to contribute to this research area, and ii) to provide further research directions for content injection attack prevention.

Key-Words / Index Term

XSS (Cross-site scripting), SQLI (Structured Query Language Injection), Content Injection, SQL queries
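The abstract names the two attack classes the survey covers, cross-site scripting and SQL injection, and the mechanisms that hinder them. As an added illustration, not code from the paper or its authors, the following Python shows each attack against a handler that splices untrusted input into code, beside the defence the surveyed literature converges on: parameterised queries for SQL (the target of the prepared-statement work in [30]) and context-aware output encoding for HTML (in the spirit of the context-sensitive string evaluation in [21]). The user table, accounts, payloads and function names are all constructed for this example; only the Python standard library is used.

```python
"""Content injection in its two canonical web forms, SQL injection and
reflected cross-site scripting (XSS).  Each is shown as the vulnerable
pattern beside its defence: parameterised queries for SQL, context-aware
output encoding for HTML.  Everything here (table, accounts, payloads)
is constructed for the example; only the standard library is used."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Untrusted input is spliced into the SQL text, so a quote in the
    input changes the *structure* of the statement, not just a value."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The statement shape is fixed before any input arrives and the
    values are bound afterwards, so the input can only ever be data."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# Tautology payload: closes the open string literal, adds an always-true
# disjunct, and comments out the rest of the WHERE clause.
SQLI_PAYLOAD = "' OR '1'='1' --"


def render_vulnerable(search: str) -> str:
    """Reflects the search term into the page body verbatim."""
    return "<p>Results for: %s</p>" % search


def render_safe(search: str) -> str:
    """Escapes for the HTML element-content context.  quote=True also
    neutralises ' and ", which matters if the same value is ever placed
    inside an attribute; a JavaScript or URL context would need its own
    encoder, which is the point of context-sensitive evaluation."""
    return "<p>Results for: %s</p>" % html.escape(search, quote=True)


# Reflected-XSS payload: would run in the victim's browser, with the
# origin's cookies in scope, if the page echoed it unescaped.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    """Run both attacks against both implementations and report outcomes."""
    conn = make_db()
    return {
        "sqli_bypasses_vulnerable": login_vulnerable(conn, SQLI_PAYLOAD, "x"),
        "sqli_bypasses_safe": login_safe(conn, SQLI_PAYLOAD, "x"),
        "legit_login_safe": login_safe(conn, "alice", "correct horse"),
        "xss_executes_vulnerable": "<script>" in render_vulnerable(XSS_PAYLOAD),
        "xss_executes_safe": "<script>" in render_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print("%-28s %s" % (check, outcome))
```

The vulnerable login accepts the payload as a user name because the resulting statement reads `WHERE name = '' OR '1'='1' --...`, a tautology with the password check commented out; the bound-parameter version looks up a user literally named `' OR '1'='1' --` and finds none. The same pattern recurs on the output side: the browser cannot tell attacker markup from the page's own, so the server has to encode for the context into which the value lands.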

References

[1] G. Buehrer, B.W. Weide, and P.A.G. Sivilotti. “Using parse tree validation to prevent SQL injection attacks”. In Proceedings of the 5th International Workshop on Software Engineering and Middleware, 2005.
[2] CGIsecurity. The cross-site scripting (XSS) FAQ. http://www.cgisecurity.com/xss-faq.html.
[3] S. Crites, F. Hsu, and H. Chen. “OMash: Enabling secure web mashups via object abstractions”. In Proceedings of the International Conference on Computer and Communications Security (CCS), 2008.
[4] Xinshu Dong, Kailas Patil, Xuhui Liu, Jian Mao, and Zhenkai Liang. “An extensible security framework in web browsers”. Technical Report TR-SEC-2012-01, Systems Security Group, School of Computing, National University of Singapore, 2012.
[5] Xinshu Dong, Kailas Patil, Jian Mao, and Zhenkai Liang. “A comprehensive client-side behavior model for diagnosing attacks in Ajax applications”. In Proceedings of the 18th International Conference on Engineering of Complex Computer Systems (ICECCS), 2013.
[6] Dennis Fisher. Persistent XSS bug on Twitter exploited by worm. http://threatpost.com/en us/blogs/persistent-xss-bug-twitter-being-exploited-092110.
[7] W.G.J. Halfond and A. Orso. “AMNESIA: Analysis and monitoring for neutralizing SQL-injection attacks”. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, 2005.
[8] W.G.J. Halfond and A. Orso. “Combining static analysis and runtime monitoring to counter SQL-injection attacks”. In Proceedings of the Third International Workshop on Dynamic Analysis, 2005.
[9] W.G.J. Halfond, A. Orso, and P. Manolios. “Using positive tainting and syntax-aware evaluation to counter SQL-injection attacks”. In Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2006.
[10] Mark Hofman. SQL injection attack happening ATM. isc.sans.org/diary/SQL+Injection+Attack+happening+ATM/12127.
[11] Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell. “Protecting browser state from web privacy attacks”. In Proceedings of the International Conference on World Wide Web (WWW), 2006.
[12] Patil Kailas, Dong Xinshu, Li Xiaolei, Liang Zhenkai, and Jiang Xuxian. “Towards fine-grained access control in JavaScript contexts”. In Proceedings of the International Conference on Distributed Computing Systems, 2011.
[13] Ziqing Mao, Ninghui Li, and Ian Molloy. “Defeating cross-site request forgery attacks with browser-enforced authenticity protection”. In Financial Cryptography and Data Security, 13th International Conference, 2009.
[14] Leo A. Meyerovich and Benjamin Livshits. “ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser”. In Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P), 2010.
[15] Mozilla. Same origin policy for JavaScript. https://developer.mozilla.org/En/Same_origin_policy_for_javascript.
[16] The clickjacking meets XSS: a state of art. http://www.milw0rm.com/papers/265, 2008.
[17] Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, and David Evans. “Automatically hardening web applications using precise tainting”. In Proceedings of the 20th IFIP International Information Security Conference, 2005.
[18] National Institute of Standards and Technology. National Vulnerability Database (NVD). http://web.nvd.nist.gov/view/vuln/search.
[19] Kailas Patil. Ensuring session integrity in the browser environment. http://scholarbank.nus.edu.sg/bitstream/handle/10635/49161/ThesisHT080141L.pdf?sequence=1, 2013.
[20] Kailas Patil, Tanvi Vyas, Frederik Braun, and Mark Goodwin. “UserCSP: User specified content security policies”. SOUPS ’13 poster, 2013.
[21] Tadeusz Pietraszek and Chris Vanden Berghe. “Defending against injection attacks through context-sensitive string evaluation”. In Proceedings of Recent Advances in Intrusion Detection (RAID), 2005.
[22] Cristian Pinzón, Javier Bajo, Juan F. De Paz, Álvaro Herrero, and Emilio Corchado. “AIIDA-SQL: An adaptive intelligent intrusion detector agent for detecting SQL injection attacks”. In Proceedings of the 10th International Conference on Hybrid Intelligent Systems, 2010.
[23] OWASP, The Open Web Application Security Project. OWASP Top Ten project. https://www.owasp.org/index.php/Top_10_2013-Top_10.
[24] Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. “BrowserShield: Vulnerability-driven filtering of dynamic HTML”. In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI), 2006.
[25] RSnake. XSS (cross site scripting) cheat sheet, esp. for filter evasion. http://ha.ckers.org/xss.html.
[26] Jesse Ruderman. Signed scripts in Mozilla. http://www.mozilla.org/projects/security/components/signed-scripts.html.
[27] Michelle Ruse, Tanmoy Sarkar, and Samik Basu. “Analysis & detection of SQL injection vulnerabilities via automatic test case generation of programs”. In Proceedings of the Annual International Symposium on Applications and the Internet, 2010.
[28] Zhendong Su and Gary Wassermann. “The essence of command injection attacks in web applications”. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), 2006.
[29] Symantec. Internet Security Threat Report, volume 20. https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932 GA-internet-security-threat-report-volume-20-2015-social v2.pdfg, April 2015.
[30] Stephen Thomas, Laurie Williams, and Tao Xie. “On automated prepared statement generation to remove SQL injection vulnerabilities”. Information and Software Technology (Elsevier), 2009.
[31] H. J. Wang, X. Fan, J. Howell, and C. Jackson. “Protection and communication abstractions for web browsers in MashupOS”. In Proceedings of SOSP, 2007.
[32] Wikipedia. Cross-site scripting. https://en.wikipedia.org/wiki/Cross-site_scripting.
[33] Wikipedia. SQL injection. https://en.wikipedia.org/wiki/SQL_injection.
[34] Yichen Xie and Alex Aiken. “Static detection of security vulnerabilities in scripting languages”. In Proceedings of the USENIX Security Symposium, 2006.
[35] xssed.com. Myspace.com hit by a permanent XSS. http://www.xssed.com/news/83/Myspace.com hit by a Permanent XSS/.
[36] xssed.com. New Orkut XSS worm by Brazilian web security group. http://www.xssed.com/news/77/New Orkut XSS worm by Brazilian web security group/.
[37] K.S. Wagh, Vishal Jotshi, Harshal Dalvi, and Manish Kamble. “Reversed proxy based XSS filtering”. International Journal on Computer Science and Engineering (IJCSE), Vol. 3, Issue 5, pp. 175-180, May 2015.
[38] Jyotsnamayee Upadhyaya, Namita Panda, and Arup Abhinna Acharya. “Attack Generation and Vulnerability Discovery in Penetration Testing using SQL Injection”. International Journal on Computer Science and Engineering (IJCSE), Vol. 2, Issue 3, pp. 167-173, March 2014.