TY - JOUR
AU - Hartono
AU - Sriyanto
PY - 2022/12/29
Y2 - 2024/03/28
TI - XSS Attack Detection and Mitigation Using Multi-Layer Security Mechanism (MLSM)
JF - Sienna
JA - sienna
VL - 3
IS - 2
SE - Articles
DO - 
UR - https://jurnal.umko.ac.id/index.php/sienna/article/view/669
SP - 1-14
AB - BSSN stated that there were 12.9 million cyber threats in Indonesia during 2018. From January to April 2020, the number of cyber-attacks increased: in those four months, the number of cyber-attacks reached 88 million. The methods, applications, and attack techniques used cannot be identified easily. However, according to data from the OWASP Top Ten in 2017 and 2021 (a statistics-based proposal), there are 10 website security vulnerabilities that are most often exploited. XSS is one of the security holes included in the list. In addition to being a loophole that is often found, the impact of XSS is very severe, because it allows attackers to perform account takeovers, theft of personal data, and so on. Several studies have implemented mechanisms to detect and mitigate XSS attacks. However, their implementations have not yet obtained effective and holistic results. The mechanisms tested by previous research still leave a security problem that allows attackers to execute XSS attacks. One of the causes of this problem is the use of a single-layer security mechanism. Therefore, the purpose of this study is to test the effectiveness of the multi-layer security mechanism (MLSM) in detecting and mitigating XSS attacks. MLSM consists of five layers, namely OWASP ModSecurity, Framework/CMS Security Feature, HTTP Middleware, Templating Engine, and Data Sanitizer. To test the security level of MLSM, the researchers conducted a simulation of attacks using the Arachni and ZAP applications on a sample website that had 170 XSS security vulnerabilities. Based on test attacks on the non-MLSM website, Arachni successfully executed 168 of 170 (98.82%), and ZAP executed 103 of 170 (60.58%) XSS attacks. However, after implementing the MLSM feature on the website, the Arachni and ZAP attacks failed to perform XSS, whether stored, reflected, or DOM-based. No single type of XSS attack could be carried out on the MLSM website.
ER -