Web Vulnerability Through Cross Site Scripting (XSS) Detection with OWASP Security Shepherd

Web applications are needed as a solution for using internet technology that is easy to use and capable of displaying information that is rich in content, cost-effective, and accessible. In the second quarter of 2020, Wearesocial released information that around 4.54 billion people in the world used the internet, a penetration of 59%. People have become very dependent on the internet and technology, a condition also triggered by the Covid-19 pandemic. One issue in website application security is internet attacks on website platforms and their vulnerabilities. One type of attack or security threat that often arises is Cross-Site Scripting (XSS). XSS is on the Open Web Application Security Project (OWASP) Top 10 list. Several alternatives can be used to prevent cyber-attacks, such as OWASP Security Shepherd. The OWASP Security Shepherd project allows users to learn or develop their manual penetration testing skills. In this research, there are several case examples of challenges that we can use as a simulation of the role of OWASP Security Shepherd in detecting XSS. The purpose of this paper is to conduct a brief and clear review


Introduction
In April, in the second quarter of 2020, an institution focusing on research related to digital data, technology, and the internet reported that 4.54 billion people in the world used the internet, a penetration of 59% [1]. According to Wearesocial data (Digital Around the World, April 2020), the internet made rapid progress in 2020, and people around the world have a high dependency on internet technology as web application services increase. People have become very dependent on the internet and technology. This condition is also triggered by the Covid-19 pandemic, also known as Corona Virus.
This makes the technology that emerges and is created in network applications sensitive and vulnerable to cyber-attacks that appear on the internet. In 2017, the Open Web Application Security Project (OWASP) published the Top 10 list of vulnerabilities that often appear on the internet [2][3] [5]. Cross Site Scripting, also known as XSS, is the 7th most frequent and most critical web application security risk, which means that detection of XSS attacks must still be considered and is important in terms of cybersecurity.
XSS attacks inject dangerous scripts. This type of attack occurs when an attacker injects malicious content, such as JavaScript, into a web page so that it is executed by the browsers of the page's users [3] [5].
This type of script is quite dangerous: the victim unwittingly executes it, which can lead to hijacking of user sessions, the display of misinformation, and damage to web pages. Other cases are phishing attacks, access to the user's business data, and control of the user's browser [4] [5]. What is even scarier is that XSS can be combined with other types of attacks or vulnerabilities, such as Remote Code Execution (RCE) and Cross Site Request Forgery (CSRF), which threaten internet users [1][2][3][4][5].
Several alternatives are available to prevent cyber-attacks. In this paper, the author chooses OWASP Security Shepherd. OWASP Security Shepherd can be used to prevent the effects of XSS attacks. The OWASP Security Shepherd project allows users to learn or develop their manual penetration testing skills. In this research, there are several case examples of challenges that can be used as a simulation of the role of OWASP Security Shepherd in detecting XSS. The purpose of this detection is to find out the types of XSS that can be learned as a step toward creating a secure website. The purpose of this paper is to conduct a brief and clear review of the technology in OWASP Security Shepherd. Hopefully, this tool can be useful and help overcome XSS.

OWASP
The Open Web Application Security Project (OWASP) is a non-profit organization that helps organizations create, buy, and manage trusted software applications. OWASP offers convenience and ease of access to free and open source for [ OWASP aims to inform developers, designers, architects, and business owners about the risks associated with the most growing security vulnerabilities in web applications [2]. OWASP has published a famous Top Ten List that describes the most dangerous security vulnerabilities in web applications and makes suggestions about how to deal with those flaws. Table 1 shows the OWASP Top 10 - 2017 (Ten Most Important Security Threats for Web Application).

OWASP Security Shepherd
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been developed to cultivate and improve security knowledge across a wide variety of skill levels. The goal of this project is to sharpen the penetration testing skills of AppSec novices or seasoned engineers to the level of security experts [2]. The reasons for using Security Shepherd are that this tool provides Broad Topic Scope, Gentle Learning Curve, Real-World Examples, Scalability, Highly Scalable, User Management, and Robust Service. The OWASP Security Shepherd project allows users to learn or develop their manual penetration testing skills. This is done by introducing security risk principles to users in lessons followed by challenges [2] [10]. A lesson gives the user help, in layman's terms, on a particular security problem and allows them to manipulate the textbook version of the issue [2]. The challenges include weak security protections for vulnerabilities, which leave scope for users to exploit them [2] [8].
By using the OWASP Top Ten as a challenging testbed, the security vulnerabilities can be explored and their effect on the system can be understood [2]. The by-product of this competitive game is the learned ability to harden the player's own environment against OWASP's top ten security threats. The modules have been developed to challenge not only security novices but also security professionals [2][6].
The security risks in Shepherd are actual vulnerabilities that have been hardened so that they cannot be exploited to compromise the application or its environment. Shepherd does not simulate the security threats, so any and all attack vectors can work, which ensures a real-world response [2].

Cross Site Scripting (XSS)
Cross Site Scripting (XSS) attacks [3][4][5][6] are the most common vulnerabilities found in web applications. The injection occurs at the client-side by embedding a file. XSS attacks can cause sensitive data to be tampered with and exposed. The most popular method is accessing sessions or stealing cookies to collect confidential information. We can see the impact and weakness of XSS in Figure 1 and Figure 2.
Cross-Site Scripting (XSS) is a known web-based attack. It happens when malicious web code, usually in script form, is sent through a web application and executed in the browser on a victim's computer. With this execution, personal information can be leaked, or the user's cookies can be stolen [4] to hijack their identity in a fraudulent session. This also gives attackers the possibility of stealing confidential data or even taking control of other computers. XSS accounts for 40% of attack attempts, SQL injection (SQLi) for 24%, an attack called cross-section for 7%, local file inclusion (LFI) for 4%, and, in last place, DDoS (Distributed Denial of Service). According to Imperva's results [19][20][21], XSS attacks represent the highest number of web application vulnerabilities in 2017. Their number doubled in comparison to 2016. Also, according to Imperva's projections, the most frequent offensives would occur in 2018.
The 25 most dangerous software errors [13] are classified into three groups according to the Common Weakness Enumeration (CWE / SANS): 1. Unsafe interaction of components (6 errors); 2. Risky resource management (8 bugs); 3. Porous protections (11 bugs).
XSS also happens when [14]:
1. Untrusted data enters a web application.
2. The same web application then produces output that contains the untrusted data.
3. A victim visits, through a web browser, the generated web page, which has been infected with a malicious XSS script contained in the untrusted data.

Wibowo, Sulaksono (Web Vulnerability Through Cross Site Scripting (XSS) Detection with OWASP Security Shepherd)
4. An XSS-type script sent by the server is executed in the web page, i.e. in the context of the web server's domain. This attack does not exploit the vulnerabilities of a single browser; it affects the web servers where web applications are hosted.
According to Elhakeem and Barry [15], the impact of cross-site scripting can be described as follows: 1. The content of a web application may be changed by inserting scripts that show false advertising, affect the credibility of commercial websites, or deceive the consumer; 2. Session cookies could be stolen from open sessions to collect information while such sessions remain online; 3. The identity of legitimate users could be hijacked and sensitive personal information stolen.

Experimental Tools
OWASP Security Shepherd, as we know, is an application security training platform. This platform is designed to train and increase the security awareness of web technology users with various levels of knowledge. We use this platform because the author feels it can be used to sharpen penetration testing capabilities. We ran this experiment on the Ubuntu operating system, because we believe OWASP Security Shepherd is a license-free application and runs well on Ubuntu Linux. We use Cross-Site Scripting (XSS) because it is known as one of the web-based attacks. XSS attacks represent the highest number of web application vulnerabilities in 2017 [21].

Simulation with OWASP Security Shepherd
We can do a simulation directly on OWASP Security Shepherd. The first step of the simulation is to install Shepherd on your computer. Shepherd can be downloaded by cloning the GitHub repository (https://github.com/OWASP/SecurityShepherd.git). A successful installation can be seen in Figure 3 and Figure 4. Figure 18 shows the 'cd' function on Security Shepherd, which creates a new directory and calls Security Shepherd, whereas Figure 19 shows Docker being formed and processed. If the process is successful, there will be information reading Pull Complete. If the process is successful, there are steps to determine the package that is patched and to view the database. The next step is to open the package and set up the patch.

Figure 5. Docker Compose to call Shepherd
After the steps are completed, Shepherd can be opened on localhost to do a simulation. The results can be seen in Figures 6-8. In the first process, if the previous step was successful, a login area will appear on localhost and users can start creating a new account by selecting Register. After the registration process is completed, the next step is to return to the login menu and enter the username and password (shown in Figure 6).
Then, users can write this script in the search term field: <script> alert (123) </script>. If successful, a dialog box showing the number will appear. Then, the Result Key will appear. The users should copy the result key into the Submission Area. The results will appear if the process is successful (Figure 10).
Figure 10. Write a script on the submission area
After completing the process, a message will appear and show Congratulation, which means Shepherd has been successful. Testing other XSS challenges can be done by selecting the options (Figure 11).

Conclusion
Some of the methods for preventing XSS attacks are as follows. Filter the input data against XSS attacks. Encode the data when printing it for display. To ensure that HTML code is not run, always use text-type headers so that browsers interpret the responses in the way you want.
The research that has the most impact, uses advanced technology, and is most needed is that of OWASP, so we use it in this research [6] [8] [19] [27]. Shepherd offers technology and support that are not inferior. If the technology is used, it can help prevent vulnerabilities on the Web in the XSS case. In the future, we can combine Shepherd with other technologies such as ZAP to measure other aspects of web security. We can also use ISO or other security methods that can check the evaluation process precisely and accurately [28]. Further research will evaluate Shepherd, test its accuracy against comparable tools, and combine approaches into optimal preventive measures against cyber-attacks.
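The following is an added example, not code from the paper or from Security Shepherd, covering both the four-step XSS flow described earlier and the encoding and header advice in the conclusion. It renders the lesson's search term once without and once with output encoding, then parses both pages to see whether the term became a script element. The page template, the function names, and the reading of "text-type headers" as Content-Type plus X-Content-Type-Options are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the search term typed in the Shepherd lesson.
PAYLOAD = "<script> alert (123) </script>"

def render_vulnerable(term: str) -> str:
    """Reflect the search term into the page with no output encoding."""
    return f"<html><body><p>Results for: {term}</p></body></html>"

def render_encoded(term: str) -> str:
    """Same page, with the term HTML-encoded at the point of output.
    quote=True also encodes " and ', needed if the value lands in an attribute."""
    return f"<html><body><p>Results for: {html.escape(term, quote=True)}</p></body></html>"

def response_headers(as_text: bool = False) -> dict:
    """Headers that pin how the browser interprets the body (assumed reading
    of the page's 'text-type headers' advice)."""
    ctype = "text/plain" if as_text else "text/html"
    return {
        "Content-Type": f"{ctype}; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # forbid MIME sniffing of the body
    }

class _ScriptFinder(HTMLParser):
    """Counts <script> elements as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def script_elements(page: str) -> int:
    """Number of script elements in the rendered page; > 0 means the
    untrusted term became markup instead of text."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.scripts

if __name__ == "__main__":
    for render in (render_vulnerable, render_encoded):
        print(render.__name__, script_elements(render(PAYLOAD)))
```

The same `script_elements` check can be kept as a regression test around any template that reflects user input.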