Automated removal of cross site scripting vulnerabilities in web applications
Context: Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious...

Main Authors: | Shar, Lwin Khin; Tan, Hee Beng Kuan |
---|---|
Other Authors: | School of Electrical and Electronic Engineering |
Format: | Article |
Language: | English |
Published: | 2013 |
Subjects: | DRNTU::Engineering::Electrical and electronic engineering |
Online Access: | https://hdl.handle.net/10356/101332 http://hdl.handle.net/10220/16725 |
Institution: | Nanyang Technological University |
Record id: | sg-ntu-dr.10356-101332 |
---|---|
Citation: | Shar, L. K., & Tan, H. B. K. (2012). Automated removal of cross site scripting vulnerabilities in web applications. Information and Software Technology, 54(5), 467-478. ISSN 0950-5849. DOI 10.1016/j.infsof.2011.12.006 |
Collection: | DR-NTU, NTU Library, Nanyang Technological University, Singapore |
Dates: | Journal article, 2011; deposited 2013-10-23; record last modified 2020-03-07 |
Abstract

Context
Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts in web pages via such inputs such that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in the programs or prevention of real time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities, if not removed, could be exploited at any time.
Objective
To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications.
Method
Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms which prevent input values from causing any script execution.
Results
We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach based on experiments on five Java-based web applications.
Conclusion
Our evaluation has shown that the tool can be applied to real-world web applications and that it automatically removed all the real XSS vulnerabilities in the test subjects.