Automated removal of cross site scripting vulnerabilities in web applications

Abstract: Context: Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts in web pages via such inputs such that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in the programs or prevention of real time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities if not removed could be exploited anytime. Objective: To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications. Method: Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms which prevent input values from causing any script execution. Results: We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach based on the experiments on five Java-based web applications. Conclusion: Our evaluation has shown that the tool can be applied to real-world web applications and it automatically removed all the real XSS vulnerabilities in the test subjects.

Bibliographic Details
Main Authors: SHAR, Lwin Khin; TAN, Hee Beng Kuan
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2011
Subjects: Cross site scripting; Injection vulnerability; Character escaping; Encoding; Web security; Automated bug fixing; Information Security; Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/4897
https://ink.library.smu.edu.sg/context/sis_research/article/5900/viewcontent/Automated___PV.pdf
Institution: Singapore Management University
Collection: Research Collection School Of Computing and Information Systems (InK@SMU, SMU Libraries)
Date: 2011-12-01
DOI: 10.1016/j.infsof.2011.12.006
License: CC BY-NC-ND 4.0 (http://creativecommons.org/licenses/by-nc-nd/4.0/)