Auditing the XSS defence features implemented in web application programs
Cross site scripting (XSS) vulnerability is mainly caused by the failure of web applications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still...
Saved in:
| Main Authors: | , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2012
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4928 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5931 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-59312020-02-13T06:24:03Z Auditing the XSS defence features implemented in web application programs SHAR, Lwin Khin TAN, Hee Beng Kuan Cross site scripting (XSS) vulnerability is mainly caused by the failure of web applications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) the lack of understanding of XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, our approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of control flow graph, called tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method based on the experiments on seven Java-based web applications. In the auditing experiments, our approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections. 2012-08-31T07:00:00Z text https://ink.library.smu.edu.sg/sis_research/4928 info:doi/10.1049/iet-sen.2011.0084 Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Programming Languages and Compilers Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Programming Languages and Compilers Software Engineering |
| spellingShingle |
Programming Languages and Compilers Software Engineering SHAR, Lwin Khin TAN, Hee Beng Kuan Auditing the XSS defence features implemented in web application programs |
| description |
Cross site scripting (XSS) vulnerability is mainly caused by the failure of web applications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) the lack of understanding of XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, our approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of control flow graph, called tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method based on the experiments on seven Java-based web applications. In the auditing experiments, our approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections. |
| format |
text |
| author |
SHAR, Lwin Khin TAN, Hee Beng Kuan |
| author_facet |
SHAR, Lwin Khin TAN, Hee Beng Kuan |
| author_sort |
SHAR, Lwin Khin |
| title |
Auditing the XSS defence features implemented in web application programs |
| title_short |
Auditing the XSS defence features implemented in web application programs |
| title_full |
Auditing the XSS defence features implemented in web application programs |
| title_fullStr |
Auditing the XSS defence features implemented in web application programs |
| title_full_unstemmed |
Auditing the XSS defence features implemented in web application programs |
| title_sort |
auditing the xss defence features implemented in web application programs |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2012 |
| url |
https://ink.library.smu.edu.sg/sis_research/4928 |
| _version_ |
1770575098101628928 |