Auditing the defense against cross site scripting in web applications

SECRYPT 2010 - Proceedings of the International Conference on Security and Cryptography

Volumn , Issue , 2010, Pages 505-511

  Shar, Lwin Khin ^a   Tan, Hee Beng Kuan ^a  

^a NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

Author keywords

Code auditing; Cross site scripting; Input validation and filtering; Static analysis

Indexed keywords

CODE AUDITING; CROSS SITE SCRIPTING; INPUT VALIDATION; REAL-WORLD APPLICATION; WEB APPLICATION;

CRYPTOGRAPHY; NETWORK SECURITY; WORLD WIDE WEB;

STATIC ANALYSIS;

EID: 78651471115     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (20)

1. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. (2008). Saner: Composing static and dynamic analysis to validate sanitization in web applications. In S&P '08: Proceedings of the IEEE Symposium on Security and Privacy, 387-401.
2. Bisht, P. and Venkatakrishnan, V. N. (2008). XSS-Guard: Precise dynamic prevention of cross-site scripting attacks. In DIMVA '08: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 23-43.
3. GotoCode (n.d.). Open source web applications. Retrieved August 23, 2009, from http://www.gotocode.com
4. Hayes, J. H. and Offutt, J. (2006). Input validation analysis and testing. Empirical Software Engineering, 11, 493-522.
5. Ismail O., Eto M., Kadobayashi Y., and Yamaguchi S. (2004). A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In AINA '04: Proceedings of the 8th International Conference on Advanced Information Networking and Applications, 145-151.
6. th International conference on World Wide Web, 601-610.
7. Johns, M., Engelmann, B., and Posegga, J. (2008). XSSDS: Server-side detection of cross-site scripting attacks. In ACSAC '08: 2008 Annual Computer Security Applications Conference, 335-344.
8. Jovanovic, N., Kruegel, C., and Kirda, E. (2006). Pixy: a static analysis tool for detecting web application vulnerabilities. In S&P '06: Proceedings of the IEEE Symposium on Security and Privacy, 258-263.
9. Kirda, E., Kraegel, C., Vigna, G., Jovanovic, N. (2009). Client-side cross-site scripting protection. Computers & Security, 28, 592-604.
10. Kruegel C and Vigna G. (2003). Anomaly detection of web-based attacks. In CCS '03: Proceedings of the 10th ACM Conference on Computer and Communication Security, 251-261.
11. Li, N., Wu, J., Jin, M. Z., and Liu, C. (2007). Web application model recovery for user input validation testing. In ICSEA '07: 2nd International Conference on Software Engineering Advances, 85-90.
12. Liu, H. and Tan, H. B. K. (2009). Covering code behavior on input validation in functional testing. Information and Software Technology, 51, 546-553.
13. Livshits V. B. and Lam M. S. (2005). Finding security errors in Java programs with static analysis. In USENIX Security '05: Proceedings of the 14th Usenix Security Symposium, 271-286.
14. Louw, M. T., Venkatakrishnan, V. N. (2009). Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In S&P '09: Proceedings of the 30th IEEE Symposium on Security and Privacy, 331-346.
15. OWASP (May 14, 2009). Reviewing Code for Cross-site scripting. Retrieved January 10, 2010, from http://www.owasp.org/index.php/Reviewing-Code-for-Cross- site-scripting
16. OWASP (January 6, 2010). XSS Prevention Cheat Sheet. Retrieved January 10, 2010, from http://www.owasp.org/index.php/XSS-(Cross-Site-Scripting)- Prevention-Cheat-Sheet
17. Sinha, S., Harrold M. J., and Rothermel G. (2001). Interprocedural control dependence. ACM Transactions on Software Engineering and Methodology, 10, 209-254.
18. Soot (2008). Soot: a Java Optimization Framework. Retrieved February 12, 2009, from http://www.sable.mcgill.ca/soot/
19. Wassermann, G. and Su, Z. (2008). Static detection of cross-site scripting vulnerabilities. In ICSE '08: Proceedings of the 30th International Conference on Software Engineering, 171-180.
20. Xie, Y. and Aiken, A. (2006). Static detection of security vulnerabilities in scripting languages. In USENIX Security '06: Proceedings of the 15th USENIX Security Symposium, 179-192.