Automated removal of cross site scripting vulnerabilities in web applications

Information and Software Technology

Volumn 54, Issue 5, 1970, Pages 467-478

  Shar, Lwin Khin ^a   Tan, Hee Beng Kuan ^a  

^a NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

Author keywords

Automated bug fixing; Character escaping; Cross site scripting; Encoding; Injection vulnerability; Web security

Indexed keywords

ENCODING (SYMBOLS); PATTERN MATCHING; WEBSITES;

BUG-FIXING; CHARACTER ESCAPING; CROSS SITE SCRIPTING; PATTERN-MATCHING TECHNIQUE; PROGRAM SOURCE CODES; SECURITY VIOLATIONS; WEB APPLICATION VULNERABILITY; WEB SECURITY;

STATIC ANALYSIS;

EID: 84855479474     PISSN: 09505849     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infsof.2011.12.006     Document Type: Article

References (39)

1. OWASP, November 2009, OWASP Top Ten project 2010. < http://www.owasp.org> (accessed January 2010).
2. CWE/SANS, 2010, Top 25 Most Dangerous Programming Errors. < http://www.applicure.com/blog/cwe-sans-top-25-dangerous-programming-errors> (accessed June 2010).
3. CWE, June 2010, CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). < http://cwe.mitre.org/data/definitions/79.html> (accessed June 2010).
4. OWASP, June 2010, XSS (Cross Site Scripting) Prevention Cheat Sheet. < http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet> (accessed January 2010).
5. US-CERT, Microsoft.NET Framework Contains a Cross-Site Scripting Vulnerability, October 2006. < http://www.kb.cert.org/vuls/id/455604> (accessed January 2010).
6. May 2010, Vodafone.com XSS helps you trace unregistered “Pay As You Go” subscribers. < http://www.xssed.com/newslist> (accessed June 2010).
7. A. Mueller, Cross Site Scripting (XSS), May 2009. < http://elegantcode.com/2009/05/28/cross-site-scripting-xss/> (accessed January 2010).
8. ESAPI, OWASP Enterprise Security API, 2009. < http://www.owasp.org/index.php/ESAPI#tab=Project_Details> (accessed February 2010).
9. A. Klein, July 2005, DOM based Cross Site Scripting or XSS of the Third Kind. < http://www.webappsec.org/projects/articles/071105.shtml> (accessed April 2010).
10. L.K. Shar, H.B.K. Tan, Auditing the defense against cross site scripting in web applications, in: Proceedings of the 5th International Conference on Security and Cryptography (SECRYPT’10), 2010, pp. 505–511.
11. Sinha, S., Harrold, M.J., Rothermel, G., Interprocedural control dependence. ACM Trans Softw Eng Methodol 10:2 (2001), 209–254.
12. Soot, June 2008. Soot: a Java Optimization Framework. < http://www.sable.mcgill.ca/soot/> (accessed February 2009).
13. W3C, 1999, HTML 4.01 Specification. < http://www.w3.org/TR/html401/> (accessed April 2010).
14. W3C, 2002, XHTML 1.0 Specification. < http://www.w3.org/TR/xhtml1/> (accessed August 2011).
15. Sourceforge, Open source website. < http://www.sourceforge.net> (accessed February 2009).
16. GotoCode, Open source website. < http://www.gotocode.com> (accessed September 2009).
17. RSnake, XSS (Cross Site Scripting) Cheat Sheet. < http://ha.ckers.org/xss.html> (accessed March 2010).
18. Thomas, S., Williams, L., Xie, T., On automated prepared statement generation to remove SQL injection vulnerabilities. Inform. Softw. Technol. 51:3 (2009), 589–598.
19. Hayes, J.H., Offutt, A.J., Input validation analysis and testing. Empirical Softw. Eng. 11:4 (2006), 493–522.
20. Liu, H., Tan, H.B.K., Testing input validation in web applications through automated model recovery. J. Syst. Softw. 81:2 (2008), 222–233.
21. Liu, H., Tan, H.B.K., Covering code behavior on input validation in functional testing. Inform. Softw. Technol. 51:2 (2009), 546–553.
22. H. Shahriar, M. Zulkernine, MUTEC: mutation-based testing of cross site scripting, in: Proceedings of the 5th International Workshop on Software Engineering for Secure Systems (SESS’09), 2009, pp. 47–53.
23. V.B. Livshits, M.S. Lam, Finding security errors in Java programs with static analysis, in: Proceedings of the 14th Usenix Security Symposium (USENIX Security’05), 2005, pp. 271–286.
24. Y. Xie, A. Aiken, Static detection of security vulnerabilities in scripting languages, in: Proceedings of the 15th USENIX Security Symposium (USENIX Security’06), 2006, pp. 179–192.
25. N. Jovanovic, C. Kruegel, E. Kirda, Pixy: a static analysis tool for detecting web application vulnerabilities, in: Proceedings of the IEEE Symposium on Security and Privacy (S&P’06), 2006, pp. 258–263.
26. Y. Minamide, Static approximation of dynamically generated web pages, in: Proceedings of the 14th International Conference on World Wide Web (WWW’05), 2005, pp. 432–441.
27. G. Wassermann, Z. Su, Static detection of cross-site scripting vulnerabilities, in: Proceedings of the 30th International Conference on Software Engineering (ICSE’08), 2008, pp. 171–180.
28. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, S.-Y. Kuo, Securing web application code by static analysis and runtime protection, in: Proceedings of the 13th International Conference on World Wide Web (WWW’04), 2004, pp. 40–52.
29. M. Martin, M.S. Lam, Automatic generation of XSS and SQL injection attacks with goal-directed model checking, in: Proceedings of the 17th USENIX Security Symposium (USENIX Security’08), 2008, pp. 31–43.
30. M.S. Lam, M. Martin, B. Livshits, J. Whaley, Securing web applications with static and dynamic information flow tracking, in: Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation, 2008, pp. 3–12.
31. D. Balzarotti, et al., Saner: composing static and dynamic analysis to validate sanitization in web applications, in: Proceedings of the IEEE Symposium on Security and Privacy, 2008, pp. 387–401.
32. G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, Z. Su, Dynamic test input generation for web applications, in: Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’10), 2008, 249–260.
33. A. Kieżun, P.J. Guo, K. Jayaraman, M.D. Ernst, Automatic creation of SQL injection and cross-site scripting attacks, in: Proceedings of the 31st International Conference on Software Engineering (ICSE’09), 2009, pp. 199–209.
34. M. Johns, B. Engelmann, J. Posegga, XSSDS: server-side detection of cross-site scripting attacks, in: Proceedings of the Annual Computer Security Applications Conference (ACSAC’08), 2008, pp. 335–344.
35. P. Bisht, V.N. Venkatakrishnan, XSS-Guard: precise dynamic prevention of cross-site scripting attacks, in: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’08), 2008, pp. 23–43.
36. W. Robertson, G. Vigna, Static enforcement of web application integrity through strong typing, in: Proceedings of the 18th USENIX Security Symposium (USENIX Security’09), 2009, pp. 283–298.
37. A. Yip, X. Wang, N. Zeldovich, M.F. Kaashoek, Improving application Security with Data Flow Assertions, in: Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP’09), 2009, pp. 291–304.
38. T. Jim, N. Swamy, M. Hicks, Defeating script injection attacks with browser-enforced embedded policies, in: Proceedings of the 16th International Conference on World Wide Web (WWW’07), 2007, pp. 601–610.
39. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N., Client-side cross-site scripting protection. Comput. Security 28 (2009), 592–604.