Article (Scientific journals)
Automated removal of cross site scripting vulnerabilities in web applications
SHAR, Lwin Khin; Tan, Hee Beng Kuan
2012In Information and Software Technology, 54 (5), p. 467-478
Peer reviewed
 

Files


Full Text
IST_Removal.pdf
Publisher postprint (582.76 kB)
Request a copy

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
cross site scripting; automated bug fixing; escaping
Abstract :
[en] Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts in web pages via such inputs such that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in the programs or prevention of real time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities if not removed could be exploited anytime. To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications. Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms which prevent input values from causing any script execution. We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach based on the experiments on five Java-based web applications. Our evaluation has shown that the tool can be applied to real-world web applications and it automatically removed all the real XSS vulnerabilities in the test subjects.
Disciplines :
Computer science
Author, co-author :
SHAR, Lwin Khin ;  Nanyang Technological University > Information Engineering
Tan, Hee Beng Kuan;  Nanyang Technological University > Information Engineering
External co-authors :
yes
Language :
English
Title :
Automated removal of cross site scripting vulnerabilities in web applications
Publication date :
2012
Journal title :
Information and Software Technology
Volume :
54
Issue :
5
Pages :
467-478
Peer reviewed :
Peer reviewed
Available on ORBilu :
since 24 June 2014

Statistics


Number of views
105 (5 by Unilu)
Number of downloads
1 (1 by Unilu)

Scopus citations®
 
74
Scopus citations®
without self-citations
71
OpenCitations
 
46
OpenAlex citations
 
78
WoS citations
 
51

Bibliography


Similar publications



Contact ORBilu