Auditing the XSS defence features implemented in web application programs

Lwin Khin Shar, Hee Beng Kuan Tan
{"title":"Auditing the XSS defence features implemented in web application programs","authors":"Lwin Khin Shar, Hee Beng Kuan Tan","doi":"10.1049/iet-sen.2011.0084","DOIUrl":null,"url":null,"abstract":"Cross site scripting (XSS) vulnerability is mainly caused by the failure of web applications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) the lack of understanding of XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, our approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of control flow graph, called tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method based on the experiments on seven Java-based web applications. In the auditing experiments, our approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections.","PeriodicalId":13395,"journal":{"name":"IET Softw.","volume":"56 1","pages":"377-390"},"PeriodicalIF":0.0000,"publicationDate":"2012-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"40","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Softw.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1049/iet-sen.2011.0084","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 40

Abstract

Cross site scripting (XSS) vulnerability is mainly caused by the failure of web applications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) the lack of understanding of XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, our approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of control flow graph, called tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method based on the experiments on seven Java-based web applications. In the auditing experiments, our approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections.
审计web应用程序中实现的XSS防御特性
跨站脚本(XSS)漏洞主要是由于web应用程序无法对嵌入在网页中的用户输入进行过滤而导致的。尽管开发人员和安全审计员经常使用最先进的防御编码方法和漏洞检测方法,但由于(i)采用这些方法的困难,(ii)这些方法的实现不足,和/或(iii)缺乏对XSS问题的理解,XSS缺陷仍然存在于许多应用程序中。为了解决这个问题,本研究提出了一种代码审计方法,该方法可以恢复在程序源代码中实现的防御模型,并提出了检查恢复模型是否足以抵御XSS攻击的指导方针。基于防御性编码方法的可能实现模式,我们的方法提取了为保护每个潜在易受攻击的HTML输出而实现的所有此类防御。然后介绍了控制流图的一种变体,称为污染信息流图,作为审计XSS防御工件的充分性的模型。作者在七个基于java的web应用程序上进行了实验,对所提出的方法进行了评估。在审计实验中,我们的方法有效地恢复了在测试对象中实现的所有XSS防御功能。提取的工件还被证明对过滤漏洞检测方法报告的假阳性情况很有用,并有助于修复易受攻击的代码部分。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信