AUDITING THE DEFENSE AGAINST CROSS SITE SCRIPTING IN WEB APPLICATIONS

Lwin Khin Shar, Hee Beng Kuan Tan

2010

Abstract

Majority attacks to web applications today are mainly carried out through input manipulation in order to cause unintended actions of these applications. These attacks exploit the weaknesses of web applications in preventing the manipulation of inputs. Among these attacks, cross site scripting attack -- malicious input is submitted to perform unintended actions on a HTML response page -- is a common type of attacks. This paper proposes an approach for thorough auditing of code to defend against cross site scripting attack. Based on the possible methods of implementing defenses against cross site scripting attack, the approach extracts all such defenses implemented in code so that developers, testers or auditors could check the extracted output to examine its adequacy. We have also evaluated the feasibility and effectiveness of the proposed approach by applying it to audit a set of real-world applications.

References

  1. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. (2008). Saner: Composing static and dynamic analysis to validate sanitization in web applications. In S&P 7808: Proceedings of the IEEE Symposium on Security and Privacy, 387-401.
  2. Bisht, P. and Venkatakrishnan, V. N. (2008). XSS-Guard: Precise dynamic prevention of cross-site scripting attacks. In DIMVA 7808: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 23-43.
  3. GotoCode (n.d.). Open source web applications. Retrieved August 23, 2009, from http://www.gotocode.com
  4. Hayes, J. H. and Offutt, J. (2006). Input validation analysis and testing. Empirical Software Engineering, 11, 493-522.
  5. Ismail O., Eto M., Kadobayashi Y., and Yamaguchi S. (2004). A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In AINA 7804: Proceedings of the 8th International Conference on Advanced Information Networking and Applications, 145-151.
  6. Jim, T., Swamy, N., and Hicks, M. (2007). Defeating script injection attacks with browser-enforced embedded policies. In WWW 7807: Proceedings of the 16th International conference on World Wide Web, 601-610.
  7. Johns, M., Engelmann, B., and Posegga, J. (2008). XSSDS: Server-side detection of cross-site scripting attacks. In ACSAC 7808: 2008 Annual Computer Security Applications Conference, 335-344.
  8. Jovanovic, N., Kruegel, C., and Kirda, E. (2006). Pixy: a static analysis tool for detecting web application vulnerabilities. In S&P 7806: Proceedings of the IEEE Symposium on Security and Privacy, 258-263.
  9. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N. (2009). Client-side cross-site scripting protection. Computers & Security, 28, 592-604.
  10. Kruegel C. and Vigna G. (2003). Anomaly detection of web-based attacks. In CCS 7803: Proceedings of the 10th ACM Conference on Computer and Communication Security, 251-261.
  11. Li, N., Wu, J., Jin, M. Z., and Liu, C. (2007). Web application model recovery for user input validation testing. In ICSEA 7807: 2nd International Conference on Software Engineering Advances, 85-90.
  12. Liu, H. and Tan, H. B. K. (2009). Covering code behavior on input validation in functional testing. Information and Software Technology, 51, 546-553.
  13. Livshits V. B. and Lam M. S. (2005). Finding security errors in Java programs with static analysis. In USENIX Security 7805: Proceedings of the 14th Usenix Security Symposium, 271-286.
  14. Louw, M. T., Venkatakrishnan, V. N. (2009). Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In S&P 7809: Proceedings of the 30th IEEE Symposium on Security and Privacy, 331- 346.
  15. OWASP (May 14, 2009). Reviewing Code for Cross-site scripting. Retrieved January 10, 2010, from http://www.owasp.org/index.php/Reviewing_Code_fo r_Cross-site_scripting
  16. OWASP (January 6, 2010). XSS Prevention Cheat Sheet. Retrieved January 10, 2010, from http://www.owasp.org/index.php/XSS_(Cross_Site_Sc ripting)_Prevention_Cheat_Sheet
  17. Sinha, S., Harrold M. J., and Rothermel G. (2001). Interprocedural control dependence. ACM Transactions on Software Engineering and Methodology, 10, 209-254.
  18. Soot (2008). Soot: a Java Optimization Framework. Retrieved February 12, 2009, from http://www.sable.mcgill.ca/soot/
  19. Wassermann, G. and Su, Z. (2008). Static detection of cross-site scripting vulnerabilities. In ICSE 7808: Proceedings of the 30th International Conference on Software Engineering, 171-180.
  20. Xie, Y. and Aiken, A. (2006). Static detection of security vulnerabilities in scripting languages. In USENIX Security 7806: Proceedings of the 15th USENIX Security Symposium, 179-192.
Download


Paper Citation


in Harvard Style

Khin Shar L. and Beng Kuan Tan H. (2010). AUDITING THE DEFENSE AGAINST CROSS SITE SCRIPTING IN WEB APPLICATIONS . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 505-511. DOI: 10.5220/0002963905050511


in Bibtex Style

@conference{secrypt10,
author={Lwin Khin Shar and Hee Beng Kuan Tan},
title={AUDITING THE DEFENSE AGAINST CROSS SITE SCRIPTING IN WEB APPLICATIONS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={505-511},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002963905050511},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - AUDITING THE DEFENSE AGAINST CROSS SITE SCRIPTING IN WEB APPLICATIONS
SN - 978-989-8425-18-8
AU - Khin Shar L.
AU - Beng Kuan Tan H.
PY - 2010
SP - 505
EP - 511
DO - 10.5220/0002963905050511