Publication Type
Conference Paper
Version
publishedVersion
Publication Date
7-2010
Abstract
The majority of attacks on web applications today are carried out through input manipulation in order to cause unintended actions of these applications. These attacks exploit the weaknesses of web applications in preventing the manipulation of inputs. Among these attacks, cross site scripting, in which malicious input is submitted to perform unintended actions on an HTML response page, is a common type of attack. This paper proposes an approach for thorough auditing of code to defend against cross site scripting attacks. Based on the possible methods of implementing defenses against cross site scripting attacks, the approach extracts all such defenses implemented in code so that developers, testers or auditors can check the extracted output to examine its adequacy. We have also evaluated the feasibility and effectiveness of the proposed approach by applying it to audit a set of real-world applications.
Keywords
Cross Site Scripting, Static Analysis, Code Auditing, Input Validation and Filtering
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
International Conference on Security and Cryptography
City or Country
Greece
Citation
SHAR, Lwin Khin and TAN, Hee Beng Kuan.
Auditing the defense against cross site scripting in web applications. (2010). International Conference on Security and Cryptography.
Available at: https://ink.library.smu.edu.sg/sis_research/4783
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://ieeexplore.ieee.org/document/5741657