Automated removal of cross site scripting vulnerabilities in web applications

Author

Lwin Khin SHAR, Singapore Management UniversityFollow
Hee Beng Kuan TAN

Publication Type

Journal Article

Version

publishedVersion

Publication Date

12-2011

Abstract

Context: Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts in web pages via such inputs such that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in the programs or prevention of real time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities if not removed could be exploited anytime. Objective: To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications. Method: Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms which prevent input values from causing any script execution. Results: We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach based on the experiments on five Java-based web applications. Conclusion: Our evaluation has shown that the tool can be applied to real-world web applications and it automatically removed all the real XSS vulnerabilities in the test subjects.

Keywords

Cross site scripting, Injection vulnerability, Character escaping, Encoding, Web security, Automated bug fixing

Discipline

Information Security | Software Engineering

Research Areas

Cybersecurity

Publication

Information and Software Technology

Volume

54

Issue

5

First Page

467

Last Page

478

ISSN

0950-5849

Identifier

10.1016/j.infsof.2011.12.006

Publisher

Elsevier

Citation

SHAR, Lwin Khin and TAN, Hee Beng Kuan. Automated removal of cross site scripting vulnerabilities in web applications. (2011). Information and Software Technology. 54, (5), 467-478.
Available at: https://ink.library.smu.edu.sg/sis_research/4897

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1016/j.infsof.2011.12.006