Title :
Program Slicing Stored XSS Bugs in Web Application
Author :
Wang, Yi ; Li, Zhoujun ; Guo, Tao
Author_Institution :
Sch. of Comput. Sci. & Eng., BeiHang Univ., Beijing, China
Abstract :
Web applications are vulnerable targets of security attacks. Among the well-known attack type - XSS (Cross-Site Scripting), the most threatening is Stored XSS. Since most static analysis methods refer to Reflected XSS but few concentrate on Stored XSS, which is more devastating, plus the fact that pure static analysis offers a high false positive rate, we present a static Stored XSS detection algorithm integrated with a program slicing method to generate the slices of a web application related to possible Stored XSS. The slices are composed of two parts, threat injection and threat release, which reconstruct a Stored XSS attack scenario. They are of great value for later manual checking or other dynamic analysis. For manual checking, the programmer can directly check the code related to possible vulnerabilities. For dynamic analysis or model checking, the program coverage can be large or even complete because of the small size of these slices.
Keywords :
Internet; formal verification; program debugging; program slicing; security of data; Web applications; cross-site scripting; dynamic analysis; high false positive rate; manual checking; model checking; program slicing stored XSS bugs; pure static analysis; reflected XSS; security attacks; static stored XSS detection algorithm; threat injection; threat release; Algorithm design and analysis; Arrays; Browsers; Computer bugs; Databases; Detection algorithms; Security; Program Slicing; Static Analysis; Stored Cross-Site Scripting; Web Application;
Conference_Title :
Theoretical Aspects of Software Engineering (TASE), 2011 Fifth International Symposium on
Conference_Location :
Xi'an, Shaanxi
Print_ISBN :
978-1-4577-1487-0
DOI :
10.1109/TASE.2011.43