• DocumentCode
    1676149
  • Title
    Program Slicing Stored XSS Bugs in Web Application
  • Author
    Wang, Yi ; Li, Zhoujun ; Guo, Tao

  • Author_Institution
    Sch. of Comput. Sci. & Eng., BeiHang Univ., Beijing, China
  • fYear
    2011
  • Firstpage
    191
  • Lastpage
    194
  • Abstract
    Web applications are vulnerable targets of security attacks. Among the well-known attack types, Cross-Site Scripting (XSS), the most threatening variant is Stored XSS. Most static analysis methods address Reflected XSS, and few concentrate on Stored XSS, which is more devastating; moreover, pure static analysis yields a high false positive rate. We therefore present a static Stored XSS detection algorithm integrated with program slicing, which generates the slices of a web application related to a possible Stored XSS. Each slice is composed of two parts, threat injection and threat release, which together reconstruct a Stored XSS attack scenario. The slices are of great value for later manual checking or for dynamic analysis. For manual checking, the programmer can directly inspect the code related to a possible vulnerability. For dynamic analysis or model checking, program coverage can be large or even complete because of the small size of the slices.
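    The two-part slice described in the abstract, as an added illustration that is not the paper's own implementation: a toy backward slicer over a constructed, straight-line PHP-like guestbook. A "threat injection" slice is the backward slice of a storage write that reaches request input; a "threat release" slice is the backward slice of an output statement that reaches a storage read; the two are paired through the shared storage location (a table column here). Treating htmlspecialchars() as a taint-killing sanitizer on either side, the Stmt representation, the db_insert/db_select names and the column keys are all assumptions of this example, not details taken from the paper.

```python
"""Toy stored-XSS slicer: pairs 'threat injection' slices (request input
flowing into a storage write) with 'threat release' slices (storage read
flowing into page output) through a shared storage location.

Added example, not the paper's implementation. Handles straight-line code
only: no branches, loops or calls beyond the modelled kinds."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stmt:
    line: int
    code: str
    kind: str                      # source | assign | sanitize | store | load | sink
    defs: frozenset = frozenset()  # variables written by the statement
    uses: frozenset = frozenset()  # variables read by the statement
    key: Optional[str] = None      # storage location for store/load


def S(line, code, kind, defs=(), uses=(), key=None):
    return Stmt(line, code, kind, frozenset(defs), frozenset(uses), key)


# Constructed guestbook program (assumed, not from the paper). The author
# column is escaped before the write, the body column is not; line 11
# escapes on output, line 9 does not.
PROGRAM = [
    S(1,  "$name = $_POST['name'];",                 'source',   defs=['name']),
    S(2,  "$msg  = $_POST['msg'];",                  'source',   defs=['msg']),
    S(3,  "$safe = htmlspecialchars($name);",       'sanitize', defs=['safe'],    uses=['name']),
    S(4,  "db_insert('comments.author', $safe);",    'store',    uses=['safe'],    key='comments.author'),
    S(5,  "db_insert('comments.body', $msg);",       'store',    uses=['msg'],     key='comments.body'),
    S(6,  "$authors = db_select('comments.author');",'load',     defs=['authors'], key='comments.author'),
    S(7,  "$bodies  = db_select('comments.body');",  'load',     defs=['bodies'],  key='comments.body'),
    S(8,  "echo $authors;",                          'sink',     uses=['authors']),
    S(9,  "echo $bodies;",                           'sink',     uses=['bodies']),
    S(10, "$esc = htmlspecialchars($bodies);",      'sanitize', defs=['esc'],     uses=['bodies']),
    S(11, "echo $esc;",                              'sink',     uses=['esc']),
]


def reaching_def(program, var, before_line):
    """Latest definition of var before before_line (straight-line code)."""
    for s in reversed(program):
        if s.line < before_line and var in s.defs:
            return s
    return None


def backward_slice(program, stmt, stop_at=('sanitize',)):
    """Statements that stmt transitively depends on through data flow.
    A statement whose kind is in stop_at joins the slice but is not
    traversed further: this models a sanitizer killing taint (assumption)."""
    slice_, work = {stmt.line: stmt}, [stmt]
    while work:
        cur = work.pop()
        if cur.kind in stop_at:
            continue
        for v in cur.uses:
            d = reaching_def(program, v, cur.line)
            if d is not None and d.line not in slice_:
                slice_[d.line] = d
                work.append(d)
    return slice_


def injection_slices(program):
    """Storage writes reachable from request input with no sanitizer in between."""
    out = {}
    for s in program:
        if s.kind == 'store':
            sl = backward_slice(program, s)
            if any(t.kind == 'source' for t in sl.values()):
                out.setdefault(s.key, []).append(sl)
    return out


def release_slices(program):
    """Output statements that depend on a storage read, keyed by location."""
    out = {}
    for s in program:
        if s.kind == 'sink':
            sl = backward_slice(program, s)
            for t in sl.values():
                if t.kind == 'load':
                    out.setdefault(t.key, []).append(sl)
    return out


def stored_xss_candidates(program):
    """Pair injection and release slices that share a storage key.
    Returns {key: (sorted injection lines, sorted release lines)}."""
    inj, rel = injection_slices(program), release_slices(program)
    return {
        key: (sorted({ln for sl in inj[key] for ln in sl}),
              sorted({ln for sl in rel[key] for ln in sl}))
        for key in inj.keys() & rel.keys()
    }


if __name__ == "__main__":
    by_line = {s.line: s for s in PROGRAM}
    for key, (inj, rel) in stored_xss_candidates(PROGRAM).items():
        print(f"possible stored XSS through {key}")
        print("  threat injection:", [f"{n}: {by_line[n].code}" for n in inj])
        print("  threat release:  ", [f"{n}: {by_line[n].code}" for n in rel])
```

    Only comments.body is reported: its injection slice is lines 2 and 5 and its release slice lines 7 and 9, which is the whole attack scenario a reviewer needs to read. comments.author drops out on the injection side because the write is fed through the sanitizer at line 3, and the escaped output at line 11 never produces a release slice because traversal stops at line 10 before reaching the load. A real implementation needs control-flow and inter-procedural handling, alias analysis for the storage keys, and a sanitizer model that distinguishes output contexts (HTML body, attribute, JavaScript, URL); this toy assumes a single context.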
  • Keywords
    Internet; formal verification; program debugging; program slicing; security of data; Web applications; cross-site scripting; dynamic analysis; high false positive rate; manual checking; model checking; program slicing stored XSS bugs; pure static analysis; reflected XSS; security attacks; static stored XSS detection algorithm; threat injection; threat release; Algorithm design and analysis; Arrays; Browsers; Computer bugs; Databases; Detection algorithms; Security; Program Slicing; Static Analysis; Stored Cross-Site Scripting; Web Application;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Theoretical Aspects of Software Engineering (TASE), 2011 Fifth International Symposium on
  • Conference_Location
    Xi'an, Shaanxi
  • Print_ISBN
    978-1-4577-1487-0
  • Type
    conf
  • DOI
    10.1109/TASE.2011.43
  • Filename
    6041609