DocumentCode
2863573
Title
Identifying cross site scripting vulnerabilities in Web applications
Author
Di Lucca, G.A. ; Fasolino, A.R. ; Mastoianni, M. ; Tramontana, P.
Author_Institution
Res. Centre on Software Technol., Sannio Univ., Benevento, Italy
fYear
2004
fDate
11-11 Sept. 2004
Firstpage
71
Lastpage
80
Abstract
Cross site scripting (XSS) is a vulnerability of a Web application that is essentially caused by the failure of the application to check up on user input before returning it to the client´s Web browser. Without an adequate validation, user input may include malicious code that may be sent to other clients and unexpectedly executed by their browsers, thus causing a security attack. Techniques to prevent this type of attacks require that all application input must be checked up and filtered, encoded, or validated before sending them to any user. In order to discover the XSS vulnerabilities in a Web application, traditional source code analysis techniques can be exploited. In this paper, in order to assess the XSS vulnerability of a Web application, an approach that combines static and dynamic analysis of the Web application is presented. Static analysis based criteria have been defined to detect potential vulnerabilities in the server pages of a Web application, while a process of dynamic analysis has been proposed in order to detect actual vulnerabilities. Some case studies have been carried out, giving encouraging results.
Keywords
Internet; online front-ends; security of data; telecommunication security; Web applications; Web browser; XSS vulnerabilities; cross site scripting; dynamic analysis; malicious code; security attack; server pages; source code analysis; static analysis; vulnerability detection; Conferences;
fLanguage
English
Publisher
ieee
Conference_Titel
Web Site Evolution, Sixth IEEE International Workshop on (WSE'04)
Conference_Location
Chicago, IL, USA
ISSN
1550-4441
Print_ISBN
0-7695-2224-6
Type
conf
DOI
10.1109/WSE.2004.10013
Filename
1410997
Link To Document