• DocumentCode
    2863573
  • Title

    Identifying cross site scripting vulnerabilities in Web applications

  • Author

    Di Lucca, G.A. ; Fasolino, A.R. ; Mastoianni, M. ; Tramontana, P.

  • Author_Institution
    Res. Centre on Software Technol., Sannio Univ., Benevento, Italy
  • fYear
    2004
  • fDate
    11-11 Sept. 2004
  • Firstpage
    71
  • Lastpage
    80
  • Abstract
    Cross site scripting (XSS) is a vulnerability of a Web application that is essentially caused by the failure of the application to check up on user input before returning it to the client´s Web browser. Without an adequate validation, user input may include malicious code that may be sent to other clients and unexpectedly executed by their browsers, thus causing a security attack. Techniques to prevent this type of attacks require that all application input must be checked up and filtered, encoded, or validated before sending them to any user. In order to discover the XSS vulnerabilities in a Web application, traditional source code analysis techniques can be exploited. In this paper, in order to assess the XSS vulnerability of a Web application, an approach that combines static and dynamic analysis of the Web application is presented. Static analysis based criteria have been defined to detect potential vulnerabilities in the server pages of a Web application, while a process of dynamic analysis has been proposed in order to detect actual vulnerabilities. Some case studies have been carried out, giving encouraging results.
  • Keywords
    Internet; online front-ends; security of data; telecommunication security; Web applications; Web browser; XSS vulnerabilities; cross site scripting; dynamic analysis; malicious code; security attack; server pages; source code analysis; static analysis; vulnerability detection; Conferences;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Web Site Evolution, Sixth IEEE International Workshop on (WSE'04)
  • Conference_Location
    Chicago, IL, USA
  • ISSN
    1550-4441
  • Print_ISBN
    0-7695-2224-6
  • Type

    conf

  • DOI
    10.1109/WSE.2004.10013
  • Filename
    1410997