DocumentCode :
492576
Title :
Static detection of cross-site scripting vulnerabilities
Author :
Wassermann, Gary ; Su, Zhendong
Author_Institution :
Univ. of California, Davis, CA
fYear :
2008
fDate :
10-18 May 2008
Firstpage :
171
Lastpage :
180
Abstract :
Web applications support many of our daily activities, but they often have security problems, and their accessibility makes them easy to exploit. In cross-site scripting (XSS), an attacker exploits the trust a Web client (browser) has for a trusted server and executes injected script on the browser with the server's privileges. In 2006, XSS constituted the largest class of newly reported vulnerabilities, making it the most prevalent class of attacks today. Web applications have XSS vulnerabilities because the validation they perform on untrusted input does not suffice to prevent that input from invoking a browser's JavaScript interpreter, and this validation is particularly difficult to get right if it must admit some HTML mark-up. Most existing approaches to finding XSS vulnerabilities are taint-based and assume input validation functions to be adequate, so they either miss real vulnerabilities or report many false positives. This paper presents a static analysis for finding XSS vulnerabilities that directly addresses weak or absent input validation. Our approach combines work on tainted information flow with string analysis. Proper input validation is difficult largely because of the many ways to invoke the JavaScript interpreter; we face the same obstacle when checking for vulnerabilities statically, and we address it by formalizing a policy based on the W3C recommendation, the Firefox source code, and online tutorials about closed-source browsers. We provide effective checking algorithms based on our policy. We implement our approach and provide an extensive evaluation that finds both known and unknown vulnerabilities in real-world web applications.
Keywords :
Internet; program diagnostics; program verification; security of data; Firefox source code; HTML mark-up; JavaScript interpreter; W3C recommendation; Web applications; Web client; closed-source browsers; cross-site scripting vulnerabilities; obstacle checking; static detection; string analysis; trusted server; Application software; Data analysis; Displays; HTML; Information analysis; Information filtering; Information filters; Internet; Java; MySpace; cross-site scripting; input validation; static analysis; web applications;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Engineering, 2008. ICSE '08. ACM/IEEE 30th International Conference on
Conference_Location :
Leipzig
ISSN :
0270-5257
Print_ISBN :
978-1-4244-4486-1
Electronic_ISBN :
0270-5257
Type :
conf
DOI :
10.1145/1368088.1368112
Filename :
4814128
Link To Document :