
2015 | Original Paper | Book chapter

Bidirectional Analysis Method of Static XSS Defect Detection Technique Based On Database Query Language

Authors: Baojiang Cui, Tingting Hou, Baolian Long, Lingling Xu

Published in: Transactions on Computational Collective Intelligence XIX

Publisher: Springer Berlin Heidelberg


Abstract

With the wide use of web applications, XSS vulnerabilities have become one of the most common security problems and have caused many serious losses. In this paper, building on database query language techniques, we put forward a static analysis method for XSS defect detection in Java web applications that analyzes data flow in reverse. The method first converts JSP files to Servlet files, then uses the mock test method to generate calls for all Java code automatically so that it can be analyzed comprehensively. The methods where an XSS security defect may occur are obtained by big data analysis. Starting from these methods, we analyze the data flow and program semantics in reverse to detect XSS defects by judging whether the value can be introduced by user input without a filter. Moreover, to trace the taint path and improve analysis precision, we put forward a bidirectional analysis: starting from the results of the reverse analysis, we analyze the data flow forward to trace the taint path. These two methods effectively reduce the analysis work that a purely forward analysis requires. Experiments on several open source Java web projects showed that the bidirectional and reverse methods not only improved detection efficiency but also improved detection accuracy for XSS defects.
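As an added illustration of the reverse-then-forward analysis the abstract describes (example code written for this page, not the authors' implementation), the following Python models a Servlet's data flow as a small constructed graph; the source, sink and sanitizer node names are assumed placeholders standing for request.getParameter, out.print and an HTML-encoding filter.

```python
from collections import defaultdict, deque

# Constructed data-flow edges (a, b): a flows into b; names are illustrative Servlet statements.
FLOWS = [
    ('request.getParameter("name")', "name"),
    ("name", "greeting"),
    ("greeting", "out.print(greeting)"),
    ('request.getParameter("msg")', "msg"),
    ("msg", "encodeForHTML(msg)"),  # assumed sanitizer call
    ("encodeForHTML(msg)", "out.print(safeMsg)"),
]
SOURCES = {'request.getParameter("name")', 'request.getParameter("msg")'}
SINKS = {"out.print(greeting)", "out.print(safeMsg)"}
SANITIZERS = {"encodeForHTML(msg)"}

def reverse_sources(sink, rev):
    # Reverse phase: walk predecessors from the sink without crossing a
    # sanitizer; the sources left in `seen` reach the sink unfiltered.
    seen, todo = {sink}, deque([sink])
    while todo:
        for p in rev[todo.popleft()]:
            if p not in seen and p not in SANITIZERS:
                seen.add(p)
                todo.append(p)
    return seen & SOURCES

def forward_path(source, sink, fwd):
    # Forward phase: BFS from a confirmed source to recover the taint path,
    # i.e. the statement sequence a reviewer needs to verify the finding.
    parent, todo = {source: None}, deque([source])
    while todo:
        n = todo.popleft()
        for s in fwd[n]:
            if s not in parent and s not in SANITIZERS:
                parent[s] = n
                todo.append(s)
    path, n = [], (sink if sink in parent else None)  # empty path if unreachable
    while n is not None:
        path.append(n)
        n = parent[n]
    return path[::-1]

def detect_xss(flows=FLOWS, sinks=SINKS):
    # Only sinks confirmed by the reverse phase are traced forward.
    fwd, rev = defaultdict(list), defaultdict(list)
    for a, b in flows:
        fwd[a].append(b)
        rev[b].append(a)
    return {s: forward_path(src, s, fwd) for s in sinks for src in reverse_sources(s, rev)}
```

Running detect_xss() reports only the unsanitized sink together with its source-to-sink path; the sink fed through the encoder is dropped in the reverse phase and never costs a forward trace.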


Metadata
Title
Bidirectional Analysis Method of Static XSS Defect Detection Technique Based On Database Query Language
Authors
Baojiang Cui
Tingting Hou
Baolian Long
Lingling Xu
Copyright year
2015
Publisher
Springer Berlin Heidelberg
DOI
https://doi.org/10.1007/978-3-662-49017-4_3