Automatic Detection and Fixing of Java XXE Vulnerabilities Using Static Source Code Analysis and Instance Tracking

Saved in:
Detailed bibliography
Title: Automatic Detection and Fixing of Java XXE Vulnerabilities Using Static Source Code Analysis and Instance Tracking
Authors: Molland, Torstein; Nesbakken, Andreas; Li, Jingyue
Source: Norsk Informatikkonferanse (NIK), No. 3 (2022): NISK Norsk informasjonssikkerhetskonferanse; Norsk IKT-konferanse for forskning og utdanning; ISSN 1892-0721
Publisher information: NIKT Foundation
Publication year: 2023
Collection: BIBSYS: Open Journals Systems
Description: Web security is an important part of any web-based software system. XML External Entity (XXE) attacks are one of the most significant security risks for web applications. A successful XXE attack can have severe consequences such as Denial-of-Service (DoS), remote code execution, and information extraction. Much Java code is vulnerable to XXE because the parser's security attributes are not set properly after the parser instance is initialized. To fix such vulnerabilities, we invented a novel instance tracking approach to detect Java XXE vulnerabilities and integrated the approach into a vulnerability detection plugin for an Integrated Development Environment (IDE). We have also implemented auto-fixes for the identified XXE vulnerabilities by modifying the source code's Abstract Syntax Tree (AST). The detection and auto-fixing approaches were evaluated using typical Java code vulnerable to XXE. The evaluation results showed that our detection approach provided 100% precision and recall in detecting the XXE vulnerabilities and correctly fixed 86% of the identified vulnerabilities.
Document type: article in journal/newspaper
File description: application/pdf
Language: English
Relation: https://ojs.bibsys.no/index.php/NIK/article/view/1018/875; https://ojs.bibsys.no/index.php/NIK/article/view/1018
Availability: https://ojs.bibsys.no/index.php/NIK/article/view/1018
Rights: Copyright (c) 2023 Norsk IKT-konferanse for forskning og utdanning
Accession number: edsbas.58BA26E
Database: BASE