Automatic Detection and Fixing of Java XXE Vulnerabilities Using Static Source Code Analysis and Instance Tracking
Saved in:
| Title: | Automatic Detection and Fixing of Java XXE Vulnerabilities Using Static Source Code Analysis and Instance Tracking |
|---|---|
| Authors: | Molland, Torstein, Nesbakken, Andreas, Li, Jingyue |
| Source: | Norsk Informatikkonferanse (NIK); Nr 3 (2022): NISK Norsk informasjonssikkerhetskonferanse ; Norsk IKT-konferanse for forskning og utdanning; No. 3 (2022): NISK Norsk informasjonssikkerhetskonferanse ; 1892-0721 |
| Publisher Information: | NIKT Foundation |
| Publication Year: | 2023 |
| Collection: | BIBSYS: Open Journals Systems |
| Description: | Web security is an important part of any web-based software system. XML External Entity (XXE) attacks are one of web applications’ most significant security risks. A successful XXE attack can have severe consequences like Denial-of-Service (DoS), remote code execution, and information extraction. Many Java codes are vulnerable to XXE due to missing the proper setting of the parser’s security attributes after initializing the instance of the parser. To fix such vulnerabilities, we invented a novel instance tracking approach to detect Java XXE vulnerabilities and integrated the approach into a vulnerability detection plugin of Integrated Development Environment (IDE). We have also implemented auto-fixes for the identified XXE vulnerabilities by modifying the source code’s Abstract Syntax Tree (AST). The detection and auto-fixing approaches were evaluated using typical Java code vulnerable to XXE. The evaluation results showed that our detection approach provided 100% precision and recall in detecting the XXE vulnerabilities and correctly fixed 86% of the identified vulnerabilities. |
| Document Type: | article in journal/newspaper |
| File Description: | application/pdf |
| Language: | English |
| Relation: | https://ojs.bibsys.no/index.php/NIK/article/view/1018/875; https://ojs.bibsys.no/index.php/NIK/article/view/1018 |
| Availability: | https://ojs.bibsys.no/index.php/NIK/article/view/1018 |
| Rights: | Copyright (c) 2023 Norsk IKT-konferanse for forskning og utdanning |
| Accession Number: | edsbas.58BA26E |
| Database: | BASE |
Nájsť tento článok vo Web of Science Be the first to leave a comment!