Automated removal of cross site scripting vulnerabilities in web applications
Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts in...
Saved in:
| Published in: | Information and software technology, Volume 54, Issue 5, pp. 467-478 |
|---|---|
| Main authors: | Shar, Lwin Khin; Tan, Hee Beng Kuan |
| Format: | Journal Article |
| Language: | English |
| Published: | Amsterdam: Elsevier B.V, 01.05.2012 (Elsevier Science Ltd) |
| Subjects: | |
| ISSN: | 0950-5849, 1873-6025 |
| Online access: | Get full text |
| Abstract | Cross site scripting (XSS) vulnerability is among the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts into web pages via such inputs, so that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in the programs or on prevention of real-time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities, if not removed, could be exploited at any time. To address this issue, this paper presents an approach for removing XSS vulnerabilities in web applications. Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms which prevent input values from causing any script execution. We developed a tool, saferXSS, to implement the proposed approach. Using the tool, we evaluated the applicability and effectiveness of the proposed approach based on experiments on five Java-based web applications. Our evaluation has shown that the tool can be applied to real-world web applications and that it automatically removed all the real XSS vulnerabilities in the test subjects. |
|---|---|
| Author | Shar, Lwin Khin; Tan, Hee Beng Kuan |
| ContentType | Journal Article |
| Copyright | 2011 Elsevier B.V. Copyright Elsevier Science Ltd. May 2012 |
| DOI | 10.1016/j.infsof.2011.12.006 |
| EISSN | 1873-6025 |
| EndPage | 478 |
| Genre | Feature |
| ISICitedReferencesCount | 52 |
| ISSN | 0950-5849 |
| IsDoiOpenAccess | false |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 5 |
| Keywords | Injection vulnerability; Encoding; Web security; Character escaping; Automated bug fixing; Cross site scripting |
| Language | English |
| License | https://www.elsevier.com/tdm/userlicense/1.0 |
| PageCount | 12 |
| PublicationDate | 2012-05-01 |
| PublicationPlace | Amsterdam |
| PublicationTitle | Information and software technology |
| PublicationYear | 2012 |
| Publisher | Elsevier B.V; Elsevier Science Ltd |
| StartPage | 467 |
| SubjectTerms | Automated bug fixing; Character escaping; Codes; Computer programs; Cross site scripting; Cybersecurity; Encoding; Injection vulnerability; Internet; Java (programming language); Mathematical analysis; Scripts; Software engineering; Studies; Systems development; Vectors (mathematics); Web security; Websites; World Wide Web |
| Title | Automated removal of cross site scripting vulnerabilities in web applications |
| URI | https://dx.doi.org/10.1016/j.infsof.2011.12.006 ; https://www.proquest.com/docview/924133398 ; https://www.proquest.com/docview/1221878876 |
| Volume | 54 |