Abstract
Cross-Site Scripting (XSS) is one of the most popular methods of current network attacks. The attackers mainly put malicious script into a web page through the vulnerabilities of the web application. This paper proposes an improved approach based on reverse code audit and static analysis to detect and extract the XSS vulnerabilities in the source code of the web application. In this paper, we give the theoretical definition and implementation algorithm related to this method. Also, our method can find the location of the vulnerability and the vulnerability of data source through the data link, so that testers and developers can fix vulnerabilities in Web applications immediately. Finally, the method is verified by experiment, which show that the method can not only effectively detect the potential XSS vulnerabilities in the code, but also significantly improve the detection efficiency of XSS vulnerabilities based on static analysis.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Open Web application security project. OWASP top 10-2013. The Ten Most Critical Web Application Security Risks (2013). https://www.owasp.org/index.php/Top_10_2013
Wang, W., Li, J.: Web Application Security Threats and Prevention: Based on OWASP Top 10 and ESAPI, vol. 1. Electronic Industry Press, Beijing (2013)
Soot. Soot: a Java Optimization Framework. http://www.sable.mcgill.ca/soot/. Accessed 12 Feb. 2009
Dorigo, M., Caro, G.D., Gambardella, L.M.: Ant algorithms for discrete optimization. Artif. Life 5(2), 137–172 (1999)
Hydara, I., Sultan, A.B.M., Zulzalil, H., et al.: Current state of research on cross-site scripting (XSS)–a systematic literature review. Inf. Softw. Technol. 58, 170–186 (2014)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities (short paper). In: 2006 IEEE Symposium on Security and Privacy, pp. 258–263 (2006)
Anley, C.: Advanced SQL injection in SQL server applications. Insight Security Research (2002)
Dahse, J.: A vulnerability scanner for different kinds of vulnerabilities. http://rips-scanner.sourceforge.net
Newsome, J., Song, D.: Dynamic taint analysis for automatic dedection, analysis, and signature generation of exploits on commodity software. In: Network and Distributed System Security Symposium (NDSS) (2005)
Shar, L.K., Tan, H.B.K.: Auditing the defense against cross site scripting in web applications. In: Proceedings of the 2010 International Conference on Security and Cryptography (SECRYPT), pp. 1–7. IEEE (2010)
Sinha, S., Harrold, M.J., Rothermel, G.: Interprocedural control dependence. ACM Trans. Softw. Eng. Methodol. 10(2), 209–254 (2001)
Chen, J.F., Wang, Y.D., Zhang, Y.Q., et al.: Automatic generation of attack vectors for stored-XSS. J. Grad. Univ. Chin. Acad. Sci. 29(6), 815–820 (2012)
Tarr, P.L., Wolf, A.L.: Engineering of Software: The Continuing Contributions of Leon J, p. 58. Osterweil. Springer, Heidelberg (2011). ISBN 978-3-642-19823
WebGoat, OWASP WebGoat Project. https://www.owasp.org/index.php/Category
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Yan, F., Qiao, T. (2016). Study on the Detection of Cross-Site Scripting Vulnerabilities Based on Reverse Code Audit. In: Yin, H., et al. Intelligent Data Engineering and Automated Learning – IDEAL 2016. IDEAL 2016. Lecture Notes in Computer Science(), vol 9937. Springer, Cham. https://doi.org/10.1007/978-3-319-46257-8_17
Download citation
DOI: https://doi.org/10.1007/978-3-319-46257-8_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46256-1
Online ISBN: 978-3-319-46257-8
eBook Packages: Computer ScienceComputer Science (R0)