Identifying Cross Site Scripting Vulnerabilities in Web Applications / Di Lucca, G. A.; Fasolino, Anna Rita; Mastroianni, M.; Tramontana, Porfirio. - PRINT. - (2004), pp. 71-80. (Paper presented at the WSE 2004 conference, held in Chicago, IL, US on 11 September 2004) [10.1109/WSE.2004.10013].
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Fasolino, Anna Rita; Tramontana, Porfirio
2004
Abstract
Cross Site Scripting (XSS) is a vulnerability of a Web application that is essentially caused by the failure of the application to check user input before returning it to the client's web browser. Without adequate validation, user input may include malicious code that may be sent to other clients and unexpectedly executed by their browsers, thus causing a security attack. Techniques to prevent this type of attack require that all application input be checked and filtered, encoded, or validated before it is sent to any user. In order to discover the XSS vulnerabilities in a Web application, traditional source code analysis techniques can be exploited. In this paper, in order to assess the XSS vulnerability of a Web application, an approach that combines static and dynamic analysis of the Web application is presented. Static analysis based criteria have been defined to detect potential vulnerabilities in the server pages of a Web application, while a process of dynamic analysis has been proposed in order to detect actual vulnerabilities. Some case studies have been carried out, giving encouraging results.

File | Size | Format
---|---|---
DiLucca_G.pdf (not available; type: post-print document; licence: private/restricted access) | 418.89 kB | Adobe PDF
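The abstract describes two complementary steps: a static criterion that flags server pages in which a request parameter can reach the HTML output without being filtered or encoded (a potential vulnerability), and a dynamic check that sends a probe through the page to confirm whether the reflected output is actually unencoded. The following Python block is an added illustration of that two-step idea and is not code from the paper; the sample "server pages", the `request.args[...]` input convention, the `html.escape` encoder pattern and the probe string are all constructed assumptions for the example.

```python
import html
import re

# --- Constructed sample "server pages" (invented for this example) ---
# Each entry maps a file name to one line of page source that builds the
# HTML response. None of these come from the paper or a real application.
SERVER_PAGES = {
    "greet_raw.py": 'return "<p>Hello " + request.args["name"] + "</p>"',
    "greet_encoded.py": 'return "<p>Hello " + html.escape(request.args["name"]) + "</p>"',
    "static_only.py": 'return "<p>Hello world</p>"',
}

# Static criterion (illustrative): a request parameter appears in the page
# source without being wrapped in the encoder. Both patterns are assumptions
# about how the sample pages read input and encode output.
INPUT_RE = re.compile(r'request\.(?:args|form|cookies)\[[^\]]+\]')
ENCODED_INPUT_RE = re.compile(
    r'html\.escape\(\s*request\.(?:args|form|cookies)\[[^\]]+\]\s*\)'
)


def statically_potential_xss(source: str) -> bool:
    """Flag a page as a *potential* XSS sink when at least one input reference
    is not enclosed by the encoder. A static criterion only points at
    candidates; it cannot by itself show that the output is exploitable."""
    inputs = len(INPUT_RE.findall(source))
    encoded = len(ENCODED_INPUT_RE.findall(source))
    return inputs > encoded


def scan_server_pages(pages: dict) -> list:
    """Return the names of the pages the static criterion flags, sorted."""
    return sorted(name for name, src in pages.items() if statically_potential_xss(src))


# --- Dynamic confirmation on runnable versions of the sample pages ---
def render_greeting_vulnerable(name: str) -> str:
    # The 'before' page: user input is concatenated straight into HTML.
    return "<p>Hello " + name + "</p>"


def render_greeting_encoded(name: str) -> str:
    # The hardened page: HTML entity encoding is applied before output, so
    # markup characters in the input are shown as text rather than parsed.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


# Constructed probe: harmless, but it carries the characters an encoder must
# neutralize, so its verbatim presence in a response means no encoding happened.
PROBE = "<probe-tag>"


def dynamically_vulnerable(render_page) -> bool:
    """Dynamic criterion: send the probe through the page and check whether the
    response carries it back unencoded. True means the potential vulnerability
    is an actual one for this page and parameter."""
    return PROBE in render_page(PROBE)


if __name__ == "__main__":
    print("statically flagged pages:", scan_server_pages(SERVER_PAGES))
    print("raw page actually vulnerable:", dynamically_vulnerable(render_greeting_vulnerable))
    print("encoded page actually vulnerable:", dynamically_vulnerable(render_greeting_encoded))
```

The static scan reports `greet_raw.py` only; the dynamic probe then confirms that the raw rendering reflects markup unchanged while the encoded rendering returns `&lt;probe-tag&gt;`. In a real assessment the static step narrows the set of pages and parameters to exercise, and the dynamic step is what separates a false positive from a confirmed reflection point.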
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.