Bidirectional Analysis Method of Static XSS Defect Detection Technique Based On Database Query Language

Transactions on Computational Collective Intelligence XIX

Part of the book series: Lecture Notes in Computer Science (TCCI, volume 9380)

Abstract

With the wide use of web applications, XSS vulnerabilities have become one of the most common security problems and have caused many serious losses. In this paper, on the basis of database query language techniques, we put forward a static analysis method for XSS defect detection in Java web applications that analyzes data flow in reverse. The method first converts each JSP file to a Servlet file, and then uses the mock test method to automatically generate calls for all Java code so that the analysis is comprehensive. We obtain the methods where an XSS security defect may occur by big data analysis. Starting from these methods, we analyze the data flow and program semantics in reverse, and detect an XSS defect by judging whether it can be introduced by user input without a filter. Moreover, to trace the taint path and to improve the analysis precision, we put forward bidirectional analysis: starting from the results of the reverse analysis, we analyze the data flow forward to trace the taint path. These two methods effectively reduce the analysis tasks that a forward-only approach requires. Experiments on some open source Java web projects demonstrated that the bidirectional and reverse methods improved not only the efficiency of detection but also the detection accuracy for XSS defects.
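The reverse-then-forward idea in the abstract can be sketched on a small data-flow graph. This is an added illustration, not code from the chapter: it does not model the chapter's query language or JSP conversion, and the flow facts, variable names and the `escapeHtml` filter are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed data-flow facts for one servlet method (sample input, not from the chapter).
FLOWS = [  # (dst, src): the value of src flows into dst
    ("name", "req.getParameter(name)"),
    ("greeting", "name"),
    ("html", "greeting"),
    ("id", "req.getParameter(id)"),
    ("escapeHtml(id)", "id"),
    ("row", "escapeHtml(id)"),
    ("title", "'Welcome'"),
]
SOURCES = {"req.getParameter(name)", "req.getParameter(id)"}  # user input
SANITIZERS = {"escapeHtml(id)"}  # hypothetical filter call
SINKS = ["html", "row", "title"]  # arguments written to the response

PRED, SUCC = defaultdict(list), defaultdict(list)
for dst, src in FLOWS:
    PRED[dst].append(src)
    SUCC[src].append(dst)

def reverse(sink):
    """Walk backward from a sink argument; return (sources reached, nodes visited)."""
    seen, hits, work = {sink}, set(), deque([sink])
    while work:
        node = work.popleft()
        if node in SOURCES:
            hits.add(node)
        for p in PRED[node]:
            if p not in seen and p not in SANITIZERS:  # a filter cuts the flow
                seen.add(p)
                work.append(p)
    return hits, seen

def forward(source, sink, allowed):
    """Trace one taint path source -> sink inside the reverse slice, else None."""
    stack = [[source]]
    while stack:
        path = stack.pop()
        if path[-1] == sink:
            return path
        stack.extend(path + [n] for n in SUCC[path[-1]] if n in allowed and n not in path)

def detect():
    """Reverse pass per sink, then a forward pass only for sinks that reached input."""
    found = []
    for sink in SINKS:
        hits, seen = reverse(sink)
        found += [forward(s, sink, seen) for s in sorted(hits)]
    return found
```

Calling `detect()` reports only the unfiltered flow into `html`; the filtered `row` sink and the constant `title` sink never trigger a forward pass, which is where the reduction in analysis work comes from.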

Acknowledgments

This work was supported by National Natural Science Foundation of China (No. 61170268, 61100047, 61272493).

Correspondence to Baojiang Cui.

© 2015 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Cui, B., Hou, T., Long, B., Xu, L. (2015). Bidirectional Analysis Method of Static XSS Defect Detection Technique Based On Database Query Language. In: Nguyen, N., Kowalczyk, R., Xhafa, F. (eds) Transactions on Computational Collective Intelligence XIX. Lecture Notes in Computer Science, vol 9380. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49017-4_3

  • DOI: https://doi.org/10.1007/978-3-662-49017-4_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-49016-7

  • Online ISBN: 978-3-662-49017-4

  • eBook Packages: Computer Science (R0)
