TY - GEN
T1 - Program slicing stored XSS bugs in web application
AU - Wang, Yi
AU - Li, Zhoujun
AU - Guo, Tao
PY - 2011
Y1 - 2011
N2 - Web applications are vulnerable targets of security attacks. Among the well known attack type - XSS(Cross-Site Scripting), the most threatening is Stored XSS. Since most static analysis methods refer to Reflected XSS but few concentrate on Stored XSS which is more devastating, plus the fact that pure static analysis offers high false positive rate, we present a static Stored XSS detection algorithm integrated with program slicing method to generate the slices of web application related to possible Stored XSS. The slices are composed of two parts, threat injection and threat release, which reconstruct a Stored XSS attack scenario. They are of great value for later manual checking or other dynamic analysis. For manual checking, the programmer can directly check the code related to possible vulnerabilities. For dynamic analysis or model checking, the program coverage can be large or even complete because of the small size of these slices.
AB - Web applications are vulnerable targets of security attacks. Among the well known attack type - XSS(Cross-Site Scripting), the most threatening is Stored XSS. Since most static analysis methods refer to Reflected XSS but few concentrate on Stored XSS which is more devastating, plus the fact that pure static analysis offers high false positive rate, we present a static Stored XSS detection algorithm integrated with program slicing method to generate the slices of web application related to possible Stored XSS. The slices are composed of two parts, threat injection and threat release, which reconstruct a Stored XSS attack scenario. They are of great value for later manual checking or other dynamic analysis. For manual checking, the programmer can directly check the code related to possible vulnerabilities. For dynamic analysis or model checking, the program coverage can be large or even complete because of the small size of these slices.
KW - Program Slicing
KW - Static Analysis
KW - Stored Cross-Site Scripting
KW - Web Application
UR - https://www.scopus.com/pages/publications/80055117760
U2 - 10.1109/TASE.2011.43
DO - 10.1109/TASE.2011.43
M3 - 会议稿件
AN - SCOPUS:80055117760
SN - 9780769545066
T3 - Proceedings - 5th International Conference on Theoretical Aspects of Software Engineering, TASE 2011
SP - 191
EP - 194
BT - Proceedings - 5th International Conference on Theoretical Aspects of Software Engineering, TASE 2011
T2 - 5th International Conference on Theoretical Aspects of Software Engineering, TASE 2011
Y2 - 29 August 2011 through 31 August 2011
ER -