DocumentCode :
247125
Title :
Reverse Analysis Method of Static XSS Defect Detection Technique Based on Database Query Language
Author :
Cui Baojiang ; Long Baolian ; Hou Tingting
Author_Institution :
Nat. Eng. Lab. for Mobile Network Security, Beijing Univ. of Posts & Telecommun., Beijing, China
fYear :
2014
fDate :
8-10 Nov. 2014
Firstpage :
487
Lastpage :
491
Abstract :
With the wide use of web applications, XSS vulnerabilities have become one of the most common security problems and have caused many serious losses. In this paper, on the basis of a database query language technique, we put forward a static analysis method for XSS defect detection in Java web applications that analyzes data flow in reverse. The method first converts each JSP file to a Servlet file, and then uses a mock test method to automatically generate calls for all Java code so that the analysis is comprehensive. Starting from the methods where an XSS security defect may occur, we analyze the data flow in reverse and detect an XSS defect by judging whether the value can be introduced by unfiltered user input. This reverse method effectively reduces the analysis work that forward approaches require. Experiments on an artificially constructed Java web project with XSS flaws and on several open source Java web projects show that the method improves not only the efficiency of detection but also the detection accuracy for XSS defects.
Keywords :
Internet; Java; query languages; query processing; security of data; JSP file; Java Web application; Servlet file; XSS vulnerability; data flow reverse analysis method; database query language; mock test method; static XSS defect detection technique; Accuracy; Browsers; Context; Databases; Educational institutions; Java; Security; JSP file; XSS defect; reverse analysis; static analysis; web application;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on
Conference_Location :
Guangdong
Type :
conf
DOI :
10.1109/3PGCIC.2014.99
Filename :
7024633