DOI: 10.1145/1368088.1368112

Static detection of cross-site scripting vulnerabilities

Published: 10 May 2008

ABSTRACT

Web applications support many of our daily activities, but they often have security problems, and their accessibility makes them easy to exploit. In cross-site scripting (XSS), an attacker exploits the trust a web client (browser) has for a trusted server and executes injected script on the browser with the server's privileges. In 2006, XSS constituted the largest class of newly reported vulnerabilities, making it the most prevalent class of attacks today. Web applications have XSS vulnerabilities because the validation they perform on untrusted input does not suffice to prevent that input from invoking a browser's JavaScript interpreter, and this validation is particularly difficult to get right if it must admit some HTML mark-up. Most existing approaches to finding XSS vulnerabilities are taint-based and assume input validation functions to be adequate, so they either miss real vulnerabilities or report many false positives.

This paper presents a static analysis for finding XSS vulnerabilities that directly addresses weak or absent input validation. Our approach combines work on tainted information flow with string analysis. Proper input validation is difficult largely because of the many ways to invoke the JavaScript interpreter; we face the same obstacle checking for vulnerabilities statically, and we address it by formalizing a policy based on the W3C recommendation, the Firefox source code, and online tutorials about closed-source browsers. We provide effective checking algorithms based on our policy. We implement our approach and provide an extensive evaluation that finds both known and unknown vulnerabilities in real-world web applications.
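The abstract's central distinction, a validator that a taint analysis would trust as a sanitizer yet that still lets input reach the JavaScript interpreter, as an added Python illustration that is not the paper's code: it encodes a small policy as regular patterns, applies it to the outputs of a blacklist validator and an allowlist validator over constructed probe inputs, and reports which inputs still violate the policy. The three policy rules, both validators and the probe strings are constructed here; the paper checks a validator's output language statically rather than by running probes.

```python
import html
import re
# Policy: regular patterns over emitted strings that would hand control to the
# browser's JavaScript interpreter. The paper builds its policy from the W3C
# recommendation and browser sources; these three rules are a constructed stand-in.
JS_INVOCATION_POLICY = [
    re.compile(r"<\s*script\b", re.I),                            # script element
    re.compile(r"<[^>]*\son\w+\s*=", re.I),                       # on* attribute
    re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I),   # javascript: URL
]

def violates_policy(output: str) -> bool:
    """True if the emitted string matches any rule of the policy."""
    return any(p.search(output) for p in JS_INVOCATION_POLICY)

def weak_validate(untrusted: str) -> str:
    """Blacklist validator a taint analysis would accept as a sanitizer:
    strips <script> elements but passes all other mark-up through."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", untrusted, flags=re.I)

ALLOWED_TAGS = {"b", "i", "p"}
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")

def allowlist_validate(untrusted: str) -> str:
    """Admit a few bare formatting tags; HTML-escape everything else,
    including any tag that carries attributes."""
    out, pos = [], 0
    for m in TAG_RE.finditer(untrusted):
        out.append(html.escape(untrusted[pos:m.start()]))
        slash, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag in ALLOWED_TAGS and not attrs.strip():
            out.append(f"<{slash}{tag}>")
        else:
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(untrusted[pos:]))
    return "".join(out)

# Constructed probe inputs (not from the paper), standing in for the set of
# strings the static analysis assumes an untrusted source may supply.
SAMPLE_INPUTS = [
    "hello <b>world</b>",
    "<SCRIPT>probe()</SCRIPT>",
    "<img src=x onerror=probe()>",
    "<a href='javascript:probe()'>link</a>",
]
def audit(validator, inputs=SAMPLE_INPUTS):
    """Return the inputs whose validated output still violates the policy."""
    return [s for s in inputs if violates_policy(validator(s))]
```

`audit(weak_validate)` reports the two non-script probes, which is the gap a taint analysis that trusts `weak_validate` would miss; `audit(allowlist_validate)` reports nothing.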


Published in

ICSE '08: Proceedings of the 30th International Conference on Software Engineering, May 2008, 558 pages. ISBN 9781605580791. DOI: 10.1145/1368088.

Copyright © 2008 ACM
Publisher: Association for Computing Machinery, New York, NY, United States