Author : Kishan Babu T D 1
Date of Publication :14th June 2017
Abstract: In this paper, the prediction and analysis of cross-site scripting (XSS) security vulnerabilities in web application’s source code is demonstrated. Cross-site scripting (XSS) is a security vulnerability that affects the web applications and it occurs due to improper or lack of sanitization of user inputs. There is no single solution that can effectively mitigate XSS attacks. More research is needed in the area of vulnerability removal from the source code of the applications before deployment. Security inspection and testing require experts in security who think like an attacker and locating vulnerable code locations is a challenging task. Alternatively, there are also vulnerability prediction approaches based on machine learning techniques which showed that static code attributes such as code complexity measures are cheap and useful predictors. The main focus is on prediction of XSS vulnerabilities and extracts the relevant features to classify vulnerable source code file from benign one. Attack prevention and vulnerability detection are the areas focused in this study
Reference :
-
- M. K. Gupta, M. C. Govil and G. Singh, "Predicting Cross-Site Scripting (XSS) security vulnerabilities in web applications," 2015 12th International Joint Conference on Computer Science and Software Engineering (JCSSE), Songkhla, 2015, pp. 162-167.
- WhiteHatSecurity. Web statistics report. https://whitehatsec.com/categories/statistics-report, 2013. Accessed: 2013-06-26.
- Isatou Hydara, Abu Bakar Md. Sultan, Hazura Zulzalil, and Novia Admodisastro. Current state of research on crosssite scripting a systematic literature review. Information and Software Technology, 58(0):170 – 186, 2015.
- Yonghee Shin, A. Meneely, L. Williams, and J.A. Osborne. Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Transactions on Software Engineering, 37(6):772– 787, Nov 2011.
- Istehad Chowdhury and Mohammad Zulkernine. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. Journal of Systems Architecture, 57(3):294 – 313, 2011. Special Issue on Security and Dependability Assurance of Software Architectures.
- J. Walden, J. Stuckman, and R. Scandariato. Predicting vulnerable components: Software metrics vs text mining. IEEE 25th International Symposium on Software Reliability Engineering (ISSRE), pages 23–33, Nov 2014.
- Lwin Khin Shar and Hee Beng Kuan Tan. Predicting sql injection and cross site scripting vulnerabilities through mining input sanitization patterns. Information and Software Technology, 55(10):1767 – 1780, 2013.
- R. Scandariato, J. Walden, A. Hovsepyan, and W. Joosen. Predicting vulnerable software components via text mining. IEEE Transactions on Software Engineering, 40(10):993–1006, Oct 2014.
- Lwin Khin Shar and Hee Beng Kuan Tan. Automated removal of cross site scripting vulnerabilities in web applications. Information and Software Technology, 54:467–478, 2012.
- Prateek Saxena, David Molnar, and Benjamin Livshits. Scriptgard: Automatic context-sensitive sanitization for large-scale legacy web applications. Proceedings of the 18th ACM Conference on Computer and Communications Security, pages 601–614, 2011.
- Lwin Khin Shar, Hee Beng Kuan Tan, and Lionel C. Briand. Mining sql injection and cross site scripting vulnerabilities using hybrid program analysis. Proceedings of the 2013 International Conference on Software Engineering, pages 642–651, 2013.
- Aram Hovsepyan, Riccardo Scandariato, Wouter Joosen, and James Walden. Software vulnerability prediction using text analysis techniques. Proceedings of the 4th International Workshop on Security Measurements and Metrics, pages 7–10, 2012.
- Lwin Khin Shar and Hee Beng Kuan Tan. Predicting common web application vulnerabilities from input validation and sanitization code patterns. Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, pages 310–313, 2012.
- Ibéria Medeiros, Nuno F. Neves, and Miguel Correia. Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. Proceedings of the 23rd International Conference on World Wide Web, pages 63–74, 2014.
- Bertrand STIVALET Aurelien DELAITRE. Php vulnerabilities test suite. https://github.com/stivalet/PHP-Vulnerability-test-suite , 2014. Accessed: 2014-07-13.
- Peter Reutemann Eibe Frank, Mark Hall and Len Trigg.