The best practice to prevent Cross Site Scripting (XSS) attacks is to apply encoders to sanitize untrusted data. To balance security and functionality, encoders should be applied to match the web page context, such as HTML body, JavaScript, and style sheets. A common programming error is the use of the wrong type of encoder to sanitize untrusted data, leaving the application vulnerable. We present a security unit testing approach to detect XSS vulnerabilities caused by improper encoding of untrusted data. Unit tests for XSS vulnerabilities are constructed from each web page and then evaluated by a unit test execution framework. A grammar-based attack generator is devised to automatically generate test inputs. We also propose a vulnerability repair technique that can automatically fix detected vulnerabilities in many situations. This approach has been evaluated on an open source medical record application with over 200 web pages written in JSP.
Objective: To determine the reliability and validity of the Persian version of the "BEARS" (B = Bedtime Issues, E = Excessive Daytime Sleepiness, A = Night Awakenings, R = Regularity and Duration of Sleep, S = Snoring) pediatric sleep questionnaire. Setting: Two primary care pediatric clinics in Tehran, Iran. Methods: In the first step the BEARS sleep questionnaire was filled in, and within a 2 to 4 week period BEARS was completed again (by another questioner); all subjects were then seen by sleep specialists for diagnosis of sleep problems. To determine test-retest reliability, BEARS findings were compared over time and between different questioners. To determine criterion validity, BEARS findings were compared with the experts' diagnosis. Results: A total of 215 children (2-12 years old) were studied; 101 were in the preschool age group (2-6 years old) and 114 in the primary school age group (7-12 years old). All of the BEARS items in the preschool age group and most of the items in the school-aged group had good to excellent test-retest reliability (P<0.05). Approximately half of the items in both age groups were valid (P<0.05). Conclusion: This study suggests that BEARS (a simple, brief screening tool for pediatric sleep problems) is a reliable and relatively valid sleep screening tool in children, especially in the Persian language.
Integrating security testing into the workflow of software developers can not only save the resources spent on separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract the encoding functions a web application uses to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We also show that our approach can efficiently cover a common type of XSS vulnerability. The approach can be generalized to test input validation against other types of injection, such as command line injection.
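As an added illustration (not code from either paper above), the following Python shows the kind of per-context unit test both abstracts describe: each encoder is checked against the context it is meant for, and a mismatched pairing (an HTML encoder guarding a JavaScript string literal, or the reverse) is reported. The encoders, the probe strings and the context-breakout checks are assumptions made for this example, not the papers' own.

```python
import html
import json
from typing import Callable, Dict, List

# Encoders matched to the context a value is inserted into (assumed, illustrative).
def html_body_encode(s: str) -> str:
    return html.escape(s, quote=True)

def js_string_encode(s: str) -> str:
    # JSON string body with the outer quotes stripped; '/' is escaped so that a
    # value placed inside an inline <script> block can never spell "</script>".
    return json.dumps(s)[1:-1].replace("/", "\\/")

# Breakout oracles: can the encoded text terminate the context it sits in?
def breaks_html_body(enc: str) -> bool:
    return "<" in enc                # a literal '<' can start a new tag

def breaks_js_string(enc: str) -> bool:
    # Walk the text as the body of a double-quoted JavaScript string literal.
    i = 0
    while i < len(enc):
        c = enc[i]
        if c == "\\":
            if i + 1 >= len(enc):
                return True          # trailing backslash escapes the closing quote
            i += 2
            continue
        if c in '"\n\r' or enc.startswith("</", i):
            return True              # literal terminated, or script block closed
        i += 1
    return False

BREAKOUT: Dict[str, Callable[[str], bool]] = {
    "html_body": breaks_html_body,
    "js_string": breaks_js_string,
}

# Constructed probe inputs: the characters each context treats as structural.
PROBES = ['<b>x</b>', 'a"b', "a'b", "a\\", "line\nbreak", "</script>", "x&y"]

def find_failures(context: str, encoder: Callable[[str], str]) -> List[str]:
    """Unit-test oracle: the probes whose encoded form can terminate `context`."""
    return [p for p in PROBES if BREAKOUT[context](encoder(p))]

if __name__ == "__main__":
    for ctx, enc in [("html_body", html_body_encode), ("js_string", js_string_encode),
                     ("js_string", html_body_encode), ("html_body", js_string_encode)]:
        bad = find_failures(ctx, enc)
        print(f"{enc.__name__:>16} in {ctx:<9}: {'OK' if not bad else 'FAIL ' + repr(bad)}")
```

Run as a script, the two matched pairings pass and the two mismatched ones fail: the HTML encoder leaves a backslash and a newline intact inside a JavaScript string, and the JavaScript encoder leaves `<` intact in the HTML body.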