Assisting Programmers Resolving Vulnerabilities in Java Web Applications

Bathia, Pranjal; Beerelli, Bharath Reddy; Laverdière, Marc-André

doi:10.1007/978-3-642-17881-8_26

Cited by 7 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There is a huge body of research done on the field of XSS attacks [7,22,23,24,25,26,27,28,29]. Previous research has proposed and discussed various methods for XSS attack implementation [22,23], XSS attack detection [24,25], XSS attack prevention [26,27] and XSS vulnerability detection [28,29]. Various methods have been proposed to prevent XSS attacks by developing applications that are not vulnerable to XSS attacks [7,26,27].…”

Section: Related Workmentioning

confidence: 99%

“…Previous research has proposed and discussed various methods for XSS attack implementation [22,23], XSS attack detection [24,25], XSS attack prevention [26,27] and XSS vulnerability detection [28,29]. Various methods have been proposed to prevent XSS attacks by developing applications that are not vulnerable to XSS attacks [7,26,27]. However, the most commonly practiced method for XSS prevention is the output encoding of untrusted data [8].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Wijayarathna¹,

Arachchilage²

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Cross Site Scripting (XSS) is one of the most critical vulnerabilities exist in web applications. XSS can be prevented by encoding untrusted data that are loaded into browser content of web applications. Security Application Programming Interfaces (APIs) such as OWASP ESAPI provide output encoding functionalities for programmers to use to protect their applications from XSS attacks. However, XSS still being ranked as one of the most critical vulnerabilities in web applications suggests that programmers are not effectively using those APIs to encode untrusted data. Therefore, we conducted an experimental study with 10 programmers where they attempted to fix XSS vulnerabilities of a web application using the output encoding functionality of OWASP ESAPI. Results revealed 3 types of mistakes that programmers made which resulted in them failing to fix the application by removing XSS vulnerabilities. We also identified 16 usability issues of OWASP ESAPI. We identified that some of these usability issues as the reason for mistakes that programmers made. Based on these results, we provided suggestions on how the usability of output encoding APIs should be improved to give a better experience to programmers.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Wijayarathna¹,

Arachchilage²

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…In information security testing [2][3][4], the majority of methods cantered on preventing XSS attacks in web applications. There have been few research activities on its detection [5][6].…”

Section: Introductionmentioning

confidence: 99%

Handling Vulnerable Script Code in Web Engineering

Deshbhratar¹,

Srivastava²

2021

IRJEAS

View full text Add to dashboard Cite

Abstract- Network protection in our everyday lives is becoming increasingly critical today. Since we cannot live without the Internet, it is important to have a good and security environment for networking. Cross site scripting (XSS) does, however, attack millions of websites. We can use XSS to insert malicious scripting code into apps and then return it to the customer side. If users are using the web browser to visit the injecting place of the malicious script code, it is directly run on the customer machine. The main words of XSS are commonly found in the JavaScript browser or on the server component to filter malicious code. However, it is difficult to collect all keywords in the detecting-list in order to prevent XSS attack. However, it is possible to create various forms of malicious scripting. It is also worthwhile for more people to work on XSS and find more ways to prevent XSS attacks.

show abstract

“…Most of the approaches focused on preventing XSS attacks in web applications during software security testing [2][3][4]. Few research activities have addressed their detection [5][6][7].…”

Section: Introductionmentioning

confidence: 99%

Detecting Cross-Site Scripting in Web Applications Using Fuzzy Inference System

Ayeni

Sahalu

Adeyanju

2018

Journal of Computer Networks and Communications

View full text Add to dashboard Cite

With improvement in computing and technological advancements, web-based applications are now ubiquitous on the Internet. However, these web applications are becoming prone to vulnerabilities which have led to theft of confidential information, data loss, and denial of data access in the course of information transmission. Cross-site scripting (XSS) is a form of web security attack which involves the injection of malicious codes into web applications from untrusted sources. Interestingly, recent research studies on the web application security centre focus on attack prevention and mechanisms for secure coding; recent methods for those attacks do not only generate high false positives but also have little considerations for the users who oftentimes are the victims of malicious attacks. Motivated by this problem, this paper describes an "intelligent" tool for detecting cross-site scripting flaws in web applications. is paper describes the method implemented based on fuzzy logic to detect classic XSS weaknesses and to provide some results on experimentations. Our detection framework recorded 15% improvement in accuracy and 0.01% reduction in the false-positive rate which is considerably lower than that found in the existing work by Koli et al. Our approach also serves as a decision-making tool for the users.

show abstract

Assisting Programmers Resolving Vulnerabilities in Java Web Applications

Cited by 7 publications

References 11 publications

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Handling Vulnerable Script Code in Web Engineering

Detecting Cross-Site Scripting in Web Applications Using Fuzzy Inference System

Contact Info

Product

Resources

About