Detection and Removing Cross Site Scripting Vulnerability in PHP Web Application

Marashdih, Abdalla Wasef; Zaaba, Zarul Fitri

doi:10.1109/icpet.2017.11

Cited by 13 publications

(7 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To answer RQ2, we collected time consumption/memory consumption (TC/MC) data presented in the evaluation and information about whether some steps of the method are automatic (Auto) to measure the efficiency of the WAVD approaches. For measuring effectiveness, in addition to popular metrics [156] listed in Table B.1 in Appendix B, such as false positive rate (FPR), false negative rate (FNR), true negative rate (TNR), true positive rate (TPR), precision (P), accuracy (Acc), Recall (R), F-measure/F1-score, code coverage (CC) [124], detection rate (DR) (i.e., number of attacks detected as attacks / number of attacks [131,150]), metrics such as p-value and effect size [20], area under the receiver operating characteristic curve (AUC) [14], and fitness [123,131], are also presented in the evaluation of the WAVD approaches and are therefore summarized and compared. Seventy-eight out of the 105 studies focus on injection vulnerabilities, probably because injection vulnerabilities are top listed in OWASP 2013 and OWASP 2017.…”

Section: Results Of Rq2mentioning

confidence: 99%

“…More studies are needed to re-evaluate and compare existing WAVD approaches using test suites with known types and numbers of vulnerabilities. Code coverage(CC) [124], Detection rate(DR) [131,150], P-value and effect size [20], AUC [14], Fitness [123,131] TP: The prediction result is vulnerable, which is actually vulnerable. FP: The prediction result is vulnerable, which is actually benign.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

et al. 2021

View full text Add to dashboard Cite

Most existing surveys and reviews on web application vulnerability detection (WAVD) approaches focus on comparing and summarizing the approaches’ technical details. Although some studies have analyzed the efficiency and effectiveness of specific methods, there is a lack of a comprehensive and systematic analysis of the efficiency and effectiveness of various WAVD approaches. We conducted a systematic literature review (SLR) of WAVD approaches and analyzed their efficiency and effectiveness. We identified 105 primary studies out of 775 WAVD articles published between January 2008 and June 2019. Our study identified 10 categories of artifacts analyzed by the WAVD approaches and 8 categories of WAVD meta-approaches for analyzing the artifacts. Our study’s results also summarized and compared the effectiveness and efficiency of different WAVD approaches on detecting specific categories of web application vulnerabilities and which web applications and test suites are used to evaluate the WAVD approaches. To our knowledge, this is the first SLR that focuses on summarizing the effectiveness and efficiencies of WAVD approaches. Our study results can help security engineers choose and compare WAVD tools and help researchers identify research gaps.

show abstract

Section: Results Of Rq2mentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Finally, adequate escaping mechanisms of OWASP are identified by matching the OWASP XSS prevention rules and instrumented making use of the ESAPI API 7 . Marashdih and Zaaba [100] proposed an approach for the detection and removal of RXSS and SXSS vulnerabilities from PHP web applications. Static taint-analysis of Pixy tool [17] is used to examine the source code of web application pages and generate their correspondent control-flow graphs.…”

Section: Xss Vulnerability Detection and Removal Techniquesmentioning

confidence: 99%

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Hannousse¹,

Yahiouche²,

Nait-Hamoud³

2022

Preprint

View full text Add to dashboard Cite

Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its reveal in late 1999 by Microsoft security engineers, several techniques have been developed in the aim to secure web navigation and protect web applications against XSS attacks. The problem became worse with the emergence of advanced web technologies such as Web services and APIs and new programming styles such as AJAX, CSS3 and HTML5. While new technologies enable complex interactions and data exchanges between clients and servers in the network, new programming styles introduce new and complicate injection flaws to web applications. XSS has been and still in the TOP 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks became one of the major concerns of several web security communities. In this paper, we contribute by conducting a systematic mapping and a comprehensive survey. We summarize and categorize existent endeavors that aim to protect against XSS attacks and develop XSS-free web applications. The present review covers 147 high quality published studies since 1999 including early publications of 2022. A comprehensive taxonomy is drawn out describing the different techniques used to prevent, detect, protect and defend against XSS attacks. Although the diversity of XSS attack types and the scripting languages that can be used to state them, the systematic mapping revealed a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms. The survey highlighted the limitations, discussed the potentials of existing XSS attack defense mechanisms and identified potential gaps.

show abstract

“…a) Stored XSS (AKA Persistent or Type I) Stored XSS [7] all around happens when a client input is put away on the goal server, for instance, in a message gathering, in a database, visitor log, statement field and many more. What's more, after that a harmed individual can recoup the set away data from the web application.…”

Section: ) Security Misconfigurationmentioning

confidence: 99%

“…c) DOM Based XSS (AKA Type-0) In DOM Based XSS [7], the whole corrupted information spill out of source to sink happens in the program, that is, the wellspring of the information is in the DOM, the sink is comparatively in the DOM, and this information stream has not evacuated the program.…”

Section: ) Security Misconfigurationmentioning

confidence: 99%

Survey on Web Application Vulnerability

Patni¹,

Vaidya²

2019

helix

View full text Add to dashboard Cite

Web applications have turned into a fundamental piece of our day to day life. Since web applications contain important sensitive data, programmers attempt to discover vulnerabilities and endeavor them to imitate the client, take data, or damage the application. Web Security is a difficult issue and it can't be ignored. Over the most recent couple of years, the world has seen a phenomenal time of technological development. Unfortunately, alongside the technological development, the attacks have additionally expanded. This paper represents in detail the most overall and unsafe web application vulnerable attacks.

show abstract

Detection and Removing Cross Site Scripting Vulnerability in PHP Web Application

Cited by 13 publications

References 14 publications

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Survey on Web Application Vulnerability

Contact Info

Product

Resources

About