Fighting Against XSS  Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Wijayarathna, Chamila; Arachchilage, Nalin Asanka Gamagedara

doi:10.24251/hicss.2019.877

Cited by 6 publications

(4 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• 4 distinct scenarios are identified showing how client-side storage is used in an insecure manner. Wijayarathna and Arachchilage [122] check the usability of OWASP ESAPI sanitizers to prevent XSS attacks from developers' perspectives.…”

Section: Results Of the Search And Selection Processesmentioning

confidence: 99%

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Hannousse¹,

Yahiouche²,

Nait-Hamoud³

2022

Preprint

View full text Add to dashboard Cite

Cross-site scripting (XSS) is one of the major threats menacing the privacy of data and the navigation of trusted web applications. Since its reveal in late 1999 by Microsoft security engineers, several techniques have been developed in the aim to secure web navigation and protect web applications against XSS attacks. The problem became worse with the emergence of advanced web technologies such as Web services and APIs and new programming styles such as AJAX, CSS3 and HTML5. While new technologies enable complex interactions and data exchanges between clients and servers in the network, new programming styles introduce new and complicate injection flaws to web applications. XSS has been and still in the TOP 10 list of web vulnerabilities reported by the Open Web Applications Security Project (OWASP). Consequently, handling XSS attacks became one of the major concerns of several web security communities. In this paper, we contribute by conducting a systematic mapping and a comprehensive survey. We summarize and categorize existent endeavors that aim to protect against XSS attacks and develop XSS-free web applications. The present review covers 147 high quality published studies since 1999 including early publications of 2022. A comprehensive taxonomy is drawn out describing the different techniques used to prevent, detect, protect and defend against XSS attacks. Although the diversity of XSS attack types and the scripting languages that can be used to state them, the systematic mapping revealed a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms. The survey highlighted the limitations, discussed the potentials of existing XSS attack defense mechanisms and identified potential gaps.

show abstract

Section: Results Of the Search And Selection Processesmentioning

confidence: 99%

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Hannousse¹,

Yahiouche²,

Nait-Hamoud³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…They should use the API for a while, so evaluators can evaluate the experience of the participant programmers. As potential users of an security API would be software developers/programmers, this can be somewhat costly [6], [7], [30].…”

Section: Limitations Of the Proposed Methodologymentioning

confidence: 99%

“…These APIs that provide security related functionalities are known as security APIs [3], [4]. When security APIs that programmers use are not usable, it is difficult for programmers to learn and use APIs and hence, leads them to make mistakes that would result in introducing security vulnerabilities to applications they develop [4], [7], [30].…”

Section: Introductionmentioning

confidence: 99%

A methodology to Evaluate the Usability of Security APIs

Wijayarathna

Arachchilage

2018

2018 IEEE International Conference on Information and Automation for Sustainability (ICIAfS)

Self Cite

View full text Add to dashboard Cite

Increasing number of cyber-attacks demotivate people to use Information and Communication Technology (ICT) for industrial as well as day to day work. A main reason for the increasing number of cyber-attacks is mistakes that programmers make while developing software applications that are caused by usability issues exist in security Application Programming Interfaces (APIs). These mistakes make software vulnerable to cyber-attacks. In this paper, we attempt to take a step closer to solve this problem by proposing a methodology to evaluate the usability and identify usability issues exist in security APIs. By conducting a review of previous research, we identified 5 usability evaluation methodologies that have been proposed to evaluate the usability of general APIs and characteristics of those methodologies that would affect when using these methodologies to evaluate security APIs. Based on the findings, we propose a methodology to evaluate the usability of security APIs.

show abstract

“…Previous work employs surveys, design studies, and programming tasks to evaluate, e.g., the impact of developers' information sources on code security [11], the usability of security-related information in API documentations [22], [56], and the impact of console warnings on the use of security-related APIs [19], [20]. Our work uses similar methods, but instead focuses on understanding developers' overall awareness of the web security controls.…”

Section: Related Workmentioning

confidence: 99%

Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Şahin¹,

Unlu

Hebert³

et al. 2022

2022 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand the developers' familiarity with a number of web attack and defense mechanisms. In particular, we conduct two different experiments: First, we employ a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we design a Capture the Flag challenge that aims to push the participants to discover as many attack points as possible on a given web application. Among several other observations, we find that one third of developers are not aware of the client's ability to intercept and modify all parts of an HTTP request. Moreover, developers' attack awareness focus on a limited set of attacks (such as Crosssite scripting and SQL injection), overlooking a large part of the attack surface.

show abstract

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Cited by 6 publications

References 21 publications

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey

A methodology to Evaluate the Usability of Security APIs

Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Contact Info

Product

Resources

About