Using Unit Testing to Detect Sanitization Flaws
This addresses security vulnerabilities for software developers, but it is incremental as it builds on existing static and dynamic analysis techniques.
The paper tackled the problem of detecting security flaws in input sanitization functions by proposing a unit testing approach that automatically extracts and evaluates these functions against generated attack vectors, showing it can detect flaws missed by static analysis tools.
Input sanitization mechanisms are widely used to mitigate vulnerabilities to injection attacks such as cross-site scripting. Static analysis tools and techniques commonly used to ensure that applications utilize sanitization functions. Dynamic analysis must be to evaluate the correctness of sanitization functions. The proposed approach is based on unit testing to bring the advantages of both static and dynamic techniques to the development time. Our approach introduces a technique to automatically extract the sanitization functions and then evaluate their effectiveness against attacks using automatically generated attack vectors. The empirical results show that the proposed technique can detect security flaws cannot find by the static analysis tools.