CR | Apr 3, 2018

Automated Detecting and Repair of Cross-Site Scripting Vulnerabilities

arXiv:1804.01862v1 | 4 citations | Has Code
Originality: Incremental advance
AI Analysis

This work addresses security vulnerabilities in web applications and is relevant to both developers and users, but it is an incremental advance because it builds on existing encoder-based prevention methods.

The paper tackles the problem of detecting and repairing Cross-Site Scripting (XSS) vulnerabilities caused by improper encoding in web applications, presenting a security unit testing approach with automated test generation and repair, evaluated on an open-source medical record application with over 200 web pages.

The best practice to prevent Cross Site Scripting (XSS) attacks is to apply encoders to sanitize untrusted data. To balance security and functionality, encoders should be applied to match the web page context, such as HTML body, JavaScript, and style sheets. A common programming error is the use of a wrong type of encoder to sanitize untrusted data, leaving the application vulnerable. We present a security unit testing approach to detect XSS vulnerabilities caused by improper encoding of untrusted data. Unit tests for the XSS vulnerability are constructed out of each web page and then evaluated by a unit test execution framework. A grammar-based attack generator is devised to automatically generate test inputs. We also propose a vulnerability repair technique that can automatically fix detected vulnerabilities in many situations. Evaluation of this approach has been conducted on an open source medical record application with over 200 web pages written in JSP.
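The wrong-encoder error the abstract describes, as an added example that is not the paper's code or tooling: a small security unit test in Python (the paper targets JSP) for untrusted data placed in a JavaScript string inside an HTML event-handler attribute. The template, probe input, encoder functions and the `is_safe`/`repair` helpers are all hypothetical names constructed for illustration.

```python
import html
import re

# Constructed page fragment: untrusted data lands in a JavaScript string
# inside an HTML event-handler attribute (a nested context).
TEMPLATE = '<a onclick="show(\'{data}\')">view</a>'
# Constructed test input with characters that matter in both contexts.
PROBE = "a');probe();//"

def html_encode(s):
    """HTML encoder (stand-in for a library HTML/attribute encoder)."""
    return html.escape(s, quote=True)

def js_encode(s):
    """JavaScript string encoder: \\uXXXX-escape every non-alphanumeric character."""
    return "".join(c if c.isalnum() else "\\u%04x" % ord(c) for c in s)

def js_then_html(s):
    """Encoders matched to the nesting: JavaScript first, then HTML attribute."""
    return html_encode(js_encode(s))

def handler_seen_by_js(page):
    """Model the browser: the attribute value is HTML-decoded before it runs as script."""
    raw = re.search(r'onclick="([^"]*)"', page).group(1)
    return html.unescape(raw)

def string_stays_closed(script):
    """True if the first '...' literal in script ends exactly at the final ')'."""
    i = script.index("'") + 1
    while i < len(script):
        if script[i] == "\\":
            i += 2  # skip the escaped character
        elif script[i] == "'":
            return script[i + 1:] == ")"
        else:
            i += 1
    return False

def is_safe(encoder):
    """Security unit test: render the fragment with the probe and check the script."""
    page = TEMPLATE.format(data=encoder(PROBE))
    return string_stays_closed(handler_seen_by_js(page))

def repair(current, candidates):
    """Keep the current encoder if it passes; otherwise pick the first candidate that does."""
    return next((e for e in [current, *candidates] if is_safe(e)), None)
```

The HTML encoder fails the test because the browser decodes `&#x27;` back to a quote before the handler runs, while the context-matched chain passes and is what `repair` selects.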
