Cross Site Scripting (2014 Year in Review)

SoS Newsletter

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications; it enables attackers to inject client-side script into Web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Consequences may range from petty nuisance to significant security risk, depending on the value of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. Because XSS is a frequent method of attack, research is being conducted on methods to prevent, detect, and mitigate XSS attacks. The articles cited here were published in 2014.

Gupta, M.K.; Govil, M.C.; Singh, G., "Static Analysis Approaches to Detect SQL Injection and Cross Site Scripting Vulnerabilities in Web Applications: A Survey," Recent Advances and Innovations in Engineering (ICRAIE), 2014, pp. 1-5, 9-11 May 2014. doi: 10.1109/ICRAIE.2014.6909173

Dependence on web applications is increasing very rapidly in recent times for social communications, health problems, financial transactions and many other purposes. Unfortunately, the presence of security weaknesses in web applications allows malicious users to exploit various security vulnerabilities and becomes the reason for their failure. Currently, SQL Injection (SQLI) and Cross-Site Scripting (XSS) vulnerabilities are the most dangerous security vulnerabilities exploited in various popular web applications, i.e. eBay, Google, Facebook, Twitter, etc. Research on defensive programming, vulnerability detection and attack prevention techniques has been quite intensive in the past decade. Defensive programming is a set of coding guidelines to develop secure applications. But mostly, developers do not follow security guidelines and repeat the same type of programming mistakes in their code. Attack prevention techniques protect the applications from attack during their execution in the actual environment. There are difficulties associated with accurate detection of SQLI and XSS vulnerabilities in the coding phase of the software development life cycle. This paper proposes a classification of software security approaches used to develop secure software in various phases of the software development life cycle. It also presents a survey of static analysis based approaches to detect SQL Injection and cross-site scripting vulnerabilities in the source code of web applications. The aim of these approaches is to identify the weaknesses in source code before their exploitation in the actual environment. This paper would help researchers to note down future directions for securing legacy web applications in early phases of the software development life cycle.

Keywords: Internet; SQL; program diagnostics; security of data; software maintenance; software reliability; source code (software); SQL injection; SQLI; Web applications; XSS; attack prevention; cross site scripting vulnerabilities; defensive programming; financial transaction; health problem; legacy Web applications; malicious users; programming mistakes; security vulnerabilities; security weaknesses; social communications; software development life cycle; source code; static analysis; vulnerability detection; Analytical models; Guidelines; Manuals; Programming; Servers; Software; Testing; SQL injection; cross site scripting; static analysis; vulnerabilities; web application (ID#: 15-3789)


Gupta, M.K.; Govil, M.C.; Singh, G., "A Context-Sensitive Approach for Precise Detection of Cross-Site Scripting Vulnerabilities," Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on, pp. 7-12, 9-11 Nov. 2014. doi: 10.1109/INNOVATIONS.2014.6987553

Currently, dependence on web applications is increasing rapidly for social communication, health services, financial transactions and many other purposes. Unfortunately, the presence of cross-site scripting vulnerabilities in these applications allows malicious users to steal sensitive information, install malware, and perform various malicious operations. Researchers have proposed various approaches and developed tools to detect XSS vulnerabilities from the source code of web applications. However, existing approaches and tools are not free from false positive and false negative results. In this paper, we propose a taint analysis and defensive programming based HTML context-sensitive approach for precise detection of XSS vulnerabilities from the source code of PHP web applications. It also provides automatic suggestions to improve the vulnerable source code. Preliminary experiments and results on test subjects show that the proposed approach is more efficient than existing ones.

Keywords: Internet; hypermedia markup languages; invasive software; source code (software); Web application; XSS vulnerability; cross-site scripting vulnerability; defensive programming based HTML context-sensitive approach; financial transaction; health services; malicious operation; malicious user; malware; precise detection; sensitive information; social communication; source code; taint analysis; Browsers; Context; HTML; Security; Servers; Software; Standards; Cross-Site Scripting; Software Development Life Cycle; Taint Analysis; Vulnerability Detection; XSS Attacks (ID#: 15-3790)


Rocha, T.S.; Souto, E., "ETSSDetector: A Tool to Automatically Detect Cross-Site Scripting Vulnerabilities," Network Computing and Applications (NCA), 2014 IEEE 13th International Symposium on, pp. 306-309, 21-23 Aug. 2014. doi: 10.1109/NCA.2014.53

The inappropriate use of features intended to improve the usability and interactivity of web applications has resulted in the emergence of various threats, including Cross-Site Scripting (XSS) attacks. In this work, we developed ETSS Detector, a generic and modular web vulnerability scanner that automatically analyzes web applications to find XSS vulnerabilities. ETSS Detector is able to identify and analyze all data entry points of the application and generate specific code injection tests for each one. The results show that the correct filling of the input fields with only valid information ensures better effectiveness of the tests, increasing the detection rate of XSS attacks.

Keywords: Internet; interactive systems; security of data; ETSS Detector; Web applications; XSS attacks; cross-site scripting vulnerabilities; interactivity; Browsers; Data mining; Databases; Filling; Qualifications; Security; Testing; Cross-Site Scripting; ETSSDetector; vulnerabilities (ID#: 15-3791)


Mewara, B.; Bairwa, S.; Gajrani, J.; Jain, V., "Enhanced Browser Defense for Reflected Cross-Site Scripting," Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), 2014 3rd International Conference on, pp. 1-6, 8-10 Oct. 2014. doi: 10.1109/ICRITO.2014.7014761

Cross-Site Scripting (XSS) is a common attack technique that lets attackers insert code into the output of a web application, which is sent to the visitor's web browser, where the inserted code executes automatically and steals sensitive information. In order to protect users from XSS attacks, many client-side solutions have been implemented; most of those in use are filters that sanitize the malicious input. However, many of these filters do not provide protection against newly designed sophisticated attacks such as multiple points of injection, injection into script, etc. This paper proposes and implements an approach based on encoding unfiltered reflections for detecting vulnerable web applications which can be exploited using the above-mentioned sophisticated attacks. Results prove that the proposed approach provides an accurate, higher detection rate of exploits. In addition to this, an implementation of blocking the execution of malicious scripts has been contributed to XSS-Me, an open source Mozilla Firefox security extension that detects reflected XSS vulnerabilities, which can be considered an effective solution if it is integrated inside the browser rather than being enforced as an extension.

Keywords: Web sites; online front-ends; search engines; security of data; Web browser; Web page; XSS attack; XSS-Me; client-side solution; enhanced browser defense; malicious input; malicious script; open source Mozilla Firefox security extension; reflected XSS vulnerability; reflected cross-site scripting; sensitive information; sophisticated attack; unfiltered reflection; vulnerable Web application; Browsers; HTML; Information filters; Security; Testing; Vectors; XSS; attack vectors; defense; filter; special characters (ID#: 15-3792)


Mewara, B.; Bairwa, S.; Gajrani, J., "Browser's Defenses Against Reflected Cross-Site Scripting Attacks," Signal Propagation and Computer Technology (ICSPCT), 2014 International Conference on, pp. 662-667, 12-13 July 2014. doi: 10.1109/ICSPCT.2014.6884928

Due to the frequent usage of online web applications for various day-to-day activities, web applications are becoming the most suitable target for attackers. Cross-Site Scripting, also known as XSS attack, is one of the most prominent defacing web-based attacks, which can lead to compromise of the whole browser rather than just the actual web application from which the attack has originated. Securing web applications using server-side solutions is not profitable, as developers are not necessarily security aware. Therefore, browser vendors have tried to evolve client-side filters to defend against these attacks. This paper shows that even the foremost prevailing XSS filters deployed by the latest versions of the most widely used web browsers do not provide appropriate defense. We evaluate three browsers, Internet Explorer 11, Google Chrome 32, and Mozilla Firefox 27, for reflected XSS attacks against different types of vulnerabilities. We find that none of the above is completely able to defend against all possible types of reflected XSS vulnerabilities. Further, we evaluate Firefox after installing an add-on named XSS-Me, which is widely used for testing reflected XSS vulnerabilities. Experimental results show that this client-side solution can shield against a greater percentage of vulnerabilities than other browsers. It is witnessed to be more propitious if this add-on is integrated inside the browser instead of being enforced as an extension.

Keywords: online front-ends; security of data; Google Chrome 32; Internet Explorer 11; Mozilla Firefox 27; Web based attack; Web browsers; XSS attack; XSS filters; XSS-Me; online Web applications; reflected cross-site scripting attacks; Browsers; Security; Thyristors; JavaScript; Reflected XSS; XSS-Me; attacker; bypass; exploit; filter (ID#: 15-3793)


Guowei Dong; Yan Zhang; Xin Wang; Peng Wang; Liangkun Liu, "Detecting Cross Site Scripting Vulnerabilities Introduced by HTML5," Computer Science and Software Engineering (JCSSE), 2014 11th International Joint Conference on, pp. 319-323, 14-16 May 2014. doi: 10.1109/JCSSE.2014.6841888

In recent years, HTML5 has been widely adopted in popular browsers. Unfortunately, as a new Web standard, HTML5 may expand the Cross Site Scripting (XSS) attack surface as well as improve the interactivity of the page. In this paper, we identified 14 XSS attack vectors related to HTML5 by a systematic analysis of new tags and attributes. Based on these vectors, an XSS test vector repository is constructed and a dynamic XSS vulnerability detection tool focusing on Webmail systems is implemented. By applying the tool to some popular Webmail systems, seven exploitable XSS vulnerabilities are found. The evaluation result shows that our tool can efficiently detect XSS vulnerabilities introduced by HTML5.

Keywords: Internet; Web sites; hypermedia markup languages; security of data; HTML5; Web standard; Webmail system; XSS attack surface; XSS attack vectors; XSS test vector repository; cross site scripting vulnerability detection; dynamic XSS vulnerability detection tool; systematic analysis; HTML5; attack surface; dynamic detection (ID#: 15-3794)


Abgrall, E.; Le Traon, Y.; Gombault, S.; Monperrus, M., "Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: An Urgent Need for Systematic Security Regression Testing," Software Testing, Verification and Validation Workshops (ICSTW), 2014 IEEE Seventh International Conference on, pp. 34-41, March 31-April 4, 2014. doi: 10.1109/ICSTW.2014.63

One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During the last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have evolved to support new features. In this paper, we explore whether the evolution of web browsers is done using systematic security regression testing. Beginning with an analysis of their current degree of exposure to XSS, we extend the empirical study to a decade of the most popular web browser versions. We use XSS attack vectors as unit test cases and we propose a new method supported by a tool to address this XSS vector testing issue. The analysis of a decade of releases of the most popular web browsers, including mobile ones, shows an urgent need for XSS regression testing. We advocate the use of a shared security testing benchmark as a good practice and propose a first set of publicly available XSS vectors as a basis to ensure that security is not sacrificed when a new version is delivered.

Keywords: online front-ends; regression analysis; security of data; Web applications; Web browser attack surface; XSS vector testing; cross-site scripting; systematic security regression testing; Browsers; HTML; Mobile communication; Payloads; Security; Testing; Vectors; XSS; browser; regression; security; testing; web (ID#: 15-3795)


Jinxin You; Fan Guo, "Improved CSRFGuard for CSRF Attacks Defense on Java EE Platform," Computer Science & Education (ICCSE), 2014 9th International Conference on, pp. 1115-1120, 22-24 Aug. 2014. doi: 10.1109/ICCSE.2014.6926635

CSRFGuard is a tool running on the Java EE platform to defend against Cross-Site Request Forgery (CSRF) attacks, but there are some shortcomings: scripts should be inserted manually, dynamically created requests cannot be effectively handled, and the defense can be bypassed through Cross-Site Scripting (XSS). Corresponding improvements were made according to these shortcomings. The Servlet filter was used to intercept responses, and the page source code of each response was stored by a custom response wrapper class to add script tags, so that scripts were automatically inserted. The JavaScript event delegation mechanism was used to bind forms with onfocus and onsubmit events, so that dynamically created requests were effectively handled. Tokens dynamically added through triggered events effectively prevented the defense from being bypassed through XSS. The experimental results show that the improved CSRFGuard can effectively defend against CSRF attacks.

Keywords: Java; security of data; CSRF attack defense; CSRFGuard; Java EE platform; JavaScript event delegation mechanism; Servlet filter; XSS; cross-site request forgery attack; cross-site scripting; custom response wrapper; script tags; Browsers; Computers; HTML; Security; Welding; CSRFGuard; Cross-Site Scripting; Cross-site Request Forgery; Event Delegation; Java EE (ID#: 15-3796)


Bozic, J.; Wotawa, F., "Security Testing Based on Attack Patterns," Software Testing, Verification and Validation Workshops (ICSTW), 2014 IEEE Seventh International Conference on, pp. 4-11, March 31-April 4, 2014. doi: 10.1109/ICSTW.2014.58

Testing for security related issues is an important task of growing interest due to the vast amount of applications and services available over the internet. In practice, testing for security is often performed manually, with the consequences of higher costs and no integration of security testing with today's agile software development processes. In order to bring security testing into practice, many different approaches have been suggested, including fuzz testing and model-based testing approaches. Most of these approaches rely on models of the system or the application domain. In this paper we suggest formalizing attack patterns from which test cases can be generated and even executed automatically. Hence, testing for known attacks can be easily integrated into software development processes where automated testing, e.g., for daily builds, is a requirement. The approach makes use of UML state charts. Besides discussing the approach, we illustrate the approach using a case study.

Keywords: Internet; Unified Modeling Language; program testing; security of data; software prototyping; Internet; UML state charts; agile software development processes; attack patterns; security testing; Adaptation models; Databases; HTML; Security; Software; Testing; Unified modeling language; Attack pattern; SQL injection; UML state machine; cross-site scripting; model-based testing; security testing (ID#: 15-3797)


Wenmin Xiao; Jianhua Sun; Hao Chen; Xianghua Xu, "Preventing Client Side XSS with Rewrite Based Dynamic Information Flow," Parallel Architectures, Algorithms and Programming (PAAP), 2014 Sixth International Symposium on, pp. 238-243, 13-15 July 2014. doi: 10.1109/PAAP.2014.10

This paper presents the design and implementation of an information flow tracking framework based on code rewriting to prevent sensitive information leaks in browsers, combining the ideas of taint and information flow analysis. Our system has two main processes. First, it abstracts the semantics of JavaScript code and converts it to a general form of intermediate representation on the basis of the JavaScript abstract syntax tree. Second, the abstract intermediate representation is implemented as a special taint engine to analyze tainted information flow. Our approach can ensure fine-grained isolation for both confidentiality and integrity of information. We have implemented a proof-of-concept prototype, named JSTFlow, and have deployed it as a browser proxy to rewrite web applications at runtime. The experimental results show that JSTFlow can guarantee the security of sensitive data and detect XSS attacks with about 3x performance overhead. Because it does not involve any modifications to the target system, our system is readily deployable in practice.

Keywords: Internet; Java; data flow analysis; online front-ends; security of data; JSTFlow; JavaScript abstract syntax tree; JavaScript code; Web applications; XSS attacks; abstract intermediate representation; browser proxy; browsers; client side XSS; code rewrite; fine-grained isolation; information flow tracking framework; performance overhead; rewrite based dynamic information flow; sensitive information leaks; taint engine; tainted information flow; Abstracts; Browsers; Data models; Engines; Security; Semantics; Syntactics; JavaScript; cross-site scripting; information flow analysis; information security; taint model (ID#: 15-3798)


Sayed, B.; Traore, I., "Protection Against Web 2.0 Client-Side Web Attacks Using Information Flow Control," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, pp. 261-268, 13-16 May 2014. doi: 10.1109/WAINA.2014.52

The dynamic nature of Web 2.0 and the heavy obfuscation of web-based attacks complicate the job of traditional protection systems such as firewalls, anti-virus solutions, and IDS systems. It has been witnessed that, using ready-made toolkits, cyber-criminals can launch sophisticated attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF) and botnets, to name a few. In recent years, cyber-criminals have targeted legitimate websites and social networks to inject malicious scripts that compromise the security of the visitors of such websites. This involves performing actions using the victim's browser without his/her permission. This poses the need to develop effective mechanisms for protecting against Web 2.0 attacks that mainly target the end-user. In this paper, we address the above challenges from an information flow control perspective by developing a framework that restricts the flow of information on the client side to legitimate channels. The proposed model tracks sensitive information flow and prevents information leakage from happening. The proposed model, when applied to the context of client-side web-based attacks, is expected to provide a more secure browsing environment for the end-user.

Keywords: Internet; computer crime; data protection; invasive software; IDS systems; Web 2.0 client-side Web attacks; antivirus solutions; botnets; cross-site request forgery; cross-site scripting; cyber-criminals; firewalls; information flow control; information leakage; legitimate Web sites; malicious script injection; protection systems; secure browsing environment; social networks; Browsers; Feature extraction; Security; Semantics; Servers; Web 2.0; Web pages; AJAX; Client-side web attacks; Information Flow Control; Web 2.0 (ID#: 15-3799)


Buja, G.; Bin Abd Jalil, K.; Bt Hj Mohd Ali, F.; Rahman, T.F.A., "Detection Model for SQL Injection Attack: An Approach for Preventing a Web Application from the SQL Injection Attack," Computer Applications and Industrial Electronics (ISCAIE), 2014 IEEE Symposium on, pp. 60-64, 7-8 April 2014. doi: 10.1109/ISCAIE.2014.7010210

Over the past 20 years the use of the web in daily life has been increasing and is becoming a trend now. As the use of the web is increasing, the use of web applications is also increasing. Apparently, most of the web applications that exist today have some vulnerability that could be exploited by an unauthorized person. Some of the well-known web application vulnerabilities are Structured Query Language (SQL) Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). By compromising these web application vulnerabilities, the system cracker can gain information about the user and lead to the reputation of the respective organization. Usually the developers of web applications do not realize that their web applications have vulnerabilities. They only realize it when there is an attack or manipulation of their code by someone. This is normal, as in a web application there are thousands of lines of code; therefore it is not easy to detect whether there are some loopholes. Nowadays, as hacking tools and hacking tutorials are easier to get, lots of new hackers are born. Even though SQL injection is very easy to protect against, there are still large numbers of systems on the internet that are vulnerable to this type of attack, because there will be a few subtle conditions that can go undetected. Therefore, in this paper we propose a detection model for detecting and recognizing the web vulnerability which is SQL Injection, based on the defined and identified criteria. In addition, the proposed detection model will be able to generate a report regarding the vulnerability level of the web application. As a consequence, the proposed detection model should be able to decrease the possibility of SQL Injection attacks that can be launched on the web application.

Keywords: Internet; SQL; authorisation; computer crime; CSRF; SQL injection attack; Web application; Web application vulnerabilities; Web vulnerability detection model; XSS; cross-site request forgery; cross-site scripting; hacking tools; hacking tutorials; structured query language injection; system cracker; Computational modeling; Databases; Internet; Security; Testing; Uniform resource locators; Web pages; CSRF; SQL injection; XSS; vulnerabilities; web application (ID#: 15-3800)


Blankstein, A.; Freedman, M.J., "Automating Isolation and Least Privilege in Web Services," Security and Privacy (SP), 2014 IEEE Symposium on, pp. 133-148, 18-21 May 2014. doi: 10.1109/SP.2014.16

In many client-facing applications, a vulnerability in any part can compromise the entire application. This paper describes the design and implementation of Passe, a system that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passe automatically splits (previously shared-memory-space) applications into sandboxed processes. Passe limits communication between those components and the types of accesses each component can make to shared storage, such as a backend database. In order to limit components to their least privilege, Passe uses dynamic analysis on developer-supplied end-to-end test cases to learn data and control-flow relationships between database queries and previous query results, and it then strongly enforces those relationships. Our prototype of Passe acts as a drop-in replacement for the Django web framework. By running eleven unmodified, off-the-shelf applications in Passe, we demonstrate its ability to provide strong security guarantees (Passe correctly enforced 96% of the applications' policies) with little additional overhead. Additionally, in the web-specific setting of the prototype, we also mitigate the cross-component effects of cross-site scripting (XSS) attacks by combining browser HTML5 sandboxing techniques with our automatic component separation.

Keywords: Web services; security of data; Django web framework; HTML5 sandboxing techniques; Passe system; Web services; XSS attack; client-facing applications; control-flow relationship; cross-site scripting attack; data-flow relationship; database queries; query results; sandboxed process; security guarantee; shared-memory-space application; Browsers; Databases; Libraries; Prototypes; Runtime; Security; Servers; capabilities; isolation; principle of least privilege; security policy inference; web security (ID#: 15-3801)


Coelho Martins da Fonseca, J.C.; Amorim Vieira, M.P., "A Practical Experience on the Impact of Plugins in Web Security," Reliable Distributed Systems (SRDS), 2014 IEEE 33rd International Symposium on, pp. 21-30, 6-9 Oct. 2014. doi: 10.1109/SRDS.2014.20

In an attempt to support customization, many web applications allow the integration of third-party server-side plugins that offer diverse functionality, but also open an additional door for security vulnerabilities. In this paper we study the use of static code analysis tools to detect vulnerabilities in the plugins of the web application. The goal is twofold: 1) to study the effectiveness of static analysis on the detection of web application plugin vulnerabilities, and 2) to understand the potential impact of those plugins on the security of the core web application. We use two static code analyzers to evaluate a large number of plugins for a widely used Content Management System. Results show that many plugins that are currently deployed worldwide have dangerous Cross Site Scripting and SQL Injection vulnerabilities that can be easily exploited, and that even widely used static analysis tools may present disappointing vulnerability coverage and false positive rates.

Keywords: Internet; content management; program diagnostics; security of data; SQL injection vulnerabilities; Web application plugin vulnerabilities; Web security; content management system; cross site scripting; false positive rates; static code analysis tools; Content management; Databases; Manuals; Security; Testing; Web pages; Web applications; plugins; security; static analysis; vulnerabilities (ID#: 15-3802)


Kumar, A.; Reddy, K., "Constructing Secure Web Applications with Proper Data Validations," Recent Advances and Innovations in Engineering (ICRAIE), 2014, pp. 1-5, 9-11 May 2014. doi: 10.1109/ICRAIE.2014.6909304

With the advent of the World Wide Web, information sharing through the internet increased drastically. So web application security is today's most significant battlefield between attackers and the resources of web services. It is likely to remain so for the foreseeable future. By considering recent attacks, it has been found that major attacks on Web Applications have been carried out even when the system had the most significant network-level security. Poor input validation mechanisms used in Web Applications cause the launching of vulnerable web applications, which are easy to exploit in future stages. Critical Web Application Vulnerabilities like Cross Site Scripting (XSS) and Injections (SQL, PHP, LDAP, SSL, XML, Command, and Code) happen because of base-level validations, and this is enough to update the system in an unauthorized way or may cause the system to be exploited. In this paper we present those issues in data validation strategies, to avoid the deployment of vulnerable web applications.

Keywords: Internet; computer network security; critical web application vulnerabilities; cross site scripting; data validations; injections; secure Web applications; Computational modeling; HTML; XML; injection; security; validation; vulnerability; xss (ID#: 15-3803)


Aydin, A.; Alkhalaf, M.; Bultan, T., "Automated Test Generation from Vulnerability Signatures," Software Testing, Verification and Validation (ICST), 2014 IEEE Seventh International Conference on, pp. 193-202, March 31-April 4, 2014. doi: 10.1109/ICST.2014.32

Web applications need to validate and sanitize user inputs in order to avoid attacks such as Cross Site Scripting (XSS) and SQL Injection. Writing string manipulation code for input validation and sanitization is an error-prone process leading to many vulnerabilities in real-world web applications. Automata-based static string analysis techniques can be used to automatically compute vulnerability signatures (represented as automata) that characterize all the inputs that can exploit a vulnerability. However, there are several factors that limit the applicability of static string analysis techniques in general: 1) undecidability of static string analysis requires the use of approximations leading to false positives, 2) static string analysis tools do not handle all string operations, 3) the dynamic nature of scripting languages makes static analysis difficult. In this paper, we show that vulnerability signatures computed for deliberately insecure web applications (developed for demonstrating different types of vulnerabilities) can be used to generate test cases for other applications. Given a vulnerability signature represented as an automaton, we present algorithms for test case generation based on state, transition, and path coverage. These automatically generated test cases can be used to test applications that are not analyzable statically, and to discover attack strings that demonstrate how the vulnerabilities can be exploited.

Keywords: Web services; authoring languages; automata theory; digital signatures; program diagnostics; program testing; attack string discovery; automata-based static string analysis techniques; automated test case generation; automatic vulnerability signature computation; insecure Web applications; path coverage; scripting languages; state; static string analysis undecidability; transition; Algorithm design and analysis; Approximation methods; Automata; Databases; HTML; Security; Testing; automata-based test generation; string analysis; validation and sanitization; vulnerability signatures (ID#: 15-3804)


Shar, L.; Briand, L.; Tan, H., "Web Application Vulnerability Prediction using Hybrid Program Analysis and Machine Learning," Dependable and Secure Computing, IEEE Transactions on, vol. PP, no. 99, pp. 1-1, 20 November 2014. doi: 10.1109/TDSC.2014.2373377

Due to limited time and resources, web software engineers need support in identifying vulnerable code. A practical approach to predicting vulnerable code would enable them to prioritize security auditing efforts. In this paper, we propose using a set of hybrid (static+dynamic) code attributes that characterize input validation and input sanitization code patterns and are expected to be significant indicators of web application vulnerabilities. Because static and dynamic program analyses complement each other, both techniques are used to extract the proposed attributes in an accurate and scalable way. Current vulnerability prediction techniques rely on the availability of data labeled with vulnerability information for training. For many real world applications, past vulnerability data is often not available or at least not complete. Hence, to address both situations where labeled past data is fully available or not, we apply both supervised and semi-supervised learning when building vulnerability predictors based on hybrid code attributes. Given that semi-supervised learning is entirely unexplored in this domain, we describe how to use this learning scheme effectively for vulnerability prediction. We performed empirical case studies on seven open source projects where we built and evaluated supervised and semi-supervised models. When cross validated with fully available labeled data, the supervised models achieve an average of 77% recall and 5% probability of false alarm for predicting SQL injection, cross site scripting, remote code execution and file inclusion vulnerabilities. With a low amount of labeled data, when compared to the supervised model, the semi-supervised model showed an average improvement of 24% higher recall and 3% lower probability of false alarm, thus suggesting semi-supervised learning may be a preferable solution for many real world applications where vulnerability data is missing.

Keywords: Data models; HTML; Security; Semisupervised learning; Servers; Software; Training; Vulnerability prediction; empirical study; input validation and sanitization; program analysis; security measures (ID#: 15-3805)


Quirolgico, Steve, "App Vetting Systems: Issues And Challenges," IT Professional Conference (IT Pro), 2014, pp. 1-13, 22-22 May 2014. doi: 10.1109/ITPRO.2014.7029287 App vetting is the process of approving or rejecting an app prior to deployment on a mobile device. The decision to approve or reject an app is based on the organization's security requirements and the type and severity of security vulnerabilities found in the app. Security vulnerabilities including Cross Site Scripting (XSS), information leakage, authentication and authorization, session management, and SQL injection can be exploited to steal information or control a device.

Keywords: Computer security; Information technology; Laboratories; Mobile communication; Mobile handsets; NIST (ID#: 15-3806)


Ferguson, B.; Tall, A.; Olsen, D., "National Cyber Range Overview," Military Communications Conference (MILCOM), 2014 IEEE, pp. 123-128, 6-8 Oct. 2014. doi: 10.1109/MILCOM.2014.27 The National Cyber Range (NCR) is an innovative Department of Defense (DoD) resource originally established by the Defense Advanced Research Projects Agency (DARPA) and now under the purview of the Test Resource Management Center (TRMC). It provides a unique environment for cyber security testing throughout the program development life cycle using unique methods to assess resiliency to advanced cyberspace security threats. This paper describes what a cyber security range is, how it might be employed, and the advantages a program manager (PM) can gain in applying the results of range events. Creating realism in a test environment isolated from the operational environment is a special challenge in cyberspace. Representing the scale and diversity of the complex DoD communications networks at a fidelity detailed enough to realistically portray current and anticipated attack strategies (e.g., malware, distributed denial of service attacks, cross-site scripting) is complex. The NCR addresses this challenge by representing an Internet-like environment by employing a multitude of virtual machines and physical hardware augmented with traffic emulation, port/protocol/service vulnerability scanning, and data capture tools. Coupled with a structured test methodology, the PM can efficiently and effectively engage with the Range to gain cyberspace resiliency insights. The NCR capability, when applied, allows the DoD to incorporate cyber security early to avoid high-cost integration at the end of the development life cycle. This paper provides an overview of the resources of the NCR which may be especially helpful for DoD PMs to find the best approach for testing the cyberspace resiliency of their systems under development.

Keywords: computer network security; virtual machines; Department of Defense; DoD communication networks; NCR; National Cyber Range; cyberspace resiliency testing; cyberspace security threats; traffic emulation; virtual machines; Cyberspace; Malware; Resource management; Testing; US Department of Defense; cyberspace; range; security; test (ID#: 15-3807)

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.