An Empirical Analysis of XSS Sanitization in Web Application Frameworks
نویسندگان
چکیده
Filtering or sanitization is the predominant mechanism in today’s applications to defend against cross-site scripting (XSS) attacks. XSS sanitization can be difficult to get right as it ties in closely with the parsing behavior of the browser. This paper explains some of the subtleties of ensuring correct sanitization, as well as common pitfalls. We study several emerging web application frameworks including those presently used for development of commercial web applications. We evaluate how effective these frameworks are in guarding against the common pitfalls of sanitization. We find that while some web frameworks safeguard against the empirically relevant use cases, most do not. In addition, some of the security features in present web frameworks provide a false sense of security.
منابع مشابه
A Systematic Analysis of XSS Sanitization in Web Application Frameworks
While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web framewo...
متن کاملDefending against Web Vulnerabilities and Cross-site Scripting
Researchers have devised multiple solutions to cross-site scripting, but vulnerabilities persists in many Web applications due to developer‟s lack of expertise in the problem identification and their unfamiliarity with the current mechanisms. As proclaimed by the experts, cross-site scripting is among the serious and widespread threats in Web applications these days more than buffer overflows. ...
متن کاملStructural Learning of Attack Vectors for Generating Mutated XSS Attacks
Web applications suffer from cross-site scripting (XSS) attacks that resulting from incomplete or incorrect input sanitization. Learning the structure of attack vectors could enrich the variety of manifestations in generated XSS attacks. In this study, we focus on generating more threatening XSS attacks for the state-of-the-art detection approaches that can find potential XSS vulnerabilities in...
متن کاملCurrent state of research on cross-site scripting (XSS) - A systematic literature review
Keywords: Systematic literature review Cross-site scripting Security Web applications a b s t r a c t Context: Cross-site scripting (XSS) is a security vulnerability that affects web applications. It occurs due to improper or lack of sanitization of user inputs. The security vulnerability caused many problems for users and server applications. Objective: To conduct a systematic literature revie...
متن کاملInput Validation Vulnerabilities (SQLIA) and Defenses in Web Applications Security
-The internet has evolved into a critical delivery pipeline for institutions to interact with Customers, partners and employees. Peoples use web sites to send and receive Information via Hypertext Markup Language (HTML) messages to web applications reside on web servers. Generally this information, expected as legitimate messages, can be used illegitimately by the unauthorized persons to compro...
متن کامل