DOI: 10.1145/2993600.2993606

JSPChecker: Static Detection of Context-Sensitive Cross-Site Scripting Flaws in Legacy Web Applications

Published: 24 October 2016

Abstract

JSPChecker is a static analysis tool that detects context-sensitive cross-site scripting vulnerabilities in legacy web applications. While cross-site scripting flaws can be mitigated through sanitisation, a process that removes or escapes characters that are dangerous in the output, proper sanitisation requires knowledge of the output context of each input value. Web pages are built from a mix of languages (HTML, CSS, JavaScript and others), each of which calls for a different sanitisation routine. Context-sensitive cross-site scripting vulnerabilities occur when the sanitisation routine applied to a value does not match the context in which the value is emitted.
JSPChecker uses data-flow analysis to track the sanitisation routines applied to an input value, combines string analysis with fault-tolerant parsing to approximate the output context of the sanitised value, and compares the two to detect context-sensitive cross-site scripting vulnerabilities. We demonstrate the effectiveness of the approach by analysing five open-source applications, showing that JSPChecker identifies several context-sensitive XSS flaws in real-world applications with a precision ranging from 96% to 100%.
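As an added example (not the paper's or JSPChecker's code), the Python script below sketches the check the abstract describes on a small scale: a simple HTML state machine recovers the output context of every ${...} interpolation in a JSP-style template, the sanitiser wrapping the expression is read off the expression itself (standing in for the paper's data-flow analysis), and a finding is raised when sanitiser and context do not match. fn:escapeXml is JSTL's real HTML escaper; jsEncode, cssEncode and urlEncode are assumed names for context-specific encoders, and the SAFE_FOR policy table and the SAMPLE template are constructed for this example.

```python
# Added example, not JSPChecker's code: toy context-sensitive XSS checker for
# JSP-style templates. fn:escapeXml is JSTL's real HTML escaper; jsEncode,
# cssEncode, urlEncode are assumed encoder names; SAFE_FOR/SAMPLE are constructed.
import re
from collections import namedtuple

# Policy table (assumed): which sanitisers are adequate for which output context.
SAFE_FOR = {
    "html_text": {"fn:escapeXml"}, "attr_quoted": {"fn:escapeXml"},
    "attr_unquoted": set(),        # nothing makes an unquoted attribute value safe
    "attr_url": {"urlEncode"},     # escapeXml leaves a javascript: URL intact
    "attr_event": set(),           # inline event handlers: no escaper is adequate
    "attr_style": {"cssEncode"}, "style": {"cssEncode"},
    "script": {"jsEncode"},        # HTML entities are not decoded inside <script>
    "tag": set(),                  # interpolation in attribute-name position
}
URL_ATTRS = {"href", "src", "action", "formaction"}
# ${expr} or ${sanitiser(expr)}, e.g. ${param.name}, ${fn:escapeXml(param.name)}
EXPR = re.compile(r"\$\{\s*(?:([\w:]+)\s*\(\s*)?([\w.]+)\s*\)?\s*\}")
TAG_OPEN = re.compile(r"<(/?)([A-Za-z][\w:-]*)")
ATTR_NAME = re.compile(r"[^\s=/>]+")
Finding = namedtuple("Finding", "expr sanitiser context offset ok")  # sanitiser None = raw

def classify_attr(name, quoted):
    """Refine the attribute-value context by quoting and attribute name."""
    name = name.lower()
    if not quoted:
        return "attr_unquoted"
    if name.startswith("on"):
        return "attr_event"
    return "attr_url" if name in URL_ATTRS else "attr_style" if name == "style" else "attr_quoted"

def analyse(template):
    """Walk the template with a small HTML state machine; record each interpolation
    with the output context it lands in and the sanitiser wrapped around it."""
    findings, state, tag, attr, quote = [], "text", "", "", ""
    i, n = 0, len(template)
    while i < n:
        m = EXPR.match(template, i)
        if m:                                   # interpolation: classify and record
            sanitiser, expr = m.group(1), m.group(2)
            ctx = ("html_text" if state == "text" else
                   classify_attr(attr, quote != "") if state == "attr" else state)
            findings.append(Finding(expr, sanitiser, ctx, m.start(), sanitiser in SAFE_FOR[ctx]))
            i = m.end()
            continue
        c = template[i]
        if state == "text":
            t = TAG_OPEN.match(template, i)
            if t:                               # closing tags carry no attributes
                tag = "" if t.group(1) else t.group(2).lower()
                state, i = "tag", t.end()
            else:
                i += 1
        elif state == "tag":
            if c == ">":
                state = tag if tag in ("script", "style") else "text"
                i += 1
            elif c.isspace() or c == "/":
                i += 1
            elif c == "=":                      # attribute value follows, maybe quoted
                i += 1
                while i < n and template[i].isspace():
                    i += 1
                quote = template[i] if i < n and template[i] in "\"'" else ""
                state, i = "attr", i + len(quote)
            else:
                a = ATTR_NAME.match(template, i)
                attr, i = a.group(0), a.end()
        elif state == "attr":
            if quote:
                state, i = ("tag" if c == quote else "attr"), i + 1
            elif c.isspace() or c == ">":
                state = "tag"                   # unquoted value ends; re-read c in tag state
            else:
                i += 1
        elif template[i:i + 2 + len(tag)].lower() == "</" + tag:
            state = "text"                      # end of raw <script>/<style> body
        else:
            i += 1
    return findings

def mismatches(template):
    """Interpolations whose sanitiser does not fit the context they are emitted in."""
    return [(f.expr, f.sanitiser, f.context) for f in analyse(template) if not f.ok]

# Constructed sample: one correct use of fn:escapeXml and six mismatches.
SAMPLE = """<h1>Hello ${fn:escapeXml(param.name)}</h1>
<a href="${fn:escapeXml(param.next)}">next</a>
<img src=${fn:escapeXml(param.img)} alt="">
<div style="color:${fn:escapeXml(param.colour)}">x</div>
<p title='${param.title}'>${param.body}</p>
<script>var user = '${fn:escapeXml(param.name)}';</script>"""

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print("ok      " if f.ok else "MISMATCH", f.context, f.sanitiser or "none", f.expr)
```

Run as a script it prints one line per interpolation. On the sample it accepts fn:escapeXml in HTML text, and flags the same escaper in a URL attribute (a javascript: scheme survives HTML escaping), in an unquoted attribute (a space starts a new attribute), in a style attribute, and inside a script block (HTML escaping is not a JavaScript string encoder; backslashes and line terminators pass through), along with the two values emitted with no sanitiser at all. That is the paper's point: the sanitiser is not wrong in itself, only wrong for the context it ends up in.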




    Published In

    PLAS '16: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security
    October 2016, 116 pages
    ISBN: 9781450345743
    DOI: 10.1145/2993600
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

    Publisher

    Association for Computing Machinery, New York, NY, United States



    Author Tags

    1. cross-site scripting
    2. data-flow
    3. security
    4. string analysis
    5. web application

    Qualifiers

    • Research-article

    Conference

    CCS'16

    Acceptance Rates

    PLAS '16 Paper Acceptance Rate 6 of 11 submissions, 55%;
    Overall Acceptance Rate 43 of 77 submissions, 56%


    Article Metrics

    • Downloads (last 12 months): 18
    • Downloads (last 6 weeks): 2
    Reflects downloads up to 20 Feb 2025

    Cited By

    • (2024) Twenty-two years since revealing cross-site scripting attacks. Computer Science Review, 52:C. DOI: 10.1016/j.cosrev.2024.100634. Online publication date: 18-Jul-2024.
    • (2022) Adapting Static Taint Analyzers to Software Marketplaces. Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pages 73-82. DOI: 10.1145/3560835.3564553. Online publication date: 11-Nov-2022.
    • (2022) A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners. IEEE Access, 10:33200-33219. DOI: 10.1109/ACCESS.2022.3161522. Online publication date: 2022.
    • (2021) A Review on Detection of Cross-Site Scripting Attacks (XSS) in Web Security. Advances in Cyber Security, pages 685-709. DOI: 10.1007/978-981-33-6835-4_45. Online publication date: 5-Feb-2021.
    • (2020) Maybe tainted data. Journal of Computer Security, 28(3):295-335. DOI: 10.3233/JCS-191342. Online publication date: 1-Jan-2020.
    • (2019) A Survey of Exploitation and Detection Methods of XSS Vulnerabilities. IEEE Access, 7:182004-182016. DOI: 10.1109/ACCESS.2019.2960449. Online publication date: 2019.
    • (2018) DjangoChecker: Applying extended taint tracking and server side parsing for detection of context-sensitive XSS flaws. Software: Practice and Experience, 49(1):130-148. DOI: 10.1002/spe.2649. Online publication date: 23-Oct-2018.
    • (2017) The Impact of Defensive Programming on I/O Cybersecurity Attacks. Proceedings of the 2017 ACM Southeast Conference, pages 102-111. DOI: 10.1145/3077286.3077571. Online publication date: 13-Apr-2017.
