Automated Repair of Cross-Site Scripting Vulnerabilities through Unit Testing

Title: Automated Repair of Cross-Site Scripting Vulnerabilities through Unit Testing
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Mohammadi, Mahmoud; Chu, Bill; Richter Lipford, Heather
Conference Name: 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Keywords: application vulnerable, commit frauds, common programming error, Cross Site Scripting, Cross Site Scripting attacks, cross site scripting (XSS), cross-site scripting vulnerabilities, detecting vulnerable web pages, dynamic program analysis, fraud, Human Behavior, injection attacks, Internet, online front-ends, open source medical record application, program analysis, program diagnostics, program testing, pubcrawl, Resiliency, Scalability, security of data, sensitive information, software debugging, software maintenance, software reliability, static program analysis, suggested encoder, Unit testing, untrusted data, untrusted dynamic content, vulnerability repair, vulnerable codes, Web applications, Web pages, Web sites, XSS vulnerability
Abstract: Many web applications are vulnerable to Cross Site Scripting (XSS) attacks, enabling attackers to steal sensitive information and commit fraud. Much research in this area has focused on detecting vulnerable web pages using static and dynamic program analysis. The best practice to prevent XSS vulnerabilities is to encode untrusted dynamic content. However, a common programming error is the use of the wrong type of encoder to sanitize untrusted data, leaving the application vulnerable. We propose a new approach that can automatically fix this common type of XSS vulnerability in many situations. This approach is integrated into the software maintenance life cycle through unit testing. Vulnerable code is refactored to reflect the suggested encoder and then verified using an attack-evaluating mechanism to find a proper repair. Evaluation of this approach has been conducted on an open source medical record application with over 200 web pages written in JSP.
DOI: 10.1109/ISSREW.2019.00098
Citation Key: mohammadi_automated_2019
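The encoder mismatch the abstract describes (an HTML encoder applied to data that lands inside a JavaScript string literal) and the refactor-then-verify loop, as an added Python example that is not the paper's code; the encoder names, the two output contexts, the `confined` check and the probe strings are assumptions constructed for it.

```python
# Added example (not the paper's code): context-aware encoder selection checked
# the way a unit test would. Names, probes and contexts below are constructed.
import html
import re

def html_encode(s: str) -> str:
    """Encoder for HTML body and attribute contexts."""
    return html.escape(s, quote=True)

def js_string_encode(s: str) -> str:
    """Encoder for a JavaScript string literal inside a <script> block: every
    non-alphanumeric character becomes \\xHH or \\uHHHH, so nothing survives raw."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)

ENCODERS = {"html": html_encode, "js_string": js_string_encode}

# Probe inputs (constructed): each carries a metacharacter that matters in at
# least one context; note the trailing backslash and the embedded newline.
PROBES = ["o'hara", '"<b>x</b>', "</script><i>", "trailing\\", "line\nbreak"]

def confined(context: str, encoded: str) -> bool:
    """Attack-evaluating check: does the encoded value stay inside its slot?"""
    if context == "html_body":      # e.g. <p>Hello {}</p> or <input value="{}">
        return not re.search(r'[<>"]', encoded)
    if context == "js_string":      # e.g. <script>var user = '{}';</script>
        # Entities are not decoded inside <script>, so only the JS lexer's view
        # matters: an unescaped quote or backslash moves the literal's boundary,
        # a raw newline ends it, and '</script' ends the element itself.
        unescaped = re.sub(r"\\.", "", encoded, flags=re.S)
        return (not re.search(r"['\\\n\r]", unescaped)
                and "</script" not in encoded.lower())
    raise ValueError("unknown context " + context)

def repair(context: str, current: str) -> str:
    """Keep the current encoder if every probe stays confined; otherwise return
    the first candidate that confines all probes (the suggested repair)."""
    for name in [current] + [n for n in ENCODERS if n != current]:
        if all(confined(context, ENCODERS[name](p)) for p in PROBES):
            return name
    raise RuntimeError("no candidate encoder repairs context " + context)
```

With the HTML encoder in the JavaScript-string context, the trailing-backslash probe escapes the literal's closing quote, so `repair` swaps in the JavaScript string encoder; in the HTML body context the existing HTML encoder is kept.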