Using Unit Testing to Detect Sanitization Flaws
Mahmoud Mohammadi, Bill Chu, Heather Richter Lipford

TL;DR
This paper presents a unit testing approach that combines static and dynamic analysis to detect sanitization flaws in input handling, effectively identifying security vulnerabilities missed by static tools.
Contribution
It introduces an automated method to extract sanitization functions and evaluate their effectiveness against generated attack vectors during development.
Findings
Detects security flaws missed by static analysis
Automates extraction of sanitization functions
Effective against injection attack vectors
Abstract
Input sanitization mechanisms are widely used to mitigate vulnerabilities to injection attacks such as cross-site scripting. Static analysis tools and techniques are commonly used to ensure that applications utilize sanitization functions. Dynamic analysis must be used to evaluate the correctness of sanitization functions. The proposed approach is based on unit testing to bring the advantages of both static and dynamic techniques to development time. Our approach introduces a technique to automatically extract the sanitization functions and then evaluate their effectiveness against attacks using automatically generated attack vectors. The empirical results show that the proposed technique can detect security flaws that static analysis tools cannot find.
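The idea in the abstract, sketched as an added example (not code from the paper or its tool): a unit test runs a sanitization function against attack vectors in the output context where it is actually used, catching cases where the sanitizer is present (so a static check passes) but ineffective. Python's `html.escape` stands in for the application's sanitizer; the templates, the hand-written vectors and all helper names are assumptions constructed for illustration, and the vectors here are not automatically generated as in the paper.

```python
import html
from html.parser import HTMLParser

# Constructed attack vectors, one per breakout style (sample data, not from the paper).
VECTORS = [
    "<script>alert(1)</script>",   # element injection in body text
    '" onfocus="alert(1)',         # breaks out of a double-quoted attribute
    "x onfocus=alert(1)",          # adds an attribute after an unquoted value
]

class StructureProbe(HTMLParser):
    """Records every tag and attribute name the parser sees in the rendered markup."""
    def __init__(self):
        super().__init__()
        self.seen = set()

    def handle_starttag(self, tag, attrs):
        self.seen.add(tag)
        self.seen.update(f"{tag}@{name}" for name, _ in attrs)

def injected_structure(template, sanitizer, vector):
    """Return tags/attributes present with the vector but absent with benign input."""
    def shape(value):
        probe = StructureProbe()
        probe.feed(template.format(sanitizer(value)))
        probe.close()
        return probe.seen
    return shape(vector) - shape("benign")

def failing_vectors(template, sanitizer):
    """Vectors that still change the markup structure after sanitization."""
    return [v for v in VECTORS if injected_structure(template, sanitizer, v)]

# Hypothetical sinks: three output contexts a sanitized value may be written into.
BODY = "<p>{}</p>"
QUOTED_ATTR = '<input value="{}">'
UNQUOTED_ATTR = "<input value={}>"

def body_encoder(s):
    return html.escape(s, quote=False)   # encodes & < > only

def attr_encoder(s):
    return html.escape(s, quote=True)    # also encodes " and '

if __name__ == "__main__":
    for name, tpl in [("body", BODY), ("quoted", QUOTED_ATTR), ("unquoted", UNQUOTED_ATTR)]:
        for enc in (body_encoder, attr_encoder):
            print(f"{name:9} {enc.__name__:13} failing={failing_vectors(tpl, enc)}")
```

Both encoders pass in the body context, the body encoder fails in the quoted attribute, and even the attribute encoder fails in the unquoted attribute, which is the kind of context mismatch a "sanitizer is called" check does not see.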
