Automated Detecting and Repair of Cross-Site Scripting Vulnerabilities

TL;DR

This paper introduces an automated approach combining security unit testing, attack generation, and automatic repair to detect and fix Cross-Site Scripting vulnerabilities caused by improper data encoding in web applications.

Contribution

It presents a novel security testing and repair framework specifically targeting XSS vulnerabilities due to encoding errors, with automatic vulnerability detection and fixing capabilities.

Findings

Effective detection of XSS vulnerabilities in real web applications

Automatic repair reduces manual effort and errors

Validated on a large open source medical application

Abstract

The best practice to prevent Cross Site Scripting (XSS) attacks is to apply encoders to sanitize untrusted data. To balance security and functionality, encoders should be applied to match the web page context, such as HTML body, JavaScript, and style sheets. A common programming error is the use of a wrong type of encoder to sanitize untrusted data, leaving the application vulnerable. We present a security unit testing approach to detect XSS vulnerabilities caused by improper encoding of untrusted data. Unit tests for the XSS vulnerability are constructed out of each web page and then evaluated by a unit test execution framework. A grammar-based attack generator is devised to automatically generate test inputs. We also propose a vulnerability repair technique that can automatically fix detected vulnerabilities in many situations. Evaluation of this approach has been conducted on an open source medical record application with over 200 web pages written in JSP.