Difficult XSS Code Patterns for Static Code Analysis Tools

Cited by: 3
Authors
Schuckert, Felix [1,2]
Katt, Basel [2]
Langweg, Hanno [1,2]
Affiliations
[1] HTWG Konstanz, Dept Comp Sci, Alfred Wachtel Str 8, D-78462 Constance, Germany
[2] Norwegian Univ Sci & Technol, Dept Informat Secur & Commun Technol, Fac Informat Technol & Elect Engn, NTNU, Teknol Vegen 22, N-2815 Gjovik, Norway
Keywords
Static code analysis; Source code patterns; Cross site scripting; Vulnerabilities; PHP;
DOI
10.1007/978-3-030-42051-2_9
Chinese Library Classification
TP [Automation technology, computer technology];
Subject classification code
0812;
Abstract
We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects, each in both a vulnerable and a fixed version, for XSS vulnerabilities reported with CVE IDs over a period of seven years. We used three commercial and two open source static code analysis tools. Based on the reported vulnerabilities, we identified code patterns that appear to be difficult for static analysis to classify. The results show that code analysis tools are helpful, but still have problems with specific source code patterns. These patterns should be a focus in training for developers.
Pages: 123 / 139
Page count: 17
Related papers
50 items in total
  • [1] Analysis of the Tools for Static Code Analysis
    Nikolic, Danilo
    Stefanovic, Darko
    Dakic, Dusanka
    Sladojevic, Srdan
    Ristic, Sonja
    [J]. 2021 20TH INTERNATIONAL SYMPOSIUM INFOTEH-JAHORINA (INFOTEH), 2020,
  • [2] Comparison of Static Code Analysis Tools
    Mantere, Matti
    Uusitalo, Ilkka
    Roning, Juha
    [J]. 2009 THIRD INTERNATIONAL CONFERENCE ON EMERGING SECURITY INFORMATION, SYSTEMS, AND TECHNOLOGIES, 2009, : 15 - +
  • [3] Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools
    Reynolds, Zachary P.
    Jayanth, Abhinandan B.
    Koc, Ugur
    Porter, Adam A.
    Raje, Rajeev R.
    Hill, James H.
    [J]. 2017 IEEE/ACM 4TH INTERNATIONAL WORKSHOP ON SOFTWARE ENGINEERING RESEARCH AND INDUSTRIAL PRACTICE (SER&IP 2017), 2017, : 55 - 61
  • [4] Probing into Code Analysis Tools A Comparison of C# Supporting Static Code Analyzers
    Shaukat, Rida
    Shahoor, Arooba
    Urooj, Aniqa
    [J]. PROCEEDINGS OF 2018 15TH INTERNATIONAL BHURBAN CONFERENCE ON APPLIED SCIENCES AND TECHNOLOGY (IBCAST), 2018, : 455 - 464
  • [5] Systematic Generation of XSS and SQLi Vulnerabilities in PHP as Test Cases for Static Code Analysis
    Schuckert, Felix
    Langweg, Hanno
    Katt, Basel
    [J]. 2022 IEEE 15TH INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VERIFICATION AND VALIDATION WORKSHOPS (ICSTW 2022), 2022, : 261 - 268
  • [6] Identifying Security Relevant Warnings from Static Code Analysis Tools through Code Tainting
    Baca, Dejan
    [J]. FIFTH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY, AND SECURITY: ARES 2010, PROCEEDINGS, 2010, : 386 - 390
  • [7] Using code reviews to automatically configure static analysis tools
    Zampetti, Fiorella
    Mudbhari, Saghan
    Arnaoudova, Venera
    Di Penta, Massimiliano
    Panichella, Sebastiano
    Antoniol, Giuliano
    [J]. EMPIRICAL SOFTWARE ENGINEERING, 2022, 27 (01)
  • [8] Would Static Analysis Tools Help Developers with Code Reviews?
    Panichella, Sebastiano
    Arnaoudova, Venera
    Di Penta, Massimiliano
    Antoniol, Giuliano
    [J]. 2015 22ND INTERNATIONAL CONFERENCE ON SOFTWARE ANALYSIS, EVOLUTION, AND REENGINEERING (SANER), 2015, : 161 - 170
  • [9] Using code reviews to automatically configure static analysis tools
    Fiorella Zampetti
    Saghan Mudbhari
    Venera Arnaoudova
    Massimiliano Di Penta
    Sebastiano Panichella
    Giuliano Antoniol
    [J]. Empirical Software Engineering, 2022, 27
  • [10] Static code analysis
    Louridas, P
    [J]. IEEE SOFTWARE, 2006, 23 (04) : 58 - 61