Difficult XSS Code Patterns for Static Code Analysis Tools

Cited by: 3
Authors
Schuckert, Felix [1 ,2 ]
Katt, Basel [2 ]
Langweg, Hanno [1 ,2 ]
Affiliations
[1] HTWG Konstanz, Dept Comp Sci, Alfred Wachtel Str 8, D-78462 Constance, Germany
[2] Norwegian Univ Sci & Technol, Dept Informat Secur & Commun Technol, Fac Informat Technol & Elect Engn, NTNU, Teknol Vegen 22, N-2815 Gjovik, Norway
Keywords
Static code analysis; Source code patterns; Cross site scripting; Vulnerabilities; PHP;
DOI
10.1007/978-3-030-42051-2_9
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects, each in both its vulnerable and its fixed version, covering XSS vulnerabilities that were reported with CVE IDs over a period of seven years. We ran three commercial and two open source static code analysis tools against these versions. Based on the reported vulnerabilities, we identified code patterns that appear to be difficult for static analysis to classify. The results show that code analysis tools are helpful, but still have problems with specific source code patterns. These patterns should be a focus of developer training.
Pages: 123 / 139
Page count: 17
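The abstract refers to PHP source code patterns that static analysis tools struggle to classify, without listing them on this page. The following is an added illustration of the general category such a pattern belongs to, not code from the paper or from any of the studied projects: a request parameter that reaches an HTML output sink only through PHP indirection (extract() followed by a variable variable), so that a tool matching direct source-to-sink assignments has nothing to match on. The function names, the request array and the payload are all constructed for this example.

```php
<?php
// Added illustration, not taken from the paper. All names and inputs are constructed.

// Vulnerable variant: extract() copies every request key into a local variable,
// so $_GET['name'] taints $name without any assignment that mentions $_GET.
// The variable variable $$field then hides which variable feeds the sink.
function render_greeting_vulnerable(array $request): string
{
    $name = 'guest';
    extract($request, EXTR_OVERWRITE);        // attacker-controlled $name from here on
    $field = 'name';
    return '<p>Hello, ' . $$field . '</p>';   // sink: raw HTML output of tainted data
}

// Hardened variant: accept only the parameter you expect, keep the data flow
// explicit (no extract(), no variable variables) and encode at the sink for
// the HTML body context the value lands in.
function render_greeting_fixed(array $request): string
{
    $name = (isset($request['name']) && is_string($request['name']))
        ? $request['name']
        : 'guest';
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// Constructed request standing in for ?name=<script>alert(1)</script>
$request = ['name' => '<script>alert(1)</script>'];

echo render_greeting_vulnerable($request), PHP_EOL;  // script tag is emitted unchanged
echo render_greeting_fixed($request), PHP_EOL;       // tag is emitted as &lt;script&gt;...
```

Running the file with the PHP CLI prints the unencoded markup for the vulnerable function and the entity-encoded form for the fixed one. The point for a tool evaluation is that both functions have the same source and the same sink; only the explicitness of the path between them differs, and that path is what a taint-tracking analyzer has to follow.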