Thesis topics (Thesis selection) (version: 368)
Thesis details
New Approaches Towards Automated XSS Flaw Detection
Thesis title in Czech: Nové přístupy k automatické detekci XSS chyb
Title in English: New Approaches Towards Automated XSS Flaw Detection
Keywords: XSS, context-sensitive, webpage, security, analysis
Keywords in English: XSS, context-sensitive, webpage, security, analysis
Academic year of announcement: 2012/2013
Thesis type: dissertation
Thesis language: English
Department: Department of Distributed and Dependable Systems (32-KDSS)
Supervisor: prof. Ing. Petr Tůma, Dr.
Author: RNDr. JUDr. Antonín Steinhauser, Ph.D. - assigned and confirmed by the Student Affairs Office
Date of registration: 27.09.2013
Date of assignment: 27.09.2013
Date of confirmation by the Student Affairs Office: 22.01.2014
Date and time of defence: 15.09.2020 09:00
Date of electronic submission: 16.04.2020
Date of printed submission: 22.04.2020
Date of defence: 15.09.2020
Opponents: Kostyantyn Vorobyov
  doc. Ing. Miroslav Bureš, Ph.D.
Guidelines
Cross-site scripting (XSS) flaws are a class of security flaws particular to web applications. XSS flaws generally allow an attacker to supply the affected web application with malicious input that is then included in an output page without being properly encoded (sanitized). Recent advances in web application technologies and web browsers have introduced various prevention mechanisms, narrowing down the scope of possible XSS attacks, but those mechanisms are usually selective and prevent only a subset of XSS flaws.

Among the types of XSS flaws that are largely omitted are the context-sensitive XSS flaws. A context-sensitive XSS flaw occurs when the potentially malicious input is sanitized by the affected web application before being included in the output page, but the sanitization is not appropriate for the browser context in which the sanitized value ends up. Another type of XSS flaw, already better known but still insufficiently fought against, is the persistent XSS flaw. Applications affected by persistent XSS flaws store the unsafe client input in persistent storage and return it in another HTTP response to (possibly) another client.

Our work is focused on advancing state-of-the-art automated detection of those two types of XSS flaws using various analysis techniques ranging from purely static analysis to dynamic blackbox analysis.
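The context-sensitive case described above, as an added example that is not part of the thesis record: the same value is placed both in an HTML text node and in a JavaScript string inside an onclick attribute. The browser entity-decodes the attribute before the script engine parses it, so HTML escaping alone is the wrong sanitization for that second context. The template `render_link` and the handler name `track` are hypothetical.

```python
import html
import re

# Each browser context has its own encoder; a value that is safe in one
# context is not automatically safe in another.

def encode_html_text(value: str) -> str:
    """HTML element content: entity-escape <, > and &."""
    return html.escape(value, quote=False)

def encode_html_attr(value: str) -> str:
    """Double-quoted HTML attribute value: also escape both quote characters."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """JavaScript string literal: \\xHH / \\uHHHH for every non-alphanumeric
    character, so no quote, backslash, newline or '</' can survive."""
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"\\x{cp:02x}" if cp < 256 else f"\\u{cp:04x}")
    return "".join(out)

def render_link(label: str, context_aware: bool) -> str:
    """Hypothetical template: the label lands in two contexts, an HTML text
    node and a JS string literal inside an onclick attribute."""
    if context_aware:
        # Layered for the nested context: JS-string encoding, then attribute encoding.
        handler = encode_html_attr(encode_js_string(label))
    else:
        # Mismatch: HTML attribute encoding only, as in a context-sensitive XSS flaw.
        handler = encode_html_attr(label)
    text = encode_html_text(label)
    return f"<a href=\"#\" onclick=\"track('{handler}')\">{text}</a>"

# A fully escaped JS string body consists only of alphanumerics and hex escapes.
JS_STRING_OK = re.compile(r"^(?:[A-Za-z0-9]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*$")

def handler_value_is_safe(page: str) -> bool:
    """Model the browser: entity-decode the onclick attribute first, then check
    whether the string body the JS parser receives is still fully escaped."""
    m = re.search(r"onclick=\"track\('([^\"]*)'\)\"", page)
    if m is None:
        return False
    as_seen_by_js = html.unescape(m.group(1))
    return JS_STRING_OK.match(as_seen_by_js) is not None
```

Run `handler_value_is_safe(render_link("O'Brien", context_aware=False))` to see the HTML-escaped apostrophe come back as a raw quote inside the JS literal; the context-aware variant passes.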

In this context, the goal of the thesis is to advance the state of the art in the domain of performance awareness through contributions to some of the open issues, such as the ones cited above.
Recommended literature
[1] Bureš T., Gerostathopoulos I., Hnětynka P., Keznikl J., Kit M., Plášil F.: DEECo - an Ensemble-Based Component System. CBSE 2013
[2] Bulej L., Bureš T., Horký V., Keznikl J.: Adaptive Deployment in Ad-Hoc Systems Using Emergent Component Ensembles: Vision Paper. ICPE 2013
[3] Keznikl J., Bureš T., Plášil F., Gerostathopoulos I., Hnětynka P., Nicklas Hoch: Design of Ensemble-Based Component Systems by Invariant Refinement. CBSE 2013
[4] Bulej L., Bureš T., Horký V., Keznikl J., Tůma P.: Performance Awareness in Component Systems: Vision Paper. COMPSAC CORCS 2012
[5] Bulej L., Bureš T., Keznikl J., Koubková A., Podzimek A., Tůma P.: Capturing Performance Assumptions using Stochastic Performance Logic. ICPE 2012
[6] ASCENS Project Deliverables, http://www.ascens-ist.eu/deliverables
Univerzita Karlova | Informační systém UK