Thesis (Selection of subject) (version: 368)
Thesis details
New Approaches Towards Automated XSS Flaw Detection
Thesis title in Czech: Nové přístupy k automatické detekci XSS chyb
Thesis title in English: New Approaches Towards Automated XSS Flaw Detection
Key words: XSS, context-sensitive, webpage, security, analysis
English key words: XSS, context-sensitive, webpage, security, analysis
Academic year of topic announcement: 2012/2013
Thesis type: dissertation
Thesis language: English
Department: Department of Distributed and Dependable Systems (32-KDSS)
Supervisor: prof. Ing. Petr Tůma, Dr.
Author: RNDr. JUDr. Antonín Steinhauser, Ph.D. - assigned and confirmed by the Study Dept.
Date of registration: 27.09.2013
Date of assignment: 27.09.2013
Confirmed by Study dept. on: 22.01.2014
Date and time of defence: 15.09.2020 09:00
Date of electronic submission: 16.04.2020
Date of submission of printed version: 22.04.2020
Date of proceeded defence: 15.09.2020
Opponents: Kostyantyn Vorobyov
  doc. Ing. Miroslav Bureš, Ph.D.
 
 
Guidelines
Cross-site scripting (XSS) flaws are a class of security flaws particular to web applications. XSS flaws generally allow an attacker to supply the affected web application with malicious input that is then included in an output page without being properly encoded (sanitized). Recent advances in web application technologies and web browsers have introduced various prevention mechanisms that narrow the scope of possible XSS attacks, but those mechanisms are usually selective and prevent only a subset of XSS flaws.

Among the types of XSS flaws that are largely omitted are the context-sensitive XSS flaws. A context-sensitive XSS flaw occurs when the potentially malicious input is sanitized by the affected web application before being included in the output page, but the sanitization is not appropriate for the browser contexts of the sanitized value. Another type of XSS flaw, already better known but still insufficiently fought against, is the persistent XSS flaw. Applications affected by persistent XSS flaws store the unsafe client input in persistent storage and return it in another HTTP response to (possibly) another client.

Our work is focused on advancing the state of the art in automated detection of those two types of XSS flaws, using analysis techniques ranging from purely static analysis to dynamic blackbox analysis.


In this context, the goal of the thesis is to advance the state of the art in the domain of performance awareness through contribution to some of the open issues, such as the ones cited above.
Charles University | Information system of Charles University | http://www.cuni.cz/UKEN-329.html