Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis

  • Talib, Nurul Atiqah Abu (Department of Computer Science and Engineering, Hanyang University ERICA)
  • Doh, Kyung-Goo (Department of Computer Science and Engineering, Hanyang University ERICA)
  • Received : 2021.11.30
  • Accepted : 2021.12.20
  • Published : 2021.12.31

Abstract

Reports of rampant cross-site scripting (XSS) vulnerabilities raise growing concerns on the effectiveness of current Static Analysis Security Testing (SAST) tools as an internet security device. Attentive to these concerns, this study aims to examine seven open-source SAST tools in order to account for their capabilities in detecting XSS vulnerabilities in PHP applications and to determine their performance in terms of effectiveness and analysis runtime. The representative tools - categorized as either text-based or graph-based analysis tools - were all test-run using real-world PHP applications with known XSS vulnerabilities. The collected vulnerability detection reports of each tool were analyzed with the aid of PhpStorm's data flow analyzer. It is observed that the detection rates of the tools calculated from the total vulnerabilities in the applications can be as high as 0.968 and as low as 0.006. Furthermore, the tools took an average of less than a minute to complete an analysis. Notably, their runtime is independent of their analysis type.
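An added illustration, not code from the paper or from any of the seven tools it evaluates: a toy text-based (pattern-matching) checker beside a toy statement-level taint tracker, run over constructed PHP snippets, to show why the two analysis types can diverge so widely in detection rate. Sample snippets, the `htmlspecialchars` sanitizer rule and the single-statement taint model are all simplifying assumptions.

```python
import re

# Constructed PHP snippets with ground truth (label, source, is_vulnerable).
# They are not taken from the applications used in the study.
SAMPLES = [
    ("direct", '<?php echo $_GET["name"]; ?>', True),
    ("via_var", '<?php\n$n = $_GET["name"];\necho "Hi " . $n;\n?>', True),
    ("sanitized", '<?php\n$n = htmlspecialchars($_GET["name"]);\necho $n;\n?>', False),
    ("constant", '<?php\n$n = "static";\necho $n;\n?>', False),
]

SOURCE_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\[')   # user-controlled input
SINK_RE = re.compile(r'\b(echo|print)\b')                   # output to the page
SANITIZER_RE = re.compile(r'\bhtmlspecialchars\s*\(')       # assumed to neutralise taint
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.*)$')

def text_based(src):
    """Text-based analysis: flag a line only if source and sink co-occur on it.
    It cannot see data flowing through a variable across statements."""
    return any(SOURCE_RE.search(l) and SINK_RE.search(l) for l in src.splitlines())

def statements(src):
    body = src.replace("<?php", "").replace("?>", "")
    return [s.strip() for s in body.split(";") if s.strip()]

def uses_tainted(expr, tainted):
    return any(re.search(r'\$' + re.escape(v) + r'\b', expr) for v in tainted)

def taint_based(src):
    """Graph-style analysis (simplified): propagate taint through assignments,
    drop it when the RHS is wrapped in the sanitizer, report a tainted sink."""
    tainted = set()
    for stmt in statements(src):
        m = ASSIGN_RE.match(stmt)
        if m:
            var, rhs = m.group(1), m.group(2)
            dirty = bool(SOURCE_RE.search(rhs)) or uses_tainted(rhs, tainted)
            if dirty and not SANITIZER_RE.search(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)
        elif SINK_RE.match(stmt):
            if SOURCE_RE.search(stmt) or uses_tainted(stmt, tainted):
                return True
    return False

def detection_rate(detector):
    """Share of known-vulnerable samples the detector reports (the abstract's
    metric), plus how many safe samples it wrongly flags."""
    vulns = [src for _, src, v in SAMPLES if v]
    hits = sum(1 for src in vulns if detector(src))
    false_pos = sum(1 for _, src, v in SAMPLES if not v and detector(src))
    return hits / len(vulns), false_pos
```

On these four snippets the text-based checker reaches a detection rate of 0.5 and the taint tracker 1.0, with no false positives for either.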
