Detecting Command Injection and Cross-site Scripting Vulnerabilities Using Graph Representations
Uloženo v:
| Vydáno v: | The Institute of Electrical and Electronics Engineers, Inc. (IEEE) Conference Proceedings (2023) |
|---|---|
| Hlavní autor: | |
| Další autoři: | |
| Vydáno: |
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
|
| Témata: | |
| On-line přístup: | Citation/Abstract |
| Tagy: |
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
|
| Abstrakt: | Conference Title: 2023 IEEE International Conference on Data and Software Engineering (ICoDSE)Conference Start Date: 2023, Sept. 7 Conference End Date: 2023, Sept. 8 Conference Location: Toba, IndonesiaWeb-based applications, such as JavaScript-based applications, have vastly grown in scope and features. As web-based applications grow, the potential of vulnerabilities emerging inside such applications also grows. One of the ways to detect vulnerabilities inside web-based applications is to perform a static code analysis. Several static code analysis tools have been developed and are able to detect vulnerabilities inside JavaScript-based applications. However, these tools use abstract syntax tree representations in their analysis, therefore the analysis can't be performed efficiently. This paper proposes a static code analysis to detect vulnerabilities inside JavaScript-based applications using data-flow graph, control-flow graph, and call graph representations. Using taint analysis, a static code analysis tool is able to detect vulnerabilities in the form of command injection, and cross-site scripting (XSS). Test results showed that the static code analysis tool successfully detected vulnerabilities from four open-source projects. |
|---|---|
| DOI: | 10.1109/ICoDSE59534.2023.10291446 |
| Zdroj: | Science Database |