Abstract
Script injection vulnerabilities are common in dynamic web applications. This paper analyzes the conditions necessary for a script injection vulnerability to arise and to be exploited, in order to protect against the different injection types. Combining analysis of the host language with analysis of the object language, the statements in the generated HTML are located together with their types. From the control flow graph, the data dependency subgraph containing the source points and sink points is built. A filter insertion algorithm is designed over this subgraph that assigns a different filtering strategy to each type of input data. A solution was then implemented based on data flow analysis and the automatic insertion of filters before the relevant sink statements.
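As an added example, not code from the paper or its authors, the Python sketch below walks through the pipeline the abstract describes on a constructed handler: locate sources and typed sinks, build the data dependency subgraph, and insert a filter chosen by the sink's statement type in front of every sink that a source reaches. The IR, the sample handler, the three sink types, the filter functions and the attack request are all assumptions made for this illustration; the paper works on the host and object language of a real application rather than on a toy IR.

```python
# Added illustration (not the paper's implementation): a toy data-flow analysis over a
# straight-line IR standing in for a servlet handler. Request-parameter reads are sources,
# writes into typed HTML statements are sinks, and a filter chosen by the sink's type is
# inserted in front of every sink that is data-dependent on a source.
import html
import re
from collections import defaultdict

# IR statements (all constructed for this example):
#   ("source", var, param)                      var = request parameter `param`
#   ("concat", var, [("lit", s) | ("var", v)])  string building
#   ("sink", ctx, template, var)                template.format(var) is written out; ctx is the HTML statement type
#   ("filter", ctx, src, dst)                   dst = FILTERS[ctx](src); produced by insert_filters()
HANDLER = [
    ("source", "name", "name"),
    ("source", "colour", "colour"),
    ("source", "greet", "greet"),
    ("concat", "msg", [("lit", "Hello, "), ("var", "name")]),
    ("concat", "title", [("lit", "Welcome")]),                  # not user controlled
    ("sink", "html", "<p>{}</p>", "msg"),                       # body text
    ("sink", "attr", '<div style="color:{}">', "colour"),       # attribute value
    ("sink", "js", "<script>var g = '{}';</script>", "greet"),  # JS string literal
    ("sink", "html", "<h1>{}</h1>", "title"),
]

def defs_uses(st):
    """Variables a statement defines and reads."""
    kind = st[0]
    if kind == "source":
        return {st[1]}, set()
    if kind == "concat":
        return {st[1]}, {p[1] for p in st[2] if p[0] == "var"}
    if kind == "filter":
        return {st[3]}, {st[2]}
    return set(), {st[3]}  # sink

def data_dependencies(prog):
    """Edges (i, j): statement j reads a variable whose reaching definition is statement i."""
    last_def, edges = {}, set()  # straight-line IR: the reaching definition is the latest one
    for j, st in enumerate(prog):
        defs, uses = defs_uses(st)
        edges.update((last_def[v], j) for v in uses if v in last_def)
        for v in defs:
            last_def[v] = j
    return edges

def tainted_sinks(prog):
    """Indices of sinks reachable from a source in the data dependency subgraph."""
    succ = defaultdict(set)
    for a, b in data_dependencies(prog):
        succ[a].add(b)
    work = [i for i, st in enumerate(prog) if st[0] == "source"]
    reached = set(work)
    while work:
        for n in succ[work.pop()]:
            if n not in reached:
                reached.add(n)
                work.append(n)
    return sorted(i for i in reached if prog[i][0] == "sink")

def js_string_escape(s):
    """\\uXXXX-encode all but [A-Za-z0-9] so the value cannot end a JS string literal (BMP only)."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "\\u%04x" % ord(m.group()), s)

# Filtering strategy per HTML statement type.
FILTERS = {"html": lambda s: html.escape(s, quote=False),
           "attr": lambda s: html.escape(s, quote=True),
           "js": js_string_escape}

def insert_filters(prog):
    """Rewrite the program so each tainted sink reads a filtered copy of its input."""
    hot, out = set(tainted_sinks(prog)), []
    for i, st in enumerate(prog):
        if i in hot:
            _, ctx, template, var = st
            safe = f"{var}__{ctx}"  # fresh name: other sinks still see the raw value
            out.append(("filter", ctx, var, safe))
            out.append(("sink", ctx, template, safe))
        else:
            out.append(st)
    return out

def run(prog, params):
    """Execute the IR for one request and return the generated HTML."""
    env, out = {}, []
    for st in prog:
        kind = st[0]
        if kind == "source":
            env[st[1]] = params.get(st[2], "")
        elif kind == "concat":
            env[st[1]] = "".join(p[1] if p[0] == "lit" else env[p[1]] for p in st[2])
        elif kind == "filter":
            env[st[3]] = FILTERS[st[1]](env[st[2]])
        else:
            out.append(st[2].format(env[st[3]]))
    return "\n".join(out)

# Constructed attack request, one payload per sink type.
ATTACK = {"name": "<script>alert(1)</script>",
          "colour": 'red" onmouseover="alert(1)',
          "greet": "'; alert(1); //"}
```

Running `run(HANDLER, ATTACK)` reproduces all three payloads verbatim in the output, while `run(insert_filters(HANDLER), ATTACK)` emits the body text HTML-entity encoded, the attribute value with its quotes encoded and the JS literal with every non-alphanumeric byte `\u`-escaped; the untainted `<h1>Welcome</h1>` sink is left untouched because no source reaches it. The filter is chosen by the sink's statement type rather than by the source because the same input needs a different encoding in body text, in an attribute and inside a script literal, and each tainted sink gets its own filtered copy so a value that flows to two sinks of different types is encoded correctly for each.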
Acknowledgements
This work was supported by the National Key Research and Development Plan (Grant No. 2016QY07X1404) and the National Natural Science Foundation of China (Grant No. 61402526).
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Yin, Z., Li, Z., Cao, Y. (2018). A Web Application Runtime Application Self-protection Scheme against Script Injection Attacks. In: Sun, X., Pan, Z., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2018. Lecture Notes in Computer Science, vol 11064. Springer, Cham. https://doi.org/10.1007/978-3-030-00009-7_51
DOI: https://doi.org/10.1007/978-3-030-00009-7_51
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00008-0
Online ISBN: 978-3-030-00009-7
eBook Packages: Computer Science, Computer Science (R0)