
Difficult XSS Code Patterns for Static Code Analysis Tools

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11981)

Abstract

We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects, each in both a vulnerable and a fixed version, for XSS vulnerabilities reported with CVE IDs over a period of seven years. We used three commercial and two open source static code analysis tools. Based on the reported vulnerabilities, we discovered code patterns that appear to be difficult for static analysis to classify. The results show that code analysis tools are helpful, but still have problems with specific source code patterns. These patterns should be a focus in training for developers.



Author information

Corresponding author: Felix Schuckert.

Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Schuckert, F., Katt, B., Langweg, H. (2020). Difficult XSS Code Patterns for Static Code Analysis Tools. In: Fournaris, A., et al. (eds.) Computer Security. IOSEC MSTEC FINSEC 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_9


  • DOI: https://doi.org/10.1007/978-3-030-42051-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42050-5

  • Online ISBN: 978-3-030-42051-2

  • eBook Packages: Computer Science (R0)