Abstract
It has been found that almost 70% of recent attacks on Web applications have succeeded even when the systems were protected by well-configured firewalls and intrusion detection systems. Advisory sites report that more than 20% of attacks originated from Cross Site Scripting (XSS) vulnerabilities. Our analysis shows that more than 40% of the vulnerabilities confirmed in Common Vulnerabilities and Exposures (CVE) in the year 2006 were based on PHP scripts, and that 45% of these PHP-based vulnerabilities are classified as XSS. By organizing these errors into a simple taxonomy and mapping CVE entries onto the Common Weakness Enumeration (CWE) of the MITRE Corporation, we have constructed a Common XSS vulnerability Enumeration (CXE). With the help of CXE, security practitioners can recognize the common developer patterns that lead to XSS coding errors in PHP, while developers can identify and rectify such errors as they build software.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sivakumar, K., Garg, K. (2007). Constructing a “Common Cross Site Scripting Vulnerabilities Enumeration (CXE)” Using CWE and CVE. In: McDaniel, P., Gupta, S.K. (eds) Information Systems Security. ICISS 2007. Lecture Notes in Computer Science, vol 4812. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77086-2_25
DOI: https://doi.org/10.1007/978-3-540-77086-2_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77085-5
Online ISBN: 978-3-540-77086-2
eBook Packages: Computer Science (R0)