원문정보
초록
영어
Cross-site scripting(XSS) is one of the major threats in web services. Many legacy web applications, which are prevalent in industry, are vulnerable to XSS. This paper proposes dynamic taint analysis scheme by using concolic execution to prevent XSS. Our proposed scheme has no false alarm, at the same time, minimizes required dynamic taint analysis time to cover all execution path. In this manner we can find the exact input data set, which causes the XSS threat. We defined instrumentation scheme for taint analysis and concolic executions. The instrumentation phase for the Java servlet code is automated. The experimental results on test set of SecuriBench Micro, demonstrated the validity of proposed scheme. It detects 90.63% of XSS threats while showing 0% of false positive.
목차
I. INTRODUCTION
II. TAINT ANALYSIS USING CONCOLIC EXECTUTION
A. Motivating Example
B. Extened Tomcat Servelet Runner for Concolic Executions
C. Instrumentation Module
III. XSS DETECTION APPROACH
IV. EXPERIMENTAL RESULTS
V. RELATED RESEARCHES
VI. CONCLUSIONS AND DISCUSSIONS
REFERENCES