Litcius/Paper detail

Splendor: Static Detection of Stored XSS in Modern Web Applications

He Su, Feng Li, Lili Xu, Wenbo Hu, Sun Yujie, Qing Sun, Huina Chao, Wei Huo

202311 citationsDOI

Abstract

In modern websites, stored Cross-Site Scripting (XSS) is the most dangerous XSS vulnerability, which can store payloads in the web system and be triggered directly by the victim. Database (DB) as the most commonly used storage medium for data on websites is therefore also the most common place where stored XSS occurs. Due to the modularity of modern programming architectures, the complex underlying database operations will often be encapsulated and abstracted as a Data Access Layer (DAL) to provide unified data access services to the business layer. The heavy use of Object-Oriented (OO) and dynamic language features involved in the encapsulation makes it increasingly challenging for static taint analysis tools to understand how tainted data flows between the source code and the exact locations in database.

Topics & Concepts

Cross-site scriptingComputer scienceScripting languageWeb applicationDatabaseWorld Wide WebTaint checkingEncapsulation (networking)Static analysisProgramming languageComputer securityWeb application securityWeb serviceWeb developmentSoftwareWeb Application Security VulnerabilitiesSecurity and Verification in ComputingAdvanced Malware Detection Techniques