Cross site scripting (XSS) vulnerability is mainly caused by the failure of webapplications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability det...
详细信息
Cross site scripting (XSS) vulnerability is mainly caused by the failure of webapplications in sanitising user inputs embedded in web pages. Even though state-of-the-art defensive coding methods and vulnerability detection methods are often used by developers and security auditors, XSS flaws still remain in many applications because of (i) the difficulty of adopting these methods, (ii) the inadequate implementation of these methods, and/or (iii) the lack of understanding of XSS problem. To address this issue, this study proposes a code-auditing approach that recovers the defence model implemented in program source code and suggests guidelines for checking the adequacy of recovered model against XSS attacks. On the basis of the possible implementation patterns of defensive coding methods, our approach extracts all such defences implemented for securing each potentially vulnerable HTML output. It then introduces a variant of control flow graph, called tainted-information flow graph, as a model to audit the adequacy of XSS defence artefacts. The authors evaluated the proposed method based on the experiments on seven java-based web applications. In the auditing experiments, our approach was effective in recovering all the XSS defence features implemented in the test subjects. The extracted artefacts were also shown to be useful for filtering the false-positive cases reported by a vulnerability detection method and helpful in fixing the vulnerable code sections.
This paper describes a distributed system which aggregates the unused and usually wasted processing capacity of idle workstations. The aggregation is achieved through the use of now ubiquitous internet infrastructure ...
详细信息
ISBN:
(纸本)0889864209
This paper describes a distributed system which aggregates the unused and usually wasted processing capacity of idle workstations. The aggregation is achieved through the use of now ubiquitous internet infrastructure and web technology. And, it delivers a powerful yet inexpensive execution environment for computationally intensive applications. The prototype system described here makes use of Sun Microsystems Jini technology, particularly javaSpaces, along with javaweb Start, to produce a dynamic, flexible and reliable system. Two example applications used to evaluate the system are described: (a) the n-Queens. problem and (b) a parallel sorting (shearsort) application. The results of the evaluation clearly show that, for certain classes of applications, the system is capable of delivering significant performance.
暂无评论