Schuckert et al., 2019 - Google Patents
Difficult XSS code patterns for static code analysis tools
- Document ID
- 16353756873355281012
- Author
- Schuckert F
- Katt B
- Langweg H
- Publication year
- 2019
- Publication venue
- International Workshop on Information and Operational Technology Security Systems
Snippet
We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects in both a vulnerable and a fixed version for XSS vulnerabilities reported with CVE IDs over a period of seven years. We used three …
Classifications
- G06F21/563—Static detection by source code analysis
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  - G06F21/55—Detecting local intrusion or implementing counter-measures
  - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
  - G06F21/562—Static detection
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F11/3672—Test management
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F11/00—Error detection; Error correction; Monitoring
  - G06F11/36—Preventing errors by testing or debugging software
  - G06F11/3668—Software testing
- G06F11/3612—Software analysis for verifying properties of programs by runtime analysis
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F11/00—Error detection; Error correction; Monitoring
  - G06F11/36—Preventing errors by testing or debugging software
  - G06F11/3604—Software analysis for verifying properties of programs
- G06F17/30861—Retrieval from the Internet, e.g. browsers
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
  - G06F17/30—Information retrieval; Database structures therefor; File system structures therefor
- G06F8/75—Structural analysis for program understanding
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F8/00—Arrangements for software engineering
  - G06F8/70—Software maintenance or management
- G06F9/06—Arrangements for programme control, e.g. control unit using stored programme, i.e. using internal store of processing equipment to receive and retain programme
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F9/00—Arrangements for programme control, e.g. control unit
- G06F2221/2145—Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06F—ELECTRICAL DIGITAL DATA PROCESSING
  - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06N5/022—Knowledge engineering, knowledge acquisition
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06N—COMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS
  - G06N5/00—Computer systems utilising knowledge based models
  - G06N5/02—Knowledge representation
- G06Q10/00—Administration; Management
  - G—PHYSICS
  - G06—COMPUTING; CALCULATING; COUNTING
  - G06Q—DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
Similar Documents
| Publication | Title |
|---|---|
| US11604883B2 (en) | Security risk identification in a secure software lifecycle |
| Medeiros et al. | Automatic detection and correction of web application vulnerabilities using data mining to predict false positives |
| Khodayari et al. | JAW: Studying client-side CSRF with hybrid property graphs and declarative traversals |
| US9715593B2 (en) | Software vulnerabilities detection system and methods |
| Chowdhury et al. | Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities |
| US20160203330A1 (en) | Code repository intrusion detection |
| Del Grosso et al. | Detecting buffer overflow via automatic test input data generation |
| Zahan et al. | Do software security practices yield fewer vulnerabilities? |
| Le et al. | Guruws: A hybrid platform for detecting malicious web shells and web application vulnerabilities |
| Andreoli et al. | On the prevalence of software supply chain attacks: empirical study and investigative framework |
| Chahar et al. | Code analysis for software and system security using open source tools |
| Shen et al. | Understanding vulnerabilities in software supply chains |
| George et al. | A preliminary study on common programming mistakes that lead to buffer overflow vulnerability |
| Yan et al. | Detection method of the second-order SQL injection in web applications |
| Charoenwet et al. | Toward effective secure code reviews: an empirical study of security-related coding weaknesses |
| Kirschner et al. | Automatic derivation of vulnerability models for software architectures |
| Zahan et al. | Leveraging large language models to detect npm malicious packages |
| Zipperle et al. | PARGMF: A provenance-enabled automated rule generation and matching framework with multi-level attack description model |
| Schuckert et al. | Difficult XSS code patterns for static code analysis tools |
| Chu et al. | SGDL: Smart contract vulnerability generation via deep learning |
| Moffitt | A framework for legacy source code audit analytics |
| McCoy | A relevance model for threat-centric ranking of cybersecurity vulnerabilities |
| Huynh et al. | An empirical investigation into open source web applications' implementation vulnerabilities |
| Alqahtani | Enhancing Trust – A Unified Meta-Model for Software Security Vulnerability Analysis |
| Sultana et al. | Using software metrics for predicting vulnerable classes in Java and Python based systems |