
JSPChecker: Static Detection of Context-Sensitive Cross-Site Scripting Flaws in Legacy Web Applications

Publication at Faculty of Mathematics and Physics | 2016

Abstract

JSPChecker is a static analysis tool that detects context-sensitive cross-site scripting vulnerabilities in legacy web applications. While cross-site scripting flaws can be mitigated through sanitisation, a process that removes dangerous characters from input values, proper sanitisation requires knowledge about the output context of input values.

Indeed, web pages are built using a mix of different languages (e.g. HTML, CSS, JavaScript and others) that call for different sanitisation routines.

Context-sensitive cross-site scripting vulnerabilities occur when there is a mismatch between the sanitisation routine applied to a value and the output context in which that value is emitted. JSPChecker uses data-flow analysis to track the sanitisation routines applied to an input value, and a combination of string analysis and fault-tolerant parsing to approximate the output context of sanitised values; it then compares the two to detect context-sensitive cross-site scripting vulnerabilities.
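The following toy checker is an added illustration of the mismatch the abstract describes; it is not JSPChecker's code and does not reproduce its analysis. The set of sanitisers applied to a value is taken as given (standing in for the data-flow step), the output context is approximated by a deliberately tolerant scan of the markup before the insertion point (standing in for string analysis plus fault-tolerant parsing), and an adequacy table, which is a constructed assumption of this example, decides whether the two match. The templates, the `${name}` placeholder and the sanitiser names `escapeHtml` and `escapeJs` are all constructed for the example.

```python
"""Toy context-sensitive XSS mismatch checker (added example, not JSPChecker's code)."""
import re
from enum import Enum


class Ctx(Enum):
    HTML_BODY = "HTML text"
    HTML_ATTR_QUOTED = "quoted HTML attribute"
    HTML_ATTR_UNQUOTED = "unquoted HTML attribute"
    JS_STRING = "JavaScript string literal"
    JS_CODE = "JavaScript code (outside a string)"


# Constructed adequacy table: which named sanitisers are sufficient for which context.
# A value whose applied sanitisers do not intersect the set for its context is a mismatch.
ADEQUATE = {
    Ctx.HTML_BODY: {"escapeHtml"},
    Ctx.HTML_ATTR_QUOTED: {"escapeHtml"},
    Ctx.HTML_ATTR_UNQUOTED: set(),   # whitespace ends the value; entity escaping alone is not enough
    Ctx.JS_STRING: {"escapeJs"},
    Ctx.JS_CODE: set(),              # no escaping makes arbitrary text safe as code
}

_SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
_SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)


def infer_context(template: str, placeholder: str) -> Ctx:
    """Approximate the output context at the first occurrence of `placeholder`.

    Tolerant by design: unclosed tags and script blocks are accepted, JS comments are
    ignored, and only the text before the insertion point is consulted.
    """
    if placeholder not in template:
        raise ValueError("placeholder not found in template")
    prefix = template.split(placeholder, 1)[0]

    # 1. Inside a <script> block? Compare the last opening tag with the last closing tag.
    opens = list(_SCRIPT_OPEN.finditer(prefix))
    closes = list(_SCRIPT_CLOSE.finditer(prefix))
    last_open = opens[-1].end() if opens else -1
    last_close = closes[-1].end() if closes else -1
    if last_open > last_close:
        js = prefix[last_open:]
        in_str = None          # quote character of the literal we are inside, if any
        i = 0
        while i < len(js):
            ch = js[i]
            if in_str and ch == "\\":   # backslash escapes the next character
                i += 2
                continue
            if in_str:
                if ch == in_str:
                    in_str = None
            elif ch in "\"'`":
                in_str = ch
            i += 1
        return Ctx.JS_STRING if in_str else Ctx.JS_CODE

    # 2. Inside a tag? The last '<' is more recent than the last '>'.
    lt, gt = prefix.rfind("<"), prefix.rfind(">")
    if lt > gt:
        tag = prefix[lt:]
        if re.search(r'=\s*"[^"]*$', tag) or re.search(r"=\s*'[^']*$", tag):
            return Ctx.HTML_ATTR_QUOTED
        # Unquoted value, or attribute-name position: neither is made safe by escaping.
        return Ctx.HTML_ATTR_UNQUOTED
    return Ctx.HTML_BODY


def check(template: str, placeholder: str, sanitisers: set) -> dict:
    """Report whether the sanitisers applied to the value match its output context."""
    ctx = infer_context(template, placeholder)
    return {"context": ctx, "sanitisers": sorted(sanitisers),
            "adequate": bool(sanitisers & ADEQUATE[ctx])}


# Constructed JSP-like fragments paired with the sanitiser assumed to have been applied.
CASES = [
    ('<p>Hello, ${name}</p>', {"escapeHtml"}),
    ('<input value="${name}">', {"escapeHtml"}),
    ('<input value=${name}>', {"escapeHtml"}),
    ("<script>var user = '${name}';</script>", {"escapeHtml"}),
    ("<script>var user = '${name}';</script>", {"escapeJs"}),
    ("<script>var n = ${name};</script>", {"escapeJs"}),
]


def run_cases():
    return [check(t, "${name}", s) for t, s in CASES]


if __name__ == "__main__":
    for (t, _), r in zip(CASES, run_cases()):
        flag = "ok      " if r["adequate"] else "MISMATCH"
        print(f"{flag} {r['context'].value:36s} {','.join(r['sanitisers']):10s} {t}")
```

Running the script reports the three mismatches a context-blind checker would miss: HTML entity escaping applied to a value emitted inside an unquoted attribute or a JavaScript string literal, and a value emitted directly as JavaScript code, for which no escaping routine is adequate. The quoted-attribute and HTML-text cases pass, which is the point of the approach: the same routine is correct or incorrect depending only on where the value lands.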

We demonstrate the effectiveness of our approach by analysing five open-source applications and showing how JSPChecker identifies several context-sensitive XSS flaws in real-world applications with a precision ranging from 96% to 100%.