Current state of research on cross-site scripting (XSS) - A systematic literature review

Cited by: 69
Authors
Hydara, Isatou [1 ]
Sultan, Abu Bakar Md. [1 ]
Zulzalil, Hazura [1 ]
Admodisastro, Novia [1 ]
Affiliations
[1] Univ Putra Malaysia, Fac Comp Sci & Informat Technol, Dept Software Engn & Informat Syst, Serdang 43400, Selangor, Malaysia
Keywords
Systematic literature review; Cross-site scripting; Security; Web applications; WEB APPLICATIONS; INPUT-VALIDATION; SQL INJECTION; ROBUST PREVENTION; SIDE DETECTION; VULNERABILITIES; ATTACKS; FRAMEWORK;
DOI
10.1016/j.infsof.2014.07.010
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Context: Cross-site scripting (XSS) is a security vulnerability that affects web applications. It occurs when user inputs are sanitized improperly or not sanitized at all. This vulnerability has caused many problems for users and for server applications. Objective: To conduct a systematic literature review of the studies done on XSS vulnerabilities and attacks. Method: We followed the standard guidelines for systematic literature review as documented by Barbara Kitchenham and reviewed a total of 115 studies related to cross-site scripting from various journals and conference proceedings. Results: Research on XSS is still very active, with publications across many conference proceedings and journals. Attack prevention and vulnerability detection are the areas on which most of the studies focus. Dynamic analysis techniques form the majority of the solutions proposed by the various studies. The type of XSS addressed most often is reflected XSS. Conclusion: XSS still remains a big problem for web applications, despite the bulk of solutions provided so far. There is no single solution that can effectively mitigate XSS attacks. More research is needed in the area of removing vulnerabilities from the source code of applications before deployment. (C) 2014 Elsevier B.V. All rights reserved.
Pages: 170 / 186
Page count: 17