| Nowadays, JSP is increasingly being used to develop dynamic websites. As a big security hazard vulnerability, XSS vulnerability is also present in JSP web site. Once the XSS vulnerability exists in JSP sites, it can be exploited Hackers can intrude web host, spread a worm or a virus, through injecting codes and executing.In this paper, the principles of its formation, classification, and preventive measures of the XSS are analyzed firstly. At the same time, review the main current detection methods, and analyze their advantages and disadvantages. Then introduced several static analysis technologies and consider the application vulnerability detection.First, the XSS vulnerability is analyzed by author and designed a set of conditions used to determine the XSS vulnerability exists. Then a static detection approach based on control flow analysis and data flow analysis is proposed to detect the XSS vulnerability in JSP programs. First, approach obtains the control flow and the data flow information between the relevant statements of information by analyzing JSP source code. Then use the information to determine the conditions. Finally, use these conditions to determine the test results. Approach considers two XSS vulnerabilities, vulnerability of a web application and the vulnerability of a server page. The vulnerability of a server page is a necessary condition for the vulnerability of a web application, but it is not a sufficient condition. The vulnerability of a web application is extracted from the results of the vulnerability of a server page.Finally a system achieving the method proposed above is presented, which can detecting XSS vulnerabilities effectively. |
PDF Full Text Request