@article{ART002795068,
  author  = {{Nurul Atiqah Abu Talib} and Doh, Kyung-Goo},
  title   = {Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis},
  journal = {Journal of Software Assessment and Valuation},
  issn    = {2092-8114},
  year    = {2021},
  volume  = {17},
  number  = {2},
  pages   = {125--142},
  doi     = {10.29056/jsav.2021.12.14},
}
TY - JOUR
AU - Nurul Atiqah Abu Talib
AU - Doh, Kyung-Goo
TI - Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis
JO - Journal of Software Assessment and Valuation
PY - 2021
VL - 17
IS - 2
PB - Korea Software Assessment and Valuation Society
SP - 125
EP - 142
SN - 2092-8114
AB - Reports of rampant cross-site scripting (XSS) vulnerabilities raise growing concerns about the effectiveness of current Static Analysis Security Testing (SAST) tools as an internet security device. Attentive to these concerns, this study aims to examine seven open-source SAST tools in order to account for their capabilities in detecting XSS vulnerabilities in PHP applications and to determine their performance in terms of effectiveness and analysis runtime. The representative tools - categorized as either text-based or graph-based analysis tools - were all test-run using real-world PHP applications with known XSS vulnerabilities. The collected vulnerability detection reports of each tool were analyzed with the aid of PhpStorm's data flow analyzer. It is observed that the detection rates of the tools, calculated from the total vulnerabilities in the applications, can be as high as 0.968 and as low as 0.006. Furthermore, the tools took an average of less than a minute to complete an analysis. Notably, their runtime is independent of their analysis type.
KW - Cross-site scripting
KW - Open-source Static Analysis Security Testing Tools
KW - Detection
DO - 10.29056/jsav.2021.12.14
ER -
Nurul Atiqah Abu Talib and Doh, Kyung-Goo. (2021). Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis. Journal of Software Assessment and Valuation, 17(2), 125-142.
Nurul Atiqah Abu Talib and Doh, Kyung-Goo. 2021, "Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis", Journal of Software Assessment and Valuation, vol.17, no.2, pp.125-142. Available from: doi:10.29056/jsav.2021.12.14
Nurul Atiqah Abu Talib, Doh, Kyung-Goo. "Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis." Journal of Software Assessment and Valuation 17.2 (2021): 125-142.
Nurul Atiqah Abu Talib, Doh, Kyung-Goo. Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis. 2021; 17(2), 125-142. Available from: doi:10.29056/jsav.2021.12.14
Nurul Atiqah Abu Talib and Doh, Kyung-Goo. "Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis" Journal of Software Assessment and Valuation 17, no.2 (2021) : 125-142.doi: 10.29056/jsav.2021.12.14
Nurul Atiqah Abu Talib; Doh, Kyung-Goo. Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis. Journal of Software Assessment and Valuation, 17(2), 125-142. doi: 10.29056/jsav.2021.12.14
Nurul Atiqah Abu Talib; Doh, Kyung-Goo. Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis. Journal of Software Assessment and Valuation. 2021; 17(2) 125-142. doi: 10.29056/jsav.2021.12.14
Nurul Atiqah Abu Talib, Doh, Kyung-Goo. Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis. 2021; 17(2), 125-142. Available from: doi:10.29056/jsav.2021.12.14
Nurul Atiqah Abu Talib and Doh, Kyung-Goo. "Static Analysis Tools Against Cross-site Scripting Vulnerabilities in Web Applications : An Analysis" Journal of Software Assessment and Valuation 17, no.2 (2021) : 125-142.doi: 10.29056/jsav.2021.12.14