Abstract
We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects, each in both a vulnerable and a fixed version, for XSS vulnerabilities reported with CVE IDs over a period of seven years. We used three commercial and two open source static code analysis tools. Based on the reported vulnerabilities, we identified code patterns that appear to be difficult for static analysis to classify. The results show that code analysis tools are helpful, but still have problems with specific source code patterns. These patterns should be a focus in training for developers.
© 2020 Springer Nature Switzerland AG
Cite this paper
Schuckert, F., Katt, B., Langweg, H. (2020). Difficult XSS Code Patterns for Static Code Analysis Tools. In: Fournaris, A., et al. (eds.) Computer Security. IOSEC/MSTEC/FINSEC 2019. Lecture Notes in Computer Science, vol. 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_9
DOI: https://doi.org/10.1007/978-3-030-42051-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42050-5
Online ISBN: 978-3-030-42051-2
eBook Packages: Computer Science (R0)