





















Cross-site scripting (XSS) flaws are a class of security flaws that permit the injection of malicious code into a web application. In simple situations, these flaws can be caused by missing input sanitizations. Sometimes, however, all application inputs are sanitized, but the sanitizations are not appropriate for the browser contexts of the sanitized values. Using an incorrect sanitizer can make the application look protected, when it is in fact vulnerable as if no sanitization was used, creating a context-sensitive XSS flaw. To discover context-sensitive XSS flaws, we introduce DjangoChecker. DjangoChecker combines extended dynamic taint tracking with a model browser for context analysis. We demonstrate the practical application of DjangoChecker on eight mature web applications based on Django, discovering previously unknown flaws in seven of the eight applications, including highly severe flaws that allow arbitrary JavaScript execution in the seven flawed applications.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。