Secure Code Generation for Web Applications

Published September 6, 2016, 18:10
A large percentage of recent security problems, such as Cross-site Scripting or SQL injection, is caused by string-based code injection vulnerabilities. Most of these vulnerabilities exist because of implicit code creation through string serialization. Based on an analysis of the vulnerability class' underlying mechanisms, we propose a general approach to outfit modern programming languages with mandatory means for explicit and secure code generation which provide strict separation between data and code. Using an exemplified implementation for the languages Java and HTML/JavaScript respectively, we show how our approach can be realized and enforced.
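The contrast the abstract draws, implicit code creation through string serialization versus explicit generation with data kept apart from code, can be seen in a small JavaScript sketch. This is an added illustration, not the implementation presented in the talk; the names `greetImplicit`, `greetExplicit`, `el`, `text` and `serialize`, the allow-lists and the sample input are assumptions made for the example.

```javascript
// Added illustration; every name here is hypothetical, not the paper's API.

// Implicit code creation: data is spliced into a string that the browser
// later parses as HTML, so markup carried in `name` becomes code.
function greetImplicit(name) {
  return '<p class="greet">Hello, ' + name + '</p>';
}

// Explicit code generation: markup can only be built from typed nodes.
const ELEMENT = Symbol('element');
const TEXT = Symbol('text');
const ALLOWED_TAGS = new Set(['p', 'b', 'span']);
const ALLOWED_ATTRS = new Set(['class', 'title']);

// Data enters the tree only through text(), which marks it as non-code.
const text = (value) => ({ kind: TEXT, value: String(value) });

function el(tag, attrs, children) {
  if (!ALLOWED_TAGS.has(tag)) throw new Error('tag not allowed: ' + tag);
  for (const a of Object.keys(attrs)) {
    if (!ALLOWED_ATTRS.has(a)) throw new Error('attribute not allowed: ' + a);
  }
  for (const c of children) {
    // A raw string child is rejected: there is no implicit string-to-code path.
    if (!c || (c.kind !== ELEMENT && c.kind !== TEXT)) {
      throw new TypeError('child must be a node built with el() or text()');
    }
  }
  return { kind: ELEMENT, tag, attrs, children };
}

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (ch) => '&#' + ch.charCodeAt(0) + ';');

// Serialization is the single place where nodes become HTML text.
function serialize(node) {
  if (node.kind === TEXT) return escapeHtml(node.value);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ' ' + k + '="' + escapeHtml(String(v)) + '"').join('');
  const body = node.children.map(serialize).join('');
  return '<' + node.tag + attrs + '>' + body + '</' + node.tag + '>';
}

function greetExplicit(name) {
  return serialize(el('p', { class: 'greet' }, [text('Hello, '), text(name)]));
}

// Constructed sample input standing in for untrusted data.
const sample = '<script>alert(1)</script>';
console.log(greetImplicit(sample));
console.log(greetExplicit(sample));
```

With the builder, the only way for a value to reach the output is as a text node or an attribute value, both of which are encoded at serialization time.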