My thesis on “Eliminating SQL Injection and Cross Site Scripting Using Aspect Oriented Programming” (I know, it’s a mouthful) has been approved for publishing!
If anyone wants to discuss it, feel free to contact me. I’d love to hear your ideas.
I hope to further develop it to mitigate some of the other items in the OWASP top 10 in the near future and port it out to a few other programming languages besides Java.
Cross-Site Scripting (XSS) and SQL injection are two of the most common vulnerabilities found in applications. According to a study done by the Web Application Security Consortium (WASC) on 12,186 web applications, the percentage of sites with these vulnerabilities is 38 and 13 percent, respectively. The fundamental reason these vulnerabilities exist in web applications is critical design flaws which lead to security issues across entire projects. It is typical in the case of web applications that developers continue to write insecure code and only fix these issues when they are noticed or become a problem. Using Aspect Oriented Programming (AOP), modules can be created to address these security vulnerabilities across an entire application without modifying existing source code. This paper will explain in detail how the use of AOP, and AspectJ in particular, can be leveraged to create a tool for eliminating these two major security vulnerabilities in open source Java web applications. A tool that successfully eliminates these vulnerabilities would lead to a significant improvement in web application security by uncovering fundamental design flaws, providing sanity checks for programmers and architects, and making applications compliant with the PCI DSS standard with respect to XSS and SQL injection.
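To show the cross-cutting idea concretely, here is an added illustration (not code from the thesis or its tool) of an AspectJ aspect that records request parameter values as untrusted and checks them at the two sinks the abstract names, dynamic SQL execution and HTML output, without touching the application's own servlets. It assumes AspectJ annotation-style aspects woven into the application, one thread per request, and a simple substring taint check, which is only an approximation of what a real implementation would need.

```java
import java.sql.Statement;
import java.util.HashSet;
import java.util.Set;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.*;

/** Hypothetical guard aspect: taints request input, then checks SQL and HTML sinks. */
@Aspect
public class InjectionGuardAspect {
    // Untrusted values seen during the current request (assumes one thread per request).
    private static final ThreadLocal<Set<String>> TAINTED =
            ThreadLocal.withInitial(HashSet::new);

    // Reset at the start of each servlet handler so pooled threads do not leak taint.
    @Before("execution(* javax.servlet.http.HttpServlet+.do*(..))")
    public void resetTaint() { TAINTED.get().clear(); }

    // Source: every value read from the request is recorded as untrusted.
    @AfterReturning(pointcut = "call(String javax.servlet.ServletRequest+.getParameter(String))",
                    returning = "value")
    public void recordInput(String value) {
        if (value != null && !value.isEmpty()) TAINTED.get().add(value);
    }

    // SQL sink: a raw Statement (not PreparedStatement) whose query embeds untrusted input.
    @Around("call(* java.sql.Statement.execute*(String, ..)) && args(sql, ..)")
    public Object guardSql(ProceedingJoinPoint pjp, String sql) throws Throwable {
        for (String t : TAINTED.get()) {
            if (sql.contains(t)) {
                throw new SecurityException("Untrusted input embedded in SQL at "
                        + pjp.getSourceLocation() + "; bind it as a PreparedStatement parameter");
            }
        }
        return pjp.proceed();
    }

    // HTML sink: HTML-encode tainted values before they reach the response writer.
    @Around("call(* java.io.PrintWriter.print*(String)) && args(text)"
            + " && within(javax.servlet.http.HttpServlet+)")
    public Object guardHtml(ProceedingJoinPoint pjp, String text) throws Throwable {
        String safe = text;
        for (String t : TAINTED.get()) {
            if (safe.contains(t)) safe = safe.replace(t, htmlEncode(t));
        }
        return pjp.proceed(new Object[]{safe});
    }

    static String htmlEncode(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

The SQL advice fails closed (it throws rather than trying to sanitize), which also makes each offending call site visible at its source location, matching the abstract's point about uncovering design flaws rather than patching them one by one.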