Fighting Against XSS Attacks: A Usability Evaluation of OWASP ESAPI Output Encoding

by Chamila Wijayarathna, et al.

Cross-Site Scripting (XSS) is one of the most critical vulnerabilities that exist in web applications. XSS can be prevented by encoding untrusted data that is loaded into the browser content of web applications. Security Application Programming Interfaces (APIs) such as OWASP ESAPI provide output encoding functionality that programmers can use to protect their applications from XSS attacks. However, the fact that XSS is still ranked as one of the most critical vulnerabilities in web applications suggests that programmers are not using those APIs effectively to encode untrusted data. Therefore, we conducted an experimental study with 10 programmers in which they attempted to fix XSS vulnerabilities in a web application using the output encoding functionality of OWASP ESAPI. The results revealed 3 types of mistakes that programmers made, which resulted in them failing to remove the XSS vulnerabilities from the application. We also identified 16 usability issues of OWASP ESAPI, and identified some of these usability issues as the reason for the mistakes that programmers made. Based on these results, we provide suggestions on how the usability of output encoding APIs should be improved to give programmers a better experience.

