TY - CHAP A1 - Schuckert, Felix A1 - Hildner, Max A1 - Katt, Basel A1 - Langweg, Hanno T1 - Source Code Patterns of Buffer Overflow Vulnerabilities in Firefox T2 - Sicherheit 2018 : Sicherheit, Schutz und Zuverlässigkeit : Konferenzband der 9. Jahrestagung des Fachbereichs Sicherheit in der Gesellschaft für Informatik e. V. (GI) : 25. - 27. April 2018 in Konstanz N2 - We investigated 50 randomly selected buffer overflow vulnerabilities in Firefox. The source code of these vulnerabilities and the corresponding patches were manually reviewed and patterns were identified. Our main contribution are taxonomies of errors, sinks and fixes seen from a developer's point of view. The results are compared to the CWE taxonomy with an emphasis on vulnerability details. Additionally, some ideas are presented on how the taxonomy could be used to improve the software security education. Y1 - 2018 UR - https://dl.gi.de/bitstream/handle/20.500.12116/16298/sicherheit2018-08.pdf SN - 978-3-88579-675-6 U6 - http://dx.doi.org/10.18420/sicherheit2018_08 SP - 107 EP - 118 PB - Gesellschaft für Informatik e.V. CY - Bonn ER - TY - CHAP A1 - Schuckert, Felix A1 - Hildner, Max A1 - Katt, Basel A1 - Langweg, Hanno T1 - Source Code Patterns of Cross Site Scripting in PHP Open Source Projects T2 - Proceedings of the 11th Norwegian Information Security Conference (NISK 2018), Sep. 19-20, 2018, Longyearbyen, Svalbard, Norway (NISK Journal ; Vol. 11) N2 - To get a better understanding of Cross Site Scripting vulnerabilities, we investigated 50 randomly selected CVE reports which are related to open source projects. The vulnerable and patched source code was manually reviewed to find out what kind of source code patterns were used. Source code pattern categories were found for sources, concatenations, sinks, html context and fixes. Our resulting categories are compared to categories from CWE. A source code sample which might have led developers to believe that the data was already sanitized is described in detail. For the different html context categories, the necessary Cross Site Scripting prevention mechanisms are described. Y1 - 2018 UR - http://ojs.bibsys.no/index.php/NISK/article/view/576/492 SN - 1893-6563 SN - 1894-7735 ER -