Capability of Security Scanners:
Type
Master's Thesis
Abstract
Cross-site scripting is one of the biggest threats to websites and their users, and with ever-evolving technologies it can be hard for developers and users to know whether they are vulnerable to cross-site scripting. In the last couple of years, server-side rendered frameworks have grown in popularity, though how vulnerable this technology is to cross-site scripting is not entirely clear. In this thesis, we evaluate how vulnerability scanners perform on different frameworks used in web development, and highlight their shortcomings along with the potential problems these pose. We found that Remix in particular does not have the support it needs from the current tools; since Remix uses server-side rendering, this lends credence to the speculation that it needs further focus. To mitigate this, we propose an extension that adds custom queries to CodeQL to address the shortcomings we identified.
Subject/keywords
CodeQL, Cross-Site Scripting, React, Remix, TypeScript, Vulnerability Scanning, Web-Development.
