{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,7]],"date-time":"2025-11-07T09:51:30Z","timestamp":1762509090377,"version":"build-2065373602"},"reference-count":37,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2024,1,12]],"date-time":"2024-01-12T00:00:00Z","timestamp":1705017600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Software"],"abstract":"<jats:p>Internet-based distributed systems dominate contemporary software applications. To enable these applications to operate securely, software developers must mitigate the threats posed by malicious actors. For instance, the developers must identify vulnerabilities in the software and eliminate them. However, to do so manually is a costly and time-consuming process. To reduce these costs, we designed and implemented Code Auto-Remediation for Enhanced Security (CARES), a web application that automatically identifies and remediates the two most common types of vulnerabilities in Java-based web applications: SQL injection (SQLi) and Cross-Site Scripting (XSS). As is shown by a case study presented in this paper, CARES mitigates these vulnerabilities by refactoring the Java code using the Intercepting Filter design pattern. The flexible, microservice-based CARES design can be readily extended to support other injection vulnerabilities, remediation design patterns, and programming languages.<\/jats:p>","DOI":"10.3390\/software3010002","type":"journal-article","created":{"date-parts":[[2024,1,12]],"date-time":"2024-01-12T09:24:11Z","timestamp":1705051451000},"page":"28-46","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Automating SQL Injection and Cross-Site Scripting Vulnerability Remediation in Code"],"prefix":"10.3390","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-5779-1221","authenticated-orcid":false,"given":"Kedar","family":"Sambhus","sequence":"first","affiliation":[{"name":"Department of Computer and Information Science, University of Massachusetts Dartmouth, 285 Old Westport Road, Dartmouth, MA 02747, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1571-5442","authenticated-orcid":false,"given":"Yi","family":"Liu","sequence":"additional","affiliation":[{"name":"Department of Computer and Information Science, University of Massachusetts Dartmouth, 285 Old Westport Road, Dartmouth, MA 02747, USA"}]}],"member":"1968","published-online":{"date-parts":[[2024,1,12]]},"reference":[{"key":"ref_1","unstructured":"Edgescan (2024, January 01). 2023 Vulnerability Statistics Report. Available online: https:\/\/www.edgescan.com\/intel-hub\/stats-report\/."},{"key":"ref_2","unstructured":"Veracode (2024, January 01). State of Software Security 2023: Annual Report on the State of Application Security. Available online: https:\/\/www.veracode.com\/state-of-software-security-report."},{"key":"ref_3","unstructured":"Edgescan (2024, January 01). 2021 Vulnerability Statistic Report Press Release. Available online: https:\/\/www.edgescan.com\/2020-vulnerability-statistic-report-press-release\/."},{"key":"ref_4","unstructured":"O\u2019Driscoll, A. (2024, January 01). 25+ Cyber Security Vulnerability Statistics and Facts of 2023. Available online: https:\/\/www.comparitech.com\/blog\/information-security\/cybersecurity-vulnerability-statistics\/."},{"key":"ref_5","unstructured":"(2024, January 01). Vulnerability Scanning Tools. Available online: https:\/\/owasp.org\/www-community\/Vulnerability_Scanning_Tools."},{"key":"ref_6","unstructured":"Wapiti (2024, January 01). The Web-Application Vulnerability Scanner. Available online: https:\/\/wapiti-scanner.github.io\/."},{"key":"ref_7","unstructured":"Higgins, J.K. (2024, January 01). The Cost of Fixing an Application Vulnerability. Available online: https:\/\/www.darkreading.com\/risk\/the-cost-of-fixing-an-application-vulnerability\/d\/d-id\/113104."},{"key":"ref_8","unstructured":"Ross, A. (2024, January 01). Why Fixing Security Vulnerabilities Is Not That Simple. Available online: https:\/\/securityintelligence.com\/posts\/why-fixing-security-vulnerabilities-is-not-that-simple\/."},{"key":"ref_9","unstructured":"CWE-89: Improper Neutralization of Special Elements Used in an SQL Command (\u2018SQL Injection\u2019) (2024, January 01). Common Weakness Enumeration. Available online: https:\/\/cwe.mitre.org\/data\/definitions\/89.html."},{"key":"ref_10","unstructured":"Mathis, B. (2024, January 01). The \u201cUnified Platform\u201d That Delivers All-in-One EHR\/PHR\/HIE. Available online: https:\/\/www.openhealthnews.com\/articles\/2014\/tolven-%E2%80%9Cunified-platform%E2%80%9D-delivers-all-one-ehrphrhie."},{"key":"ref_11","unstructured":"Janot, E., and Zavarsky, P. (2008, January 19\u201322). Preventing SQL injections in online applications: Study, recommendations and Java solution prototype based on the SQL DOM. Proceedings of the OWASP Application Security Conference, Ghent, Belgium."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Wei, K., Muthuprasanna, M., and Kothari, S. (2006, January 18\u201321). Preventing SQL Injection Attacks in Stored Procedures. Proceedings of the Australian Software Engineering Conference (ASWEC\u201906), Sydney, Australia.","DOI":"10.1109\/ASWEC.2006.40"},{"key":"ref_13","unstructured":"CWE-79: Improper Neutralization of Input During Web Page Generation (\u2018Cross-Site Scripting\u2019). Common Weakness Enumeration (2024, January 01). Available online: https:\/\/cwe.mitre.org\/data\/definitions\/79.html."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"182004","DOI":"10.1109\/ACCESS.2019.2960449","article-title":"A Survey of Exploitation and Detection Methods of XSS Vulnerabilities","volume":"7","author":"Liu","year":"2019","journal-title":"IEEE Access"},{"key":"ref_15","unstructured":"Franken, G., Van Goethem, T., Desmet, L., and Joosen, W. (2023, January 9\u201311). A Bug\u2019s Life: Analyzing the Lifecycle and Mitigation Process of Content Security Policy Bugs. Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA, USA."},{"key":"ref_16","unstructured":"Chen, J., Jiang, J., Duan, H., Wan, T., Chen, S., Paxson, V., and Yang, M. (2018, January 15\u201317). We still Don\u2019t have secure Cross-Domain requests: An empirical study of CORS. Proceedings of the 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD, USA."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Khodayari, S., and Pellegrino, G. (2022, January 22\u201326). The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. Proceedings of the 2022 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP46214.2022.9833637"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Dougherty, C., Sayre, K., Seacord, R.C., Svoboda, D., and Togashi, K. (2009). Secure Design Patterns, Software Engineering Institute, Carnegie-Mellon University.","DOI":"10.21236\/ADA501670"},{"key":"ref_19","unstructured":"Fernandez, E.B. (2013). Security Patterns in Practice: Designing Secure Architectures Using Software Patterns, John Wiley & Sons."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Ratnaparkhi, A., Ezenwoye, O., and Liu, Y. (2021, January 1\u201310). From Vulnerability Anti-Patterns to Secure Design Patterns. Proceedings of the International Conference on Software Engineering and Knowledge Engineering, Pittsburgh, PA, USA.","DOI":"10.18293\/SEKE2021-179"},{"key":"ref_21","unstructured":"Alur, D., Crupi, J., and Malks, D. (2003). Core J2EE Patterns: Best Practices and Design Strategies, Gulf Professional Publishing."},{"key":"ref_22","unstructured":"Fowler, M. (2024, January 01). Microservices: A Definition of This New Architectural Term. Available online: https:\/\/martinfowler.com\/articles\/microservices.html."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Cern\u00fd, T., Donahoo, M.J., and Pechanec, J. (2017, January 20\u201323). Disambiguation and Comparison of SOA, Microservices and Self-Contained Systems. Proceedings of the International Conference on Research in Adaptive and Convergent Systems, Krakow, Poland.","DOI":"10.1145\/3129676.3129682"},{"key":"ref_24","unstructured":"Google (2024, January 01). Introduction to gRPC. Available online: https:\/\/grpc.io\/docs\/what-is-grpc\/introduction\/."},{"key":"ref_25","unstructured":"Fernando, R. (2024, January 01). Evaluating Performance of REST vs. gRPC. Available online: https:\/\/medium.com\/@EmperorRXF\/evaluating-performance-of-rest-vs-grpc-1b8bdf0b22da."},{"key":"ref_26","unstructured":"Barnea, B., and Harpaz, O. (2024, January 01). Critical Remote Code Execution Vulnerabilities in Windows RPC Runtime. Available online: https:\/\/www.akamai.com\/blog\/security\/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime."},{"key":"ref_27","unstructured":"(2024, January 01). Barracuda. Available online: https:\/\/www.barracuda.com\/."},{"key":"ref_28","unstructured":"(2024, January 01). Barracuda Automates Web Application Vulnerability Remediation and Security Policy Enforcement. Available online: https:\/\/solutionsreview.com\/backup-disaster-recovery\/barracuda-automates-web-application-vulnerability-remediation-and-security-policy-enforcement\/."},{"key":"ref_29","unstructured":"(2024, January 01). Software Assurance, Available online: https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/infosheet_SoftwareAssurance.pdf."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Courant, J. (2020, January 1\u20133). Developer-Proof Prevention of SQL Injections. Proceedings of the International Symposium on Foundations and Practice of Security, Montreal, QC, Canada.","DOI":"10.1007\/978-3-030-70881-8_6"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Ratnaparkhi, A., and Liu, Y. (2021, January 14\u201315). Towards Tackling Common Web Application Vulnerabilities Using Secure Design Patterns. Proceedings of the IEEE International Conference on Electro Information Technology, Mt. Pleasant, MI, USA.","DOI":"10.1109\/EIT51626.2021.9491919"},{"key":"ref_32","unstructured":"(2024, January 01). Spring Boot. Available online: https:\/\/spring.io\/projects\/spring-boot."},{"key":"ref_33","unstructured":"Eclipse Foundation (2024, January 01). JGit: Java Implementation of Git. Available online: https:\/\/www.eclipse.org\/jgit\/."},{"key":"ref_34","unstructured":"Gamma, E., Helm, R., Johnson, R., and Vlissides, J. (1994). Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley Professional."},{"key":"ref_35","unstructured":"KirstenS (2024, January 01). Cross Site Scripting (XSS). Available online: https:\/\/owasp.org\/www-community\/attacks\/xss\/."},{"key":"ref_36","unstructured":"Tolven (2024, January 01). Tolven Health Record. Available online: https:\/\/sourceforge.net\/projects\/tolven\/."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"198","DOI":"10.1016\/j.procs.2016.05.211","article-title":"CSSXC: Context-sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments","volume":"85","author":"Gupta","year":"2016","journal-title":"Procedia Comput. Sci."}],"container-title":["Software"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2674-113X\/3\/1\/2\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T13:45:36Z","timestamp":1760103936000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2674-113X\/3\/1\/2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,1,12]]},"references-count":37,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,3]]}},"alternative-id":["software3010002"],"URL":"https:\/\/doi.org\/10.3390\/software3010002","relation":{},"ISSN":["2674-113X"],"issn-type":[{"type":"electronic","value":"2674-113X"}],"subject":[],"published":{"date-parts":[[2024,1,12]]}}}
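The abstract above says CARES remediates SQLi and XSS in Java web applications by refactoring them to the Intercepting Filter pattern (Core J2EE Patterns, ref_21). The following is an added illustration of that pattern, written for this page; it is not the CARES project's code and does not reproduce what CARES generates. It assumes the jakarta.servlet API (Servlet 5+, as shipped with Spring Boot 3) and Java 17; the class names, the parameter names in NUMERIC_PARAMS and the package are hypothetical. The filter sits in front of every servlet: it rejects requests whose integer-key parameters are not purely numeric (so they can never alter a SQL statement built from them) and wraps the request so every parameter accessor returns an HTML-encoded value (so a value echoed into a page cannot open or close a tag).

```java
// Added example, not the CARES project's code. Assumes jakarta.servlet (Servlet 5+) and Java 17.
package example.filters; // hypothetical package

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Intercepting Filter: validates and neutralizes request parameters before any servlet sees them. */
@WebFilter("/*")
public class InputNeutralizingFilter implements Filter {

    /** Parameters the application only ever uses as integer keys in SQL (hypothetical names). */
    private static final Set<String> NUMERIC_PARAMS = Set.of("id", "patientId");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest http) || !(res instanceof HttpServletResponse httpRes)) {
            chain.doFilter(req, res); // not HTTP: nothing to neutralize
            return;
        }
        // Allow-list validation: an integer key that is not all digits is rejected outright,
        // so "1 OR 1=1" or "1; DROP TABLE ..." never reaches a statement built from it.
        for (String name : NUMERIC_PARAMS) {
            String[] values = http.getParameterValues(name);
            if (values != null && !Arrays.stream(values).allMatch(v -> v.matches("\\d{1,18}"))) {
                httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid value for " + name);
                return;
            }
        }
        // Everything else is passed through HTML-encoded, so reflected output cannot inject markup.
        chain.doFilter(new NeutralizedRequest(http), res);
    }

    /** Encodes the five HTML metacharacters; all other characters pass through unchanged. */
    static String encodeHtml(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<' -> out.append("&lt;");
                case '>' -> out.append("&gt;");
                case '&' -> out.append("&amp;");
                case '"' -> out.append("&quot;");
                case '\'' -> out.append("&#x27;");
                default -> out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Request wrapper that returns encoded parameter values. All three accessors are
     * overridden so code that reads getParameterMap() gets the same treatment as
     * code that reads getParameter().
     */
    static final class NeutralizedRequest extends HttpServletRequestWrapper {
        NeutralizedRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return encodeHtml(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            return raw == null ? null
                    : Arrays.stream(raw).map(InputNeutralizingFilter::encodeHtml).toArray(String[]::new);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new HashMap<>();
            super.getParameterMap().forEach((k, v) -> out.put(k, getParameterValues(k)));
            return out;
        }
    }
}
```

Two caveats a reviewer would raise before accepting this as a remediation. Boundary encoding is coarse: a value that is stored and later rendered inside a JavaScript string or an attribute still needs context-specific encoding at the render site, and a value stored after this filter will be double-encoded if the view encodes it again. And the allow-list only covers parameters whose type is known; for free-text parameters that reach SQL, the durable fix remains a PreparedStatement with bound parameters, which the filter cannot supply on the application's behalf.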