XSS Vulnerability Detection Using Optimized Attack Vector Repertory

To detect Cross-Site Scripting (XSS) vulnerabilities in web applications, this paper proposes a detection method based on an optimized attack vector repertory. The method generates an attack vector repertory automatically, optimizes it using an optimization model, and dynamically detects XSS vulnerabilities in web applications. The optimization model is built with a machine learning algorithm; it reduces the size of the attack vector repertory and improves the efficiency of XSS vulnerability detection. Based on this method, an XSS vulnerability detector is implemented and tested on 50 real-world websites. The test results show that the detector effectively detects a total of 848 XSS vulnerabilities in 24 websites.
