论文信息 - A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability

A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability

Cross-site scripting (XSS) attacks target Web sites with cookie-based session management, resulting in the leakage of privacy information. Although several server-side countermeasures for XSS attacks do exist, such techniques have not been applied in a universal manner, because of their deployment overhead and the poor understanding of XSS problems. This paper proposes a client-side system that automatically detects XSS vulnerability by manipulating either request or server response. The system also shares the indication of vulnerability via a central repository. The purpose of the proposed system is twofold: to protect users from XSS attacks, and to warn the Web servers with XSS vulnerabilities.

[1] Shih-Kun Huang,et al. Web application security assessment by fault injection and behavior monitoring , 2003, WWW '03.

[2] Richard Sharp,et al. Abstracting application-level web security , 2002, WWW.

[3] Yao-Wen Huang,et al. WebApplication Assessment by Fault Injection and Behavior Monitoring , 2003, WWW 2003.

[4] Ravi S. Sandhu,et al. Secure Cookies on the Web , 2000, IEEE Internet Comput..

[5] Wael Hassan,et al. Security Technologies for the World Wide Web , 2000 .