Cross-Site Scripting (XSS) is the most prevalent web application vulnerability; it occurs when a web application performs insufficient input validation or output sanitization. Adversaries can use XSS to deliver a malicious script that leads to session hijacking, credential theft, privilege escalation, and so on. Several approaches to detecting XSS attacks have been proposed and implemented. Although detecting an XSS vulnerability via static or dynamic analysis is fairly easy, doing so well remains nontrivial because most approaches suffer from three problems: (1) they are too slow to analyze large numbers of URLs, (2) they miss some cases (i.e., false negatives), and (3) they produce a non-negligible number of false positives. In this paper, we propose the hybrid XSS detection (HXD) system, a black-box XSS detection approach that uses both static string analysis and dynamic browser rendering. We extract URLs from web logs and refine them into proper input URLs, so HXD does not need to crawl or fuzz for URL inputs. HXD uses PhantomJS, a headless browser, to execute JavaScript and detect XSS flaws, so it can detect XSS vulnerabilities in JavaScript frameworks. The static analyzer of HXD uses a string-analysis-based approach to accelerate detection. We evaluate HXD using web logs of a major Korean internet portal (i.e., Naver). Our evaluation results demonstrate that HXD has low false positives and detects XSS flaws missed by other black-box detectors.
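The pipeline the abstract sketches (extract URLs from web logs, refine them to one URL per injection point, inject a harmless canary, and run a static string check over the response), as an added Python example that is not the paper's HXD code. The log lines, the `mock_server` stand-in for a live site and its escaping behaviour are all constructed for the example, and the dynamic PhantomJS rendering stage is left out; the static stage only reports where an unescaped reflection lands (text, attribute or script context), which is exactly the kind of finding a browser-rendering stage would then confirm or reject.

```python
"""Toy HXD-style black-box pipeline (added example, not the paper's code)."""
import html
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed Apache-combined-style log lines; not taken from the paper.
LOG_LINES = [
    '10.0.0.1 - - [01/Jan/2024:00:00:00 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2024:00:00:01 +0000] "GET /search?q=boots&page=1 HTTP/1.1" 200 498',
    '10.0.0.3 - - [01/Jan/2024:00:00:02 +0000] "GET /profile?name=alice HTTP/1.1" 200 300',
    '10.0.0.4 - - [01/Jan/2024:00:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Jan/2024:00:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')

# Harmless marker containing the three characters a correct HTML encoder must escape.
CANARY = 'hxd"<x>'


def extract_urls(lines):
    """Stage 1: pull GET targets out of the log; only URLs with a query string are candidates."""
    urls = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and "?" in m.group(1):
            urls.append(m.group(1))
    return urls


def refine_urls(urls):
    """Stage 2: keep one URL per (path, parameter-name set) so each injection point is tested once."""
    seen = {}
    for u in urls:
        parts = urlsplit(u)
        names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
        seen.setdefault((parts.path, names), u)
    return list(seen.values())


def inject(url, param):
    """Replace one parameter's value with the canary, re-encoding the query string."""
    parts = urlsplit(url)
    params = [(k, CANARY if k == param else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))


def mock_server(url):
    """Constructed stand-in for a live site: /search escapes its output, /profile does not."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":
        q = html.escape(params.get("q", ""), quote=True)
        page = html.escape(params.get("page", ""), quote=True)
        return f"<html><body><h1>Results for {q}</h1><p>page {page}</p></body></html>"
    if parts.path == "/profile":
        name = params.get("name", "")  # reflected raw: the defect the scanner should find
        return (f"<html><body><div id='u'>{name}</div>"
                f"<script>var user = '{name}';</script></body></html>")
    return "<html><body>not found</body></html>"


def static_check(body):
    """Stage 3 (static string analysis): every verbatim, unescaped reflection of the
    canary, with the rough HTML context it landed in."""
    findings = []
    start = 0
    while True:
        i = body.find(CANARY, start)
        if i < 0:
            return findings
        head = body[:i]
        if head.rfind("<script") > head.rfind("</script"):
            ctx = "script"
        elif head.rfind("<") > head.rfind(">"):
            ctx = "attribute"  # last tag opened but not yet closed
        else:
            ctx = "text"
        findings.append((i, ctx))
        start = i + len(CANARY)


def scan_logs(lines, fetch=mock_server):
    """Run the whole pipeline; returns {(path, parameter): [contexts]} for unescaped reflections."""
    report = {}
    for url in refine_urls(extract_urls(lines)):
        path = urlsplit(url).path
        for param, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            findings = static_check(fetch(inject(url, param)))
            if findings:
                report[(path, param)] = [ctx for _, ctx in findings]
    return report


if __name__ == "__main__":
    for (path, param), contexts in scan_logs(LOG_LINES).items():
        print(f"{path} param={param}: unescaped reflection in {contexts}")
```

Because the canary is plain text and the static stage only asks whether it came back unencoded, the run flags the `name` parameter of `/profile` (reflected into both body text and a script string) and stays silent on `/search`, whose encoder turns the canary into `hxd&quot;&lt;x&gt;`. Context classification is deliberately string-based, matching the abstract's point that a cheap static pass filters the bulk of URLs before the slower rendering stage decides whether the reflection is actually exploitable.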