A multi-agent scanner to detect stored-XSS vulnerabilities

The cross-site scripting (XSS) has become a common vulnerability of many web sites and web applications. XSS consists in the exploitation of input validation flaws, with the purpose of injecting arbitrary script code which is later executed at the web browser of the victim. One interesting possibility to prevent this type of vulnerability is the use of vulnerability scanners. However, current scanners are capable of detecting just one of the two main modalities of XSS attacks. This paper introduces a novel multi-agent system for the automated scanning of web sites to detect the presence of XSS vulnerabilities exploitable by an stored-XSS attack. The rate of detection of the system is evaluated in two different scenarios.

[1]  Koichi Takeda,et al.  Information retrieval on the web , 2000, CSUR.

[2]  Joachim Posegga,et al.  XSSDS: Server-Side Detection of Cross-Site Scripting Attacks , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[3]  Christopher Krügel,et al.  Noxes: a client-side solution for mitigating cross-site scripting attacks , 2006, SAC '06.

[4]  Christopher Krügel,et al.  Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[5]  Christopher Krügel,et al.  Anomaly detection of web-based attacks , 2003, CCS '03.

[6]  Christopher Krügel,et al.  SWAP: Mitigating XSS attacks using a reverse proxy , 2009, 2009 ICSE Workshop on Software Engineering for Secure Systems.

[7]  Zhendong Su,et al.  Static detection of cross-site scripting vulnerabilities , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[8]  D. T. Lee,et al.  Securing web application code by static analysis and runtime protection , 2004, WWW '04.

[9]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[10]  Christopher Krügel,et al.  SecuBat: a web vulnerability scanner , 2006, WWW '06.

[11]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[12]  Julie-Marie Foss,et al.  Web Application Security , 2005 .