Abstract
In recent years, the web security events emerge in endlessly, web security has been widely concerned. Cross-site scripting (XSS) attack is one of the most foremost threats which using malicious scripts injected into Web applications and executing the scripts in the client browsers. Moreover, attacker could also combine other means of attack with XSS vulnerabilities to do further attacks, which would lead to disclosure of user privacy and even property damage. Common detect detection methods include black-box testing and white-box testing. Black-box testing scans faster while it can not locate the specific codes which cause the vulnerabilities. White-box audit tools can locate the specific codes while it spends lots of time to analyze all codes. We propose a novel approach to locate the vulnerabilities which combines Fuzzing test and dynamic taint analysis, and design system prototype, then verification and testing.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Mariani L, Pezze M, Riganelli O, et al. Autoblacktest: Automatic black-box testing of interactive applications[C]//Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on. IEEE, 2012: 81-90
Ganesh V, Leek T, Rinard M. Taint-based directed whitebox fuzzing[C]//Proceedings of the 31st International Conference on Software Engineering. IEEE Computer Society, 2009: 474-484
Pai G J. A survey of software reliability models[J]. arXiv preprint arXiv:1304.4539, 2013
Emmi M, Majumdar R, Sen K. Dynamic test input generation for database applications[C]//Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 2007: 151-162
Fan J, Gao P, Shi C C, et al. Research on combine White-box testing and Black-box testing of Web Applications security[C]//Advanced Materials Research. Trans Tech Publications, 2014, 989: 4542-4546
Duchene F, Groz R, Rawat S, et al. XSS vulnerability detection using model inference assisted evolutionary fuzzing[C]//SECTEST 2012-3rd International Workshop on Security Testing (affiliated with ICST). IEEE Computer Society, 2012: 815-817
Martin M, Lam M S. Automatic generation of XSS and SQL injection attacks with goal-directed model checking[C]//Proceedings of the 17th conference on Security symposium. USENIX Association, 2008: 31-43
Wassermann G, Su Z. Static detection of cross-site scripting vulnerabilities[C]//Software Engineering, 2008. ICSE’08. ACM/IEEE 30th International Conference on. IEEE, 2008: 171-180
Wassermann G, Yu D, Chander A, et al. Dynamic test input generation for web applications[C]//Proceedings of the 2008 international symposium on Software testing and analysis. ACM, 2008: 249-260
Hansen R. XSS (cross site scripting) cheat sheet esp: for filter evasion[J]. 2010-01-01]. http://ha. ckers. org/xss. html, 2010
An automatically detect XSS vulnerabilities in web-based applications named XSSer[EB/OL]. https://xsser.03c8.net/
Burp Suite Walkthrough[EB/OL]. http://resources.infosecinstitute.com/burp-suite-walkthrough/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Cui, B., Wei, Y., Shan, S., Ma, J. (2017). The generation of XSS attacks developing in the detect detection. In: Barolli, L., Xhafa, F., Yim, K. (eds) Advances on Broad-Band Wireless Computing, Communication and Applications. BWCCA 2016. Lecture Notes on Data Engineering and Communications Technologies, vol 2. Springer, Cham. https://doi.org/10.1007/978-3-319-49106-6_33
Download citation
DOI: https://doi.org/10.1007/978-3-319-49106-6_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49105-9
Online ISBN: 978-3-319-49106-6
eBook Packages: EngineeringEngineering (R0)