The generation of XSS attacks developing in the detect detection
In recent years, the web security events emerge in endlessly, web security has been widely concerned. Cross-site scripting (XSS) attack is one of the most foremost threats which using malicious scripts injected into Web applications and executing the scripts in the client browsers. Moreover, attacker could also combine other means of attack with XSS vulnerabilities to do further attacks, which would lead to disclosure of user privacy and even property damage. Common detect detection methods include black-box testing and white-box testing. Black-box testing scans faster while it can not locate the specific codes which cause the vulnerabilities. White-box audit tools can locate the specific codes while it spends lots of time to analyze all codes. We propose a novel approach to locate the vulnerabilities which combines Fuzzing test and dynamic taint analysis, and design system prototype, then verification and testing.
Unable to display preview. Download preview PDF.
- 1.Mariani L, Pezze M, Riganelli O, et al. Autoblacktest: Automatic black-box testing of interactive applications[C]//Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on. IEEE, 2012: 81-90Google Scholar
- 2.Ganesh V, Leek T, Rinard M. Taint-based directed whitebox fuzzing[C]//Proceedings of the 31st International Conference on Software Engineering. IEEE Computer Society, 2009: 474-484Google Scholar
- 3.Pai G J. A survey of software reliability models[J]. arXiv preprint arXiv:1304.4539, 2013
- 4.Emmi M, Majumdar R, Sen K. Dynamic test input generation for database applications[C]//Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 2007: 151-162Google Scholar
- 5.Fan J, Gao P, Shi C C, et al. Research on combine White-box testing and Black-box testing of Web Applications security[C]//Advanced Materials Research. Trans Tech Publications, 2014, 989: 4542-4546Google Scholar
- 6.Duchene F, Groz R, Rawat S, et al. XSS vulnerability detection using model inference assisted evolutionary fuzzing[C]//SECTEST 2012-3rd International Workshop on Security Testing (affiliated with ICST). IEEE Computer Society, 2012: 815-817Google Scholar
- 7.Martin M, Lam M S. Automatic generation of XSS and SQL injection attacks with goal-directed model checking[C]//Proceedings of the 17th conference on Security symposium. USENIX Association, 2008: 31-43Google Scholar
- 8.Wassermann G, Su Z. Static detection of cross-site scripting vulnerabilities[C]//Software Engineering, 2008. ICSE’08. ACM/IEEE 30th International Conference on. IEEE, 2008: 171-180Google Scholar
- 9.Wassermann G, Yu D, Chander A, et al. Dynamic test input generation for web applications[C]//Proceedings of the 2008 international symposium on Software testing and analysis. ACM, 2008: 249-260Google Scholar
- 10.Hansen R. XSS (cross site scripting) cheat sheet esp: for filter evasion[J]. 2010-01-01]. http://ha. ckers. org/xss. html, 2010Google Scholar
- 11.An automatically detect XSS vulnerabilities in web-based applications named XSSer[EB/OL]. https://xsser.03c8.net/
- 12.Burp Suite Walkthrough[EB/OL]. http://resources.infosecinstitute.com/burp-suite-walkthrough/