Advertisement

The generation of XSS attacks developing in the detect detection

  • Baojiang Cui
  • Yang WeiEmail author
  • Songling Shan
  • Jinxin Ma
Conference paper
Part of the Lecture Notes on Data Engineering and Communications Technologies book series (LNDECT, volume 2)

Abstract

In recent years, the web security events emerge in endlessly, web security has been widely concerned. Cross-site scripting (XSS) attack is one of the most foremost threats which using malicious scripts injected into Web applications and executing the scripts in the client browsers. Moreover, attacker could also combine other means of attack with XSS vulnerabilities to do further attacks, which would lead to disclosure of user privacy and even property damage. Common detect detection methods include black-box testing and white-box testing. Black-box testing scans faster while it can not locate the specific codes which cause the vulnerabilities. White-box audit tools can locate the specific codes while it spends lots of time to analyze all codes. We propose a novel approach to locate the vulnerabilities which combines Fuzzing test and dynamic taint analysis, and design system prototype, then verification and testing.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Mariani L, Pezze M, Riganelli O, et al. Autoblacktest: Automatic black-box testing of interactive applications[C]//Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on. IEEE, 2012: 81-90Google Scholar
  2. 2.
    Ganesh V, Leek T, Rinard M. Taint-based directed whitebox fuzzing[C]//Proceedings of the 31st International Conference on Software Engineering. IEEE Computer Society, 2009: 474-484Google Scholar
  3. 3.
    Pai G J. A survey of software reliability models[J]. arXiv preprint arXiv:1304.4539, 2013
  4. 4.
    Emmi M, Majumdar R, Sen K. Dynamic test input generation for database applications[C]//Proceedings of the 2007 international symposium on Software testing and analysis. ACM, 2007: 151-162Google Scholar
  5. 5.
    Fan J, Gao P, Shi C C, et al. Research on combine White-box testing and Black-box testing of Web Applications security[C]//Advanced Materials Research. Trans Tech Publications, 2014, 989: 4542-4546Google Scholar
  6. 6.
    Duchene F, Groz R, Rawat S, et al. XSS vulnerability detection using model inference assisted evolutionary fuzzing[C]//SECTEST 2012-3rd International Workshop on Security Testing (affiliated with ICST). IEEE Computer Society, 2012: 815-817Google Scholar
  7. 7.
    Martin M, Lam M S. Automatic generation of XSS and SQL injection attacks with goal-directed model checking[C]//Proceedings of the 17th conference on Security symposium. USENIX Association, 2008: 31-43Google Scholar
  8. 8.
    Wassermann G, Su Z. Static detection of cross-site scripting vulnerabilities[C]//Software Engineering, 2008. ICSE’08. ACM/IEEE 30th International Conference on. IEEE, 2008: 171-180Google Scholar
  9. 9.
    Wassermann G, Yu D, Chander A, et al. Dynamic test input generation for web applications[C]//Proceedings of the 2008 international symposium on Software testing and analysis. ACM, 2008: 249-260Google Scholar
  10. 10.
    Hansen R. XSS (cross site scripting) cheat sheet esp: for filter evasion[J]. 2010-01-01]. http://ha. ckers. org/xss. html, 2010Google Scholar
  11. 11.
    An automatically detect XSS vulnerabilities in web-based applications named XSSer[EB/OL]. https://xsser.03c8.net/
  12. 12.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Baojiang Cui
    • 1
    • 2
  • Yang Wei
    • 1
    • 2
    Email author
  • Songling Shan
    • 3
  • Jinxin Ma
    • 4
  1. 1.School of Computer ScienceBeijing University of Posts and TelecommunicationsBeijingChina
  2. 2.National Engineering Laboratory for Mobile Network SecurityBeijingChina
  3. 3.China Electric Power Research InstituteBeijingChina
  4. 4.China Information Technology Security Evaluation CenterBeijingChina

Personalised recommendations