Conference papers

XSS PEEKER: Dissecting the XSS Exploitation Techniques and Fuzzing Mechanisms of Blackbox Web Application Scanners

Abstract : Black-box vulnerability scanners can miss a non-negligible portion of vulnerabilities. This is true even for cross-site scripting (XSS) vulnerabilities, which are relatively simple to spot. In this paper, we focus on this vulnerability class, and systematically explore 6 black-box scanners to uncover how they detect XSS vulnerabilities, and obtain useful insights to understand their limitations and design better detection methods. A novelty of our workflow is the retrofitting of the testbed so as to accommodate payloads that triggered no vulnerabilities in the initial set. This has the benefit of creating a systematic process to increase the number of test cases, which was not considered by previous testbed-driven approaches.
Cited literature [15 references]

https://hal.inria.fr/hal-01369557
Contributor : Hal Ifip
Submitted on : Wednesday, September 21, 2016 - 10:56:42 AM
Last modification on : Tuesday, August 13, 2019 - 11:10:03 AM
Document(s) archived on : Thursday, December 22, 2016 - 12:41:18 PM

File

421518_1_En_17_Chapter.pdf
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Enrico Bazzoli, Claudio Criscione, Federico Maggi, Stefano Zanero. XSS PEEKER: Dissecting the XSS Exploitation Techniques and Fuzzing Mechanisms of Blackbox Web Application Scanners. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. pp.243-258, ⟨10.1007/978-3-319-33630-5_17⟩. ⟨hal-01369557⟩

Metrics

Record views

155

Files downloads

315