XSS PEEKER: Dissecting the XSS Exploitation Techniques and Fuzzing Mechanisms of Blackbox Web Application Scanners

Abstract : Black-box vulnerability scanners can miss a non-negligible portion of vulnerabilities. This is true even for cross-site scripting (XSS) vulnerabilities, which are relatively simple to spot. In this paper, we focus on this vulnerability class, and systematically explore 6 black-box scanners to uncover how they detect XSS vulnerabilities, and obtain useful insights to understand their limitations and design better detection methods. A novelty of our workflow is the retrofitting of the testbed so as to accommodate payloads that triggered no vulnerabilities in the initial set. This has the benefit of creating a systematic process to increase the number of test cases, which was not considered by previous testbed-driven approaches.
Type de document :
Communication dans un congrès
Jaap-Henk Hoepman; Stefan Katzenbeisser. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. IFIP Advances in Information and Communication Technology, AICT-471, pp.243-258, 2016, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-33630-5_17〉
Liste complète des métadonnées

Littérature citée [15 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01369557
Contributeur : Hal Ifip <>
Soumis le : mercredi 21 septembre 2016 - 10:56:42
Dernière modification le : mercredi 21 septembre 2016 - 11:20:34
Document(s) archivé(s) le : jeudi 22 décembre 2016 - 12:41:18

Fichier

 Accès restreint
Fichier visible le : 2019-01-01

Connectez-vous pour demander l'accès au fichier

Licence


Distributed under a Creative Commons Paternité 4.0 International License

Identifiants

Citation

Enrico Bazzoli, Claudio Criscione, Federico Maggi, Stefano Zanero. XSS PEEKER: Dissecting the XSS Exploitation Techniques and Fuzzing Mechanisms of Blackbox Web Application Scanners. Jaap-Henk Hoepman; Stefan Katzenbeisser. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. IFIP Advances in Information and Communication Technology, AICT-471, pp.243-258, 2016, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-319-33630-5_17〉. 〈hal-01369557〉

Partager

Métriques

Consultations de la notice

72