A Combinatorial Approach to Analyzing Cross-Site Scripting (XSS) Vulnerabilities in Web Application Security Testing

Abstract : Web applications typically employ sanitization functions to sanitize user inputs, independently whether this input is assumed to be legitimate, invalid or malicious. When such functions do not work correctly, a web application immediately becomes vulnerable to security attacks such as XSS. In this paper, we report a combinatorial approach to analyze XSS vulnerabilities in web applications. Our approach first performs combinatorial testing where a set of test vectors is executed against a subject application. If one or more XSS vulnerabilities are triggered during testing, we analyze the structure of each test vector to identify XSS-inducing combinations of its parameter model. If an attack vector contains an XSS-inducing combination, then the execution of this vector will successfully exploit an XSS vulnerability. Identification of XSS-inducing combinations provides insights about which kinds of user input might still be leverageable for XSS attacks and how to correct the function to provide better security guarantees. We conducted an experiment in which our approach was applied to four sanitization functions from the Web Application Vulnerability Scanner Evaluation Project (WAVSEP). The experimental results show that our approach can effectively identify XSS-inducing combinations for these sanitization functions.
Type de document :
Communication dans un congrès
Franz Wotawa; Mihai Nica; Natalia Kushik. 28th IFIP International Conference on Testing Software and Systems (ICTSS), Oct 2016, Graz, Austria. Springer International Publishing, Lecture Notes in Computer Science, LNCS-9976, pp.70-85, 2016, Testing Software and Systems. 〈10.1007/978-3-319-47443-4_5〉
Liste complète des métadonnées

Littérature citée [23 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01643723
Contributeur : Hal Ifip <>
Soumis le : mardi 21 novembre 2017 - 15:53:14
Dernière modification le : mardi 21 novembre 2017 - 15:55:57

Fichier

 Accès restreint
Fichier visible le : 2019-01-01

Connectez-vous pour demander l'accès au fichier

Licence


Distributed under a Creative Commons Paternité 4.0 International License

Identifiants

Citation

Dimitris Simos, Kristoffer Kleine, Laleh Ghandehari, Bernhard Garn, Yu Lei. A Combinatorial Approach to Analyzing Cross-Site Scripting (XSS) Vulnerabilities in Web Application Security Testing. Franz Wotawa; Mihai Nica; Natalia Kushik. 28th IFIP International Conference on Testing Software and Systems (ICTSS), Oct 2016, Graz, Austria. Springer International Publishing, Lecture Notes in Computer Science, LNCS-9976, pp.70-85, 2016, Testing Software and Systems. 〈10.1007/978-3-319-47443-4_5〉. 〈hal-01643723〉

Partager

Métriques

Consultations de la notice

161