Efficient Detection of Multi-step Cross-Site Scripting Vulnerabilities

نویسندگان

  • Alexandre Vernotte
  • Frédéric Dadeau
  • Franck Lebeau
  • Bruno Legeard
  • Fabien Peureux
  • François Piat
چکیده

Cross-Site Scripting (XSS) vulnerability is one of the most critical breaches that may compromise the security of Web applications. Reflected XSS is usually easy to detect as the attack vector is immediately executed, and classical Web application scanners are commonly efficient to detect it. However, they are less efficient to discover multi-step XSS, which requires behavioral knowledge to be detected. In this paper, we propose a Pattern-driven and Model-based Vulnerability Testing approach (PMVT) to improve the capability of multi-step XSS detection. This approach relies on generic vulnerability test patterns, which are applied on a behavioral model of the application under test, in order to generate vulnerability test cases. A toolchain, adapted from an existing Model-Based Testing tool, has been developed to implement this approach. This prototype has been experimented and validated on reallife Web applications, showing a strong improvement of detection ability w.r.t. Web application scanners for this kind of vulnerabilities.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Protection of Web Applications from Cross-Site Scripting Attacks in Browser Side

Cross Site Scripting (XSS) Flaws are currently the most popular security problems in modern web applications. These Flaws make use of vulnerabilities in the code of web-applications, resulting in serious consequences, such as theft of cookies, passwords and other personal credentials.Cross-Site scripting Flaws occur when accessing information in intermediate trusted sites. Client side solution ...

متن کامل

Toward A Taxonomy of Techniques to Detect Cross-site Scripting and SQL Injection Vulnerabilities

Since 2002, over half of reported cyber vulnerabilities are caused by input validation vulnerabilities . Over 50 % of input validation vulnerabilities were cross-site scripting and SQL injection vulnerabilities in 2006, based on the (US) National Vulnerability Database. Techniques to mitigate cross-site scripting and SQL injection vulnerabilities have been proposed. However, applying those tech...

متن کامل

Cross Site Scripting Vulnerabilities and Defences: A Review

With the advancement in the internet technology since last two decades, the dependence on web applications has increased rapidly. All the facilities are nowadays available online at the ease of just one click. As a result, Web applications are prone to cyber-attacks which has major consequences such as theft of personal secure data and information tampering by 'Cookie stealing' or 'Session Hija...

متن کامل

A Study of Existing Cross Site Scripting Detection and Prevention Techniques in Web Applications

Web Applications provide wide range of services to its users in an efficient manner. Web based attacks are increasing with the intent to harm the users or the reputation of particular organization. Most of these attacks occur through the exploitation of security vulnerabilities found in web applications. These vulnerabilities exists because developer focuses more on the development of the appli...

متن کامل

Automatic Detection of Vulnerabilities in Web Applications using Fuzzing

Automatic detection of vulnerabilities is a problem studied in literature and a very important concern in application development with security requirements. Fuzzing is a software testing technique, automated or semi-automated, that involves injecting a massive quantity of semi-random inputs in software in order to find security vulnerabilities. Many vulnerability detection techniques need manu...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2014