- Title
State-Sensitive Black-Box Web Application Scanning for Cross-Site Scripting Vulnerability Detection.
- Authors
Zhang, Tianxiang; Huang, Hui; Lu, Yuliang; Zhu, Kailong; Zhao, Jiazhen
- Abstract
Black-box web application scanning has been a popular technique to detect Cross-Site Scripting (XSS) vulnerabilities without prior knowledge of the application. However, several limitations lead to low efficiency of current black-box scanners, including (1) the scanners waste time by repetitively visiting similar states, such as similar HTML forms of two different products, and (2) using a First-In-First-Out (FIFO) fuzzing order for the collected forms has led to low efficiency in detecting XSS vulnerabilities, as different forms have different potential possibilities of XSS vulnerability. In this paper, we present a state-sensitive black-box web application scanning method, including a filtering method for excluding similar states and a heuristic ranking method for optimizing the fuzzing order of forms. The filtering method excludes similar states by comparing readily available characteristic information that does not require visiting the states. The ranking method sorts forms based on the number of injection points since it is commonly observed that forms with a greater number of injection points have a higher probability of containing XSS vulnerabilities. To demonstrate the effectiveness of our scanning method, we implement it in our black-box web scanner and conduct experimental evaluations on eight real-world web applications within a limited scanning time. Experimental results demonstrate that the filtering method improves the code coverage by about 17% on average and the ranking method helps detect 53 more XSS vulnerabilities. The combination of the filtering and ranking methods helps detect 81 more XSS vulnerabilities.
- Subjects
WEB-based user interfaces; OPTICAL scanners; HEURISTIC; FIRST in, first out (Queuing theory); SCANNING systems; KALMAN filtering
- Publication
Applied Sciences (2076-3417), 2023, Vol 13, Issue 16, p9212
- ISSN
2076-3417
- Publication type
Article
- DOI
10.3390/app13169212