Cross-site scripting (XSS) is a widespread and latent web security threat. Its harm is often compounded by other web vulnerabilities: it can occur together with SQL injection and buffer overflow vulnerabilities, and it can evolve into worms. An attacker exploits an XSS vulnerability by forging a request that contains a malicious script; the web application mistakenly treats the request from the client as coming from a legitimate user, and genuinely legitimate users end up being attacked. XSS attacks are the most common type of network attack today, so accurate detection of XSS vulnerabilities in web applications is necessary.

Common detection methods include dynamic analysis based on black-box testing, static analysis based on white-box testing, and fuzzing. White-box methods detect potential exploits by analyzing the source code of the web application. Viktoria Felmetsger developed a white-box tool to evaluate logic flaws in real-world web applications. Prithvi Bisht et al. described a tool that takes a new approach to white-box analysis of the server's code: it automatically identifies parameter-tampering vulnerabilities and generates exploits by construction to demonstrate them. In general, this kind of detection is comprehensive and accurate, but hard to implement, and the software that applies it is usually bulky. Fuzzing-based methods find defects by automatically and repeatedly generating input samples while constantly monitoring how the target system reacts. Duchene, Fabien et al. presented a black-box, GA-driven fuzzer targeting XSS, which not only generates malicious inputs to exploit XSS but also measures how close an input is to revealing a vulnerability; they chose a genetic algorithm working on a learned formal model to automatically generate inputs with better fitness values towards triggering an instance of the given vulnerability. Kim et al. proposed a novel test-case generation method for fuzzing: before creating test cases, they classified the protocol fields into three categories by their characteristics, so that test cases could be created from the categories without considering each field individually. Dynamic black-box detection constructs malformed input to simulate an attack and then judges whether a vulnerability exists by monitoring the output for pre-set features. Applied to vulnerability detection, black-box testing simulates the way an attacker would exploit a vulnerability in order to find possible flaws in the target program. Fan J et al. proposed a dynamic detection framework (TT-XSS) for DOM-XSS based on taint tracking on the client side; they rewrote all JavaScript features and DOM APIs to taint the browser's rendering process.

To facilitate XSS vulnerability detection based on black-box testing, and with the static HTML tagging mechanism in mind, we divide XSS vulnerabilities into two kinds according to the location of the HTML tags into which the malicious script is injected: script-tags-inside and attribute-tags-inside. A script-tags-inside XSS vulnerability uses the HTML script tag, <script></script>, to carry the script; reflected XSS and DOM-based XSS in the traditional classification fall into this category. An attribute-tags-inside XSS vulnerability exploits the "javascript:" pseudo-protocol in resource attributes to trigger execution of the script; stored XSS in the traditional classification falls into this category. For script-tags-inside vulnerabilities, the attacker inserts the malicious script into a URL and generates test cases that launch the attack against the target web program. For attribute-tags-inside vulnerabilities, the attacker first injects the script as a pseudo-resource and then triggers its execution.

Following this mechanism, we refine the generic dynamic black-box model into a dynamic detection model specifically for XSS vulnerabilities. The model is divided into five modules: target analysis, attack generation, attack sending, result monitoring and report generation.

Target analysis: this module has two aspects. First, analyze the principles and features of XSS attacks in order to design black-box test cases and the rules for deciding whether a vulnerability exists. Second, obtain all the base URLs of the target web application, which provide the addresses for the simulated attacks that follow.

Attack generation: inject the default test cases set by the program developer, or the specific test cases designed by the user, into the base URLs obtained in the target analysis phase, producing attack requests. The position at which a test case is inserted and the way the request is synthesized are the key elements of this module.

Attack sending: in general, the target web system contains many base URLs, and every one of them should be attacked when simulating a network attack. All the attacks form an attack sequence in a fixed order; each attack is sent exactly once, and the next attack is not sent until the following two steps have been executed for the current one.

Result monitoring: if the server responds normally, the attack is considered successful; otherwise it is considered failed. When an attack succeeds and the return characteristics of the injected script are found in the response, the web program may contain an XSS vulnerability; otherwise no cross-site scripting vulnerability is reported. A regular-expression match can be used to verify the characteristic values in the returned result.

Report generation: write the result of each attack into the report. Where a cross-site scripting vulnerability is suspected, the report records not only the number of attacks but also the suspected locations and all the attack requests involved. If no XSS vulnerability is detected, the report records the number of attacks only. The final report is generated after all attacks have finished.
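The following Python script is an added example, not code from the paper or the tool it describes. It implements the five-module flow above (target analysis, attack generation, attack sending, result monitoring, report generation) for both classes of test case defined earlier: a script-tags-inside probe and an attribute-tags-inside "javascript:" probe. Instead of a live target it dispatches to a constructed mock application with three handlers (one reflecting into page text, one escaping angle brackets but accepting any URL scheme in an attribute, and one hardened handler), so it runs offline. The base URLs, the handlers, the `CANARY` marker and all function names are assumptions of this example. The probes carry only a unique marker, and the regular expressions in `TEST_CASES` look for that marker's unescaped echo in the context the class describes.

```python
import re
import html
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Unique marker carried by every test case so its echo can be recognised
# unambiguously in the response (constructed value for this example).
CANARY = "xsscanary7f3a"

# Target analysis, part one: one test case per vulnerability class, paired
# with the regex that matches its characteristic, unescaped reflection.
TEST_CASES = {
    "script-tags-inside": (
        f"<script>{CANARY}</script>",
        re.compile(rf"<script>{CANARY}</script>", re.I),
    ),
    "attribute-tags-inside": (
        f"javascript:{CANARY}",
        re.compile(rf"""(?:href|src)\s*=\s*["']?javascript:{CANARY}""", re.I),
    ),
}

# Target analysis, part two: base URLs of the (constructed) target application.
BASE_URLS = [
    "http://target.example/search?q=test",
    "http://target.example/link?url=http://a.example/",
    "http://target.example/safe-link?url=http://a.example/",
]


# --- Constructed mock application standing in for the real server ----------
def _vulnerable_search(params):
    # Reflects the parameter straight into page text: script-tags-inside.
    return 200, f"<html><body><h1>Results for {params.get('q', '')}</h1></body></html>"


def _vulnerable_link(params):
    # Escapes < > & but accepts any URL scheme in href: attribute-tags-inside.
    url = html.escape(params.get("url", ""), quote=False)
    return 200, f'<html><body><a href="{url}">go</a></body></html>'


def _hardened_link(params):
    # Allows only http(s) and escapes for the attribute context.
    url = params.get("url", "")
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme not in ("http", "https"):
        url = "#"
    return 200, f'<html><body><a href="{html.escape(url, quote=True)}">go</a></body></html>'


MOCK_ROUTES = {"/search": _vulnerable_search, "/link": _vulnerable_link,
               "/safe-link": _hardened_link}


def mock_send(url):
    """Attack sending stand-in: returns (status, body) like an HTTP client would."""
    parts = urlparse(url)
    handler = MOCK_ROUTES.get(parts.path)
    if handler is None:
        return 404, ""
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return handler(params)


# --- Detection model --------------------------------------------------------
def generate_attacks(base_urls):
    """Attack generation: one request per (base URL, parameter, test case)."""
    attacks = []
    for base in base_urls:
        parts = urlparse(base)
        params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        for name in params:
            for kind, (payload, _) in TEST_CASES.items():
                mutated = dict(params, **{name: payload})
                url = urlunparse(parts._replace(query=urlencode(mutated)))
                attacks.append({"url": url, "param": name, "kind": kind})
    return attacks


def monitor(attack, status, body):
    """Result monitoring: server answered normally and the marker echoed unescaped."""
    if status != 200:
        return False
    return TEST_CASES[attack["kind"]][1].search(body) is not None


def scan(base_urls, send=mock_send):
    """Runs the attack sequence one request at a time and builds the report."""
    report = {"attacks": 0, "findings": []}
    for attack in generate_attacks(base_urls):
        status, body = send(attack["url"])
        report["attacks"] += 1
        if monitor(attack, status, body):
            report["findings"].append(dict(attack))  # suspected place + request
    return report


if __name__ == "__main__":
    print(scan(BASE_URLS))
```

Running it reports six attacks and two suspected vulnerabilities: the `q` parameter of `/search` (script-tags-inside) and the `url` parameter of `/link` (attribute-tags-inside); the hardened `/safe-link` handler produces none. The regex check only establishes that the marker came back unescaped in the expected context, which is why the model speaks of a suspected vulnerability; confirming it in a browser is a separate step.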

The XSS vulnerability detection method designed in this paper has low environmental requirements, high detection efficiency and a more flexible approach. Based on black-box dynamic detection, it constructs characteristic attack vectors according to the principle by which the vulnerability arises, sends them to the server to launch a simulated attack, and then monitors the server's responses to reach a judgment; such a method is broadly applicable. Compared with similar dynamic cross-site scripting detection tools, it offers high vulnerability coverage, fast detection and flexible interaction. Testing experiments were designed to verify the validity of the detection model above. The test results show that the model is effective in constructing malformed attack features, but it still lacks detection of injection-triggered cross-site scripting vulnerabilities, and there remain many shortcomings in coverage and automation.
