• PDF / 454,393 Bytes
• 16 Pages / 439.37 x 666.142 pts Page_size
• 38 Downloads / 173 Views

DOWNLOAD

REPORT

SBA Research, 1040 Vienna, Austria {dsimos,kkleine,bgarn}@sba-research.org 2 Department of Computer Science and Engineering, University of Texas at Arlington, Arlington, TX 76019, USA [email protected], [email protected]

Abstract. Web applications typically employ sanitization functions to sanitize user inputs, independently whether this input is assumed to be legitimate, invalid or malicious. When such functions do not work correctly, a web application immediately becomes vulnerable to security attacks such as XSS. In this paper, we report a combinatorial approach to analyze XSS vulnerabilities in web applications. Our approach first performs combinatorial testing where a set of test vectors is executed against a subject application. If one or more XSS vulnerabilities are triggered during testing, we analyze the structure of each test vector to identify XSS-inducing combinations of its parameter model. If an attack vector contains an XSS-inducing combination, then the execution of this vector will successfully exploit an XSS vulnerability. Identification of XSSinducing combinations provides insights about which kinds of user input might still be leverageable for XSS attacks and how to correct the function to provide better security guarantees. We conducted an experiment in which our approach was applied to four sanitization functions from the Web Application Vulnerability Scanner Evaluation Project (WAVSEP). The experimental results show that our approach can effectively identify XSS-inducing combinations for these sanitization functions. Keywords: Combinatorial testing testing

1

· XSS · Fault localization · Security

Introduction

Web application security is as important as ever but pervasive ubiquitous computing, bundled with 24/7 network access, makes any connected web application especially susceptible to attacks. Naturally, injection attacks are remote exploits c IFIP International Federation for Information Processing 2016  Published by Springer International Publishing AG 2016. All Rights Reserved F. Wotawa et al. (Eds.): ICTSS 2016, LNCS 9976, pp. 70–85, 2016. DOI: 10.1007/978-3-319-47443-4 5

A Combinatorial Approach to Analyzing XSS Vulnerabilities

71

which can cause security breaches. Cross-site scripting (XSS) falls into this category and constitutes the third serious vulnerability according to the Open Web Application Security Project (OWASP) [22]. We focus on analyzing XSS vulnerabilities where we distinguish between two different types of XSS, namely reflected XSS and stored XSS. In the former case the web server response contains some data from the corresponding request, while the latter case includes data stored permanently on the server (e.g., in a database). In line of this work we are concerned only for reflected XSS vulnerabilities. In this paper, we apply for the first time a fault-localization technique based on combinatorial methods to identify one or more combinations of input parameter values that would definitely trigger an XSS vulnerability for a given system under tes

Recommend Documents

Detection of XSS Vulnerabilities of Web Application Using Security Testing Approaches

143 11 25MB

Scripting and Security in Computer Networks and Web Browsers

143 26 9MB

Shell Scripting Recipes A Problem-Solution Approach

178 82 4MB

Pro Apache JMeter Web Application Performance Testing

405 153 21MB

A Combinatorial Approach to Quantum Random Functions

168 47 24MB

Revisiting Security Vulnerabilities in Commercial Password Managers

187 102 24MB

A Machine Learning Approach to Dataset Imputation for Software Vulnerabilities

198 77 45MB

Using Model Driven Security Approaches in Web Application Development

157 9 480KB

A Systematic Approach to Analyzing Perception Architectures in Autonomous Vehicles

165 81 29MB

A Novel Approach to Detect XSS Attacks in Real Time Online Social Networking

173 8 174KB

Grey Box Approach for Mobile Application Testing

182 29 29MB

Prevention of Cross-Site Scripting Attacks on Current Web Applications

148 91 456KB