Combinatorial Methods for HTML Sanitizer Security Testing

Cited by: 1
Authors
Zivanovic, Jovan [1]
Leithner, Manuel [1]
Simos, Dimitris E. [1]
Pitzer, Michael [2]
Slanina, Peter J. [2]
Affiliations
[1] SBA Research, MATRIS Research Group, Vienna, Austria
[2] Mobimed Software GmbH, Vienna, Austria
Source
2023 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VERIFICATION AND VALIDATION WORKSHOPS, ICSTW | 2023
Keywords
combinatorial testing; security testing; HTML filter; cross-site scripting; XSS
DOI
10.1109/ICSTW58534.2023.00051
CLC classification number
TP31 [Computer software]
Discipline classification code
081202; 0835
Abstract
HTML sanitization is an essential security feature for web services that incorporate user-generated content, removing the ability of malicious actors to perform injection attacks such as cross-site scripting. Exercising additional scrutiny when choosing such filters is prudent, as any insufficiencies in their design or implementation may lead to widespread exploitation of vulnerabilities. This work presents an approach for applying combinatorial security testing, which offers the unique capability to provide mathematically guaranteed coverage of the language defined by an attack grammar, to HTML sanitizers.
Pages: 255 / 259
Page count: 5