Adaptive Random Testing for XSS Vulnerability

被引：12

作者：

Lv, Chengcheng ^{[1
]}

Zhang, Long ^{[2
,3
]}

Zeng, Fanping ^{[1
]}

Zhang, Jian ^{[2
,3
]}

机构：

[1] Univ Sci & Technol China, Sch Comp Sci & Technol, Hefei, Peoples R China

[2] Chinese Acad Sci, Inst Software, State Key Lab Comp Sci, Beijing, Peoples R China

[3] Univ Chinese Acad Sci, Beijing, Peoples R China

来源：

2019 26TH ASIA-PACIFIC SOFTWARE ENGINEERING CONFERENCE (APSEC) | 2019年

基金：

国家重点研发计划; 中国国家自然科学基金;

关键词：

XSS Vulnerability; Adaptive Random Testing; Fuzzing;

D O I：

10.1109/APSEC48747.2019.00018

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

XSS is one of the common vulnerabilities in web applications. Many black-box testing tools may collect a large number of payloads and traverse them to find a payload that can be successfully injected, but they are not very efficient. Previous research has paid less attention to how to improve the efficiency of black-box testing to detect XSS vulnerability. To improve the efficiency of testing, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerability. The tool can discover XSS vulnerability quickly with adaptive random testing method. We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the adaptive random testing method. The experimental results indicate that the adaptive random testing method can effectively improve the fuzzing method by more than 27.1% in reducing the number of attempts before accomplishing a successful injection.

引用

页码：63 / 69

页数：7

共 22 条

[1] Abraham A., 2012, DETECTING EXPLOITING
[2] [Anonymous], 2013, P INT MULT ENG COMP
[3] Bates D., 2010, P 19 INT C WORLD WID, P91, DOI [DOI 10.1145/1772690.1772701, 10.1145/1772690.1772701]
[4] Attack Pattern-Based Combinatorial Testing with Constraints for Web Security Testing
Bozic, Josip
Garn, Bernhard
Kapsalis, Ioannis
Simos, Dimitris E.
Winkler, Severin
Wotawa, Franz
[J]. 2015 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE SECURITY AND RELIABILITY (QRS 2015), 2015, : 207 - 212
[5] Security Testing Based on Attack Patterns
Bozic, Josip
Wotawa, Franz
[J]. 2014 SEVENTH IEEE INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VERIFICATION AND VALIDATION WORKSHOPS (ICSTW 2014), 2014, : 4 - 11
[6] Cha S. H., 2007, INT J MATH MODELS ME, V1
[7] Adaptive Sequence Approach for OOS Test Case Prioritization
Chen, Jinfu
Zhu, Lili
Chen, Tsong Yueh
Huang, Rubing
Towey, Dave
Kuo, Fei-Ching
Guo, Yuchi
[J]. 2016 IEEE 27TH INTERNATIONAL SYMPOSIUM ON SOFTWARE RELIABILITY ENGINEERING WORKSHOPS (ISSREW), 2016, : 205 - 212
[8] Chen T. Y., 2007, P 2 ACM INT WORKSH R, P2
[9] Proportional sampling strategy: a compendium and some insights
Chen, TY
Tse, TH
Yu, YT
[J]. JOURNAL OF SYSTEMS AND SOFTWARE, 2001, 58 (01) : 65 - 81
[10] Choi H., 2017, P 2017 4 INT C COMP, P1

← 1 2 3 →