Abstract:

With the popularity of the Web2.0 applications, crosssite scripting vulnerability which can cause a serious threat to the safety of users exists in a wide range of websites, due to the lack of proper verification mechanisms. Currently, the mixture of the serverside and clientside codes makes accurate and effective detection of crosssite scripting vulnerability more difficult. In our study, based on a static data flow analysis combined with a string constraint solving technique, we design a whitebox testing framework for detecting crosssite scripting vulnerability. We implement our framework in a prototype tool called XSSExplore, and the experimental results show that the system can better generate a more effective attack vector and detect crosssite scripting attacks compared with similar products.

Key words: Web security;XSS;static analysis;fuzzing;whitebox testing