
Efficient Detection of Multi-step Cross-Site Scripting Vulnerabilities

  • Conference paper
Information Systems Security (ICISS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8880)


Abstract

Cross-Site Scripting (XSS) is one of the most critical vulnerabilities that may compromise the security of Web applications. Reflected XSS is usually easy to detect because the attack vector is executed immediately, and classical Web application scanners are commonly effective at detecting it. They are far less effective at discovering multi-step XSS, however, because detecting it requires behavioral knowledge of the application. In this paper, we propose a Pattern-driven and Model-based Vulnerability Testing approach (PMVT) to improve the capability of multi-step XSS detection. This approach relies on generic vulnerability test patterns, which are applied to a behavioral model of the application under test in order to generate vulnerability test cases. A toolchain, adapted from an existing Model-Based Testing tool, has been developed to implement this approach. This prototype has been evaluated and validated on real-life Web applications, showing a strong improvement of detection ability with respect to Web application scanners for this kind of vulnerability.



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Vernotte, A., Dadeau, F., Lebeau, F., Legeard, B., Peureux, F., Piat, F. (2014). Efficient Detection of Multi-step Cross-Site Scripting Vulnerabilities. In: Prakash, A., Shyamasundar, R. (eds) Information Systems Security. ICISS 2014. Lecture Notes in Computer Science, vol 8880. Springer, Cham. https://doi.org/10.1007/978-3-319-13841-1_20

  • DOI: https://doi.org/10.1007/978-3-319-13841-1_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13840-4

  • Online ISBN: 978-3-319-13841-1

  • eBook Packages: Computer Science (R0)
