Adaptive Random Testing for XSS Vulnerability

被引：12

作者：

Lv, Chengcheng ^{[1
]}

Zhang, Long ^{[2
,3
]}

Zeng, Fanping ^{[1
]}

Zhang, Jian ^{[2
,3
]}

机构：

[1] Univ Sci & Technol China, Sch Comp Sci & Technol, Hefei, Peoples R China

[2] Chinese Acad Sci, Inst Software, State Key Lab Comp Sci, Beijing, Peoples R China

[3] Univ Chinese Acad Sci, Beijing, Peoples R China

来源：

2019 26TH ASIA-PACIFIC SOFTWARE ENGINEERING CONFERENCE (APSEC) | 2019年

基金：

国家重点研发计划; 中国国家自然科学基金;

关键词：

XSS Vulnerability; Adaptive Random Testing; Fuzzing;

D O I：

10.1109/APSEC48747.2019.00018

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

XSS is one of the common vulnerabilities in web applications. Many black-box testing tools may collect a large number of payloads and traverse them to find a payload that can be successfully injected, but they are not very efficient. Previous research has paid less attention to how to improve the efficiency of black-box testing to detect XSS vulnerability. To improve the efficiency of testing, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerability. The tool can discover XSS vulnerability quickly with adaptive random testing method. We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the adaptive random testing method. The experimental results indicate that the adaptive random testing method can effectively improve the fuzzing method by more than 27.1% in reducing the number of attempts before accomplishing a successful injection.

引用

页码：63 / 69

页数：7

共 50 条

[1] Automatic Web Security Unit Testing: XSS Vulnerability Detection
Mohammadi, Mahmoud
Chu, Bill
Lipford, Heather Richter
Murphy-Hill, Emerson
2016 IEEE/ACM 11TH INTERNATIONAL WORKSHOP IN AUTOMATION OF SOFTWARE TEST (AST), 2016, : 78 - 84
[2] Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks
Fonseca, Jose
Vieira, Marco
Madeira, Henrique
13TH PACIFIC RIM INTERNATIONAL SYMPOSIUM ON DEPENDABLE COMPUTING, PROCEEDINGS, 2007, : 365 - +
[3] Adaptive random testing
Chen, TY
Leung, H
Mak, IK
ADVANCES IN COMPUTER SCIENCE - ASIAN 2004, PROCEEDINGS, 2004, 3321 : 320 - 329
[4] Adaptive Random Testing
Chen, T. Y.
QSIC 2008: PROCEEDINGS OF THE EIGHTH INTERNATIONAL CONFERENCE ON QUALITY SOFTWARE, 2008, : 443 - 444
[5] Restricted random testing: Adaptive random testing by exclusion
Chan, Kwok Ping
Chen, Tsong Yueh
Towey, Dave
INTERNATIONAL JOURNAL OF SOFTWARE ENGINEERING AND KNOWLEDGE ENGINEERING, 2006, 16 (04) : 553 - 584
[6] An Empirical Comparison of Combinatorial Testing, Random Testing and Adaptive Random Testing
Wu, Huayao
Nie, Changhai
Petke, Justyna
Jia, Yue
Harman, Mark
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2020, 46 (03) : 302 - 320
[7] Adaptive random testing by localization
Chen, TY
Huang, DH
11TH ASIA-PACIFIC SOFTWARE ENGINEERING CONFERENCE, PROCEEDINGS, 2004, : 292 - 298
[8] A Survey on Adaptive Random Testing
Huang, Rubing
Sun, Weifeng
Xu, Yinyin
Chen, Haibo
Towey, Dave
Xia, Xin
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2021, 47 (10) : 2052 - 2083
[9] Mirror adaptive random testing
Chen, TY
Kuo, FC
Merkel, RG
Ng, SP
THIRD INTERNATIONAL CONFERENCE ON QUALITY SOFTWARE, PROCEEDINGS, 2003, : 4 - 11
[10] Mirror adaptive random testing
Chen, TY
Kuo, FC
Merkel, RG
Ng, SP
INFORMATION AND SOFTWARE TECHNOLOGY, 2004, 46 (15) : 1001 - 1010

← 1 2 3 4 5 →