d'Amore, Fabrizio and Gentile, Mauro (2012) Automatic and Context-Aware Cross-Site Scripting Filter Evasion. Technical Report. Department of Computer, Control, and Management Engineering Antonio Ruberti.
Abstract
Cross-Site Scripting (XSS) is a pervasive vulnerability that involves a huge portion of modern web applications. Implementing a correct and complete XSS filter for user-generated content can really be a challenge for web developers. Many aspects have to be taken into account since the attackers may continuously show off a potentially unlimited armory. This work proposes an approach and a tool – named snuck – for web application penetration testing, which can definitely help in finding hard-to-spot and advanced XSS vulnerabilities. This methodology is based on the inspection of the injection’s reflection context and relies on a set of specialized and obfuscated attack vectors for bypassing filter-based protections adopted against potentially harmful inputs. In addition, XSS testing is performed in-browser: a web browser is driven to reproduce the attacker's and possibly the victim's behavior. Results of several tests on many popular Content Management Systems proved the benefits of this approach: no other web vulnerability scanner would have been able to discover some advanced ways to bypass robust XSS filters.
| Item Type: | Monograph (Technical Report) |
|---|---|
| Uncontrolled Keywords: | computer security; network security; web application security; browser security; vulnerability detection; cross-site scripting; XSS |
| Subjects: | 000 Computer science - Information science - Archival, library and documentary information sciences - general works > 004 Data processing, Computer science, Informatics (Data processing, Computer science) |
| Depositing User: | Sapienza Università di Roma Dipartimento di Ingegneria informatica, automatica e gestionale |
| Date Deposited: | 05 Feb 2013 16:47 |
| Last Modified: | 05 Feb 2013 16:47 |
| URI: | http://eprints.bice.rm.cnr.it/id/eprint/4396 |