Automatic and Context-Aware Cross-Site Scripting Filter Evasion

d'Amore, Fabrizio and Gentile, Mauro (2012) Automatic and Context-Aware Cross-Site Scripting Filter Evasion. Technical Report. Department of Computer, Control, and Management Engineering Antonio Ruberti.

[img]
Preview
PDF
AUTOMATIC_AND_CONTEXT-AWARE.pdf

Download (943kB)
Official URL: http://www.dis.uniroma1.it/~bibdis/techreport/inde...

Abstract

Cross-Site Scripting (XSS) is a pervasive vulnerability that involves a huge portion of modern web applications. Implementing a correct and complete XSS filter for user-generated content can really be a challenge for web developers. Many aspects have to be taken into account since the attackers may continuously show off a potentially unlimited armory. This work proposes an approach and a tool – named snuck – for web application penetration testing, which can definitely help in finding hard-to-spot and advanced XSS vulnerabilities. This methodology is based on the inspection of the injection’s reflection context and relies on a set of specialized and obfuscated attack vectors for bypassing filter based protections, adopted against potentially harmful inputs. In addition, XSS testing is performed in-browser, this means that a web browser is driven in reproducing the attacker and possibly the victim behavior. Results of several tests on many popular Content Management Systems proved the benefits of this approach: no other web vulnerability scanner would have been able to discover some advanced ways to bypass robust XSS filters.

Item Type: Monograph (Technical Report)
Uncontrolled Keywords: computer security; network security; web application security; browser security; vulnerability detection; cross-site scripting; XSS
Subjects: 000 Scienza degli elaboratori - Scienze dell’informazione - Scienze archivistiche, librarie e dell'informazione documentaria – opere generali > 004 Elaborazione dei dati, Scienza degli elaboratori, Informatica (Data processing, Computer science)
Depositing User: Sapienza Università di Roma Dipartimento di Ingegneria informatica, automatica e gestionale
Date Deposited: 05 Feb 2013 16:47
Last Modified: 05 Feb 2013 16:47
URI: http://eprints.bice.rm.cnr.it/id/eprint/4396

Actions (login required)

View Item View Item