Visible to the public Practical Combinatorial Testing for XSS Detection using Locally Optimized Attack Models

TitlePractical Combinatorial Testing for XSS Detection using Locally Optimized Attack Models
Publication TypeConference Paper
Year of Publication2019
AuthorsSimos, Dimitris E., Garn, Bernhard, Zivanovic, Jovan, Leithner, Manuel
Conference Name2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
Date Publishedapr
Keywordsapplication security, Black box testing, black-box security testing, combinatorial testing, combinatorial testing methodology, Cross Site Scripting, cross-site scripting, cross-site scripting vulnerabilities, formal verification, Grammar, Human Behavior, Internet, JavaScript, locally optimized attack models, modelling approach, modelling scheme, program testing, pubcrawl, Resiliency, Scalability, security of data, security testing, security testing tool, test case generation, test oracle, Tools, Verification Framework, Web application, Web applications, XSS, XSS attack vectors, XSS detection, XSSInjector
AbstractIn this paper, we present a combinatorial testing methodology for automated black-box security testing of complex web applications. The focus of our work is the identification of Cross-site Scripting (XSS) vulnerabilities. We introduce a new modelling scheme for test case generation of XSS attack vectors consisting of locally optimized attack models. The modelling approach takes into account the response and behavior of the web application and is particularly efficient when used in conjunction with combinatorial testing. In addition to the modelling scheme, we present a research prototype of a security testing tool called XSSInjector, which executes attack vectors generated from our methodology against web applications. The tool also employs a newly developed test oracle for detecting XSS which allow us to precisely identify whether injected JavaScript is actually executed and thus eliminate false positives. Our testing methodology is sufficiently generic to be applied to any web application that returns HTML code. We describe the foundations of our approach and validate it via an extensive case study using a verification framework and real world web applications. In particular, we have found several new critical vulnerabilities in popular forum software, library management systems and gallery packages.
Citation Keysimos_practical_2019