基于模糊测试的反射型跨站脚本漏洞检测

doi:10.11772/j.issn.1001-9081.2020111770

计算机应用 ›› 2021, Vol. 41 ›› Issue (9): 2594-2601.DOI: 10.11772/j.issn.1001-9081.2020111770

所属专题：网络空间安全

基于模糊测试的反射型跨站脚本漏洞检测

倪萍, 陈伟

南京邮电大学计算机学院, 南京 210023

收稿日期:2020-11-13 修回日期:2021-01-13 出版日期:2021-09-10 发布日期:2021-05-08
通讯作者: 陈伟
作者简介:倪萍(1995-),女,江苏南通人,硕士研究生,主要研究方向:Web安全;陈伟(1979-),男,江苏淮安人,教授,博士,CCF会员,主要研究方向:僵尸网络、无线通信网安全。
基金资助:
国家重点研发计划项目（2019YFB2101704）。

Reflective cross-site scripting vulnerability detection based on fuzzing test

NI Ping, CHEN Wei

School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing Jiangsu 210023, China

Received:2020-11-13 Revised:2021-01-13 Online:2021-09-10 Published:2021-05-08
Supported by:
This work is partially supported by the National Key Research and Development Program of China (2019YFB2101704)

摘要/Abstract

摘要： 针对目前现代万维网（WWW）应用程序中跨站脚本（XSS）漏洞检测技术存在的效率低，以及漏报率、误报率高等问题，提出了一个基于模糊测试的反射型XSS漏洞检测系统。首先，通过网络爬虫技术爬取整站指定深度的网页链接并对其进行分析，从而提取出潜在的用户注入点；其次，根据攻击载荷的语法形式构造模糊测试用例，并为每个元素设置初始权重，依据注入探子向量来获取输出点类型，从而选择对应的攻击语法模式来构造较有潜力的攻击载荷，并对其进行变异操作以形成变异攻击载荷来作为请求参数；然后，对网站响应进行分析，并调整元素的权重，以便生成更加高效的攻击载荷；最后，将该系统与ZAP、Wapiti系统做横向对比。实验结果表明，所提系统能够发现的潜在用户注入点数提升了12.5%，漏洞误报率下降至0.37%，漏报率低于2.23%；同时减少了请求次数，节约了检测时间。

关键词: 跨站脚本漏洞检测, 爬虫, 模糊测试, 探子向量, 攻击载荷, 权重调整

Abstract: In view of the low efficiency, high false negative rate and high false positive rate of Cross-Site Scripting (XSS) vulnerability detection technology in current World Wide Web (WWW) applications, a reflective XSS vulnerability detection system based on fuzzing test was proposed. First, the Web crawler technology was used to crawl the Web page links with specified depth in the whole website and analyze them, so as to extract the potential user injection points. Secondly, a fuzzing test case was constructed according to the grammatical form of the attack payload, and an initial weights was set for each element, according to the injected probe vector, the output point type was obtained to select the corresponding attack grammatical form for constructing potential attack payload, and it was mutated to form a mutated attack payload as the request parameter. Thirdly, the website response was analyzed and the weights of the elements were adjusted to generate a more efficient attack payload. Finally, this proposed system was compared horizontally with OWASP Zed Attack Proxy (ZAP) and Wapiti systems. Experimental results show that the number of potential user injection points found by the proposed system is increased by more than 12.5%, the false positive rate of the system is dropped to 0.37%, and the false negative rate of the system is lower than 2.23%. At the same time, this system reduces the number of requests and saves the detection time.

Key words: Cross-Site Scripting (XSS) vulnerability detection, crawler, fuzzing test, probe vector, attack payload, weight adjustment

中图分类号:

TP393

倪萍, 陈伟. 基于模糊测试的反射型跨站脚本漏洞检测[J]. 计算机应用, 2021, 41(9): 2594-2601.

NI Ping, CHEN Wei. Reflective cross-site scripting vulnerability detection based on fuzzing test[J]. Journal of Computer Applications, 2021, 41(9): 2594-2601.

参考文献

[1] ANTUNES N,VIEIRA M. Defending against Web application vulnerabilities[J]. Computer,2012,45(2):66-72.
[2] 李威, 李晓红. Web应用存储型XSS漏洞检测方法及实现[J]. 计算机应用与软件,2016,33(1):24-27,37.(LI W,LI X H. detection method for stored-XSS vulnerability in Web applications and its implementation[J]. Computer Applications and Software, 2016,33(1):24-27,37.)
[3] OWSAP. OWASP TOP 10.[2020-08-29]https://owasp.org/wwwproject-top-ten/.
[4] 顾明昌, 王丹, 赵文兵, 等. 一种基于攻击向量自动生成的XSS漏洞渗透测试方法[J]. 软件导刊,2016,15(7):173-177.(GU M C,WANG D,ZHAO W B,et al. A penetration testing method for XSS vulnerabilities based on automatic generation of attack vectors[J]. Software Guide,2016,15(7):173-177.)
[5] SIVANESAN A P, MATHUR A, JAVAID A Y. A Google Chromium browser extension for detecting XSS attack in HTML5 based websites[C]//Proceedings of the 2018 IEEE International Conference on Electro/Information Technology. Piscataway:IEEE, 2018:302-304.
[6] LIU Y, ZHAO W B, WANG D, et al. A XSS vulnerability detection approach based on simulating browser behavior[C]//Proceedings of the 2nd International Conference on Information Science and Security. Piscataway:IEEE,2015:1-4.
[7] WANG R,XU G Q,ZENG X J,et al. TT-XSS:a novel taint tracking based dynamic detection framework for DOM Cross-Site Scripting[J]. Journal of Parallel and Distributed Computing,2017, 118(Pt 1):100-106.
[8] SIMOS D E, GARN B, ZIVANOVIC J, et al. Practical combinatorial testing for XSS detection using locally optimized attack models[C]//Proceedings of the 2019 IEEE International Conference on Software Testing, Verification and Validation Workshops. Piscataway:IEEE,2019:122-130.
[9] LIU M,ZHANG B Y,CHEN W B,et al. A survey of exploitation and detection methods of XSS vulnerabilities[J]. IEEE Access, 2019,7:182004-182016.
[10] SARMAH U,BHATTACHARYYA D K,KALITA J K. A survey of detection methods for XSS attacks[J]. Journal of Network and Computer Applications,2018,118:113-143.
[11] ZHENG Y H,ZHANG X Y. Path sensitive static analysis of web applications for remote code execution vulnerability detection[C]//Proceedings of the 35th International Conference on Software Engineering. Piscataway:IEEE,2013:652-661.
[12] MEDEIROS I,NEVES N,CORREIA M. Detecting and removing web application vulnerabilities with static analysis and data mining[J]. IEEE Transactions on Reliability,2016,65(1):54-69.
[13] DUCHENE F,RAWAT S,RICHIER J L,et al. KameleonFuzz:evolutionary fuzzing for black-box XSS detection[C]//Proceedings of the 4th ACM Conference on Data and Application Security and Privacy. New York:ACM,2014:37-48.
[14] 程诚, 周彦晖. 基于模糊测试和遗传算法的XSS漏洞挖掘[J]. 计算机科学,2016,43(6A):328-331,364.(CHENG C,ZHOU Y H. Findding XSS vulnerabilities based on fuzzing test and genetic algorithm[J]. Computer Science,2016,43(6A):328-331,364.)
[15] 黄文锋, 李晓伟, 霍占强. 基于EBNF和二次爬取策略的XSS漏洞检测技术[J]. 计算机应用研究,2019,36(8):2458-2463. (HUANG W F,LI X W,HUO Z Q. XSS vulnerability detection technology based on EBNF and secondary crawling strategy[J]. Application Research of Computers,2019,36(8):2458-2463.)
[16] 维基百科. 网络爬虫[EB/OL].[2020-09-02]. https://zh.wikipedia.org/wiki/网络爬虫. (Wikipedia. Web crawler[EB/OL].[2020-09-02]. https://zh.wikipedia.org/wiki/网络爬虫.)
[17] Wikipedia. Fuzzing[EB/OL].[2020-09-02]. https://en.wikipedia.org/wiki/Fuzzing.
[18] Software Freedom Conservancy. About Selenium[EB/OL].[2020-09-02]. https://www.selenium.dev/about.
[19] MANICO J,HANSEN R R. XSS filter evasion cheat sheet[EB/OL].[2020-09-02]. https://owasp.org/www-community/xssfilter-evasion-cheatsheet.

基于模糊测试的反射型跨站脚本漏洞检测

Reflective cross-site scripting vulnerability detection based on fuzzing test

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 13

编辑推荐

Metrics

[1]	刘景发, 顾瑶平, 刘文杰. 融合本体和改进禁忌搜索策略的气象灾害主题爬虫方法[J]. 计算机应用, 2020, 40(8): 2255-2261.
[2]	张瀚方, 周安民, 贾鹏, 刘露平, 刘亮. 面向二进制程序的导向性模糊测试方法[J]. 计算机应用, 2019, 39(5): 1389-1393.
[3]	鄂世嘉, 林培裕, 向阳. 自动化构建的中文知识图谱系统[J]. 计算机应用, 2016, 36(4): 992-996.
[4]	王景中, 邱铜相. 基于TF-IDF改进算法的聚焦主题网络爬虫[J]. 计算机应用, 2015, 35(10): 2901-2904.
[5]	陈衍铃赵静. 基于虚拟化技术的动态污点分析[J]. 计算机应用, 2011, 31(09): 2367-2372.
[6]	范纯龙袁滨余周华徐蕾. 基于陷阱技术的网络爬虫检测[J]. 计算机应用, 2010, 30(07): 1782-1784.
[7]	徐文杰陈庆奎. 增量更新并行Web爬虫系统[J]. 计算机应用, 2009, 29(4): 1117-1119.
[8]	王海舟陈兴蜀王文贤. PPLive网络电视系统的测量研究[J]. 计算机应用, 2009, 29(07): 1988-1991.
[9]	尹江尹治本黄洪. 网络爬虫效率瓶颈的分析与解决方案[J]. 计算机应用, 2008, 28(5): 1114-1116.
[10]	蒋宗礼徐学可李帅. 一种基于HITS的主题敏感爬行方法[J]. 计算机应用, 2008, 28(4): 942-944.
[11]	孙晓妍王洋祝跃飞武东英. 基于客户端蜜罐的恶意网页检测系统的设计与实现[J]. 计算机应用, 2007, 27(7): 1613-1615.
[12]	刘金红陆余良 . 一种基于锚文本和改进C4.5决策树算法的主题爬行方法[J]. 计算机应用, 2006, 26(12): 3012-3014.
[13]	周立柱，林玲. 聚焦爬虫技术研究综述[J]. 计算机应用, 2005, 25(09): 1965-1969.