ETSSDetector: a tool for the automatic detection of Cross-Site Scripting vulnerabilities in web applications

  • Thiago de Souza Rocha (UFAM)
  • Eduardo Souto (UFAM)
  • Gilbert Breves Martins (UFAM)

Abstract


The inappropriate use of features intended to improve the usability and interactivity of web applications has given rise to a variety of threats, including Cross-Site Scripting (XSS) attacks. In this work we developed ETSSDetector, a generic and modular web vulnerability scanner that automatically analyzes web applications in order to find XSS vulnerabilities. ETSSDetector identifies and analyzes the application's data entry points and generates specific code-injection tests for each one. The results show that filling the remaining input fields correctly, with only valid data, makes the tests more effective and increases the XSS detection rate.
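The following is an added illustration of the testing strategy the abstract describes; it is not ETSSDetector's code. It parses a constructed guestbook form, generates one injection test per entry point (the probe payload in the target field, type-appropriate valid values in every other field), runs each test against a toy server function that validates input before rendering, and flags a field only when the probe is reflected unescaped. The form, the toy server, the probe marker and the table of valid filler values are all assumptions made for this example. Running the same scan with the probe placed in every field at once shows why valid filler values matter: server-side validation rejects the request before the injectable field is ever rendered.

```python
"""Illustrative black-box reflected-XSS probe (added example, not ETSSDetector's code)."""
import html
from html.parser import HTMLParser

# Unique, harmless marker: easy to spot, and html.escape() would neutralise its '<' and '"'.
PAYLOAD = '<etssprobe data-x="1">'

# Assumed table of syntactically valid filler values, keyed by HTML input type.
VALID_VALUES = {
    "email": "user@example.com",
    "number": "30",
    "url": "https://example.com/",
    "password": "Passw0rd!",
    "text": "test",
    "textarea": "test",
}


class FormFieldCollector(HTMLParser):
    """Collects (name, type, default value) for every named <input>/<textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if not name:
            return
        if tag == "input":
            ftype = a.get("type", "text")
            if ftype != "submit":
                self.fields.append((name, ftype, a.get("value", "")))
        elif tag == "textarea":
            self.fields.append((name, "textarea", ""))


def valid_value(ftype):
    return VALID_VALUES.get(ftype, "test")


def build_test_cases(fields, fill_valid=True):
    """One request per non-hidden field: the probe goes in that field only.
    Other fields get valid filler (fill_valid=True) or the probe too (fill_valid=False).
    Hidden fields (e.g. CSRF tokens) keep their default value in both modes."""
    cases = []
    for target, ftype, _ in fields:
        if ftype == "hidden":
            continue
        params = {}
        for name, t, default in fields:
            if t == "hidden":
                params[name] = default
            elif name == target:
                params[name] = PAYLOAD
            else:
                params[name] = valid_value(t) if fill_valid else PAYLOAD
        cases.append((target, params))
    return cases


def reflected_unescaped(response, payload=PAYLOAD):
    """True only if the probe comes back byte-for-byte; an escaped copy does not match."""
    return payload in response


def scan(form_html, app, fill_valid=True):
    """Return the names of fields whose value is reflected without escaping."""
    collector = FormFieldCollector()
    collector.feed(form_html)
    return sorted(
        target
        for target, params in build_test_cases(collector.fields, fill_valid)
        if reflected_unescaped(app(params))
    )


# Constructed sample form (assumed, not from any real application).
GUESTBOOK_FORM = """
<form method="post" action="/sign">
  <input type="hidden" name="csrf" value="abc123">
  <input type="email" name="email" required>
  <input type="number" name="age">
  <textarea name="comment"></textarea>
  <input type="submit" value="Sign">
</form>
"""


def toy_guestbook(params):
    """Constructed stand-in for the server: validates first, then renders.
    'email' is escaped on output; 'comment' is echoed raw (the planted XSS flaw)."""
    if "@" not in params.get("email", ""):
        return "<p class=err>Invalid e-mail address</p>"
    if not params.get("age", "").isdigit():
        return "<p class=err>Age must be a number</p>"
    return (
        "<h1>Thanks!</h1>"
        f"<p>From: {html.escape(params.get('email', ''))}</p>"
        f"<p>Comment: {params.get('comment', '')}</p>"
    )


if __name__ == "__main__":
    print("valid filler:", scan(GUESTBOOK_FORM, toy_guestbook, fill_valid=True))    # ['comment']
    print("probe everywhere:", scan(GUESTBOOK_FORM, toy_guestbook, fill_valid=False))  # []
```

With valid filler the scan reports `comment`; with the probe in every field the e-mail check fails on each request and nothing is reported, even though the flaw is still there. Against a real target the same loop would submit the request over HTTP and the marker check would be replaced by a DOM-aware check (e.g. confirming the marker survives as an element rather than merely as text), but the test-generation step is the same.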

Published: 2013-11-11
ROCHA, Thiago de Souza; SOUTO, Eduardo; MARTINS, Gilbert Breves. ETSSDetector: uma ferramenta para detecção automática de vulnerabilidades de Cross-Site Scripting em aplicações web. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 13., 2013, Manaus. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 58-71. DOI: https://doi.org/10.5753/sbseg.2013.19536.
