Grey-Box Fuzzing Based on Reinforcement Learning for XSS Vulnerabilities-Reference-Cited by-同舟云学术

Grey-Box Fuzzing Based on Reinforcement Learning for XSS Vulnerabilities

Published:2023-02-15 Issue:4 Volume:13 Page:2482
ISSN:2076-3417
Container-title:Applied Sciences
language:en
Short-container-title:Applied Sciences

Author:

Song Xuyan¹,Zhang Ruxian²,Dong Qingqing¹,Cui Baojiang¹

Affiliation:

1. School of Cyber Security, Beijing University of Posts and Telecommunications, Beijing 100876, China

2. School of Computer Science (National Pilot Software Engineering School), Beijing University of Posts and Telecommunications, Beijing 100876, China

Abstract

Cross-site scripting (XSS) vulnerabilities are significant threats to web applications. The number of XSS vulnerabilities reported has increased annually for the past three years, posing a considerable challenge to web application maintainers. Black-box scanners are mainstream tools for security engineers to perform penetration testing and detect XSS vulnerabilities. Unfortunately, black-box scanners rely on crawlers to find input points of web applications and cannot guarantee all input points are tested. To this end, we propose a grey-box fuzzing method based on reinforcement learning, which can detect reflected and stored XSS vulnerabilities for Java web applications. We first use static analysis to identify potential input points from components (i.e., Java code, configuration files, and HTML files) of the Java web application. Then, an XSS vulnerability payload generation method is proposed, which is used together with the reinforcement learning model. We define the state, action, and reward functions of three reinforcement learning models for XSS vulnerability detection scenarios so that the fuzz loop can be performed automatically. To demonstrate the effectiveness of the proposed method, we compare it against four state-of-the-art web scanners. Experimental results show that our method finds all XSS vulnerabilities and has no false positives.

Publisher

MDPI AG

Subject

Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science

Link

https://www.mdpi.com/2076-3417/13/4/2482/pdf

Reference46 articles.

1. DIAVA: A traffic-based framework for detection of SQL injection attacks and vulnerability analysis of leaked data;Gu;IEEE Trans. Reliab.,2019

2. Review of recent detection methods for HTTP DDoS attack;Jaafar;J. Comput. Netw. Commun.,2019

3. Khodayari, S., and Pellegrino, G. (2021, January 11–13). JAW: Studying Client-Side CSRF with Hybrid Property Graphs and Declarative Traversals. Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Online.

4. Steffens, M., Rossow, C., Johns, M., and Stock, B. (2019, January 24–27). Don’t Trust the Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. Proceedings of the 26th Annual Network and Distributed System Security Symposium, San Diego, CA, USA.

5. (2022, November 30). Cross-Site Scripting Prevention Cheat Sheet Series. Available online: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.

Cited by 2 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Sniping at web applications to discover input-handling vulnerabilities;Journal of Computer Virology and Hacking Techniques;2024-04-12

2. State-Sensitive Black-Box Web Application Scanning for Cross-Site Scripting Vulnerability Detection;Applied Sciences;2023-08-13