
Research On Cross-site Scripting Detection Based On Dynamic Analysis

Posted on: 2022-05-04 | Degree: Master | Type: Thesis
Country: China | Candidate: B Y Zhang | Full Text: PDF
GTID: 2518306491966449 | Subject: Computer technology
Abstract/Summary:
As web applications become more prevalent, they have become an indispensable part of people's lives. To meet people's needs, web applications need to interact with users a lot. However, due to some negligence in the development process, most web applications have security vulnerabilities. Cross-site scripting, abbreviated as XSS, is a kind of vulnerability that occurs frequently in web applications. Exploiting XSS vulnerabilities can hijack users' sessions; modify, read and delete the business data of web applications; place malicious code in web applications; and control victims to attack other targeted servers.

This paper discusses the classification of XSS and designs a demo website to demonstrate the attack processes of some common XSS exploitation scenarios, further illustrating the dangers of XSS vulnerabilities. It discusses the principles of common XSS vulnerability detection methods, and compares and analyzes the research results of XSS detection in recent years. According to their detection mechanism, the methods are divided into three categories: static analysis, dynamic analysis and hybrid analysis. All methods are comprehensively analyzed, and their strengths and weaknesses and the types of XSS vulnerabilities they detect are listed.

This paper also proposes two methods for detecting XSS vulnerabilities and XSS attack scripts. The first XSS vulnerability detection method is based on a crawler. First, it crawls the links of the entire website. It then analyzes possible attack injection points in these links and the corresponding pages, and injects a special string into each page that has an injection point to determine whether the URL of this page is associated with the URL of another page. Finally, it injects attack vectors and observes the HTTP response to determine whether the attack is triggered, and therefore whether there is an XSS vulnerability in the page. The method pre-establishes the association between URLs, effectively reducing the time to detect XSS vulnerabilities.

The second method uses a deep learning algorithm that combines a convolutional neural network (CNN), a long short-term memory neural network (LSTM) and an attention model to construct a new neural network, CLAttention, to detect XSS attack scripts. First, it decodes the data, and then preprocesses the data, splitting it into words. After that, it uses word2vec to convert the words in the XSS payloads into word vectors. The data are then trained and tested using the CLAttention model. The precision of this method is 99.89%, and the recall rate is 98.50%. We compare our work with the work of others to objectively evaluate the performance of the proposed method. The experimental results show that the proposed method has achieved good detection results.
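The decode-then-split preprocessing described for the second method, as an added example that is not code from the thesis: the decoding order, the round limit, the token classes and the `NUM` placeholder are assumptions, and the sample strings are constructed. The resulting token lists are the kind of input a word-embedding step such as word2vec takes.

```python
import html
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumed bound on nested encodings, so decoding always terminates

# Token classes, tried in order (assumed scheme, not the thesis's own rules).
TOKEN_RE = re.compile(
    r"""
    </?[a-z][a-z0-9]*       # opening or closing tag name
  | [a-z][a-z0-9_-]*\s*=    # attribute or event-handler assignment
  | [a-z_][\w.]*\(          # start of a function call
  | [a-z]+:                 # scheme prefix
  | \d+                     # number
  | [a-z_]\w*               # bare word
  | [>)'"/;]                # structural punctuation
    """,
    re.VERBOSE,
)

def decode(raw: str) -> str:
    """Undo nested URL and HTML-entity encoding until the string stops changing."""
    current = raw
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()  # case-fold so mixed-case variants share tokens

def tokenize(raw: str) -> list[str]:
    """Split a decoded request value into the 'words' an embedding model sees."""
    tokens = []
    for match in TOKEN_RE.finditer(decode(raw)):
        tok = re.sub(r"\s+", "", match.group())
        # Collapse every number to one symbol to keep the vocabulary small.
        tokens.append("NUM" if tok.isdigit() else tok)
    return tokens

# Constructed samples: double URL-encoded, entity-encoded, and benign input.
SAMPLES = [
    "%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    "<IMG SRC=x onerror=&#97;lert(1)>",
    "summer shoes 2024",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(tokenize(sample))
```

Decoding before tokenizing is what lets the two differently encoded samples produce the same `alert(`, `NUM`, `)` token run, so the classifier is not trained on encoding noise.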
Keywords/Search Tags:XSS detection, Web security, Penetration test