
Cross-Site Scripting Vulnerability Detection Based On Event Listening

Posted on: 2022-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Wu
GTID: 2518306572997059
Subject: Computer technology

Abstract/Summary:
The rapid development of the Internet has brought tremendous changes to people's lives. Online shopping, mobile payment and other technologies have greatly facilitated our daily life. While enjoying the dividends of the Internet, people are also paying more and more attention to the security problems that web applications may bring. Cross-Site Scripting (XSS) is a very common web security vulnerability that is flexible, diverse and harmful, and it poses a serious threat to the security of users' personal information and property. Therefore, it is of great practical significance to detect potential XSS vulnerabilities and ensure the security of web applications. However, current detection technology for XSS vulnerabilities is insufficient: traditional detection methods mainly target static web pages and consider only a single injection point. Meanwhile, with the popularity of HTML5 and asynchronous interaction, XSS attacks have taken more forms. To solve these issues, we propose a vulnerability detection method based on event listening, and design and implement an XSS vulnerability detection system named XSSD, which can parse dynamic web pages. By driving a headless browser, it can render web pages, simulate user interaction, and detect potential injection points. This makes up for the shortcomings of traditional crawlers in dealing with the dynamic content of web pages. XSSD can also detect hidden injection points and verify XSS vulnerabilities based on event listening. In addition, it can bypass the browser's defense measures by submitting requests directly, which improves the success rate of the simulated attacks. XSSD is also user-friendly: users can customize their detection tasks, and by configuring authorization information, it can crawl web applications that require user permissions. We test XSSD on a cyberwar range and compare it with other XSS detection tools. Experimental results show that XSSD can effectively handle dynamic web pages and asynchronous requests, and can effectively detect reflected and stored XSS vulnerabilities. Compared with other similar detection tools, the false alarm rate and missing alarm rate are significantly reduced, and the accuracy rate is significantly improved.
Keywords/Search Tags: Cross-site Scripting Attack, Penetration Test, Event Handling, Vulnerability Detection