Study On The Detection Technology Of Cross-Site Scripting Attack Based On Web Client

With the arrival of WEB2.0, more and more interactive features were added into Web applications. In such a context, a large number of cross-site scripting vulnerabilities were excavated by hackers, which was highly evaluated by companies and research institutions.Currently, main excavating methods of cross-site scripting vulnerability is to use automated scanning tools or audit source codes. Automated scanning tools primarily using crawler technology to scan potential application vulnerabilities, they are cannot well detect the storage-type cross-site scripting vulnerabilities that exist in applications, which reduced vulnerability detection rate. The code audit is a manual operations, although the detection rate can be ensured, but vulnerability detection efficiency is very low, and it also requires the testers to have certain operational capacity. Therefore, this paper under the environment of Web client, guided by penetration testing rules, use Burp Suite tool to collect input and output data of the websites, and then analyze these data to determine the possible position of cross-site scripting vulnerability. Then conduct manual test in the position of these sensitive, to make sure whether a Web application exists cross-site scripting vulnerability. In this way, the accuracy of vulnerability can be higher than using automated scanning tools due to the manual testing method. At the same time, the vulnerability detection efficiency is highly improved compared to code audit.In addition, since most of the currently selected test case during the infiltration process was chosen randomly, it mainly rely on personal testing experience, which has a bad influence on testing efficiency. Therefore, this paper analyzed the cause of all three types of cross-site scripting vulnerabilities, starting with the data pollution sources, presented the test case selecting model that based on data pollution sources scenario, combined with Web-based client penetration testing. In such way, not only the test case can be effectively reduced, test inputs missing situation can also be avoid, which improved the accuracy of the test.Finally, by comparing the model system and automated vulnerability scanning tools over the scanning of open source vulnerability site DVWA, and compare the results, the validity of the model system was verified, and it proved to be efficient on improving the success rate of testing vulnerability.