
Research On Detection Method Of Stored-XSS Vulnerability In Web Applications

Posted on: 2015-08-16
Degree: Master
Type: Thesis
Country: China
Candidate: W Li
GTID: 2348330485993443
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of Internet technology, web applications are being developed to provide various services that make people's lives more convenient. But attacks aimed at web application security vulnerabilities have become a serious threat to the safety of all kinds of sites. XSS (cross-site scripting) has received widespread attention because it accounts for the largest number of attacks on the Internet. Cross-site scripting is divided into two types: reflected XSS and stored XSS. For reflected XSS, many effective methods and tools have been proposed for detection and defense; however, for stored XSS, which stores the malicious script in the back-end database, these methods have many shortcomings.

In this paper, we introduce the principle of the stored-XSS attack, define the Backus-Naur Form (BNF) grammar of attack vectors, and put forward a dynamic method that detects stored-XSS vulnerabilities automatically. It uses techniques such as automatic generation of initial attack vectors with a BNF generator, mutation of the initial attack vectors, and auxiliary markers. Our method consists of static crawling and dynamic testing. In the static crawling stage, we crawl the web application to find all injection points and the pages that display injected information. In the dynamic testing stage, we use attack vectors to construct malicious data packets for those injection points, and we match the vectors in the displaying pages to judge whether a vulnerability exists. Finally, we carry out detection and evaluation on real web applications; the analysis of the experimental results proves the effectiveness and feasibility of our method.

This method can detect stored XSS effectively and makes up for the disadvantages of other methods. Compared with static analysis methods, it crawls the web application to find injection points and uses "spy" vectors to find the displaying pages, so it does not need the source code and its applicability is much broader. Compared with run-time monitoring methods, our method has the advantages of a fully automatic process, no user intervention, good user experience, no overhead and higher efficiency.
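The matching step of the dynamic testing stage, sketched as an added example that is not code from the thesis: each injection point receives a uniquely marked probe, and every crawled page is then searched for the marker to learn where the stored value is displayed and whether it was encoded. The marker format, function names, endpoints and page bodies are constructed assumptions, and the probe carries only benign HTML metacharacters rather than the BNF-generated vectors the thesis describes.

```python
import html
import re

PROBE_CHARS = "<\"'>"  # benign HTML metacharacters, no script payload


def build_probe(marker):
    """Wrap the metacharacters in a unique marker so the echo can be located."""
    return f"{marker}{PROBE_CHARS}{marker}"


def surviving_chars(marker, body):
    """None if the marker is absent, else the metacharacters echoed unencoded."""
    if marker not in body:
        return None
    m = re.search(re.escape(marker) + "(.*?)" + re.escape(marker), body, re.S)
    echoed = m.group(1) if m else ""  # a lone marker means the probe was cut
    return "".join(c for c in PROBE_CHARS if c in echoed)


def match_pages(probes, pages):
    """Link each injection point to the pages that display its stored probe."""
    findings = []
    for marker, point in probes.items():
        for url, body in pages.items():
            survived = surviving_chars(marker, body)
            if survived is not None:
                findings.append((point, url, survived))
    return findings


# Constructed sample data: marker -> injection point, and crawled page bodies.
PROBES = {
    "mk01a": "POST /guestbook/add [comment]",
    "mk02b": "POST /profile/edit [bio]",
}
PAGES = {
    "/guestbook": f"<ul><li>{build_probe('mk01a')}</li></ul>",  # echoed raw
    "/profile/7": f"<p>{html.escape(build_probe('mk02b'))}</p>",  # encoded
    "/about": "<p>static page</p>",  # no stored input shown
}

if __name__ == "__main__":
    for point, url, survived in match_pages(PROBES, PAGES):
        verdict = f"unencoded {survived!r}: review output encoding" if survived else "encoded"
        print(f"{point} -> {url}: {verdict}")
```

A page that returns any of the metacharacters unencoded is a candidate for manual review of its output encoding; a page that returns only the marker shows where the stored value surfaces without indicating a flaw.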
Keywords/Search Tags:Stored-XSS, Web Application, Dynamic Testing, Attack Vector, Vulnerability Scanning