A XSS Vulnerability Detection Approach Based On Simulating Browser Behavior

Posted on: 2017-12-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
GTID: 2348330503492924
Subject: Computer science and technology

Abstract/Summary:
With the growing popularity of web applications and HTML5 in recent years, web security issues have become increasingly prominent. In the top 10 most critical web application security risks that OWASP published in 2013, the XSS (cross-site scripting) vulnerability ranked third, which means it has become one of the common security risks that all web applications need to work together to deal with. At present, research on automatic XSS vulnerability scanners is insufficient. The traditional method based on a static crawler has low coverage of injection points, and it struggles with the variety of ways in which injection points are generated in complex web pages. For example, some injection points are generated by user operations, such as clicking a button that causes the browser to parse JavaScript or load Ajax content; other injection points are not in form elements, so the scanner needs to analyze the structure of the web page to find them. Moreover, the traditional XSS detection process cannot analyze the response of the target site dynamically, and therefore cannot identify XSS vulnerabilities accurately.

In view of the above problems, this paper carries out a thorough study of the main procedures of automatic XSS vulnerability detection: crawling pages, extracting injection points, detecting XSS vulnerabilities and analyzing results. The main research contents are as follows:

(1) Design and implement a method that extracts injection points automatically. This method solves the problem that the traditional static crawler has low coverage of injection points. It is built on a web page crawler framework based on a headless browser that contains the browser kernel, so it can simulate the browser's behavior, interpreting JavaScript and loading Ajax content in order to obtain hidden injection points. It can also analyze the DOM of the web page to get the unformatted injection points. By analyzing the possible characteristics of injection points and interaction points, the dynamic crawler module of this system can obtain a large number of the unformatted injection points that result from the increasing diversity of web pages, including ones that are not in a form and are not submitted in the traditional way, but through JavaScript.

(2) Propose an efficient method to detect XSS vulnerabilities by submitting the attack vector to the server, and design and implement a detection module that can identify XSS vulnerabilities dynamically. After submitting the attack vector, this module can determine whether the response page shows abnormal browser behavior. It also works with the help of a third-party server: the module submits attack vectors that contain a request to the third-party server, and the system then automatically analyzes the status of the third-party server, judges whether the response page has executed the request, and identifies the XSS vulnerability. In addition, the system is coded entirely in Python, which makes it easy to maintain and redevelop, so it has very important application value for XSS vulnerability detection and research.

(3) Design and implement a user-friendly interactive interface. The user interface of the system is based on the PyQt library, which makes the module cross-platform and displays a unified user interface on various operating systems. The interface can report results in a rich format while the system is crawling pages or detecting injection points. In addition, this module supports user-defined attack vectors. Moreover, this module lets the user log in to the target page and saves the logged-in state while the system is running, which means the system can crawl the correct content with the correct cookie.
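The DOM analysis described in item (1), as an added example that is not code from the thesis: it walks a page's markup and lists candidate injection points, separating fields inside a form from fields outside any form, URL parameters, and elements with inline event handlers. The sample HTML, the category names and the class and function names are constructed for illustration, and the input is a static string where the thesis's crawler would supply the DOM rendered by its headless browser.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample page (not taken from the thesis).
SAMPLE_HTML = """
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="submit" value="Go">
</form>
<input type="text" id="comment">
<button onclick="postComment()">Send</button>
<textarea name="bio"></textarea>
<a href="/profile?user=42&amp;page=2">Profile</a>
"""

FIELD_TAGS = {"input", "textarea", "select"}
NON_TEXT_INPUTS = {"submit", "button", "reset", "image"}
EVENT_ATTRS = {"onclick", "onchange", "onsubmit", "onmouseover"}

class InjectionPointFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_depth = 0
        self.points = []  # (kind, identifier) pairs, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_depth += 1
        elif tag in FIELD_TAGS:
            if (a.get("type") or "text").lower() not in NON_TEXT_INPUTS:
                # A field outside any <form> is missed by form-only crawlers.
                kind = "form_field" if self.form_depth else "orphan_field"
                self.points.append((kind, a.get("name") or a.get("id") or "?"))
        elif tag == "a" and a.get("href"):
            for key, _ in parse_qsl(urlsplit(a["href"]).query):
                self.points.append(("url_param", key))
        # Inline handlers mark interaction points a dynamic crawler must trigger.
        for event in sorted(EVENT_ATTRS & a.keys()):
            self.points.append(("interaction", f"{tag}.{event}"))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1

def find_injection_points(html):
    finder = InjectionPointFinder()
    finder.feed(html)
    return finder.points
```

On the sample page only one of the six candidates is an ordinary form field, which is the coverage gap item (1) attributes to form-based static crawling.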
Keywords/Search Tags: XSS vulnerability, Crawler, Headless browser, Black-box test