With the rapid development of Internet technology, Web applications have become richer in recent years, and applications such as online shopping and social networking are widely used in daily life. At the same time, Web security problems keep appearing: more and more attacks target Web sites, and Web application security vulnerabilities have drawn growing attention. Cross-site scripting (XSS) is one of the most common injection vulnerabilities, and its harmfulness and speed of propagation are increasingly serious. Existing XSS detection work targets the server side, the client side, or both, and the detection techniques are mainly static vulnerability detection, dynamic vulnerability detection, or a combination of the dynamic and static methods. This paper proposes an improved method based on penetration testing to raise the efficiency of automatic XSS vulnerability detection. The completed work is as follows:

(1) By studying existing cross-site scripting attacks and the structure of their attack vectors, a strategy is proposed for automatically generating attack test scripts for penetration testing based on an HMM (hidden Markov model); a machine learning algorithm is then used to optimize and classify the attack vectors. In addition, the attack vectors are classified according to the output position, in the page, of the submitted data.

(2) A method for improving the efficiency of penetration testing is proposed. To reduce the load on the server, probe requests are used to cut the number of requests and responses exchanged between server and client during testing. Probe requests locate the DOM path of each output point and determine the output point's category, so the matching attack vector database can be chosen directly in the subsequent vulnerability detection, avoiding unnecessary test requests.

(3) When extracting vulnerability injection points, a method for removing duplicate injection points is proposed. A Bloom filter is used to discard injection points that have already been seen, so that the same injection point is not tested repeatedly across different pages, which would lower detection efficiency. In addition, when analyzing the vulnerability detection results, XPath location is used to make the analysis of the results more efficient.

(4) A prototype XSS vulnerability detection system is designed and implemented based on the methods above, and the performance of the related methods is evaluated on it. The experimental results show that the proposed method can effectively improve the efficiency of XSS vulnerability detection.
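The probe-request step in (2), as an added illustration that is not the paper's code: a benign marker is submitted in the parameter under test, and the response is parsed to record the DOM path and output context (text, attribute, script or comment) of every reflection, which is the information the method uses to choose the matching attack vector class. The marker value, the path format and the context labels are assumptions of this example.

```python
from html.parser import HTMLParser

PROBE = "zq8prb7k"  # constructed benign marker (no HTML metacharacters) sent in the parameter under test
# Void elements never get an end tag, so they must not stay on the path stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}

class ProbeLocator(HTMLParser):
    def __init__(self, probe):
        super().__init__()
        self.probe = probe
        self.stack = []  # currently open elements, i.e. the DOM path
        self.hits = []   # (dom_path, output_context) for each reflection

    def _record(self, context):
        self.hits.append(("/" + "/".join(self.stack), context))

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
        for name, value in attrs:
            if value and self.probe in value:  # attribute context
                self._record("attribute:" + name)
        if tag in VOID:
            self.stack.pop()

    def handle_endtag(self, tag):
        if tag in self.stack:  # tolerate unclosed children
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):  # also receives <script> bodies (CDATA)
        if self.probe in data:
            self._record("script" if self.stack[-1:] == ["script"] else "text")

    def handle_comment(self, data):
        if self.probe in data:
            self._record("comment")

def locate_output_points(html, probe=PROBE):
    """Return [(dom_path, context), ...] for every reflection of the probe."""
    parser = ProbeLocator(probe)
    parser.feed(html)
    parser.close()
    return parser.hits

SAMPLE_RESPONSE = (  # constructed response to a request that carried PROBE
    '<html><body><form><input type="text" name="q" value="zq8prb7k">'
    "<div id='r'>Results for zq8prb7k</div></form>"
    "<script>var q = 'zq8prb7k';</script><!-- debug: zq8prb7k --></body></html>"
)
```

Each hit's context is what decides which vector database applies; a parameter with no hit at all needs no further requests, which is where the saving in request volume comes from.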