Technology Research On Stored XSS Vulnerability Detection Based On Fuzzing

Posted on: 2019-12-09
Degree: Master
Type: Thesis
Country: China
Candidate: Q Feng
Full Text: PDF
GTID: 2428330569996089
Subject: Software engineering

Abstract/Summary:
With the rapid development of Internet technology, Web applications are becoming more and more popular. Web applications bring convenience to users, but they also carry a variety of security risks that pose potential threats to users' personal information and property. XSS (Cross-Site Scripting) is a security vulnerability that often appears in Web applications; it can lead to data theft, session hijacking, phishing, and web page Trojan attacks against Web applications. To ensure the security of Web applications, it is very important to detect vulnerabilities before a Web application goes online. As a vulnerability mining technology, fuzzing is widely used in the testing of Web applications: it constantly sends anomalous data to the target program and monitors the program for anomalies in order to discover vulnerabilities in it. However, most fuzzing techniques follow the process "getting input vectors - generating test cases - running the fuzz test - monitoring abnormalities". This leads to problems such as low test case coverage, which causes false negatives, and vulnerability responses that cannot be validated, which causes false positives.

Because low test case coverage leads to a high false negative rate, this paper presents an optimization algorithm based on a genetic algorithm to generate XSS attack samples, and uses the generated samples as fuzzing test cases to improve test case coverage and thus reduce the false negative rate. This paper studies in depth the basic principles, defensive strategies and mutation rules of XSS. By classifying and analyzing a large number of XSS attack test cases, it presents an XSS vulnerability feature model and an XSS attack feature model, and defines the XSS defensive rate and the XSS defensive bypass rate. The genetic algorithm encoding is designed on the basis of the XSS attack feature model; the basic genetic algorithm is improved, and a repair operation is added. The modified genetic algorithm is used to optimize the XSS attack samples so as to improve the quality of test cases and reduce the false negative rate.

Because vulnerability responses cannot be verified effectively, which leads to a high false positive rate, this paper uses HttpClient and a web crawler to monitor vulnerability responses in real time. When simulating an attack on an injection point, the web crawler is used to analyze the response and determine whether an XSS attack vector triggers the attack in the response page, so that injection points, attack vectors and attack pages can be located accurately and the false positive rate reduced. Combining the two, this paper designs a stored XSS vulnerability detection and analysis method based on fuzzing. The method is divided into four parts: the web crawler crawling injection points, the genetic algorithm generating test cases, simulated attacks, and vulnerability analysis. The experimental results show that the vulnerability mining algorithm and method designed in this paper are feasible; detection is fast and the false negative rate is low in the detection of stored XSS vulnerabilities.
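The vulnerability-analysis stage described above, sketched as an added example (not code from the thesis, which uses HttpClient and a crawler): each injection point receives an inert marker element carrying a unique token, and crawled pages are parsed to see whether the token returns as live markup or only as encoded text. The `xssprobe` element name, tokens, URLs and page bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed probe format: <xssprobe id="TOKEN"></xssprobe>, an inert custom element.
PROBE_TEXT = re.compile(r'xssprobe id="([0-9a-f]+)"')

class ProbeFinder(HTMLParser):
    """Separates probes parsed as real elements from probes shown as plain text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.live = set()    # came back as an element: markup was stored unescaped
        self.inert = set()   # came back as text only: output encoding neutralised it

    def handle_starttag(self, tag, attrs):
        token = dict(attrs).get("id")
        if tag == "xssprobe" and token:
            self.live.add(token)

    def handle_data(self, data):
        # Character references are already decoded here, so an encoded probe
        # shows up as literal text rather than as a start tag.
        self.inert.update(PROBE_TEXT.findall(data))

def verify(probes, pages):
    """probes: token -> injection point; pages: URL -> crawled HTML.
    Returns (injection point, page URL, status) for every probe seen again."""
    findings = []
    for url, body in pages.items():
        finder = ProbeFinder()
        finder.feed(body)
        finder.close()
        for token in sorted(finder.live | finder.inert):
            if token in probes:
                status = "unescaped" if token in finder.live else "encoded"
                findings.append((probes[token], url, status))
    return findings

# Constructed sample data: two submitted probes and three crawled pages.
PROBES = {"a1f3": "POST /comment field=body", "b2e4": "POST /profile field=nickname"}
PAGES = {
    "/post/1": '<html><body><div><xssprobe id="a1f3"></xssprobe></div></body></html>',
    "/user/7": "<html><body><h1>&lt;xssprobe id=&quot;b2e4&quot;&gt;"
               "&lt;/xssprobe&gt;</h1></body></html>",
    "/about": "<html><body><p>No user content here.</p></body></html>",
}

if __name__ == "__main__":
    for finding in verify(PROBES, PAGES):
        print(finding)
```

Only `unescaped` results count as findings; an `encoded` result shows the value was stored but neutralised on output, which is the case that produces false positives when a scanner merely searches the response for the submitted string.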
Keywords/Search Tags: Fuzzing, Vulnerability detection, Stored XSS, Genetic algorithm