Research And Design Of XSS Vulnerability Detection System Based On Generating Attack Vectors Automatically

With the continuous development of Web technology,Web applications have become indispensable tools in people's daily life,based on which people can chat,shop,transfer,etc.However,Web security issues are becoming increasingly prominent.Among them,XSS(Cross-site scripting)vulnerability has become one of the most common and serious security issue in Web applications.XSS vulnerabilities are widely appeared in various types of Web applications.Attackers can use XSS vulnerabilities to conduct information stealing and session hijacking.Therefore,how to automatically detect XSS vulnerabilities in Web applications is of great significance to protect user privacy data and ensure Web security.This paper chooses the fuzzing test method for vulnerability detection.Compared to white-box testing,fuzzing test does not require obtaining the application's implementation code,and it analyzes the existence of a vulnerability by generating attack vectors and observing the returned response.In order to solve the problem that the existing attack vector libraries are large and untargeted,this paper proposes an optimization scheme for automatic generation of attack vectors.Firstly,propose to construct the basic attack vectors in a modular way,define the basic attack vector syntax with the Backus-Naur form,and generate the basic attack vector library.Subsequently,optimize the generation method of attack vectors from two aspects:the selection of basic attack vectors and the generation of mutation attack vectors:1.Propose to optimize the selection of basic attack vectors from two aspects.On the one hand,sort the basic attack vectors and rank them in ascending order according to the number of sensitive characters and sensitive strings,in order to generate the selection order of the basic attack vectors which is most likely to bypass the server filter.On the other hand,inject the corresponding types of basic attack vectors for different output contexts,and agree the mapping relationship between the two.2.Propose to optimize the generation of mutation attack vectors from two aspects.On the one hand,summarize the existing mutation rules,and correspond the mutation rules to the modules of basic attack vectors to use the corresponding mutation rules for specific modules.On the other hand,propose a method for optimizing the generation of mutation attack vectors based on the website filtering mechanism.This method constructs the mutation attack vector to be used next by analyzing the filtered vector modules in the response content.This paper designs and implements the XSS vulnerability detection system,which uses a web crawler based on headless browser and obtains hidden DOM nodes by trying page triggering.The system is divided into four modules:page crawling and parsing module,output context determining module,attack vectors constructing module and attack result detecting module.The experimental result shows that the XSS vulnerability detection system can effectively detect XSS vulnerabilities in Web applications.The number of injection points was effectively increased by finding hidden nodes,and one vulnerability was discovered in them.The attack vectors generation method proposed in this paper can generate a small number of highly accurate attack vectors.