XSS Vulnerability Detection Based On Stain Analysis And Fuzzy Testing

With the rapid development of web2.0 technology and the popularity of the Internet,the security vulnerabilities of web applications have become more and more concerned.Cross-site scripting vulnerability is a research hotspot in recent years.The traditional XSS vulnerability detection method is mainly based on a single stain analysis or genetic algorithm detection technology,which is easy to cause user data leakage and low detection efficiency.Therefore,this thesis bases on the research status and characteristics of reflective XSS vulnerability,putting aside a single research technique.this thesis combines the existing theories and methods to improve the XSS vulnerability detection technology,and uses the combination of stain analysis and fuzzy testing technology to detect the detection of reflective XSS vulnerability.The main contents of this thesis are as follows:(1)Perform static method analysis on the data source and propagation path of the stain,specifically the static code audit analysis of the source code of the webpage,so that the area of the contaminated data source is further narrowed,making the analysis process of pollution transmission more efficient.(2)The vulnerability detection process for stain analysis is based on three aspects: firstly,the pollution data source is marked,then the pollution data is transmitted.finally,the pollution data is cleaned.(3)Using web crawler technology to analyze the target site and iterately crawling of web links until all links in the pages are successfully crawled,so that obtaining possible vulnerability injection points.In order to verify whether the webpage has filter interception,WAF detection is performed to check whether there is a defense-proof device.(4)Based on the WAF test results,the fuzzy testing technology is used to generate the test cases for vulnerability detection,and the test cases are modified by the 'variation' method.The new test samples are derived and the fuzzy data is viewed.At the same time,check whether the fuzzy data is valid,and test the actual detection effect of the sample.After the test samples are iterated several times,the detection efficiency of the fuzzy testing will be improved.Through the above methods and theoretical knowledge,this thesis breaks through the limitations of the traditional reflective XSS vulnerability detection method.Automated vulnerability detection bases on fuzzy test technology while narrowing the scope of vulnerability detection.The experimental results show that this method improves the level of vulnerability detection and the detection efficiency,it has high feasibility.