
Research On Cross-Site Scripting Vulnerability Fuzzy Detection And Results Analysis

Posted on: 2022-09-06 | Degree: Master | Type: Thesis
Country: China | Candidate: Y P Jiang | Full Text: PDF
GTID: 2518306764496094 | Subject: Automation Technology
Abstract/Summary:
Cross-site scripting (XSS) has long been a widespread threat to web applications. It has been ranked high in the annual web security reports of the Open Web Application Security Project (OWASP) and Acunetix for many years. There are many methods for detecting XSS attacks; however, as web technologies evolve, XSS vulnerability detection systems are no longer effective. It is important that XSS vulnerability detection changes with the environment and technology. In this dissertation, various XSS vulnerability detection techniques are compared, and their principles, advantages and challenges are analyzed. The contributions are as follows:

(1) An XSS vulnerability detection system is proposed that addresses the problem of process limitations in automated detection. The simulation of submission requests is also improved so that the XSS vulnerability detection system can cover more categories of XSS attack. In addition, to cope with grey-box testing scenarios, the system provides a series of interfaces that let security personnel make use of external information, thereby enhancing the usability of the system. With these improvements, the XSS vulnerability detection system for fuzzy testing can be made highly usable and scalable.

(2) A method of storing XSS attack records is proposed so that XSS attack records can be reused. Dynamic coding is used to pre-process the malicious script information. A cloud server is used to integrate the multi-source information and build a multi-dimensional, highly available XSS attack information database for subsequent research.

(3) A method for evaluating attack vectors is proposed to reject outdated and inefficient attack vectors. The method estimates the attack strength of attack vectors with similar characteristics based on the historical performance of the attack vectors. The influence of time and sample size on the reliability of the score is considered. The final assessment score is adjusted by calculating the relevant weights. The method is used to filter the attack vectors used for fuzzy detection, rate the attack vectors, improve the efficiency of automated vulnerability detection and increase the ability to select attack vectors with higher availability in the current network environment.

The method provided in this dissertation can effectively reuse the available processes in an outdated fuzzy testing system, reuse the less exploited XSS attack records and ensure that the detection system is able to obtain information and adjust to the network environment.
Keywords/Search Tags:cross-site scripting attack, vulnerability detection, reusability, fuzzy testing