Research And Implementation Of Grey Box XSS Vulnerability Detection Model Based On Crawler And Fuzzing

With the advent of Web2.0 era,Web application is more and more popular and greatly convenient for people’s lives,but the Web security problem is increasingly serious.One of the most dangerous types of Web security problems today is XSS attacks,which are aimed at obtaining user information and do a wide range of harm.The most fundamental and critical means to defense against XSS attacks is to detect and promptly fix XSS vulnerabilities in applications by developers.However,there is not yet specific XSS vulnerability detection method for developers.Based on the application scene for serving developers,a dedicated XSS vulnerability detection model is proposed in this thesis,which has certain practical significance for helping developers detect XSS vulnerabilities in web applications developed by themselves.Firstly,the current research status of XSS vulnerability detection is studied.The design ideas and advantages and disadvantages of existing white box detection methods and black box detection methods are compared and analyzed.The pure black box detection or white box detection in application scenarios for developers is discussed.Due to the incompatibility of detection,a gray box detection idea is proposed.Secondly,the objectives and pain points of XSS vulnerability detection were analyzed,and a detailed model design goal was formulated.Based on this goal,a multi-level gray box XSS vulnerability detection model based on Web crawler and Fuzzing is constructed,and the details of each layer of the model is introduced in detail.The design method of the Web crawler and the generation rules of the attack vector library as well as the classification and detection methods of vulnerabilities are mainly explained.Thirdly,combined with the hierarchical structure and design principles of the model framework,the key problems to be solved when implementing each layer of the model are analyzed,and the methods and key technologies used to solve the problems are given.It focuses on the method of processing source code and generating attack vectors based on ASP.NET framework and the method of extracting detection points and vulnerability detection based on Scrapy framework.Finally,the XSS vulnerability detection system is implemented according to the model,and a set of comparative test experiments are designed.The system and the commonly used detection tools are used to detect XSS vulnerabilities in the same Web application.The results of the two tests are counted,the detection efficiency and accuracy of the system are analyzed,and the effectiveness of the model is verified.