
Design And Implementation Of XSS Vulnerability Fuzz Testing Tool Based On Reinforcement Learning

Posted on: 2024-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: R X Zhang
Full Text: PDF
GTID: 2568306941495804
Subject: Software engineering
Abstract/Summary:
With the vigorous development of Internet technology, Web applications have enabled people to put the Internet's functions to practical use. However, in cyber security, most security threats come from hackers' attacks on Web applications. Web vulnerability detection technology can prevent hackers from invading servers and reduce the risks faced by assets. Cross-Site Scripting (XSS) is a security vulnerability that is cheap to exploit but may allow attackers to obtain very high privileges. Therefore, how to detect XSS vulnerabilities in Web applications effectively and automatically, and how to discover potential security vulnerabilities quickly, comprehensively and deeply, still has very important research value.

This thesis studies and analyzes the characteristics and shortcomings of current Web application vulnerability scanning technology, and proposes an XSS vulnerability fuzz testing technique based on reinforcement learning. First, the method uses static analysis to collect comprehensive entry information for Web applications, helping fuzz testing improve coverage. Second, it uses test case generation based on dividing network requests into functional units, so that the generated fuzz test cases remain highly effective. Finally, it uses XSS payload selection based on a reinforcement learning model and XSS payload deformation based on bypass techniques, so that the attack payload carried by a test case has a higher XSS attack capability and can effectively discover potential XSS vulnerabilities in Web applications.

Based on this research on XSS vulnerability fuzz testing, this thesis designs and implements WebFuzzer, an XSS vulnerability fuzzing tool based on reinforcement learning, explains the design and implementation of each main functional module in detail, and designs experiments to verify the usability and effectiveness of the tool. The main contributions of this thesis are:

1. It proposes a static information collection method for Java Web applications, based on the characteristics of Java Web application entry points. Static scanning and information acquisition are performed on entry points, forms, and links. This lets the fuzz testing tool understand the target Web application in advance and improves the coverage of the test cases.
2. It proposes an XSS vulnerability fuzz test case generation and deformation algorithm based on reinforcement learning, to solve the problem that test cases are too blind and random when fuzz testing is applied to Web vulnerability scanning. The algorithm converts the program information obtained in static analysis into test cases with a network request syntax structure to ensure the validity of the test cases. It then uses the reinforcement learning model to guide the selection of the XSS payload, and finally applies bypass techniques to the generated XSS payload, so that the attack payload of the test case has some ability to penetrate the common defenses in Web applications, which improves the vulnerability mining ability of the fuzz testing tool.
3. It designs and implements WebFuzzer, a fuzz testing tool for XSS vulnerability mining based on reinforcement learning. This thesis constructs the overall architecture of the tool, implements each functional module of the system, and finally verifies the function and performance of WebFuzzer.

Based on the above work and the results of the verification experiments, it is shown that the XSS vulnerability fuzzing method based on reinforcement learning can effectively generate test cases with XSS vulnerability detection capabilities. Compared with other security detection tools, WebFuzzer can effectively and automatically mine XSS vulnerabilities in Web applications in actual scenarios, and the coverage and efficiency of fuzz testing are significantly improved.
Keywords/Search Tags: web security, fuzz testing, vulnerability mining, reinforcement learning, XSS vulnerability detection