An Improved XSS Vulnerability Detection Method Based on Attack Vector


2018 International Conference on Modeling, Simulation and Analysis (ICMSA 2018) ISBN: 978-1-60595-544-5

Jia-dong LIU* and Yu-yi OU

Faculty of Computer, Guangdong University of Technology, Guangzhou, 510006 China
*Corresponding author

Keywords: XSS Vulnerability, Web Crawler, Attack Vector, Vector Variation, Vulnerability Detection.

Abstract. The XSS vulnerability is one of the more damaging vulnerabilities of web applications: it can be used to steal user accounts and to mount Trojan-horse attacks. Traditional XSS vulnerability detection tools are easily intercepted by web filters, so there is a large gap between the vulnerabilities they report for a web application and the actual situation. To solve this problem, this paper analyzes the filtering rules of web system filters and security software and proposes an improved method for the dynamic detection of XSS vulnerabilities based on attack vectors. The method bypasses the web system's filters and security software by mutating and obfuscating the attack vectors. The experimental results show that the proposed method improves detection efficiency, saves time and raises the vulnerability detection accuracy rate.

Introduction

Web technology is one of the most commonly used technologies on the Internet at present. It is a generic term for clients submitting requests to a server and receiving the corresponding resource pages. Web-based applications are platform-independent, which has made them one of the mainstream kinds of application, and their development has also contributed to the spread of the Internet. However, with the development of the Internet and web technologies, all kinds of security problems and vulnerabilities in web systems have gradually been exposed. According to Symantec's 2017 "Symantec Internet Security Threat Report" [1], although the number of cyber-attacks targeting websites dropped by 32% year on year, attacks on web systems are still a major issue. According to OWASP [2] statistics, SQL injection and cross-site scripting vulnerabilities have occupied the first and third places among vulnerabilities for years. Through these security issues, attackers can launch attacks based on requested URL links, request data, query strings, forms, cookies, and more. As a result, web systems suffer malicious attacks such as Trojan implanting on websites, identity theft, phishing and XSS worms, which bring huge economic losses to companies and users; in some extreme cases they even bring losses to social organizations. These security problems in web systems have seriously affected the normal development of companies and the normal life of the people.


XSS Vulnerability Characteristics and Detection Method Analysis

Analysis of Characteristics on XSS Vulnerability

There are three basic types of XSS vulnerability: reflected/non-persistent XSS, stored/persistent XSS, and Document Object Model based XSS (DOM-based XSS) [3]. Reflected/non-persistent XSS results from a page rendered from a server error message, that is, the injected code is "reflected" into the results page. The biggest difference between reflected XSS and stored XSS is that in stored XSS the payload is permanently stored in the database of the attacked server, and every client that accesses the stored payload executes it, so the customers are attacked by XSS [4]. DOM-based XSS is actually a special type of reflected XSS: a vulnerability based on the DOM (Document Object Model), in which the document object is modified by JavaScript to achieve the purpose of the attack [5].

For the above vulnerabilities, the mainstream method is automated access through a web crawler. An efficient crawler algorithm can quickly find the data input points, build attack data according to the type of each input point, issue GET/POST requests to the web system to inject it, and analyze the web system's response. If the response page contains the expected attack behaviour corresponding to the attack vector, it can be concluded that the web system has an XSS vulnerability. During the attack vector injection period, we must at the same time pay attention to evading the legitimate web filters in the program.

XSS Vulnerability Detection Method

In the era of rapid development of the Internet, web system security is increasingly valued by all parties, and more and more academic researchers are studying this field. Li Jie et al. [6] proposed an XSS vulnerability detection algorithm based on dynamic taint analysis; Liu Yi and Hong Junbin [7] proposed a dynamic detection method for XSS vulnerabilities based on a web crawler and page code behaviour, which analyzes XSS vulnerabilities under AJAX technology; Du Lei et al. [8] proposed a vulnerability detection technique based on a rule base and a web crawler. That method combines an attack rule base with a crawler to provide a large number of attack rules, which can comprehensively analyze the various XSS vulnerabilities contained in a web system. However, it has the shortcomings that its attack rules are easily circumvented by web system filters and security software, and that its efficiency and precision are low. In this paper, through an in-depth study of XSS vulnerabilities, we propose an improved attack-vector-based vulnerability detection method that mutates and obfuscates the attack vectors.

The Improved XSS Vulnerability Detection Method Proposed in This Paper

WEB Crawler Module Design

A web crawler is a program that automatically accesses the network and crawls resources; in vulnerability detection it serves as the resource crawling and attacking module. The crawler uses a breadth-first crawling strategy [9], which improves parallel processing ability and the crawl rate, thereby enhancing the efficiency of the system. The crawler crawls the web system with multiple threads. Given an initial URL, the web downloader issues a GET request to the target server to download the page source code [10]. Because many websites have anti-crawling strategies, the crawler module needs to simulate browser access to bypass the web application's anti-crawling system and obtain the web resources. To simulate browser access, a typical request builds the packet header and adds to the request message header:


This paper uses a hash table strategy to remove duplicate URLs in the web system. Figure 1 shows the crawler system's operation flow.

Figure 1. Crawler system operation flow chart. (Flow: crawler initialization → Init-URL → HTTP request → get the page source from the WEB system → URL resolution: extract the URLs → remove duplicate URLs → push to the URL queue; if the queue is empty, END, otherwise take the next URL and repeat.)

Attack Module Design

Attack Vector Injection Process: Attack Vector Injection with Malicious Code.

Step 1: Take the saved link URLs from the crawler system queue one by one, request each of them, and analyze the page code;

Step 2: Extract the form elements in the page;

Step 3: Build an index value from the extracted form attributes (get/post), the code structure and the structure of the input area;

Step 4: Use the index value to look up the associated custom attack code in the attack vector library and splice it into an attack vector;

Step 5: Mutate, obfuscate or escape the attack vectors;
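As an added example (not the authors' tool), here is a Python sketch of the crawler module and of Steps 1 to 3 above: a breadth-first crawl with a hash-set duplicate filter, URL resolution, and extraction of each form's method, action and input names. The SITE dictionary is a constructed stand-in for the web system so that it runs offline; LinkFormParser and crawl are assumed names.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed offline stand-in for the target "web system": URL -> page source.
SITE = {
    "http://site.test/": '<a href="/search">search</a><a href="/about#top">about</a>'
                         '<form action="/search" method="get"><input name="q"></form>',
    "http://site.test/search": '<a href="/">home</a><a href="/search?x=1#r">again</a>'
                               '<form method="POST" action="/comment"><input name="name">'
                               '<textarea name="body"></textarea></form>',
    "http://site.test/about": '<a href="/">home</a>',
}

class LinkFormParser(HTMLParser):
    """Extract hrefs (URL resolution) and form elements (Step 2) from one page."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.forms, self._form = base, [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            # Resolve relative links and drop fragments so "/about#top" == "/about".
            self.links.append(urldefrag(urljoin(self.base, a["href"]))[0])
        elif tag == "form":
            self._form = {"method": a.get("method", "get").lower(),
                          "action": urljoin(self.base, a.get("action", "")), "inputs": []}
        elif tag in ("input", "textarea") and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(start, fetch=SITE.get):
    """Breadth-first crawl; 'seen' is the hash-table duplicate filter of Figure 1."""
    queue, seen, forms = deque([start]), {start}, []
    while queue:
        url = queue.popleft()
        page = fetch(url)
        if page is None:            # unreachable or non-HTML resource: skip it
            continue
        parser = LinkFormParser(url)
        parser.feed(page)
        forms.extend((url, f) for f in parser.forms)   # (page URL, form descriptor)
        for link in parser.links:
            if link not in seen:    # duplicate URLs are dropped here
                seen.add(link)
                queue.append(link)
    return sorted(seen), forms
```

Each (URL, form) pair returned by crawl is what Step 3 would turn into an index value for the attack vector library.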


Figure 2. Attack Vector Injection Flow Chart. (Flow: the crawler module supplies the page code → extract the form elements → calculate the form's hash value → match an attack vector in the attack vector database by hash value; if one exists, extract the attack vectors, otherwise assign default values → data request to the web system; if the data evades the filter successfully, add the vulnerability information to the database and finish, otherwise mutate the attack vectors and issue the data request again.)


Compiling and Obfuscating Attack Vectors.

Table 1. Attack Vector Obfuscation and Variation.

Variation type   Description
T1               HTML special character escape
T2               Base64 encoding of the ASCII-encoded characters
T3               ASCII characters encoded as octal/decimal/hexadecimal character references
T4               Insert a comment or a case conversion into sensitive characters
T5               JavaScript-encoded characters
T6               Mixed use of the above types

Taking the attack vector <script>alert('xss')</script> as an example, applying the variation types of Table 1 to compile the example vector gives Table 2.

Table 2. Compiled attack vector.

Variation type   Attack vector example
T1               &lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;
T2               PHNjcmlwdD5hbGVydCgieHNzIik8L3NjcmlwdD4=
T3               &#x3C; &#x73; &#x63; &#x72; &#x69; &#x70; &#x74; &#x3E; &#x61; &#x6C; &#x65; &#x72; &#x74; &#x28; &#x27; &#x78; &#x73; &#x73; &#x27; &#x29; &#x3C; &#x2F; &#x73; &#x63; &#x72; &#x69; &#x70; &#x74; &#x3E;
T4               <sCriPt>alert('xss')</ScrIpT>

Vulnerability Detection and Determination.


Pseudocode:

    for url in URLQueue:                          (retrieve each request URL from the storage queue)
        response = BrowerRequests.get(url)        (get the URL's page code)
        form = BrowerControl.getForm()            (get the form element)
        params = BuildParams()                    (build the corresponding form attack parameters)
        response = BrowerRequests.get/post(url, params)
        hasXSS = CheckXSS(response)               (Boolean: does the response show the expected behaviour?)
        if hasXSS:
            ChangeFlag()
            WriteToDatabase(url)
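As an added example (not the authors' XSS Scanner), the following Python reproduces the T1 to T4 transformations of Table 1 on the Table 2 vector and implements the CheckXSS determination step of the pseudocode: a reflection counts as a vulnerability only when it comes back in a form the browser would execute, not as escaped text. The alternating-case pattern used for T4 and the three sample response pages are constructed assumptions; note that the page's T2 value encodes the vector with double quotes.

```python
import base64
import html
import re

# Base attack vector from Table 2 of the paper; the alert marker is what CheckXSS looks for.
BASE_VECTOR = "<script>alert('xss')</script>"

def t1_html_escape(v):
    """T1: HTML special-character escape (html.escape writes ' as &#x27;, as in Table 2)."""
    return html.escape(v, quote=True)

def t2_base64(v):
    """T2: Base64 of the ASCII-encoded characters."""
    return base64.b64encode(v.encode("ascii")).decode("ascii")

def t3_hex_entities(v):
    """T3: every character as a hexadecimal numeric character reference."""
    return "".join("&#x%X;" % ord(c) for c in v)

def t4_case_mix(v):
    """T4: case conversion inside the tag name (alternating case, an assumed pattern)."""
    mix = lambda m: "".join(c.upper() if i % 2 else c for i, c in enumerate(m.group(0)))
    return re.sub(r"script", mix, v)

def variants(v=BASE_VECTOR):
    """Table 2 reproduced for an arbitrary vector (T5/T6 are not shown on the page)."""
    return {"T1": t1_html_escape(v), "T2": t2_base64(v),
            "T3": t3_hex_entities(v), "T4": t4_case_mix(v)}

# Determination step (CheckXSS in the pseudocode): the page counts as vulnerable only if
# the vector comes back as a live <script> tag in any letter case, with JavaScript block
# comments ignored; entity-escaped text (T1/T3 left untouched by the server) does not.
EXEC_PATTERN = re.compile(
    r"<\s*script\b[^>]*>\s*alert\(\s*['\"]xss['\"]\s*\)\s*;?\s*<\s*/\s*script\s*>", re.I)

def check_xss(response_page):
    cleaned = re.sub(r"/\*.*?\*/", "", response_page, flags=re.S)
    return EXEC_PATTERN.search(cleaned) is not None

# Constructed sample responses: one where the filter escaped the input, one where it was
# reflected with only its letter case changed (T4), one with a comment inserted (T4).
FILTERED_PAGE = "<p>You searched for: &lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;</p>"
REFLECTED_PAGE = "<p>You searched for: <sCriPt>alert('xss')</ScrIpT></p>"
COMMENTED_PAGE = "<p><script>/*x*/alert(\"xss\")</script></p>"
```

Calling variants() reproduces the T1 to T4 rows of Table 2, and check_xss returns True only for REFLECTED_PAGE and COMMENTED_PAGE, so a filter that merely entity-escapes the input is correctly reported as not vulnerable.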

Experimental Results and Analysis

To verify the feasibility and effectiveness of the improved attack-vector-based XSS vulnerability detection method proposed in this paper, the XSS Scanner tool was implemented in Python 2.7 with JetBrains PyCharm, following the method proposed in this paper. A mainstream IBM-PC compatible machine was used as the hardware and a MySQL database was used, and the vulnerability detection accuracy of the XSS Scanner tool was tested against live websites.


This paper compares XSS Scanner with the X5S and AWVS (Acunetix Web Vulnerability Scanner) tools on two selected sites: the official website of a university and a city BBS forum. The three tools each scanned the two websites for XSS vulnerabilities, and the final results were compared. Table 3 shows the comparison of the tools' search results.

Table 3. Comparison of tool search results.

Website                    Tool         XSS number   Time-consuming (unit: s)
A school official website  X5S          9            177
                           AWVS         12           223
                           XSS Scanner  13           191
A city BBS forum           X5S          7            305
                           AWVS         4            261
                           XSS Scanner  12           279

The experimental results show that this method can effectively detect XSS vulnerabilities in web applications. Compared with static analysis methods, this paper crawls the web pages with a web crawler, analyzes the web application, finds the injection points and tracks the response page of each "attack vector"; it does not need the web system's source code and has wide applicability. At the same time, on web systems protected by SafeDog and other security software, it can also detect vulnerabilities hidden behind the security software, with a high accuracy rate. The testing is an automatic process that does not require many user settings, so the user experience is better.

Conclusion


detection of web system vulnerabilities. By testing web applications on the Internet and cross-checking with well-known XSS vulnerability detection software, the feasibility and efficiency of the detection system designed in this paper are verified. This paper still has some problems, such as incompatibility with HTML5 pages and systems. In further work we will study the above problems in order to improve the detection system.

Acknowledgement

This work is supported by the science and technology project of Guangdong Province (No. 2014b090901053, 2015B010128014, 2015B090906015, 2015B090906016, 016B010107002) and the project of Guangzhou Science and Technology (No.201604016003).

References

[1] Symantec Corporation. Symantec Internet Security Threat Report, Volume 22, 2017.

[2] OWASP. Cross site scripting prevention cheat sheet [EB/OL]. (2017-12-26). https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

[3] Sun W, Zhang K, Xue L, et al. A Review on Cross-Site Scripting[J]. Journal of Information Security Research, 2016.

[4] Shar L K, Tan H B K. Auditing the XSS defense features implemented in web application programs[J]. IET Software, 2012, 6(4):377-390.

[5] Pan G B. Finding XSS Vulnerabilities Based on Static Analysis and Dynamic Testing[J]. Computer Science, 2012.

[6] Li Jie, Yu Yan, WU Jiashun. Vulnerability detection algorithm of DOM XSS based on dynamic taint analysis[J]. Journal of Computer Applications, 2016, 3605:1246-1249+1278.

[7] Liu Y, Hong J, Computer F O. A dynamic detection method based on Web crawler and page code behavior for XSS vulnerability[J]. Telecommunications Science, 2016.

[8] Lei Du, Yang X, Center I S. Research and Implementation of Web Vulnerability Detection Technology Based on Rule Base and Web Crawler[J]. Netinfo Security, 2014.

[9] Juan Yu, Liu Q. Survey on topic-focused crawlers[J]. Computer Engineering & Science, 2015.

[10] Zhou D M. Survey of High-performance Web Crawler[J]. Computer Science, 2009.
