more quickly.

The main contributions of this paper are as follows.

• We convert each payload into a collection of words based on the defined rules and calculate the distance between two payloads.
• We find that in XSS testing, the distribution of effective payloads is uneven. Based on this observation, we develop an XSS testing tool. It collects 6128 payloads and uses a headless browser to detect XSS vulnerability. The tool can discover XSS vulnerability quickly with the ART method.
• We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the ART method. The experimental results indicate that there is a 27.1% improvement over the Fuzzing method.

The rest of this paper is organized as follows. Section II describes our approach. Section III describes the implementation of the testing tool. Section IV evaluates our approach through experiments. Section V introduces related work. Section VI summarizes the paper.

II. APPROACH

Black-box testing is a common way to mitigate the threat of XSS vulnerability in web applications. Fuzzing is a popular and effective black-box testing method to detect such vulnerabilities [6]. A security expert or an attacker often has a prepared collection of attack payloads in hand, and traverses these payloads to find an effective payload, which can successfully inject the web application. These tasks are very simple and easy to automate, but the existing tools are inefficient [7].

To improve the efficiency of testing in this sense, adaptive random testing (ART) [8], [9] has been proposed. Based on the observation that failure-causing inputs tend to be clustered together, ART tries to evenly spread the randomly generated test cases to improve the fault-detection capability [8], [9].

We observe that the distribution of effective payloads in the state space is often uneven and tends to cluster together. So we can try to improve efficiency with the method of adaptive random testing. We found that there usually are some identical keywords in invalid payloads and valid payloads, and some mutation of an invalid payload may result in successful injection. So when a payload cannot be successfully injected, we can select a payload with an appropriate distance from the invalid payload. This is equivalent to making a mutation on the invalid payload. The main problems are the distance measure between the payloads and how to select the next payload. We will explain them separately below.

A. Distance Measure

Distance measure is mainly divided into word tokenizing and distance calculation.

1) Word tokenizing: In order to measure the distance between the payloads more accurately, we need to tokenize the XSS payloads to identify sensitive strings and tags of the HTML or JavaScript language [10]. So we define the rules as follows and use the Natural Language ToolKit [11] for processing the XSS payloads.

• The contents of single and double quotes, such as ‘XSS’
• <> tag, such as ‘<script’
• Parameter name, such as ‘href=’
• Function body, such as ‘alert(’
• Http/https link
• Common words composed of alphanumeric characters, such as ‘javascript’
• Special encoding format, such as ‘\u003c’
• Special keywords, such as ‘\\’

2) Distance calculation: We have defined the rules for XSS payloads and eventually convert each payload into a collection of words. We use the ratio of the keywords shared by the two payloads to measure the similarity between the two payloads, that is, the distance between two payloads. In this section, we use the Jaccard distance [12], [13] to calculate the distance between two payloads. Suppose we are given two payloads $P_i$ and $P_j$, which have word collections $W_i$ and $W_j$. The Jaccard distance measures the similarity between two samples using the proportion of the different elements in the two sets. The formula is:

\[
Distance(P_i, P_j) = Jaccard(W_i, W_j) = \frac{|W_i \cup W_j| - |W_i \cap W_j|}{|W_i \cup W_j|}
\]

B. Payloads selection

The distribution of effective payloads in the state space is often uneven and tends to cluster together. So we propose an XSS payload selection algorithm, XSSART, which can improve efficiency with the method of adaptive random testing. We select a payload randomly as the first test case. When the payload cannot be successfully injected, we increase the priority of the payloads whose distance from this invalid payload is in the interval $[d_l, d_r]$ (the specific values of $d_l$, $d_r$ are determined in the next section). Then the highest priority payload is selected as the next test case. The specific process of XSSART is shown in Algorithm 1.

The input of the algorithm is the payload collection $P_c$ and the appropriate distance interval $[d_l, d_r]$. The output of the algorithm is True or False, indicating whether an XSS vulnerability exists in the system. The Rank value of a payload indicates its selection priority. First, the Rank values of the payloads are all set to 0, and Candidate is set to all the payloads $P_c$ (lines 1, 2 of Algorithm 1). Then a payload $P_{selected}$ is randomly selected from Candidate and $P_{selected}$ is removed from $P_c$ (lines 4, 5 of Algorithm 1). If $P_{selected}$ can be injected successfully, the algorithm returns True (lines 6, 7 of Algorithm 1). If not, the algorithm sets Candidate to ∅ and sets MaxRank to 0 (line 10 of the algorithm). For each payload $P_{tmp}$ in $P_c$, if the distance between $P_{tmp}$ and $P_{selected}$ is within the
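The following Python program is an added example covering both Section II.A (tokenizing and Jaccard distance) and Section II.B (XSSART selection); it is not the paper's tool or its Algorithm 1. The regular expression is this example's approximation of the eight tokenizing rules (the paper uses NLTK), the step in which Candidate is rebuilt from the payloads holding the highest Rank is reconstructed from the prose because Algorithm 1 is truncated on the page, the sample payload corpus and the `demo_oracle` function are constructed stand-ins for the 6128-payload collection and the headless-browser check, and the interval bounds 0.5 and 0.95 are placeholders for the $d_l$, $d_r$ values the paper determines later.

```python
import random
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Approximation of the paper's eight tokenizing rules as one regex; the rule
# order in the alternation is this example's choice, not the paper's.
TOKEN_RE = re.compile(
    r"""
    '[^']*'|"[^"]*"          # contents of single or double quotes, e.g. 'XSS'
    |https?://[^\s'"<>]+     # http/https link
    |\\u[0-9a-fA-F]{4}       # special encoding format, e.g. \u003c
    |</?[A-Za-z][\w-]*       # <> tag, e.g. <script
    |[\w-]+=                 # parameter name, e.g. href=
    |[\w.]+\(                # function body, e.g. alert(
    |[A-Za-z0-9]+            # common alphanumeric word, e.g. javascript
    |\\+                     # special keyword: a run of backslashes, e.g. \\
    """,
    re.VERBOSE,
)


def tokenize(payload: str) -> Set[str]:
    """Convert a payload into its collection (set) of words."""
    return set(TOKEN_RE.findall(payload))


def jaccard_distance(wi: Set[str], wj: Set[str]) -> float:
    """Distance(Pi, Pj) = (|Wi ∪ Wj| - |Wi ∩ Wj|) / |Wi ∪ Wj|; 0.0 for two empty sets."""
    union = wi | wj
    if not union:
        return 0.0
    return (len(union) - len(wi & wj)) / len(union)


def update_ranks(selected: str, remaining: List[str], tokens: Dict[str, Set[str]],
                 rank: Dict[str, int], dl: float, dr: float) -> Tuple[int, List[str]]:
    """After an invalid payload, raise the Rank of every remaining payload whose
    distance from it lies in [dl, dr], then rebuild Candidate from the payloads
    holding the highest Rank (keeping ties). The rebuild step is this example's
    reading of the prose; Algorithm 1 itself is cut off on the page."""
    max_rank = 0            # MaxRank := 0
    candidate: List[str] = []  # Candidate := ∅
    for p in remaining:     # P_tmp over P_c
        if dl <= jaccard_distance(tokens[p], tokens[selected]) <= dr:
            rank[p] += 1
        if rank[p] > max_rank:
            max_rank, candidate = rank[p], [p]
        elif rank[p] == max_rank:
            candidate.append(p)
    return max_rank, candidate


def xssart(payloads: List[str], is_injected: Callable[[str], bool], dl: float, dr: float,
           rng: Optional[random.Random] = None) -> Tuple[bool, List[str]]:
    """XSSART payload selection. Returns (vulnerability found?, payloads tried in order)."""
    rng = rng or random.Random(0)
    tokens = {p: tokenize(p) for p in payloads}
    rank = {p: 0 for p in payloads}     # line 1: Rank := 0 for every payload
    pc = list(payloads)                  # P_c
    candidate = list(pc)                 # line 2: Candidate := P_c
    tried: List[str] = []
    while pc:
        selected = rng.choice(candidate)  # line 4: random pick from Candidate
        pc.remove(selected)               # line 5: remove from P_c
        tried.append(selected)
        if is_injected(selected):         # lines 6, 7: oracle says injected
            return True, tried
        _, candidate = update_ranks(selected, pc, tokens, rank, dl, dr)  # line 10 onwards
    return False, tried


# Constructed sample corpus (not the paper's 6128-payload collection).
SAMPLE_PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    "javascript:alert(1)",
    "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e",
    "plain text",
]


def demo_oracle(payload: str) -> bool:
    """Constructed stand-in for the headless-browser oracle: it pretends the
    target only fails to neutralise payloads that carry an event-handler attribute."""
    return "onerror=" in payload or "onload=" in payload


if __name__ == "__main__":
    found, order = xssart(SAMPLE_PAYLOADS, demo_oracle, 0.5, 0.95, random.Random(1))
    print("vulnerable:", found)
    print("payloads tried:", order)
```

Because the first pick is random, the exact order differs between seeds; what stays fixed is that the run stops at the first payload the oracle accepts, and that with an oracle that never accepts, every payload in $P_c$ is tried exactly once.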