WAVSEP 7.We chose a course selection system as the Distribution of effective payloads actual website for the test.The site has two different XSS injection points.If exploited by an attacker,it can be Effective detrimental to the teachers and students who use the site.We record these two injection points as School_I and School_2. We tested these sites with the payloads.The results are shown in Table I. We can see that the number of valid payloads is different 02 in different websites.Some are dense (such as WFP_1 and DVWA_R_1)and some are sparse (such as WFP_7 and Average WAVSEP 2).How the effective payloads are distributed on these different sites and how efficient the ART method is will be discussed below. 0.d 02 04 06 0.8 10 TABLE I Fig.2.Distribution of effective payloads. PAYLOADS INJECTION RESULTS B.XSSART Vs Fuzzing Site Total Payloads Valid Payloads Ratio School_I 6128 0.096 From the previous section we know that for invalid pay- School 2 6128 0.042 loads,as the distance increases,the proportion of payloads WFP I 6128 1256 0.205 injected successfully increases first and then decreases.So WFP_2 6128 908 0.148 WFP 3 6128 814 0.133 we can select the next one based on the average distance WFP_4 6128 450 0.073 between invalid payloads and effective payloads.We use WFP_5 6128 359 0.059 the 7 websites of Web for Pentester as a "training set"to WFP 6 6128 131 0.021 WFP_7 6128 63 find a appropriate distance,to test the efficiency of the ART 0.00 DVWA R I 6128 1444 0236 method on other different benchmarks and actual websites. DVWA_R_2 6128 1082 0.177 We continue to use the relative distance,and the average DVWA R3 6128 531 0.087 DVWA S_I 6128 I505 0.246 distance between invalid payloads and effective payloads in DVWA_S_2 6128 1055 0.172 the 7 websites of Web for Pentester is 0.391.We increase DVWA_S_3 WAVSEP I 6128 0087 the priority of the 1/4 payloads each time,so we can set the 6128 0.242 distance interval to [0.265,0.5151. WAVSEP 2 6128 16 0.003 WAVSEP_3 6128 583 0.095 WAVSEP 4 6128 65 0.011 TABLE II WAVSEP 5 6128 174 0.028 XSSART Vs FUZZING WAVSEP_6 6128 272 0.044 WAVSEP 7 6128 261 0.043 Site Fuzzing XSSART Ratio Average 6128 628 0.02 School 1 10.24 6.7 34.60 School 2 23.83 11.88 50.5% WFP_1 4.86 4.27 12.1% WFP 2 6.76 5.68 16.0% WFP 3 7.4 5.94 9.7% WFP4 1372 9.03 34.2 A.Distribution of effective payloads WFP 5 17.09 15.35 10.2% WFP 6 46.48 34.5 25.8% We count the proportion of payloads injected successfully WFP_7 99.79 90.54 9.3% at different distances between invalid payloads and effective DVWA RI 425 372 12.5% payloads.The result is shown in Figure 2.Here,we use DVWA_R_2 5.63 4.71 16.3% DVWA R 3 11.4 8.4 26.3% the relative distance.For a target payload,we sort the other DVWA S I 408 3.67 10.0 payloads according to the Jaccard coefficient with the target DVWA S_2 5.69 5.01 12.0% payload,and divide the order by the value of the total DVWA S 3 11.61 8.45 27.2% WAVSEP_I 4.1 3.69 10.0% number of payloads as the distance value,so that the distance WAVSEP_2 358.84 173.56 51.60 from the target payload is evenly distributed. WAVSEP 3 10.69 6.88 35.6% WAVSEP 4 92.73 45.73 50.7% The line in Figure 2 represents the average proportion of WAVSEP S 34R2 20.67 40.6% effective payloads.We can see that,for effective payloads, WAVSEP 6 22.2 12.1i 45.5% the closer the payloads are,the more successfully they can be WAVSEP 7 23.48 12.65 46.1% injected.But for invalid payloads,as the distance increases, Average 37.26 22.41 27.1% the proportion of payloads injected successfully increases first and then decreases.Therefore,we can say that effective In the XSS detection,it is significant to find the first payloads cluster together and selecting a payload with an effective payload.We stop testing once that we find a appropriate distance from the invalid payload can increase payload which can be injected successfully,and record the the probability of successful injection. 66WAVSEP 7. We chose a course selection system as the actual website for the test. The site has two different XSS injection points. If exploited by an attacker, it can be detrimental to the teachers and students who use the site. We record these two injection points as School 1 and School 2. We tested these sites with the payloads. The results are shown in Table I. We can see that the number of valid payloads is different in different websites. Some are dense (such as WFP 1 and DVWA R 1) and some are sparse (such as WFP 7 and WAVSEP 2). How the effective payloads are distributed on these different sites and how efficient the ART method is will be discussed below. TABLE I PAYLOADS INJECTION RESULTS Site Total Payloads Valid Payloads Ratio School 1 6128 587 0.096 School 2 6128 256 0.042 WFP 1 6128 1256 0.205 WFP 2 6128 908 0.148 WFP 3 6128 814 0.133 WFP 4 6128 450 0.073 WFP 5 6128 359 0.059 WFP 6 6128 131 0.021 WFP 7 6128 63 0.010 DVWA R 1 6128 1444 0.236 DVWA R 2 6128 1082 0.177 DVWA R 3 6128 531 0.087 DVWA S 1 6128 1505 0.246 DVWA S 2 6128 1055 0.172 DVWA S 3 6128 535 0.087 WAVSEP 1 6128 1484 0.242 WAVSEP 2 6128 16 0.003 WAVSEP 3 6128 583 0.095 WAVSEP 4 6128 65 0.011 WAVSEP 5 6128 174 0.028 WAVSEP 6 6128 272 0.044 WAVSEP 7 6128 261 0.043 Average 6128 628 0.102 A. Distribution of effective payloads We count the proportion of payloads injected successfully at different distances between invalid payloads and effective payloads. The result is shown in Figure 2. Here, we use the relative distance. For a target payload, we sort the other payloads according to the Jaccard coefficient with the target payload, and divide the order by the value of the total number of payloads as the distance value, so that the distance from the target payload is evenly distributed. The line in Figure 2 represents the average proportion of effective payloads. We can see that, for effective payloads, the closer the payloads are, the more successfully they can be injected. But for invalid payloads, as the distance increases, the proportion of payloads injected successfully increases first and then decreases. Therefore, we can say that effective payloads cluster together and selecting a payload with an appropriate distance from the invalid payload can increase the probability of successful injection. Fig. 2. Distribution of effective payloads. B. XSSART Vs Fuzzing From the previous section we know that for invalid pay￾loads, as the distance increases, the proportion of payloads injected successfully increases first and then decreases. So we can select the next one based on the average distance between invalid payloads and effective payloads. We use the 7 websites of Web for Pentester as a “training set” to find a appropriate distance, to test the efficiency of the ART method on other different benchmarks and actual websites. We continue to use the relative distance, and the average distance between invalid payloads and effective payloads in the 7 websites of Web for Pentester is 0.391. We increase the priority of the 1/4 payloads each time, so we can set the distance interval to [0.265,0.515]. TABLE II XSSART VS FUZZING Site Fuzzing XSSART Ratio School 1 10.24 6.7 34.6% School 2 23.83 11.88 50.5% WFP 1 4.86 4.27 12.1% WFP 2 6.76 5.68 16.0% WFP 3 7.4 5.94 19.7% WFP 4 13.72 9.03 34.2% WFP 5 17.09 15.35 10.2% WFP 6 46.48 34.5 25.8% WFP 7 99.79 90.54 9.3% DVWA R 1 4.25 3.72 12.5% DVWA R 2 5.63 4.71 16.3% DVWA R 3 11.4 8.4 26.3% DVWA S 1 4.08 3.67 10.0% DVWA S 2 5.69 5.01 12.0% DVWA S 3 11.61 8.45 27.2% WAVSEP 1 4.1 3.69 10.0% WAVSEP 2 358.84 173.56 51.6% WAVSEP 3 10.69 6.88 35.6% WAVSEP 4 92.73 45.73 50.7% WAVSEP 5 34.82 20.67 40.6% WAVSEP 6 22.2 12.11 45.5% WAVSEP 7 23.48 12.65 46.1% Average 37.26 22.41 27.1% In the XSS detection, it is significant to find the first effective payload. We stop testing once that we find a payload which can be injected successfully, and record the 66