more than 27.1% in reducing the number of attempts before accomplishing a successful injection. We have developed a black-box testing tool to detect XSS vulnerability and current work can still be improved. DOM-based XSS attacks are out of our range, and we will deal with them in the next stage.
The payloads we collect are partially redundant and not comprehensive enough. In the future work, we will focus on the more comprehensive and efficient XSS payload generation approaches, which can detect XSS vulnerability more thoroughly. At the same time, we will try to extract features from payloads and use machine learning clustering algorithms to select more effective payloads.

ACKNOWLEDGMENT

This work is supported partly by the National Key R&D Program of China 2018YFB2100303, 2018YFB0803400; the Key Research Program of Frontier Sciences, Chinese Academy of Sciences (CAS), Grant No. QYZDJ-SSW-JSC036; and National Natural Science Foundation of China (NSFC) under grant 61772487.