Untitled Document
   
You are from : ( )  
     
Untitled Document
Untitled Document
 

International Journal of Information Technology & Computer Science ( IJITCS )

Abstract :

Stored Cross-Site Scripting (XSS) vulnerabilities are difficult to detect and state-of-the-art black-box scanners have low detection rates [1, 2]. Both Bau et al. and Doupe et al. investigated blackbox web application security scanners, and this paper extends their analyses of state-of-the-art black-box detection of stored XSS. We use our own custom testbed, SimplifiedTB, which is available upon request. Weaknesses and limitations of black-box scanners identified in our study confirm weaknesses and limitations discussed by Bau et al. [1] and Doupé et al. [2]. The paper provides a list of recommendations for improving black-box detection of stored XSS vulnerabilities .

Keywords :

: Stored Cross-Site Scripting Injection; XSSI vulnerabilities; black-box scanners

References :

  1. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, “State of the Art: Automated black-box Web Application Vulnerability Testing” May 2010.
  2. Adam Doupé, Marco Cova, and Giovanni Vigna, “Why Johnny Can‟t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, July 2010.
  3. Open Web Application Security Project. (2010). [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 12
  4. Qianjie Zhang, Hao Chen, Jianhua Sun, “An Execution-flow Based Method for Detecting Cross-Site Scripting Attacks” June 2010.
  5. Sean McAllister, Engin Kirda, and Christopher Kruegel, “Leveraging User Interactions for In-Depth Testing of Web Applications”, 2008.
  6. Nidal Khoury, Pavol Zavarsky, Dale Lindskog, and Ron Ruhl, “An Analysis of black-box Web Application Security Scanners against Stored SQL Injection”, 2010
  7. CENZIC Enterprise Application Security (2012) http://www.cenzic.com/downloads/Whitebox_VS_Blackbox_WP.pdf
  8. Michael Brooks, “Bypassing Internet Explorer‟s XSS Filter”, 2011
  9. John B. Dickson, “Black Box versus White-Box: Different App Testing Strategies”
  10. Jeremiah Grossman, “Cross-Site Scripting Worms & Viruses: The Impending Threat & the Best Defense”, June 2007.
  11. OWASP Broken Web Applications Virtual Machine. http://code.google.com/p/owaspbwa/wiki/Downloads

Untitled Document
     
Untitled Document
   
  Copyright © 2013 IJITCS.  All rights reserved. IISRC® is a registered trademark of IJITCS Properties.