| With the continuous development of Web technology, Web applications have become more and more popular because of their rich functionality and strong interactivity, and the number of attacks against them has grown accordingly. Among all attacks, cross-site scripting (XSS) has become one of the most popular attack methods. The attacker injects malicious script code into an input point of a Web application to trick the user's browser into executing it, with the aim of stealing the user's private information. How to efficiently detect XSS vulnerabilities in Web applications has become a hot topic in current research on security vulnerability detection. There are three main existing XSS vulnerability detection methods: static detection, dynamic detection, and their combination. However, they are not perfect and have shortcomings such as requiring the program's source code, high false negative and false positive rates, and low detection efficiency. Therefore, this paper proposes a new vulnerability detection method based on dynamic analysis, which is divided into three main modules: the attack vector database, legal vector testing, and attack vector testing. The attack vector database stores attack vectors to provide test data for subsequent attack vector testing; legal vector testing determines the input points that may have XSS vulnerabilities and the corresponding output points; attack vector testing sends attack requests containing attack vectors. 
Specifically, it uses an attack vector generation method based on sorted rules to generate test data for attack vector testing; this is more targeted, reduces the number of interactions with the server, and detects more efficiently. It uses a vulnerability detection method based on subsequence matching to match test data; this method is more accurate and reduces the false negative rate. The experimental results show that the proposed method can effectively detect XSS vulnerabilities in real-world Web applications, with high efficiency and low false positive and false negative rates. |
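
The legal vector testing module described above can be illustrated with a short sketch; this is an added example, not code from the paper. It submits a harmless alphanumeric marker at each input point and records the output points where the marker reappears, including a stored case that surfaces on a different page. The toy application, the marker format and the `OutputPointFinder` class are assumptions constructed for the example.

```python
from html.parser import HTMLParser
VOID = {"input", "br", "img", "hr", "meta", "link"}  # tags with no end tag

class OutputPointFinder(HTMLParser):
    """Records where a marker string appears in an HTML response."""
    def __init__(self, marker):
        super().__init__()
        self.marker, self.stack, self.points = marker, [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append(tag)
        for name, value in attrs:
            if value and self.marker in value:
                self.points.append(f"attribute {tag}@{name}")
    def handle_endtag(self, tag):
        while tag in self.stack and self.stack.pop() != tag:
            pass                         # pop back to the matching open tag
    def handle_data(self, data):
        if self.marker in data:
            parent = self.stack[-1] if self.stack else "document"
            self.points.append(f"text in <{parent}>")

# Constructed stand-in for a web application (hypothetical, no network needed).
STORE = []
def _search(p):  return f"<h1>Results for {p.get('q', '')}</h1>"
def _profile(p): return f'<input name="nick" value="{p.get("nick", "")}">'
def _comment(p): STORE.append(p.get("body", "")); return "<p>Saved</p>"
def _feed(p):    return "<ul>" + "".join(f"<li>{c}</li>" for c in STORE) + "</ul>"
def _login(p):   return "<p>Welcome back</p>"   # never echoes its input
PAGES = {"search": _search, "profile": _profile, "comment": _comment,
         "feed": _feed, "login": _login}
INPUT_POINTS = [("search", "q"), ("profile", "nick"), ("comment", "body"), ("login", "user")]

def legal_vector_test(pages, input_points):
    """Map each input point to the output points where its legal vector appears."""
    mapping = {}
    for i, (page, param) in enumerate(input_points):
        marker = f"lv{i:04d}probe"       # harmless alphanumeric legal vector
        responses = {page: pages[page]({param: marker})}   # submit first
        responses.update((n, r({})) for n, r in pages.items() if n != page)
        found = []
        for name, html in responses.items():
            finder = OutputPointFinder(marker)
            finder.feed(html)
            finder.close()
            found += [(name, point) for point in finder.points]
        if found:
            mapping[(page, param)] = found
    return mapping
```

Calling `legal_vector_test(PAGES, INPUT_POINTS)` returns only the input points whose marker is reflected somewhere, so the later, more expensive testing stage can skip inputs such as the `login` parameter that never reach an output point.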