Efficient Detection of Multi-step Cross-Site Scripting Vulnerabilities

  • Alexandre Vernotte
  • Frédéric Dadeau
  • Franck Lebeau
  • Bruno Legeard
  • Fabien Peureux
  • François Piat
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)


Cross-Site Scripting (XSS) is one of the most critical vulnerabilities that may compromise the security of Web applications. Reflected XSS is usually easy to detect, since the attack vector is executed immediately, and classical Web application scanners are generally effective at detecting it. They are far less effective at discovering multi-step XSS, whose detection requires knowledge of the application's behavior, because the injected payload only reaches its rendering sink after further requests. In this paper, we propose a Pattern-driven and Model-based Vulnerability Testing approach (PMVT) to improve the detection of multi-step XSS. The approach relies on generic vulnerability test patterns that are applied to a behavioral model of the application under test in order to generate vulnerability test cases. A toolchain, adapted from an existing Model-Based Testing tool, has been developed to implement this approach. The prototype has been experimented with and validated on real-life Web applications, showing a strong improvement in detection ability compared with Web application scanners for this kind of vulnerability.
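The abstract's point, that a multi-step XSS is invisible to a scanner that only inspects the response to the request carrying the payload, is easiest to see on a toy application. The following is an added example, not the paper's PMVT toolchain or any of the authors' code: the in-memory forum (`ToyForum`), its operation names, the probe payload and the hand-written test sequence are all constructed here. It contrasts a single-request reflected check with one test case replayed from a behavioral model (login, inject, re-login with another role, observe a later page), which is the kind of sequence a model-based approach can generate and a stateless scan cannot.

```python
"""Why a one-request reflected-XSS check misses a multi-step (stored) XSS
that only a behavior-aware test sequence reaches.

Added example (constructed toy application); it is not the PMVT toolchain
from the paper. Page names, the probe payload and the sequences are assumptions.
"""
import html

# Constructed probe: distinctive enough that finding it verbatim in a page
# means the application rendered it without escaping.
MARKER = "<script>xss_probe()</script>"


class ToyForum:
    """Constructed in-memory application with one safe reflected sink and
    one multi-step sink that renders stored input unescaped."""

    def __init__(self):
        self.posts = []       # user-supplied comments, stored across requests
        self.session = None   # None, "user" or "moderator"

    # Step 1: authenticate. The moderation page is only reachable as moderator.
    def login(self, role):
        self.session = role
        return "<p>logged in as %s</p>" % html.escape(role)

    # Reflected sink: the query is echoed but escaped, so this page is safe.
    def search(self, q):
        return "<h1>Results for %s</h1>" % html.escape(q)

    # Step 2: post a comment. The immediate response escapes the input...
    def post_comment(self, text):
        self.posts.append(text)
        return "<p>posted: %s</p>" % html.escape(text)

    # Step 3: ...but the moderation queue renders the stored text raw (the bug).
    def moderation_queue(self):
        if self.session != "moderator":
            return "<p>403 forbidden</p>"
        return "<ul>" + "".join("<li>%s</li>" % p for p in self.posts) + "</ul>"


def executes_marker(page):
    """True if the probe survived into the page verbatim (executable context)."""
    return MARKER in page


def reflected_scan(app):
    """Single-request scan: inject the probe into each input and inspect only
    the response to that same request. Returns the names of inputs flagged."""
    findings = []
    for name, fn in (("search", app.search), ("post_comment", app.post_comment)):
        if executes_marker(fn(MARKER)):
            findings.append(name)
    return findings


def run_sequence(app, steps):
    """Replay a sequence of (operation, args) taken from a behavioral model and
    return the page produced by the final step, i.e. the observed sink."""
    page = ""
    for op, args in steps:
        page = getattr(app, op)(*args)
    return page


# One vulnerability test case a model-based generator could emit: the probe is
# injected at one step and the sink is only observed two steps later, under a
# different role. (Assumed sequence, constructed for this example.)
MULTISTEP_CASE = [
    ("login", ("user",)),
    ("post_comment", (MARKER,)),
    ("login", ("moderator",)),
    ("moderation_queue", ()),
]


def multistep_test(app, steps=MULTISTEP_CASE):
    """True if the probe reaches an executable context at the end of the sequence."""
    return executes_marker(run_sequence(app, steps))


if __name__ == "__main__":
    print("reflected scan flags:", reflected_scan(ToyForum()))      # []
    print("multi-step test finds XSS:", multistep_test(ToyForum()))  # True
```

Run on fresh application instances, the reflected scan flags nothing, because both immediate responses escape the probe, while the replayed sequence reaches the moderation queue and finds the probe rendered verbatim. The gap is not a weaker payload but the missing knowledge that `post_comment` feeds `moderation_queue` under another session, which is exactly the behavioral information a model supplies.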


Keywords: Vulnerability Testing, Model-Based Testing, Vulnerability Test Patterns, Web Applications, Multi-step Cross-Site Scripting





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Alexandre Vernotte (1)
  • Frédéric Dadeau (1, 2)
  • Franck Lebeau (3)
  • Bruno Legeard (1, 4)
  • Fabien Peureux (1)
  • François Piat (1)
  1. UMR CNRS 6174, Institut FEMTO-ST, Besançon, France
  2. INRIA Nancy Grand Est, Vandoeuvre-lès-Nancy, France
  3. Erdil, Besançon, France
  4. Smartesting R&D Center, Besançon, France
