Automatic Web Security Unit Testing: XSS Vulnerability Detection. Mohammadi, M., Chu, B., Lipford, H. R., & Murphy-Hill, E. In Proceedings of the 11th International Workshop on Automation of Software Test, of AST '16, pages 78–84, New York, NY, USA, 2016. ACM.
Automatic Web Security Unit Testing: XSS Vulnerability Detection [link]Paper  doi  abstract   bibtex   
Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract encoding functions used in a web application to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We will also show that our approach can efficiently cover a common type of XSS vulnerability. This approach can be generalized to test for input validation against other types injections such as command line injection.
@inproceedings{Mohammadi2016Automatic,
    abstract = {{Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract encoding functions used in a web application to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We will also show that our approach can efficiently cover a common type of XSS vulnerability. This approach can be generalized to test for input validation against other types injections such as command line injection.}},
    address = {New York, NY, USA},
    author = {Mohammadi, Mahmoud and Chu, Bill and Lipford, Heather R. and Murphy-Hill, Emerson},
    booktitle = {Proceedings of the 11th International Workshop on Automation of Software Test},
    citeulike-article-id = {14104186},
    citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=2896921.2896929},
    citeulike-linkout-1 = {http://dx.doi.org/10.1145/2896921.2896929},
    doi = {10.1145/2896921.2896929},
    howpublished = {4. Workshop},
    isbn = {978-1-4503-4151-6},
    keywords = {security},
    location = {Austin, Texas},
    pages = {78--84},
    posted-at = {2016-07-29 18:23:41},
    priority = {2},
    publisher = {ACM},
    series = {AST '16},
    title = {{Automatic Web Security Unit Testing: XSS Vulnerability Detection}},
    url = {http://dx.doi.org/10.1145/2896921.2896929},
    year = {2016}
}
Downloads: 0