Identifying Cross Site Scripting Vulnerabilities in Web Applications
WSE '04 Proceedings of the Web Site Evolution, Sixth IEEE International Workshop
Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks
PRDC '07 Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Resolving JavaScript Vulnerabilities in the Browser Runtime
ISSRE '08 Proceedings of the 2008 19th International Symposium on Software Reliability Engineering
The 5th international workshop on software engineering for secure systems (SESS'09)
ICSE '09 COMPANION Proceedings of the 2009 31st International Conference on Software Engineering: Companion Volume
Security mutation testing of the FileZilla FTP server
Proceedings of the 2011 ACM Symposium on Applied Computing
Automated removal of cross site scripting vulnerabilities in web applications
Information and Software Technology
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
| Hi-index | 0.00 |
Cross Site Scripting (XSS) is one of the worst vulnerabilities that allow malicious attacks such as cookie thefts and Web page defacements. Testing an implementation against XSS vulnerabilities (XSSVs) can avoid these consequences. Obtaining an adequate test data set is essential for testing of XSSVs. An adequate test data set contains effective test cases that can reveal XSSVs. Unfortunately, traditional testing techniques for XSSVs do not address the issue of adequate testing. In this work, we apply the idea of mutation-based testing technique to generate adequate test data sets for testing XSSVs. Our work addresses XSSVs related to Web-applications that use PHP and JavaScript code to generate dynamic HTML contents. We propose 11 mutation operators to force the generation of adequate test data set. A prototype mutation-based testing tool named MUTEC is developed to generate mutants automatically. The proposed operators are validated by using five open source applications having XSSVs. The results indicate that the proposed operators are effective for testing XSSVs.