Structural Learning of Attack Vectors for Generating Mutated XSS Attacks

Web applications suffer from cross-site scripting (XSS) attacks that resulting from incomplete or incorrect input sanitization. Learning the structure of attack vectors could enrich the variety of manifestations in generated XSS attacks. In this study, we focus on generating more threatening XSS attacks for the state-of-the-art detection approaches that can find potential XSS vulnerabilities in Web applications, and propose a mechanism for structural learning of attack vectors with the aim of generating mutated XSS attacks in a fully automatic way. Mutated XSS attack generation depends on the analysis of attack vectors and the structural learning mechanism. For the kernel of the learning mechanism, we use a Hidden Markov model (HMM) as the structure of the attack vector model to capture the implicit manner of the attack vector, and this manner is benefited from the syntax meanings that are labeled by the proposed tokenizing mechanism. Bayes theorem is used to determine the number of hidden states in the model for generalizing the structure model. The paper has the contributions as following: (1) automatically learn the structure of attack vectors from practical data analysis to modeling a structure model of attack vectors, (2) mimic the manners and the elements of attack vectors to extend the ability of testing tool for identifying XSS vulnerabilities, (3) be helpful to verify the flaws of blacklist sanitization procedures of Web applications. We evaluated the proposed mechanism by Burp Intruder with a dataset collected from public XSS archives. The results show that mutated XSS attack generation can identify potential vulnerabilities.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330

Statically Checking Web API Requests in JavaScript

Many JavaScript applications perform HTTP requests to web APIs, relying on the request URL, HTTP method, and request data to be constructed correctly by string operations. Traditional compile-time error checking, such as calling a non-existent method in Java, are not available for checking whether such requests comply with the requirements of a web API. In this paper, we propose an approach to statically check web API requests in JavaScript. Our approach first extracts a request's URL string, HTTP method, and the corresponding request data using an inter-procedural string analysis, and then checks whether the request conforms to given web API specifications. We evaluated our approach by checking whether web API requests in JavaScript files mined from GitHub are consistent or inconsistent with publicly available API specifications. From the 6575 requests in scope, our approach determined whether the request's URL and HTTP method was consistent or inconsistent with web API specifications with a precision of 96.0%. Our approach also correctly determined whether extracted request data was consistent or inconsistent with the data requirements with a precision of 87.9% for payload data and 99.9% for query data. In a systematic analysis of the inconsistent cases, we found that many of them were due to errors in the client code. The here proposed checker can be integrated with code editors or with continuous integration tools to warn programmers about code containing potentially erroneous requests.Comment: International Conference on Software Engineering, 201

Mutation analysis of dynamically typed programs

The increasing use of dynamically typed programming languages brings a new challenge to software testing. In these languages, types are not checked at compile-time. Type errors must be found by testing and in general, programs written in these languages require additional testing compared to statically typed languages.Mutation analysis (or mutation testing) has been shown to be effective in testing statically (or strongly) typed programs. In statically typed programs, the type information is essential to ensure only type-correct mutants are generated. Mutation analysis has not so far been fully used for dynamically typed programs. In dynamically typed programs, at compile-time, the types of the values held in variables are not known. Therefore, it is not clear if a variable should be mutated with number, Boolean, string, or object mutation operators.This thesis investigates and introduces new approaches for the mutation analysis of dynamically typed programs. The first approach is a static approach that employs the static type context of variables to determine, if possible, type information and generate mutants in the manner of traditional mutation analysis. With static mutation there is the danger that the type context does not allow the precise type to be determined and so type-mutations are produced. In a type-mutation, the original and mutant expressions have a different type. These mutants may be too easily killed and if they are then they represent incompetent mutants that do not force the tester to improve the test set. The second approach is designed to avoid type-mutations. This approach requires that the types of variables are discovered. The types of variables are discovered at run-time. Using type information, it is possible to generate only type-correct mutants. This dynamic approach, although more expensive computationally, is more likely to produce high quality, difficult to kill, mutants