2,776 research outputs found
Structural Learning of Attack Vectors for Generating Mutated XSS Attacks
Web applications suffer from cross-site scripting (XSS) attacks that
resulting from incomplete or incorrect input sanitization. Learning the
structure of attack vectors could enrich the variety of manifestations in
generated XSS attacks. In this study, we focus on generating more threatening
XSS attacks for the state-of-the-art detection approaches that can find
potential XSS vulnerabilities in Web applications, and propose a mechanism for
structural learning of attack vectors with the aim of generating mutated XSS
attacks in a fully automatic way. Mutated XSS attack generation depends on the
analysis of attack vectors and the structural learning mechanism. For the
kernel of the learning mechanism, we use a Hidden Markov model (HMM) as the
structure of the attack vector model to capture the implicit manner of the
attack vector, and this manner is benefited from the syntax meanings that are
labeled by the proposed tokenizing mechanism. Bayes theorem is used to
determine the number of hidden states in the model for generalizing the
structure model. The paper has the contributions as following: (1)
automatically learn the structure of attack vectors from practical data
analysis to modeling a structure model of attack vectors, (2) mimic the manners
and the elements of attack vectors to extend the ability of testing tool for
identifying XSS vulnerabilities, (3) be helpful to verify the flaws of
blacklist sanitization procedures of Web applications. We evaluated the
proposed mechanism by Burp Intruder with a dataset collected from public XSS
archives. The results show that mutated XSS attack generation can identify
potential vulnerabilities.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
Statically Checking Web API Requests in JavaScript
Many JavaScript applications perform HTTP requests to web APIs, relying on
the request URL, HTTP method, and request data to be constructed correctly by
string operations. Traditional compile-time error checking, such as calling a
non-existent method in Java, are not available for checking whether such
requests comply with the requirements of a web API. In this paper, we propose
an approach to statically check web API requests in JavaScript. Our approach
first extracts a request's URL string, HTTP method, and the corresponding
request data using an inter-procedural string analysis, and then checks whether
the request conforms to given web API specifications. We evaluated our approach
by checking whether web API requests in JavaScript files mined from GitHub are
consistent or inconsistent with publicly available API specifications. From the
6575 requests in scope, our approach determined whether the request's URL and
HTTP method was consistent or inconsistent with web API specifications with a
precision of 96.0%. Our approach also correctly determined whether extracted
request data was consistent or inconsistent with the data requirements with a
precision of 87.9% for payload data and 99.9% for query data. In a systematic
analysis of the inconsistent cases, we found that many of them were due to
errors in the client code. The here proposed checker can be integrated with
code editors or with continuous integration tools to warn programmers about
code containing potentially erroneous requests.Comment: International Conference on Software Engineering, 201
Mutation analysis of dynamically typed programs
The increasing use of dynamically typed programming languages brings a new challenge to software testing. In these languages, types are not checked at compile-time. Type errors must be found by testing and in general, programs written in these languages require additional testing compared to statically typed languages.Mutation analysis (or mutation testing) has been shown to be effective in testing statically (or strongly) typed programs. In statically typed programs, the type information is essential to ensure only type-correct mutants are generated. Mutation analysis has not so far been fully used for dynamically typed programs. In dynamically typed programs, at compile-time, the types of the values held in variables are not known. Therefore, it is not clear if a variable should be mutated with number, Boolean, string, or object mutation operators.This thesis investigates and introduces new approaches for the mutation analysis of dynamically typed programs. The first approach is a static approach that employs the static type context of variables to determine, if possible, type information and generate mutants in the manner of traditional mutation analysis. With static mutation there is the danger that the type context does not allow the precise type to be determined and so type-mutations are produced. In a type-mutation, the original and mutant expressions have a different type. These mutants may be too easily killed and if they are then they represent incompetent mutants that do not force the tester to improve the test set. The second approach is designed to avoid type-mutations. This approach requires that the types of variables are discovered. The types of variables are discovered at run-time. Using type information, it is possible to generate only type-correct mutants. This dynamic approach, although more expensive computationally, is more likely to produce high quality, difficult to kill, mutants
- …