{"title":"L-WMxD:基于词法的Webmail XSS发现者","authors":"Zhushou Tang, Haojin Zhu, Z. Cao, Shuai Zhao","doi":"10.1109/INFCOMW.2011.5928954","DOIUrl":null,"url":null,"abstract":"XSS (Cross-Site Scripting) is a major security threat for web applications. Due to lack of source code of web application, fuzz technique has become a popular approach to discover XSS in web application except Webmail. This paper proposes a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer). L-WMxD , which works on a lexical based mutation engine, is an active defense system to discover XSS before the Webmail application is online for service. The engine is initialized by normal JavaScript code called seed. Then, rules are applied to the sensitive strings in the seed which are picked out through a lexical parser. After that, the mutation engine issues multiple test cases. Newly-generated test cases are used for XSS test. Two prototype tools are realized by us to send the newly-generated test cases to various Webmail servers to discover XSS vulnerability. Experimental results of L-WMxD are quite encouraging. We have run L-WMxD over 26 real-world Webmail applications and found vulnerabilities in 21 Webmail services, including some of the most widely used Yahoo!Mail, Mirapoint Webmail and ORACLE' Collaboration Suite Mail.","PeriodicalId":402219,"journal":{"name":"2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":"{\"title\":\"L-WMxD: Lexical based Webmail XSS Discoverer\",\"authors\":\"Zhushou Tang, Haojin Zhu, Z. Cao, Shuai Zhao\",\"doi\":\"10.1109/INFCOMW.2011.5928954\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"XSS (Cross-Site Scripting) is a major security threat for web applications. Due to lack of source code of web application, fuzz technique has become a popular approach to discover XSS in web application except Webmail. This paper proposes a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer). L-WMxD , which works on a lexical based mutation engine, is an active defense system to discover XSS before the Webmail application is online for service. The engine is initialized by normal JavaScript code called seed. Then, rules are applied to the sensitive strings in the seed which are picked out through a lexical parser. After that, the mutation engine issues multiple test cases. Newly-generated test cases are used for XSS test. Two prototype tools are realized by us to send the newly-generated test cases to various Webmail servers to discover XSS vulnerability. Experimental results of L-WMxD are quite encouraging. We have run L-WMxD over 26 real-world Webmail applications and found vulnerabilities in 21 Webmail services, including some of the most widely used Yahoo!Mail, Mirapoint Webmail and ORACLE' Collaboration Suite Mail.\",\"PeriodicalId\":402219,\"journal\":{\"name\":\"2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)\",\"volume\":\"41 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2011-04-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"15\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/INFCOMW.2011.5928954\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/INFCOMW.2011.5928954","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 15
摘要
跨站点脚本(XSS)是web应用程序的主要安全威胁。由于web应用程序缺乏源代码,模糊技术已成为除Webmail外的web应用程序中发现跨站攻击的常用方法。本文提出了一种基于词法的Webmail跨站探测器L-WMxD (Lexical based Webmail跨站探测器)。L-WMxD工作在基于词法的突变引擎上,是一个主动防御系统,可以在Webmail应用程序在线服务之前发现XSS。该引擎由称为seed的普通JavaScript代码初始化。然后,规则应用于种子中的敏感字符串,这些字符串是通过词法解析器挑选出来的。之后,突变引擎发出多个测试用例。新生成的测试用例用于XSS测试。我们实现了两种原型工具,将新生成的测试用例发送到各种Webmail服务器,以发现跨站攻击漏洞。L-WMxD的实验结果令人鼓舞。我们在26个真实的Webmail应用程序上运行了L-WMxD,并在21个Webmail服务中发现了漏洞,其中包括一些最广泛使用的Yahoo!邮件,Mirapoint Webmail和ORACLE的协作套件邮件。
XSS (Cross-Site Scripting) is a major security threat for web applications. Due to lack of source code of web application, fuzz technique has become a popular approach to discover XSS in web application except Webmail. This paper proposes a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer). L-WMxD , which works on a lexical based mutation engine, is an active defense system to discover XSS before the Webmail application is online for service. The engine is initialized by normal JavaScript code called seed. Then, rules are applied to the sensitive strings in the seed which are picked out through a lexical parser. After that, the mutation engine issues multiple test cases. Newly-generated test cases are used for XSS test. Two prototype tools are realized by us to send the newly-generated test cases to various Webmail servers to discover XSS vulnerability. Experimental results of L-WMxD are quite encouraging. We have run L-WMxD over 26 real-world Webmail applications and found vulnerabilities in 21 Webmail services, including some of the most widely used Yahoo!Mail, Mirapoint Webmail and ORACLE' Collaboration Suite Mail.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
