Détection des vulnérabilités des applications Web aux attaques XSS

Abstract

Cross-site scripting (XSS) is one of the most dangerous attacks menacing the navigation in the Web since its reveal in late 1999. Since then, several techniques have been developed in the aim to secure web applications against diverse types of XSS attacks. In this project, we contribute by designing a hybrid approach for the detection of web application vulnerabilities to XSS attacks. This way, vulnerable applications can be detected and hence updated to defend against XSS attacks. The hybrid approach combines static and dynamic analysis. While static analysis is used to detect of all the injection points included in individual pages through analyzing their contents, dynamic analysis is used to confirm the vulnerability of such points to XSS payload injection. A prototype named XSS Checker is developed in Node.js implementing the proposed approach. Conducted experiments, with the developed prototype, showed the ability of the proposed approach to detect vulnerabilities in real world applications.