Abstract:
Cross-site scripting (XSS) has been one of the most dangerous attacks threatening
web browsing since it was first revealed in late 1999. Since then, several techniques have
been developed with the aim of securing web applications against the various types of XSS
attacks. In this project, we contribute by designing a hybrid approach for detecting
web application vulnerabilities to XSS attacks. This way, vulnerable applications can
be detected and hence updated to defend against XSS attacks. The hybrid approach
combines static and dynamic analysis. Static analysis is used to detect all the
injection points included in individual pages by analyzing their contents, while
dynamic analysis is used to confirm the vulnerability of such points to XSS payload
injection. A prototype named XSS Checker, implementing the proposed approach, was
developed in Node.js. Experiments conducted with the developed prototype showed
the ability of the proposed approach to detect vulnerabilities in real-world applications.
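
An added example of the two-phase idea described above, not XSS Checker's own code: a static pass lists form fields as injection points, and a dynamic pass confirms which of them reflect an inert marker without encoding. The sample page, the handlers standing in for the application under test, and all function names are constructed for illustration.

```javascript
// Added example. PAGE and HANDLERS are constructed stand-ins, not real targets.
const PAGE = `
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="lang" value="en">
</form>
<form action="/comment" method="post">
  <textarea name="body"></textarea>
  <input type="submit" value="Send">
</form>`;

// Read one quoted attribute value out of a tag's attribute string.
const attr = (tag, name) =>
  (new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(tag) || [])[1];

// Static pass: every named form field is a candidate injection point.
function findInjectionPoints(html) {
  const points = [];
  for (const [, formAttrs, body] of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    for (const [, fieldAttrs] of body.matchAll(/<(?:input|textarea|select)\b([^>]*)>/gi)) {
      const param = attr(fieldAttrs, 'name');
      if (!param) continue; // unnamed fields (the submit button) are never sent
      const method = (attr(formAttrs, 'method') || 'get').toUpperCase();
      points.push({ action: attr(formAttrs, 'action') || '', method, param });
    }
  }
  return points;
}

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
// Constructed application: /search echoes q raw, everything else is encoded.
const HANDLERS = {
  '/search': (p) => `<p>Results for ${p.q || ''}</p><i>${escapeHtml(p.lang || '')}</i>`,
  '/comment': (p) => `<div>${escapeHtml(p.body || '')}</div>`,
};

// Dynamic pass: submit an inert marker containing HTML metacharacters to each
// point; only a marker reflected without encoding confirms the point.
function confirmVulnerable(points, handlers) {
  return points.filter((pt, i) => {
    const marker = `<xsschk${i}>"'`;
    return handlers[pt.action]({ [pt.param]: marker }).includes(marker);
  });
}

const scan = (html, handlers) =>
  confirmVulnerable(findInjectionPoints(html), handlers)
    .map((p) => `${p.method} ${p.action} param=${p.param}`);
console.log(scan(PAGE, HANDLERS));
```

The static pass alone reports three candidate points; the dynamic pass narrows them to the one field whose value comes back unencoded, which is the reduction in false positives that the hybrid design aims for.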