Litcius/Paper detail

Combinatorially XSSing Web Application Firewalls

Bernhard Garn, Daniel Sebastian Lang, Manuel Leithner, D. Richard Kuhn, Raghu N. Kacker, Dimitris E. Simos

202112 citationsDOI

Abstract

Cross-Site scripting (XSS) is a common class of vulnerabilities in the domain of web applications. As it re-mains prevalent despite continued efforts by practitioners and researchers, site operators often seek to protect their assets using web application firewalls (WAFs). These systems employ filtering mechanisms to intercept and reject requests that may be suitable to exploit XSS flaws and related vulnerabilities such as SQL injections. However, they generally do not offer complete protection and can often be bypassed using specifically crafted exploits. In this work, we evaluate the effectiveness of WAFs to detect XSS exploits. We develop an attack grammar and use a combinatorial testing approach to generate attack vectors. We compare our vectors with conventional counterparts and their ability to bypass different WAFs. Our results show that the vectors generated with combinatorial testing perform equal or better in almost all cases. They further confirm that most of the rule sets evaluated in this work can be bypassed by at least one of these crafted inputs.

Topics & Concepts

Cross-site scriptingExploitComputer scienceSQL injectionScripting languageComputer securityWeb applicationWeb application securityFuzz testingThe InternetWorld Wide WebProgramming languageWeb developmentSearch engineSoftwareQuery by ExampleWeb search queryWeb Application Security VulnerabilitiesSecurity and Verification in ComputingSoftware Testing and Debugging Techniques