An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities

Authors

  • Author papers Institute of Information System & Research Cent
  • Shafi Alassmi Concordia University College of Alberta, Edmonton
  • Pavol Zavarsky Concordia University College of Alberta, Edmonton
  • Dale Lindskog Concordia University College of Alberta, Edmonton
  • Ron Ruhl Concordia University College of Alberta, Edmonton
  • Ahmed Alasiri Concordia University College of Alberta, Edmonton
  • Muteb Alzaidi Concordia University College of Alberta, Edmonton

Keywords:

Stored Cross-Site Scripting Injection, XSSI vulnerabilities, black-box scanners

Abstract

Stored Cross-Site Scripting (XSS) vulnerabilities are difficult to detect, and state-of-the-art black-box scanners have low detection rates [1, 2]. Both Bau et al. and Doupé et al. investigated black-box web application security scanners, and this paper extends their analyses of state-of-the-art black-box detection of stored XSS. We use our own custom testbed, SimplifiedTB, which is available upon request. The weaknesses and limitations of black-box scanners identified in our study confirm those discussed by Bau et al. [1] and Doupé et al. [2]. The paper provides a list of recommendations for improving black-box detection of stored XSS vulnerabilities.

Author Biographies

Shafi Alassmi, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Pavol Zavarsky, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Dale Lindskog, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Ron Ruhl, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Ahmed Alasiri, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Muteb Alzaidi, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

References

[1] Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, “State of the Art: Automated black-box Web Application Vulnerability Testing”, May 2010.

[2] Adam Doupé, Marco Cova, and Giovanni Vigna, “Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, July 2010.

[3] Open Web Application Security Project. (2010). [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

[4] Qianjie Zhang, Hao Chen, Jianhua Sun, “An Execution-flow Based Method for Detecting Cross-Site Scripting Attacks”, June 2010.

[5] Sean McAllister, Engin Kirda, and Christopher Kruegel, “Leveraging User Interactions for In-Depth Testing of Web Applications”, 2008.

[6] Nidal Khoury, Pavol Zavarsky, Dale Lindskog, and Ron Ruhl, “An Analysis of black-box Web Application Security Scanners against Stored SQL Injection”, 2010.

[7] CENZIC Enterprise Application Security (2012). http://www.cenzic.com/downloads/Whitebox_VS_Blackbox_WP.pdf

[8] Michael Brooks, “Bypassing Internet Explorer’s XSS Filter”, 2011.

[9] John B. Dickson, “Black Box versus White-Box: Different App Testing Strategies”.

[10] Jeremiah Grossman, “Cross-Site Scripting Worms & Viruses: The Impending Threat & the Best Defense”, June 2007.

[11] OWASP Broken Web Applications Virtual Machine. http://code.google.com/p/owaspbwa/wiki/Downloads

Published

2020-08-30

How to Cite

papers, A., Alassmi, S., Zavarsky, P., Lindskog, D., Ruhl, R., Alasiri, A., & Alzaidi, M. (2020). An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities. International Journal on Information Technology and Computer Science, 4(1). Retrieved from http://ijitcs.info/index.php/ijitcs/article/view/11

Section

Research Articles
