An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities

Authors

Author papers Institute of Information System & Research Cent
Shafi Alassmi Concordia University College of Alberta, Edmonton
Pavol Zavarsky Concordia University College of Alberta, Edmonton
Dale Lindskog Concordia University College of Alberta, Edmonton
Ron Ruhl Concordia University College of Alberta, Edmonton
Ahmed Alasiri Concordia University College of Alberta, Edmonton
Muteb Alzaidi Concordia University College of Alberta, Edmonton

Keywords:

Stored Cross-Site Scripting Injection, XSSI vulnerabilities, black-box scanners

Abstract

Stored Cross-Site Scripting (XSS) vulnerabilities are difficult to detect and state-of-the-art black-box scanners have low detection rates [1, 2]. Both Bau et al. and Doupe et al. investigated blackbox web application security scanners, and this paper extends their analyses of state-of-the-art black-box detection of stored XSS. We use our own custom testbed, SimplifiedTB, which is available upon request. Weaknesses and limitations of black-box scanners identified in our study confirm weaknesses and limitations discussed by Bau et al. [1] and Doupé et al. [2]. The paper provides a list of recommendations for improving black-box detection of stored XSS vulnerabilities.

Author Biographies

Shafi Alassmi, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Pavol Zavarsky, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Dale Lindskog, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Ron Ruhl, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Ahmed Alasiri, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

Muteb Alzaidi, Concordia University College of Alberta, Edmonton

Master of Information Systems Security Management

References

Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, “State of the Art: Automated black-box Web Application Vulnerability Testing” May 2010.

Adam Doupé, Marco Cova, and Giovanni Vigna, “Why Johnny Can‟t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, July 2010.

Open Web Application Security Project. (2010). [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Qianjie Zhang, Hao Chen, Jianhua Sun, “An Execution-flow Based Method for Detecting Cross-Site Scripting Attacks” June 2010.

Sean McAllister, Engin Kirda, and Christopher Kruegel, “Leveraging User Interactions for In-Depth Testing of Web Applications”, 2008.

Nidal Khoury, Pavol Zavarsky, Dale Lindskog, and Ron Ruhl, “An Analysis of black-box Web Application

Security Scanners against Stored SQL Injection”, 2010

CENZIC Enterprise Application Security (2012) http://www.cenzic.com/downloads/Whitebox_VS_Blackbox_WP.pdf

Michael Brooks, “Bypassing Internet Explorer‟s XSS Filter”, 2011

John B. Dickson, “Black Box versus White-Box: Different App Testing Strategies”

Jeremiah Grossman, “Cross-Site Scripting Worms & Viruses: The Impending Threat & the Best Defense”, June 2007.

OWASP Broken Web Applications Virtual Machine. http://code.google.com/p/owaspbwa/wiki/Downloads

Published

2020-08-30

How to Cite

papers, A., Alassmi, S. ., Zavarsky, P. ., Lindskog, D. ., Ruhl, R. ., Alasiri, A. ., & Alzaidi, M. (2020). An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities. International Journal on Information Technology and Computer Science, 4(1). Retrieved from http://ijitcs.info/index.php/ijitcs/article/view/11

Download Citation

Issue

Vol. 4 No. 1 (2012): Volume 4 issue 1

Section

Research Articles

License

Copyright (c) 2020 International Journal on Information Technology and Computer Science

Creative Commons License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Most read articles by the same author(s)

Author papers, Ahmed Alasiri, Muteb Alzaidi, Dale Lindskog, Pavol Zavarsky, Ron Ruhl, Shafi Alassmi, The Comparative Analysis of Operational Malware Dynamic Link Library (DLL) Injection Live Response vs. Memory Image , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Hesham Naser Elzentani, An Open-Source Based Application for Creating and Verifying Digital Signatures for XML documents , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Natia Sirbiladze, Sara Paiva, Rui Gomes, An Evaluation of Business Activity monitoring tools , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Misbahu Na’Iya Katsina, An Use of Mobile Phones among Informal Microenterprises in Katsina, Nigeria , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Sugandha Aggarwal, Prabhjot Kaur, The Characteristic Parameters Evaluation for MIMO based Communication Systems , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Foilagi Maua Faamau, The Managment of Telecommunications Networks is an integral part of it governance, Hence what should be the role of the CIO and the ICT unit in implementing IT managment practices inline with the overall organanal IT goverance ? , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Purnima Lala, Prabhjot Kaur, Optimization of Power In Cellular Networks using Fuzzy Logic , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Saria Safdar, Shoab Ahmad Khan, Fahim Arif, Analysis of ECGs Survey Data Using Threshold Inference Engine , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Z.Faizal Khan, Dr.V. Kavitha, The Segmentation of Computer Tomography Lung Images using Contextual Clustering , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1
Author papers, Erasmus Addae, A Supporting Reflection-in-action with Lightweight Collaborative Tools in Student Multimedia Development Project , International Journal on Information Technology and Computer Science: Vol. 4 No. 1 (2012): Volume 4 issue 1

1 2 > >>