An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities
Keywords:Stored Cross-Site Scripting Injection, XSSI vulnerabilities, black-box scanners
Stored Cross-Site Scripting (XSS) vulnerabilities are difficult to detect and state-of-the-art black-box scanners have low detection rates [1, 2]. Both Bau et al. and Doupe et al. investigated blackbox web application security scanners, and this paper extends their analyses of state-of-the-art black-box detection of stored XSS. We use our own custom testbed, SimplifiedTB, which is available upon request. Weaknesses and limitations of black-box scanners identified in our study confirm weaknesses and limitations discussed by Bau et al.  and Doupé et al. . The paper provides a list of recommendations for improving black-box detection of stored XSS vulnerabilities.
Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, “State of the Art: Automated black-box Web Application Vulnerability Testing” May 2010.
Adam Doupé, Marco Cova, and Giovanni Vigna, “Why Johnny Can‟t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, July 2010.
Open Web Application Security Project. (2010). [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Qianjie Zhang, Hao Chen, Jianhua Sun, “An Execution-flow Based Method for Detecting Cross-Site Scripting Attacks” June 2010.
Sean McAllister, Engin Kirda, and Christopher Kruegel, “Leveraging User Interactions for In-Depth Testing of Web Applications”, 2008.
Nidal Khoury, Pavol Zavarsky, Dale Lindskog, and Ron Ruhl, “An Analysis of black-box Web Application
Security Scanners against Stored SQL Injection”, 2010
CENZIC Enterprise Application Security (2012) http://www.cenzic.com/downloads/Whitebox_VS_Blackbox_WP.pdf
Michael Brooks, “Bypassing Internet Explorer‟s XSS Filter”, 2011
John B. Dickson, “Black Box versus White-Box: Different App Testing Strategies”
Jeremiah Grossman, “Cross-Site Scripting Worms & Viruses: The Impending Threat & the Best Defense”, June 2007.
OWASP Broken Web Applications Virtual Machine. http://code.google.com/p/owaspbwa/wiki/Downloads
How to Cite
Copyright (c) 2020 International Journal on Information Technology and Computer Science
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.