
(2019). A fault-driven combinatorial process for model evolution in XSS vulnerability detection. Retrieved from http://hdl.handle.net/10446/151156

A fault-driven combinatorial process for model evolution in XSS vulnerability detection

Radavelli, Marco; Gargantini, Angelo
2019-01-01

Abstract

We consider the case where a knowledge base consists of interactions among parameter values in an input parameter model for web application security testing. The input model gives rise to attack strings to be used for exploiting XSS vulnerabilities, a critical threat to the security of web applications. Testing results are then annotated with a vulnerability-triggering or non-triggering classification, and these security findings are added back to the knowledge base, making the resulting attack capabilities superior for newly requested input models. We present our approach as an iterative process that evolves an input model for security testing. Empirical evaluation on six real-world web applications shows that the process effectively evolves a knowledge base for XSS vulnerability detection, achieving on average 78.8% accuracy.
2019
English
Advances and Trends in Artificial Intelligence. From Theory to Practice: 32nd International Conference on Industrial, Engineering and Other Applications of Applied Intelligent Systems, IEA/AIE 2019, Graz, Austria, July 9–11, 2019, Proceedings
Wotava, Franz; Friedrich, Gerhard; Pill, Ingo; Koitz-Hristov, Roxane; Ali, Moonis
978-3-030-22998-6
11606
207
215
print
online
Switzerland
Cham
Springer
IEA/AIE 2019: 32nd International Conference on Industrial, Engineering and Other Applications of Applied Intelligent Systems, Graz, Austria, 9-11 July 2019
32nd
Graz (Austria)
9-11 September 2019
international
contribution
Sector ING-INF/05 - Information Processing Systems
Combinatorial testing; Model evolution; Security testing; XSS vulnerability
info:eu-repo/semantics/conferenceObject
5
Garn, Bernhard; Radavelli, Marco; Gargantini, Angelo Michele; Leithner, Manuel; Simos, Dimitris E.
1.4 Contributions in conference proceedings::1.4.01 Conference presentations
reserved
Not defined
273
File(s) attached to the record:
File: xssvulnerabilities_ieaaie19_cameraReady.pdf
Access: archive managers only
Version: postprint - refereed version/accepted without refereeing
Licence: Aisberg default licence
File size: 291.08 kB
Format: Adobe PDF

Aisberg ©2008 Library Services, Università degli studi di Bergamo | Terms of use

Use this identifier to cite or link to this document: https://hdl.handle.net/10446/151156
Citations
  • Scopus 8
  • ISI 8