在網站應用程式中，跨網站攻擊可以繞過其存取控制而得到提昇的權限，而這些
攻擊都源自於網站應用程式中含有不完整或不正確的過濾函式。即使是程式設計
師或安全專家皆使用自動測試工具來找出跨網站弱點，這類的工具卻缺少變形的
機制來協助發現潛在的跨網站弱點。
為了協助目前的跨網站弱點偵測技術，本文強調產生更具威脅性的跨網站攻
擊。我們提出一個完全自動化地攻擊向量的結構學習機制。變形攻擊的產生仰賴
於攻擊向量的分析及結構上的學習機制。在學習機制的核心方法上，為了捕捉攻
擊向量組成的潛在手法，利用了隱藏式馬可夫模型以呈現攻擊向量模型的結構。
利用由本文所提出的字符分解(Tokenize)機制，將跨網站攻擊標記為具有文法上
的抽象意義，這有益於所塑模出的手法更具代表性，此外，利用了貝氏理論來決
定攻擊向量模型的隱藏狀態節點的數量，使模型更具有泛用性。我們使用Burp
Intruder來檢驗我們所提出的方法，而實驗結果顯示跨網站變形攻擊可以識別出
潛在的跨網站弱點。
本文中所提出的技術著重於學習跨網站攻擊中的組成元素及隱含的結構。而
且，該技術能夠增加黑箱或白箱測試偵測到跨網站弱點的能力。本文的貢獻如下：
(1) 自動地從實際資料的分析到塑模一個攻擊向量的結構模型，以學習攻擊向量
的結構，(2) 模仿攻擊向量的組成手法及元素以擴展跨網站弱點測試工具的測試
能力，(3) 有助於驗證網站應用程式中以黑名單方式過濾輸入的函式的弱點。

Cross-site scripting (XSS) attacks inWeb applications can bypass the access control to
gain elevated access privileges and resulted from incomplete or incorrect input saniti-
zation. Either the programmers or the security experts use automatic testing tools that
are equipped predefined attack vectors or manually craft attack vectors for identify-
ing XSS vulnerabilities, it is short of mutation mechanism that helps the discovery of
diverse manifestation of potential vulnerabilities. Learning the structure of attack vec-
tors could enrich the variety of manifestations in generated XSS attacks for identifying
XSS vulnerabilities.
In this study, we focus on the generation of threatening XSS attacks for the state-
of-the-art detection approaches that can find potential XSS vulnerabilities in web ap-
plications. We proposed a structural learning mechanism for generating the mutated
XSS attacks in a fully automatic way. Mutated XSS attack generation depends on the
analysis of attack vectors and the structural learning mechanism. For the kernel of the
learning mechanism, the hidden Markov model (HMM) is applied to present the struc-
ture of the attack vector model for capturing the implicit manner of the attack vector.
These manners benefited from the syntax meanings that are labeled by the proposed
tokenizing mechanism. Bayes’ Theorem is used to determine the number of hidden states in the model for generalizing the attack vector model. We evaluate the proposed
mechanism by Burp Intruder with a dataset collected from public XSS archives. The
experimental results demonstrate that mutated XSS attack generation can identify potential
vulnerabilities.
The proposed technique aims at testing Web applications by learning the elements
and implicit structures existed in XSS attacks. Furthermore, this method could increase
the probability of finding XSS vulnerabilities in black-box or white-box testing. We
give the contributions of this study: (1) automatically learn the structure of attack
vectors from practical data analysis to modeling a structure model of attack vectors,
(2) mimic the manners and the elements of attack vectors to extend the ability of testing
tool for identifying XSS vulnerabilities, (3) be helpful to verify the flaws of blacklist
sanitization procedures of Web applications.

[1] S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst, “Find-
ing bugs in dynamic web applications,” in Proceedings of the 2008 international
symposium on Software testing and analysis, July 20–24 2008, pp. 261–272.
[2] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and
G. Vigna, “Saner: Composing static and dynamic analysis to validate sanitization
in web applications,” in Proceedings of the 2008 IEEE Symposium on Security
and Privacy, Oakland, California, USA, May 18–21 2008, pp. 387–401.
[3] J. Bau, E. Bursztein, D. Gupta, and J. Mitchell, “State of the art: Automated
black-box web application vulnerability testing,” in Proceedings of the 2010
IEEE Symposium on Security and Privacy, Oakland, California, USA, May 16–
19 2010, pp. 332–345.
[4] C. T. Company, “Paros 3.2.13,” Auguest 2006. [Online]. Available: http:
//www.parosproxy.org
[5] CPAN.ORG, “Html parser class,” April 2010. [Online]. Available: http:
//search.cpan.org/ gaas/HTML-Parser-3.65/
[6] CPAN.ORG, “Html::entities,” April 2010. [Online]. Available: http://search.
cpan.org/ gaas/HTML-Parser-3.65/lib/HTML/Entities.pm
[7] CPAN.ORG, “Uri::escape,” March 2010. [Online]. Available: http://search.cpan.
org/ gaas/URI-1.54/URI/Escape.pm
[8] P. Dupont, F. Denis, and Y. Esposito, “Links between probabilistic automata and
hidden markov models: Probability distributions, learning models and induction
algorithms,” Pattern Recognition, vol. 38, no. 9, pp. 1349–1371, September 2005.
[9] K. Fernandez and D. Pagkalos, “Xssed project,” February 2007. [Online].
Available: http://xssed.com
[10] P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, andW. Lee, “Polymorphic blending
attacks,” in Proceedings of the 15th USENIX Security Symposium, July 31–
August 4 2006, pp. 241–256.
[11] Fourthdimension, “Stealing cookie with xss,” April 2009. [Online]. Available:
http://www.go4expert.com/forums/showthread.php?t=17066
[12] W. G. J. Halfond, S. R. Choudhary, and A. Orso, “Penetration testing with improved
input vector identification,” in Proceedings of the 2009 International Conference
on Software Testing Verification and Validation, Denver, Colorado, USA,
April 1–4 2009, pp. 346–355.
[13] S. Hansman and R. Hunt, “A taxonomy of network and computer attacks,” Computers
and Security, vol. 24, no. 1, pp. 31–43, 2005.
[14] Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai, “Web application security
assessment by fault injection and behavior monitoring,” in Proceedings of the
12th international conference on World Wide Web, May 20–24 2003, pp. 148–
159.
[15] Y.-W. Huang, C.-H. Tsai, T.-P. Lin, S.-K. Huang, D.-T. Lee, and S.-Y. Kuo, “A
testing framework for web application security assessment,” Computer Network,
vol. 48, no. 5, pp. 739–761, 2005.
[16] G. Inc., “Sourceforge.net,” 2010. [Online]. Available: http://sourceforge.net
[17] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting
web application vulnerabilities (short paper),” in Proceedings of the 2006 IEEE
Symposium on Security and Privacy, Berkeley/Oakland, California, USA, May
21–24 2006, pp. 258–263.
[18] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, “Secubat: A web vulnerability
scanner,” in Proceedings of the 15th international conference onWorldWideWeb,
Edinburgh, Scotland, UK, May 23–26 2006, pp. 247–256.
[19] A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst, “Automatic creation of sql
injection and cross-site scripting attacks,” in Proceedings of the 31st International
Conference on Software Engineering, Vancouver, Canada, May 16–24 2009, pp.
199–209.
[20] M. Martin and M. S. Lam, “Automatic generation of xss and sql injection attacks
with goal-directed model checking,” in Proceedings of the 17th conference on
Security symposium, Boston, Massachusetts, June 22–27 2008, pp. 31–43.
[21] S. McAllister, E. Kirda, and C. Kruegel, “Leveraging user interactions for indepth
testing of web applications,” in Proceedings of the 11th International
Symposium on Recent Advances in Intrusion Detection, Massachusetts, USA,
September 15–17 2008, pp. 191–210.
[22] Methodman and DP, “Xss, iframe injections and xmlhttp post request errors
on mcafee sites,” May 2009. [Online]. Available: http://xssed.com/news/92/
XSS Iframe injections and XMLHTTP post request errors on McAfee sites/
[23] Y. Minamide, “Static approximation of dynamically generated web pages,” in
Proceedings of the 14th international conference on World Wide Web, Chiba,
Japan, May 10–14 2005, pp. 432–441.
[24] Mrmunkey22, “Schoolmate 1.5.4,” November 2004. [Online]. Available:
http://sourceforge.net/projects/schoolmate/
[25] R. Naraine, “Strongwebmail ceo’s mail account hacked via xss,”
June 2009. [Online]. Available: http://www.zdnet.com/blog/security/
strongwebmail-ceos-mail-account-hacked-via-xss/3514
[26] Netcraft.com, “May 2010 web server survey,” May 2010. [Online]. Available:
http://news.netcraft.com/archives/category/web-server-survey/
[27] J. Offutt, Y. Wu, X. Du, and H. Huang, “Bypass testing of web applications,” in
Proceedings of the 15th International Symposium on Software Reliability Engineering,
St-Malo, France, November 02–05 2004, pp. 187–197.
[28] O. S. V. D. (OSVDB), “phpmyadmin xss protection string blacklist bypass,”
March 2007. [Online]. Available: http://osvdb.org/show/osvdb/35048
[29] OWASP, “Owasp cal9000 project,” December 2009. [Online]. Available:
http://www.owasp.org/index.php/Category:OWASP CAL9000 Project
[30] OWASP, “Cross-site scripting (xss),” 2 2010. [Online]. Available: http:
//www.owasp.org/index.php/Cross-site Scripting (XSS)
[31] OWASP, “Owasp top 10 project,” 2010. [Online]. Available: http://www.owasp.
org/index.php/Category:OWASP$ $Top$ $Ten$ $Project
[32] Php.net, “htmlspecialchars,” 2001. [Online]. Available: http://php.net/manual/
en/function.htmlspecialchars.php
[33] PortSwigger, “Burp intruder 1.3.03,” May 2010. [Online]. Available: http:
//portswigger.net/intruder/
[34] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose, “All your iframes point
to us,” in Proceedings of the 17th conference on USENIX Security Symposium,
San Jose, CA, July 28August 1 2008, pp. 1–15.
[35] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu, “The
ghost in the browser analysis of web-based malware,” in Proceedings of the first
conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge,
MA, April 20 2007, p. 4.
[36] L. R. Rabiner and B.-H. Juang, “An introduction to hidden markov models,”
ASSP Magazine, IEEE, vol. 3, no. 1, pp. 4–16, January 1986.
[37] Roflo1 and Sandking, “Webchess 0.9.0,” September 2004. [Online]. Available:
http://sourceforge.net/projects/webchess/
[38] RSnake, “Xss (cross site scripting) cheat sheet,” 2009. [Online]. Available:
http://ha.ckers.org/xss.html
[39] SearchSecurity.com, “Security definition-attack vector,” Jan 2007. [Online].
Available: http://searchsecurity.techtarget.com/dictionary/definition/1005812/
attack-vector.html
[40] H. Shahriar and M. Zulkernine, “Automatic testing of program security vulnerabilities,”
in Proceedings of the 33rd Annual IEEE International Computer Software
and Applications Conference, vol. 2, Seattle,Washington, USA, July 20–24
2009, pp. 550–555.
[41] spamnews.com, “Websites of who and mi5 hacked using xss attacks,”
Auguest 2009. [Online]. Available: http://spamnews.com/The-News/Latest/
Websites-of-WHO-and-MI5-Hacked-Using-XSS-Attacks-2009081211637/
[42] A. Stolcke, “Bayesian learning of probabilistic language models,” Ph.D. dissertation,
Berkeley, CA: University of California, 1994.
[43] A. Stolcke and S. Omohundro, “Hidden markov model induction by bayesian
model merging,” in Advances in Neural Information Processing Systems, vol. 5,
San Mateo, CA, 1993, pp. 11–18.
[44] A. Stolcke and S. M. Omohundro, “Best-first model merging for hidden markov
model induction,” International Computer Science Institute, Berkeley, Ca, Tech.
Rep., 1994.
[45] N. Surribas, “Wapiti 2.2.1,” December 2009. [Online]. Available: http:
//wapiti.sourceforge.net/
[46] R. T. F. Tim Berners-Lee and L. Masinter, RFC3986-Uniform Resource
Identifiers (URI): Generic Syntax, Std., January 2005. [Online]. Available:
http://tools.ietf.org/html/rfc3986
[47] URL, “Wikipedia.” [Online]. Available: http://en.wikipedia.org/wiki/Uniform
Resource Locator
[48] G. Vigna, W. Robertson, and D. Balzarotti, “Testing network-based intrusion detection
signatures using mutant exploits,” in Proceedings of the ACM Conference
on Computer and Communication Security, Washington, DC, USA, October 25–
29 2004, pp. 21–30.
[49] A. J. Viterbi, “Error bounds for convolutional codes and an asymptotically optimum
decoding algorithm,” IEEE Transactions on Information Theory, vol. 13,
no. 2, pp. 260–269, April 1967.
[50] w3schools.com, “Html tutorial.” [Online]. Available: http://www.w3schools.
com/html/default.asp
[51] Y.-H. Wang, C.-H. Mao, and H.-M. Lee, “Structural learning of attack vectors
for generating mutated xss attacks,” in being appearing in the fourth International
Workshop on Testing, Analysis and Verification of Web Software, Antwerp,
Belgium, September 21 2010.
[52] G. Wassermann and Z. Su, “Sound and precise analysis of web applications for
injection vulnerabilities,” SIGPLAN Notice, vol. 42, no. 6, pp. 32–41, 2007.
[53] G. Wassermann and Z. Su, “Static detection of cross-site scripting vulnerabilities,”
in Proceedings of the 30th International Conference on Software Engineering,
Leipzig, Germany, May 10-18 2008, pp. 171–180.