iea19 Garn, Bernhard Radavelli, Marco Gargantini, Angelo Leithner, Manuel Simos, Dimitris E.

A Fault-Driven Combinatorial Process for Model Evolution in XSS Vulnerability Detection

in Advances and Trends in Artificial Intelligence. From Theory to Practice. Proceeding of the 32nd International Conference on Industrial, Engineering & Other Applications of Applied Intelligent Systems (IEA/AIE 2019) (Eds. Wotawa, Franz and Friedrich, Gerhard and Pill, Ingo and Koitz-Hristov, Roxane and Ali, Moonis) , Springer International Publishing, Lecture Notes in Computer Science, n. 11606 (2019): 207--215 ISBN 978-3-030-22999-3

Abstract
We consider the case where a knowledge base consists of interactions among parameter values in an input parameter model for web application security testing. The input model gives rise to attack strings to be used for exploiting XSS vulnerabilities, a critical threat towards the security of web applications. Testing results are then annotated with a vulnerability triggering or non-triggering classification, and such security knowledge findings are added back to the knowledge base, making the resulting attack capabilities superior for newly requested input models. We present our approach as an iterative process that evolves an input model for security testing. Empirical evaluation on six real-world web application shows that the process effectively evolves a knowledge base for XSS vulnerability detection, achieving on average 78.8\% accuracy.


[download the pdf file] [DOI]

My sw links