Web applications on the Internet play an indispensable role in social networking, media, and management. Because they hold large amounts of private personal information and login tokens, web applications are frequent targets for hackers. Cross-site scripting attacks are the most common method used to steal data from web applications. To address the security risks caused by cross-site scripting vulnerabilities, security personnel need to actively discover these vulnerabilities so that they can better defend against the harm. We propose a novel genetic algorithm-based fuzzing scheme to address this problem. First, a small number of initial attack vectors are generated according to the interactive environment of the web application, and then the attack vectors are sequenced into genes. Combined with the grammatical structure features of cross-site scripting and common bypass methods, the gene sequences are iteratively optimized and improved. Finally, the generated high-quality vectors are used to detect potential cross-site scripting threats in the application (we named the implementation of this approach GAXSS). The proposed method can automatically detect vulnerabilities at page interaction points and can obtain better detection results without a large number of test dictionaries, at a reasonable time cost. We have conducted vulnerability tests on many common open-source web applications, with a precision rate of 1.0 and an accuracy rate over 0.98. In addition, we compared GAXSS with other well-known scanners and state-of-the-art detection methods. Its comprehensive performance is better, and it can effectively detect vulnerabilities.
Liu, Z., Fang, Y., Huang, C., & Xu, Y. (2022). GAXSS: Effective Payload Generation Method to Detect XSS Vulnerabilities Based on Genetic Algorithm. Security and Communication Networks, 2022. https://doi.org/10.1155/2022/2031924