Abstract

The widespread use of web applications has also made them more vulnerable to hackers, resulting in the leakage of large amounts of application and personal privacy data. Cross-site scripting (XSS) attacks are one of the most significant threats to web applications. Attackers can inject scripts to control the victim's browser to send data or execute commands, leading to the theft of private data or the hijacking of login tokens. Therefore, we propose a multi-feature fusion-based neural network vulnerability detection model for detecting XSS vulnerabilities in the JavaScript source code of websites (we term our implementation of this approach MFXSS). We combine the abstract syntax tree (AST) and the code control flow graph (CFG) to convert the generalized sample data into a graph structure and a code string structure. Then, through a graph convolutional neural network, weighted aggregation, and a bidirectional recurrent neural network, the logical call features and the context execution relationship features of the source code are extracted and fused, respectively. Finally, the fused feature vectors are used to detect and predict XSS vulnerabilities in JavaScript. In the experiments, we designed multiple control experiments to verify that the model construction is optimal; the accuracy rates on the standard and variant datasets are 0.997 and 0.986, respectively. Moreover, compared with similar detection schemes, MFXSS also performs better. Applying the model to an actual web environment, we successfully detected the presence of XSS vulnerabilities in websites.
