Abstract

Cross Site Scripting (XSS) is one of the most important vulnerabilities in web applications and has held a top-three position among the OWASP TOP10 [1] security risks for a long time. Among web application components, the RTF (Rich Text Format) Editor exposes an especially wide range of XSS attacks because of its own characteristics. As XSS detection technology has developed, fuzzing has become a popular approach for discovering XSS in web applications, but it has not been applied to Rich Text Editors. This paper therefore proposes an RTF Editor XSS fuzz framework built on a lexically based fuzzing approach. The framework consists of an attack vector template and a mutation engine. We use a concept named “boundary” to build the template and a method named “breaking boundaries” to generate mutated data. Experimental results from our fuzz framework are quite encouraging: we ran it over 12 real-world RTF Editors (including Webmail, Blog, Markdown editors, etc.) and found vulnerabilities in 8 of them. We have responsibly reported our findings to the respective developers of the editors.
