WAVE: Black Box Detection of XSS, CSRF and Information Leakage Vulnerabilities

Abstract

In this paper we propose a black-box method to detect web application vulnerabilities including XSS, CSRF and information leakage, for which existing vulnerability scanners have little power to detect. Cross Site Scripting (XSS) involves echoing attacker-supplied code into a user's browser instance, and Cross Site Request Forgery (CSRF) forces the user’s browser to request actions without user awareness. Information flow due to client-server interactions is the root cause of these vulnerabilities as well as of information leakage. According to this, in our method, we first analyze information flow between users of the web application under evaluation to extract potentially vulnerable flows. Then, we examine the flows by sending special requests to discover XSS and CSRF vulnerabilities. In addition, we qualitatively discuss on the risk of the discovered vulnerabilities with respect to the analysis of the flow as the vulnerability origin.The proposed method is implemented as a Web Application Vulnerability dEtection tool, called WAVE. The evaluation results show that WAVE, having a low rate of false negative, can be reliably used for security analysis of web applications when static analysis is not possible.