
Automatic and Context-Aware Cross-Site Scripting Filter Evasion

Fabrizio d'Amore and Mauro Gentile
Additional contact information
Fabrizio d'Amore: Department of Computer, Control and Management Engineering, Universita' degli Studi di Roma "La Sapienza"
Mauro Gentile: Department of Computer, Control and Management Engineering, Universita' degli Studi di Roma "La Sapienza"

No 2012-04, DIAG Technical Reports from Department of Computer, Control and Management Engineering, Universita' degli Studi di Roma "La Sapienza"

Abstract: Cross-Site Scripting (XSS) is a pervasive vulnerability that affects a huge portion of modern web applications. Implementing a correct and complete XSS filter for user-generated content can be a real challenge for web developers. Many aspects have to be taken into account, since attackers may continuously show off a potentially unlimited armory. This work proposes an approach and a tool, named snuck, for web application penetration testing, which can definitely help in finding hard-to-spot and advanced XSS vulnerabilities. The methodology is based on the inspection of the injection's reflection context and relies on a set of specialized and obfuscated attack vectors for bypassing the filter-based protections adopted against potentially harmful inputs. In addition, XSS testing is performed in-browser: a web browser is driven to reproduce the attacker's and possibly the victim's behavior. Results of several tests on many popular Content Management Systems proved the benefits of this approach: no other web vulnerability scanner would have been able to discover some advanced ways to bypass robust XSS filters.

Keywords: Computer security; Network Security; Web Application Security; Browser Security; Vulnerability Detection; Cross-site Scripting; XSS
Pages: 58
Date: 2012-04

Downloads: http://www.dis.uniroma1.it/~bibdis/RePEc/aeg/report/2012-04.pdf (first version, 2012, application/pdf)


Persistent link: https://EconPapers.repec.org/RePEc:aeg:report:2012-04

Bibliographic data for series maintained by Antonietta Angelica Zucconi.

Page updated 2025-04-14
Handle: RePEc:aeg:report:2012-04