基於神經網絡語言模型的XSS載荷生成測試方法

Abstract

跨網站指令碼（Cross-Site Scripting，XSS）漏洞對網路應用程式構成重大威脅，因此需要開發強健的測試方法。本研究提出了一種基於神經網絡語言模型的黑盒XSS測試方法。我們利用語言模型的語意語法學習能力，自動產生針對不同XSS上下文自動產生不同的XSS載荷來做測試。為了評估我們方法的有效性，我們在有XSS弱點的網站上進行了實驗，包括Damn Vulnerable Web Application（DVWA）、Web Application Vulnerability Scanner Evaluation Project（WAVSEP）以及真實世界的網路應用程式。我們根據測試次數和XSS漏洞的檢測數量來評估我們的掃描方法的性能。結果顯示，相較於現有方法，我們的方法具有優勢。總而言之，我們的研究通過利用神經網絡語言模型，考慮XSS上下文並生成特定載荷，為XSS黑盒測試方法的進步做出了貢獻。我們的方法提供了一種高效且準確的檢測XSS漏洞的方式。

Cross-Site Scripting (XSS) vulnerabilities pose a significant threat to web applications, necessitating the development of robust testing methods. In this study, we propose a black-box XSS testing approach based on payload generation using a neural network language model. Our method leverages the semantic grammar learning ability of the language model to automatically generate XSS payloads tailored to different XSS contexts. To evaluate the effectiveness of our approach, we conducted extensive experiments on vulnerable websites, including the Damn Vulnerable Web Application (DVWA), the Web Application Vulnerability Scanner Evaluation Project (WAVSEP), and real-world web applications. The performance of our scanning method was assessed based on the number of trials and the detection of XSS vulnerabilities. The results demonstrate the superiority of our approach compared to existing methods. Overall, our research contributes to the advancement of XSS black-box testing methodologies by harnessing the power of neural network language models. By considering XSS context and generating tailored payloads, our approach offers an efficient and accurate means of detecting XSS vulnerabilities.