Bernhard Garn, Daniel S. Lang, Manuel Leithner, D. Richard Kuhn, Raghu N. Kacker, Dimitris Simos
Cross-site scripting (XSS) is a common class of vulnerabilities in the domain of web applications. As it remains prevalent despite continued efforts by practitioners and researchers, site operators often seek to protect their assets using web application firewalls (WAFs). These systems employ filtering mechanisms to intercept and reject requests that may be suitable to exploit XSS flaws and related vulnerabilities such as SQL injections. However, they generally do not offer complete protection and can often be bypassed using specifically crafted exploits. In this work, we evaluate the effectiveness of WAFs at detecting XSS exploits. We develop an attack grammar and use a combinatorial testing approach to generate attack vectors. We compare our vectors with conventional counterparts and their ability to bypass different WAFs. Our results show that the vectors generated with combinatorial testing perform equally well or better in almost all cases. They further confirm that most of the rule sets evaluated in this work can be bypassed by at least one of these crafted inputs.
2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
April 12-16, 2021
Porto de Galinhas, BR
IEEE International Conference on Software Testing, Verification and Validation (ICST)
Garn, B., Lang, D., Leithner, M., Kuhn, D., Kacker, R. and Simos, D., Combinatorially XSSing Web Application Firewalls, 2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), Porto de Galinhas, BR, [online], https://doi.org/10.1109/ICSTW52544.2021.00026, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=931831 (Accessed January 28, 2023)