Article
DOI: 10.1007/978-3-031-49187-0_9

Load-and-Act: Increasing Page Coverage of Web Applications

Published: 01 December 2023

Abstract

Current solutions for automated vulnerability discovery increase coverage but typically do not interact with the web application, so vulnerabilities in the code that handles user interactions often remain undiscovered. This paper evaluates interactive strategies that simulate user interaction to increase client-side JavaScript code coverage. As case studies, we analyze 5 widely deployed, real-world web applications and find that simple random walks can double the number of covered branches compared to merely waiting for the page to load (“load-and-wait”). Additionally, we propose novel approaches relying on state-independent models and demonstrate that these outperform the non-interactive baseline by 2.4× in terms of covered branches and 3.1× in terms of discovered data flows. Our interactive strategies revealed a client-side data flow in SuiteCRM that is exploitable as a stored XSS and SSRF attack but cannot be found without user interaction.

References

[1]
Artzi, S., Dolby, J., Jensen, S.H., Møller, A., Tip, F.: A framework for automated testing of JavaScript web applications. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 571–580 (2011)
[2]
Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the art: automated black-box web application vulnerability testing. In: Proceedings of the IEEE Symposium on Security and Privacy (S &P), pp. 332–345 (2010)
[3]
Bensalim, S., Klein, D., Barber, T., Johns, M.: Talking about my generation: targeted DOM-based XSS exploit generation using dynamic data flow analysis. In: Proceedings of the European Workshop on System Security (EUROSEC) (2021)
[5]
Demir, N., Große-Kampmann, M., Urban, T., Wressnegger, C., Holz, T., Pohlmann, N.: Reproducibility and replicability of web measurement studies. In: Proceedings of the ACM Web Conference (WWW) (2022)
[6]
Doupé, A., Cavedon, L., Kruegel, C., Vigna, G.: Enemy of the state: a state-aware black-box web vulnerability scanner. In: Proceedings of the USENIX Security Symposium, pp. 523–538 (2012)
[7]
Eriksson, B., Pellegrino, G., Sabelfeld, A.: Black widow: blackbox data-driven web scanning. In: Proceedings of the IEEE Symposium on Security and Privacy (S &P), pp. 1125–1142 (2021)
[9]
Ferruci, F., Sarro, F., Ronca, D., Abrahão, S.: A Crawljax based approach to exploit traditional accessibility evaluation tools for AJAX applications. In: D’Atri, A., Ferrara, M., George, J.F., Spagnoletti, P. (eds.) Information Technology and Innovation Trends in Organizations. Physica, Heidelberg (2011)
[10]
Gross, F., Fraser, G., Zeller, A.: EXSYST: search-based GUI testing. In: Proceedings of the International Conference on Software Engineering (ICSE) (2012)
[11]
Ihm, S., Pai, V.S.: Towards understanding modern web traffic. In: Proceedings of the Internet Measurement Conference (IMC), pp. 295–312 (2011)
[12]
Istanbul, a JavaScript test coverage tool. https://istanbul.js.org/
[14]
Jonker, H., Karsch, S., Krumnow, B., Sleegers, M.: Shepherd: a generic approach to automating website login. In: MADWeb 2020 (2020)
[15]
Kang, Z., Song, D., Cao, Y.: Probe the proto: measuring client-side prototype pollution vulnerabilities of one million real-world websites. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2022)
[16]
Khodayari, S., Pellegrino, G.: JAW: studying client-side CSRF with hybrid property graphs and declarative traversals. In: Proceedings of the USENIX Security Symposium, pp. 2525–2542 (2021)
[17]
Khodayari, S., Pellegrino, G.: It’s (DOM) clobbering time: attack techniques, prevalence, and defenses. In: Proceedings of the IEEE Symposium on Security and Privacy (S &P) (2023)
[18]
KirstenS: Cross site request forgery (CSRF). https://owasp.org/www-community/attacks/csrf
[19]
[20]
Klein, A.: DOM based cross site scripting or XSS of the third kind. Web Application Security Consortium (2005)
[21]
Klein, D., Musch, M., Barber, T., Kopmann, M., Johns, M.: Accept all exploits: exploring the security impact of cookie banners. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 911–922 (2022)
[22]
Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 1193–1204 (2013)
[23]
Levenshtein VI Binary codes capable of correcting deletions, insertions, and reversals Doklady Phys. 1966 10 707-710
[24]
McAllister S, Kirda E, and Kruegel C Lippmann R, Kirda E, and Trachtenberg A Leveraging user interactions for in-depth testing of web applications Recent Advances in Intrusion Detection 2008 Heidelberg Springer 191-210
[25]
Melicher, W., Das, A., Sharif, M., Bauer, L., Jia, L.: Riding out DOMsday: towards detecting and preventing DOM cross-site scripting. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2018)
[26]
Melicher, W., Fung, C., Bauer, L., Jia, L.: Towards a lightweight, hybrid approach for detecting DOM XSS vulnerabilities with machine learning. In: Proceedings of the ACM Web Conference (WWW), pp. 2684–2695 (2021)
[27]
Mesbah A, van Deursen A, and Lenselink S Crawling Ajax-based web applications through dynamic analysis of user interface state changes ACM Trans. Web 2012 6 1 1-30
[28]
Mesbah, A., Prasad, M.R.: Automated cross-browser compatibility testing. In: Proceedings of the International Conference on Software Engineering (ICSE) (2011)
[29]
Odoo: Open source ERP and CRM. https://www.odoo.com
[30]
ownCloud GmbH: ownCloud. https://owncloud.com
[31]
Parameshwaran, I., Budianto, E., Shinde, S., Dang, H., Sadhu, A., Saxena, P.: DexterJS: robust testing platform for DOM-based XSS vulnerabilities. In: Proceedings of the Joint Meeting on Foundations of Software Engineering, pp. 946–949 (2015)
[32]
Park, J., Lim, I., Ryu, S.: Battles with false positives in static analysis of JavaScript web applications in the wild. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 61–70 (2016)
[33]
Pellegrino G, Tschürtz C, Bodden E, and Rossow C Bos H, Monrose F, and Blanc G jÄk: using dynamic analysis to crawl and test modern web applications Research in Attacks, Intrusions, and Defenses 2015 Cham Springer 295-316
[34]
Ratanaworabhan, P., Livshits, B., Zorn, B.G.: JSMeter: comparing the behavior of JavaScript benchmarks with real web applications. In: USENIX Conference on Web Application Development (WebApps) (2010)
[35]
Ratcliff JW and Metzener DE Pattern-matching - the gestalt approach Dr. Dobbs J. 1988 13 7 46
[36]
Richards, G., Lebresne, S., Burg, B., Vitek, J.: An analysis of the dynamic behavior of JavaScript programs. In: Proceedings of the ACM SIGPLAN International Conference on Programming Languages Design and Implementation (PLDI), pp. 1–12 (2010)
[37]
Roest, D., Mesbah, A., van Deursen, A.: Regression testing ajax applications: coping with dynamism. In: Proceedings of the International Conference on Software Testing, Verification and Validation (ICST), pp. 127–136 (2010)
[38]
SalesAgility: SuiteCRM. https://suitecrm.com
[40]
Saxena, P., Hanna, S., Poosankam, P., Song, D.: FLAX: systematic discovery of client-side validation vulnerabilities in rich web applications. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2010)
[41]
Steffens, M., Rossow, C., Johns, M., Stock, B.: Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2019)
[42]
Stewart, S., Burns, D.: WebDriver. W3C working draft, W3C (2022)
[43]
Stock, B., Johns, M., Steffens, M., Backes, M.: How the web tangled itself: uncovering the history of client-side web (in)security. In: Proceedings of the USENIX Security Symposium, pp. 971–987 (2017)
[44]
Stock, B., Lekies, S., Mueller, T., Spiegel, P., Johns, M.: Precise client-side protection against DOM-based cross-site scripting. In: Proceedings of the USENIX Security Symposium, pp. 655–670 (2014)
[45]
Stock, B., Pfistner, S., Kaiser, B., Lekies, S., Johns, M.: From facepalm to brain bender: exploring client-side cross-site scripting. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 1419–1430 (2015)
[46]
The Selenium Project: Selenium (2022). https://www.selenium.dev/
[47]
WHATWG: HTML living standard (2022). https://html.spec.whatwg.org/
[48]
Zheng, Y., et al.: Automatic web testing using curiosity-driven reinforcement learning. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 423–435 (2021)


Published In

Information Security: 26th International Conference, ISC 2023, Groningen, The Netherlands, November 15–17, 2023, Proceedings
November 2023, 598 pages
ISBN: 978-3-031-49186-3
DOI: 10.1007/978-3-031-49187-0

Publisher

Springer-Verlag, Berlin, Heidelberg


Author Tags

1. web security
2. crawling
3. tainting
4. client-side vulnerabilities
