DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection

With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both...

Full description

Saved in:
Bibliographic Details
Main Authors: Jinkun Pan, Xiaoguang Mao
Format: Conference Proceeding
Language:English
Subjects:
Benchmark testing
Browsers
Context
DOM-based XSS
HTML
micro benchmark
Servers
tool evaluation
Uniform resource locators
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both for developers and tool users, the benchmark plays an important role in evaluating the effectiveness of detection tools. However, no widely used standard benchmark exists in the domain of DOM-based XSS. In this paper, we present a micro benchmark named DomXssMicro. DomXssMicro is constructed based on a template extracted from representative vulnerabilities, consisting of six orthogonal components (i.e. Source, Propagation, Transformation, Sink, Trigger and Context). In DomXssMicro, there are 175 test cases in total, each one of which aims at testing a specific property of DOM-based XSS. To illustrate our micro benchmark, an empirical study is performed to evaluate six state-of-the-art DOM-based XSS detection tools, including both commercial and open-source ones. The results demonstrate that our micro benchmark is helpful in providing guidance and insight for tools selection and further improvement.
ISSN:2324-9013
DOI:10.1109/TrustCom.2016.0065