DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection

With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both...

Full description

Saved in:
Bibliographic Details
Main Authors: Jinkun Pan, Xiaoguang Mao
Format: Conference Proceeding
Language:English
Subjects:
Benchmark testing
Browsers
Context
DOM-based XSS
HTML
micro benchmark
Servers
tool evaluation
Uniform resource locators
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
cited_by
cites
container_end_page 215
container_issue
container_start_page 208
container_title
container_volume
creator Jinkun Pan
Xiaoguang Mao
description With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both for developers and tool users, the benchmark plays an important role in evaluating the effectiveness of detection tools. However, no widely used standard benchmark exists in the domain of DOM-based XSS. In this paper, we present a micro benchmark named DomXssMicro. DomXssMicro is constructed based on a template extracted from representative vulnerabilities, consisting of six orthogonal components (i.e. Source, Propagation, Transformation, Sink, Trigger and Context). In DomXssMicro, there are 175 test cases in total, each one of which aims at testing a specific property of DOM-based XSS. To illustrate our micro benchmark, an empirical study is performed to evaluate six state-of-the-art DOM-based XSS detection tools, including both commercial and open-source ones. The results demonstrate that our micro benchmark is helpful in providing guidance and insight for tools selection and further improvement.
doi_str_mv 10.1109/TrustCom.2016.0065
format conference_proceeding
fullrecord <record><control><sourceid>ieee_CHZPO</sourceid><recordid>TN_cdi_ieee_primary_7846948</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>7846948</ieee_id><sourcerecordid>7846948</sourcerecordid><originalsourceid>FETCH-LOGICAL-i90t-62795cd54e739b5c6af4c13ad7d4735962441ef8a36f9c162f12ebbf9c31ba03</originalsourceid><addsrcrecordid>eNotjl1LwzAYRqMgOGb_gN7kD6S--Wzj3dbND9jYRYd4N9I00ejajqQT_PcO59U5cODhQeiWQk4p6PttPKaxGrqcAVU5gJIXKNNFSSVo4AwkvUQTxpkgGii_RllKnwDAmNJclhP0uhi6t5TWwcbhAc_wn-C56-1HZ-IX9kPEy2-zP5ox9O94sVmTuUmuxVUcUiJ1GB2ubQyHc3ajs2MY-ht05c0-ueyfU1Q_LrfVM1ltnl6q2YoEDSNRrNDStlK4gutGWmW8sJSbtmhFwaVWTAjqfGm48tpSxTxlrmlOzmljgE_R3Xk1OOd2hxhOl392RSmUFiX_BVquUhA</addsrcrecordid><sourcetype>Publisher</sourcetype><iscdi>true</iscdi><recordtype>conference_proceeding</recordtype></control><display><type>conference_proceeding</type><title>DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection</title><source>IEEE Xplore All Conference Series</source><creator>Jinkun Pan ; Xiaoguang Mao</creator><creatorcontrib>Jinkun Pan ; Xiaoguang Mao</creatorcontrib><description>With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both for developers and tool users, the benchmark plays an important role in evaluating the effectiveness of detection tools. However, no widely used standard benchmark exists in the domain of DOM-based XSS. In this paper, we present a micro benchmark named DomXssMicro. DomXssMicro is constructed based on a template extracted from representative vulnerabilities, consisting of six orthogonal components (i.e. Source, Propagation, Transformation, Sink, Trigger and Context). In DomXssMicro, there are 175 test cases in total, each one of which aims at testing a specific property of DOM-based XSS. To illustrate our micro benchmark, an empirical study is performed to evaluate six state-of-the-art DOM-based XSS detection tools, including both commercial and open-source ones. The results demonstrate that our micro benchmark is helpful in providing guidance and insight for tools selection and further improvement.</description><identifier>EISSN: 2324-9013</identifier><identifier>EISBN: 9781509032051</identifier><identifier>EISBN: 1509032053</identifier><identifier>DOI: 10.1109/TrustCom.2016.0065</identifier><identifier>CODEN: IEEPAD</identifier><language>eng</language><publisher>IEEE</publisher><subject>Benchmark testing ; Browsers ; Context ; DOM-based XSS ; HTML ; micro benchmark ; Servers ; tool evaluation ; Uniform resource locators</subject><ispartof>2016 IEEE Trustcom/BigDataSE/ISPA, 2016, p.208-215</ispartof><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/7846948$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>309,310,780,784,789,790,27925,54555,54932</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/7846948$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Jinkun Pan</creatorcontrib><creatorcontrib>Xiaoguang Mao</creatorcontrib><title>DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection</title><title>2016 IEEE Trustcom/BigDataSE/ISPA</title><addtitle>TrustCom</addtitle><description>With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both for developers and tool users, the benchmark plays an important role in evaluating the effectiveness of detection tools. However, no widely used standard benchmark exists in the domain of DOM-based XSS. In this paper, we present a micro benchmark named DomXssMicro. DomXssMicro is constructed based on a template extracted from representative vulnerabilities, consisting of six orthogonal components (i.e. Source, Propagation, Transformation, Sink, Trigger and Context). In DomXssMicro, there are 175 test cases in total, each one of which aims at testing a specific property of DOM-based XSS. To illustrate our micro benchmark, an empirical study is performed to evaluate six state-of-the-art DOM-based XSS detection tools, including both commercial and open-source ones. The results demonstrate that our micro benchmark is helpful in providing guidance and insight for tools selection and further improvement.</description><subject>Benchmark testing</subject><subject>Browsers</subject><subject>Context</subject><subject>DOM-based XSS</subject><subject>HTML</subject><subject>micro benchmark</subject><subject>Servers</subject><subject>tool evaluation</subject><subject>Uniform resource locators</subject><issn>2324-9013</issn><isbn>9781509032051</isbn><isbn>1509032053</isbn><fulltext>true</fulltext><rsrctype>conference_proceeding</rsrctype><creationdate>2016</creationdate><recordtype>conference_proceeding</recordtype><sourceid>6IE</sourceid><recordid>eNotjl1LwzAYRqMgOGb_gN7kD6S--Wzj3dbND9jYRYd4N9I00ejajqQT_PcO59U5cODhQeiWQk4p6PttPKaxGrqcAVU5gJIXKNNFSSVo4AwkvUQTxpkgGii_RllKnwDAmNJclhP0uhi6t5TWwcbhAc_wn-C56-1HZ-IX9kPEy2-zP5ox9O94sVmTuUmuxVUcUiJ1GB2ubQyHc3ajs2MY-ht05c0-ueyfU1Q_LrfVM1ltnl6q2YoEDSNRrNDStlK4gutGWmW8sJSbtmhFwaVWTAjqfGm48tpSxTxlrmlOzmljgE_R3Xk1OOd2hxhOl392RSmUFiX_BVquUhA</recordid><startdate>201608</startdate><enddate>201608</enddate><creator>Jinkun Pan</creator><creator>Xiaoguang Mao</creator><general>IEEE</general><scope>6IE</scope><scope>6IL</scope><scope>CBEJK</scope><scope>RIE</scope><scope>RIL</scope></search><sort><creationdate>201608</creationdate><title>DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection</title><author>Jinkun Pan ; Xiaoguang Mao</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-i90t-62795cd54e739b5c6af4c13ad7d4735962441ef8a36f9c162f12ebbf9c31ba03</frbrgroupid><rsrctype>conference_proceedings</rsrctype><prefilter>conference_proceedings</prefilter><language>eng</language><creationdate>2016</creationdate><topic>Benchmark testing</topic><topic>Browsers</topic><topic>Context</topic><topic>DOM-based XSS</topic><topic>HTML</topic><topic>micro benchmark</topic><topic>Servers</topic><topic>tool evaluation</topic><topic>Uniform resource locators</topic><toplevel>online_resources</toplevel><creatorcontrib>Jinkun Pan</creatorcontrib><creatorcontrib>Xiaoguang Mao</creatorcontrib><collection>IEEE Electronic Library (IEL) Conference Proceedings</collection><collection>IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume</collection><collection>IEEE Xplore All Conference Proceedings</collection><collection>IEEE Xplore (Online service)</collection><collection>IEEE Proceedings Order Plans (POP All) 1998-Present</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Jinkun Pan</au><au>Xiaoguang Mao</au><format>book</format><genre>proceeding</genre><ristype>CONF</ristype><atitle>DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection</atitle><btitle>2016 IEEE Trustcom/BigDataSE/ISPA</btitle><stitle>TrustCom</stitle><date>2016-08</date><risdate>2016</risdate><spage>208</spage><epage>215</epage><pages>208-215</pages><eissn>2324-9013</eissn><eisbn>9781509032051</eisbn><eisbn>1509032053</eisbn><coden>IEEPAD</coden><abstract>With the prevalence of JavaScript, Cross-site Scripting based on Document Object Model (DOM-based XSS) has become one of critical threats to client-side Web applications. To detect DOM-based XSS vulnerabilities, a variety of tools have been developed, providing different features and abilities. Both for developers and tool users, the benchmark plays an important role in evaluating the effectiveness of detection tools. However, no widely used standard benchmark exists in the domain of DOM-based XSS. In this paper, we present a micro benchmark named DomXssMicro. DomXssMicro is constructed based on a template extracted from representative vulnerabilities, consisting of six orthogonal components (i.e. Source, Propagation, Transformation, Sink, Trigger and Context). In DomXssMicro, there are 175 test cases in total, each one of which aims at testing a specific property of DOM-based XSS. To illustrate our micro benchmark, an empirical study is performed to evaluate six state-of-the-art DOM-based XSS detection tools, including both commercial and open-source ones. The results demonstrate that our micro benchmark is helpful in providing guidance and insight for tools selection and further improvement.</abstract><pub>IEEE</pub><doi>10.1109/TrustCom.2016.0065</doi><tpages>8</tpages></addata></record>
fulltext fulltext_linktorsrc
identifier EISSN: 2324-9013
ispartof 2016 IEEE Trustcom/BigDataSE/ISPA, 2016, p.208-215
issn 2324-9013
language eng
recordid cdi_ieee_primary_7846948
source IEEE Xplore All Conference Series
subjects Benchmark testing
Browsers
Context
DOM-based XSS
HTML
micro benchmark
Servers
tool evaluation
Uniform resource locators
title DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-02T13%3A43%3A23IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_CHZPO&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=DomXssMicro:%20A%20Micro%20Benchmark%20for%20Evaluating%20DOM-Based%20Cross-Site%20Scripting%20Detection&rft.btitle=2016%20IEEE%20Trustcom/BigDataSE/ISPA&rft.au=Jinkun%20Pan&rft.date=2016-08&rft.spage=208&rft.epage=215&rft.pages=208-215&rft.eissn=2324-9013&rft.coden=IEEPAD&rft_id=info:doi/10.1109/TrustCom.2016.0065&rft.eisbn=9781509032051&rft.eisbn_list=1509032053&rft_dat=%3Cieee_CHZPO%3E7846948%3C/ieee_CHZPO%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-i90t-62795cd54e739b5c6af4c13ad7d4735962441ef8a36f9c162f12ebbf9c31ba03%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=7846948&rfr_iscdi=true