Alternative Approach to Automate Detection of DOM-XSS Vulnerabilities

Name
Wael Mohamed Fathi Ahmed AbuSeada
Abstract
This thesis proposes an alternative methodology for detecting DOM-XSS that builds on the existing approach web scanners use to detect general XSS. The general approach of web scanners is to inject a payload into the web page's inputs and check the received HTML response for possible cross-site scripting vulnerabilities. The thesis proposes adding an extra scan layer: an actual browser that is responsible for sending every request and rendering the HTML response received from the web server. Rendering the response causes any script in the page to be executed, so any code that alters the page's dynamic content and causes DOM-XSS is reflected in the rendered response. The rendered response is then checked for XSS vulnerabilities. This methodology allows detecting both DOM-XSS and other types of XSS. As a proof of concept for this methodology, the thesis author created a web-based tool on that premise. The tool can open and control a browser, which allows automated loading of web pages and scanning of the rendered response for vulnerabilities. Finally, the tool provides a detailed scan report that points out possible inputs that might cause XSS, in order to assist penetration testers who prefer manual scans.
Graduation Thesis language
English
Graduation Thesis type
Master - Cyber Security
Supervisor(s)
Olaf Manuel Maennel, Raimundas Matulevičius
Defence year
2017