XSS DETECTION METHOD AND DEVICE
First Claim
1. An XSS detection method for detecting XSS vulnerabilities in a web page, comprising the steps of:
- determining a set of parameter-value pairs that can be accepted by the web page; and
- for each parameter-value pair in the set:
  - constructing a parameter-value pair in which a dedicated script is inserted;
  - assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted;
  - acquiring the dynamic web page content corresponding to the assembled URL; and
  - simulating the execution of the acquired dynamic web page content; if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities.
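The claimed loop (enumerate accepted parameters, inject a dedicated script into each value, build the test URL, fetch the page, simulate execution, flag the parameter if the script ran) as an added, self-contained Python example; this is illustration code, not the patent's own implementation. A real scanner's "communicator" would issue HTTP requests, and its "simulator" would run the page's JavaScript; here both are replaced with constructed stand-ins (a local routing table of page-rendering functions, and an `HTMLParser`-based check for whether the per-parameter canary script lands in an executable context: the body of a `<script>` element or an `on*` event-handler attribute). The page names and renderers are constructed for the example.

```python
"""Added example: a local simulation of the claimed XSS detection loop.
Pages, URLs and the 'execution simulator' are constructed stand-ins."""
import html
import uuid
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse, parse_qs


# --- constructed stand-ins for a web server (assumption, not the patent's) ---
def vulnerable_search_page(params):
    """Reflects the 'q' parameter into the page body without escaping."""
    q = params.get("q", [""])[0]
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def escaped_search_page(params):
    """Same page, but HTML-escapes the reflected value (the mitigation)."""
    q = html.escape(params.get("q", [""])[0], quote=True)
    return f"<html><body><h1>Results for {q}</h1></body></html>"


SERVER = {  # constructed routing table: path -> renderer
    "/search": vulnerable_search_page,
    "/safe-search": escaped_search_page,
}


def fetch(url):
    """Stand-in for the 'communicator': resolves the assembled URL locally
    and returns the dynamic page content a web server would have sent."""
    parsed = urlparse(url)
    return SERVER[parsed.path](parse_qs(parsed.query))


class CanaryExecutionSimulator(HTMLParser):
    """Stand-in for the 'simulator': instead of running JavaScript, it
    parses the returned HTML and reports whether the canary token sits in
    a context a browser would execute (script body or on* handler)."""

    def __init__(self, canary):
        super().__init__()
        self.canary = canary
        self.in_script = False
        self.executed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if name.startswith("on") and value and self.canary in value:
                self.executed = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # An escaped "&lt;script&gt;" is delivered here as text, not as a
        # script element, so it is correctly not counted as executed.
        if self.in_script and self.canary in data:
            self.executed = True


def script_executes(page_html, canary):
    sim = CanaryExecutionSimulator(canary)
    sim.feed(page_html)
    sim.close()
    return sim.executed


def detect_xss(base_path, param_value_pairs, fetch_fn=fetch):
    """Runs the claimed method over the accepted parameter-value pairs and
    returns the names of parameters whose processing executed the script."""
    vulnerable = []
    for name, value in param_value_pairs:
        # A unique canary per test so a hit is unambiguously tied to this URL.
        canary = "xss_canary_" + uuid.uuid4().hex
        injected = {name: f"{value}<script>{canary}()</script>"}
        url = f"{base_path}?{urlencode(injected)}"
        page = fetch_fn(url)
        if script_executes(page, canary):
            vulnerable.append(name)
    return vulnerable


if __name__ == "__main__":
    accepted = [("q", "test")]  # constructed parameter-value set
    print("/search      ->", detect_xss("/search", accepted))       # ['q']
    print("/safe-search ->", detect_xss("/safe-search", accepted))  # []
```

The escaped page is included so the check demonstrates the negative case as well: the canary is still present in the returned content, but only as text, which is why the method keys on simulated execution rather than on mere reflection of the injected string.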
Abstract
The present invention discloses an XSS detection method for detecting XSS vulnerabilities in a web page, comprising, for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content; if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device, as well as a web site security scanning system and a web scanning system using such a device.
74 Citations
14 Claims
1. An XSS detection method for detecting XSS vulnerabilities in a web page, comprising the steps of: determining a set of parameter-value pairs that can be accepted by the web page; and, for each parameter-value pair in the set: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content; if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. (Dependent claims: 2, 3, 4, 5, 13, 14)

6. An XSS detection device for detecting XSS vulnerabilities in a web page, comprising:
- a web page parameter-value pair set determining unit, configured to determine a set of parameter-value pairs that can be accepted by the web page;
- a testing URL assembler, configured to assemble a testing URL for each parameter-value pair in the set of parameter-value pairs, wherein a dedicated script is inserted in the value during the assembly of the testing URL;
- a communicator, configured to send the testing URL to the web server and receive the web page content returned from the web server; and
- a simulator, configured to simulate the execution of the web page content and determine the existence of XSS vulnerabilities in the corresponding parameter if the dedicated script has been executed.
(Dependent claims: 7, 8, 9, 10, 11, 12)
Specification