RTF Editor XSS Fuzz Framework

  • Conference paper
Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS 2017)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 612)

Abstract

Cross-Site Scripting (XSS) is one of the most important vulnerabilities in web applications and has been among the top three OWASP Top 10 [1] security risks for a long time. Among web application components, the RTF (Rich Text Format) Editor is exposed to a wide range of XSS attacks because of its own characteristics. With the development of XSS detection technology, the fuzz technique has become a popular approach for discovering XSS in web applications, except for Rich Text Editors. This paper therefore proposes an RTF Editor XSS fuzz framework, which works on a lexical-based fuzz framework. The framework includes an attack vector template and a mutation engine. We use a concept named “boundary” to build the template and a method named “breaking boundaries” to generate mutated data. The experimental results of our fuzz framework are quite encouraging: we ran it against 12 real-world RTF Editors (including Webmail, Blog, Markdown editor, etc.) and found vulnerabilities in 8 of them. We have responsibly reported our findings to the respective developers of the editors.

References

  1. Williams, J., Wichers, D.: OWASP top 10-2013. OWASP Foundation (2013)

  2. Johns, M., Engelmann, B., Posegga, J.: XSSDS: server-side detection of cross-site scripting attacks. In: Computer Security Applications Conference, ACSAC 2008, Annual, pp. 335–344. IEEE (2008)

  3. Klein, A.: DOM based cross site scripting or XSS of the third kind. In: Web Application Security Consortium, Articles, vol. 4 (2005)

  4. Gupta, M.K., Govil, M.C., Singh, G.: Static analysis approaches to detect SQL injection and cross site scripting vulnerabilities in web applications: a survey. Recent Adv. Innov. Eng. (ICRAIE) 2014, 9–11 (2014)

  5. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: Proceedings of the IEEE Symposium on Security and Privacy, May 2006

  6. Doupé, A., Cova, M., Vigna, G.: Why Johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010)

  7. Vieira, M., Antunes, N., Madeira, H.: Using web security scanners to detect vulnerabilities in web services. In: IEEE/IFIP DSN, pp. 566–571, June 2009

  8. Duchene, F., Groz, R., Rawat, S., Richier, J.-L.: XSS vulnerability detection using model inference assisted evolutionary fuzzing. In: 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation, vol. 2, pp. 815–817 (2012)

  9. Zhang, Y., Wang, X., Wang, P., Liu, L.: Detecting cross site scripting vulnerabilities introduced by HTML5. In: 2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE), pp. 319–323 (2014)

Acknowledgments

This work was supported by the National Natural Science Foundation of China (No. U1536122) and the Fundamental Research Funds for the Central Universities (2014ZD03-03).

Author information

Corresponding author

Correspondence to Qiyi Tang.

Copyright information

© 2018 Springer International Publishing AG

About this paper

Cite this paper

Yang, J., Tang, Q. (2018). RTF Editor XSS Fuzz Framework. In: Barolli, L., Enokido, T. (eds) Innovative Mobile and Internet Services in Ubiquitous Computing. IMIS 2017. Advances in Intelligent Systems and Computing, vol 612. Springer, Cham. https://doi.org/10.1007/978-3-319-61542-4_95

  • DOI: https://doi.org/10.1007/978-3-319-61542-4_95

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-61541-7

  • Online ISBN: 978-3-319-61542-4

  • eBook Packages: Engineering, Engineering (R0)
