DocumentCode :
1885544
Title :
L-WMxD: Lexical based Webmail XSS Discoverer
Author :
Tang, Zhushou ; Zhu, Haojin ; Cao, Zhenfu ; Zhao, Shuai
Author_Institution :
Dept. of Comput. Sci. & Eng., Shanghai Jiao Tong Univ., Shanghai, China
fYear :
2011
fDate :
10-15 April 2011
Firstpage :
976
Lastpage :
981
Abstract :
XSS (Cross-Site Scripting) is a major security threat for web applications. Because the source code of a web application is usually unavailable, fuzzing has become a popular approach to discovering XSS in web applications, with the exception of Webmail. This paper proposes a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer). L-WMxD, which works on a lexical based mutation engine, is an active defense system that discovers XSS before the Webmail application goes online for service. The engine is initialized with normal JavaScript code, called the seed. A lexical parser picks out the sensitive strings in the seed, and mutation rules are applied to them. The mutation engine then issues multiple test cases, and these newly generated test cases are used for XSS testing. We implemented two prototype tools that send the newly generated test cases to various Webmail servers to discover XSS vulnerabilities. The experimental results of L-WMxD are quite encouraging. We have run L-WMxD over 26 real-world Webmail applications and found vulnerabilities in 21 Webmail services, including some of the most widely used: Yahoo! Mail, Mirapoint Webmail and Oracle Collaboration Suite Mail.
Keywords :
Java; electronic mail; grammars; security of data; JavaScript code; L-WMxD; Mirapoint Webmail; ORACLE collaboration suite mail; Webmail XSS fuzzer; Webmail services; Yahoo Mail; active defense system; cross-site scripting; lexical based Webmail XSS discoverer; lexical based mutation engine; lexical parser; prototype tools; seed; Browsers; Electronic mail; Encoding; HTML; Security; Servers; Transforms; L-WMxD; Webmail; XSS; fuzzer;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Communications Workshops (INFOCOM WKSHPS), 2011 IEEE Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-1-4577-0249-5
Electronic_ISBN :
978-1-4577-0248-8
Type :
conf
DOI :
10.1109/INFCOMW.2011.5928954
Filename :
5928954