A XSS Vulnerability Detection Approach Based on Simulating Browser Behavior

This paper presents a dynamic detection method based on simulating browser behavior, and designs a web crawler based on a headless browser, which can interpret the JavaScript code and retrieve Ajax content to find the hidden injection points in pages, with full consideration of the web pages containing complex scripts under Web 2.0 environment. In implementation, this paper uses dynamic analysis in XSS vulnerability detection by examining the runtime behavior of web application, and decide whether the XSS vulnerability exists with black-box test. The experiment results prove that this method works.