National Preprint Platform

XSS Vulnerability Detection Based on EBNF and a Secondary Crawling Strategy


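Cross-site scripting (XSS) attacks are currently one of the biggest threats to Internet security. To address the problems of traditional vulnerability detection methods based on penetration testing, in which attack vectors have low complexity and are easily filtered and the overall detection process is cumbersome, this paper proposes an automatic attack vector generation method based on extended Backus-Naur form (EBNF) and a secondary crawling strategy for XSS vulnerabilities. EBNF rules are defined to generate a rule parse tree, which is traversed level by level to obtain high-complexity attack vectors. When a page is first crawled, the input point information is embedded into the attack vector and the injection request is sent; a second crawl then requests legitimate parameters to obtain the returned page. Finally, a prototype system was designed and implemented, and two platforms were used for vulnerability detection. Comparative experiments show that the system's detection process is simple and that, to a certain extent, it increases the number of vulnerabilities detected and lowers the false positive rate.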

Cross-site scripting (XSS) attacks have been one of the biggest threats to Internet security. Traditional vulnerability detection methods based on penetration testing suffer from low-complexity attack vectors that are easy to filter and from a cumbersome overall detection process. To address these problems, this paper proposes a new automatic attack vector generation method based on extended Backus-Naur form (EBNF) and a secondary crawling strategy for XSS vulnerabilities. By defining EBNF rules, the method generates a rule parse tree and then traverses the tree level by level to obtain high-complexity attack vectors. In the first crawl of a page, the strategy inserts input point information into the attack vectors and sends the injection request. It then carries out a second crawl, requesting legal parameters to get the returned page. Finally, this paper designs and implements a prototype system and uses two platforms for vulnerability detection. The comparative experiments show that the system has a simple detection process and, to a certain extent, increases the number of vulnerabilities detected and reduces the false positive rate.

黄文锋、李晓伟、霍占强

10.12074/201805.00454V1

Computing technology, computer technology

Cross-site scripting; extended Backus-Naur form; attack vector; penetration testing

黄文锋, 李晓伟, 霍占强. XSS Vulnerability Detection Based on EBNF and a Secondary Crawling Strategy [EB/OL]. (2018-05-24) [2025-08-11]. https://chinaxiv.org/abs/201805.00454.
