Automatic detection of Cross-Site Scripting attacks in Web pages

Publisher

Universidade Federal do Amazonas

Abstract

The evolution of web application development favored the emergence of dynamic pages. This development was made possible by new technologies, such as script functions and advanced web browser features, that enabled new functionality and the creation of interactive services such as Internet banking, social networks, e-commerce, blogs and forums. The use of these new resources and features has gradually improved the interactivity and usability of web applications. However, the inappropriate use of these features resulted in the emergence of several attacks, including Cross-Site Scripting (XSS), which has ranked at the top of lists and reports of the greatest threats to web applications in recent years. This work demonstrates the feasibility of using a methodology that is capable of detecting XSS attacks by analyzing the information contained in applications. A prototype of the methodology, called ETSSDetector, was developed and compared with similar tools. The results show that by analyzing the input fields, it is possible to generate more effective tests, decreasing the number of requests made to the application. Furthermore, the ability to fill the fields with only valid information ensures the submission of forms on pages, increasing the detection rate of XSS attacks.

Citation

ROCHA, Thiago de Souza. Detecção automática de ataques de Cross-Site Scripting em páginas Web. 2013. 77 f. Dissertação (Mestrado em Informática) - Universidade Federal do Amazonas, Manaus, 2013.
