Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning

Cited 7 times in Web of Science; cited 0 times in Scopus
DC field: value (language)
dc.contributor.author: Lee, Soyoung (ko)
dc.contributor.author: Wi, Seongil (ko)
dc.contributor.author: Son, Sooel (ko)
dc.date.accessioned: 2022-09-27T13:00:44Z
dc.date.available: 2022-09-27T13:00:44Z
dc.date.created: 2022-09-26
dc.date.issued: 2022-04-27
dc.identifier.citation: 31st ACM World Wide Web Conference, WWW 2022, pp. 743-754
dc.identifier.uri: http://hdl.handle.net/10203/298733
dc.description.abstract: Black-box web scanners have been a prevalent means of performing penetration testing to find reflected cross-site scripting (XSS) vulnerabilities. Unfortunately, off-the-shelf black-box web scanners suffer from unscalable testing as well as false negatives, both of which stem from a testing strategy that relies on fixed attack payloads and thus ignores the reflection context that must be exploited to trigger a vulnerability. To this end, we propose a novel method of adapting attack payloads to a target reflected XSS vulnerability using reinforcement learning (RL). We present Link, a general RL framework whose states, actions, and reward function are designed to find reflected XSS vulnerabilities in a black-box and fully automatic manner. Link finds 45, 213, and 60 vulnerabilities with no false positives in the Firing-Range, OWASP, and WAVSEP benchmarks, respectively, outperforming state-of-the-art web scanners both in the number of vulnerabilities found and in ending testing campaigns earlier. Link also finds 43 vulnerabilities in 12 real-world applications, demonstrating the promising efficacy of using RL to find reflected XSS vulnerabilities.
dc.language: English
dc.publisher: Association for Computing Machinery, Inc
dc.title: Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning
dc.type: Conference
dc.identifier.wosid: 000852713000075
dc.identifier.scopusid: 2-s2.0-85129800853
dc.type.rims: CONF
dc.citation.beginningpage: 743
dc.citation.endingpage: 754
dc.citation.publicationname: 31st ACM World Wide Web Conference, WWW 2022
dc.identifier.conferencecountry: FR
dc.identifier.conferencelocation: Virtual
dc.identifier.doi: 10.1145/3485447.3512234
dc.contributor.localauthor: Son, Sooel
dc.contributor.nonIdAuthor: Lee, Soyoung
dc.contributor.nonIdAuthor: Wi, Seongil
Appears in Collection: CS-Conference Papers (Conference Papers)
Files in This Item: There are no files associated with this item.