DC Field | Value | Language |
---|---|---|
dc.contributor.author | Lee, Soyoung | ko |
dc.contributor.author | Wi, Seongil | ko |
dc.contributor.author | Son, Sooel | ko |
dc.date.accessioned | 2022-09-27T13:00:44Z | - |
dc.date.available | 2022-09-27T13:00:44Z | - |
dc.date.created | 2022-09-26 | - |
dc.date.issued | 2022-04-27 | - |
dc.identifier.citation | 31st ACM World Wide Web Conference, WWW 2022, pp.743 - 754 | - |
dc.identifier.uri | http://hdl.handle.net/10203/298733 | - |
dc.description.abstract | Black-box web scanners have been a prevalent means of performing penetration testing to find reflected cross-site scripting (XSS) vulnerabilities. Unfortunately, off-the-shelf black-box web scanners suffer from unscalable testing as well as false negatives that stem from a testing strategy that employs fixed attack payloads, thus disregarding the exploitation of contexts to trigger vulnerabilities. To this end, we propose a novel method of adapting attack payloads to a target reflected XSS vulnerability using reinforcement learning (RL). We present Link, a general RL framework whose states, actions, and a reward function are designed to find reflected XSS vulnerabilities in a black-box and fully automatic manner. Link finds 45, 213, and 60 vulnerabilities with no false positives in Firing-Range, OWASP, and WAVSEP benchmarks, respectively, outperforming state-of-the-art web scanners in terms of finding vulnerabilities and ending testing campaigns earlier. Link also finds 43 vulnerabilities in 12 real-world applications, demonstrating the promising efficacy of using RL in finding reflected XSS vulnerabilities. | - |
dc.language | English | - |
dc.publisher | Association for Computing Machinery, Inc | - |
dc.title | Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning | - |
dc.type | Conference | - |
dc.identifier.wosid | 000852713000075 | - |
dc.identifier.scopusid | 2-s2.0-85129800853 | - |
dc.type.rims | CONF | - |
dc.citation.beginningpage | 743 | - |
dc.citation.endingpage | 754 | - |
dc.citation.publicationname | 31st ACM World Wide Web Conference, WWW 2022 | - |
dc.identifier.conferencecountry | FR | - |
dc.identifier.conferencelocation | Virtual | - |
dc.identifier.doi | 10.1145/3485447.3512234 | - |
dc.contributor.localauthor | Son, Sooel | - |
dc.contributor.nonIdAuthor | Lee, Soyoung | - |
dc.contributor.nonIdAuthor | Wi, Seongil | - |