A XSS Vulnerability Detection Approach based on Simulating Browser Behavior

摘要

Aiming at the XSS vulnerability detection, this paper presents a dynamic detection method based on simulating browser behavior, and designs a web crawler based on a headless browser, which can interpret the JavaScript code and retrieve Ajax content to find the hidden injection points in pages, with full consideration of the web pages containing complex scripts under Web 2.0 environment. Besides, this paper provides a more accurate method to identify XSS vulnerability with XSS attack vectors by examining the runtime behavior of web application, and decides whether the XSS vulnerability exists with black-box test. The experiment results prove that this method works.