Computer Science Speaking Skills Talks
In Person - Traffic21 Classrooms, Gates Hillman 6501
NUNO SABINO, Ph.D. Student, Computer Science Department, Carnegie Mellon University
Fuzzing user interactions to improve DOM-XSS detection
DOM-based cross-site scripting (DOM-XSS) vulnerabilities are a type of security flaw that allows attackers to inject malicious code into a web page by exploiting client-side scripts. This class of vulnerabilities remains a major security concern for websites and, if left unaddressed, attackers can leverage these vulnerabilities to steal sensitive information and compromise user accounts. On the other hand, it is increasingly common for developers to use event handlers to add interaction to websites, and such functions can also contain vulnerabilities.
Considering that existing approaches for DOM-XSS detection might miss these vulnerabilities by solely analyzing the web page without actively interacting with it, our approach instead tries to actively interact with the page during analysis. To generate user interactions, our work uses fuzzing, a random testing technique commonly used to generate inputs to programs. We found cases where some inputs would be hard to generate randomly as they need to satisfy complex constraints, and decided to also use symbolic execution, a technique that allows collecting and solving constraints found in the code. In this talk, I will discuss our methodology, challenges, and the background to understanding it.
Presented in Partial Fulfillment of the CSD Speaking Skills Requirement.
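The abstract's point about handler-only flows, as an added example that is not the speaker's tool or code: a constructed page model whose source-to-sink flow exists only inside a click handler and only under an input constraint, analyzed once without interaction and again with dispatched events. All names (`makePage`, `analyze`, the `promo=` prefix, the double-click condition) are assumptions made up for this illustration.

```javascript
// Benign string standing in for attacker-controlled data (constructed).
const MARKER = "TAINT_MARKER";

// Constructed stand-in for a page: records listeners and instruments one sink.
function makePage(hash) {
  const findings = [];
  const listeners = {};
  const output = {
    set innerHTML(v) { // HTML-parsing sink: report if tainted data arrives
      if (String(v).includes(MARKER)) findings.push({ sink: "innerHTML", value: v });
    },
    set textContent(v) { /* text-only sink: never parsed as markup */ },
  };
  const button = {
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
  };
  return { findings, listeners, output, button, location: { hash } };
}

// Hypothetical page script: location.hash reaches innerHTML only on a
// double click and only when the fragment starts with "promo=".
function vulnerableScript(page) {
  page.button.addEventListener("click", (ev) => {
    const frag = decodeURIComponent(page.location.hash.slice(1));
    if (ev.detail === 2 && frag.startsWith("promo=")) {
      page.output.innerHTML = "Code: " + frag.slice(6);
    }
  });
}

// Same handler with the value written through the text-only sink.
function hardenedScript(page) {
  page.button.addEventListener("click", (ev) => {
    const frag = decodeURIComponent(page.location.hash.slice(1));
    if (ev.detail === 2 && frag.startsWith("promo=")) {
      page.output.textContent = "Code: " + frag.slice(6);
    }
  });
}

// Load the script, then dispatch the given events; return tainted sink hits.
function analyze(script, hash, events) {
  const page = makePage(hash);
  script(page); // "page load": handlers are registered, none has run yet
  for (const ev of events) {
    for (const fn of page.listeners[ev.type] || []) fn(ev);
  }
  return page.findings.length;
}
```

A load-only pass and a single click both report nothing here; only the event and fragment that satisfy the handler's branch condition expose the flow, which is the kind of constraint the abstract says is hard to hit randomly.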