Black Widow: Blackbox data-driven web scanning
Paper in proceedings, 2021

Modern web applications are an integral part of our digital lives. As we put more trust in web applications, the need for security increases. At the same time, detecting vulnerabilities in web applications has become increasingly hard, due to the complexity, dynamism, and reliance on third-party components. Blackbox vulnerability scanning is especially challenging because (i) for deep penetration of web applications, scanners need to exercise such browsing behavior as user interaction and asynchrony, and (ii) for detection of nontrivial injection attacks, such as stored cross-site scripting (XSS), scanners need to discover inter-page data dependencies. This paper illuminates key challenges for crawling and scanning the modern web. Based on these challenges we identify three core pillars for deep crawling and scanning: navigation modeling, traversing, and tracking inter-state dependencies. While prior efforts are largely limited to the separate pillars, we suggest an approach that leverages all three. We develop Black Widow, a blackbox data-driven approach to web crawling and scanning. We demonstrate the effectiveness of the crawling by code coverage improvements ranging from 63% to 280% compared to other crawlers across all applications. Further, we demonstrate the effectiveness of the web vulnerability scanning by featuring no false positives and finding more cross-site scripting vulnerabilities than previous methods. In older applications, used in previous research, we find vulnerabilities that the other methods miss. We also find new vulnerabilities in production software, including HotCRP, osCommerce, PrestaShop and WordPress.

Web crawling

Cross-site scripting

XSS

Security testing

Web application scanning

Authors

Benjamin Eriksson

Chalmers, Computer Science and Engineering, Information Security

Giancarlo Pellegrino

CISPA - Helmholtz Center for Information Security

Andrei Sabelfeld

Chalmers, Computer Science and Engineering, Information Security

Proceedings - IEEE Symposium on Security and Privacy

10816011 (ISSN)

Vol. 2021-May, pp. 1125-1142

42nd IEEE Symposium on Security and Privacy, SP 2021
Virtual, San Francisco, USA

Subject categories

Other Computer and Information Science

Computer Science

Computer Systems

DOI

10.1109/SP40001.2021.00022

More information

Last updated

2021-10-13