Reference : Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting:...
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/26528
Empirical Investigation of the Web Browser Attack Surface under Cross-Site Scripting: an Urgent Need for Systematic Security Regression Testing
-
Abgrall, Erwan mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Engineering Research Unit]
Le Traon, Yves mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Gombault, Sylvain [Inst Mines Telecom & Telecom Bretagne RSM, Rennes, France.]
Monperrus, Martin [Univ Lille, Lille, France.]
2014
7th IEEE International Conference on Software Testing, Verification and Validation (ICST)- Workshop SECTEST
Ieee
34-41
Yes
International
New York
7th IEEE International Conference on Software Testing, Verification and Validation (ICST)
MAR 31-APR 04, 2014
IEEE Comp Soc, IEEE, ABB
Cleveland
OH
[en] One of the major threats against web applications is Cross-Site Scripting (XSS). The final target of XSS attacks is the client running a particular web browser. During this last decade, several competing web browsers (IE, Netscape, Chrome, Firefox) have evolved to support new features. In this paper, we explore whether the evolution of web browsers is done using systematic security regression testing. Beginning with an analysis of their current exposure degree to XSS, we extend the empirical study to a decade of most popular web browser versions. We use XSS attack vectors as unit test cases and we propose a new method supported by a tool to address this XSS vector testing issue. The analysis on a decade releases of most popular web browsers including mobile ones shows an urgent need of XSS regression testing. We advocate the use of a shared security testing benchmark as a good practice and propose a first set of publicly available XSS vectors as a basis to ensure that security is not sacrificed when a new version is delivered.
http://hdl.handle.net/10993/26528
10.1109/ICSTW.2014.63
978-0-7695-5194-4

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
empirical investigation.pdfPublisher postprint862.39 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.