DOM XSS Testing Technology Vulnerabilities

Authors: Aleksandr Kovalenko, Anna Kovalenko, Aleksey Smirnov, Sergey Smirnov
Affiliation: Kirovohrad National Technical University

Keywords: DOM CSS, vulnerability GERT-network, security vulnerability, testing
ABSTRACT. The article presents research results and vulnerability testing algorithms for one of the most common types of attack on Web applications: cross-site scripting (CSS, Cross Site Scripting), specifically DOM CSS. Cross-site scripting is an error in validating user data that allows JavaScript code to be passed for execution in the user's browser. Attacks of this kind are often called HTML injections, because the injection mechanism is very similar to that of SQL injection, but unlike the latter, the injected code is executed in the user's browser. The case for mathematical modeling based on GERT networks is argued. Studies have shown that GERT (Graphical Evaluation and Review Technique) is a method for studying and analyzing stochastic networks used to describe the logical relationships between parts of a project or steps of a process. The main goal of GERT is to evaluate the logic of the network and the duration of activities, and to reach a conclusion on whether particular activities need to be performed. A technology for testing Web applications and a corresponding set of mathematical models are developed. The mathematical modeling is based on GERT-network synthesis. As a result, mathematical models of the DOM CSS testing technology have been developed. The mathematical model of the DOM CSS vulnerability testing technology differs from known models in that it takes into account the execution or analysis of the DOM structure. The developed method can be used when testing a Web application for vulnerabilities.
