The Mathematical Model of the Testing Technology for DOM XSS Vulnerabilities

Автор: O.Kovalenko, A.Kovalenko, O.Smirnov, S.Smirnov, V.Vialkova
Организация: Kirovohrad National Technical University and Taras Shevchenko National University of Kyi

Категория:

Ключевые слова: DOM XSS vulnerabilities, GERT-network, security vulnerabilities, testing
Аннотация. The paper presents the results of the study and a mathematical model of the testing technology for vulnerability to one of the most common types of attacks on Web applications – XSS (Cross Site Scripting) – XSS DOM. Cross-site scripting is an error validation of user data, which allows you to send JavaScript code to be executed in the user's browser. Attacks of this kind are often also referred to as HTML injection, because the mechanism of their implementation is very similar to SQL injection, but unlike the latter, the introduced code is executed in the user's browser. The approach of mathematical modeling based on GERT networks is argued. Studies have shown that GERT (Graphical Evaluation and Review Technique) is a method of studying and analysis of stochastic networks that are used to describe the logical relationship between parts of the project or stages of the process. The main purpose of GERT is to evaluate the logic of the network and the duration of activity and reception of the conclusion about necessity of execution of some activities. A mathematical model of the testing technology of Web applications is developed. As the basis of the mathematical modeling the approach of GERT-network synthesis was taken. The developed mathematical model of testing technologies of DOM XSS vulnerability differs from the known by accounting of performance or analyzing the DOM structure. The developed mathematical model can be used when testing the vulnerability of a Web application.

Библиография:

About The Open Web Application Security Project – OWASP: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security _Project
OWASP Top 10 – 2017 RC1: https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%2 0-%202017%20RC1-English.pdf
Positive Research 2016: https://www.ptsecurity.com/upload/ptru/analytics/Positive-Research-2016- rus.pdf
OSSTMM 3 – The Open Source Security Testing Methodology Manual. Contemporary Security Testing And Analysis: http://www.isecom.org/mirror/OSSTMM.3.pdf
Testing for DOM-based Cross-site scripting (OTG-CLIENT-001) – OWASP: https://www.owasp.org/index.php/Testing_for_DOMbased_Cross_site_scripting_(OTG-CLIENT-001)
Testing for SQL Injection (OTG-INPVAL-005) – OWASP: https://www.owasp.org/index.php/103 Testing_for_SQL_Injection_(OTGINPVAL-005)
Cohen W., Ravikumar P., Fienberg S. A Comparison of String Metrics for Matching Names and Records / William W. Cohen, Pradeep Ravikumar, Stephen E. Fienberg.: https://www.cs.cmu.edu/afs/cs/Web/People/wcohen/postscript/kdd-2003-matchws.pdf
Kevin Dreßler a , Axel-Cyrille Ngonga Ngomo On the Efficient Execution of Bounded Jaro-Winkler Distances / Semantic Web – Interoperability, Usability, Applicability an IOS Press Journal http://www.semantic-webjournal.net/system/files/swj944.pdf
Pritsker A. A. В. GERT: Graphical Evaluation and Review Technique. Part I. Fundamentals / Pritsker A. A. В., Happ W. W. // The Journal of Industrial Engineering (May 1966). pp. 267-274
Pritsker, A. A. В. Modeling and analysis using Q-GERT networks / Pritsker, A. A. В. – New York: Wiley : Distributed by Halsted Press, 1979 – 435 p.
. Semenov S.G., Zmiyevskaya V N., Kassem Khalife Development of Gert model of management system by using test cases // Journal of Qafqaz universitymathematics and computer science 2016, Vol.(4), № 1 PP. 52-59