MUTEC:Mutation-based Testing of Cross Site Scripting Hossain Shahriar Mohammad Zulkernine

Page 1: MUTEC: Mutation-based Testing of Cross Site Scripting

Hossain Shahriar, Mohammad Zulkernine

Page 2: Cross Site Scripting (XSS)

One of the worst vulnerabilities in web applications.

It involves the generation of dynamic HTML content with unvalidated inputs, which might contain HTML tags, JavaScript code and so on.

When unvalidated content is interpreted by the browser, unintended and malicious web page behaviours are generated.

Page 3: Stored XSS

In a persistent (or stored) XSS vulnerability, the injected code is permanently stored on the target servers, such as in a database, a message forum, a visitor log, a comment field, etc.

The victim retrieves the malicious script from the server when it requests the stored information.

Page 4: Reflected XSS Attacks

The injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Page 5: DOM-based XSS

The DOM allows a program or script to visit and change a web document's content, structure, and style dynamically.

Using the DOM, a client-side script can check and alter the web page dynamically without interacting with the server side.

If the data has not been checked, there might be XSSVs (XSS vulnerabilities).

Page 6: DOM-based XSS (example)

URL: http://www.mysite.com/welcome.html?name=somename

From the welcome web page:

    <TITLE>Welcome!</TITLE>
    Hi
    <SCRIPT>
      var pos = document.URL.indexOf("name=") + 5;
      document.write(document.URL.substring(pos, document.URL.length));
    </SCRIPT>

But what if we enter http://www.mysite.com/welcome.html?name=<script>alert(document.cookie)</script> as the URL?

Page 7: What the Paper Concerns

Effective testing for XSSVs helps fix implementations early and decrease losses.

After modifying the program's source code, the output behaviour of a test case should be affected. This is a method of evaluating the quality of test cases.

The paper focuses on obtaining an adequate test data set, which means a collection of test cases that can exploit XSSVs.

Page 8: Definitions (1)

The process is fault-based.

Mutant: the objects being tested are injected with modifications to generate mutants.

Mutation operator: a rule for injecting faults.

Killed and live mutants: if a test case causes different output between the original program and a mutant, we say it kills the mutant. Otherwise, the mutant is said to be live.

Page 9: Definitions (2)

Denote the original implementation as P, and the mutant as M.

Killing Criterion 1 (C1): the number of HTML tags generated in P (NP) is not equal to that in the mutant (NM), i.e. NP != NM.

Killing Criterion 2 (C2): the HTML content displayed in P (HP) is different from that in M (HM), i.e. HP != HM.

Page 10: Definitions (3)

Mutation Score (MS): the ratio of the number of killed mutants to the total number of non-equivalent mutants.
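The killing criteria and the mutation score above, worked through on the welcome page from page 6, as an added JavaScript example that is not part of the slides or of the MUTEC tool. The program P, the two mutants (one ADES-style, one RIHA-style), the escape stand-in, the tag counter and the test inputs are all constructed for this example; the tag regex is a loose approximation, not an HTML parser.

```javascript
// Added example, not code from the slides or from the MUTEC tool. It models the
// welcome page of page 6 as a pure function P, builds two mutants M in the
// style of operators described later in the deck, and applies the killing
// criteria C1/C2 and the mutation score MS from pages 9-10. All names and
// inputs are constructed for this demonstration.

// Original program P: the untrusted query value is written straight into the
// page, like document.write(document.URL.substring(pos, ...)) on page 6.
function renderOriginal(name) {
  return "<TITLE>Welcome!</TITLE> Hi " + name;
}

// Stand-in for the slide's "escape function" (assumption): encode the
// punctuation that matters for HTML as %XX hexadecimal.
function escapePunctuation(s) {
  return s.replace(/[<>&"']/g, c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Mutant M1, ADES style: the write argument is wrapped in the escape call.
function renderMutantAdes(name) {
  return "<TITLE>Welcome!</TITLE> Hi " + escapePunctuation(name);
}

// Mutant M2, RIHA style: the value is added as a text node, so the browser
// shows the characters rather than parsing them (modelled as entity encoding).
function renderMutantTextNode(name) {
  const text = name.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return "<TITLE>Welcome!</TITLE> Hi " + text;
}

// N in C1: number of HTML tags in the generated document. A loose tag regex
// is enough here; it is not an HTML parser.
const TAG = /<\/?[a-zA-Z][^>]*>/g;
function countTags(html) {
  const m = html.match(TAG);
  return m ? m.length : 0;
}

// H in C2: the displayed content, approximated by stripping the tags.
function displayedContent(html) {
  return html.replace(TAG, "");
}

// C1: NP != NM.
function killsByC1(original, mutant, input) {
  return countTags(original(input)) !== countTags(mutant(input));
}

// C2: HP != HM.
function killsByC2(original, mutant, input) {
  return displayedContent(original(input)) !== displayedContent(mutant(input));
}

// MS: killed mutants over all (assumed non-equivalent) mutants. A mutant is
// killed as soon as one test case satisfies either criterion.
function mutationScore(original, mutants, tests) {
  const killed = mutants.filter(m =>
    tests.some(t => killsByC1(original, m, t) || killsByC2(original, m, t)));
  return killed.length / mutants.length;
}

// Constructed test data: two benign inputs and two tag-carrying inputs
// (the second one is the URL from page 6).
const MUTANTS = [renderMutantAdes, renderMutantTextNode];
const BENIGN_TESTS = ["somename", "Bob"];
const TAG_TESTS = ["<b>bold</b>", "<script>alert(document.cookie)</script>"];

console.log("MS with benign tests only:",
  mutationScore(renderOriginal, MUTANTS, BENIGN_TESTS));                   // 0
console.log("MS with tag-carrying tests added:",
  mutationScore(renderOriginal, MUTANTS, BENIGN_TESTS.concat(TAG_TESTS))); // 1
```

The benign inputs leave both mutants live (P and M produce the same tags and the same visible text), so a test set made only of them has MS 0; adding inputs that carry tags kills both mutants under C1, which is exactly the kind of test case an adequate set must contain.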

Page 11: Implementation Overview

Basic idea: if our operators are effective, then test cases that are powerful at killing the mutants generated by the operators should also be powerful at distinguishing good apps and malicious apps.

Page 12: Implementation Overview

Page 13: Operator Details

Add escape function calls (ADES): modify the arguments of write function calls by adding an escape function call, which encodes special punctuation characters into hexadecimal characters, so that injected HTML tags will not be executed.

Remove escape function calls (RESC).

Page 14: Operator Details

Replace write function with eval (RWWE): replace a write function call with eval, which can execute JavaScript expressions and statements given in string arguments.

Page 15: Operator Details

Replace innerHTML property with text node addition in DOM (RIHA): the innerHTML property of the DOM can be used to modify the text of HTML tags, which is vulnerable to XSS.

Page 16: Operator Details

Modify arguments of replace function calls (MARF): the MARF operator injects faults into the search string pattern by changing (a) a local search into a global search, and (b) a case-sensitive search into a case-insensitive one.

Page 17: Operator Details (PHP)

Add htmlspecialchars function calls (AHSC): the htmlspecialchars function can replace each character in the accepted string with its HTML equivalent. The mutant can be killed by C1.

Remove htmlspecialchars function calls (RHSC).

Page 18: Operator Details (PHP)

Add htmlentities function calls (AHEN): similar to AHSC. The function converts all input characters to their corresponding HTML entities.

Remove htmlentities function calls (RHEN).

Page 19: Operator Details (PHP)

Modify allowable tag parameter in strip_tags function calls (MALT): the strip_tags function removes all HTML tags except the allowable tags. By modifying the allowable-tag argument, more tags are allowed.

Remove strip_tags function calls (RSTT).
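The JavaScript operators of pages 13-16 and the PHP operators of pages 17-19 as source-text rewrites, in an added JavaScript example that is not the MUTEC tool's code. Each operator is a regular expression plus a replacement, and one mutant is produced per fault location; the sample JavaScript and PHP sources, the operator table, the one-level parenthesis matching and the choice of `<b>` as the extra tag allowed by MALT are assumptions made for this example.

```javascript
// Added example, not the MUTEC tool's implementation: the JavaScript operators
// of pages 13-16 and the PHP operators of pages 17-19 as source-text rewrites.
// mutate() produces one mutant per match site, the way a mutation tool emits
// one mutant per fault location. The regexes handle one level of nested
// parentheses, enough for the constructed sample sources below; not a parser.

// One call argument with at most one level of nested parentheses (assumption).
const ARG = "[^()]*(?:\\([^()]*\\))*[^()]*";

// Add a regex flag unless it is already present (used by the MARF variants).
function withFlag(flags, f) {
  return flags.includes(f) ? flags : flags + f;
}

// Operator name -> [pattern, rewrite(match, group1, group2, ...)].
const OPERATORS = {
  // JavaScript operators (pages 13-16)
  ADES: [new RegExp("document\\.write\\((" + ARG + ")\\)", "g"),
         (m, a) => "document.write(escape(" + a + "))"],
  RESC: [new RegExp("escape\\((" + ARG + ")\\)", "g"), (m, a) => a],
  RWWE: [/document\.write\(/g, () => "eval("],
  RIHA: [/(\w+)\.innerHTML\s*=\s*([^;]+);/g,
         (m, el, v) => el + ".appendChild(document.createTextNode(" + v + "));"],
  // MARF (a): local search becomes global search.
  MARF_G: [/\.replace\(\/((?:[^\/\\\n]|\\.)+)\/([gimsuy]*)\s*,/g,
           (m, pat, flags) => ".replace(/" + pat + "/" + withFlag(flags, "g") + ","],
  // MARF (b): case-sensitive search becomes case-insensitive.
  MARF_I: [/\.replace\(\/((?:[^\/\\\n]|\\.)+)\/([gimsuy]*)\s*,/g,
           (m, pat, flags) => ".replace(/" + pat + "/" + withFlag(flags, "i") + ","],
  // PHP operators (pages 17-19)
  AHSC: [/echo\s+(\$\w+(?:\['[^']*'\])?);/g, (m, v) => "echo htmlspecialchars(" + v + ");"],
  RHSC: [new RegExp("htmlspecialchars\\((" + ARG + ")\\)", "g"), (m, a) => a],
  AHEN: [/echo\s+(\$\w+(?:\['[^']*'\])?);/g, (m, v) => "echo htmlentities(" + v + ");"],
  RHEN: [new RegExp("htmlentities\\((" + ARG + ")\\)", "g"), (m, a) => a],
  // MALT: widen the allowable-tag argument (here by additionally allowing <b>).
  MALT: [/strip_tags\(([^,()]+),\s*'([^']*)'\)/g,
         (m, a, allowed) => "strip_tags(" + a + ", '" + allowed + "<b>')"],
  RSTT: [/strip_tags\(([^,()]+)(?:,\s*'[^']*')?\)/g, (m, a) => a],
};

// Apply one operator to a source string and return every distinct mutant,
// rewriting a single match site per mutant. A rewrite that leaves the source
// unchanged (e.g. MARF_G on a search that is already global) is an equivalent
// mutant and is dropped, so it does not distort the mutation score.
function mutate(source, opName) {
  const [re, rewrite] = OPERATORS[opName];
  const sites = (source.match(re) || []).length;
  const mutants = [];
  for (let k = 0; k < sites; k++) {
    let i = 0;
    const out = source.replace(re, (...args) => (i++ === k ? rewrite(...args) : args[0]));
    if (out !== source) mutants.push(out);
  }
  return mutants;
}

// Generate all mutants of a source for a list of operators, tagged by operator.
function mutateAll(source, opNames) {
  return opNames.flatMap(op => mutate(source, op).map(src => ({ op, src })));
}

// Constructed sample sources (not taken from any real application). The JS
// one reuses the two script lines of page 6.
const JS_SOURCE = [
  'var pos = document.URL.indexOf("name=") + 5;',
  'document.write(document.URL.substring(pos, document.URL.length));',
  'msg.innerHTML = greeting;',
  'var clean = input.replace(/<script>/, "");',
].join("\n");

const PHP_SOURCE = [
  "$name = $_GET['name'];",
  "echo $name;",
  "echo htmlspecialchars($_GET['comment']);",
  "echo strip_tags($_POST['bio'], '<p>');",
].join("\n");

for (const { op, src } of mutateAll(JS_SOURCE, ["ADES", "RESC", "RWWE", "RIHA", "MARF_G", "MARF_I"])) {
  console.log("--- JS mutant (" + op + ") ---\n" + src);
}
for (const { op, src } of mutateAll(PHP_SOURCE, ["AHSC", "RHSC", "AHEN", "RHEN", "MALT", "RSTT"])) {
  console.log("--- PHP mutant (" + op + ") ---\n" + src);
}
```

The "add" and "remove" operators are inverses of each other on this source: applying RESC to the ADES mutant gives the original text back, which is a quick sanity check that the rewrite captured the whole write argument rather than cutting it at the first parenthesis.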

Page 20: Implementation Details

Choose five open source web apps from the Open Source Vulnerability Database (OSVDB), each in both a vulnerable version (bad app) and an upgraded or manually fixed version (good app).

Mutants of the good apps are generated by the tool.

Page 21: Implementation Details

Collect 303 test cases to form an attack test pool.

Each app has an initial test data set composed of 10 test cases, which do not contain attack test cases.

Use attack test cases from the attack test pool to augment the initial test cases, so that each app has 50 test cases.

Page 22: Implementation Details

For each app, do the following procedure: randomly choose 10 out of the 50 test cases to construct an initial test data set. Repeatedly add test cases to the set, if needed, until MS reaches 100%.

Repeat the procedure 15 times and calculate the average test set size.

Page 23: Implementation Details

Check whether the test data set can distinguish between the good and bad apps, by checking whether at least one test case in the set distinguishes them under either of the killing criteria.

The results showed that all the adequate test data sets (with MS 100%) for a bad program can distinguish the corresponding good program.

The operators are proved to be effective.
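The procedure of pages 21-23 on a constructed miniature, as an added JavaScript example (not the authors' experiment code). The good/bad app pair, the two hand-written mutants of the good app, the 50-entry test pool, the random augmentation strategy and the seeded random generator are assumptions of this example; only the sizes (10 initial test cases, 50 per app, 15 repetitions) and the two killing criteria come from the slides.

```javascript
// Added example, not the experiment code from the paper: the procedure of
// pages 21-23 on a constructed miniature. A "good app" (escapes its input)
// and a "bad app" (writes it raw) stand in for the fixed and vulnerable
// versions; two hand-built mutants of the good app stand in for the tool's
// output; a pool of 10 non-attack plus 40 tag-carrying test cases stands in
// for the 50 per app. Everything except the sizes is an assumption.

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
const goodApp = input => "<p>Hi " + escapeHtml(input) + "</p>";
const badApp = input => "<p>Hi " + input + "</p>";

// Mutants of the good app: RESC-style (escaping removed) and MARF-style
// (only the first occurrence is escaped: a local instead of a global search).
const MUTANTS = [
  input => "<p>Hi " + input + "</p>",
  input => "<p>Hi " + input.replace(/</, "&lt;").replace(/>/, "&gt;") + "</p>",
];

// C1 counts tags, C2 compares the displayed (tag-stripped) content.
const TAG = /<\/?[a-zA-Z][^>]*>/g;
const countTags = html => (html.match(TAG) || []).length;
const displayed = html => html.replace(TAG, "");

// A test case kills a mutant if either criterion separates P from M.
function kills(original, mutant, t) {
  return countTags(original(t)) !== countTags(mutant(t)) ||
         displayed(original(t)) !== displayed(mutant(t));
}
function liveMutants(original, mutants, tests) {
  return mutants.filter(m => !tests.some(t => kills(original, m, t)));
}

// Constructed pool: 10 benign names plus 40 tag-carrying inputs. Half of the
// latter carry a single unclosed tag, which the MARF-style mutant survives.
const BENIGN = Array.from({ length: 10 }, (_, i) => "user" + i);
const ATTACK_POOL = Array.from({ length: 40 }, (_, i) =>
  i % 2 === 0 ? "<b>t" + i : "<i>t" + i + "</i><u>x</u>");
const POOL = BENIGN.concat(ATTACK_POOL);

// Deterministic PRNG (mulberry32) so that runs are reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
function shuffle(items, rng) {
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Page 22: start from 10 random test cases and keep adding random ones from
// the remainder until every mutant is killed (MS = 100%) or the pool is used up.
function adequateSet(original, mutants, pool, rng, initialSize = 10) {
  const order = shuffle(pool, rng);
  const set = order.slice(0, initialSize);
  const rest = order.slice(initialSize);
  while (liveMutants(original, mutants, set).length > 0 && rest.length > 0) {
    set.push(rest.shift());
  }
  return set;
}

// Repeat the procedure 15 times and average the adequate set size.
function averageAdequateSize(original, mutants, pool, runs = 15, seed = 42) {
  const rng = mulberry32(seed);
  let total = 0;
  for (let r = 0; r < runs; r++) total += adequateSet(original, mutants, pool, rng).length;
  return total / runs;
}

// Page 23: does at least one test case in the set separate the good app from
// the bad one under either killing criterion?
function distinguishes(set, good, bad) {
  return set.some(t => kills(good, bad, t));
}

const demoSet = adequateSet(goodApp, MUTANTS, POOL, mulberry32(1));
console.log("adequate set size:", demoSet.length,
  "| distinguishes good from bad:", distinguishes(demoSet, goodApp, badApp));
console.log("average adequate set size over 15 runs:", averageAdequateSize(goodApp, MUTANTS, POOL));
```

Because the bad app behaves exactly like the RESC-style mutant, any set that reaches MS 100% necessarily contains a test case that separates the good app from the bad one, which is the relation the slide reports for the five real applications; a set made only of the benign names separates nothing.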

Page 24: Future Work

Extend the MUTEC tool to support an automatic mutation analysis process.

Perform adequate testing of XSSVs on large-scale web-based applications.

Propose mutation operators for filters implemented using PHP library functions such as preg_replace and preg_search.

Page 25: Questions?

Presenter: Dengfeng Xia

Thank You