Automatic Examination-Based Whitelist Generation for XSS Attack Detection

ADVANCES ON BROADBAND AND WIRELESS COMPUTING, COMMUNICATION AND APPLICATIONS, BWCCA-2018(2019)

Abstract
When faced with cross-site scripting (XSS) attacks, it is difficult to counter all malicious inputs such that they are rendered completely harmless. In such situations, the introduction of a whitelist-based XSS countermeasure is considered to be an effective and robust approach. However, as the behavior of current web applications is complex, it is difficult to theoretically generate the necessary and sufficient whitelists. To this end, we propose an examination-based approach for whitelist generation instead of a theory-based one. We focus on software tests that are always performed during the final stage of the development process and establish a method to automatically generate whitelists that are consistent with the specifications of each web application. By adding the function for whitelist generation on a web application's test tool, a whitelist can be generated without changing the development process of a conventional web application. We implement our proposed method and evaluate its effectiveness.
Keywords
Whitelist, Cross-site Scripting, Script Structure, Confirmation Button, Policy-based Methods