As the old saying goes, “Everything old is new again.” Unfortunately, pervasive Cross-Site Scripting (XSS) vulnerabilities continue to be one of the most common application vulnerability types. It’s hard to believe that we’ve been fighting this vulnerability for more than a decade, yet Cross-Site Scripting is still one of the most common vulnerability types in the OWASP Top 10. According to a 2018 report, XSS vulnerabilities can be found in up to 82% of modern applications.

What is XSS?

OWASP defines Cross-Site Scripting as follows: “XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.”

While reflecting on the fact that XSS continues to be a current and pervasive vulnerability after all of these years, I recalled how back in 2012 we introduced ground-breaking AppScan technology that we named XSS Analyzer. Here in 2020, it’s still available in AppScan V10.0.1, and it continues to be technologically ahead of what most application security testing solutions can offer. Essentially, it improves speed and accuracy for automated detection of Cross-Site Scripting.

Identify Cross-Site Scripting Vulnerabilities with XSS Analyzer

Identification of Cross-Site Scripting vulnerabilities with XSS Analyzer is simple – just fill an entity (e.g. parameter) value to include JavaScript code (e.g. <script>alert(‘XSS’)</script>) and check if the JavaScript code is executed when the response is rendered (e.g. an alert pops). There are many ways to exploit an XSS vulnerability. If one fails, the analyzer will try the next one. Previous lists of such potential payloads (usually referred to as “cheat sheets”) contained tens or a few hundred potential payloads. Our ongoing research has revealed that more than 700 million payloads have been used by XSS Analyzer!

Automated Identification of XSS

The automated identification of Cross-Site Scripting is performed by sending potential payloads until a successful payload is found. Traditional dynamic application scanners are limited in time; therefore, they cannot send more than a few dozen requests for each entity. For that reason, DAST scanners choose a small subset of the huge payload space and test only against that subset. The choice of the subset is smart – based on success probability, reflection contexts and other characteristics, but it will never cover the whole testing space. A subset won’t even cover one-half of the testing space.

XSS Analyzer’s Learning Capabilities

This is what makes XSS Analyzer unique. It finds more XSS vulnerabilities with higher accuracy and less time, without impacting time performance of your scans.

Additionally, XSS Analyzer is trained to impersonate a human attacker. It doesn’t just send random requests; it learns server-side logic and chooses the appropriate payload to test.   This is the key to XSS Analyzer performance and accuracy.  This “learning system” enables XSS Analyzer to learn from each test payload.

Based on testing results, XSS Analyzer can eliminate potential payloads from the 700 million payloads in our “cheat sheet” and focus on others.  With each test, XSS Analyzer narrows the scope of what will work, usually finding an issue in fewer than 20 tests and can determine if no threat exists from the 700-million item cheat sheet listing, in an average of 20 tests. That is truly a huge accomplishment for XSS identification, in terms of speed and accuracy.

Demo AppScan Enterprise

Sign up now for a comprehensive demo of HCL AppScan Enterprise, to learn more about our XSS Analyzer capabilities.


Comment wrap
Further Reading
a/icon/common/search Created with Sketch.