In this paper, we design an automatic fuzzing framework that can be used to investigate potential injection vulnerabilities for modern HTML5 websites. For its programmability and flexibility in conducting regularized and large-scale tests, fuzzing helps to reduce human efforts and provides quick test case generation.
FINITE STATE AUTOMATA GENERATOR SOFTWARE
To address the issue, some studies adopt fuzzing, a software testing technique that has been used in quality assurance and vulnerability detection.
However, while the validators are designed and constructed by mere brainstorming of engineers without a formal and systematical methodology, there may be some underneath threats based on the loopholes in these expressions due to the human limitations. As the requests are directly sent to the web server and are not checked by the user interfaces, websites should handle the malicious string inputs to avoid injection attacks.Ĭurrent website developers rely on developing several regular expressions to validate the correctness of the input strings and filter malicious ones. These requests could contain strings for injection attacks. Even though in HTML5 regular users can only enter a valid value through the user interfaces supported by browsers, malicious users can skip the user interface and directly send malformed HTTP requests to the web server. However, on the other hand, some studies have also presented the security issues affiliated with HTML5, especially the injection attacks on the websites. Compared with HTML4, HTML5 defines more specific input attributes such as telephone number, color, and email address. For example, HTML5 is an emerging interactive syntax which has been adopted in website development for its up-to-date specifications and support of multimedia content. Meanwhile, more and more sensitive data such as payment or personal information has been exchanged and stored online. Nowadays, with the rapid development of modern web technologies, a large number of social, interactive, and commercial services and a great amount of information are provided and exchanged between websites and end users. According to the results, our approach is not only efficient but also effective for identifying weak validators in HTML5. To evaluate the performance of our proposal, we conduct an experiment in identifying vulnerabilities of the input attributes in HTML5. According to the proposal, fuzzing can be completed through inputting a regular expression corresponding to the test target. We apply graph analysis techniques to extract paths from finite state machines and use these paths to construct test patterns automatically. To decrease the entry barrier of conducting fuzzing, in this study, we propose a test pattern generation algorithm based on the concept of finite state machines.
For vulnerability investigation, many previous studies used fuzzing and focused on generation-based approaches to produce test cases for fuzzing however, these methods require a significant amount of knowledge and mental efforts to develop test patterns for generating test cases.
However, the security issues in the new web technologies are also raised and are worthy of investigation. Among these technologies, HTML5 is a popular one and is widely used in establishing modern sites. With the rapid development of the Internet, several emerging technologies are adopted to construct fancy, interactive, and user-friendly websites. Generates an identity transducer on the alphabet \(\".
0 kommentar(er)
