英文文献：Automatic and Context-Aware Cross-Site Scripting Filter Evasion
英文文献作者：Fabrizio d??Amore,Mauro Gentile
英文文献摘要：
Cross-Site Scripting (XSS) is a pervasive vulnerability that involves a huge portion of modern web applications. Implementing a correct and complete XSS filter for user-generated content can really be a challenge for web developers. Many aspects have to be taken into account sincethe attackers may continuously show off a potentially unlimited armory. This work proposes an approach and a tool ?± named snuck ?± for web application penetration testing, which can definitely help in finding hard-to-spot and advanced XSS vulnerabilities. This methodology is based on the inspection of the inject ion??s reflection context and relies on a set of specialized and obfuscated attack vectors for bypassing filter based protections, adopted against potentially harmful inputs. In addition, XSS testing is performed in-browser, this means that a web browser is driven in reproducing the attacker and possibly the victim behavior. Results of several tests on many popular Content Management Systems proved the benefits of this approach: no other web vulnerability scanner would have been able to discover some advanced ways to bypass robust XSS filters.