
XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing


Bibtex

@inproceedings{duchene-12-GRR-xssevofuzz,
	Author = {Fabien Duchene and Sanjay Rawat and Roland Groz and Jean-Luc Richier},
	Title = {{{XSS} Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing}},
	Institution = {UJF-Grenoble 1/Grenoble-INP/UPMF-Grenoble2/CNRS, Laboratoire d’Informatique de Grenoble UMR 5217, Grenoble Institute Of Technology},
	Year = {2012},
	Month = {Apr},
	booktitle = {the 3rd International Workshop on Security Testing ({SECTEST}), in association with the 5th IEEE International Conference on Software Testing, Verification and Validation ({ICST})},
	pages = {815-817},
	doi = {10.1109/ICST.2012.181},
	masid = {56970217},
	note={talk: \url{http://bit.ly/HvMtGL}, paper: \url{http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=6200193&contentType=Conference+Publications}},
	confURL={http://www.spacios.eu/sectest2012/},
	MicrosoftAcademicURL={http://academic.research.microsoft.com/Conference/2586/icst-international-conference-on-software-testing-verification-and-validation},
	paperURL = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=6200193&contentType=Conference+Publications},
	talkURL = {http://bit.ly/HvMtGL},
	type={workshop},
	range={international},
	keywords = {Evolutionary Algorithm, Black-Box Security Testing, Test Automation, Model Inference, Model Based Fuzzing},
	publisher = {IEEE Computer Society},
	address = {Montreal, Canada},
	x-international-audience = {yes},
	shortpaper={yes},
}

Abstract

We present an approach to detect web injection vulnerabilities by generating test inputs using a combination of model inference and evolutionary fuzzing. Model inference is used to obtain knowledge about the application behavior. Based on this understanding, inputs are generated using a genetic algorithm (GA). The GA uses the learned formal model to automatically generate inputs with better fitness values towards triggering an instance of the given vulnerability.

Authors

Fabien Duchene - Sanjay Rawat - Roland Groz - Jean-Luc Richier

Conference



The 3rd International Workshop on Security Testing (SECTEST), in association with the 5th IEEE International Conference on Software Testing, Verification and Validation (ICST)

Fabien Duchene's Publications


In the pipe :)


International Academic Conferences


Only peer-reviewed academic conferences with a program committee and proceedings are listed here.
  • [ conf_5 ]   "KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection", Fabien Duchene and Sanjay Rawat and Jean-Luc Richier and Roland Groz, in CODASPY, (to appear), (acceptance rate: 15.9%) San Antonio, Texas, USA.
  • [ conf_4 ]   "LigRE : Reverse-Engineering of Control and Data Flow Models for Black-Box XSS Detection", Fabien Duchene and Sanjay Rawat and Jean-Luc Richier and Roland Groz, in 20th Working Conference in Reverse Engineering (WCRE), Oct 2013, Koblenz-Landau, Germany.
  • [ conf_3 ]   "Fuzzing Intelligent de XSS Type-2 Filtrés selon Darwin: KameleonFuzz", Fabien Duchene and Sanjay Rawat and Jean-Luc Richier and Roland Groz, in 11ème Symposium sur la Sécurité des Technologies de l'Information et des Communications (SSTIC), Jun 2013, Rennes, France.
  • [ conf_2 ]   "Evolving Indigestible Codes: Fuzzing Interpreters with Genetic Programming", Sanjay Rawat and Fabien Duchene and Roland Groz and Jean-Luc Richier, in the IEEE Symposium on Computational Intelligence in Cyber Security (CICS), in association with the 4th IEEE Symposium Series on Computational Intelligence (SSCI), Apr 2013, Singapore, Singapore.
  • [ conf_1 ]   "XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing", Fabien Duchene and Sanjay Rawat and Roland Groz and Jean-Luc Richier, in the 3rd International Workshop on Security Testing (SECTEST), in association with the 5th IEEE International Conference on Software Testing, Verification and Validation (ICST), Apr 2012, Montreal, Canada.

Thesis


Talks


We only list invited talks, academic talks without formal proceedings, and posters.

Hacking Conferences