LARGE LANGUAGE MODEL-BASED TESTING FOR CROSS-SITE SCRIPTING VULNERABILITIES
Main Author: | Ramadhana P. K., Rizky |
---|---|
Format: | Final Project |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/82472 |
Institution: | Institut Teknologi Bandung |
id |
id-itb.:82472 |
---|---|
spelling |
id-itb.:82472 2024-07-08T14:05:46Z LARGE LANGUAGE MODEL-BASED TESTING FOR CROSS-SITE SCRIPTING VULNERABILITIES Ramadhana P. K., Rizky Indonesia Final Project cross-site scripting, large language model, software testing INSTITUT TEKNOLOGI BANDUNG https://digilib.itb.ac.id/gdl/view/82472 text |
institution |
Institut Teknologi Bandung |
building |
Institut Teknologi Bandung Library |
continent |
Asia |
country |
Indonesia |
content_provider |
Institut Teknologi Bandung |
collection |
Digital ITB |
language |
Indonesia |
description |
Cross-site scripting has appeared in each of the last four OWASP Top 10 publications.
It is also the most reported vulnerability on the CVEDetails site, and it has shown an
increasing trend over the last ten years. A comprehensive testing mechanism is therefore
needed to prevent this vulnerability.
Much research has been done and many tools have been built to address the prevalence of
cross-site scripting vulnerabilities. However, those tools still have a high false positive
rate and depend on the tech stack being used. For example, XSStrike does not confirm
vulnerabilities with an attack and cannot create a payload for DOM cross-site scripting.
Another example is the approach of Mohammadi et al. (2017), which can only be used for
software using JSP.
This Final Project proposes a cross-site scripting detection tool that validates each
vulnerability by directly attacking the target. Using payloads created by a large language
model with the few-shot prompting technique, the proposed tool performs comparably to the
baseline, XSStrike, in server cross-site scripting detection, and it outperforms XSStrike
in client cross-site scripting detection. In short, the tool detects 59 out of 92
cross-site scripting vulnerabilities in a testbed called Google Firing Range. It also
reduces the false positive rate to zero in a test on the open source software Airflow.
All of this is achieved with only $0.01 additional cost for each page tested. However, the
automatic prompt engineering technique used in this Final Project is not exactly the same
as the original theory, and only a small number of vulnerabilities were tested in Airflow;
both are suggestions for future research. |
format |
Final Project |
author |
Ramadhana P. K., Rizky |
title |
LARGE LANGUAGE MODEL-BASED TESTING FOR CROSS-SITE SCRIPTING VULNERABILITIES |
url |
https://digilib.itb.ac.id/gdl/view/82472 |