DOI: https://doi.org/10.32515/2664-262X.2019.2(33).173-180
Mathematical Model of DOM XSS Vulnerability Testing Technology for Analytical Assessment of Time Costs
About the Authors
Oleksandr Kovalenko, Associate Professor, PhD in Technics (Candidate of Technics Sciences), Central Ukraіnian National Technical University, Kropyvnytskyi, Ukraine
Abstract
The paper presents the results of the study and testing algorithms for vulnerability to one of the most common types of attacks on Web applications, DOM XSS, for analytic assessment of time costs. Analysis of various kinds of statistical materials of well-known organizations (for example, the Open Web Application Security Project) showed that one of the most dangerous types of attacks (vulnerabilities) is Cross Site Scripting – XSS. In a number of works, attempts of mathematical formalization the process of finding and eliminating vulnerabilities of this kind were made . However, the presented models do not take into account the latest trends of XSS vulnerability, namely the difference in their types (“stored XSS”, “reflected XSS” and DOM Based XSS) and the need to identify them. That is why a particularly relevant task in this direction seems to be the modeling of the DOM (Document Object Model) XSS vulnerability algorithm taking into account the complex of their three possible types.
In general, studies have shown that GERT-modeling is an effective way to determine previously unknown laws and distribution functions of random variables with a known algorithm of functioning (process). That is why, we chose GERT modeling as a tool for mathematical modeling. The main purpose of GERT is to evaluate the network logic and the duration of the activity and obtaining a conclusion on the need to perform certain activities.
As a result, a mathematical model was developed for testing the DOM XSS vulnerability complex which differs from the known ones by taking into account the specifics of complex analysis of various types of XSS vulnerability (“stored XSS”, “reflected XSS” and DOM Based XSS), as well as separately including DOM Based XSS into the algorythm of automatic audit procedures. This makes it possible to conduct an analytical assessment of the time spent testing these vulnerabilities in the context of implementing a secure software development strategy.
Keywords
testing technologies, DOM XSS vulnerabilities, GERT modeling, security vulnerabilities
Full Text:
PDF
References
1. About The Open Web Application Security Project – OWASP. www.owasp.org. Retrieved from: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project.
2. Smirnov, A.A., Kovalenko, A.V., Jakimenko, N.N. & Dorenskij, A.P. (2016). Problemy analiza i ocenki riskov informacionnoj dejatel'nosti [Problems analysis and risk assessment information activities]. Sistemi obrobki іnformacії – Information Processing Systems, Vol. 3(140), 40-42 [in Russian].
3. Smirnov, A.A. & Kovalenko, A.V. (2016). Metody kachestvennogo analiza i kolichestvennoj ocenki riskov razrabotki programmnogo obespechenija [Methods of qualitative analysis and quantitative risk assessment software development]. Sistemi obrobki іnformacії – Information Processing Systems, Vol. 5(142), 153-157 [in Russian].
4. Kovalenko, A.V. (2106). Metod upravlenija riskami razrabotki programmnogo obespechenija [Software Development Risk Management Method]. Sistemi upravlіnnja, navіgacії ta zv’jazku – Control, Navigation and Communication Systems . Vol. 2 (38). S. 93-100 [in Russian].
5. OSSTMM 3 – The Open Source Security Testing Methodology Manual. Contemporary Security Testing And Analysis. www.isecom.org. Retrieved from: http://www.isecom.org/mirror/OSSTMM.3.pdf.
6. Positive Research 2016: Retrieved from: https://www.ptsecurity.com/upload/ptru/analytics/Positive-Research-2016-rus.pdf.
7. Semenov, S.G., Zmiyevskaya, V N. & Kassem, Khalife (2016). Development of Gert model of management system by using test cases. Journal of Qafqaz university-mathematics and computer science, Vol.(4), 1, 52-59
8. Testing for DOM-based Cross-site scripting (OTG-CLIENT-001) – OWASP: Retrieved from: https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001).
9. Cohen W., Ravikumar P., Fienberg S. A Comparison of String Metrics for Matching Names and Records William W. Cohen, Pradeep Ravikumar, Stephen E. Fienberg. Retrieved from: https://www.cs.cmu.edu/afs/cs/Web/People/wcohen/postscript/kdd-2003-match-ws.pdf.
10. Kevin Dressler & Axel-Cyrille Ngonga Ngomo. (2015). On the Efficient Execution of Bounded Jaro-Winkler Distances / Semantic Web – Interoperability, Usability, Applicability an IOS Press Journal. Retrieved from: http://www.semantic-web-journal.net/system/files/swj944.pdf
GOST Style Citations
Пристатейна бібліографія ГОСТ
About The Open Web Application Security Project – OWASP. URL: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project (Last accessed: 08.12.2019)
Смирнов А.А. , Коваленко А.В., Якименко Н.Н., Доренский А.П. Проблемы анализа и оценки рисков информационной деятельности. Системи обробки інформації: збірник наукових праць. 2016. Вип. 3(140). С. 40-42.
Смирнов А.А., Коваленко А.В. Методы качественного анализа и количественной оценки рисков разработки программного обеспечения. Системи обробки інформації: збірник наукових праць. 2016. Вип. 5(142). С. 153-157.
Коваленко А.В. Метод управления рисками разработки программного обеспечения. Системи управління, навігації та зв’язку. 2016. Вип. 2 (38). С. 93-100.
OSSTMM 3 – The Open Source Security Testing Methodology Manual. Contemporary Security Testing And Analysis. URL: http://www.isecom.org/mirror/OSSTMM.3.pdf (Last accessed: 10.12.2019)
Positive Research 2016. URL: https://www.ptsecurity.com/upload/ptru/analytics/Positive-Research-2016-rus.pdf (Last accessed: 08.12.2019)
Semenov S.G., Zmiyevskaya V N., Kassem Khalife Development of Gert model of management system by using test cases. Journal of Qafqaz university-mathematics and computer science. 2016. Vol.(4), № 1. C. 52-59.
Testing for DOM-based Cross-site scripting (OTG-CLIENT-001) – OWASP. URL: https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001) (Last accessed: 08.12.2019)
Cohen W., Ravikumar P., Fienberg S. A Comparison of String Metrics for Matching Names and Records. URL: https://www.cs.cmu.edu/afs/cs/Web/People/wcohen/postscript/kdd-2003-match-ws.pdf (Last accessed: 11.12.2019)
Kevin Dressler, Axel-Cyrille Ngonga Ngomo. On the Efficient Execution of Bounded Jaro-Winkler Distances. Semantic Web – Interoperability, Usability, Applicability an IOS Press Journal. URL: http://www.semantic-web-journal.net/system/files/swj944.pdf (Last accessed:6.12.2019)
Copyright (c) 2019 Oleksandr Kovalenko
Mathematical Model of DOM XSS Vulnerability Testing Technology for Analytical Assessment of Time Costs
About the Authors
Oleksandr Kovalenko, Associate Professor, PhD in Technics (Candidate of Technics Sciences), Central Ukraіnian National Technical University, Kropyvnytskyi, Ukraine
Abstract
Keywords
Full Text:
PDFReferences
1. About The Open Web Application Security Project – OWASP. www.owasp.org. Retrieved from: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project.
2. Smirnov, A.A., Kovalenko, A.V., Jakimenko, N.N. & Dorenskij, A.P. (2016). Problemy analiza i ocenki riskov informacionnoj dejatel'nosti [Problems analysis and risk assessment information activities]. Sistemi obrobki іnformacії – Information Processing Systems, Vol. 3(140), 40-42 [in Russian].
3. Smirnov, A.A. & Kovalenko, A.V. (2016). Metody kachestvennogo analiza i kolichestvennoj ocenki riskov razrabotki programmnogo obespechenija [Methods of qualitative analysis and quantitative risk assessment software development]. Sistemi obrobki іnformacії – Information Processing Systems, Vol. 5(142), 153-157 [in Russian].
4. Kovalenko, A.V. (2106). Metod upravlenija riskami razrabotki programmnogo obespechenija [Software Development Risk Management Method]. Sistemi upravlіnnja, navіgacії ta zv’jazku – Control, Navigation and Communication Systems . Vol. 2 (38). S. 93-100 [in Russian].
5. OSSTMM 3 – The Open Source Security Testing Methodology Manual. Contemporary Security Testing And Analysis. www.isecom.org. Retrieved from: http://www.isecom.org/mirror/OSSTMM.3.pdf.
6. Positive Research 2016: Retrieved from: https://www.ptsecurity.com/upload/ptru/analytics/Positive-Research-2016-rus.pdf.
7. Semenov, S.G., Zmiyevskaya, V N. & Kassem, Khalife (2016). Development of Gert model of management system by using test cases. Journal of Qafqaz university-mathematics and computer science, Vol.(4), 1, 52-59
8. Testing for DOM-based Cross-site scripting (OTG-CLIENT-001) – OWASP: Retrieved from: https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001).
9. Cohen W., Ravikumar P., Fienberg S. A Comparison of String Metrics for Matching Names and Records William W. Cohen, Pradeep Ravikumar, Stephen E. Fienberg. Retrieved from: https://www.cs.cmu.edu/afs/cs/Web/People/wcohen/postscript/kdd-2003-match-ws.pdf.
10. Kevin Dressler & Axel-Cyrille Ngonga Ngomo. (2015). On the Efficient Execution of Bounded Jaro-Winkler Distances / Semantic Web – Interoperability, Usability, Applicability an IOS Press Journal. Retrieved from: http://www.semantic-web-journal.net/system/files/swj944.pdf