@inproceedings{88e44a8fe7164b07a1070e700423ccf5,
title = "L-WMxD: Lexical based Webmail XSS Discoverer",
abstract = "XSS (Cross-Site Scripting) is a major security threat for web applications. Due to lack of source code of web application, fuzz technique has become a popular approach to discover XSS in web application except Webmail. This paper proposes a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer). L-WMxD , which works on a lexical based mutation engine, is an active defense system to discover XSS before the Webmail application is online for service. The engine is initialized by normal JavaScript code called seed. Then, rules are applied to the sensitive strings in the seed which are picked out through a lexical parser. After that, the mutation engine issues multiple test cases. Newly-generated test cases are used for XSS test. Two prototype tools are realized by us to send the newly-generated test cases to various Webmail servers to discover XSS vulnerability. Experimental results of L-WMxD are quite encouraging. We have run L-WMxD over 26 real-world Webmail applications and found vulnerabilities in 21 Webmail services, including some of the most widely used Yahoo!Mail, Mirapoint Webmail and ORACLE' Collaboration Suite Mail.",
keywords = "L-WMxD, Webmail, XSS, fuzzer",
author = "Zhushou Tang and Haojin Zhu and Zhenfu Cao and Shuai Zhao",
year = "2011",
doi = "10.1109/INFCOMW.2011.5928954",
language = "英语",
isbn = "9781457702488",
series = "2011 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2011",
pages = "976--981",
booktitle = "2011 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2011",
note = "2011 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2011 ; Conference date: 10-04-2011 Through 15-04-2011",
}