MUTEC: Mutation-based Testing of Cross Site Scripting

Hossain Shahriar and Mohammad Zulkernine
School of Computing, Queen's University, Kingston, Canada
{shahriar, mzulker}@cs.queensu.ca

Abstract

Cross Site Scripting (XSS) is one of the worst vulnerabilities, allowing malicious attacks such as cookie theft and web page defacement. Testing an implementation against XSS vulnerabilities (XSSVs) can avoid these consequences. Obtaining an adequate test data set is essential for testing XSSVs. An adequate test data set contains effective test cases that can reveal XSSVs. Unfortunately, traditional testing techniques for XSSVs do not address the issue of adequate testing. In this work, we apply the idea of mutation-based testing to generate adequate test data sets for testing XSSVs. Our work addresses XSSVs in web applications that use PHP and JavaScript code to generate dynamic HTML content. We propose 11 mutation operators to force the generation of an adequate test data set. A prototype mutation-based testing tool named MUTEC is developed to generate mutants automatically. The proposed operators are validated using five open source applications that have XSSVs. The results indicate that the proposed operators are effective for testing XSSVs.

1. Introduction

Cross Site Scripting (XSS) is one of the worst vulnerabilities in web-based applications [5]. XSS vulnerabilities (XSSVs) involve the generation of dynamic Hyper Text Markup Language (HTML) [16] content (i.e., attributes of tags) from unvalidated inputs. XSS attacks exploit these vulnerabilities through inputs that might contain HTML tags, JavaScript code, and so on. These inputs are interpreted by browsers while rendering web pages. As a result, the intended behavior of the generated web pages is altered, with visible (e.g., creation of pop-up windows) and invisible (e.g., cookie bypassing) symptoms. XSS attacks circumvent the traditional security mechanisms employed by browsers, such as the same origin policy, sandboxing, and signed scripts. The exploitation of XSSVs has resulted in widespread damage in the real world, such as the hacking of websites and identity theft [12]. Therefore, addressing XSSVs is important in today's web-based applications.

Traditional complementary approaches for detecting and preventing XSSVs include static analysis [14], the combination of static analysis and dynamic monitoring [1, 2], and browser-based defenses [9, 11]. Static analysis helps identify potential locations of XSSVs in source code. However, the approach produces some false positive warnings. Combining static analysis with runtime monitoring provides more accuracy in detecting XSSVs, at the cost of deploying customized frameworks. Browser-based approaches require end-user intervention and the rewriting of entire implementations.

Effective testing for XSSVs helps fix implementations early and reduces the losses incurred by end users. Obtaining an adequate test data set is an important goal of an effective testing approach. An adequate test data set is a collection of test cases that can exploit XSSVs. Unfortunately, existing testing approaches [3, 6, 15] do not address the issue of obtaining adequate test data sets for XSSVs. In this work, we apply the mutation-based testing technique [8, 13] to perform adequate testing of XSSVs. Mutation is a fault-based testing technique in which an implementation is injected with faults to generate mutants. The rule for injecting a fault is known as a mutation operator. A test case kills a mutant if it causes a different output between the original program and the mutant. Otherwise, the mutant is said to be live. Additional test cases need to be generated to kill the live mutants. The adequacy of a test data set is measured by the mutation score (MS), which is the ratio of the number of killed mutants to the total number of non-equivalent mutants. Similarly, we modify application source code to generate mutants and assess whether a given test data set can detect XSSVs or not.
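As an added illustration (not code from the MUTEC paper or its tool), the kill/live bookkeeping and mutation score described above, applied to a JavaScript routine that builds HTML from user input; the three mutants and their operator names are constructed for this example, each standing in for one weakened escaping rule, and all three are non-equivalent by construction.

```javascript
// Original implementation under test: escapes every HTML-significant character
// before the input is placed in an attribute and in a text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderOriginal(name) {
  return `<p title="${escapeHtml(name)}">Hello, ${escapeHtml(name)}!</p>`;
}

// Hypothetical mutants (constructed for this example), each produced by one
// operator that removes or weakens escaping at a single output location.
const mutants = {
  // Operator 1: escaping removed from the text node.
  removeEscapeInText: (name) => `<p title="${escapeHtml(name)}">Hello, ${name}!</p>`,
  // Operator 2: escaping removed from the attribute value.
  removeEscapeInAttr: (name) => `<p title="${name}">Hello, ${escapeHtml(name)}!</p>`,
  // Operator 3: quote characters no longer escaped (only &, <, > remain escaped).
  dropQuoteEscape: (name) => {
    const weak = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
    const e = name.replace(/[&<>]/g, (c) => weak[c]);
    return `<p title="${e}">Hello, ${e}!</p>`;
  },
};

// Runs every test input against every mutant. A mutant is killed by the first
// input whose mutant output differs from the original output; otherwise it is
// live. The mutation score is killed / total non-equivalent mutants.
function runMutationTest(tests, mutantSet = mutants) {
  const result = {};
  for (const [id, mutant] of Object.entries(mutantSet)) {
    const killer = tests.find((t) => mutant(t) !== renderOriginal(t));
    result[id] = killer === undefined ? null : killer; // null means live
  }
  const total = Object.keys(mutantSet).length;
  const killed = Object.values(result).filter((k) => k !== null).length;
  return { result, killed, total, score: killed / total };
}

// Benign names kill nothing; a tag-bearing input kills the two "remove escaping"
// mutants; an input containing quotes is needed to kill the third.
console.log(runMutationTest(["Alice", "Bob"]).score);                        // 0
console.log(runMutationTest(["Alice", "<b>bold</b>"]).score);                // 0.666...
console.log(runMutationTest(["Alice", "<b>bold</b>", 'Ann "Annie" Lee']).score); // 1
```

The live mutant after the second run points directly at the test case the data set is missing, which is how the paper's operators drive the test set toward adequacy.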