The proliferation of the Internet has created a massive venue for computer hackers to attempt to disrupt web services, cripple company web sites, and exploit users' private personal information. Typical types of Internet-based attacks include buffer overflow attacks, denial-of-service attacks, and a newer class of attack termed a cross site scripting (XSS, previously known in the art as CSS) attack.
Cross site scripting attacks exploit a server that echoes some user supplied data back to the user's client computer over HTTP or HTTPS. For example, suppose a CGI script accepts as input a person's name, such as is illustrated in FIG. 1. The CGI script might return to the client computer an HTML document that displays a message directed to that person, such as is illustrated in FIG. 2. The echoed data is boldfaced in FIG. 2 for illustrative purposes only.
A malicious user such as a hacker might be able to exploit this echoing feature to execute malicious code on a client computer. For example, a malicious user might persuade an inattentive user to click on a hyperlink corresponding to a URL such as is shown in FIG. 3. The malicious user might send the inattentive user an innocent-looking link in an unsolicited email, or might maintain a web page that many people want to visit, e.g., advertising information about a popular celebrity. In either scenario (email or web page), a hyperlink is supplied that corresponds to a URL such as is shown in FIG. 3 (GET request) or an HTML form is pre-populated with malicious form data (POST request). The CGI script, upon execution at the server, returns to the client an HTML document such as is illustrated in FIG. 4. The echoed data is boldfaced in FIG. 4 for illustrative purposes only. Because the user's Web browser receives the evil JavaScript from the trusted Web page (goodguy.com), the Web browser will execute the script and allow access to anything to which goodguy.com would otherwise have access, e.g., a cookie with the user's personal login and password, account information, credit card information, etc.
The ability to execute, on a user's local computer, a script appearing to originate from a trusted web site, but that in fact originates from a malicious user, is a serious security vulnerability. For example, the simple script alert(document.cookie) will pop up an alert dialog box displaying the user's current set of cookies for goodguy.com. One of skill in the art will appreciate that a malicious user can do much more serious damage, including stealing passwords or other personal information stored in a cookie (e.g., credit card information), or redirecting the user to another (malicious) Web site.
While solutions for preventing cross site scripting attacks have been proposed, e.g., by performing validation on received input to ensure that the input does not contain any malicious code, or encoding characters with special meaning in HTML, there is presently no way to automate testing of a Web site for susceptibility to cross site scripting attacks. In order to test for cross site scripting vulnerabilities, a tester must manually submit test data to a Web server in the form of URLs with various test data. This manual testing is tedious and consumes unnecessary resources (i.e., man-hours).
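As an added illustration (not part of the original disclosure and not a reproduction of FIGS. 1-4), the following Python example places a handler that echoes a name parameter verbatim beside one that applies the HTML-encoding remedy mentioned above, together with a check that submits a harmless marker and reports whether it comes back unencoded. The page template, function names and marker string are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed page template standing in for the greeting document described above.
PAGE = "<html><body><h1>Hello, {name}!</h1></body></html>"


def _name_param(query_string: str) -> str:
    """Extract the URL-decoded 'name' parameter from a query string."""
    return parse_qs(query_string).get("name", [""])[0]


def greet_unsafe(query_string: str) -> str:
    """Echo the user-supplied name verbatim: markup in the input reaches the page."""
    return PAGE.format(name=_name_param(query_string))


def greet_encoded(query_string: str) -> str:
    """Echo the name after encoding characters with special meaning in HTML."""
    return PAGE.format(name=html.escape(_name_param(query_string), quote=True))


def reflects_markup(render, marker: str = "<xss-probe-7f3a>") -> bool:
    """Submit an inert tag-shaped marker and report whether it is echoed unencoded.

    The marker is a constructed value; a True result means the handler passes
    '<' and '>' through to the response, so it needs output encoding.
    """
    body = render(urlencode({"name": marker}))
    return marker in body


if __name__ == "__main__":
    # Constructed sample input using the script named in the text above.
    sample = urlencode({"name": "<script>alert(document.cookie)</script>"})
    print("verbatim:", greet_unsafe(sample))
    print("encoded: ", greet_encoded(sample))
    for handler in (greet_unsafe, greet_encoded):
        print(handler.__name__, "reflects markup:", reflects_markup(handler))
```

The check covers only the HTML element-content context of this template; input echoed into attributes, URLs or script blocks needs the encoding appropriate to that context.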
Thus, it would be an advancement in the art to provide an automated solution for testing a Web site for susceptibility to cross site scripting type attacks. It would be a further advancement in the art to provide an automated software testing tool that checks not only for simple cross site scripting vulnerabilities, but also tests for susceptibility to advanced cross site scripting attacks. It would be a further advancement in the art if the automated software tool were able to use the same engine used by a common web browser to ensure that the site being tested will perform exactly as when a user visits the web site using the common web browser.