Web application vulnerabilities such as cross-site scripting (XSS), clickjacking, and iframe injection are major security concerns on the Internet today. Malicious adversaries can exploit these vulnerabilities to harm both web application providers and users. Exploits may enable adversaries to steal sensitive data from a client's browsing session, inject malicious code into a web session, or otherwise interfere with a client's interaction with cloud services. For example, if a bank's website has an XSS vulnerability, an adversary can exploit this vulnerability to run arbitrary scripts in the context of a user's banking session. The malicious scripts could perform damaging actions such as unauthorized balance transfers, credential theft, and denial-of-service attacks.
Conventional web application vulnerability scanners attempt to identify vulnerabilities by injecting test vectors into web applications and distinguishing successful attacks based on application output. In general, a web vulnerability scanner reads in a web application, executes the application, and applies a variety of tests to identify possible web vulnerabilities. For example, a conventional scanner might perform a number of submissions to a web forum and inspect the posted submissions to identify whether the forum correctly filtered the input submissions.
Conventional scanners have several limitations. First, some conventional scanners scan web applications without using a specification of correct behavior; instead, they apply heuristics to attempt to identify code injection vulnerabilities. Second, some conventional scanners apply the same detection heuristics to each scanned web application and as a result achieve poor coverage of an application's behavior. Third, some conventional scanners typically scan for vulnerabilities as scripts are executing (execution-time detection), which is less desirable than scanning for vulnerabilities as scripts are loaded (load-time detection).
Some conventional scanners generate more false warnings and detect fewer vulnerabilities because, in part, they apply a blanket policy to all web applications. Conventional scanners do not use client security policies (CSPs) specific to the scanned web applications, so they use a heuristic approach based on a blanket policy rather than an algorithmic approach based on specific CSPs.
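As an added example (not part of the original document), the following shows a load-time, policy-based check of the kind contrasted above with blanket heuristics: every script element is collected from an application's HTML response before any of it would execute and compared against a policy specific to that application. The policy shape, the host name `static.example.test` and the sample forum page are constructed for illustration.

```python
"""Load-time check of a web application's HTML against an application-specific
script policy (added example; policy format and sample data are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import base64
import hashlib


class ScriptCollector(HTMLParser):
    """Collect every <script> element from the markup before it would run."""
    def __init__(self):
        super().__init__()
        self.scripts = []   # each entry: {"src": str | None, "body": str}
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def inline_hash(body):
    """SHA-256 of an inline script body as a CSP-style 'sha256-...' token."""
    digest = hashlib.sha256(body.encode()).digest()
    return "sha256-" + base64.b64encode(digest).decode()


def check_policy(html, policy):
    """Return the scripts the application-specific policy does not permit.
    policy = {"script_hosts": set of allowed hosts, "inline_hashes": set of tokens}"""
    collector = ScriptCollector()
    collector.feed(html)
    violations = []
    for script in collector.scripts:
        if script["src"] is not None:
            if urlparse(script["src"]).netloc not in policy["script_hosts"]:
                violations.append(("external-script", script["src"]))
        elif inline_hash(script["body"]) not in policy["inline_hashes"]:
            violations.append(("inline-script", script["body"].strip()))
    return violations


# Constructed sample: the forum's own loader and bootstrap are allowed; an
# unfiltered post reappears in the page as an extra inline script.
POLICY = {"script_hosts": {"static.example.test"},
          "inline_hashes": {inline_hash("initForum();")}}
SAMPLE = ('<html><body><script src="https://static.example.test/forum.js"></script>'
          '<script>initForum();</script>'
          '<div class="post"><script>document.title=1</script></div></body></html>')

if __name__ == "__main__":
    for kind, detail in check_policy(SAMPLE, POLICY):
        print(f"{kind}: {detail}")
```

Because the specification is an allowlist rather than a pattern list, the same check flags any script the application did not declare, whatever its content looks like.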
In view of the foregoing, it may be understood that there may be significant problems and shortcomings associated with current web application vulnerability scanning technologies.