Some applications, such as web applications, may be subjected to attacks by, e.g., hackers. For instance, injection attacks may be used to attack web applications. An example of an injection attack is cross-site scripting (XSS), a vulnerability in which attacker-supplied input is returned in a page without adequate encoding and is therefore interpreted by a victim's browser as script. Because such script runs in the origin of the vulnerable application, it may allow an attacker to bypass a client-side security mechanism, such as the browser's same-origin policy, and to access sensitive information (e.g., session data) with the privileges of the victim user.
Security scanners, such as dynamic, automated web application security scanners (black-box scanners that exercise a running application over the network rather than inspecting its source code), may be used to identify XSS vulnerabilities, as well as other injection vulnerabilities (e.g., command injection). However, the scale of some web applications is increasing, both in number of pages and in functionality. For instance, some web applications may consist of numerous pages (e.g., thousands), each defining numerous parameters (e.g., tens or hundreds). Each test payload sent by the security scanner against an individual parameter may translate into a Hypertext Transfer Protocol (HTTP) request and its response, i.e., a network round trip, which may be expensive compared to in-memory computation. The total number of requests therefore grows with the product of the number of pages, the number of parameters per page, and the number of payloads tried per parameter.
Moreover, the number of possible ways to exploit XSS alone may be large, since the payload that succeeds depends on the context into which the input is reflected (e.g., element text, an attribute value, or a string inside a script) and on which characters the application encodes or strips, whereas commercial black-box scanners may be equipped with a specification of merely several dozen injection attacks. Thus, the coverage of existing security scanners is typically poor: only a small, fixed number of tests are generally sent for each parameter in order to keep the overall scanning time reasonable, and the attempted payloads are typically those deemed by a security expert to be the most prevalent attack payloads. As such, some scanners may leave open many security holes, provide a false sense of security, and effectively reward attackers who try payloads less obvious than those selected by the security expert.
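As an added example, not part of the original document, the following Python program contrasts the two strategies described above on a constructed, offline stand-in for a web application (the `render` function, its three page names, the marker string and the payloads are all assumptions chosen for illustration, not real targets or a real scanner's payload list). The fixed-list scan sends the same two "expert" payloads to every page; the context-aware scan sends one marker probe per parameter, observes where the marker is reflected and which metacharacters survive, and then sends a single payload chosen for that context. Each page reflects its parameter into a different HTML context with a different encoding policy, which is exactly the situation in which a small fixed list misses vulnerabilities.

```python
"""Fixed-list versus context-aware XSS probing against a constructed offline target.

Added illustration; the target, payloads and marker below are assumptions, not real systems.
"""
import re
from typing import Optional

MARKER = "zq7x"  # assumed marker, unlikely to occur naturally in a response

# Constructed stand-in for a web application with three pages. Each page reflects one
# parameter into a different HTML context with a different encoding policy. No HTTP is sent.
def render(page: str, value: str) -> str:
    if page == "search":                       # element text, no output encoding at all
        return f"<p>Results for {value}</p>"
    if page == "profile":                      # double-quoted attribute; only < and > encoded
        v = value.replace("<", "&lt;").replace(">", "&gt;")
        return f'<input type="text" value="{v}">'
    if page == "track":                        # single-quoted JS string; < and > stripped
        v = value.replace("<", "").replace(">", "")
        return f"<script>var q = '{v}';</script>"
    raise KeyError(page)

PAGES = ["search", "profile", "track"]

# A small expert-curated list: both payloads assume the input lands in HTML text.
FIXED_PAYLOADS = ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]

def reflected_verbatim(page: str, payload: str) -> bool:
    """Crude oracle: did the payload come back unmodified? A real scanner would parse the
    response DOM or drive a headless browser instead of substring matching."""
    return payload in render(page, payload)

def fixed_list_scan():
    """Send every fixed payload to every page; return (vulnerable pages found, requests sent)."""
    found, requests = set(), 0
    for page in PAGES:
        for payload in FIXED_PAYLOADS:
            requests += 1
            if reflected_verbatim(page, payload):
                found.add(page)
    return found, requests

def reflection_context(resp: str, marker: str) -> Optional[str]:
    """Classify where the first reflection of `marker` landed: script, attribute or text."""
    idx = resp.find(marker)
    if idx < 0:
        return None
    before = resp[:idx]
    if before.rfind("<script") > before.rfind("</script>"):
        return "script"                        # inside an unclosed <script> element
    if before.rfind("<") > before.rfind(">"):
        return "attribute"                     # inside a tag that has not been closed yet
    return "text"

def choose_payload(page: str) -> Optional[str]:
    """One probe request: learn the context and which metacharacters survive, then pick
    a single payload for that context (None if the context is not handled here)."""
    probe = MARKER + "\"'<>" + MARKER
    resp = render(page, probe)
    ctx = reflection_context(resp, MARKER)
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), resp, re.S)
    survived = m.group(1) if m else ""
    if ctx == "text" and "<" in survived and ">" in survived:
        return "<script>alert(1)</script>"
    if ctx == "attribute" and '"' in survived:
        return '" autofocus onfocus="alert(1)" x="'   # break out of the attribute value
    if ctx == "script" and "'" in survived:
        return "'-alert(1)-'"                         # break out of the JS string literal
    return None

def context_aware_scan():
    """One probe plus at most one payload per page; return (vulnerable pages found, requests sent)."""
    found, requests = set(), 0
    for page in PAGES:
        requests += 1                          # the marker probe
        payload = choose_payload(page)
        if payload is not None:
            requests += 1                      # the single context-specific payload
            if reflected_verbatim(page, payload):
                found.add(page)
    return found, requests

if __name__ == "__main__":
    print("fixed list   :", fixed_list_scan())      # finds only 'search' with 6 requests
    print("context-aware:", context_aware_scan())   # finds all three with 6 requests
```

With the constructed target, the fixed list spends six requests and reports only the page that reflects into plain text, while the context-aware scan spends the same six requests and reports all three. The cost difference widens as the fixed list grows: a list of several dozen payloads costs that many requests per parameter, whereas the probe-then-payload approach costs two, and its coverage is bounded by how many contexts and encoding policies the payload selection logic understands rather than by a request budget.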