This paper presents an automated method for detecting reflected cross-site scripting (XSS) vulnerabilities in Android applications. The method identifies and classifies the components of an Android app, automatically enters test cases into input fields, clicks the buttons associated with those input fields, and monitors the resulting behaviour to determine whether the app has a potential reflected XSS vulnerability. Support for WebView is implemented through image processing. A prototype tool was built on this method. Experimental results show that the method can effectively detect reflected XSS vulnerabilities in Android apps and is highly practical.