AUTOMATED XSS VULNERABILITY DETECTION IN WEB APPLICATIONS BASED ON A MULTI-AGENT APPROACH
DOI: https://doi.org/10.32782/2786-9024/v3i4(36).324435

Keywords: multi-agent systems, penetration testing, XSS vulnerabilities, automated detection, web security

Abstract
With the development of information technologies and the increasing volume of sensitive data processed on the Internet, web applications have become a crucial part of modern business processes. This growth, however, is accompanied by a rising number of cyber threats, which poses the challenge for organizations of ensuring the security of their web resources. One of the primary methods of protection is penetration testing, which identifies vulnerabilities by simulating real attacks. This article explores the use of multi-agent systems (MAS) for automating the penetration testing process, specifically for detecting XSS vulnerabilities. Penetration testing is a vital step in ensuring the security of web applications and encompasses several stages: initial analysis, vulnerability identification, exploitation of vulnerabilities, and evaluation of the consequences of an attack. Common vulnerabilities such as XSS are key targets in penetration testing because they can be easily exploited to compromise a system. However, traditional penetration testing methods often have a limited ability to adapt quickly to new attacks, which makes them less effective.
Copyright (c) 2025 Владислав Сергійович Кравчук, Наталія Олександрівна Маслова, Ярослав Юрійович Дорогий

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.