Spider-Scents v2: Enhancing Gray-Box Scanning for Stored XSS Vulnerability Discovery
Type
Master's thesis (Examensarbete för masterexamen)
Abstract
Stored XSS vulnerabilities pose significant security risks in modern web applications, yet detecting them remains challenging because of their complex data propagation paths and the limitations of traditional scanning tools. Spider-Scents addresses these challenges with a gray-box, database-aware approach that injects payloads directly into backend storage, bypassing the difficulties of conventional input-based fuzzing. Building on this foundation, we present Spider-Scents v2, a substantial enhancement of the original Spider-Scents prototype. Spider-Scents v2 introduces two key advancements: a refined table traversal strategy that models the database schema as a directed graph and uses BFS and DFS to systematically explore injection paths; and a format-aware payload customization module tailored to JSON-structured data, which is increasingly common in modern applications. To evaluate the practical impact of these enhancements, we conduct a series of experiments assessing the performance of Spider-Scents v2 on both the original PHP-based applications and a broader set of non-PHP applications. Furthermore, we investigate how the Spider-Scents database synthesis algorithm can serve as a preparatory module that augments the vulnerability detection capabilities of other black-box scanners, including Black Widow, Burp Suite, ZAP, and SCNR. Our results demonstrate that Spider-Scents v2 offers measurable improvements in stored XSS detection, achieving better coverage and uncovering new vulnerabilities that were previously undetected. Additionally, integrating the Spider-Scents data synthesis algorithm enhances the effectiveness of third-party scanners, highlighting its potential as a complementary tool for web security assessments.
Subject/keywords
Stored XSS, gray-box scanning, database synthesis, Spider-Scents v2, graph traversal, vulnerability detection, security testing, web application scanner
