A Multi-view Learning Framework for Obfuscation-Resilient XSS Detection
摘要
XSS is still everywhere and hard to pin down, thanks to layered encodings, hidden control characters, and keywords chopped into pieces. Signature and regex matching tends to miss polymorphic attacks, while many DL approaches can’t see both the small details and the long-distance links at the same time. We unveil XSS-Shield, an all-in-one detection framework combining multi-view canonicalization and dual-branch neural networks, together with a public dataset of obfuscated XSS. Our release builds on PayloadAllTheThings, appending systematically created variants together with a curated set of benign payloads. During preprocessing, we step through successive decodings to create multiple canonical views of a payload and compute hand-built obfuscation features. Our study compares a character-level CNN focused on n-grams with a heads-only Transformer encoder aimed at broad, long-range context. Both architectures handle multi-class obfuscation typing, with a second head that gives a simple benign/malicious verdict. Evaluated on our data, CharCNN delivered 0.9958 macro-F1 and the Transformer 0.9905, supporting the case for lightweight models when paired with domain-aware preprocessing. We also introduce a task-specific XAI toolkit that learns execution and hidden patterns, suggesting which characters/tokens are mostly affect output label. We’re publishing the dataset, code, and trained models so others can reproduce our results and use them in IPS and WAFs.