Abstract
Web technology is developing rapidly, and related security problems keep emerging. Among them, XSS attacks pose a serious risk to privacy because they are hard to notice. Domestic research on XSS vulnerability detection is currently limited, and problems remain, such as the low accuracy of automated XSS vulnerability detection. This paper therefore proposes a crawler-based detection scheme. It simulates user behavior to discover hidden web pages and analyzes page structure so that page injection points are extracted more completely. Because the output of a stored XSS vulnerability does not necessarily appear in the response page during detection, a probe vector testing method is proposed to match each injection point on a page with its output point. In addition, based on a summary of existing XSS attack techniques and mutation methods, an XSS vulnerability detection tool named XSS-finder is designed and implemented. Experimental results show that the tool's accuracy reaches 82%, higher than that of comparable tools.
Authors
HAN Yanyan (韩妍妍); HE Yanru (何彦茹); LIU Peihe (刘培鹤); REN Hui (任慧); ZHANG Jinsheng (张锦圣)
Affiliations: Beijing Electronic Science and Technology Institute, Beijing 100070, P.R. China; Xidian University, Xi'an 710071, Shaanxi, P.R. China
Source
Journal of Beijing Electronic Science and Technology Institute (《北京电子科技学院学报》)
2019, Issue 1, pp. 7-16 (10 pages)
Funding
Fundamental Research Funds for the Central Universities, No. 328201801.