Journal article

A behavior-based client-side defense method against XSS (一种基于行为的XSS客户端防范方法) (cited by: 15)

A behavior-based client defense scheme against XSS
Abstract: Cross-site scripting (XSS) vulnerabilities are among the greatest threats to Web security. Current XSS defenses mainly filter user input on the server side; this approach has a high false-negative rate and cannot protect Internet users in a timely way. Through an in-depth analysis of XSS attack behavior, in particular the propagation behavior of XSS worms, a new behavior-based client-side XSS defense scheme, StopXSS, is designed and implemented. Experiments, including a comparison with existing common client-side XSS defenses, show that it can defend against XSS attacks and even against 0-day XSS worms.

English abstract (as published): Recent popularity of Web 2.0 applications has given rise to a large number of Web vulnerabilities, and XSS vulnerability is among the top security threats. In recent years, the occurrence of XSS worms has worsened the situation of Web security. Existing XSS defense methods mainly depend on filtering users' inputs on the server side, which cannot protect in time the main victims of XSS attacks, the Internet users. In this paper we focus on the analysis of XSS behavior, especially the propagation behavior of XSS worms, and propose a new client-side XSS defense method, StopXSS. The testing experiments show that our method can defend against XSS attacks effectively and can be used to detect even 0-day XSS worms.
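The abstract singles out one behavior as the basis of the defense: an XSS worm running in a victim's page issues a state-changing request whose body carries a copy of the worm's own script, so that the next visitor is infected. The following block is an added illustration written for this page of how a client-side monitor can catch that behavior; it is not the StopXSS implementation, which is not reproduced here. The heuristic (flag POST/PUT/PATCH requests whose body reproduces a run of text from a script currently executing in the page), the 40-character threshold, the function names and the sample worm payload are all assumptions, and the request and script inputs are constructed so that the check runs offline in Node.

```javascript
// Added illustration for this page, not the StopXSS implementation (which is not
// reproduced here). It models one propagation behaviour the abstract singles out:
// an XSS worm executing in a victim's page issues a state-changing request whose
// body carries a copy of the worm's own script, so that the next visitor is
// infected. The threshold, function names and sample payload are assumptions.

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH"]);
// Minimum run of script text that must reappear in a request body to count as
// self-propagation. Assumed value; raise it to cut false positives on short scripts.
const MIN_OVERLAP = 40;

// Collapse whitespace so reformatting the payload does not evade the comparison.
function normalize(text) {
  return String(text).replace(/\s+/g, " ").trim();
}

// A worm usually has to encode itself to fit the target form; compare against the
// raw body and its form-decoded variant. Other encodings (JSON escaping, base64)
// would need their own decoders and are out of scope for this example.
function bodyVariants(body) {
  const raw = String(body || "");
  const variants = [raw];
  try {
    variants.push(decodeURIComponent(raw.replace(/\+/g, " ")));
  } catch (_) {
    // malformed percent-encoding: keep only the raw form
  }
  return variants.map(normalize);
}

// True when any window of `minLen` characters of `script` occurs inside `body`.
function sharesRun(body, script, minLen) {
  if (script.length < minLen) return false;
  for (let i = 0; i + minLen <= script.length; i++) {
    if (body.includes(script.slice(i, i + minLen))) return true;
  }
  return false;
}

// Decide whether an outgoing request looks like a script re-posting itself.
// `executingScripts`: text of the scripts running in the page (in a browser hook
// this would come from document.scripts; here it is passed in so the check runs
// offline). `request`: { method, url, body }.
function detectPropagation(executingScripts, request) {
  const method = String(request.method || "GET").toUpperCase();
  if (!STATE_CHANGING.has(method)) {
    return { flagged: false, reason: "not a state-changing request" };
  }
  const variants = bodyVariants(request.body);
  for (const script of executingScripts) {
    const s = normalize(script);
    if (variants.some((v) => sharesRun(v, s, MIN_OVERLAP))) {
      return {
        flagged: true,
        reason: `${method} ${request.url} body reproduces ${MIN_OVERLAP}+ chars of an executing script`,
      };
    }
  }
  return { flagged: false, reason: "request body carries no executing script text" };
}

// Constructed sample: a minimal self-replicating payload that posts its own source
// into a profile field (the classic profile-worm pattern), and a benign update.
const WORM_SCRIPT =
  'var x=new XMLHttpRequest();x.open("POST","/profile/update",true);' +
  'x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");' +
  'x.send("about="+encodeURIComponent("<script>"+document.scripts[0].text+"</script>"));';

const WORM_REQUEST = {
  method: "POST",
  url: "/profile/update",
  body: "about=" + encodeURIComponent("<script>" + WORM_SCRIPT + "</script>"),
};

const BENIGN_REQUEST = {
  method: "POST",
  url: "/profile/update",
  body: "about=Hello+world%2C+I+like+JavaScript",
};

for (const req of [WORM_REQUEST, BENIGN_REQUEST]) {
  const verdict = detectPropagation([WORM_SCRIPT], req);
  console.log(verdict.flagged ? "BLOCK" : "ALLOW", "-", verdict.reason);
}
```

In a browser the same check would sit in a hook around `XMLHttpRequest.prototype.send` and `window.fetch`, with `document.scripts` supplying the executing script text. The caveat a practitioner should keep in mind is that a worm which obfuscates itself per victim, or fetches its second stage from a remote host, carries no recognisable overlap between script and body; a payload-matching rule of this kind therefore needs to be combined with other behavioral signals rather than used alone.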
Source: Journal of the Graduate School of the Chinese Academy of Sciences (中国科学院研究生院学报), indexed in CAS, CSCD and the Peking University core journal list, 2011, No. 5, pp. 668-675 (8 pages)
Funding: National Natural Science Foundation of China (grants 60773135, 90718007, 60970140)
Keywords: Web security; JavaScript; cross-site scripting (XSS); XSS worm
Related literature

References (12)

  • 1 Wichers D. The top 10 most critical web application security risks [R]. The Open Web Application Security Project (OWASP), 2010.
  • 2 Kirda E, Vigna G, Jovanovic N. Noxes: a client-side solution for mitigating cross-site scripting attacks [C] // The 21st Annual ACM Symposium on Applied Computing. New York, USA: ACM, 2006: 330-337.
  • 3 Kirda E, Kruegel C, Vigna G. Client-side cross-site scripting protection [J]. Computers and Security, 2009, 28(7): 592-604.
  • 4 Livshits B, Cui W. Spectator: detection and containment of JavaScript worms [C] // USENIX 2008 Annual Technical Conference. Boston, USA: USENIX Association, 2008: 335-348.
  • 5 Sun F, Xu L, Su Z. Client-side detection of XSS worms by monitoring payload propagation [C] // Proceedings of the 14th European Conference on Research in Computer Security (ESORICS 2009). Saint-Malo, France: Springer, 2009: 539-554.
  • 6 Fogie S, Hansen R, Rager A, et al. XSS attacks: cross site scripting exploits and defense [M]. New York: Syngress Media, 2007.
  • 7 Garcia J, Navarro G. A survey on cross-site scripting attacks [P/OL]. arXiv: abs/0905.4850. (2009-05-29) [2010-10-12]. http://arxiv.org/pdf/0905.4850v1.
  • 8 Faghani M, Saidi H. Social networks' XSS worms [C] // International Conference on Computational Science and Engineering. Vancouver, Canada: IEEE Computer Society, 2009: 1137-1141.
  • 9 Dabirsiaghi A. Building and stopping next generation XSS worms [C] // 3rd International OWASP Symposium on Web Application Security. Ghent, Belgium, 2008.
  • 10 Network Working Group. HTTP methods: RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1 [S/OL]. [2010-10-12]. http://www.w3.org/Protocols/rfc2616/rfc2616.html.

Co-cited literature (88)

  • 1 Gu Kaiyuan, Zhou Anmin. Principles and prevention of cross-site scripting attacks (跨站脚本攻击原理与防范) [J]. Network Security Technology & Application (网络安全技术与应用), 2005(12): 19-21. Cited by: 15
  • 2 Gao Neng, Feng Dengguo, Xiang Ji. A data-mining-based denial-of-service attack detection technique (一种基于数据挖掘的拒绝服务攻击检测技术) [J]. Chinese Journal of Computers (计算机学报), 2006, 29(6): 944-951. Cited by: 44
  • 3 Xu Tao. Principles and prevention of IPv4-based DNS attacks (基于IPv4的DNS攻击原理与防预) [J]. China Science and Technology Information (中国科技信息), 2007(15): 125-126. Cited by: 1
  • 4 Hao Yongqing. Core analysis of hacker Web script attack and defense techniques (黑客Web脚本攻击与防御技术核心剖析) [M]. Beijing: Science Press (科学出版社), 2010: 78-81.
  • 5 Hope P, Walther B. Web security testing (Web安全测试) [M]. Translated by Fu Xin et al. Beijing: Tsinghua University Press (清华大学出版社), 2010.
  • 6 OWASP. Category: OWASP Top Ten Project [EB/OL]. [2012-01-18]. http://owasp.com/index.php/Category:OWASP_Top_Ten_Project.
  • 7 Qiu Yongjie, Jiang Jianguo. Research on cross-site scripting attack and defense techniques (跨站脚本攻击与防御技术研究) [D]. Beijing: Beijing Jiaotong University (北京交通大学), 2010.
  • 8 OWASP. Cross-site Scripting (XSS) [EB/OL]. [2011-11-17]. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
  • 9 OWASP. DOM Based XSS [EB/OL]. [2011-11-17]. http://www.owasp.com/index.php/DOM_Based_XSS.
  • 10 Luo Hao, Wei Zukuan. Research and implementation of an enterprise search engine based on CLucene and Larbin (基于CLucene和Larbin的企业搜索引擎的研究与实现) [D]. Chengdu: University of Electronic Science and Technology of China (电子科技大学), 2010.

Citing literature (15)

Second-level citing literature (59)
