摘要
为解决Web网站跨站脚本攻击(XSS)问题,通过对XSS漏洞特征及过滤方式的分析,提出了通过反过滤规则集转换XSS代码并用自动爬虫程序实现漏洞代码的自动注入和可用性检验的XSS漏洞挖掘技术,依此方法可以获取XSS漏洞代码的转换形式及漏洞的注入入口,以实现对Web跨站漏洞深度挖掘.提出的XSS漏洞挖掘技术在邮箱XSS漏洞挖掘及Web网站XSS漏洞检测方面的实际应用验证了该技术的有效性.
To guard against the WEB site's cross-site scripting(XSS) attacks,the characteristics and filtering mode of XSS vulnerabilities were analyzed.A technical scheme for XSS vulnerabilities discovery was presented.First,an anti-filter rules set was used to convert the XSS code and then an automatic crawler program was employed to inject the XSS code and test it's usability.Finally,the effective XSS code and the point of the injected code could be acquired.The presented method has been successfully used to discover the XSS vulnerabilities of web-email and web site.
出处
《北京理工大学学报》
EI
CAS
CSCD
北大核心
2012年第4期395-401,共7页
Transactions of Beijing Institute of Technology
基金
国家自然科学基金资助项目(60873008)
关键词
跨站
XSS反过滤
XSS漏洞挖掘
自动爬虫
cross-site
anti-XSS rules set
XSS vulnerabilities discovery technique
automatic crawler