期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

存储型XSS攻击向量自动化生成技术 被引量:7

Automatic generation of attack vectors for stored-XSS
下载PDF
导出
摘要 针对危害性最为严重的存储型XSS漏洞的特点及其触发方式,设计并实现了一款自动生成存储型XSS攻击向量的工具.使用该工具对中国2个大型视频分享网站的日志发布系统进行测试,发现6类导致存储型XSS漏洞的攻击向量.实验结果验证了该方法及测试工具的有效性,并说明中国视频网站仍存在着较大安全隐患. The stored-XSS(cross-site scripting) is generally more serious than the other modalities of XSS.We study the characteristics and trigger mechanism of stored-XSS,propose an generation method of attack vectors for stored-XSS,and accomplish a tool which can generate the attack vectors automatically.After we used this tool in testing the blog systems of two popular video-sharing sites in China,we found 6 types of attcak vectors which can trigger stored-XSS.The results of the testing experiments show the effectiveness of our method and also show the potential security risk in the video-sharing sites.
作者 陈景峰 王一丁 张玉清 刘奇旭
机构地区 北方工业大学信息工程学院 中国科学院研究生院国家计算机网络入侵防范中心
出处 《中国科学院研究生院学报》 CAS CSCD 北大核心 2012年第6期815-820,共6页 Journal of the Graduate School of the Chinese Academy of Sciences
基金 国家自然科学基金(60970140)资助
关键词 存储型XSS 攻击向量 WEB安全 漏洞挖掘 stored-XSS attack vector Web security vulnerability discovery
分类号 TP393 [自动化与计算机技术—计算机应用技术]
  • 相关文献

参考文献10

  • 1新浪微博XSS攻击事件分析[EB/OL](2011-08-30)[2011-09-22].http://netsecurity.51cto.com/art/201108/287982.htm.
  • 2Galtm E, Alcaide A, Orfila A, et al. A Secured Transactions (ICITST). London, Kieyzun A, Guo P J, Jayaraman K, et al Vancouver. Canada, 2009:199-209.
  • 3multi-agent scanner to detect stored-XSS vulnerabilities [ C ] //IEEE lnternet Technology and Ernst automatic creation of SQL injection and cross-site scripting attacks [ C ]//IEEE ICSE,2010: 1-6.
  • 4陈建青,张玉清.Web跨站脚本漏洞检测工具的设计与实现[J].计算机工程,2010,36(6):152-154. 被引量:18
  • 5XSS (cross site scripting) cheat sheet[ DB/OL]. [2011-09-02]. http://ha, ckers, org/xss, html.
  • 6Tang Z S, Zhu H J, Cao Z F, et al. L-WMxD: lexical based Webmail XSS discoverer[ C]//IEEE Computer Communications Workshops INFOCOM WKSHPS). Shanghai, 2011:976-981.
  • 7Gebre MT, Lhee K, Hong M. A robust defense against content-sniffing XSS attacks [ C ] //IEEE Multimedia Technology and its Applications (IDC). Barcelona, 2010:315-320.
  • 8HTMIA.0事件属性[EB/OL].[2011-09-20].http://www.w3sch001.con.cn/html/html-eventattributes.asp.
  • 9Stuttard D, Pinto M. The web application Hacker's handbook: discovering and exploiting security flaws[ M ]. America: Wiley Publishing Inc, 2008:406-410.
  • 10Sutton M, Greene A, Amini P. Fuzzing brute force vulnerability discover[M]. America: Pearson Education lne, 2007:140-144.

二级参考文献5

  • 1National Vulnerability Database(NVD)[Z]. [2009-04-16]. http://nvd.nist.gov/home.cfm.
  • 2Paros[Z]. [2009-04-16]. http://www.parosproxy.org/index.shtml.
  • 3XSS-Me[Z]. [2009-04-16]. http://www.securitycompass.com/exploite.tml.
  • 4Auronen L. Tool-based Approach to Assessing Web Application Security[D]. Helsinki, Finland: Helsinki University of Technology, 2002.
  • 5Klein A. DOM Based Cross Site Scripting or XSS of the Third Kind[EB/OL]. (2005-07-04). http://www.webappsec.org/projects/ articles/071105.html.

共引文献17

同被引文献46

  • 1Wichers D. The top 10 most critical web application security risk [R]. Belgium: The Open Web Application Security Project (OWASP), 2010.
  • 2Faghani M, Saidi H. Social networks' XSS worms [C] //International Conference on Computational science and Engieering Vancouver, Canada: IEEE Computer Society, 2009: 1137-1141.
  • 3Vogt P. Cross site scripting (XSS) attack prevention with dynamic data tainting on the client side [D]. Vienna: Technical University of Vienna, 2006.
  • 4Fogie S, Hansen R, Rager A, et al. XSS attacks: Cross site scripting exploits and defense [M]. New York: Syngress Media, 2007.
  • 5Sun F, Xu L, Su Z. Client-side detection of XSS worms by mo- nitoring payload propagation [C]// Proceeding of the 14th European Conference on Research in Computer Security. Saint-Malo, France: ACM, 2009: 539-554.
  • 6Joanne K, Colin P H. Flash vulnerabilities analysis of US educational websites [J]. International Journal of Electronic Security and Digital Forensics, 2010, 3(2): 95-107.
  • 7Amit Y. Cross-site scripting through Flash in gmail based services [EB/OL]. (2012-03-22) [2013-12-10]. http://blog. watchfire, com/wfblog/2010/03/cross-site-scripting-through- flash-in-gmail- based-services, html.
  • 8Ruiz-Martinez A. A survey on solutions and main free tools for privacy enhancing Web communications [J]. Journal of Network and Computer Applications, 2012, 35 (5) : 1473- 1492.
  • 9OWASP. Top ten project [EB/OL]. (2013-12-03) [2013-12- 10]. https://www, owasp, org/index, php/Category: OWASP_ Top_Ten_Project.
  • 10Engin K, Christopher K, Giovanni V, et al. Noxes: A client-side solution for mitigating cross-site scripting attacks [C] //Proc of the 2006 ACM Symp on Applied Computing. New York: ACM, 2006:330-337.

引证文献7

二级引证文献28

中国科学院研究生院学报
2012年 第6期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部