Journal article

Study and Design of Stored-XSS Vulnerability Detection
Cited by: 7
Abstract: Cross-site scripting (XSS) vulnerabilities have become a Web security problem shared by most websites, and effective prevention and detection of XSS vulnerabilities helps improve Web security. This paper analyses the attack principle of XSS vulnerabilities, points out the inadequacy of existing dynamic analysis methods in detecting stored-XSS vulnerabilities, and proposes an effective dynamic detection method for stored-XSS vulnerabilities. A dynamic detection model for stored-XSS vulnerabilities is designed and implemented, and the model is tested and evaluated in a practical scenario. Experiments show that the proposed method can detect stored-XSS vulnerabilities effectively.
Authors: 李冰, 赵逢禹
Source: 《计算机应用与软件》 (Computer Applications and Software), CSCD, PKU core journal, 2013, No. 3, pp. 17-21 (5 pages)
Funding: Joint project of the National Natural Science Foundation of China and the Civil Aviation Administration of China (60979011)
Keywords: XSS vulnerability; Web security; Stored-XSS vulnerability; Dynamic analysis (dynamic detection)