摘要
跨站脚本XSS(Cross Site Scripting)漏洞,已对大多数网站产生严重威胁。其中存储型XSS漏洞对用户及网站的损害尤为巨大。事先使用漏洞扫描工具对该漏洞进行检测并修补,可以有效预防和减轻该漏洞被利用后导致的一系列危害。分析存储型XSS漏洞的攻击原理,提出用巴科斯范式(BNF)自动生成初始攻击向量,对初始攻击向量进行变异处理。使用辅助标记自动检测存储型XSS漏洞的动态检测方法,设计并实现存储型XSS漏洞检测系统。在现实Web应用中测试评估了该系统,实验证明它能有效检测出应用中存在的存储型XSS漏洞。
Cross site scripting (XSS) vulnerabilities have been the serious threat to most websites, amongst them the stored-XSS vulnerability is particularly a great damage to users and websites. Using a vulnerability scanning tool to detect and repair the vulnerability beforehand can effectively prevent and mitigate the series damages when the vulnerabilities are made use of. We analysed the attack principle of the stored-XSS, and proposed the dynamic detection method which uses Backus-Naur Form (BNF) to generate initial attack vectors for carrying out the variation treatment on them, and uses auxiliary marker to detect stored-XSS vulnerability automatically. Furthermore, we designed and implemented the stored-XSS vulnerability detection system, and tested and evaluated it in real Web applications. Experiment proved that it can effectively detect the presence of stored-XSS vulnerability in applications.
出处
《计算机应用与软件》
CSCD
2016年第1期24-27,37,共5页
Computer Applications and Software
基金
国家自然科学基金项目(91118003
61272106
61340039)
关键词
存储型XSS
动态检测
漏洞扫描
攻击向量
Stored-XSS Dynamic detection Vulnerability scanning Attack vector