
Web应用存储型XSS漏洞检测方法及实现 (Cited by: 10)

DETECTION METHOD FOR STORED-XSS VULNERABILITY IN WEB APPLICATIONS AND ITS IMPLEMENTATION
Abstract: Cross-site scripting (XSS) vulnerabilities are a serious threat to most websites, and stored XSS is the variant that does the greatest damage to users and to the sites themselves. Detecting and patching such vulnerabilities in advance with a vulnerability scanner effectively prevents or mitigates the chain of harm that follows exploitation. This paper analyses the attack principle of stored XSS and proposes a dynamic detection method that generates initial attack vectors automatically from a Backus-Naur Form (BNF) grammar, mutates those vectors, and uses auxiliary markers to detect stored XSS automatically. A stored-XSS detection system is designed and implemented on this basis and evaluated on real-world web applications; the experiments show that it effectively detects the stored-XSS vulnerabilities present in those applications.
Authors: Li Wei (李威), Li Xiaohong (李晓红)
Source: Computer Applications and Software (《计算机应用与软件》), CSCD, 2016, No. 1, pp. 24-27, 37 (5 pages)
Funding: National Natural Science Foundation of China (91118003, 61272106, 61340039)
Keywords: stored XSS; dynamic detection; vulnerability scanning; attack vector (存储型XSS 动态检测 漏洞扫描 攻击向量)

References (12 in total; 10 listed)

  • 1. OWASP. Top 10 - 2013 [EB/OL]. https://www.owasp.org/index.php/Top_10_2013-Top_10.
  • 2. Jovanovic N, Kruegel C, Kirda E. Pixy: A static analysis tool for detecting Web application vulnerabilities [C] // 2006 IEEE Symposium on Security and Privacy, 2006: 6.
  • 3. Xie Y, Aiken A. Static Detection of Security Vulnerabilities in Scripting Languages [C] // Proc. 15th USENIX Security Symposium (USENIX Security 06), USENIX, 2006: 179-192.
  • 4. Lam M S, Martin M, Livshits B, et al. Securing Web Applications with Static and Dynamic Information Flow Tracking [C] // Proc. 2008 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation (PEPM 08), ACM, 2008: 3-12.
  • 5. Wassermann G, Su Z. Static Detection of Cross-Site Scripting Vulnerabilities [C] // Proc. 30th Int'l Conf. Software Eng. (ICSE 08), ACM, 2008: 171-180.
  • 6. Kieyzun A, Jayaraman K, Ernst M D, et al. Automatic Creation of SQL Injection and Cross-Site Scripting Attacks [C] // Proc. 31st Int'l Conf. Software Eng. (ICSE 09), IEEE CS, 2009: 199-209.
  • 7. Pan Gubing (潘古兵), Zhou Yanhui (周彦晖). XSS vulnerability discovery based on static analysis and dynamic detection (基于静态分析和动态检测的XSS漏洞发现) [J]. Computer Science (计算机科学), 2012, 39(B06): 51-53. Cited by: 12.
  • 8. Shahriar H, Zulkernine M. S2XS2: A Server Side Approach to Automatically Detect XSS Attacks [C] // Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing, Sydney, NSW, 2011: 7-14.
  • 9. Wang Xiali (王夏莉), Zhang Yuqing (张玉清). A behavior-based client-side approach to XSS prevention (一种基于行为的XSS客户端防范方法) [J]. Journal of the Graduate School of the Chinese Academy of Sciences (中国科学院研究生院学报), 2011, 28(5): 668-675. Cited by: 15.
  • 10. Bloom Filter [EB/OL]. http://en.wikipedia.org/wiki/Bloom_filter.

