摘要
跨站脚本(cross-site scripting,XSS)是一种常见的针对Web应用程序安全漏洞的攻击.恶意用户利用漏洞将恶意脚本注入网页之中,当用户浏览该网页时,便会触发脚本,导致攻击行为发生.由于HTML编码方案的高度灵活性,攻击者可通过多种方法绕过输入验证过滤器,导致XSS难以被发现和预防.为了有效减少XSS造成的危害损失,依照XSS的分类,对反射型XSS、存储型XSS和基于DOM的XSS特征及原理进行了细致的分析和对比,并对数量庞大、形态各异的XSS攻击向量进行归纳和梳理,通过举例对C∞kie窃取、会话劫持、钓鱼欺骗等XSS常见利用方式进行说明,并对常用的XSS防御手段进行整理,最后对静态分析、动态分析、机器学习等主流的XSS漏洞自动化检测方法进行总结.
XSS(cross-site scripting) is a type of computer security vulnerability typically found in Web applications.Attackers usually inject malicious scripts into Web pages viewed by other users,and expect the script to be executed.Because of the high flexibility of HTML encoding schemes offering the attacker many possibilities for circumventing input filters,XSS attacks are difficult to detect and prevent.In order to make effective prevention for XSS vulnerabilities,firstly we carefully analyzed and compared the characteristics and principles of Reflected XSS,Stored XSS and DOM-based XSS,then combed the large number of XSS attack vectors with different shapes,and illustrated the common use of XSS vulnerabilities,such as cookie stealing,session hijacking and phishing.Finally,we sorted out the basic means of defense XSS,and summarized the main methods of automatic XSS vulnerability detection including static analysis,dynamic analysis and machine learning.
出处
《信息安全研究》
2016年第12期1068-1079,共12页
Journal of Information Security Research
基金
澳门科技发展基金项目(097/2013/A3)
轨道交通控制与安全国家重点实验室(北京交通大学)开放课题基金项目(RCS2016K007)
关键词
WEB安全
跨站脚本
攻击向量
漏洞利用
漏洞检测方法
Web security
XSS(cross-site scripting)
attack vectors
exploit
vulnerability detection methods
