摘要
为了应对利用web应用漏洞发起的XSS攻击,提出建立web前端白名单的恶意代码检测技术。在客户端接收服务端发送的非渲染文件数据后,通过web前端搭建的一个基于DOM树的防御平台,对这个非渲染文件做过滤处理,将处理过的文件碎片在浏览器上渲染,导致XSS恶意代码无法执行。技术采用Javascript语言编写,可适用于当前各大主流浏览器。实验结果与分析表明,该系统可成功过滤掉输入代码中的恶意代码,并且保留代码中的非恶意部分,提高了阻止XSS攻击的有效性。
Aiming at XSS vulnerabilities in web application attacks, malicious code detection and filtering technology based on JavaScript is proposed, with focus mainly on the white list filtering of the web Front- end. After receiving the non-rendering file data sent from server by the client, and via the setting-up of a web front-end based on DOM tree defense platform, filtering treatment is done on the non-rendering file, the processed file fragments are rendered in the browser, resulting in non-execution of XSS malicious code. The technology written in Javascript language is applicable to the current major browsers. Experimental results and analysis incidate that the system can successfully filter out the malicious part in the input code, and retain the non-malicious part of the code, thus to improve the effectiveness for prevention of XSS attacks.
出处
《通信技术》
2017年第3期539-544,共6页
Communications Technology
