摘要
跨站脚本攻击给Web应用带来严重的威胁,在应用发布之前,对其进行检测能够有效地降低漏洞风险。针对现有跨站脚本在动态检测中存在漏报误报的问题,提出一种动态检测方法。基于攻击向量基本侯选元素库和初始攻击向量种子库,在检测过程中自动生成符合输出点类型的有效攻击向量,根据当前时刻的检测结果,自适应调整攻击向量优先级,待所有注入点攻击完毕,重新二次遍历整个站点检验待发现的漏洞。实验结果表明,与APPScan、WVS相比,该方法能发现更多漏洞。
Cross-site Scripting( XSS) attacks pose serious threats to web applications. Before the application is released,detecting them can effectively reduce the risk of vulnerabilities. Aiming at the problems in the current detection of cross-site scripting,such as missed reports and false alarms,a dynamic detection method is proposed. Based on the basic candidate element library of attack vectors and the initial attack vector seed library,an effective attack vector conforming to the output point type is automatically generated during the detection process. According to the detection result at the current moment,the priority of the attack vector is adaptively adjusted,and all the injection point attacks are performed,after finishing,it traverses the entire site twice to check the vulnerabilities to be discovered. Experimental results show that compared with APPScan、WVS,this method can find more vulnerabilities.
作者
马富天
钱雪忠
宋威
MA Futian ,QIAN Xuezhong,SONG Wei(Engineering Research Center of Internet of Things Technology Applications Ministry of Education, School of Intermet of Things Engineering, Jiangnan University,Wuxi,Jiangsu 214122 ,Chin)
出处
《计算机工程》
CAS
CSCD
北大核心
2018年第8期167-173,共7页
Computer Engineering
基金
国家自然科学基金(61673193)
中央高校基本科研业务费专项资金(JUSRP51510
JUSRP51635B)
关键词
跨站脚本
动态检测
静态分析
攻击向量
合法向量
Cross-site Scripting ( XSS )
dynamic detection
static analysis
attack vector
legal vector
