Abstract
To address the drop in detection efficiency that occurs when the false negative (missed detection) rate is lowered in dynamic XSS vulnerability detection, a new XSS vulnerability detection model is proposed. The model consists of five parts: payload unit generation, bypass rule selection, probe payload testing, payload unit combination testing, and payload unit individual testing. Attack payloads are split into units of different categories according to the position and functional type of each unit, and rules for combining the units into complete attack payloads are formulated. A probe payload is used to judge whether a test point may contain a vulnerability; combinations of payload units and bypass rules are then submitted to the test point in combination tests and individual tests, and a targeted complete attack payload is generated from the test results. Experimental results show that the model completes the testing of a larger number of attack payloads with fewer test requests, effectively lowering the false negative rate while maintaining high detection efficiency.
Aiming at the problem of the missed detection (false negative) rate and low detection efficiency in XSS dynamic detection methods, a new XSS vulnerability detection model is proposed. The model is divided into five parts: payload unit generation, bypass rule selection, probe payload test, payload unit combination test and payload unit separate test. According to the location and function type of each payload unit, the attack payload is cut into different types of units, and the rules for combining them into complete attack payloads are formulated. The probe payload is used to determine whether there are any vulnerabilities to be detected; the model then puts the payload units and the bypass rules into the detection point with combination tests and separate tests, and generates attack payloads based on the test results. Experimental results show that this model uses fewer test requests to complete the testing of more attack payloads, and maintains high detection efficiency while effectively reducing the missed detection rate.
Authors
谷家腾
辛阳
GU Jiateng; XIN Yang (College of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; Key Lab of Public Big Data of Guizhou Province, Guizhou University, Guiyang 550025, China)
Source
Computer Engineering (计算机工程)
CAS
CSCD
Peking University Core Journal
2018, Issue 10, pp. 34-41 (8 pages)
Funding
Guizhou Province Major Science and Technology Special Project (20183001)
Open Project Fund of the Key Lab of Public Big Data of Guizhou Province (2017BDKFJJ015)
Keywords
vulnerability detection
XSS attack
dynamic analysis
black box test
Web security