Abstract
Cross-site scripting (XSS) vulnerabilities have ranked third among the top 10 web security vulnerabilities in recent years, posing a serious threat to Internet security. Currently, most detection schemes cannot cover all XSS types: reflected XSS, stored XSS, and XSS based on the document object model (DOM). To improve detection accuracy, and building on previous research, the authors design an XSS vulnerability detection scheme that combines black-box testing with dynamic taint analysis and optimizes the selection strategy for XSS attack vectors. The strategy first screens XSS attack vector templates; during detection it generates different XSS attack vectors in real time for the different injection points, and applies anti-filtering transformations according to the results of testing against a filter rule set. Comparison experiments show that the scheme improves XSS vulnerability detection capability and that its detection time overhead is small.
Authors
ZHAO Yue-hua (赵跃华); WU Dong-yao (吴东耀)
School of Computer Science & Communication Engineering, Jiangsu University, Zhenjiang 212013, China
Source
Software Guide (《软件导刊》), 2019, No. 3, pp. 162-167 (6 pages)
Keywords
cross-site scripting vulnerabilities
vulnerability detection
black-box testing
dynamic taint analysis