期刊文献+

基于动态测试的XSS漏洞检测方法研究 被引量:7

RESEARCH ON CROSS-SITE SCRIPTING VULNERABILITY DETECTION METHOD BASED ON DYNAMIC TESTING
下载PDF
导出
摘要 XSS(Cross-site Scripting)漏洞是Web应用程序最严重的漏洞之一。针对现有动态检测方法在检测效率方面的不足,提出一种高效率的检测方法。在用攻击向量来测试之前,先提交合法向量来测试,排除肯定不存在XSS漏洞的页面以及收集输入点、输出点、输出点类型的信息。在用攻击向量测试的过程中,只需要根据输出点类型来提交相应的攻击向量作进一步测试,避免遍历所有的攻击向量。另外,只需要到对应的输出点页面寻找特定的数据,可以有效避免遍历所有的页面。实验证明,该方法在提高效率方面很有效。 Cross-site scripting( XSS) vulnerability is one the top web application vulnerabilities. In the paper,we analyse the inadequacy of existing dynamic analysis methods in detecting XSS vulnerability and propose a high-efficiency detection method. Before using attack vectors to test,we first submit legal vectors for testing in order to exclude the pages definitely without XSS vulnerabilities and to collect the information about input points,output points and the types of output points. In the process of testing with attack vectors,it just needs to submit the correlated attack vectors according to output point type for further testing,and avoids traversing all the attack vectors. In addition,by looking for the specific data in corresponding page of output points only,it is able to effectively avoid traversing all the pages. Experiment proves that the proposed method is very effective in improving the efficiency of XSS vulnerability detection.
出处 《计算机应用与软件》 CSCD 2015年第8期272-275,共4页 Computer Applications and Software
基金 国家自然科学基金项目(61202478 61303263) 中央高校基本科研业务费项目(2013QNA26)
关键词 XSS漏洞 动态检测 合法向量 攻击向量 XSS vulnerability Dynamic testing Legal vectors Attack vectors
  • 相关文献

参考文献12

  • 1OWASP. Category : OWASP TopTen Project[ EB/OL] . https;//www.owasp. org/index. php/Category : OWASP _ Top _ Ten _ Project 2013 ,6,12.
  • 2Ceponis J, Ceponiene L, Venckauskas A, et al. Evaluation of OpenSource Server-Side XSS Protection Solutions [ M ]//Information andSoftware Technologies. Springer Berlin Heidelberg,2013 :345 -356.
  • 3Shar L K,Tan H B K. Automated removal of cross site scripting vulner-abilities in web applications[ J]. Information and Software Technology,2012,54(5) :467~478.
  • 4Fonseca J, Matarese F. Using Vulnerability Injection to Improve WebSecurityf M]//Innovative Technologies for Dependable OTS-Based.
  • 5Critical Systems[ M]. Springer Milan,2013:145 _ 157.
  • 6Kals S,Kirda E,Kruegel C,et al. Secubat. a web vulnerability scanner[C ] //Proceedings of the 15th international conference on World WideWeb. ACM ,2006:247 -256.
  • 7沈寿忠,张玉清.基于爬虫的XSS漏洞检测工具设计与实现[J].计算机工程,2009,35(21):151-154. 被引量:28
  • 8王强,蔡皖东,姚烨.基于渗透测试的跨站脚本漏洞检测方法研究[J].计算机技术与发展,2013,23(3):147-151. 被引量:5
  • 9李冰,赵逢禹.Stored-XSS漏洞检测的研究与设计[J].计算机应用与软件,2013,30(3):17-21. 被引量:7
  • 10Ceponis J, Ceponiene L, Venckauskas A,et al. Evaluation of OpenSource Server-Side XSS Protection Solutions [ M ]//Information andSoftware Technologies. Springer Berlin Heidelberg ,2013 :345 ~ 356.

二级参考文献29

  • 1Chinotec Technologies Company. Paros--for Web Application Security Assessment[EB/OL]. (2008-08-15). http://www, parosproxy. org/index,shtml.
  • 2OWASE OWASP Testing Project[EB/OL]. (2008-08-10). http:// www.owasp.org/.
  • 3Klein A. DOM Based Cross Site Scripting or XSS of the Third Kind[EB/OL]. (2008-07-28). http://www, Webappsec.org/projeets/ articles/071105.html,.
  • 4Fortify Software Inc.. Cross-site Scripting(XSS)[EB/OL]. (2008-04- 07). http://www.owasp.org/index.php/Cross-site Scripting_(XSS).
  • 5Ismail O, Etoh M, Kadobayashi Y. A Proposal and Implementation of Automatic Detection/Collection System for Cross-site Scripting Vulnerability[C]//Proc. of the 18th International Conference on Advanced Information Networking and Applications. Washington D C., USA: IEEE Computer Society. 2004.
  • 6郝永清.黑客Web脚本攻击与防御技术核心剖析[M].北京:科学出版社,2010:78-81.
  • 7HOPE P, WALTBER B. Web安全测试[M].傅鑫,等译.北京:清华大学出版社,2010.
  • 8OWASP. Category : OWASP Top Ten Project[ EB/OL]. [ 2012 -01 - 18 ]. http ://owasp. corn/index, php/Category: OWASP_ Top_Ten_Project.
  • 9邱永杰,姜建国.跨站脚本攻击与防御技术研究[D].北京:北京交通大学,2010.
  • 10OWASP. Cross-site Scripting (XSS) [ EB/OL ]. [ 2011 - 11 - 17 ]. https://www, owasp, org/index, php/Cross-site Scrip- ting_(XSS).

共引文献37

同被引文献51

引证文献7

二级引证文献32

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部