面向规则缺陷的浏览器XSS过滤器测试方法

doi:10.11959/j.issn.2096-109x.2018093

摘要/Abstract

摘要：

为了缓解跨站脚本（XSS，cross-site scripting）攻击，现代浏览器使用XSS过滤器进行防御，现有方法很难有效对浏览器XSS过滤器的安全性进行测试与评估。规则缺陷是浏览器XSS过滤器实现过程中的缺陷和安全问题。面向浏览器XSS过滤器规则缺陷，给出其形式化定义，设计测试样例和场景生成算法。为了定量测试与评估不同浏览器XSS过滤器的过滤水平，结合过滤成功率、误报率、输入损耗计算过滤能力。基于所提方法，设计原型系统对几种主流浏览器XSS过滤器进行自动化测试，得到了不同浏览器的XSS过滤能力。经过实际测试，该系统具备发现未公开漏洞的能力。

关键词: 跨站脚本攻击, 浏览器XSS过滤器, 规则缺陷, 过滤能力

Abstract:

In order to alleviate XSS (cross-site scripting) attacks,modern browsers use XSS filters for defense.It is difficult to effectively test and evaluate the security of browser XSS filters.The rule-defect is the defect and security problem in the implementation process of browser XSS filter.The formal definition,design test sample and scene generation algorithm were presented for browser XSS filter rule-defects.In order to quantitatively test and evaluate the filtering level of different browser XSS filters,combined with filtering success rate,false positive rate,input loss calculation filtering ability.Based on the proposed method,the prototype system is designed to automate the testing of several mainstream browser XSS filters,and the XSS filtering capabilities of different browsers are obtained.Further,after actual testing,the system also has the ability to discover undisclosed vulnerabilities.

Key words: cross-site scripting attack, browser XSS filter, rule-defect, filtering capabilitiy

中图分类号:

TP309

桂智杰,舒辉. 面向规则缺陷的浏览器XSS过滤器测试方法[J]. 网络与信息安全学报, 2018, 4(11): 69-77.

Zhijie GUI,Hui SHU. Rule-defect oriented browser XSS filter test method[J]. Chinese Journal of Network and Information Security, 2018, 4(11): 69-77.

图/表 11

图1

图2

图3

表1

图4

表2

图5

表3

表4

表5

表6

参考文献 15

[1]	GUPTA BB , GUPTA S , GANGWAR S ,et al. Meena PK (2015) cross-site scripting (XSS) abuse and defense:exploitation on several testing bed environments and its defense[J]. J Inf Privacy Secur, 11(2): 118-136.
[2]	ROSS D . IE8 security part IV:the XSS filter[EB/OL]. .aspx,July 2008.
[3]	NAVA E , LINDSAY D . Abusing Internet Explorer 8's XSS filters[C]// BlackHat Europe. 2010.
[4]	BATES D , BARTH A , JACKSON C . Regular expressions considered harmful in client-side XSS filters[C]// 19th International World Wide Web Conference. 2010.
[5]	LEKIES S , STOCK B , JOHNS M.2014 . A tale of the weaknesses of current client-side filtering[C]// Black Hat Europe. 2014.
[6]	刘雅楠 . Web 前端攻击及安全防护技术研究与实现[D]. 北京:北京邮电大学, 2017.
	LIU Y N . Research and implementation of Web front-end attack and protection technology[D]. Beijing:Beijing University of Posts and Telecommunications, 2017.
[7]	LIU J D , . An improved XSS vulnerability detection method based on attack vector[C]// 2018 International Conference on Modeling,Simulation and Analysis. 2018:6.
[8]	PAN J K ,et al. Taint inference for cross-site scripting in context of URL rewriting and HTML Sanitization[J]. ETRI Journal, 2016(2): 376-386.
[9]	黄娜娜, 万良 . 一种基于序列最小优化算法的跨站脚本漏洞检测技术[J]. 信息网络安全, 2017(10): 55-62.
	HUANG N N , WAN L . A cross site script vulnerability detection technology based on sequential minimum optimization algorithm[J]. Netinfo Securi, 2017(10): 55-62.
[10]	SALUNKE S S . Selenium Web driver in Python:learn with examples[M]. CreateSpace Independent Publishing Platform, 2014.
[11]	BEKRAR S , BEKRAR C , GROZ R ,et al. Finding software vulnerabilities by smart fuzzing[C]// IEEE Fourth International Conference on Software Testing Verification and Validation. 2011.
[12]	ANASTASIOS S , NTANTOGIAN C , XENAKIS C . Bypassing XSS auditor:taking advantage of badly written PHP code[C]// IEEE International Symposium on Signal Processing and Information Technology. 2015: 290-295.
[13]	Taint inference for cross-site scripting in context of URL rewriting and HTML sanitization[J]. ETRI Journal, 2016,(2): 376-386.
[14]	LIU B W , . XSS vulnerability scanning algorithm based on anti-filtering rules[C]// International Conference on Computer,Electronics and Communication Engineering. 2017.
[15]	LEKIES S , KOTOWICZ K , GROB S ,et al. Code-reuse attacks for the Web:breaking cross-site scripting mitigations via script gadgets[C]// ACM SIGSAC Conference on Computer and Communications Security. 2017: 1709-1723.

规则缺陷向量元素	序号	子向量
	0	html parser
ruleDef.loc	1	http request
	2	server handle
	3	http response
	0	bypass filter
ruleDef.way	1	avoid filter
	2	disabled filter
	0	exec code
ruleDef.res	1	break page
	2	cause vuln

描述	攻击向量
script标签直接注入JavaScript	<script>alert(“xxxx”);</script>
引用文件属性加载JavaScript	<imgsrc=http://xsss.js>
内联事件处理函数	<imgonerror=alert(1)>
CSS表达式	<div style=”xxx:expression(alert(1))”>
……	……

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	基本测试样例	30	0	0
		混淆样例	0	0	12
Chrome	68.0.3440.106	基本测试样例	30	0	0
		混淆样例	0	0	4
Firefox	61.0.2	基本测试样例	0	30	0
		混淆样例	0	0	0

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	场景测试样例	20	10	0
Chrome	68.0.3440.106	场景测试样例	13	17	0
Firefox	61.0.2	场景测试样例	0	30	0

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	场景测试样例	0	30	0
Chrome	68.0.3440.106	场景测试样例	0	30	0
Firefox	61.0.2	场景测试样例	0	30	0