面向规则缺陷的浏览器XSS过滤器测试方法

doi:10.11959/j.issn.2096-109x.2018093

Abstract

Abstract:

In order to alleviate XSS (cross-site scripting) attacks,modern browsers use XSS filters for defense.It is difficult to effectively test and evaluate the security of browser XSS filters.The rule-defect is the defect and security problem in the implementation process of browser XSS filter.The formal definition,design test sample and scene generation algorithm were presented for browser XSS filter rule-defects.In order to quantitatively test and evaluate the filtering level of different browser XSS filters,combined with filtering success rate,false positive rate,input loss calculation filtering ability.Based on the proposed method,the prototype system is designed to automate the testing of several mainstream browser XSS filters,and the XSS filtering capabilities of different browsers are obtained.Further,after actual testing,the system also has the ability to discover undisclosed vulnerabilities.

Key words: cross-site scripting attack, browser XSS filter, rule-defect, filtering capabilitiy

CLC Number:

TP309

Zhijie GUI,Hui SHU. Rule-defect oriented browser XSS filter test method[J]. Chinese Journal of Network and Information Security, 2018, 4(11): 69-77.

Figures/Tables 11

References 15

[1]	GUPTA BB , GUPTA S , GANGWAR S ,et al. Meena PK (2015) cross-site scripting (XSS) abuse and defense:exploitation on several testing bed environments and its defense[J]. J Inf Privacy Secur, 11(2): 118-136.
[2]	ROSS D . IE8 security part IV:the XSS filter[EB/OL]. .aspx,July 2008.
[3]	NAVA E , LINDSAY D . Abusing Internet Explorer 8's XSS filters[C]// BlackHat Europe. 2010.
[4]	BATES D , BARTH A , JACKSON C . Regular expressions considered harmful in client-side XSS filters[C]// 19th International World Wide Web Conference. 2010.
[5]	LEKIES S , STOCK B , JOHNS M.2014 . A tale of the weaknesses of current client-side filtering[C]// Black Hat Europe. 2014.
[6]	刘雅楠 . Web 前端攻击及安全防护技术研究与实现[D]. 北京:北京邮电大学, 2017.
	LIU Y N . Research and implementation of Web front-end attack and protection technology[D]. Beijing:Beijing University of Posts and Telecommunications, 2017.
[7]	LIU J D , . An improved XSS vulnerability detection method based on attack vector[C]// 2018 International Conference on Modeling,Simulation and Analysis. 2018:6.
[8]	PAN J K ,et al. Taint inference for cross-site scripting in context of URL rewriting and HTML Sanitization[J]. ETRI Journal, 2016(2): 376-386.
[9]	黄娜娜, 万良 . 一种基于序列最小优化算法的跨站脚本漏洞检测技术[J]. 信息网络安全, 2017(10): 55-62.
	HUANG N N , WAN L . A cross site script vulnerability detection technology based on sequential minimum optimization algorithm[J]. Netinfo Securi, 2017(10): 55-62.
[10]	SALUNKE S S . Selenium Web driver in Python:learn with examples[M]. CreateSpace Independent Publishing Platform, 2014.
[11]	BEKRAR S , BEKRAR C , GROZ R ,et al. Finding software vulnerabilities by smart fuzzing[C]// IEEE Fourth International Conference on Software Testing Verification and Validation. 2011.
[12]	ANASTASIOS S , NTANTOGIAN C , XENAKIS C . Bypassing XSS auditor:taking advantage of badly written PHP code[C]// IEEE International Symposium on Signal Processing and Information Technology. 2015: 290-295.
[13]	Taint inference for cross-site scripting in context of URL rewriting and HTML sanitization[J]. ETRI Journal, 2016,(2): 376-386.
[14]	LIU B W , . XSS vulnerability scanning algorithm based on anti-filtering rules[C]// International Conference on Computer,Electronics and Communication Engineering. 2017.
[15]	LEKIES S , KOTOWICZ K , GROB S ,et al. Code-reuse attacks for the Web:breaking cross-site scripting mitigations via script gadgets[C]// ACM SIGSAC Conference on Computer and Communications Security. 2017: 1709-1723.

Metrics

Recommended 0

No Suggested Reading articles found!

规则缺陷向量元素	序号	子向量
	0	html parser
ruleDef.loc	1	http request
	2	server handle
	3	http response
	0	bypass filter
ruleDef.way	1	avoid filter
	2	disabled filter
	0	exec code
ruleDef.res	1	break page
	2	cause vuln

描述	攻击向量
script标签直接注入JavaScript	<script>alert(“xxxx”);</script>
引用文件属性加载JavaScript	<imgsrc=http://xsss.js>
内联事件处理函数	<imgonerror=alert(1)>
CSS表达式	<div style=”xxx:expression(alert(1))”>
……	……

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	基本测试样例	30	0	0
		混淆样例	0	0	12
Chrome	68.0.3440.106	基本测试样例	30	0	0
		混淆样例	0	0	4
Firefox	61.0.2	基本测试样例	0	30	0
		混淆样例	0	0	0

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	场景测试样例	20	10	0
Chrome	68.0.3440.106	场景测试样例	13	17	0
Firefox	61.0.2	场景测试样例	0	30	0

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	场景测试样例	0	30	0
Chrome	68.0.3440.106	场景测试样例	0	30	0
Firefox	61.0.2	场景测试样例	0	30	0

Rule-defect oriented browser XSS filter test method

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 15

Related Articles 15

Metrics

Recommended 0

名称	版本号	过滤能力
IE	11.228.17134.0	1.38
Chrome	68.0.3440.106	3.75
Firefox	61.0.2	0

[1]	Aiqun HU, Lanting FANG, Tao LI. Research on bionic mechanism based endogenous security defense system [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 11-19.
[2]	Wang ZHOU, Honggang HU, Nenghai YU. Rapid responsive and efficient multi-valued Byzantine consensus scheme [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 57-64.
[3]	Qi CAO, Shuhua RUAN, Xingshu CHEN, Xiao LAN, Hongxia ZHANG, Hongjian JIN. Embedding of national cryptographic algorithm in Hyperledger Fabric [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 65-75.
[4]	Jian SHEN, Tianqi ZHOU, Chen WANG, Huijie YANG. Privacy protection key distribution protocol for edge computing [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 93-100.
[5]	Liming PU, Hongquan WEI, Xing LI, Yiming JIANG. Mimic cloud service architecture for cloud applications [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 101-112.
[6]	Mingfeng ZHAO, Chen LEI, Yang ZHONG, Jinbo XIONG. Dynamic privacy measurement model and evaluation system for mobile edge crowdsensing [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 157-166.
[7]	Jingcheng GUO,Hui SHU,Xiaobing XIONG,Fei KANG. Software protection technology based on code fragmentation [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 57-68.
[8]	Luhui YANG,Huiwen BAI,Guangjie LIU,Yuewei DAI. Lightweight malicious domain name detection model based on separable convolution [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 112-120.
[9]	Hao WANG,Tianhao WU,Konglin ZHU,Lin ZHANG. Anonymous vehicle authentication scheme based on blockchain technology in the intersection scenario [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 27-35.
[10]	Fan CHAO,Zhi YANG,Xuehui DU,Yan SUN. Android malware detection method based on deep neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 67-79.
[11]	Zhe LI,Yiliang HAN,Yu LI. Improved RLCE public key encryption scheme based on Polar codes [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 110-118.
[12]	Xu ZHANG,Xin MA. Lightweight mobile Ad Hoc network authentication scheme based on blockchain [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 14-22.
[13]	Sijie QIAN,Liquan CHEN,Shihui WANG. PKI cross-domain authentication scheme based on advanced PBFT algorithm [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 37-44.
[14]	Xiaokang YIN,Liu LIU,Long LIU,Shengli LIU. Function argument number identification in stripped binary under PPC and MIPS instruction set [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 95-103.
[15]	Yu ZHANG,Xixiang LYU,Yucong ZOU,Yige LI. Differentially private sequence generative adversarial networks for data privacy masking [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 109-119.