面向规则缺陷的浏览器XSS过滤器测试方法

doi:10.11959/j.issn.2096-109x.2018093

Abstract

Abstract:

In order to alleviate XSS (cross-site scripting) attacks,modern browsers use XSS filters for defense.It is difficult to effectively test and evaluate the security of browser XSS filters.The rule-defect is the defect and security problem in the implementation process of browser XSS filter.The formal definition,design test sample and scene generation algorithm were presented for browser XSS filter rule-defects.In order to quantitatively test and evaluate the filtering level of different browser XSS filters,combined with filtering success rate,false positive rate,input loss calculation filtering ability.Based on the proposed method,the prototype system is designed to automate the testing of several mainstream browser XSS filters,and the XSS filtering capabilities of different browsers are obtained.Further,after actual testing,the system also has the ability to discover undisclosed vulnerabilities.

Key words: cross-site scripting attack, browser XSS filter, rule-defect, filtering capabilitiy

CLC Number:

TP309

Zhijie GUI,Hui SHU. Rule-defect oriented browser XSS filter test method[J]. Chinese Journal of Network and Information Security, 2018, 4(11): 69-77.

Figures/Tables 11

References 15

[1]	GUPTA BB , GUPTA S , GANGWAR S ,et al. Meena PK (2015) cross-site scripting (XSS) abuse and defense:exploitation on several testing bed environments and its defense[J]. J Inf Privacy Secur, 11(2): 118-136.
[2]	ROSS D . IE8 security part IV:the XSS filter[EB/OL]. .aspx,July 2008.
[3]	NAVA E , LINDSAY D . Abusing Internet Explorer 8's XSS filters[C]// BlackHat Europe. 2010.
[4]	BATES D , BARTH A , JACKSON C . Regular expressions considered harmful in client-side XSS filters[C]// 19th International World Wide Web Conference. 2010.
[5]	LEKIES S , STOCK B , JOHNS M.2014 . A tale of the weaknesses of current client-side filtering[C]// Black Hat Europe. 2014.
[6]	刘雅楠 . Web 前端攻击及安全防护技术研究与实现[D]. 北京:北京邮电大学, 2017.
	LIU Y N . Research and implementation of Web front-end attack and protection technology[D]. Beijing:Beijing University of Posts and Telecommunications, 2017.
[7]	LIU J D , . An improved XSS vulnerability detection method based on attack vector[C]// 2018 International Conference on Modeling,Simulation and Analysis. 2018:6.
[8]	PAN J K ,et al. Taint inference for cross-site scripting in context of URL rewriting and HTML Sanitization[J]. ETRI Journal, 2016(2): 376-386.
[9]	黄娜娜, 万良 . 一种基于序列最小优化算法的跨站脚本漏洞检测技术[J]. 信息网络安全, 2017(10): 55-62.
	HUANG N N , WAN L . A cross site script vulnerability detection technology based on sequential minimum optimization algorithm[J]. Netinfo Securi, 2017(10): 55-62.
[10]	SALUNKE S S . Selenium Web driver in Python:learn with examples[M]. CreateSpace Independent Publishing Platform, 2014.
[11]	BEKRAR S , BEKRAR C , GROZ R ,et al. Finding software vulnerabilities by smart fuzzing[C]// IEEE Fourth International Conference on Software Testing Verification and Validation. 2011.
[12]	ANASTASIOS S , NTANTOGIAN C , XENAKIS C . Bypassing XSS auditor:taking advantage of badly written PHP code[C]// IEEE International Symposium on Signal Processing and Information Technology. 2015: 290-295.
[13]	Taint inference for cross-site scripting in context of URL rewriting and HTML sanitization[J]. ETRI Journal, 2016,(2): 376-386.
[14]	LIU B W , . XSS vulnerability scanning algorithm based on anti-filtering rules[C]// International Conference on Computer,Electronics and Communication Engineering. 2017.
[15]	LEKIES S , KOTOWICZ K , GROB S ,et al. Code-reuse attacks for the Web:breaking cross-site scripting mitigations via script gadgets[C]// ACM SIGSAC Conference on Computer and Communications Security. 2017: 1709-1723.

Metrics

Recommended 0

No Suggested Reading articles found!

规则缺陷向量元素	序号	子向量
	0	html parser
ruleDef.loc	1	http request
	2	server handle
	3	http response
	0	bypass filter
ruleDef.way	1	avoid filter
	2	disabled filter
	0	exec code
ruleDef.res	1	break page
	2	cause vuln

描述	攻击向量
script标签直接注入JavaScript	<script>alert(“xxxx”);</script>
引用文件属性加载JavaScript	<imgsrc=http://xsss.js>
内联事件处理函数	<imgonerror=alert(1)>
CSS表达式	<div style=”xxx:expression(alert(1))”>
……	……

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	基本测试样例	30	0	0
		混淆样例	0	0	12
Chrome	68.0.3440.106	基本测试样例	30	0	0
		混淆样例	0	0	4
Firefox	61.0.2	基本测试样例	0	30	0
		混淆样例	0	0	0

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	场景测试样例	20	10	0
Chrome	68.0.3440.106	场景测试样例	13	17	0
Firefox	61.0.2	场景测试样例	0	30	0

名称	版本号	测试样例集合	过滤成功数量	过滤失败数量	误报数量
IE	11.228.17134.0	场景测试样例	0	30	0
Chrome	68.0.3440.106	场景测试样例	0	30	0
Firefox	61.0.2	场景测试样例	0	30	0

Rule-defect oriented browser XSS filter test method

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 15

Related Articles 15

Metrics

Recommended 0

名称	版本号	过滤能力
IE	11.228.17134.0	1.38
Chrome	68.0.3440.106	3.75
Firefox	61.0.2	0

[1]	Yilong WANG, Zhenyu LI, Daofu GONG, Fenlin LIU. Image double fragile watermarking algorithm based on block neighborhood [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 38-48.
[2]	Renfeng CHEN, Hongbin ZHU. Research on credit card transaction security supervision based on PU learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 73-78.
[3]	Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN. Insider threat detection based on operational attention and data augmentation [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 102-112.
[4]	Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.
[5]	Peng HOU, Zhixin LI, Fei ZHANG, Xu SUN, Dan CHEN, Yihao CUI, Hanbing ZHANG, Yinan JIN, Hongfeng CHAI. Technology and practice of intelligent governance for financial data security [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 174-187.
[6]	Min XIAO, Faying MAO, Yonghong HUANG, Yunfei CAO. Anonymous trust management scheme of VANET based on attribute signature [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 33-45.
[7]	Jianlong XU, Jian LIN, Yusen LI, Zhi XIONG. Distributed user privacy preserving adjustable personalized QoS prediction model for cloud services [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 70-80.
[8]	Xunxun CHEN, Mingzhe LI, Ning LYU, Liang HUANG. Intrinsic assurance: a systematic approach towards extensible cybersecurity [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 92-102.
[9]	Jiashuo SONG, Zhenzhen LI, Haiyang DING, Zichen LI. Efficient and fully simulated oblivious transfer protocol on elliptic curve [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 158-166.
[10]	Fenghua LI, Hui LI, Ben NIU, Weidong QIU. Academic connotation and research trends of privacy computing [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 1-8.
[11]	Fei TANG, Ning GAN, Xianggui YANG, Jinyang WANG. Anti malicious KGC certificateless signature scheme based on blockchain and domestic cryptographic SM9 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 9-19.
[12]	Xue BAI, Baodong QIN, Rui GUO, Dong ZHENG. Two-party cooperative blind signature based on SM2 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 39-51.
[13]	Jun LIU, Lin YUAN, Zhishang FENG. Survey of key management schemes for cluster networks [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 52-69.
[14]	Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83.
[15]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.