基于网络爬虫与页面代码行为的XSS漏洞动态检测方法

doi:10.11959/j.issn.1000-0801.2016068

Abstract

Abstract:

XSS vulnerability is a common vulnerability of attacking the Web application and getting the user’s privacy data.Traditional XSS vulnerability detection’s softwares aren’t specially detecting for AJAX Web application.There is a huge disparity in the inspection accuracy.According to this situation，the XSS vulnerability characteristics of AJAX Web applications were described in detail，and a dynamic detection method based on Web crawler and page code behavior was proposed.Experimental results show that the proposed method has good performance in labor-saving，time saving and vulnerability detection effect.

Key words: XSS vulnerabilitiy, Web crawler, vulnerabilitiy detecting, AJAX Web application

Yi LIU,Junbin HONG. A dynamic detection method based on Web crawler and page code behavior for XSS vulnerability[J]. Telecommunications Science, 2016, 32(3): 87-91.

Figures/Tables 5

References 21

[1]	， DAHSE J . A vulnerability scanner for different kinds of vulnerabilities[DB/OL].[2015-04-09]. .
[2]	AN H Y ， SONG Y ， YU T ， et al. A new architecture of AJAX Web application security crawler with finite-state machine[J]. IEEE Computer Society， 2014（27）：112-117.
[3]	OWASP. Cross site scripting prevention cheat sheet[EB/OL].（2013-12-26）[2014-03-26]. .
[4]	OWASP. Top ten project[EB/OL].（2013-12-03）[2013-12-10]. .
[5]	LI Z ， XU X ， LIAO L J ， et al. Using templates combination to generate testing vectors dynamically indetecting Web applications vulnerabilities[J]. Application Research of Computers， 2015，32（10）：3004-3009.
[6]	CHEN J F ， WANG Y D ， ZHANG Y Q ， et al. Automatic generation of attack vectors for stored-XSS[J]. Journal of Graduate University of Chinese Academy of Sciences， 2012，29（6）：815-820.
[7]	WANG X L ， ZHANG Y Q . A behavior-based client defense scheme against XSS[J]. Journal of Graduate University of Chinese Academy of Sciences， 2011，25（5）：668-675.
[8]	CHEN J Q ， ZHANG Y Q . Design and realization of Web cross-site scripting vulnerability detection tool[J]. Computer Engineering， 2010，36（6）：152-158.
[9]	JIANG H ， XU Z Y ， WANG X . XSS attack defense method based on behavior[J]. Computer Engineering and Designg， 2014，35（6）：1911-1925.
[10]	GUO X B ， JIN S Y ， ZHANG Y X . XSS vulnerability detection using optimized attack vector repertory[J]. IEEE Computer Society， 2015（50）：29-36.
[11]	CUI B J ， LONG B L ， HOU T T . Reverse analysis method of static XSS defect detection technique based on database query language[C]// The Nineth International Conference on P2P，Parallel，Grid，Cloud and Internet Computing（3PGCIC）， November 8-10，2014， Guangzhou，Guangdong，China. New Jersey： IEEE Press， 2014：487-491.
[12]	LIU W X ， YU S Z . Research for ACK attacks in network coding[J]. Journal of Chinese Computer Systems， 2012，32（7）：1354-1359.
[13]	Rsnake. XSS（cross site scripting） cheat sheet[EB/OL].[2013-11-15]. .
[14]	WU H Q . White hatter talks about web security[M]. Beijing： Publishing House of Electronics Industry， 2013：152-178.
[15]	GUPTA M K ， GOVIL M C ， SINGH G . Predicting cross-site scripting（XSS）security vulnerabilities in Web applications[C]// 2015 12th International Joint Conference on Computer Science and Software Engineering（JCSSE）， July 22-24，2015， Songkhla，Thailand. New Jersey： IEEE Press， 2015：162-167.
[16]	LI Y W ， LIU Z X ， DING S J . Technique for discovering stored XSS vulnerability based on tracing risky data[J]. Computer Science， 2014，41（11A）：241-244.
[17]	QIU Y H . The analysis and defense of XSS attack[M]. Beijing： Posts＆Telecom Press， 2013.
[18]	LI Z J ， ZHANG J X ， LIAO X K . Survey of software vulnerability detection techniques[J]. Chinese Journal of Computers， 2015，38（4）：717-732.
[19]	HALFOND W G J ， ORSO A ， MANOLIOS P . WASP：protecting web applications using positive tainting and syntax-aware evaluation[J]. IEEE Transactions on Software Engineering， 2008，34（1）：65-81.
[20]	SAYED B ， TRAORE I . Protection against Web 2.0 client-side web attacks using information flow control[J]. The 28th International Conference on Advanced Information Networking and Applications Workshops （WAINA）， May 13-16，2014， Victoria，BC，USA. New Jersey： IEEE Press， 2014：261-268.
[21]	HELEN K ， SARANDIS M ， CHRISTOS D . An advanced web attack detection and prevention tool[J]. Information Management＆ Computer Security， 2011，19（5）：280-299.

Metrics

Recommended 0

No Suggested Reading articles found!

Type	攻击字符串
常用的最基本的XSS攻击	＜SCRIPT SRC =http://www.xxx.org/file/attack.js＞＜/SCRIPT＞
16 进制编码注入JavaScript	＜Frame Source=＆#x29＆#x53＆#x58＆# x61＆#x76＆#x61＆#x53＆#x27＆#x6A ＞
使用两个尖括号引入 style 属性进行注入	＜＜SCRIPT＞Document.Write（）；//＜＜/SCRIPT＞＜IMG STYLE=“alert（‘XSS’）”＞
…	…

网站	工具	数据入口点	XSS漏洞数	系统漏洞数
某学校	Paros	1 forms、8 inputs	9	15
官网	X5S	1 forms、5 inputs	7	15
	XSS Finder	4 forms、13 inputs	15	15
PetStore	Paros	12 forms、25 inputs	4	8
	X5S	10 forms、22 inputs	3	8
	XSS Finder	17 forms、32 inputs	8	8

A dynamic detection method based on Web crawler and page code behavior for XSS vulnerability

RichHTML

PDF下载

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 5

References 21

Related Articles 2

Metrics

Recommended 0

[1]	Enming SHI,Xiaojun XIAO,Yu LU. Research and design of distributed high-performance network reptiles based on cloud platform [J]. Telecommunications Science, 2017, 33(8): 180-186.
[2]	Jianfeng Zhang,Jin Wang. A Classification Method of Music Style Based on Text Mining and Neural Network [J]. Telecommunications Science, 2015, 31(7): 79-85.