Design and Implementation of a Web Client Security Vulnerability Assessment Scheme
Published: 2018-03-14 12:00
Topic: Web client | Angle: Web security | Source: Xidian University, 2014 master's thesis | Thesis type: degree thesis
[Abstract]: With the arrival of the Web 2.0 era, Internet users have gradually turned from receivers of information into its producers and disseminators; powerful Web applications for chatting, social networking, shopping and so on keep emerging, and Web-based applications are becoming ever more widespread. While these applications bring convenience to people's lives, they also carry many hidden security risks, and massive amounts of users' personal private data are at constant risk of exposure. Today client-side vulnerabilities in all kinds of social networking sites appear one after another: an attacker can obtain private information or perform unauthorized operations without attacking the server at all, and the impact on users is no less than that of Web back-end and system vulnerabilities. Many developers and researchers have done a great deal of work on detecting and defending against these vulnerabilities. Moreover, because the Web client's network environment is complex and beyond the developer's control, the number of such vulnerabilities is not to be underestimated, so repairing them efficiently and sensibly when many are discovered at once is another step that deserves attention; this requires that vulnerabilities be graded and assessed. Current security vulnerability assessment work, whether quantitative or qualitative, targets general system vulnerabilities and aims to establish one universal standard for all information-system security vulnerabilities. Web client vulnerabilities, however, are special: they mainly affect the security of the Web client and usually have no effect on the server side. Yet new Web client vulnerabilities currently appear endlessly and in great numbers, and in the Web era they severely affect users' system security. For this reason, this thesis designs a vulnerability evaluation system specifically for Web client vulnerabilities, in order to improve the efficiency of repairing them and to promote the security of Web information systems.
The main work and contributions of the thesis are as follows:
1. The main categories of Web client vulnerabilities (XSS, CSRF and clickjacking) are analysed in depth, including their causes and impact, and a set of assessment factors for these vulnerabilities is selected.
2. Evaluation indicators are formulated on the basis of the actual characteristics of Web client vulnerabilities, Web client security vulnerabilities are partitioned by attribute, and an assessment scheme for Web client vulnerabilities is designed.
3. An automated assessment tool is implemented on the basis of the scheme, and the scheme is applied to an existing vulnerability database: more than four thousand Web client vulnerabilities are assessed automatically, and the experimental results show that the scheme is highly practical and effective.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
[Similar literature]
Related journal articles (top 1)
1 Zhang Xinyi; Principle and practice of an Ajax-based real-time push mechanism for Web clients [J]; Science & Technology Information; 2012, issue 28
Related master's theses (top 1)
1 Zhang Hui; Design and Implementation of a Web Client Security Vulnerability Assessment Scheme [D]; Xidian University; 2014
Article number: 1611113
Link: http://sikaile.net/guanlilunwen/ydhl/1611113.html