Research and Design of XSS Attack Detection and Security Protection Technology
Topic: cross-site scripting vulnerabilities. Angle: attack detection. Source: Beijing University of Posts and Telecommunications, 2017 master's thesis. Paper type: degree thesis.
[Abstract]: In recent years, cross-site scripting has consistently ranked in the top three of the ten most common security vulnerabilities in computer networks. Because computer networks store large amounts of user information, XSS attacks have caused serious harm to the information security of network users, and how to respond to XSS attacks has become the issue of greatest concern to them. This thesis surveys client-side script security technology, studies the attack detection principles and security protection technology for cross-site scripting, gives a high-level design of an XSS detection system, analyses XSS vulnerability detection algorithms in detail, improves the suspicious-point extraction algorithm and the XSS vulnerability detection algorithm, and finally implements the XSS vulnerability detection system and evaluates it by testing. The main results of this work are as follows: (1) The current state of Web front-end security technology at home and abroad is surveyed, XSS attack principles and XSS defence methods are studied, and XSS detection mechanisms are analysed in depth. (2) A layered XSS vulnerability detection model is proposed, the overall system architecture is designed, and its uniformity and extensibility are improved; the model comprises link extraction, vulnerability location, attack vector generation and simulated attack. (3) Crawler-based XSS vulnerability detection algorithms are studied; the suspicious-point location algorithm and the XSS attack detection algorithm are studied and analysed, and a BFS-based XSS website link extraction algorithm, page deduplication based on a text similarity algorithm, and an attack vector generation algorithm based on injection-point classification are proposed, which effectively improve the false-positive rate and detection efficiency of the XSS vulnerability detection model. (4) Finally, the crawler-based XSS vulnerability detection system is implemented and tested: the crawler-based suspicious-point location and extraction module and the dynamic simulated-XSS-attack detection module are implemented. Testing against specific websites verifies that the XSS vulnerability detection model detects cross-site scripting vulnerabilities accurately and efficiently. Addressing the low accuracy and efficiency of XSS vulnerability detection, this thesis proposes a crawler-based XSS vulnerability detection scheme that improves the traditional XSS detection algorithm: a web crawler is used to find and locate XSS vulnerabilities, a specific attack vector library is then generated dynamically according to the vulnerability category, and that library is used for simulated attacks. Experimental results show that the scheme improves the efficiency and accuracy of cross-site scripting detection.
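The crawler layer the abstract describes (BFS link extraction scoped to one site, text-similarity deduplication of pages, and classification of candidate injection points by context) can be illustrated with the following Python sketch. It is an added example, not code from the thesis: the in-memory `SITE` fixture, the `fetch()` stand-in for an HTTP client, and Jaccard similarity over word shingles are assumptions of this example, since the abstract names neither the similarity measure nor the threshold. It stops at inventorying injection points; the thesis's attack-vector generation and simulated-attack stage is not reproduced here.

```python
"""BFS link extraction, text-similarity page dedup and injection-point inventory.

Added illustration of the crawler layer described in the thesis abstract; this is
not the thesis's own code. SITE is a constructed fixture so the example runs offline.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse, urlunparse

# Constructed fixture: a tiny site with an external link, two pages whose
# content is identical apart from the query string, and one POST form.
SITE = {
    "http://example.test/":
        '<a href="/search?q=a">s</a><a href="/about">about</a>'
        '<a href="http://other.test/x">ext</a><p>Welcome to the demo shop home page</p>',
    "http://example.test/about":
        '<p>About the demo shop. We sell demo things.</p><a href="/search?q=b">s2</a>',
    "http://example.test/search?q=a":
        '<p>Search results for your query in the demo shop catalogue</p>'
        '<form action="/comment" method="post"><input name="body"><input name="nick"></form>',
    "http://example.test/search?q=b":
        '<p>Search results for your query in the demo shop catalogue</p>'
        '<form action="/comment" method="post"><input name="body"><input name="nick"></form>',
}


def fetch(url):
    """Stand-in for an HTTP GET: returns the fixture body or None if unknown."""
    return SITE.get(url)


class _Extractor(HTMLParser):
    """Collects hrefs, form fields (grouped per form) and visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.text = [], [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea") and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def shingles(text, k=3):
    """Word k-shingles of the page text; the unit the similarity is computed over."""
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (assumed measure, not the thesis's)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def crawl(seed, fetch_fn, threshold=0.9):
    """BFS over same-origin links; near-duplicate pages are recorded but not analysed.

    Returns the visited pages in BFS order, the URLs skipped as duplicates, and the
    injection-point candidates classified as 'query' or 'form-<method>'.
    """
    origin = urlparse(seed).netloc
    queue, seen = deque([seed]), {seed}
    pages, fingerprints, duplicates, injection_points = [], [], [], []
    while queue:
        url = queue.popleft()
        body = fetch_fn(url)
        if body is None:
            continue
        page = _Extractor()
        page.feed(body)
        fingerprint = shingles(" ".join(page.text))
        # Text-similarity dedup: a page that matches one already analysed is skipped,
        # so its forms and parameters are not tested a second time.
        if any(jaccard(fingerprint, f) >= threshold for f in fingerprints):
            duplicates.append(url)
            continue
        fingerprints.append(fingerprint)
        pages.append(url)
        # Injection-point classification by context: query parameters vs form fields.
        for name in parse_qs(urlparse(url).query, keep_blank_values=True):
            injection_points.append({"url": url, "kind": "query", "param": name})
        for form in page.forms:
            action = urljoin(url, form["action"])
            for field in form["fields"]:
                injection_points.append({"url": action, "kind": "form-" + form["method"], "param": field})
        # BFS frontier: same-origin http(s) links only, fragments stripped.
        for href in page.links:
            target = urlparse(urljoin(url, href))._replace(fragment="")
            if target.netloc != origin or target.scheme not in ("http", "https"):
                continue
            flat = urlunparse(target)
            if flat not in seen:
                seen.add(flat)
                queue.append(flat)
    return {"pages": pages, "duplicates": duplicates, "injection_points": injection_points}


if __name__ == "__main__":
    for key, value in crawl("http://example.test/", fetch).items():
        print(key, value)
```

Run against the fixture, the crawl visits three distinct pages, flags `/search?q=b` as a duplicate of `/search?q=a`, never leaves `example.test`, and reports one query parameter and two POST form fields as the surfaces a later testing stage would examine.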
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master
[Year conferred]: 2017
[Classification number]: TP393.08
Article ID: 1639977
Link to this article: http://sikaile.net/guanlilunwen/ydhl/1639977.html