Research and Implementation of XSS and CSRF Defense Based on Node.js
Published: 2018-03-29 23:23
Topic: Web applications. Focus: Node.js. Source: Xidian University, 2014 master's thesis
[Abstract]: Today more and more applications rely on the Web platform and have evolved into the user-driven content Internet model. Web applications have become the most popular kind of computer application, but as they grow in popularity, security problems follow: cross-site scripting (XSS) and cross-site request forgery (CSRF) are the two most common attacks on Web applications. Node.js, as an emerging Web application development platform, provides no XSS or CSRF defense for the Web applications developed and deployed on it. Starting from the runtime mechanism of Node.js, and giving overall consideration to the performance of Web applications developed and deployed on Node.js, this thesis designs and implements a defense system that provides XSS defense and CSRF defense for Node.js Web applications. The defense system runs in a Node.js child process and provides defense services to the Web application; because it is highly decoupled, a Web application already developed and deployed on Node.js needs only minor code changes to enable the defense system. The defense system consists of six modules: the XSS defense module, the CSRF defense module, the session management module, the log management module, the communication interface module and the initialization module. The XSS defense module is the core of the design, because the CSRF countermeasures can only work as intended if the Web application is free of XSS vulnerabilities. XSS defense proceeds in four steps: detection, parsing, filtering and output encoding. First the data is inspected to determine its type. Next the HTML parser designed and implemented in this thesis parses the HTML data, and during parsing a taint-marking algorithm marks the parsed HTML tags. Filtering has two parts, filtering of HTML tag attributes and filtering of HTML attribute values; to improve filtering efficiency, the whitelist and blacklist are stored in red-black trees, and string information entropy together with regular-expression matching of attack features is used to improve the accuracy of attribute-value filtering. Finally, the taint marks are traced to replace the unsafe parts of the original string with safe values, and the legitimate data is encoded and output. On top of the XSS defense, the CSRF defense module is implemented according to the Anti-CSRF Token strategy, and a Session module backed by Redis storage is implemented to provide session management for the Web application. Communication between the Web application and the defense system is primarily over an IPC channel, with a Redis database used as a third-party data store so that data is exchanged by sharing. A test environment was built to test the defense system; the tests comprise functional tests and performance tests. Analysis of the test results shows that the defense system effectively defends against XSS and CSRF attacks and, while providing defense services for the Web application, does not significantly increase the Web application's response time, meeting the performance requirements.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP311.52; TP393.09