
Research on Client-Side Defense Techniques against Cross-Site Scripting Attacks

Published: 2018-04-05 12:45

Topic: cross-site scripting attacks | Angle: browser security | Source: Beijing Jiaotong University, 2014 master's thesis


[Abstract]: Cross-site scripting (XSS) is one of the most harmful and most common threats facing Web applications today. The attack stems from a weak link in Web application security: insufficient filtering of user input. Although fixing XSS vulnerabilities in the Web application on the server side solves the problem at its root, for reasons such as slow release of security patches and weak security awareness among system operators, many Web applications still do not fix their vulnerabilities in time, leaving users exposed to XSS attacks whenever they use these applications. To improve users' ability to actively defend themselves against XSS, it is therefore necessary to study client-side XSS defenses.

The main work of the thesis covers four aspects:

First, it surveys the current security situation of Web applications and analyses the client's existing security mechanisms and the security risks the client bears; these mechanisms are what an XSS attack has to challenge and overcome.

Second, it classifies XSS attacks according to their cause and summarises the characteristics of each type. It summarises XSS vulnerability discovery techniques, including XSS encoding methods and defense-bypass techniques, and studies the triggering mechanism of XSS in the HTML interface.

Third, it builds a virtual blog website system and demonstrates, example by example, the concrete attack process of cookie theft, XSS phishing and XSS worms, verifying their harm. Other attack methods such as keystroke monitoring and access to the local clipboard are briefly discussed.

Finally, given that the main purpose of an XSS attack is to steal the user's sensitive information, and that its behavioural signature is sending that sensitive information to a third party without the user's authorisation, the thesis designs a new XSS defense method. In the client browser the method relies mainly on dynamic taint tracking, supplemented by static taint analysis: taint tracking monitors the transmission of sensitive information in the current page, and when a sensitive value is handled abnormally the user is warned, so that leakage of client-side sensitive information is blocked and XSS attacks are effectively intercepted. By extending the JavaScript engine SpiderMonkey, a plug-in based on this method, xssCleaner, is implemented on the open-source Firefox, which verifies the effectiveness and feasibility of the defense method.
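The defense described in the last paragraph, a client-side taint-tracking policy where sensitive values are labelled at their source and checked when they reach a network sink, can be modelled at JavaScript level with a small wrapper type. The code below is an added illustration and is not code from the thesis or from xssCleaner; the `Tainted` class, the `concat`/`encode` propagation helpers, the `checkSink` policy, the page origin `https://blog.example` and the cookie string `session=abc123` are all constructed for the example.

```javascript
// Toy model of dynamic taint tracking for sensitive browser data.
// Assumed design (not the thesis's implementation): a sensitive source is
// wrapped as a Tainted value carrying a set of labels, taint propagates
// through the string operations we wrap, and a sink policy warns when
// tainted data is about to leave the page for a different origin.

class Tainted {
  constructor(value, labels) {
    this.value = String(value);
    this.labels = new Set(labels); // e.g. {'cookie'}
  }
  toString() { return this.value; }
}

// Labels carried by x (empty set for untainted plain values).
function taintOf(x) { return x instanceof Tainted ? x.labels : new Set(); }

// Underlying string of x, whether tainted or not.
function valueOf(x) { return x instanceof Tainted ? x.value : String(x); }

// String concatenation that propagates taint as the union of all labels.
function concat(...parts) {
  const labels = new Set();
  for (const p of parts) for (const l of taintOf(p)) labels.add(l);
  const value = parts.map(valueOf).join('');
  return labels.size ? new Tainted(value, labels) : value;
}

// URL-encoding a secret must not launder its taint: the result stays tainted.
function encode(x) {
  const v = encodeURIComponent(valueOf(x));
  return x instanceof Tainted ? new Tainted(v, x.labels) : v;
}

// Source: reading the page's cookies (constructed string stands in for document.cookie).
function readCookie(cookieString) {
  return new Tainted(cookieString, ['cookie']);
}

// Sink: the URL of an outgoing request (image src, fetch, form action ...).
// Policy from the abstract: sensitive data flowing to a third-party origin
// without authorisation is the signature of an XSS data theft, so it is
// reported; same-origin use of the same data is normal application behaviour.
function checkSink(pageOrigin, url) {
  const labels = taintOf(url);
  const target = new URL(valueOf(url), pageOrigin); // resolves relative URLs
  const crossOrigin = target.origin !== pageOrigin;
  if (labels.size && crossOrigin) {
    return {
      allowed: false,
      reason: `tainted data [${[...labels].join(',')}] sent to ${target.origin}`,
    };
  }
  return { allowed: true, reason: '' };
}

// Walk three constructed flows through the policy and return the verdicts.
function demo() {
  const origin = 'https://blog.example';
  const cookie = readCookie('session=abc123'); // constructed sample cookie
  const flows = [
    // 1. the page's own API call carrying the session: same origin, allowed
    concat('/api/profile?', encode(cookie)),
    // 2. the same value bound for another origin: blocked and reported
    concat('https://third-party.example/collect?c=', encode(cookie)),
    // 3. an untainted cross-origin fetch (a CDN script): allowed
    'https://cdn.example/lib.js',
  ];
  return flows.map((url) => ({ url: valueOf(url), ...checkSink(origin, url) }));
}

console.log(demo());
```

A wrapper like this only sees the operations it wraps, so a flow that goes through `substring`, template literals or a DOM property would silently drop the label. That is exactly why the thesis instruments the JavaScript engine (SpiderMonkey) rather than page-level code: engine-level tags follow the value through every operation, and the static analysis it mentions helps cover flows the dynamic tracker cannot observe.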
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master
[Year of degree]: 2014
[Classification number]: TP393.08

[Citing literature]

Related master's theses (1 entry)

1 楊芮; Design and Implementation of a Web User Behaviour Data Collection and Statistics System [D]; Beijing Jiaotong University; 2015


Record number: 1714772


Link: http://sikaile.net/guanlilunwen/ydhl/1714772.html

