
Research on Server-Side CSRF Defense

Published: 2018-06-08 10:53

Topic: cross-site request forgery + Web applications. Source: Jiangxi Normal University, 2014 master's thesis


【Abstract】: In recent years, applications built on Web and database architectures have come into ever wider use; since the advent of Web 2.0 in particular, Web technology has won favor for its interactivity and real-time behavior. New interactive applications such as personal blogs, social networking sites and online shopping have become part of everyday life. At the same time, Web technology has brought Web applications new security problems. Cross-site request forgery (CSRF) is one of the main security threats to current Web applications: the attacker constructs a malicious request and, through social engineering, induces a legitimate user to issue it, so that the operation the attacker wants is carried out in the Web application under that user's identity. By exploiting CSRF, an attacker can often penetrate the target Web application further and pose a serious threat to the target site. Effective defense against CSRF vulnerabilities is therefore important to the security of Web applications. This thesis first surveys current Web security technology in China and abroad and describes in detail the core techniques closely related to CSRF attacks, then focuses on the principles of common CSRF defense strategies and defense tools. To address the shortcomings of current CSRF defenses, it designs a server-side CSRF module implemented mainly as a filter. The filter is designed for the J2EE platform; it adds a token mechanism and is implemented with a J2EE Servlet filter together with JavaScript. It intercepts the requests and responses exchanged between server and client and processes and validates them. The module is implemented on the server side and requires no modification to the client browser; it uses the JavaScript event-delegation mechanism to bind form focus and submit events, so that it can also handle dynamically created requests. Finally, experimental results show that the module effectively defends Web applications against CSRF attacks and, compared with other protection tools, offers better usability and effectiveness.
【Degree-granting institution】: Jiangxi Normal University
【Degree level】: Master's
【Year of award】: 2014
【Classification number】: TP393.08



Link to this page: http://sikaile.net/guanlilunwen/ydhl/1995553.html

