
Research on Web Application Vulnerability Detection and Protection Techniques

Published: 2019-05-07 05:31
[Abstract]: In recent years, security incidents caused by Web application vulnerabilities have occurred frequently, and such vulnerabilities pose a growing threat to network security. Cross-site scripting (Cross Site Script, XSS) is the most common Web application vulnerability; attackers can exploit it to carry out attacks against users such as information theft, session hijacking and phishing. Existing Web vulnerability detection schemes and tools are generally imperfect and suffer from defects such as low efficiency, a high miss rate and a high false-positive rate. XSS vulnerability detection and defense techniques therefore need further in-depth study. Designing a high-performance XSS vulnerability detection system helps prevent cross-site scripting attacks on Web applications and reduces the occurrence of Web security incidents. Based on an in-depth study of how XSS vulnerabilities are exploited and of existing detection techniques, the requirements of a vulnerability detection system are analyzed in detail, and a detection system for cross-site scripting vulnerabilities in Web applications is designed and implemented. Building on existing Web vulnerability detection techniques and tools, the system adds CAPTCHA recognition, which solves the problem that data can be submitted to the server during detection only after a CAPTCHA has been entered. To address the shortcomings of existing Web vulnerability detection tools, the system's web crawler is improved, and, according to the server's filtering rules for XSS code, more XSS code that can bypass server-side filtering is constructed. Test results show that the system has a low miss rate and a low false-positive rate, and that the improved web crawler is highly efficient. By adding CAPTCHA recognition and constructing XSS code that can bypass the server's filtering rules, cross-site scripting vulnerabilities can be mined in depth and the system's miss rate reduced. An efficient web crawler that accurately extracts information about page interaction points improves the correctness and efficiency of vulnerability detection.
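Degree-granting institution: Nanjing University of Posts and Telecommunications
Degree level: Master's
Year degree conferred: 2017
Classification number: TP393.08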


Article ID: 2470807


Article link: http://sikaile.net/guanlilunwen/ydhl/2470807.html

