Design and Implementation of a Gray-Box Detection Scheme for XSS Vulnerabilities
[Abstract]: The rapid development of Web applications brings convenience to people's work and life, but also more and more security threats. Among them, cross-site scripting (XSS) is the most harmful. Attackers can exploit XSS vulnerabilities to control the target host, and can combine them with other attacks to go further, which seriously threatens the security of users' private information and property. It is therefore particularly important to detect XSS vulnerabilities in web applications efficiently. According to the analysis, the most effective way to detect this vulnerability is manual code audit, but that process is tedious and expensive. At present, most automatic detection techniques run black-box tests with a large number of attack payloads, but black-box testing cannot traverse all the logic, which results in a large number of missed reports and low accuracy. Static code audit is also poor at discovering DOM XSS vulnerabilities, and its compatibility is insufficient. To solve these problems, on the premise of having the source code of the protected target website, this paper studies and designs the gray-box detection scheme "XSScan", which is used to detect reflected, stored and DOM XSS vulnerabilities. The main results of the study are as follows:

1. For reflected and stored XSS, this paper uses compiler-construction techniques to build the abstract syntax tree and control-flow graph of the source code, reviews all calls to sensitive functions, and then tracks and analyzes the data flow of the sensitive parameters of those functions. Finally, dynamic verification is carried out to check for the XSS vulnerability. This not only finds all possible vulnerabilities at the root, but also reduces the system's false alarm rate through dynamic black-box verification, which significantly improves the efficiency of audit work.

2. For DOM XSS, the scheme uses the headless browser PhantomJS: while JavaScript is parsed and executed, the JavaScript and WebKit rendering engines are cracked to propagate a taint signal, and every DOM output point is checked for whether the tainted signal is output. This method greatly reduces the false alarm rate and false positive rate of DOM XSS detection, and makes up for the shortcomings of the above gray-box scheme in detecting DOM XSS.

The "XSScan" detection system is implemented in code. The test results show that "XSScan" detects XSS vulnerabilities in Web systems more efficiently and accurately. Compared with XSS detection tools of the same kind, its operating efficiency is improved and its false alarm rate is also reduced to a certain extent.
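
The static stage of result 1 (parse the source into an AST, locate calls to sensitive output functions, track the data flow into their arguments), as an added example that is not code from the thesis or from XSScan. It analyzes Python source with the standard `ast` module; the source, sanitizer and sink names and the sample handlers are assumptions, and it covers straight-line function bodies only, leaving the control-flow graph and the dynamic verification step out.

```python
import ast

# Illustrative source/sanitizer/sink names; assumptions, not XSScan's rule set.
SOURCES = {"request.args.get", "request.form.get"}
SANITIZERS = {"html.escape"}
SINKS = {"response.write"}

# Constructed sample input: only greet() sends unescaped input to the sink.
SAMPLE = '''
def greet(request, response):
    name = request.args.get("name")
    msg = "<p>Hello " + name + "</p>"
    response.write(msg)

def greet_safe(request, response):
    name = html.escape(request.args.get("name"))
    response.write("<p>Hello " + name + "</p>")
'''

def is_tainted(expr, tainted):
    """True if expr may carry untrusted data, given the tainted variable names."""
    if isinstance(expr, ast.Call):
        name = ast.unparse(expr.func)  # dotted callee name; needs Python 3.9+
        if name in SANITIZERS or name in SOURCES:
            return name in SOURCES
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # Any other node is tainted if one of its sub-expressions is.
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_candidates(source):
    """Return (function, line) for every sink call that receives tainted data."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:  # statements in order; branches would need the CFG
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and ast.unparse(call.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in call.args):
                        findings.append((func.name, call.lineno))
            if isinstance(stmt, ast.Assign):
                hit = is_tainted(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (tainted.add if hit else tainted.discard)(target.id)
    return findings
```

Each tuple returned by `find_candidates` is only a candidate; in the scheme the abstract describes, such candidates are then confirmed by dynamic verification.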
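[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree conferred]: 2017
[Classification number]: TP393.08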