Research on the Analysis and Prevention of Web Front-End Security Problems
Published: 2019-06-25 14:14
[Abstract]: As the Web has developed, its security problems have grown increasingly serious. The Web front end, as the entry point of a Web application, is the weakest link in Web security defense and the part most easily attacked, so research into and prevention of Web front-end security problems is urgent. This thesis first analyzes in depth the three currently most prominent attack methods (XSS attacks, CSRF attacks and interface operation hijacking, i.e. clickjacking), describing in detail the working principle and the classification of each. Next, addressing the security of the new W3C standard HTML5, it analyzes the security problems arising from HTML5's new attributes, new tags, new methods and the corresponding new features. Finally, it describes in detail defense schemes against the three attack methods and, for the specific scenario of a network security management system, designs a new Web front-end defense model: a hybrid prevention mechanism for JSP that combines static analysis with dynamic interception. On both the client and the server side it validates and intercepts user input and requests in blacklist mode; at the same time it marks and extracts features from the dynamic content of JSP pages and, through an Nginx proxy server, compares the features of the response page against those of the original JSP page in order to detect and prevent JSP dynamic content from producing harmful attack content. In testing, the model defends effectively against a range of front-end attacks with clearly effective interception: the false negative (missed report) rate is close to 0%, while the false positive rate stays around 8.5%.
[Degree-granting institution]: 北京郵電大學 (Beijing University of Posts and Telecommunications)
[Degree level]: Master's
[Year of degree conferral]: 2014
[Classification number]: TP393.08
Article number: 2505742
Link to this article: http://sikaile.net/guanlilunwen/ydhl/2505742.html