【摘要】：Web應用的快速發(fā)展,在為人們的工作和生活提供便捷的同時,也帶來了越來越多的安全威脅。其中,跨站腳本攻擊XSS是危害性最大的一種。攻擊者可以利用XSS漏洞控制目標主機,還可以結合其他攻擊手段來實施進一步的攻擊,嚴重威脅了用戶隱私信息和財產(chǎn)的安全。因此高效率地檢測出web應用程序中存在的XSS安全漏洞變得尤為重要。據(jù)分析,檢測這一漏洞最有效的方法是進行人工代碼審計,但這一過程相當繁瑣,開銷較大;目前采用的自動化檢測技術大多使用大量攻擊載荷進行黑盒測試,但是黑盒測試不能遍歷所有的邏輯導致大量的漏報,準確率較低;并且靜態(tài)代碼審計技術在針對DOM型XSS安全漏洞的發(fā)現(xiàn)上效果也比較差,兼容性不足。針對上述問題,在擁有被防護目標網(wǎng)站的源碼的前提下,本文研究并設計了灰盒檢測方案“XSScan”,用于檢測反射型、存儲性和DOM型XSS漏洞。研究的主要成果是:1.針對反射型和存儲型XSS,運用編譯原理技術構建源代碼的抽象語法樹和程序控制流圖,審查所有被調用的敏感函數(shù),然后跟蹤和分析以上函數(shù)中敏感的參數(shù)的數(shù)據(jù)流,最后進行動態(tài)驗證,檢查是否存在XSS漏洞。既可以有效地從根本上找到可能存在的全部漏洞,又可以通過動態(tài)黑盒驗證方法來減少系統(tǒng)的誤報率,顯著提高了審計工作的效率。2.針對DOM型XSS,利用無頭瀏覽器PhantomJS的強大功能,在解析執(zhí)行JavaScript腳本期間,通過傳播污染的信號來破解JavaScript和WebKit渲染引擎,在所有的DOM輸出點檢測該污染信號是否被輸出。該方法大幅度降低了DOM型XSS檢測的誤報率和漏報率,彌補了以上灰盒方案在檢測DOM型XSS上的不足。編碼實現(xiàn)“XSScan”檢測系統(tǒng),測試結果表示,“XSScan”系統(tǒng)能更高效并且準確的發(fā)現(xiàn)Web系統(tǒng)中存在的XSS漏洞。與同類的XSS檢測工具相比,運行效率有提高,且誤報率和漏報率也有一定程度的降低。
[Abstract]:The rapid development of Web applications not only provides convenience for people's work and life, but also brings more and more security threats. Among them, cross-site script attack XSS is the most harmful. Attackers can take advantage of XSS vulnerabilities to control the target host, and can also combine other attacks to carry out further attacks, which seriously threaten the security of users' privacy information and property. Therefore, it is particularly important to detect XSS security vulnerabilities in web applications efficiently. According to the analysis, the most effective method to detect this vulnerability is to carry out manual code audit, but this process is quite tedious and expensive. At present, most of the automatic detection techniques use a large number of attack loads for black box testing, but black box testing can not traverse all the logic resulting in a large number of missed reports, and the accuracy is low. The static code audit technology is also poor in the discovery of Dom XSS security vulnerabilities, and the compatibility is insufficient. In order to solve the above problems, on the premise of having the source code of the protected target website, this paper studies and designs the gray box detection scheme "XSScan", which is used to detect reflective, storage and Dom XSS vulnerabilities. The main results of the study are as follows: 1. This paper uses compilation principle technology to construct abstract syntax tree and program control flow diagram of source code for reflective and storage XSS, reviews all called sensitive functions, and then tracks and analyzes the data flow of sensitive parameters in the above functions. Finally, dynamic verification is carried out to check for XSS vulnerability. It can not only find all the possible vulnerabilities fundamentally, but also reduce the false alarm rate of the system by dynamic black box verification method, which significantly improves the efficiency of audit work. 2. Aiming at Dom XSS, which makes use of the powerful function of headless browser PhantomJS, during the parsing and execution of JavaScript script, JavaScript and WebKit rendering engine are cracked by propagating contaminated signal, and whether the polluted signal is output is detected at all DOM output points. This method greatly reduces the false alarm rate and false positive rate of Dom type XSS detection, and makes up for the shortcomings of the above gray box scheme in detecting Dom type XSS. The "XSScan" detection system is implemented by coding. The test results show that the "XSScan" system can detect the XSS vulnerability in Web system more efficiently and accurately. Compared with the same kind of XSS detection tools, the operation efficiency is improved, and the false alarm rate and false alarm rate are also reduced to a certain extent.
【學位授予單位】：電子科技大學
【學位級別】：碩士
【學位授予年份】：2017
【分類號】：TP393.08

【參考文獻】

相關期刊論文 前10條

1 孫偉;張凱寓;薛臨風;徐田華;;XSS漏洞研究綜述[J];信息安全研究;2016年12期

2 李潔;俞研;吳家順;;基于動態(tài)污點分析的DOM XSS漏洞檢測算法[J];計算機應用;2016年05期

3 李威;李曉紅;;Web應用存儲型XSS漏洞檢測方法及實現(xiàn)[J];計算機應用與軟件;2016年01期

4 張海燕;莫勇;;基于決策樹分類的跨站腳本攻擊檢測方法[J];微型機與應用;2015年16期

5 鮑澤民;王根英;李娟;;跨站腳本攻擊客戶端防御技術研究[J];鐵路計算機應用;2015年07期

6 王永樂;葛洪央;;淺析Cookies欺騙攻擊與防御策略[J];信息技術;2014年08期

7 李欣;孫珊珊;;XSS攻擊的研究與防范[J];黑河學院學報;2013年06期

8 邱永華;;XSS跨站腳本攻擊剖析與防御[J];中國科技信息;2013年20期

9 徐博文;曹維華;劉春暉;朱華虹;;基于Javascript蠕蟲的實時會話劫持攻擊技術研究[J];計算機安全;2013年09期

10 李冰;趙逢禹;;Stored-XSS漏洞檢測的研究與設計[J];計算機應用與軟件;2013年03期

相關碩士學位論文 前4條

1 徐浩然;基于代理的跨站腳本攻擊檢測技術研究[D];電子科技大學;2016年

2 左丹丹;Web應用程序的跨站腳本漏洞檢測問題的研究[D];北京工業(yè)大學;2015年

3 牛皓;基于網(wǎng)絡爬蟲的XSS漏洞檢測系統(tǒng)的研究與設計[D];北京郵電大學;2015年

4 趙艷;基于網(wǎng)絡爬蟲的跨站腳本漏洞動態(tài)檢測技術研究[D];西南交通大學;2011年

，

本文編號：2484308