HTML5安全研究

发布时间：2018-03-06 04:08

本文选题：HTML　切入点：Web应用安全　出处：《计算机应用与软件》2013年03期 　论文类型：期刊论文

【摘要】：HTML5是目前富互联网应用(RIA)中最重要的技术之一。由于得到了业界厂商的大力支持,发展迅速,已经成为未来Web应用发展的事实标准。新技术的引用,在给用户提供丰富多彩互联网的同时,也引入了新的安全问题:CORS、XHR-LEVEL2等已经打破了浏览器原有的同源策略准则(SOP);Web Storage、Application Cache等新功能在增强客户端能力的同时,也提供了一些新型的客户端攻击机制;Web Workers、Web Socket等新特性则引入了新的滥用手段。在中国互联网上,越来越多的网站开始逐步采用HTML5技术,但在安全防护方面还存在众多弱点。与此同时,目前大多数Web应用扫描器都不具备检测HTML5安全问题的特性,这使得HTML5安全问题在安全评估与渗透测试过程中成为盲点。深入探讨HTML5新引入的安全威胁,通过对国内支持HTML5大型网站的测试发现了大量安全问题,并对现有Web应用扫描器对HTML5支持情况进行了调查分析,结果验证了国内互联网网站对于HTML5新形态安全威胁的脆弱性。
[Abstract]:HTML5 is one of the most important technologies in the Rich Internet Application (RIA). Because of the strong support and rapid development of the industry manufacturers, HTML5 has become the de facto standard for the development of Web applications in the future. In addition to providing users with rich and colorful Internet, we also introduce new security issues, such as: CORBA XHR-LEVEL2, which have broken the browser's original homology policy guidelines, such as SOP / Web Storage Application Cache and so on, while enhancing client capabilities. It also provides some new client-side attack mechanisms, such as web workers and web Socket, and introduces new means of abuse. On the Chinese Internet, more and more websites begin to adopt HTML5 technology step by step. At the same time, most Web application scanners do not have the ability to detect HTML5 security problems. This makes the HTML5 security problem become a blind spot in the process of security evaluation and penetration testing. The existing Web application scanners for HTML5 support are investigated and analyzed. The results verify the vulnerability of domestic Internet sites to the new form of HTML5 security threats.
【作者单位】：清华大学计算机科学与技术系;清华大学网络科学与网络空间研究院;
【基金】：国家自然科学基金项目(61003127) 国家重点基础研究发展计划项目(2009CB320505)
【分类号】：TP393.08

【相似文献】