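Design and Implementation of a Security Vulnerability Assessment Scheme for Web Clients

Published: 2018-03-14 12:00

  Topic: Web client  Angle: Web security  Source: Xidian University, 2014 master's thesis  Type: degree thesis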


[Abstract]: With the arrival of the Web 2.0 era, Internet users have gradually changed from receivers of information into its producers and disseminators as well. Powerful web applications for chat, social networking, shopping and similar purposes keep emerging, and web-based applications are becoming more and more widespread. However, while these applications make people's lives more convenient, they also carry many security risks, and massive amounts of users' personal private data are at risk of exposure at any time. Client-side vulnerabilities in all kinds of social networking sites now emerge one after another. Attackers can obtain private information or perform unauthorized operations without attacking the server, and the impact on users is no less than that of web back-end vulnerabilities and system vulnerabilities. Many developers and researchers have done a great deal of work on detecting and defending against these vulnerabilities. Moreover, because the network environment of the web client is complex and not under the developer's control, the number of client-side vulnerabilities is not to be underestimated. How to repair vulnerabilities efficiently and reasonably when many are discovered at once is therefore also a step that deserves attention, and this requires rating vulnerabilities by severity level. Current security vulnerability assessment work, whether quantitative or qualitative, targets general system vulnerabilities and aims to establish a universal standard for all information system security vulnerabilities. Web client vulnerabilities, however, have their own particularities: they mainly affect the security of the web client and often have no impact on the server side. Yet new web client vulnerabilities currently emerge endlessly and in great numbers, and in the web era they seriously affect the security of users' systems. For this reason, this thesis designs a vulnerability evaluation system specifically for web client vulnerabilities, in order to improve the efficiency of repairing them and to promote the security of web information systems. The main work and innovations of the thesis are as follows:

1. The main categories of web client vulnerabilities (XSS, CSRF and clickjacking) are analysed in depth, covering their causes and impact, and a set of assessment factors for these vulnerabilities is selected.
2. Evaluation metrics are formulated based on the actual characteristics of web client vulnerabilities, web client security vulnerabilities are classified by attribute, and an assessment scheme for web client vulnerabilities is designed.
3. An automated assessment tool is implemented based on the scheme, and the scheme is applied in practice to an existing vulnerability database, automatically assessing more than four thousand web client vulnerabilities. The experimental results show that the scheme is highly practical and effective.
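[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08

[Similar literature]

Related journal articles (top 1)

1 Zhang Xinyi (张新义); Principle and Practice of an Ajax-Based Real-Time Push Mechanism for Web Clients [J]; 科技信息 (Science & Technology Information); 2012, Issue 28

Related master's theses (top 1)

1 Zhang Hui (张慧); Design and Implementation of a Security Vulnerability Assessment Scheme for Web Clients [D]; Xidian University; 2014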




Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1611113.html

