Research and Implementation of XSS and CSRF Defense Based on Node.js
Published: 2018-03-29 23:23
Topic: Web applications. Angle: Node.js. Source: Xidian University, 2014 master's thesis
[Abstract]: More and more applications today rely on the Web as their platform and have evolved into a user-driven content Internet model. Web applications have become the most popular type of computer application, but as their popularity grows, security problems follow; cross-site scripting (XSS) and cross-site request forgery (CSRF) are the two most prevalent ways of attacking Web applications. Node.js, as an emerging Web application development platform, provides no XSS or CSRF defense for the Web applications developed and deployed on it. Starting from the Node.js execution model and taking the performance of Web applications developed and deployed on Node.js into account, this thesis designs and implements a defense system that provides XSS and CSRF protection for Node.js Web applications. The defense system provides its service by running in a Node.js child process; because it is highly decoupled, a Web application already developed and deployed on Node.js needs only minor code changes to enable it. The defense system consists of six modules: an XSS defense module, a CSRF defense module, a session management module, a log management module, a communication interface module and an initialization module. The XSS defense module is the core of the design, because the CSRF countermeasures can only work properly if the Web application has no XSS vulnerabilities. XSS defense proceeds in four steps: detection, parsing, filtering and output encoding. The data is first inspected to determine its type. The HTML parser designed and implemented in this thesis then parses HTML data, and during parsing a taint-marking algorithm marks the parsed HTML tags as tainted. Filtering has two parts, filtering of HTML tag attributes and filtering of HTML attribute values; to improve filtering efficiency, the whitelist and blacklist are stored in red-black trees, and string information entropy together with regular-expression matching of attack signatures is used to improve the accuracy of attribute value filtering. Finally, the taint marks are traced back to replace the affected parts of the original string with safe values, and the legitimate data is encoded for output. On top of the XSS defense, the CSRF defense module is implemented according to the Anti-CSRF Token strategy, and a Session module backed by a Redis database is implemented to provide session management for the Web application. Communication between the Web application and the defense system relies mainly on an IPC channel, with the Redis database also serving as a third-party data store so that data is exchanged through sharing. A test environment was built to test the defense system, covering both functional and performance tests. Analysis of the results shows that the defense system defends effectively against XSS and CSRF attacks and, while providing protection, does not significantly affect the response time of the Web application, meeting the performance requirements.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP311.52;TP393.09
Article ID: 1683330
Link: https://www.wllwen.com/guanlilunwen/ydhl/1683330.html