
Research on Client-Side Defense Techniques against Cross-Site Scripting Attacks

Published: 2018-04-05 12:45

  Topic: cross-site scripting attacks    Angle: browser security    Source: Beijing Jiaotong University, 2014 master's thesis


[Abstract]: Cross-site scripting (XSS) is one of the most damaging and most common threats to Web applications today. It stems from a weak link in Web application security: insufficient filtering of user input. Fixing the XSS vulnerabilities in a Web application on the server side resolves the problem at its root, but because security patches ship slowly and the security awareness of system operators is often weak, many Web applications still do not fix their vulnerabilities in time, leaving users exposed to XSS while they use those applications. To give users an active defense against XSS, client-side countermeasures therefore deserve study.

The thesis makes four main contributions:

First, it surveys the security status of Web applications and analyses the security mechanisms the client already has and the risks it bears; these are the mechanisms an XSS attack must challenge and overcome.

Second, it classifies XSS attacks by how they arise and summarizes the characteristics of each type. It collects techniques for finding XSS vulnerabilities, including encoding tricks for XSS payloads and ways of bypassing defensive filters, and studies how XSS payloads are triggered in HTML pages.

Third, it builds a virtual blog system and, for cookie theft, XSS phishing, XSS worms and other attack forms, demonstrates each attack step by step with an example and verifies the damage it causes. Keystroke logging, access to the local clipboard and other attack forms are discussed briefly.

Finally, since the main aim of an XSS attack is to steal the user's sensitive information, and its behavioural signature is sending that information to a third party without the user's authorization, the thesis designs a new client-side defense. It relies mainly on dynamic taint tracking in the browser, supplemented by static taint analysis: taint tracking monitors how sensitive information in the current page is transmitted, and the user is warned when sensitive information is handled abnormally, which prevents the leakage of sensitive client data and effectively intercepts the attack. The method is implemented as the Firefox extension xssCleaner by extending the open-source SpiderMonkey JavaScript engine, which confirms its effectiveness and feasibility.
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08

[Cited by]

Related master's theses (1)

1 杨芮; Design and Implementation of a Web User Behaviour Data Collection and Statistics System [D]; Beijing Jiaotong University; 2015



Article ID: 1714772


Link: https://www.wllwen.com/guanlilunwen/ydhl/1714772.html


