Design and Implementation of a Gray-Box Detection Scheme for XSS Vulnerabilities
[Abstract]: The rapid development of Web applications has brought convenience to people's work and life, but also a growing number of security threats. Among them, cross-site scripting (XSS) is the most harmful. Attackers can exploit XSS vulnerabilities to control the target host, and can combine XSS with other attacks to go further, seriously threatening the security of users' private information and property. Detecting XSS vulnerabilities in Web applications efficiently is therefore particularly important. According to the analysis, the most effective way to detect this class of vulnerability is manual code audit, but that process is tedious and expensive. Most current automated detection techniques run black-box tests with a large number of attack payloads, but black-box testing cannot traverse all program logic, which leads to many missed vulnerabilities and low accuracy. Static code audit techniques are also poor at finding DOM XSS vulnerabilities, and their compatibility is insufficient. To solve these problems, and on the premise that the source code of the protected target website is available, this paper studies and designs the gray-box detection scheme "XSScan", which detects reflected, stored and DOM XSS vulnerabilities. The main results of the study are as follows:

1. For reflected and stored XSS, this paper uses compiler techniques to build the abstract syntax tree and the control flow graph of the source code, reviews every call to a sensitive function, and then traces and analyzes the data flow of the sensitive parameters of those functions. Finally, dynamic verification checks whether an XSS vulnerability exists. This approach can find all possible vulnerabilities at the root, and the dynamic black-box verification step reduces the system's false alarm rate, which significantly improves the efficiency of audit work.
2. For DOM XSS, the scheme uses the headless browser PhantomJS: while JavaScript is parsed and executed, a taint mark is propagated through JavaScript and the WebKit rendering engine, and every DOM output point is checked for output of the tainted data. This method greatly reduces the false alarm rate of DOM XSS detection and makes up for the shortcomings of the above gray-box scheme in detecting DOM XSS.

The "XSScan" detection system was implemented in code. The test results show that the "XSScan" system can detect XSS vulnerabilities in Web systems more efficiently and accurately. Compared with XSS detection tools of the same kind, operating efficiency is improved and the false alarm rate is also reduced to a certain extent.
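The static step of item 1 above (find calls to sensitive output functions in the syntax tree, then track data flow into their arguments across branches) is shown here as an added Python example; it is not XSScan's code. The analyzed language (Python) and the names `get_param`, `write_html` and `escape` are assumptions, and the returned list is the set of candidates that, in the scheme described, dynamic verification would then confirm or discard.

```python
import ast

SOURCES = {"get_param"}   # assumed name: returns request input
SINKS = {"write_html"}    # assumed name: sensitive function writing HTML
SANITIZERS = {"escape"}   # assumed name: HTML-encodes its argument

def call_name(node):  # name of a plain f(...) call, None for anything else
    return getattr(getattr(node, "func", None), "id", None)

def is_tainted(expr, tainted):  # can unsanitized source data reach expr?
    name = call_name(expr)
    if name in SANITIZERS or name in SOURCES:
        return name in SOURCES
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def scan_block(stmts, tainted):
    findings = []
    for st in stmts:
        if isinstance(st, ast.Assign):
            hot = is_tainted(st.value, tainted)
            for target in st.targets:
                if isinstance(target, ast.Name):
                    (tainted.add if hot else tainted.discard)(target.id)
        elif isinstance(st, ast.If):
            else_set = set(tainted)  # both branches start from the same state
            findings += scan_block(st.body, tainted) + scan_block(st.orelse, else_set)
            tainted |= else_set      # tainted on either path stays tainted
        elif isinstance(st, ast.Expr) and call_name(st.value) in SINKS:
            if any(is_tainted(arg, tainted) for arg in st.value.args):
                findings.append((st.lineno, call_name(st.value)))
    return findings

def find_candidates(source):  # (line, sink) pairs for dynamic verification
    funcs = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]
    return [hit for fn in funcs for hit in scan_block(fn.body, set())]

# Constructed sample handler, not taken from the thesis.
SAMPLE = '''\
def handler(req):
    name = get_param(req, "name")
    write_html("<p>" + name + "</p>")
    write_html("<p>" + escape(name) + "</p>")
    msg = "ok"
    if req.debug:
        msg = get_param(req, "msg")
    write_html(msg)
'''
```

`find_candidates(SAMPLE)` reports the sink calls on lines 3 and 8 of the sample and skips line 4, where the value passes through the sanitizer first.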
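[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08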
Article ID: 2484308
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2484308.html