Research on the Analysis and Prevention of Web Front-End Security Problems
Published: 2019-06-25 14:14
[Abstract]: As the Web has developed, its security problems have grown increasingly serious. The Web front end, as the entry point of a Web application, is the weakest link in Web security defence and the part most easily attacked. Research into and prevention of Web front-end security problems is therefore urgent. This thesis first analyses in depth the three currently most important attack types (XSS attacks, CSRF attacks and UI hijacking), explaining in detail the working principle and the classification of each. Next, turning to the security of the W3C's new HTML5 standard, it studies the security problems introduced by HTML5's new attributes, new tags, new methods and the corresponding new features. Finally, the thesis sets out defence schemes against the three attack types in detail and, for the specific scenario of a network security management system, designs a new Web front-end defence model. The model is a hybrid defence mechanism for JSP that combines static analysis with dynamic interception: user input and requests are validated and intercepted on both the client and the server in blacklist mode, the dynamic content of JSP pages is marked and its features extracted, and an Nginx proxy server compares the features of the response page against those of the original JSP page in order to detect and block harmful attack content produced by JSP dynamic content. In testing, the model effectively defends against the various front-end attacks with clearly effective interception, a false-negative rate close to 0% and a false-positive rate of around 8.5%.
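The following is an added illustration written for this page; it is not the thesis's own code, whose implementation the abstract does not reproduce. It sketches the two mechanisms the abstract names: blacklist-mode validation of a user input value (as done on the client and server), and proxy-side feature comparison between an original JSP-style template and the page actually rendered from it, so that markup the template never contained is detected. The blacklist patterns, the feature definition (tag names plus event-handler and javascript: URL attributes) and the sample template and renderings are this example's own assumptions.

```javascript
// Added illustration, not the thesis's own code. The blacklist patterns and
// the feature definition below are assumptions made for this example.

// --- 1. Blacklist-mode validation of a user input value ---------------------
const BLACKLIST_PATTERNS = [
  /<\s*script\b/i,          // script tag
  /\bon[a-z]+\s*=/i,        // inline event-handler attribute, e.g. onerror=
  /javascript\s*:/i,        // javascript: URL scheme
];

// Returns the source of the first matching pattern, or null when the input is clean.
function matchBlacklist(input) {
  for (const re of BLACKLIST_PATTERNS) {
    if (re.test(input)) return re.source;
  }
  return null;
}

// --- 2. Feature extraction for a template or a rendered page ----------------
// Opening tags are enumerated with a simple regex; JSP expressions such as
// <%= user.name %> start with "<%" and are therefore not counted as tags.
function extractFeatures(html) {
  const tags = new Set();
  let activeAttributes = 0;
  const tagRe = /<\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    tags.add(m[1].toLowerCase());
    const attrs = m[2];
    if (/\bon[a-z]+\s*=/i.test(attrs)) activeAttributes += 1;
    if (/javascript\s*:/i.test(attrs)) activeAttributes += 1;
  }
  return { tags, activeAttributes };
}

// --- 3. Proxy-side comparison: rendered page vs. original template ---------
// Any tag name absent from the template, or any event-handler / javascript:
// attribute beyond what the template itself carries, is treated as injected
// dynamic content and the response is flagged.
function compareWithTemplate(templateHtml, renderedHtml) {
  const expected = extractFeatures(templateHtml);
  const actual = extractFeatures(renderedHtml);
  const unexpectedTags = [...actual.tags].filter((t) => !expected.tags.has(t));
  const extraActiveAttributes = Math.max(
    0,
    actual.activeAttributes - expected.activeAttributes,
  );
  return {
    clean: unexpectedTags.length === 0 && extraActiveAttributes === 0,
    unexpectedTags,
    extraActiveAttributes,
  };
}

// Constructed sample data: a JSP-style template and two renderings of it.
const TEMPLATE =
  '<div class="profile"><h2>Profile</h2>Hello, <%= user.name %></div>';
const RENDERED_BENIGN =
  '<div class="profile"><h2>Profile</h2>Hello, Alice</div>';
const RENDERED_INJECTED =
  '<div class="profile"><h2>Profile</h2>Hello, <img src=x onerror=handler()></div>';

console.log('blacklist hit on "Alice":', matchBlacklist('Alice'));
console.log('blacklist hit on injected value:',
  matchBlacklist('<img src=x onerror=handler()>'));
console.log('benign rendering:', compareWithTemplate(TEMPLATE, RENDERED_BENIGN));
console.log('injected rendering:', compareWithTemplate(TEMPLATE, RENDERED_INJECTED));
```

The regex heuristics are deliberately simple: an attribute value such as `one=1` would trip the handler pattern, and the tag regex does not understand comments or CDATA, so a real deployment would use an HTML parser and a richer feature set. The nonzero false-positive rate the abstract reports is consistent with this: blacklist-mode validation and template comparison are a detection layer, not a replacement for context-aware output encoding in the JSP pages themselves.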
[Degree-granting institution]: 北京邮电大学 (Beijing University of Posts and Telecommunications)
[Degree level]: Master's
[Year of degree award]: 2014
[Classification number]: TP393.08
Paper ID: 2505742
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2505742.html