基于分隔符的跨站脚本攻击防御方法
Cross Site Script Prevention Based on Delimiters

摘要 通过分析跨站脚本攻击的特性, 提出一种基于分隔符的跨站脚本攻击防御方法, 该方法适用于UTF-8编码的Web应用程序。首先, 仅对可信数据中的分隔符进行积极污点标记; 然后, 利用字符UTF-8编码值的转换轻量级完成污点标记, 该污点信息可随着字符串操作直接传播到结果页面; 最后, 根据结果页面中分隔符的污点信息及页面上下文分析, 检查脚本执行节点的合法性和脚本内容的可靠性, 精确地检测并防御跨站脚本攻击。针对PHP平台实现了原型系统XSSCleaner。实验证明, XSSCleaner可轻量级地完成污点分析, 并且能够对跨站脚本攻击进行精确防御, 页面生成的时间开销平均为12.9%。
Abstract The authors propose a practical and accurate cross site script prevention method based on delimiters for UTF-8 encoded web applications. Only trusted delimiters are tainted into corresponding UTF-8 shadow bytes, and these tainted shadow bytes are automatically propagated in web applications and can be directly delivered into output pages. Cross site script is prevented by analyzing the tainted delimiters and HTML context of output pages. A prototype called XSSCleaner is implemented on PHP. The evaluation shows that XSSCleaner can accurately protect web applications from real world cross site script attacks with an average overhead 12.9%.