Research on Cross-Site Scripting Attack Defense Based on Proxy

DOI: 10.12677/CSA.2019.96120, PP. 1061-1071

Keywords: XSS, Defense, Web Security


Abstract:

In the field of network security, cross-site scripting (XSS) has become one of the most serious security problems. Based on an in-depth study of XSS attack methods, this paper proposes a proxy-based XSS defense framework. The framework is deployed between the client and the server, where it intercepts the communication data between them and uses an algorithm to analyze and filter that data in depth, thereby defending effectively against XSS. Experiments show that the framework not only defends effectively against XSS attacks but also lets legitimate tags through, giving users a good browsing experience.
