Research on Cross-Site Scripting Attack and Prevention Methods (original title: 跨站脚本(XSS)攻击与防护方法研究)
DOI: 10.12677/CSA.2021.111020
Author: Wang Yadong, College of Information Science and Engineering, Xinjiang University, Urumqi, Xinjiang
Keywords: Cross-Site Scripting, Web Application Vulnerability, Prevention Methods
Abstract: Cross-site scripting (XSS) has appeared repeatedly in the OWASP (Open Web Application Security Project) Top 10 vulnerability list and is one of the most serious security hazards facing Web clients. To defend against XSS effectively, this paper proposes a protection method that combines client-side and server-side measures. On the client side, the method first determines whether the input is encoded text: if it is, the input is decoded and then passed through a blacklist filter; if it is not encoded, it is filtered directly. On the server side, an enforced output format restricts the form of any content written to the page, so that XSS payloads not covered by the blacklist are still contained. In addition, a local WAMP (Windows + Apache + MySQL + PHP) test environment was set up to simulate the XSS attack process and to verify the proposed protection method. The experimental results show that the proposed method defends against XSS attacks effectively and reasonably.
Citation: Wang, Y.D. (2021) Research on Cross-Site Scripting Attack and Prevention Methods. Computer Science and Application (计算机科学与应用), 11(1), 195-206. https://doi.org/10.12677/CSA.2021.111020
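The two-stage scheme the abstract describes, as an added example that is not the paper's own code (the paper's implementation is PHP on WAMP; this is a Python sketch). The encoding test, the decode-round bound, the blacklist patterns and the per-field output formats are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import unquote

# Stage 1 (client side, as in the abstract): decide whether the input is encoded
# and, if so, decode it before filtering, so an encoded payload is not compared
# against the blacklist in its encoded form.
MAX_DECODE_ROUNDS = 3  # assumption: bound for nested (double) encodings
ENCODED_MARKER = re.compile(r"%[0-9A-Fa-f]{2}|&#?\w+;")  # URL escapes or HTML entities

def is_encoded(s: str) -> bool:
    return ENCODED_MARKER.search(s) is not None

def normalize(s: str) -> str:
    """Decode URL and HTML-entity encoding until no encoding remains (or the bound is hit)."""
    for _ in range(MAX_DECODE_ROUNDS):
        if not is_encoded(s):
            break
        s = html.unescape(unquote(s))
    return s

# Illustrative blacklist of script-bearing fragments; a blacklist is a coarse,
# bypassable control, which is why the abstract pairs it with stage 2.
BLACKLIST = re.compile(r"<\s*script|javascript\s*:|on\w+\s*=|<\s*iframe", re.I)

def client_filter(s: str) -> bool:
    """True if the input passes the blacklist after normalization."""
    return BLACKLIST.search(normalize(s)) is None

# Stage 2 (server side, as in the abstract): force an output format per field so
# that whatever reaches the page is constrained regardless of what stage 1 missed.
FORMATS = {
    "user_id": re.compile(r"\d{1,10}"),          # digits only
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),  # allowlisted characters only
}

def render_field(name: str, value: str) -> str:
    """Return the value as it may be written into the page, or raise on a format violation."""
    fmt = FORMATS.get(name)
    if fmt is not None:
        if fmt.fullmatch(value) is None:
            raise ValueError(f"{name}: value does not match the required format")
        return value
    # Free-text fields have no structural format, so they are HTML-escaped and
    # can only ever render as text, never as markup.
    return html.escape(value, quote=True)
```

The decode-then-filter step is what lets the blacklist see `%3Cscript%3E` or `&lt;script&gt;` as `<script>`; the format stage is the layer that holds when the blacklist does not.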