| 一种基于行为的XSS客户端防范方法 |
| |
| 作者姓名: | 王夏莉 张玉清 |
| |
| 作者单位: | 中国科学院研究生院国家计算机网络入侵防范中心, 北京 100049 |
| |
| 基金项目: | 国家自然科学基金(60773135, 90718007, 60970140)资助 |
| |
| 摘 要: | 跨站脚本(XSS)漏洞是Web安全的最大威胁之一.目前XSS防范方法主要为在服务端对用户输入进行过滤.这种方法漏报率较高,且不能及时保护互联网用户.通过对XSS攻击行为,尤其是XSS蠕虫的传播行为进行深入分析,设计并实现了一套新的基于行为的客户端XSS防范方案StopXSS.通过实验及与现有常用客户端XSS防范方案比较,证明其具有对XSS攻击,甚至对0-Day XSS蠕虫的防范能力.
|
| 关 键 词: | Web安全 JavaScript 跨站脚本 XSS蠕虫 |
| 收稿时间: | 2010-09-07 |
| 修稿时间: | 2010-11-07 |
A behavior-based client defense scheme against XSS |
| |
| Authors: | WANG Xia-Li ZHANG Yu-Qing |
| |
| Institution: | National Computer Network Intrusion Protection Center, Graduate University, Chinese Academy of Sciences, Beijing 100049, China |
| |
| Abstract: | Recent popularity of Web 2.0 application has given rise to a large number of Web vulnerabilities, and XSS vulnerability is among the top security threats. In recent years, the occurrence of XSS worms worsened the situation of Web security. Existing XSS defense methods mainly depend on filtering users’ inputs on the server side, which cannot protect in time the main victims of XSS attacks, the Internet users. In this paper we focus on the analysis of XSS behavior, especially the propagation behavior of XSS worms, and propose a new client-side XSS defense method, StopXSS. The testing experiments show that our method can defend against XSS attacks effectively and can be used to detect even 0-Day XSS worms. |
| |
| Keywords: | |
|
| 点击此处可从《》浏览原始摘要信息 |
| 点击此处可从《》下载免费的PDF全文 |
|
