计算机工程 ›› 2018, Vol. 44 ›› Issue (10): 34-41.doi: 10.19678/j.issn.1000-3428.0051222

所属专题: 网络空间安全专题

• 网络空间安全专题 • 上一篇    下一篇

基于动态分析的XSS漏洞检测模型

谷家腾1,辛阳1,2   

  1. 1.北京邮电大学 网络空间安全学院,北京 100876; 2.贵州大学 贵州省公共大数据重点实验室,贵阳 550025
  • 收稿日期:2018-04-16 出版日期:2018-10-15 发布日期:2018-10-15
  • 作者简介:谷家腾(1993—),男,硕士研究生,主研方向为网络信息安全;辛阳,副教授。
  • 基金项目:

    贵州省科技重大专项(20183001);贵州省公共大数据重点实验室开放课题基金(2017BDKFJJ015)。

XSS Vulnerability Detection Model Based on Dynamic Analysis

GU Jiateng1,XIN Yang1,2   

  1. 1.College of Cyberspace Security,Beijing University of Posts and Telecommunications,Beijing 100876,China; 2.Key Lab of Public Big Data of Guizhou Province,Guizhou University,Guiyang 550025,China
  • Received:2018-04-16 Online:2018-10-15 Published:2018-10-15

摘要:

针对在XSS漏洞动态检测中降低漏报率时导致检测效率低下的问题,提出一种新的XSS漏洞检测模型。该模型分为载荷单元生成、绕过规则选择、试探载荷测试、载荷单元组合测试、载荷单元单独测试5个部分。根据载荷单元所在位置和功能类型的不同,将攻击载荷切割为不同类别的单元,并制定组合成完整攻击载荷的规则。使用探针载荷判断待检测点是否可能存在漏洞,运用组合测试和单独测试的方式将载荷单元与绕过规则的组合放入检测点测试,根据测试结果生成针对性的完整攻击载荷。实验结果表明,该模型使用较少的测试请求完成对较多攻击载荷的测试,在有效降低漏报率的同时,保持较高的检测效率。

关键词: 漏洞检测, XSS攻击, 动态分析, 黑盒测试, Web安全

Abstract:

Aiming at the problem of the failure rate and low detection efficiency in the XSS dynamic detection method,a new XSS vulnerability detection model is proposed.The model is divided into five parts:load cell generation,bypassing rule selection,exploratory load test,load unit combination test and load unit separate test.According to the location and function type of the load unit,the attack load is cut into different types of units,and the rules of combined attack load are formulated.The probe load is used to determine whether there is any vulnerabilities to be detected,it puts the payload unit and the bypassing rules into the detection point with combination test and separate test,and generates attack loads based on the test results.Experimental results show that this model uses fewer test requests to complete the test of more attack loads,and maintains a high detection efficiency while effectively reducing the failure rate.

Key words: vulnerability detection, XSS attack, dynamic analysis, black box test, Web security

中图分类号: