
Computer Engineering (计算机工程) ›› 2018, Vol. 44 ›› Issue (8): 167-173. doi: 10.19678/j.issn.1000-3428.0047650

• Security Technology •

An Automated Model for Discovering Cross-Site Scripting Vulnerabilities

MA Futian, QIAN Xuezhong, SONG Wei

  1. Engineering Research Center of Internet of Things Technology Applications, Ministry of Education, School of Internet of Things Engineering, Jiangnan University, Wuxi, Jiangsu 214122, China
  • Received: 2017-06-20 Online: 2018-08-15 Published: 2018-08-15
  • About the authors: MA Futian (b. 1992), male, master's student, main research interest: Web security; QIAN Xuezhong, associate professor, master's degree; SONG Wei, associate professor, PhD.
  • Funding:

    National Natural Science Foundation of China (61673193); Fundamental Research Funds for the Central Universities (JUSRP51510, JUSRP51635B).

An Automated Cross-site Scripting Loopholes Discovery Model

MA Futian, QIAN Xuezhong, SONG Wei

  1. Engineering Research Center of Internet of Things Technology Applications, Ministry of Education, School of Internet of Things Engineering, Jiangnan University, Wuxi, Jiangsu 214122, China
  • Received: 2017-06-20 Online: 2018-08-15 Published: 2018-08-15

Abstract (translated from the Chinese):

Cross-site scripting attacks pose a serious threat to Web applications; detecting them before an application is released effectively lowers the vulnerability risk. To address the missed reports and false alarms of existing dynamic cross-site scripting detection, a dynamic detection method is proposed. Based on a library of basic candidate elements for attack vectors and an initial seed library of attack vectors, the method automatically generates, during detection, effective attack vectors that match the type of the output point; according to the detection results at the current moment it adaptively adjusts the priority of the attack vectors; and once all injection points have been attacked, it traverses the whole site a second time to verify the vulnerabilities still to be discovered. Experimental results show that, compared with APPScan and WVS, the method finds more vulnerabilities.

Key words (translated from the Chinese): cross-site scripting, dynamic detection, static analysis, attack vector, legal vector

Abstract:

Cross-site Scripting (XSS) attacks pose serious threats to web applications. Detecting them before the application is released can effectively reduce the risk of vulnerabilities. Aiming at the problems in current cross-site scripting detection, such as missed reports and false alarms, a dynamic detection method is proposed. Based on the basic candidate element library of attack vectors and the initial attack vector seed library, effective attack vectors conforming to the output point type are automatically generated during the detection process. According to the detection result at the current moment, the priority of the attack vectors is adaptively adjusted; after all the injection point attacks have been performed, the method traverses the entire site a second time to check the vulnerabilities still to be discovered. Experimental results show that, compared with APPScan and WVS, this method can find more vulnerabilities.
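Two ideas in the abstract, choosing the check by the type of the output point and adjusting probe priority from the results seen so far, can be illustrated with a small pre-release encoding check. The following is an added example written for this page, not the paper's model or code: it reflects a harmless sentinel (a marker around the four context-breaking characters) into constructed HTML responses, classifies where the reflection landed (text node, attribute value, script string), reports only the characters that matter for that context and that came back unencoded, and keeps a per-context score so that the probe family that produced a finding is tried first at the next injection point of the same type. The marker, the response bodies and the probe family names are all constructed.

```python
"""Classify where a reflected sentinel lands and whether the output point encodes it.
Added illustration for this page, not the paper's code; all inputs are constructed."""
from __future__ import annotations
import html
import re

MARKER = "zq7x"            # constructed sentinel, unlikely to occur naturally in a page
PROBE_CHARS = "<>\"'"      # characters whose raw reflection lets input escape its context
PROBE = f"{MARKER}{PROBE_CHARS}{MARKER}"


def classify_output_point(body: str) -> str | None:
    """Return 'script', 'attribute' or 'text' for the first reflection of MARKER, or None."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    before = body[:idx].lower()
    if before.rfind("<script") > before.rfind("</script"):
        return "script"                       # inside an open <script> element
    if before.rfind("<") > before.rfind(">"):
        return "attribute"                    # inside a tag that has not been closed yet
    return "text"


def required_chars(body: str, ctx: str) -> set[str]:
    """Characters that must be neutralised at this output point for the input to stay inert."""
    before = body[: body.find(MARKER)]
    if ctx == "text":
        return {"<"}                          # only a new tag can change meaning in a text node
    start = before.lower().rfind("<script") if ctx == "script" else before.rfind("<")
    delim = max(before.rfind('"', start), before.rfind("'", start))
    if ctx == "script":                       # the string delimiter, plus '<' because </script> ends the block
        return {before[delim], "<"} if delim >= 0 else {"<"}
    return {before[delim]} if delim >= 0 else {">"}   # unquoted attribute: '>' ends the tag


def reflected_raw(body: str) -> set[str]:
    """Probe characters that came back unencoded between the two markers."""
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    return set(PROBE_CHARS) & set(m.group(1)) if m else set()


def assess(body: str) -> tuple[str | None, set[str]]:
    """(output point type, context-relevant characters reflected raw); an empty set means encoded."""
    ctx = classify_output_point(body)
    if ctx is None:
        return None, set()
    return ctx, reflected_raw(body) & required_chars(body, ctx)


class ProbeScheduler:
    """Adaptive priority per output-point type: a probe family that produced a finding is
    moved ahead of the others the next time an injection point of that type is met."""

    def __init__(self, families: list[str]):
        self.hits = {ctx: {f: 0 for f in families} for ctx in ("text", "attribute", "script")}

    def record(self, ctx: str, family: str, found: bool) -> None:
        if found:
            self.hits[ctx][family] += 1

    def order(self, ctx: str) -> list[str]:
        return sorted(self.hits[ctx], key=lambda f: -self.hits[ctx][f])   # stable: ties keep order


# Constructed responses standing in for four output points of a hypothetical site.
SAMPLE_RESPONSES = {
    "search_encoded": "<p>Results for: " + html.escape(PROBE) + "</p>",  # correctly encoded text node
    "search_raw": f"<p>Results for: {PROBE}</p>",                          # raw reflection in text node
    "attr_raw": f'<input type="text" value="{PROBE}">',                   # raw reflection in attribute
    "js_raw": f"<script>var q = '{PROBE}';</script>",                     # raw reflection in script string
}
FAMILY_FOR = {"text": "tag", "attribute": "attribute-break", "script": "string-break"}  # constructed names


def run_scan() -> dict[str, tuple[str | None, set[str]]]:
    """Assess every constructed response; used by the demo below."""
    return {name: assess(body) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    sched = ProbeScheduler(list(FAMILY_FOR.values()))
    for name, (ctx, leaked) in run_scan().items():
        sched.record(ctx, FAMILY_FOR[ctx], bool(leaked))
        print(f"{name:15s} context={ctx:9s} raw={sorted(leaked)} -> {'FINDING' if leaked else 'encoded'}")
    print("next order for attribute points:", sched.order("attribute"))
```

The check deliberately reports only characters that are dangerous in the context where the reflection landed: a raw `"` inside a text node is harmless, so counting it would be exactly the kind of false alarm the abstract is concerned with, while a raw `<` inside a script block is a finding even when the string delimiter itself is escaped.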

Key words: Cross-site Scripting(XSS), dynamic detection, static analysis, attack vector, legal vector
