
Journal of University of Chinese Academy of Sciences, 2011, Vol. 28, Issue (5): 668-675. DOI: 10.7523/j.issn.2095-6134.2011.5.015

• Paper •

A behavior-based client defense scheme against XSS

WANG Xia-Li, ZHANG Yu-Qing

  1. National Computer Network Intrusion Protection Center, Graduate University, Chinese Academy of Sciences, Beijing 100049, China
  • Received: 2010-09-07  Revised: 2010-11-07  Published: 2011-09-15
  • Funding: National Natural Science Foundation of China (60773135, 90718007, 60970140)

Abstract (translated from the Chinese):

Cross-site scripting (XSS) vulnerabilities are among the greatest threats to Web security. Current XSS defenses mainly filter user input on the server side; this approach has a high false-negative rate and cannot protect Internet users in time. Through an in-depth analysis of XSS attack behavior, especially the propagation behavior of XSS worms, a new behavior-based client-side XSS defense scheme, StopXSS, is designed and implemented. Experiments and a comparison with existing, commonly used client-side XSS defenses show that it can defend against XSS attacks and even against 0-day XSS worms.

Key words: Web security, JavaScript, cross-site scripting, XSS worm

Abstract:

The recent popularity of Web 2.0 applications has given rise to a large number of Web vulnerabilities, and XSS vulnerability is among the top security threats. In recent years, the occurrence of XSS worms has worsened the state of Web security. Existing XSS defense methods mainly depend on filtering users' inputs on the server side, which cannot protect the main victims of XSS attacks, the Internet users, in time. In this paper we focus on the analysis of XSS behavior, especially the propagation behavior of XSS worms, and propose a new client-side XSS defense method, StopXSS. The testing experiments show that our method can defend against XSS attacks effectively and can be used to detect even 0-Day XSS worms.

Key words: Web security, JavaScript, cross site scripting (XSS), XSS worm
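As an added illustration, not the paper's StopXSS code (the abstract does not give its mechanism), one behavior-based check a client-side monitor could apply to outgoing requests: flag a request whose body re-submits a script that is already running in the page, which is the self-replication step of an XSS worm. The helper names, the threshold and the sample page are constructed assumptions.

```javascript
// Added example (assumption): a pure-function sketch of a behavior-based
// client-side check. An XSS worm propagates by re-submitting a copy of the
// script already executing in the page as user-generated content.

// Collapse whitespace so reformatting between page and request does not hide a match.
function normalize(text) {
  return text.replace(/\s+/g, ' ').trim();
}

// Simplified extractor for inline script bodies in an HTML string (a real
// monitor would read document.scripts instead of parsing text).
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = normalize(m[1]);
    if (body.length > 0) scripts.push(body);
  }
  return scripts;
}

// Decode an application/x-www-form-urlencoded body; fall back to raw text on bad escapes.
function decodeFormBody(body) {
  try {
    return decodeURIComponent(body.replace(/\+/g, ' '));
  } catch (e) {
    return body;
  }
}

// True when the outgoing body carries a copy of a script already in the page.
// minLen (assumed value) avoids flagging trivial snippets such as "x=1".
function isSelfPropagating(pageHtml, requestBody, minLen = 40) {
  const outgoing = normalize(decodeFormBody(requestBody));
  return extractInlineScripts(pageHtml)
    .filter((s) => s.length >= minLen)
    .some((s) => outgoing.includes(s));
}

// Constructed sample: a profile page carrying a worm payload, plus two bodies
// the page might send. Neither is taken from the paper.
const PAGE = '<html><body><div id="about">hi</div><script>\n' +
  '  var x = new XMLHttpRequest();\n  x.open("POST", "/profile/update");\n' +
  '  x.send("about=" + encodeURIComponent(document.body.innerHTML));\n</script></body></html>';
const WORM_BODY = 'about=' + encodeURIComponent(PAGE.slice(PAGE.indexOf('<div')));
const BENIGN_BODY = 'about=' + encodeURIComponent('Just updated my profile <b>today</b>');
```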

CLC number: