發(fā)布時(shí)間：2019-05-07 05:31

【摘要】：近年來(lái),因Web應(yīng)用漏洞而引發(fā)的安全事件頻繁發(fā)生,Web應(yīng)用漏洞對(duì)網(wǎng)絡(luò)安全的威脅越來(lái)越大,跨站腳本(Cross Site Script,XSS)漏洞就是最為常見的Web應(yīng)用漏洞,攻擊者能夠利用跨站腳本漏洞對(duì)用戶進(jìn)行信息竊取,會(huì)話挾持、釣魚欺騙等攻擊。而現(xiàn)有的Web漏洞檢測(cè)方案及工具一般都不完善,存在著效率低、漏檢率高、誤報(bào)率高等各種缺陷。因此對(duì)于XSS漏洞的檢測(cè)與防御技術(shù)需要進(jìn)行進(jìn)一步的深入研究。設(shè)計(jì)一款高性能的XSS漏洞檢測(cè)系統(tǒng)有利于預(yù)防Web應(yīng)用的跨站腳本攻擊,減少Web安全事件的發(fā)生。在對(duì)XSS漏洞的利用過(guò)程以及現(xiàn)有的檢測(cè)技術(shù)深入學(xué)習(xí)研究的基礎(chǔ)上,詳細(xì)分析了漏洞檢測(cè)系統(tǒng)的需求,設(shè)計(jì)并實(shí)現(xiàn)了一種針對(duì)Web應(yīng)用中的跨站腳本漏洞檢測(cè)系統(tǒng)。該系統(tǒng)在現(xiàn)有Web漏洞檢測(cè)技術(shù)與檢測(cè)工具的基礎(chǔ)上,添加了驗(yàn)證碼識(shí)別功能,解決了檢測(cè)期間需要輸入驗(yàn)證碼后才可向服務(wù)器提交數(shù)據(jù)的問(wèn)題,并根據(jù)現(xiàn)有Web漏洞檢測(cè)工具的不足,對(duì)系統(tǒng)的網(wǎng)絡(luò)爬蟲進(jìn)行改進(jìn),同時(shí)根據(jù)服務(wù)器對(duì)于XSS代碼的過(guò)濾規(guī)則,構(gòu)造出更多能夠繞過(guò)服務(wù)器過(guò)濾的XSS代碼。測(cè)試結(jié)果表明,所構(gòu)建的系統(tǒng)具有低漏檢率、低誤報(bào)率并且改進(jìn)的網(wǎng)絡(luò)爬蟲具有較高的效率。通過(guò)添加驗(yàn)證碼識(shí)別功能和構(gòu)造可繞過(guò)服務(wù)器過(guò)濾規(guī)則的XSS代碼,能夠深度挖掘跨站腳本漏洞,降低系統(tǒng)的漏檢率。高效的、能夠準(zhǔn)確提取頁(yè)面交互點(diǎn)信息的網(wǎng)絡(luò)爬蟲提高了漏洞檢測(cè)的正確性和效率。
[Abstract]:In recent years, security events caused by Web application vulnerability occur frequently, and Web application vulnerability is more and more serious to network security. Cross-site script (Cross Site Script,XSS (cross-site script vulnerability) vulnerability is the most common Web application vulnerability. Attackers can exploit cross-site scripting vulnerabilities to exploit information theft, session hijacking, phishing spoofing and other attacks. But the existing Web vulnerability detection schemes and tools are generally not perfect, there are many defects such as low efficiency, high miss rate, high false alarm rate and so on. Therefore, the XSS vulnerability detection and defense technology needs to be further in-depth research. Designing a high-performance XSS vulnerability detection system is helpful to prevent cross-site scripting attacks of Web applications and reduce the occurrence of Web security events. Based on the in-depth study on the exploitation process of XSS vulnerability and the existing detection techniques, the requirements of the vulnerability detection system are analyzed in detail, and a cross-station script vulnerability detection system for Web applications is designed and implemented. Based on the existing Web vulnerability detection technology and detection tools, the system adds the function of authentication code recognition, which solves the problem that the data can be submitted to the server only after the authentication code is inputted during the detection period. According to the deficiency of the existing Web vulnerability detection tools, the network crawler of the system is improved, and more XSS codes that can bypass the server filtering are constructed according to the filtering rules of the server to the XSS code. The test results show that the proposed system has low miss detection rate, low false positive rate and high efficiency of the improved network crawler. By adding the authentication code recognition function and constructing the XSS code which can bypass the server filtering rules, the cross-station script vulnerability can be deeply excavated and the miss detection rate of the system can be reduced. An efficient web crawler that can accurately extract the information of page interaction points improves the correctness and efficiency of vulnerability detection.
【學(xué)位授予單位】：南京郵電大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2017
【分類號(hào)】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前10條

1 莫永華;于冰冰;;二維碼中XSS攻擊檢測(cè)系統(tǒng)的設(shè)計(jì)[J];現(xiàn)代計(jì)算機(jī)(專業(yè)版);2016年24期

2 王巖;程紹銀;蔣凡;;自動(dòng)化檢測(cè)Android應(yīng)用反射型跨站腳本漏洞的方法[J];計(jì)算機(jī)系統(tǒng)應(yīng)用;2015年07期

3 嚴(yán)磊;丁賓;姚志敏;馬勇男;鄭濤;;基于MD5去重樹的網(wǎng)絡(luò)爬蟲的設(shè)計(jì)與優(yōu)化[J];計(jì)算機(jī)應(yīng)用與軟件;2015年02期

4 杜雷;辛陽(yáng);;基于規(guī)則庫(kù)和網(wǎng)絡(luò)爬蟲的漏洞檢測(cè)技術(shù)研究與實(shí)現(xiàn)[J];信息網(wǎng)絡(luò)安全;2014年10期

5 劉奇旭;溫濤;聞?dòng)^行;;Flash跨站腳本漏洞挖掘技術(shù)研究[J];計(jì)算機(jī)研究與發(fā)展;2014年07期

6 尹龍;尹東;張榮;王德建;;一種扭曲粘連字符驗(yàn)證碼識(shí)別方法[J];模式識(shí)別與人工智能;2014年03期

7 曹文;郭帆;余敏;張磊;;基于哈希樹和有限狀態(tài)機(jī)的XSS檢測(cè)模型[J];計(jì)算機(jī)工程;2013年06期

8 陳景峰;王一丁;張玉清;劉奇旭;;存儲(chǔ)型XSS攻擊向量自動(dòng)化生成技術(shù)[J];中國(guó)科學(xué)院研究生院學(xué)報(bào);2012年06期

9 潘古兵;周彥暉;;基于靜態(tài)分析和動(dòng)態(tài)檢測(cè)的XSS漏洞發(fā)現(xiàn)[J];計(jì)算機(jī)科學(xué);2012年S1期

10 顏浩;蔣巍;蔣天發(fā);;SQLI和XSS漏洞檢測(cè)與防御技術(shù)研究[J];信息網(wǎng)絡(luò)安全;2011年12期

相關(guān)會(huì)議論文 前1條

1 李楠;谷利澤;鈕心忻;;用于XSS掃描的網(wǎng)絡(luò)爬蟲的設(shè)計(jì)與實(shí)現(xiàn)[A];2010年全國(guó)通信安全學(xué)術(shù)會(huì)議論文集[C];2010年

相關(guān)碩士學(xué)位論文 前1條

1 黃俊;基于指令集隨機(jī)化的XSS檢測(cè)系統(tǒng)研究[D];中國(guó)科學(xué)技術(shù)大學(xué);2014年

，

本文編號(hào)：2470807