【摘要】：隨著互聯(lián)網(wǎng)的快速發(fā)展,以個人為中心的開放式Web2.0站點開始逐漸占據(jù)各大網(wǎng)站,各種社交網(wǎng)絡(luò)、個人博客、開放式信息-平臺孕育而生。然而新技術(shù)的使用以及Web2.0網(wǎng)站數(shù)量的不斷增長,在為用戶帶來更好的互聯(lián)網(wǎng)體驗時也帶來了新的安全威脅,各種Web蠕蟲、惡意信息利用Web2.0網(wǎng)或站的開放性大肆傳播,嚴(yán)重危害著互聯(lián)網(wǎng)用戶的安全與隱私。因此,對Web2.0技術(shù)的安全性研究與防范具有重大意義。本文首先對Web2.0相關(guān)技術(shù)進(jìn)行了研究與總結(jié)并對這些技術(shù)的安全性進(jìn)行分析,主要包括能極大改善交互體驗的AJAX技術(shù)以及提高信息傳輸速度的HTTP壓縮技術(shù)。對于AJAX技術(shù),首先研究了主要原理,分析其中可能存在的安全隱患并與傳統(tǒng)Webl.0的交互方式進(jìn)行對比,總結(jié)兩者的優(yōu)缺點,結(jié)合目前出現(xiàn)Web攻擊,分析了 XSS、CSRF等多種攻擊基于AJAX技術(shù)的新改變。對于HTTP壓縮技術(shù),首先研究了目前Web常用的幾種壓縮算法,并對利用HTTP壓縮技術(shù)而新產(chǎn)生的Orcale攻擊、Breach攻擊進(jìn)行了研究與分析。經(jīng)過對以上技術(shù)的安全性分析,通過調(diào)研現(xiàn)有的XSS、CSRF防御方法,主要有基于黑白名單的防御方法和基于Token校驗的防御方法,在分析了這些防御的優(yōu)缺點以及新攻擊對這些方法產(chǎn)生威脅的基礎(chǔ)上,本文提出了一種針對Web2.0應(yīng)用的安全防御方案。該方案將基于特征匹配的輸入檢測以及富文本白名單輸出過濾相結(jié)合進(jìn)行XSS攻擊的防御,使用一種可逆加密算法將Token隨機化來防御與Breach攻擊結(jié)合的新型CSRF攻擊。通過實驗數(shù)據(jù)表明,該防御方案能有效的防御Web2.0應(yīng)用中頻繁出現(xiàn)的攻擊,防御效果相比傳統(tǒng)方案更加顯著。
[Abstract]:With the rapid development of the Internet, individual-centered open Web2.0 sites gradually occupy the major websites, various social networks, personal blogs, open information-platform gestation. However, the use of new technologies and the increasing number of Web2.0 websites also bring new security threats to users when they bring a better Internet experience. Various Web worms and malicious information take advantage of the openness of Web2.0 nets or stations to spread extensively. It seriously endangers the security and privacy of Internet users. Therefore, it is of great significance to study and prevent the security of Web2.0 technology. In this paper, Web2.0-related technologies are studied and summarized, and the security of these technologies is analyzed, including AJAX technology, which can greatly improve interactive experience, and HTTP compression technology, which can improve the speed of information transmission. For AJAX technology, the main principle is studied firstly, the possible security hidden danger is analyzed and compared with the traditional Webl.0, the advantages and disadvantages of the two are summarized, and combined with the Web attack at present, the XSS, is analyzed. Many attacks, such as CSRF, are based on new changes in AJAX technology. For HTTP compression technology, this paper first studies several compression algorithms commonly used in Web at present, and studies and analyzes the new Orcale attack and Breach attack which are generated by using HTTP compression technology. Through the security analysis of the above technologies, through the investigation of the existing XSS,CSRF defense methods, there are mainly black-and-white list-based defense methods and Token-based defense methods. Based on the analysis of the advantages and disadvantages of these defenses and the threat of new attacks to these methods, a security defense scheme for Web2.0 applications is proposed in this paper. This scheme combines feature matching-based input detection and rich text white list output filtering to defend against XSS attacks, and uses a reversible encryption algorithm to randomize Token against a new type of CSRF attack combined with Breach attacks. The experimental data show that this defense scheme can effectively defend against the frequent attacks in Web2.0 applications, and the defense effect is more significant than the traditional scheme.
【學(xué)位授予單位】：北京郵電大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2017
【分類號】：TP393.4

【參考文獻(xiàn)】

相關(guān)期刊論文 前10條

1 詹雄;郭昊;張，

本文編號：2465860