發(fā)布時間：2019-05-07 05:31

【摘要】：近年來,因Web應(yīng)用漏洞而引發(fā)的安全事件頻繁發(fā)生,Web應(yīng)用漏洞對網(wǎng)絡(luò)安全的威脅越來越大,跨站腳本(Cross Site Script,XSS)漏洞就是最為常見的Web應(yīng)用漏洞,攻擊者能夠利用跨站腳本漏洞對用戶進行信息竊取,會話挾持、釣魚欺騙等攻擊。而現(xiàn)有的Web漏洞檢測方案及工具一般都不完善,存在著效率低、漏檢率高、誤報率高等各種缺陷。因此對于XSS漏洞的檢測與防御技術(shù)需要進行進一步的深入研究。設(shè)計一款高性能的XSS漏洞檢測系統(tǒng)有利于預防Web應(yīng)用的跨站腳本攻擊,減少Web安全事件的發(fā)生。在對XSS漏洞的利用過程以及現(xiàn)有的檢測技術(shù)深入學習研究的基礎(chǔ)上,詳細分析了漏洞檢測系統(tǒng)的需求,設(shè)計并實現(xiàn)了一種針對Web應(yīng)用中的跨站腳本漏洞檢測系統(tǒng)。該系統(tǒng)在現(xiàn)有Web漏洞檢測技術(shù)與檢測工具的基礎(chǔ)上,添加了驗證碼識別功能,解決了檢測期間需要輸入驗證碼后才可向服務(wù)器提交數(shù)據(jù)的問題,并根據(jù)現(xiàn)有Web漏洞檢測工具的不足,對系統(tǒng)的網(wǎng)絡(luò)爬蟲進行改進,同時根據(jù)服務(wù)器對于XSS代碼的過濾規(guī)則,構(gòu)造出更多能夠繞過服務(wù)器過濾的XSS代碼。測試結(jié)果表明,所構(gòu)建的系統(tǒng)具有低漏檢率、低誤報率并且改進的網(wǎng)絡(luò)爬蟲具有較高的效率。通過添加驗證碼識別功能和構(gòu)造可繞過服務(wù)器過濾規(guī)則的XSS代碼,能夠深度挖掘跨站腳本漏洞,降低系統(tǒng)的漏檢率。高效的、能夠準確提取頁面交互點信息的網(wǎng)絡(luò)爬蟲提高了漏洞檢測的正確性和效率。
[Abstract]:In recent years, security events caused by Web application vulnerability occur frequently, and Web application vulnerability is more and more serious to network security. Cross-site script (Cross Site Script,XSS (cross-site script vulnerability) vulnerability is the most common Web application vulnerability. Attackers can exploit cross-site scripting vulnerabilities to exploit information theft, session hijacking, phishing spoofing and other attacks. But the existing Web vulnerability detection schemes and tools are generally not perfect, there are many defects such as low efficiency, high miss rate, high false alarm rate and so on. Therefore, the XSS vulnerability detection and defense technology needs to be further in-depth research. Designing a high-performance XSS vulnerability detection system is helpful to prevent cross-site scripting attacks of Web applications and reduce the occurrence of Web security events. Based on the in-depth study on the exploitation process of XSS vulnerability and the existing detection techniques, the requirements of the vulnerability detection system are analyzed in detail, and a cross-station script vulnerability detection system for Web applications is designed and implemented. Based on the existing Web vulnerability detection technology and detection tools, the system adds the function of authentication code recognition, which solves the problem that the data can be submitted to the server only after the authentication code is inputted during the detection period. According to the deficiency of the existing Web vulnerability detection tools, the network crawler of the system is improved, and more XSS codes that can bypass the server filtering are constructed according to the filtering rules of the server to the XSS code. The test results show that the proposed system has low miss detection rate, low false positive rate and high efficiency of the improved network crawler. By adding the authentication code recognition function and constructing the XSS code which can bypass the server filtering rules, the cross-station script vulnerability can be deeply excavated and the miss detection rate of the system can be reduced. An efficient web crawler that can accurately extract the information of page interaction points improves the correctness and efficiency of vulnerability detection.
【學位授予單位】：南京郵電大學
【學位級別】：碩士
【學位授予年份】：2017
【分類號】：TP393.08

【參考文獻】

相關(guān)期刊論文 前10條

1 莫永華;于冰冰;;二維碼中XSS攻擊檢測系統(tǒng)的設(shè)計[J];現(xiàn)代計算機(專業(yè)版);2016年24期

2 王巖;程紹銀;蔣凡;;自動化檢測Android應(yīng)用反射型跨站腳本漏洞的方法[J];計算機系統(tǒng)應(yīng)用;2015年07期

3 嚴磊;丁賓;姚志敏;馬勇男;鄭濤;;基于MD5去重樹的網(wǎng)絡(luò)爬蟲的設(shè)計與優(yōu)化[J];計算機應(yīng)用與軟件;2015年02期

4 杜雷;辛陽;;基于規(guī)則庫和網(wǎng)絡(luò)爬蟲的漏洞檢測技術(shù)研究與實現(xiàn)[J];信息網(wǎng)絡(luò)安全;2014年10期

5 劉奇旭;溫濤;聞觀行;;Flash跨站腳本漏洞挖掘技術(shù)研究[J];計算機研究與發(fā)展;2014年07期

6 尹龍;尹東;張榮;王德建;;一種扭曲粘連字符驗證碼識別方法[J];模式識別與人工智能;2014年03期

7 曹文;郭帆;余敏;張磊;;基于哈希樹和有限狀態(tài)機的XSS檢測模型[J];計算機工程;2013年06期

8 陳景峰;王一丁;張玉清;劉奇旭;;存儲型XSS攻擊向量自動化生成技術(shù)[J];中國科學院研究生院學報;2012年06期

9 潘古兵;周彥暉;;基于靜態(tài)分析和動態(tài)檢測的XSS漏洞發(fā)現(xiàn)[J];計算機科學;2012年S1期

10 顏浩;蔣巍;蔣天發(fā);;SQLI和XSS漏洞檢測與防御技術(shù)研究[J];信息網(wǎng)絡(luò)安全;2011年12期

相關(guān)會議論文 前1條

1 李楠;谷利澤;鈕心忻;;用于XSS掃描的網(wǎng)絡(luò)爬蟲的設(shè)計與實現(xiàn)[A];2010年全國通信安全學術(shù)會議論文集[C];2010年

相關(guān)碩士學位論文 前1條

1 黃俊;基于指令集隨機化的XSS檢測系統(tǒng)研究[D];中國科學技術(shù)大學;2014年

，

本文編號：2470807