Basic Search / Detailed Display

Author: 徐偉峰
Wei-Feng Hsu
Thesis Title: 基於跨網站攻擊而造成資訊洩漏的伺服器端防禦系統
A server side solution to prevent information leakage by cross site scripting attack
Advisor: 洪西進
Shi-Jinn Horng
Committee: 吳有基
Degree: 碩士
Department: 電資學院 - 資訊工程系
Department of Computer Science and Information Engineering
Thesis Publication Year: 2011
Graduation Academic Year: 99
Language: 中文
Pages: 48
Keywords (in Chinese): 跨網站攻擊網頁安全資訊洩密javascript
Keywords (in other languages): XSS, web application security, information leakage, javascript
Reference times: Clicks: 284Downloads: 8
School Collection Retrieve National Library Collection Retrieve Error Report
  • 近年來網站提供了越來越豐富的內容,動態網頁技術也被大量套用,因此使用者輸入的資料越來越多元,但並不是每一個網站開發者都能正確的檢查使用者輸入的資料,這也使得跨網站攻擊(Cross-site scripting)一直都是網路安全的重大威脅,透過XSS的攻擊,攻擊者能竊取使用者的web sessions,甚至是私密資料。為了要有效的防禦XSS攻擊,許多的防禦系統都需要另外安裝客戶端程式,但這會增加系統安裝的困難,又因為惡意程式碼的變化太多元,使得大部分的偵測系統亦不能正確的偵測到各種惡意程式碼。因此本論文提出了一套伺服器端的偵測系統,網站管理員只需要簡單的設定網頁伺服器,就能偵測惡意程式碼,不僅簡化了架設流程,也能對編碼過的程式碼做解碼並偵測出可疑的跨網站攻擊,提供有效率的防禦機制。

    With web sites providing users with rich and a great deal of information, and dynamic webs being also increasingly applied to web applications, there is a wide range of user input in recent years. Unfortunately, it is hard for every web application developer to monitor and validate users’ input data correctly, and this is the reason that XSS is always the important issue of internet security. Attackers steal user sessions as well as user private data via XSS attacks. In order to defend XSS attacks efficaciously, most of the defense systems mainly require client plug-in installation. It increases the complexity and difficulty of system installation, and furthermore the obfuscated malicious code that is multipurpose cannot be detected fully and correctly by most of the security systems. Therefore, this paper proposes a server side detection system, web administrators which simply need to configure web servers; likewise the detection system will start working. It not only simplifies the installation instruction but provides an efficiency detection system which can decode obfuscated code and strike suspicious XSS attacks.

    中文摘要 I 英文摘要 II 目次 III 圖目錄 V 表目錄 VII 表目錄 VII 第一章 緒論 1 1.1 研究背景 1 1.2 研究動機 2 1.3 論文架構 5 第二章 相關研究 6 2.1 CLIENT端的解決方案 6 2.2 SERVER端的解決方案 7 2.3 CLIENT端與SERVER端混合的解決方案 8 2.4 比較與討論 10 第三章 系統架構與研究方法 13 3.1 跨網站攻擊的手法分類 13 3.1.1 反射型XSS (REFLECTED XSS) 13 3.1.2 儲存型XSS (STORED XSS) 14 3.1.3 DOM BASED XSS 15 3.2 系統架構 16 3.3 資料庫系統 18 3.3.1 白名單 18 3.3.2 待查名單 19 3.4 研究方法 20 3.4.1 FILTER ENGINE 22 3.4.2 傳送資料偵測 23 3.4.3 讀取資料偵測 24 3.4.4 URLCRAWLER 25 3.4.5 JS-DETECTOR 26 第四章 研究結果與分析 28 4.1 系統環境 28 4.2 偵測JAVASCRIPT 28 4.3 實作 29 4.4 討論 31 4.5 分析 33 第五章 結論 38 參考文獻 39

    [1] WhiteHat Security. Website Security Statistics Report., 2011.
    [2] CERT/CC, “CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests”,, 2011.
    [3] The Open Web Application Security Project., 2011.
    [4] NoScript Firefox extension., 2011.
    [5] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A client-side solution for mitigating cross-site scripting attacks. In 21st ACM Symposium on Applied Computing (SAC), 2006
    [6] O. Hallaraker and G. Vigna. Detecting Malicious JavaScript Code in Mozilla. In Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems(ICECCS), 2005.
    [7] O.Ismaill,M.E.Youki,K.adobayashi, S.Yamaguch, A proposal and Implementation of Automatic Detection/Collection system for Cross-Site Scripting Vulnerability, 2004.
    [8] Ricca, F., Tonella, P. Analysis and Testing of Web Applications. In: Proceedings of the 23rd IEEE International Conference on Software Engineering (Toronto, Ontario, Canada, May 2001), 25 –34.
    [9] Benedikt M., Freire J., Godefroid P., VeriWeb: Automatically Testing Dynamic Web Sites. In: Proceedings of the 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002).
    [10] IBM Rational AppScan, , 2011.
    [11] HP WebInspect,, 2011.
    [12] DOM XSS Scanner,, 2011.
    [13] Huang, Y. W., Huang, S. K., Lin, T. P., Tsai, C. H. “Web Application Security Assessment by Fault Injection and Behavior Monitoring.” In Proc. 12th Int’l World Wide Web Conference, p.148-159, Budapest, Hungary , 2003.
    [14] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In IEEE Symposium on Security and Privacy, 2006.
    [15] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In IEEE Security and Privacy Symposium, 2008.
    [16] Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In 15th USENIX Security Symposium, 2006.
    [17] Z. Su and G.Wassermann. The Essence of Command Injection Attacks in Web Applications. In Symposium on Principles of Programming Languages, 2006.
    [18] G. D. Lucca, A. Fasolino, M. Mastoianni, and P. Tramontana. Identifying cross site scripting vulnerabilities in web applications. In Sixth IEEE International Workshop on Web Site Evolution (WSE), 2004.
    [19] Y.W. Huang, S.K. Huang, T.P. Lin, C.H. Tsai, Securing Web application code by static analysis and runtime protection, in: Proceedings of the 13th International World Wide Web Conference, New York, May 17–22, 2004.
    [20] D. Scott, and R. Sharp, Specifying and enforcing application-level web security policies, IEEE Knowledge Data Engineering, vol. 15, no. 4, pp. 771–783, 2003.
    [21] T. Jim and N. Swamy and M. Hicks. “BEEP: browser- enforced embedded policies,” the 16th International World Wide Web Conference, Banff, 2007, pp. 601-610.
    [22] Alexander Yip, Neha Narula, Maxwell Krohn, and Robert Morris. Privacy-Preserving Browser-Side Scripting With BFlow. 2009.
    [23] M. V. Gundy and H. Chen. Noncespaces: Using randomization to enforce information flow tracking and thwart cross site scripting attacks. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), 2009.
    [24] S. Aljawarneh, F. Alkhateeb and E. Al Maghayreh. "A Semantic Data Validation Service for Web Applications" in Journal of Theoretical and Applied Electronic Commerce Research Volume 5, Issue 1, 2010, Pages 39-55.
    [25] RFC2616,, 2011.
    [26] Caffeine Monkey,, 2011.
    [27] JavaScript engine,, 2011.
    [28] SpiderMonkey,, 2011.
    [29] IBM Internet Security Systems X-ForceR2008 Mid-Year Trend Statistics,, 2011.
    [30] Yellowpipe Internet Services,, 2011.
    [31] malwareguru script to pack,, 2011.
    [32] Audit my PC HTML Encoder,, 2011.
    [33] VirtualBox,, 2011.
    [34] Apache module mod_ext_filter,, 2011.
    [35] XSS Cheat Sheet,, 2011.
    [36] Phpbb,, 2011.
    [37] WordPress,, 2011.
    [38] Wireshark,, 2011
    [39] Peter Wurzinger, Christian Platzer, Christian Ludl, Engin Kirda, and Christopher Kruegel, Mitigating XSS Attacks using a Reverse Proxy, 2009.