| Author: | 徐偉峰 Wei-Feng Hsu |
|---|---|
| Thesis Title: | 基於跨網站攻擊而造成資訊洩漏的伺服器端防禦系統 (A server side solution to prevent information leakage by cross site scripting attack) |
| Advisor: | 洪西進 Shi-Jinn Horng |
| Committee: | 吳有基, 黃元欣, 楊士萱 |
| Degree: | 碩士 (Master) |
| Department: | 電資學院 - 資訊工程系 (Department of Computer Science and Information Engineering) |
| Thesis Publication Year: | 2011 |
| Graduation Academic Year: | 99 |
| Language: | 中文 (Chinese) |
| Pages: | 48 |
| Keywords (in Chinese): | 跨網站攻擊, 網頁安全, 資訊洩密, javascript |
| Keywords (in other languages): | XSS, web application security, information leakage, javascript |
| Reference times: | Clicks: 454, Downloads: 8 |
Abstract (translated from Chinese): In recent years web sites have offered increasingly rich content and dynamic web page techniques have been widely adopted, so the data users submit has become more and more varied. Not every web developer validates user input correctly, however, which is why cross-site scripting (XSS) has remained a major threat to network security: through an XSS attack, an attacker can steal a user's web sessions and even private data. To defend against XSS effectively, many defence systems require a separate client-side program to be installed, which makes deployment harder; and because malicious code comes in so many variants, most detection systems also fail to detect its many forms correctly. This thesis therefore proposes a server-side detection system: a web administrator only needs to apply a simple configuration to the web server to detect malicious code. This not only simplifies deployment, but the system also decodes encoded code and detects suspicious cross-site scripting attacks, providing an efficient defence mechanism.
Abstract (English): As web sites have come to provide users with rich content and dynamic web technologies are increasingly applied to web applications, the range of user input has widened in recent years. Unfortunately, not every web application developer monitors and validates user input correctly, and this is why XSS remains an important issue in Internet security: attackers steal user sessions as well as users' private data via XSS attacks. Most systems that defend against XSS require a client-side plug-in to be installed, which increases the complexity and difficulty of installation; furthermore, obfuscated malicious code, which takes many forms, cannot be fully and correctly detected by most security systems. This thesis therefore proposes a server-side detection system: web administrators simply need to configure their web servers, and the detection system starts working. It not only simplifies installation but also provides an efficient detection system that can decode obfuscated code and block suspicious XSS attacks.