
Author: 王建勳 (Chien-Hsun Wang)
Thesis Title: 跨網站攻擊的主從架構防禦機制 (A Client/Server Mechanism to against cross site scripting attack)
Advisor: 洪西進 (Shi-Jinn Horng)
Committee: 古鴻炎 (Hung-yan Gu), 蔡鴻旭 (Hung-Hsu Tsai), 江季翰 (Ji-Han Jiang)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Thesis Publication Year: 2012
Graduation Academic Year: 100 (ROC calendar)
Language: Chinese
Pages: 47
Keywords (in Chinese, translated): malicious JavaScript detection, web security, cross-site scripting
Keywords (in other languages): XSS, web application security, Malicious javascript

Abstract (Chinese, translated): With the spread of the Internet and the adoption of Web 2.0 technology, websites have become an important marketing channel for enterprises. Because web development cycles have shortened, program security is easily overlooked by developers, and input data is neither filtered nor considered thoroughly; web applications have therefore become targets for attackers, and among their vulnerabilities cross-site scripting (XSS) is a common attack method. Most XSS is carried out with JavaScript injected through user input, so in current XSS defense mechanisms, deciding whether user input is normal has become a key point of defense. This thesis proposes a simple detection mechanism built on cooperation between a server and a client: the website administrator only needs to install a simple scanning program on the server side, and XSS attacks can then be detected and blocked through the client's checking mechanism. The client checking mechanism can be placed in front of the server or on the client side, which greatly increases deployment flexibility and gives website administrators a simple and efficient defense mechanism.


Abstract (English): With the spread of the Internet and the adoption of Web 2.0 technology, the website has become one of the most important marketing tools. When web application development time is short, application security is more easily ignored than before. Input validation is often incomplete because developers do not consider it fully, and the web application becomes a target for attackers. The most common such attack is XSS (Cross-Site Scripting). Most XSS attacks inject malicious JavaScript through user input, so judging the user's input is the key point of defense. This thesis proposes a simple detection mechanism. We use a client/server architecture: the web administrator only installs a scanning program on the web server, and the client's checking process is used to detect and defend against XSS attacks. The client checking mechanism can be placed at the server site or the client site, so the defense can be deployed flexibly and provides easy and effective protection.

Table of Contents (translated):
Chinese Abstract
English Abstract
Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Research Background
  1.2 Research Motivation
  1.3 Thesis Organization
Chapter 2 Related Work
  2.1 Client-side Solutions
  2.2 Server-side Solutions
  2.3 Hybrid Client-side and Server-side Solutions
  2.4 Comparison and Discussion
Chapter 3 System Architecture and Research Method
  3.1 System Architecture
  3.2 Research Method
    3.2.1 Server-side Defense Mechanism
    3.2.2 Client-side Defense Mechanism
Chapter 4 Results and Analysis
  4.1 System Environment
  4.2 HTML Parsing and Attacking Sample Patterns
  4.3 Implementation
  4.4 Discussion
  4.5 Analysis
Chapter 5 Conclusion
References

