


Abstract
    In recent years, with the progress of technology, people have come to favour Web applications that need no installation. Since the birth of Web applications, Cross-Site Scripting (XSS) has been a major threat to Web security: an XSS attack embeds executable code in a web page in order to obtain a user's private information or to crash the user's browser, among other effects. In the latest list of the top ten Web application security vulnerabilities published by the non-profit Open Web Application Security Project (OWASP), XSS ranks second, which shows how great a threat XSS poses and how destructive it can be.



Web Security and Protective Technology Research
Zhuang Zhanji
(College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510642, China)
Abstract: Recently, with the advancement of technology, people have started to favor Web applications that do not need to be installed. Meanwhile, Cross-site scripting (XSS), which refers to obtaining users' private information or crashing the user's browser by embedding executable code in a web page, has been a major threat to Web security since the advent of Web applications. In the latest list of the top ten Web application security vulnerabilities published by the non-profit Open Web Application Security Project (OWASP), XSS ranks second, which clearly shows the great threat and destructive power of XSS.

    Previously, developers focused on preventing XSS attacks in a variety of ways to limit the resulting losses, and had to respond differently to each form of attack code. This messy and inconsistent approach makes it easy for developers to build Web sites without considering an attack at all.
    Building on the defensive experience of predecessors, this paper gains a deep understanding of XSS attacks through extensive reading of the literature and a large amount of practice, and seeks the commonalities among the three types of XSS attacks. It further summarizes how to better defend against XSS attacks and finally proposes a unified XSS defense scheme.
    The main idea of this defense scheme is to escape URLs and untrusted content so that malicious code in the untrusted content can no longer execute. The scheme is implemented in JavaScript and can be easily ported to other languages. In addition, the implementation provides customizable filter behavior, so developers can customize the replacement text for special characters.
    The scheme filters suspicious code by enumerating matches. Finally, the feasibility of the scheme is verified with simulated attack and protection scenarios written in JavaScript and NodeJS.
    During testing, each of the three types of XSS attack is exercised with no defense, with server-side defense, and with both browser-side and server-side defense, and the scheme is optimized according to the test results to maximize its defensive coverage.
Keywords: Web Security; XSS Attack; Defense
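The escaping idea described in the abstract, as an added JavaScript example that is not the thesis's own code: a filter built from a replacement table the caller can extend (the customizable filter behaviour mentioned above), plus URL handling that accepts only http(s) links and percent-encodes them. The `renderComment` helper and the comment data are assumptions for illustration.

```javascript
// Added example (not the thesis's code): escaping of untrusted content and URLs.
// Default replacement table for characters that change meaning in HTML.
const DEFAULT_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;'
};

// Build an escaper from a replacement table: defaults merged with caller overrides,
// so a developer can customise what each special character is replaced with.
function makeEscaper(overrides = {}) {
  const map = { ...DEFAULT_MAP, ...overrides };
  // Enumerate the characters to match; escape anything special inside a [...] class.
  const chars = Object.keys(map).map(c => c.replace(/[\\\]^-]/g, '\\$&')).join('');
  const re = new RegExp(`[${chars}]`, 'g');
  return (input) => String(input).replace(re, ch => map[ch]);
}

// Treat the value as a URL: require an absolute http(s) URL and re-serialise it
// through the URL parser so path and query are percent-encoded. Anything else
// (javascript:, data:, relative or unparsable input) becomes the fallback.
function safeUrl(value, fallback = 'about:blank') {
  let parsed;
  try { parsed = new URL(String(value).trim()); } catch { return fallback; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  return parsed.href;
}

// Hypothetical rendering step of a stored/reflected page: every untrusted piece is
// escaped for the context it lands in (href attribute vs. text node).
function renderComment(author, body, homepage, escape = makeEscaper()) {
  const href = escape(safeUrl(homepage));
  return `<p><a href="${href}">${escape(author)}</a>: ${escape(body)}</p>`;
}
```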


Contents
1  Introduction
1.1  Research background
1.2  Research content
2  Related knowledge
2.1  Web attacks
2.1.1  Overview of Web attacks
2.1.2  SQL injection
2.1.3  XSS cross-site scripting attacks
2.2  XSS attacks
2.2.1  Overview of XSS attacks
2.2.2  DOM-based XSS attacks
2.2.3  Reflected XSS attacks
2.2.4  Stored XSS attacks
2.3  URL
2.3.1  Components of a URL
2.3.2  URL format analysis
2.3.3  URL encoding analysis
2.4  Chapter summary
3  Overall design scheme
3.1  Against DOM-based XSS attacks
3.2  Against reflected XSS attacks
3.3  Against stored XSS attacks
4  Simulated program implementation
4.1  Filtering the URL
4.2  Filtering the content
4.2.1  Content filtering scheme
4.2.2  Core code
5  Program test results
5.1  Run screenshots and explanation
5.2  Test results and explanation
5.2.1  DOM-based XSS attack and defense demonstration
5.2.2  Reflected XSS attack and defense demonstration
5.2.3  Stored XSS attack and defense demonstration
6  Conclusion
References
Acknowledgements
