Web安全与防护技术研究(论文14000字)
摘 要
近些年来,随着科技的进步,人们开始青睐无需安装的Web应用。自Web应用诞生以来,跨站脚本(Cascading Style Sheets,XSS)一直都是Web安全的重大威胁,XSS攻击是指通过在网页中嵌入可执行的代码进而获取用户的隐私信息或者使用户的浏览器奔溃等。在最新的非营利性组织开放式Web应用安全项目(OpenWebApplicationSecurityProject,OWASP)发布的十大Web应用安全漏洞列表中,XSS位列第二,说明了XSS的威胁之大及其破坏力之强。
此前,开发者们致力于通过各种方法防范XSS攻击以控制因此带来的损失,对于每一种不同形式的攻击代码都需要采用不同的应对方案。这种凌乱不统一的解决方式容易使得开发者在开发Web站点时未考虑到某一种攻击。
本文在基于前人的防御经验上,通过大量文献阅读以及大量实践来深入了解XSS攻击,并寻找三类XSS攻击的共同点,对如何更好的进行防御XSS攻击进行了总结,最后提出一个统一的XSS攻击防御方案。
本防御方案的主要思想是对URL以及无法信任的内容进行转义过滤,使其包含的无法信任的内容中的恶意代码失去执行力。本方案使用JavaScript语言进行实现,也能够非常方便的移植到其他语言,另外,本方案在实现时提供了自定义的过滤行为,开发者可自定义特殊字符的替换内容。
本方案通过枚举匹配的方式对可疑代码进行过滤。最后通过JavaScript语言以及NodeJS模拟攻击与防护场景,验证本方案的可行性。
在测试时,本方案对三种类型的XSS攻击分别在无防御、服务器端防御、浏览器度与服务器端到端防御状态下进行测试,并针对测试结果优化本方案,以最大程度的提高本方案的防御程度。
关键词:Web安全XSS防御
Web Security and Protective Technology Research
Zhuang Zhanji
(College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510642, China)
Abstract: Recently, with the advancement of technology, people have started to favor Web applications that don't need to be installed, meanwhile, Cross-site scripting (XSS) has been a major threat to Web security since the advent of Web applications, which refers to obtaining user's private information by embedding executable code in a web page or causing the user's browser to crash. In the latest non-profit organization Open Web Application Security Project (OWASP), XSS ranks the second in the list of the top ten Web Application Security vulnerabilities, which undoubtedly shows the great threat and destructive power of XSS.
Previously, developers focused on preventing XSS attacks in a variety of ways to control the resulting losses, who have had to respond differently to each form of attack code. This messy and inconsistent approach makes it easy for developers to develop Web sites without considering an attack.
Based on the predecessor's defense experience, this paper has a deep understanding of XSS attacks through reading a large amount of literature and doing a lot of practice, and seeks for the commonalities of the three types of XSS attacks. What’s more, it summarizes how to better defend against XSS attacks, and finally proposes a unified XSS attack defense program.
The main idea of this defense scheme is to escape the URL and untrusted content so as to make the malicious code in the untrusted content lose execution.The program is implemented in JavaScript language and can be easily ported to other languages. In addition, the implementation of this scheme provides a custom filter behavior, so developers can customize special character replacement content.
This scheme filters suspicious code by enumerating matches. Finally, the feasibility of this scheme is verified by the JavaScript and NodeJS simulation attack and protection scenarios.
During the test, the scheme tests three types of XSS attacks respectively in the state of no defense, server-side defense, browser degree and server-side defense, and optimizes the scheme according to the test results to maximize the defense degree of the scheme.
Keywords: Web Security XSS Attack Defense
目 录
1 前言 1
1.1 课题的研究背景 1
1.2 课题的研究内容 2
2 相关知识 4
2.1 Web攻击 4
2.1.1 Web攻击概述 4
2.1.2 SQL注入 4
2.1.3 XSS跨站脚本攻击 5
2.2 XSS攻击 5
2.2.1 XSS攻击概述 5
2.2.2 基于DOM的XSS攻击 6
2.2.3 反射型XSS攻击 8
2.2.4 存储型XSS攻击 9
2.3 URL 10
2.3.1 URL组成 10
2.3.2 URL格式分析 11
2.3.3 URL编码分析 12
2.4 本章小结 13
3 总体设计方案 14
3.1 针对基于DOM的XSS攻击 14
3.2 针对反射型XSS攻击 16
3.3 针对存储型XSS攻击 17
4 程序模拟实现 19
4.1 对URL进行过滤 19
4.2 对内容进行过滤 19
4.2.1 内容过滤方案 19
4.2.2 核心代码 22
5 程序测试结果 26
5.1 运行截图及说明 26
5.2 测试结果及说明 28
5.2.1 基于DOM的XSS攻防演示 28
5.2.2 反射型XSS攻防演示 29
5.2.3 存储型XSS攻防演示 31
6 结束语 33
参考文献 34
致谢 36
|
