Graduate student: 王思翰
Graduate student (English): Shi-Han Wang
Thesis title (Chinese): 合作式跨網站指令碼攻擊之防禦機制
Thesis title (English): Cooperative Defense Against XSS Attacks
Advisor: 田筱榮
Advisor (English): Hsiao-Rong Tyan
Degree: Master's
Institution: Chung Yuan Christian University (中原大學)
Department: Graduate Institute of Information Engineering (資訊工程研究所)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Publication year: 2009
Graduation academic year: 97 (ROC calendar)
Language: Chinese
Pages: 40
Chinese keywords: web security, web application firewall, cross-site scripting
English keywords: XSS, web application security, XSS worm
Usage statistics:
  • Citations: 1
  • Views: 390
  • Downloads: 0
Abstract (translated from Chinese):
Cross-site scripting (XSS), a long-standing attack, has always been a serious threat to web application security. In recent years especially, combined with the Web 2.0 information-sharing model, Ajax dynamic web technology and social networks, XSS attacks have evolved into a worm-like form with self-replicating capability: not only can a large number of client users be attacked within a short time, but the large volume of replication requests the victim clients generate toward the server also amounts to a distributed denial-of-service attack on it, so from the server's point of view the victims are also attackers. Traditional server-side XSS defenses based on input/output validation have difficulty stopping the spread of XSS worms, because input validation filters on signatures of malicious scripts, while XSS worms exploit how easily JavaScript can be transformed to evade the server-side signature detection. This thesis proposes a new cooperative defense architecture. On one hand, the server side, which has the technical capability and understands the characteristics of the web application service it provides, defines a security policy that helps the client user perform script security filtering in the browser; on the other hand, when the client browser detects an XSS attack, it reports the attack information to the server, and the server can automatically convert that information into web application firewall rules that prevent the download of the XSS attack script, cutting off the large-scale spread of the XSS worm and giving web developers ample time to patch the vulnerability in the web application source code. In this cooperative defense architecture the client installs a browser extension that hardens the browser, and the server installs a web application firewall that hardens the web server; the two sides cooperate to resist XSS attacks.
Abstract (English):
XSS attacks have long been recognized as a major threat to the security of web applications. With the emergence of Web 2.0, Ajax and social networking, recent XSS attacks are able to mount massive assaults within a short time through worm-like self-replication. Traditional defenses based on server-side input/output validation are not able to stop them from spreading.
In this thesis, we propose a novel cooperative defense mechanism that addresses the problem from both ends. At the client side, customized security policies supplied by the more knowledgeable web application provider assist client-side malicious-script filtering, protecting the client from being compromised by attacks. At the server side, the detection incidents reported by clients are automatically used to enhance the server-side output-filtering rules, which immediately stops the malicious scripts from spreading while a final fix for the vulnerability is still being developed.
Table of Contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Background
  1.2 Motivation
  1.3 Objective
  1.4 Thesis organization
Chapter 2 Background and Related Work
  2.1 Background
    2.1.1 JavaScript and Ajax
    2.1.2 Same-origin policy
    2.1.3 HTTP cookie
    2.1.4 Document Object Model
  2.2 Related work
    2.2.1 Client-side defense
    2.2.2 Server-side defense
    2.2.3 Cooperative server-side and client-side defense
  2.3 Discussion
Chapter 3 Cooperative Defense Mechanism Against XSS Attacks
  3.1 Classification of XSS attack techniques
    3.1.1 Reflected XSS
    3.1.2 DOM-based XSS
    3.1.3 Stored XSS
    3.1.4 XSS worm
  3.2 Attack flow against personalized information security in web applications
  3.3 Cooperative defense mechanism against XSS attacks
Chapter 4 Implementation and Discussion
  4.1 Implementation
  4.2 Discussion
Chapter 5 Conclusion and Future Work
References
Appendix A Client-side environment installation
Appendix B Server-side environment setup

List of Figures
Figure 2.1 Cookie contents
Figure 2.2 DOM model
Figure 3.1 Reflected XSS attack flow
Figure 3.2 DOM-based XSS attack flow
Figure 3.3 DOM-based XSS attack flow 2
Figure 3.4 Stored XSS attack flow
Figure 3.5 XSS worm attack flow
Figure 3.6 XSS worm source code analysis
Figure 3.7 Attack flow against personalized information security in web applications
Figure 3.8 Architecture of the cooperative defense mechanism
Figure 3.9 Flowchart of the cooperative defense mechanism
Figure 3.10 Server-side processing flow for vulnerability information
Figure 4.1 Client downloads the security policy
Figure 4.2 Client detects an XSS attack
Figure 4.3 Client asks whether to report the vulnerability information
Figure 4.4 Vulnerability information file reported by the client user
Figure 4.5 Running the rule conversion program and updating firewall rules
Figure 4.6 Contents of XSS.txt
Figure 4.7 Firewall rules after running the conversion program
Figure 4.8 Flowchart of defending against reflected XSS
Figure 4.9 Cookie-stealing script
Figure 4.10 Contents of the GreaseMonkey script
Figure 4.11 Flowchart of defending against stored XSS
Figure 4.12 Flowchart of defending against the XSS worm
Figure 4.13 Fragment of the Myspace worm source code
Figure 4.14 GreaseMonkey script

List of Tables
Table 2.1 Same-origin policy
Table 2.2 Comparison of related work
References
[1] CERT, "CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests", http://www.cert.org/advisories/CA-2000-02.html
[2] Jesse James Garrett, "Ajax: A New Approach to Web Applications", http://www.adaptivepath.com/ideas/essays/archives/000385.php
[3] MySpace, http://www.myspace.com
[4] Google Docs, http://docs.google.com
[5] OWASP, "Top 10 Web application vulnerabilities for 2007", http://www.owasp.org/index.php/Top_10_2007
[6] Samy, "I'm popular", http://namb.la/popular/, October 2005. Description of the MySpace worm by its author, including a technical explanation.
[7] Wayne Huang, "17-year-old: I made the Twitter XSS worm 'stalkdaily worm'" (in Chinese), 阿碼外傳 (Armorize blog), http://armorize-cht.blogspot.com/2009/04/xsstwitter-mikeyy.html
[8] RSnake, "XSS Worm Analysis And Defense", http://ha.ckers.org/xss-worm
[9] David Scott, Richard Sharp, "Abstracting application-level web security", 11th International World Wide Web Conference, 2002
[10] Engin Kirda, Christopher Kruegel, Giovanni Vigna, Nenad Jovanovic, "Noxes: a client-side solution for mitigating XSS attacks", Proceedings of the 2006 ACM Symposium on Applied Computing, 2006
[11] Trevor Jim, Nikhil Swamy, Michael Hicks, "BEEP: Browser-enforced embedded policies", 16th International World Wide Web Conference, 2007
[12] Amit Klein, "DOM Based Cross Site Scripting or XSS of the Third Kind", Web Application Security Consortium, retrieved 2008-05-28, http://www.webappsec.org/projects/articles/071105.shtml
[13] Wikipedia, "HTTP cookie", http://en.wikipedia.org/wiki/Http_cookie
[14] Jesse Ruderman, "The same origin policy", http://www.mozilla.org/projects/security/components/same-origin.html
[15] admin@cgisecurity.com, "The Cross Site Scripting FAQ", http://www.cgisecurity.com/articles/XSS-faq.shtml/
[16] Adam Judson, Tamper Data, http://tamperdata.mozdev.org/
[17] Giorgio Maone, NoScript, http://noscript.net/
[18] RSnake, "XSS (cross site scripting) cheat sheet. Esp: for filter evasion", http://ha.ckers.org/xss.html
[19] Mozilla Firefox, http://www.mozilla.org/
[20] Greasemonkey, http://www.greasespot.net/
[21] Apache HTTP Server, http://www.apache.org/
[22] MediaWiki, http://www.mediawiki.org
[23] Breach Security, ModSecurity, http://www.modsecurity.org/
[24] d0ubl3_h3lix, Greasemonkey::Malware Script Detector, http://sourceforge.net/projects/gmsd/#item3rd-3
[25] WhiteHat Security, "XSS Worms and Viruses: The Impending Threat and the Best Defense"
[26] Wikipedia, "Cross-site scripting", http://en.wikipedia.org/wiki/Cross-site_scripting
[27] Oystein Hallaraker, Giovanni Vigna, "Detecting Malicious JavaScript Code in Mozilla", 10th IEEE International Conference on Engineering of Complex Computer Systems, 2005
[28] X-Force, "MediaWiki useskin parameter cross-site scripting", http://xforce.iss.net/xforce/xfdb/45632
[29] W3C, "Document Object Model (DOM)", http://www.w3.org/DOM/
[30] VUPEN, "MediaWiki Vulnerabilities", http://www.vupen.com/english/product/2169
[31] Langy, "How to Fix a XSS Vulnerability in PHP Source", http://www.XSSed.com/article/17/Paper_How_to_Fix_a_XSS_Vulnerability_in_PHP_Source_Codes/
[32] Mark Pilgrim, "Dive Into Greasemonkey", http://diveintogreasemonkey.org/
[33] SPI Dynamics, "Web Application Security Assessment", SPI Dynamics whitepaper, 2003
[34] User script compiler, http://arantius.com/misc/greasemonkey/script-compiler
[35] Chris Shiflett, "Foiling Cross-Site Attacks", http://shiflett.org/articles/foiling-cross-site-attacks
[36] Jeremiah Grossman, "XSS Attacks: Cross-Site Scripting Exploits and Defense", Syngress, Burlington, Mass., 2007, ISBN 9781597491549
[37] CWE, "CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')", http://cwe.mitre.org/data/definitions/79.html
[38] Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, Chung-Hung Tsai, "Web application security assessment by fault injection and behavior monitoring", Proceedings of the 12th International World Wide Web Conference (WWW 2003), May 2003
[39] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, Sy-Yen Kuo, "Securing Web Application Code by Static Analysis and Runtime Protection", Proceedings of the 13th International World Wide Web Conference (WWW 2004), May 2004
[40] "Cross Site Scripting Info", http://httpd.apache.org/info/css-security/
[41] Joon S. Park, Ravi Sandhu, "Secure cookies on the Web", IEEE Internet Computing, 4(4):36–44, July/August 2000
[42] Wikipedia, "JavaScript" (Chinese edition), http://zh.wikipedia.org/wiki/Javascript
[43] Benjamin Livshits, Weidong Cui, "Spectator: Detection and containment of JavaScript worms", Proceedings of the 2008 USENIX Annual Technical Conference, pages 335–348, Boston, MA, USA, June 2008
[44] Thorsten Holz, Simon Marechal, Frederic Raynal, "New threats and attacks on the World Wide Web", IEEE Security & Privacy, vol. 4, no. 2, March–April 2006, pp. 72–75
[45] Robert Vamosi, "Twitter: A Growing Security Minefield", PC World, http://www.pcworld.com/article/168859/twitter_a_growing_security_minefield.html