Author: 吳其哲
Author (English): Chi-Che Wu
Title: 非程式化JavaScript跨網域資料安全交換協定
Title (English): A non-programming secure protocol for cross-domain JavaScript data communication
Advisor: 丁建文
Advisor (English): Jen-Wen Ding
Degree: Master's
Institution: 國立高雄應用科技大學 (National Kaohsiung University of Applied Sciences)
Department: 資訊管理系 (Department of Information Management)
Discipline: Computer science
Sub-discipline: General computer science
Document type: Academic thesis
Year of publication: 2012
Graduating academic year: 100 (ROC calendar)
Language: Chinese
Keywords (Chinese): cross-domain attacks; cross-domain data requests; web applications; postMessage; JSONP; YQL
Keywords (English): Post-Message
Record statistics:
  • Cited by: 2
  • Views: 1103
  • Downloads: 117
  • Bookmarked: 1
Chinese abstract (translated): In recent years, with the spread of the Internet and the rapid growth of mobile networks and smartphones, the paradigm of application use has shifted from native applications to web applications. Developers no longer need to build a separate application for each operating system version; likewise, users no longer need to install a large number of programs or worry about upgrading them. In other words, a user only needs to install a browser and open the URL of a web application to use all kinds of software services, for example Gmail, YouTube, Google Documents, Facebook, and so on.
With traditional native applications, users often have to worry about malware infection; web applications require no software installation, and so avoid the infections caused by accidentally installing malicious software. Web applications carry their own latent risks, however: if the developer's skills are immature, or the user accidentally visits a malicious site, attacks such as XSS, CSRF, SQL injection and session fixation are quite possible, and of these XSS and CSRF are the hardest to defend against. Although the current HTML5 draft standard proposes a new mechanism, postMessage, to address this problem, several studies have pointed out that it imposes an extra burden on programmers and easily leads to security vulnerabilities in practice. This thesis examines the advantages and disadvantages of the common cross-domain data access methods, such as JSONP, YQL and HTML5 postMessage, and proposes a new mechanism that effectively overcomes the drawbacks of the existing ones and prevents the common XSS and CSRF attacks. The thesis argues that this newly proposed secure communication protocol should in future be implemented by the browser, both to reduce the burden on programmers and to ensure the security of cross-domain data exchange.
Abstract (English): With the rapid development of the Internet, mobile networks, and smart phones, a new paradigm has formed: from native applications to web applications. With web applications, system developers need not develop different versions of software for different platforms, and users need not reinstall the new version of software. Instead, users need only a web browser and the URL of the web application to gain access to different software services, such as Gmail, YouTube, Google Documents, Facebook, etc.
With traditional native applications, users need to worry about computer viruses. For web applications, since the software is not installed on the client side, users need not worry about computer viruses. However, for web applications there is a potential risk that users may suffer from attacks like XSS, CSRF and SQL injection if they visit a poorly designed web site or a malicious one; in particular, it is difficult to prevent XSS and CSRF attacks. Although the draft of the newly proposed HTML5 standard has tried to solve this problem with a new mechanism, postMessage, a few studies have indicated that the postMessage mechanism imposes an extra burden on programmers, resulting in insecurity in practice. This thesis explores the advantages and disadvantages of commonly used cross-domain data communication methods for web applications, such as JSONP, YQL, and HTML5 postMessage, and then proposes a new protocol to avoid XSS and CSRF attacks without the drawbacks of these methods. In the proposed approach, we believe that it is best to implement the protocol inside the browser to reduce the extra burden imposed on programmers and to ensure the security of cross-domain data exchange.
Table of contents:
Chinese abstract
Abstract
Acknowledgements
Table of contents
List of tables
List of figures
Chapter 1. Introduction
Chapter 2. Literature review
  2.1 Active and passive attacks
    1. Active attacks
    2. Passive attacks
  2.2 The browser same-origin policy
  2.3 Common solutions for cross-domain data requests
    1. JSONP (JavaScript Object Notation with Padding)
    2. YQL (Yahoo! Query Language)
    3. HTML5 postMessage
Chapter 3. Drawbacks of native HTML5 postMessage
    1. Facebook's cross-domain communication protocol (postMessage)
    2. CSRF attacks exploiting the weakness
    3. XSS attacks exploiting the weakness
    4. User data theft exploiting the weakness
    5. Clickjacking attacks
Chapter 4. System architecture and design
  4.1 Research motivation
  3.2 Research objectives
  3.3 Experimental design
Chapter 5. Benefit evaluation
Chapter 6. Conclusion
Chapter 7. References