National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Detailed record

Author: Yi-Shauin Zhou (周宜萱)
Title: Study on Client Side based Cross-site Scripting Prevention Mechanism Integrated with HTML5 and CORS Properties
Title (Chinese): 以客戶端為基礎並整合HTML5與CORS特性之跨站腳本攻擊防禦機制研究
Advisor: Chih-Hung Wang (王智弘)
Degree: Master's
Institution: National Chiayi University
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Academic year of graduation: 105 (ROC calendar, i.e. 2016-2017)
Language: Chinese
Pages: 61
Keywords (Chinese): 網路安全; 跨站攻擊; 跨資源存取分享協定; HTML5; 瀏覽器擴充套件
Keywords (English): Web security; cross-site scripting (XSS); cross-origin resource sharing (CORS); HTML5; browser extensions
Usage statistics:
  • Cited by: 1
  • Views: 178
  • Rating: (none)
  • Downloads: 27
  • Bookmarked: 0
Abstract:
Cross-site scripting (XSS) is one of the most common web attacks today. Although mounting an XSS attack requires little background knowledge, a single injected string can still cause serious information leakage for an ordinary user who receives no warning. Moreover, combining existing attack patterns with newer technologies such as HTML5 and Cross-Origin Resource Sharing (CORS) makes detection considerably harder.
This thesis aims to strengthen client-side XSS detection by taking the attack characteristics of HTML5 and CORS into account. The defence is implemented as a browser extension that applies rule-based filtering and integrates HTML5 and CORS properties. In addition, a composite pattern-matching evaluation module is proposed that inspects whether an intercepted request carries malicious intent.
In the experiments, the filtering modules were tuned against a set of frequently used attack patterns and then tested with the OWASP XSSer attack-generation tool. The results show that the approach reaches a high detection rate.
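The mechanism the abstract describes (intercept a request, run rule-based filters over its parameters, combine weak signals into a composite score, and check CORS properties of the response) in runnable form, as an added example that is not the thesis's own extension code. It assumes a Node.js or WebExtension-style environment in which the intercepted URL and the response headers are available as strings; the rule set, the weights, THRESHOLD, the finding names and every sample input are illustrative assumptions and not values taken from the thesis.

```javascript
// Added example for this record, not code from the thesis: a rule-based XSS
// check of the kind a browser extension could run over an intercepted request
// URL, plus a check of CORS response headers. Rule names, weights and
// THRESHOLD are illustrative assumptions, not values taken from the thesis.

// Bring a raw parameter value into the form the browser would see: bounded
// repeated percent-decoding (catches double encoding), numeric and named HTML
// entities, then removal of the control characters that HTML parsers skip
// inside tag names ("<scr\0ipt>"). Lower-cased so the rules can ignore case.
function normalize(value) {
  let s = String(value);
  for (let i = 0; i < 3; i++) {
    let d;
    try { d = decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { break; }
    if (d === s) break;
    s = d;
  }
  const cp = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
       .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
       .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
       .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
  return s.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '').toLowerCase();
}

// One rule = one signal. A rule whose weight reaches THRESHOLD flags a request
// on its own (single-format pattern); weaker signals only flag when several of
// them occur together (multi-format pattern), which the composite score below
// computes. Weights are assumed values chosen for this illustration.
const RULES = [
  { name: 'script-tag',     weight: 5, re: /<\s*\/?\s*script\b/ },
  { name: 'event-handler',  weight: 4, re: /[\s"'\/<]on[a-z]+\s*=/ },
  { name: 'javascript-uri', weight: 4, re: /javascript\s*:/ },
  { name: 'srcdoc-attr',    weight: 4, re: /\bsrcdoc\s*=/ },           // HTML5 <iframe srcdoc>
  { name: 'data-html-uri',  weight: 3, re: /data\s*:\s*text\/html/ },
  { name: 'autofocus',      weight: 2, re: /\bautofocus\b/ },          // HTML5 <input autofocus onfocus=...>
  { name: 'js-sink-call',   weight: 2, re: /\b(alert|prompt|confirm|eval|fetch|xmlhttprequest)\s*\(/ },
  { name: 'tag-open',       weight: 1, re: /<\s*[a-z!\/]/ },
  { name: 'context-break',  weight: 1, re: /["'`][^"'`]*[>;]/ },
];
const THRESHOLD = 4;

// Inspect every query parameter and the fragment (the usual DOM-based XSS
// source) of an intercepted URL. The score is the sum of the weights of the
// distinct rules that fired anywhere in the request: a repeated rule is not
// double-counted, but weak signals on different fields still compose.
function inspectRequest(urlString) {
  const url = new URL(urlString);
  const fields = [];
  for (const [name, value] of url.searchParams) fields.push(['query:' + name, value]);
  if (url.hash.length > 1) fields.push(['fragment', url.hash.slice(1)]);
  const hits = [];
  for (const [where, raw] of fields) {
    const text = normalize(raw);
    for (const rule of RULES) {
      if (rule.re.test(text)) hits.push({ where, rule: rule.name, weight: rule.weight });
    }
  }
  const seen = new Set();
  let score = 0;
  for (const h of hits) {
    if (!seen.has(h.rule)) { seen.add(h.rule); score += h.weight; }
  }
  return { flagged: score >= THRESHOLD, score, hits };
}

// Evaluate the CORS headers of a response to a request that carried
// `requestOrigin` in its Origin header. "*" together with credentials is
// rejected by browsers but still signals a misconfigured server; "null" can be
// obtained by any sandboxed iframe; an echoed origin plus credentials means the
// calling page can read the authenticated response, which is fine for a
// trusted origin and an exploit primitive for an untrusted one, so it is
// reported for review rather than decided here.
function checkCors(requestOrigin, headers) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = String(headers[k]).trim();
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const findings = [];
  if (acao === undefined) return findings;   // not a CORS response
  if (acao === '*') findings.push(creds ? 'wildcard-with-credentials' : 'wildcard-origin');
  if (acao === 'null') findings.push('null-origin-allowed');
  if (acao === requestOrigin && creds) findings.push('origin-reflected-with-credentials');
  return findings;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  // Constructed sample inputs, not data from the thesis.
  console.log(inspectRequest('https://app.example/search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'));
  console.log(inspectRequest('https://app.example/search?q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E'));
  console.log(inspectRequest('https://app.example/search?q=%3Cb%3Ebold%3C%2Fb%3E'));
  console.log(checkCors('https://attacker.example', {
    'Access-Control-Allow-Origin': 'https://attacker.example',
    'Access-Control-Allow-Credentials': 'true',
  }));
}
```

In a real extension `inspectRequest` would be called from a `webRequest.onBeforeRequest` listener and `checkCors` from `onHeadersReceived`; here both are pure functions so they can be run offline against the constructed inputs at the bottom. The scoring shows the trade-off any rule-based client-side filter has to make: a single strong rule such as `script-tag` or `event-handler` flags on its own, harmless markup like `<b>bold</b>` scores only 1 and is passed, and the HTML5 `data:text/html` vector is caught only because two weak signals compose. Double encoding, HTML entities and embedded NUL bytes are normalised away before matching, which is why regex rules applied to the raw URL alone are not enough.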
Abstract (Chinese)................................... i
Abstract............................................. ii
Acknowledgements..................................... iii
CONTENTS............................................. iv
LIST OF FIGURES...................................... vi
LIST OF TABLES....................................... vii
Chapter 1. Introduction............................... 1
1.1 Overview......................................... 1
1.2 Motivations...................................... 3
1.3 Contributions ................................... 4
1.4 Organization .................................... 5
Chapter 2. Related Works ............................. 6
2.1 Cross-Site Scripting Attacks .................... 6
2.1.1 Stored XSS .................................... 6
2.1.2 Reflected XSS ................................. 7
2.1.3 DOM-based XSS ................................. 8
2.2 Existing mechanism of XSS detection ............. 8
2.2.1 Server-side approaches ........................ 9
2.2.2 Proxy-based approaches ........................ 12
2.2.3 Client-side approaches ........................ 15
2.3 HTML5 ........................................... 19
2.3.1 HTML5 and XSS ................................. 19
2.3.2 Cross Origin Resource Sharing (CORS) .......... 20
Chapter 3. Implementation of Browser Extension ....... 23
3.1 System Architecture ............................. 23
3.1.1 Interceptor ................................... 24
3.1.2 Action processor .............................. 24
3.1.3 Reaction processor ............................ 25
3.2 Rule Set and Algorithm .......................... 25
3.2.1 Single-format attack patterns ................. 26
3.2.2 Multi-format attack patterns .................. 27
3.2.3 Vulnerable usage of HTML DOM detection ........ 29
3.2.4 CORS detection ................................ 30
3.2.5 Algorithm ..................................... 31
3.2.6 Rule-composition computation module ........... 35
Chapter 4. Extension Development and Experiments ..... 37
4.1 Environments .................................... 37
4.2 Kernel function flow and coding details ......... 38
4.3 Comparison and Evaluation ....................... 40
4.3.1 Comparison with other studies ................. 40
4.3.2 Comparison with built-in protection in browsers 42
4.3.3 CORS detection scenarios ...................... 43
4.3.4 Performance Evaluation ........................ 46
Chapter 5. Conclusions and Future work ............... 48
Reference ............................................ 49