跨站脚本攻击客户端防御技术研究

Client-side defense techniques of cross-site scripting attack

摘要: 跨站脚本攻击是当今Web应用领域危害最严重、最常见的威胁之一,本文设计了全新的跨站攻击防御方法,该方法以动态污点追踪为主,辅以静态污点分析,可有效阻止客户端敏感信息的泄露,实现了对跨站攻击的有效拦截。并通过对Javascript引擎Spidermonkey的扩展,在开源的Firefox上实现了基于该方法的插件xssCleaner,验证了防御方法的有效性。

Abstract: Cross-site scripting(XSS) attack was the most serious and common threat in Web applications today. This paper proposed a novel client-side approach, which combined the dynamic taint tracking with static analysis, to prevent XSS attacks. Based on this method, through extending Spidermonkey of Javascript, the plugin xssCleaner was implemented in open-source Firefox.