Client-side defense techniques of cross-site scripting attack
-
摘要: 跨站脚本攻击是当今Web应用领域危害最严重、最常见的威胁之一,本文设计了全新的跨站攻击防御方法,该方法以动态污点追踪为主,辅以静态污点分析,可有效阻止客户端敏感信息的泄露,实现了对跨站攻击的有效拦截。并通过对Javascript引擎Spidermonkey的扩展,在开源的Firefox上实现了基于该方法的插件xssCleaner,验证了防御方法的有效性。Abstract: Cross-site scripting(XSS) attack was the most serious and common threat in Web applications today. This paper proposed a novel client-side approach, which combined the dynamic taint tracking with static analysis, to prevent XSS attacks. Based on this method, through extending Spidermonkey of Javascript, the plugin xssCleaner was implemented in open-source Firefox.
-
Key words:
- cross-site scripting attack /
- browser security /
- dynamic taint tracking /
- static analysis
-
[1] Seixas N, Fonseca J, Vieira M, et al. Looking at web security vulnerabilities from the programming language perspective: a field study[C]. Software Reliability Engineering, 2009. ISSRE'09. 20th International Symposium on. IEEE, 2009: 129-135. [2] Hallaraker O, Vigna G. Detecting malicious javascript code in mozilla[C]. Engineering of Complex Computer Systems, 2005. ICECCS 2005. Proceedings. 10th IEEE International Conference on. IEEE, 2005: 85-94. [3] Kirda E, Kruegel C, Vigna G, et al. Noxes: a client-side solution for mitigating cross-site scripting attacks[C]. Proceedings of the 2006 ACM symposium on Applied computing. ACM, 2006: 330-337. [4] Denning D E. A lattice model of secure information flow[J]. Communications of the ACM, 1976, 19(5): 236-243. [5] Kodumal J, Aiken A. Banshee: A scalable constraint-based analysis toolkit[M]. Static Analysis. Springer Berlin Heidelberg, 2005: 218-234. [6] Huang Y W, Yu F, Hang C, et al. Securing web application code by static analysis and runtime protection[C]. Proceedings of the 13th international conference on World Wide Web. ACM, 2004: 40-52. [7] Shon Harris. CISSP All-in-One Exam Guide, Fifth Edition[M]. McGraw-Hill Osborne Media, 2010.
