XSS漏洞研究综述

信息安全研究 ›› 2016, Vol. 2 ›› Issue (12): 1068-1080.

XSS漏洞研究综述

孙伟

中山大学信息科学技术学院

收稿日期:2016-12-26 出版日期:2016-12-15 发布日期:2016-12-26
通讯作者: 孙伟
作者简介:教授，博士生导师，主要研究方向为网络安全和多媒体技术. sunwei@mail.sysu.edu.cn

A Review on Cross-Site Scripting

Sun Wei

School of Information Science and Technology, Sun Yatsen University

Received:2016-12-26 Online:2016-12-15 Published:2016-12-26
Contact: Sun Wei

摘要/Abstract

摘要： 跨站脚本(cross-site scripting, XSS)是一种常见的针对Web应用程序安全漏洞的攻击．恶意用户利用漏洞将恶意脚本注入网页之中，当用户浏览该网页时，便会触发脚本，导致攻击行为发生．由于HTML编码方案的高度灵活性，攻击者可通过多种方法绕过输入验证过滤器，导致XSS难以被发现和预防．为了有效减少XSS造成的危害损失，依照XSS的分类，对反射型XSS、存储型XSS和基于DOM的XSS特征及原理进行了细致的分析和对比，并对数量庞大、形态各异的XSS攻击向量进行归纳和梳理，通过举例对Cookie窃取、会话劫持、钓鱼欺骗等XSS常见利用方式进行说明，并对常用的XSS防御手段进行整理，最后对静态分析、动态分析、机器学习等主流的XSS漏洞自动化检测方法进行总结.

关键词: Web安全, 跨站脚本, 攻击向量, 漏洞利用, 漏洞检测方法

Abstract: XSS(cross-site scripting) is a type of computer security vulnerability typically found in Web applications. Attackers usually inject malicious scripts into Web pages viewed by other users, and expect the script to be executed. Because of the high flexibility of HTML encoding schemes offering the attacker many possibilities for circumventing input filters, XSS attacks are difficult to detect and prevent. In order to make effective prevention for XSS vulnerabilities, firstly we carefully analyzed and compared the characteristics and principles of Reflected XSS, Stored XSS and DOM-based XSS, then combed the large number of XSS attack vectors with different shapes, and illustrated the common use of XSS vulnerabilities, such as stealing, session hijacking and phishing. Finally, we sorted out the basic means of defense XSS, and summarized the main methods of automatic XSS vulnerability detection including static analysis, dynamic analysis and machine learning.

Key words: Web security, XSS(cross-site scripting), attack vectors, exploit, vulnerability detection methods

孙伟. XSS漏洞研究综述[J]. 信息安全研究, 2016, 2(12): 1068-1080.

Sun Wei. A Review on Cross-Site Scripting[J]. Journal of Information Security Research, 2016, 2(12): 1068-1080.

参考文献

［1］Garg A, Singh S. A review on Web application security vulnerabilities［J］. International Journal, 2013, 3(1): 222226［2］Antunes N, Vieira M. Defending against Web application vulnerabilities［J］. Computer, 2012, 45(2): 6672［3］中国信息安全测评中心. 中国国家信息安全漏洞库漏洞统计［DBOL］. ［20160701］. http: www.cnnvd.org.cnvulnerabilitystatistics［4］Williams J, Wichers D. OWASP top 10, the ten most critical Web application security risks［R］. New York: The Open Web Application Security Project, 2013［5］OWASP. OWASP top ten project［EBOL］. (20130623) ［20160914］. https:www.owasp.org index.phpCategory:OWASP_Top_Ten_Project［6］邱永华. XSS跨站脚本攻击剖析与防御［M］. 北京: 人民邮电出版社, 2013［7］Malviya V K, Saurav S, Gupta A. On security issues in Web applications through cross site scripting (XSS)［C］ Proc of the 20th AsiaPacific Software Engineering Conf. Piscataway, NJ: IEEE, 2013: 583588［8］Klein A. DOM based cross site scripting or XSS of the third kind［EBOL］. (20050407) ［20160910］. http:www.webappsec.orgprojectsarticles071105.shtml［9］Pan Jinkun, Mao Xiaoguang, Li Weishi. Taint inference for crosssite scripting in context of URL rewriting and HTML sanitization［J］. ETRI Journal, 2016, 38(2): 376386［10］OWASP. XSS (cross site scripting) prevention cheat sheet［EBOL］. ［20160327］. https:www.owasp.orgindex.phpXSS_(Cross_Site_Scripting)［11］Shar L K, Tan H B K. Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns［J］. Information and Software Technology, 2013, 55(10): 17671780［12］Kirda E, Jovanovic N, Kruegel C, et al. Clientside crosssite scripting protection［J］. Computers & Security, 2009, 28(7): 592604［13］OWASP. DOM based XSS prevention cheat sheet［EBOL］. ［20160908］. https:www.owasp.orgindex.phpDOM_based_XSS_Prevention_Cheat_Sheet［14］Van Gundy M, Chen H. Noncespaces: Using randomization to defeat crosssite scripting attacks ［J］. Computers & Security, 2012, 31(4): 612628［15］Shar L K, Tan H B K. Automated removal of cross site scripting vulnerabilities in Web applications［J］. Information and Software Technology, 2012, 54(5): 467478［16］曹黎波, 曹天杰. 基于动态测试的XSS漏洞检测方法研究［J］. 计算机应用与软件, 2015, 32(8): 272275［17］李洁, 俞研, 吴家顺. 基于动态污点分析的DOM XSS漏洞检测算法［J］. 计算机应用, 2016, 36(5): 12461249, 1278［18］沈寿忠, 张玉清. 基于爬虫的XSS漏洞检测工具设计与实现［J］. 计算机工程, 2009, 35(21): 151154［19］Vishnu B A, Jevitha K P. Prediction of crosssite scripting attack using machine learning algorithms［C］ Proc of Int Conf on Interdisciplinary Advances in Applied Computing. New York: ACM, 2014: No.55［20］张海燕, 莫勇. 基于决策树分类的跨站脚本攻击检测方法［J］. 微型机与应用, 2015, 34(16): 5557, 61［21］Guo Xiaobing, Jin Shuyuan, Zhang Yaxing. XSS vulnerability detection using optimized attack vector repertory［C］ Proc of Int Conf on Cyber Enabled Distributed Computing and Knowledge Discovery. Piscataway, NJ: IEEE, 2015: 2936

[1]	李仁杰华驰鲁志萍. 基于FP-growth优化SVM分类器的XSS攻击检测研究[J]. 信息安全研究, 2020, 6(9): 0-0.
[2]	潘志岗. 互联网企业Web系统易忽视漏洞分析[J]. 信息安全研究, 2020, 6(2): 181-187.
[3]	叶超. 基于MD5的CSRF防御模块的设计与实现[J]. 信息安全研究, 2019, 5(3): 223-229.
[4]	易楠. 基于语义分析的Webshell检测技术研究[J]. 信息安全研究, 2017, 3(2): 145-150.
[5]	石刘洋. 基于Web日志的Webshell检测方法研究[J]. 信息安全研究, 2016, 2(1): 66-73.