【作者】 秦英；

【导师】 刘西洋；

【作者基本信息】 西安电子科技大学 ， 计算机软件与理论， 2010， 硕士

【摘要】 随着计算机技术和网络技术的快速发展,Internet已经将人们带入了一个更为精彩的虚拟世界里。很多网站为了丰富用户体验,充分地利用了动态脚本语言,如JavaScript,然而这种技术在增强了网页互动性的同时,也带来了用户敏感信息泄漏等安全隐患。目前,虽然安全服务商开发了各种工具来保护用户信息的安全,但这些工具大多是基于特征码扫描,并不能够及时地处理网络中的安全隐患。为了有效地保护互联网用户信息的安全,本文着重研究了目前整个网络中最为普遍的利用动态代码混淆(DCO)技术进行跨站脚本(XSS)攻击的原理和流程,并提出了基于行为的XSS检测技术。XSS攻击的主要目的是盗取用户的敏感信息,由于其行为特征是未经用户的授权而将用户的敏感信息发送给第三方,那么通过客户端对当前页面所访问敏感信息的传输情况做相应分析,我们就可以得出XSS攻击检测结果,从而判定出哪些存在可疑攻击行为,然后采取相应的处理措施。本文所提出的检测技术采取了浏览器端保护方式的思路,在浏览器中通过污点追踪方法对当前页面所包含的敏感信息的行为进行分析,如果敏感信息流向未授权的第三方,则认为该行为为可疑行为,从而判定XSS攻击行为发生。在具体实现中,本文以开源的网络浏览器Mozilla Firefox作为实验平台。通过对该浏览器的JavaScript引擎进行分析,扩展了它的各个阶段的处理过程。该技术采用以动态追踪为主,静态分析为辅的方式分析当前页面中敏感信息的传输情况。通过对分析结果进行处理和判断来阻止可能的XSS攻击。一旦发现可疑的XSS攻击行为就警示用户,告知当前操作伴随敏感信息泄漏,并由用户来处理。经实验验证,本文所提出的基于行为的XSS检测技术在保护用户敏感数据方面是切实可行的。更多还原

【Abstract】 With the rapid development of Computer and Network technology, Internet has brought people into a more wonderful virtual world. Many Web sites make extensive use of client-side script (mostly written in JavaScript) to enhance user experience. However, when this technology enhances the interaction of web pages, it also brings some security problems, such as user information leakage. At present, security service providers have developed various kinds of tools to protect the security of user information, but most of these tools are signature-based, which are not able to handle the security risks in a timely way. To protect the security of web users’information effectively, this paper emphasizes to discuss the theory and flow for attacking in cross-site scripting (XSS) with dynamic code obfuscation (DCO) technology, and proposes a behavior-based XSS detection technique.The main purpose of XSS is to steal the user’s sensitive information, as its behavior is to send user’s sensitive information to a third party without the user’s authorization, we can get the XSS attack detection results by analyzing the situation of user’s accessing sensitive information in current page. The detection technique presented in this paper adopts the idea of protecting user information in client-side of the Web browser. It will analyze the behavior of current page’s accessing sensitive information by tracking the flow of tainted data. If some tainted data will be transferred to a third party, the current operation will be assumed suspicious. In the implementation, this paper chooses the open-source Web browser Mozilla Firefox as its experimental platform. By analyzing its JavaScript engine, we extend its handle process in each phase. Our approach employs dynamic analysis techniques in general, and an auxiliary static analysis technique when necessary to analyze the situation of sensitive information in current page. By handling and judging the analysis result, we can prevent the suspicious XSS attack. If sensitive information is about to transferred to a third party, the user can decide if this should be permitted or not. The results of our experiment have demonstrated that the behavior-based XSS detection technique proposed in this paper is feasible in practice.更多还原