Characterising And Mitigating The Cross-Site Scripting Attacks

Posted on: 2012-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Shen
GTID: 2218330368981255
Subject: Applied Mathematics

Abstract/Summary:
Cross-site scripting (XSS) is one of the leading threats to Web applications. By exploiting a single vulnerability, an attacker can inject illegitimate client-side script code, with consequences that include hijacking the client browser, stealing cookies, leaking sensitive information, and damaging the reputation of the server site. Cross-site scripting therefore does great harm.

When an attack occurs, the scripts running at the client side can be classified into benign ones, which come from the application templates, and suspicious ones, which come from elsewhere. Distinguishing between the two kinds of script is therefore the basis of a defensive strategy.

In this thesis, a large number of cross-site scripting examples are analysed comprehensively and their characteristics are summarised. A method called ScriptE is proposed to mitigate XSS attacks based on script encapsulation, and the method is analysed with respect to its compatibility, convenience, computational security and robustness. Under this method, benign scripts are encapsulated at the server side by an extra HTML tag whose id attribute value is randomized, giving the encapsulation the properties of randomized identification and anti-counterfeiting. By applying a purpose-built browser add-on or embedding analysing scripts in response pages, the suspicious scripts can be distinguished at the client side, and hence the XSS attack can be detected. Finally, a program that detects scripts using the ScriptE strategy is tested to validate the ScriptE method, in particular its feasibility and effectiveness.
Keywords/Search Tags:cross-site script, script attack character, script encapsulation, HTML tag
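
The encapsulate-and-check idea the abstract describes, as an added Python sketch (not code from the thesis). The `span` wrapper, the `se-` id prefix, the function names and the sample page are assumptions, and the client-side check is modelled offline with `html.parser` rather than run in a browser.

```python
import secrets
from html.parser import HTMLParser

WRAP_TAG = "span"  # assumption: the abstract does not name the wrapper tag
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements with no end tag

def new_token() -> str:
    """Fresh random id per response, so injected markup cannot predict it."""
    return "se-" + secrets.token_hex(16)

def encapsulate(script_body: str, token: str) -> str:
    """Server side: wrap a template (benign) script in the marker tag."""
    return f'<{WRAP_TAG} id="{token}"><script>{script_body}</script></{WRAP_TAG}>'

class ScriptAudit(HTMLParser):
    """Offline model of the client-side check: find scripts lacking a valid wrapper."""
    def __init__(self, token: str):
        super().__init__()
        self.token = token
        self.open_elems = []   # (tag, id) for each currently open element
        self.suspicious = []   # (line, column) of each unwrapped <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            parent = self.open_elems[-1] if self.open_elems else (None, None)
            if parent != (WRAP_TAG, self.token):
                self.suspicious.append(self.getpos())
        if tag not in VOID:
            self.open_elems.append((tag, dict(attrs).get("id")))

    def handle_endtag(self, tag):
        # Close the nearest matching open element and anything nested in it.
        for i in range(len(self.open_elems) - 1, -1, -1):
            if self.open_elems[i][0] == tag:
                del self.open_elems[i:]
                break

def audit(html: str, token: str) -> list:
    """Return positions of <script> tags not wrapped with this response's token."""
    parser = ScriptAudit(token)
    parser.feed(html)
    parser.close()
    return parser.suspicious

if __name__ == "__main__":
    token = new_token()
    # Constructed sample response: one template script, two injected ones.
    page = ("<body>\n" + encapsulate("render();", token) + "\n"
            "<p>hi <script>steal()</script></p>\n"
            '<span id="forged"><script>x()</script></span>\n</body>')
    print(audit(page, token))  # positions of the two unwrapped scripts
```

The sketch covers `<script>` elements only; the abstract does not say how ScriptE treats other script-bearing constructs such as inline event handlers.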