
Research On Vulnerability Detection Of Cross-site Scripting Through Penetration Testing

Posted on: 2014-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: P Shao
Full Text: PDF
GTID: 2248330398977466
Subject: Computer application technology
Abstract/Summary:
Web applications bring convenience and efficiency to people's lives, but they also introduce security issues such as attacks on websites; cross-site scripting is one of the common attacks. Most website developers filter user input to protect against cross-site scripting, but this practice has been shown to have its own limitations, so vulnerability detection is still needed. Existing detection tools can detect cross-site scripting vulnerabilities to a certain extent, but the comprehensiveness of their detection needs to be enhanced.

Based on the idea of penetration testing, this thesis studies cross-site scripting vulnerability detection. The major work consists of the following two parts.

On the one hand, the thesis puts forward a relatively complete mining strategy for cross-site scripting attack vectors. After analyzing the structural characteristics of different types of cross-site scripting attack vectors, it derives a structure definition for these vectors. It then analyzes, summarizes, classifies and extends anti-filtering methods according to that structure definition, which yields a set of anti-filtering rules. Based on the structure definition and the set of anti-filtering rules, it proposes a more comprehensive mining strategy. Application examples and experiments show that the strategy is comprehensive and effective in mining some cross-site attack vectors.

On the other hand, the thesis designs a relatively complete cross-site scripting vulnerability detection model. This part first proposes the detection principle, which simulates a website attacker's attacks following penetration-testing ideas, and sets out the key issues the detection model is trying to address. It then gives a detailed description of the overall structure design and the operating mechanism of the detection model, followed by the implementation techniques of each functional module. Application examples and experiments show that the detection model not only effectively detects cross-site scripting vulnerabilities in websites, but also improves the comprehensiveness of vulnerability detection.

Mining cross-site scripting attack vectors addresses the problems caused by the diverse types of attack vectors and the various forms of injection, and simulating website attacks through penetration testing addresses the problems brought about by different development languages and the different parsing behaviour of browsers. However, the accuracy of the mining strategy still needs to be raised, and the detection model cannot properly identify the DOM-based type of vulnerability because of the limitations of penetration testing; both should be improved in further research work.
Keywords/Search Tags: Website Security, Cross-site Scripting Attack, Vulnerability Detection, Penetration Test