Research On The Attack Detection Of Cross-site Scripting In Web Applications

Posted on: 2016-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: D D Zuo
GTID: 2308330503450620
Subject: Computer Science and Technology

Abstract/Summary:
With the development of the Internet and the popularity of Web applications, Web security has become one of the most serious problems on the Internet. Cross-Site Scripting (XSS) vulnerabilities have become more common in recent years, and their harmfulness and capacity for rapid dissemination are increasingly serious. Because of the widespread use of Ajax technology, a large amount of hidden Web content exists, which makes vulnerability injection points harder to find. Existing vulnerability detection techniques do not focus sufficiently on XSS vulnerability injection points, especially those in the hidden Web, and existing testing techniques do not fully consider the response pages that follow a request, which leads to a relatively low vulnerability detection rate. To address these shortcomings, we enhanced the analysis of the hidden Web and found vulnerability injection points based on the way DOM state changes. We also proposed a new vulnerability detection method based on the relevant interaction points in the redirected page, and then designed and implemented a vulnerability detection prototype system. Experimental results show that this prototype system can find more vulnerability injection points and effectively improve the vulnerability detection rate. The main contributions of this dissertation are as follows.

(1) The dissertation briefly introduces the browser access control strategy, then analyzes JavaScript security and Ajax technology security, and introduces the principle of the XSS attack and the types of XSS attack. Finally, the existing vulnerability detection methods are analyzed and studied.

(2) The dissertation proposes a method, based on the way DOM state changes, for finding XSS vulnerability injection points, especially those in the hidden Web. Because of the dynamic characteristics of JavaScript and the widespread use of Ajax technology, a large amount of hidden Web content exists, and it can contain many vulnerability injection points. This dissertation enhances the analysis of the hidden Web and finds vulnerability injection points not only in the static page but also in the hidden Web.

(3) The dissertation proposes a vulnerability detection method based on the interaction points of the redirected page. The method can increase the detection rate, especially for stored cross-site scripting attacks. The proposed method fully considers the response pages that follow a request, including the tested page, the redirected page and the pages related to the interaction points. In addition, the dissertation improves the probe request method: it judges the output location type in the page from the probe request string and then uses the related test cases on the injection points, which reduces unnecessary requests in subsequent work.

(4) The dissertation designs and implements a prototype XSS vulnerability detection system based on the techniques mentioned above. To validate the proposed method, we carried out an experimental evaluation of the prototype system, and it showed good performance.
Keywords/Search Tags: Cross-Site Scripting (XSS), hidden Web, vulnerability injection point, vulnerability detection
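
The probe request step in contribution (3) can be illustrated with a short sketch. This is an added example, not code from the dissertation or its prototype: it looks for a harmless probe string in the tested page and in follow-up pages and reports the output location type of each reflection, so a scanner only needs the test cases for those locations. The probe value, URLs, function names and location labels are all assumptions made for the illustration.

```python
from html.parser import HTMLParser

PROBE = "xssprobe7f3a"  # constructed, harmless alphanumeric probe string (assumption)

class ReflectionContexts(HTMLParser):
    def __init__(self, probe):
        super().__init__(convert_charrefs=True)
        self.probe, self.raw_tag, self.found = probe, None, set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.probe in value:
                # on* attributes run as script, so they call for different test cases
                self.found.add("event_handler" if name.startswith("on") else "attribute_value")
        if tag in ("script", "style"):
            self.raw_tag = tag  # parser now delivers raw text until the closing tag

    def handle_endtag(self, tag):
        if tag == self.raw_tag:
            self.raw_tag = None

    def handle_data(self, data):
        if self.probe in data:
            self.found.add(f"{self.raw_tag}_block" if self.raw_tag else "html_text")

    def handle_comment(self, data):
        if self.probe in data:
            self.found.add("html_comment")

def classify_reflection(response_html, probe=PROBE):
    """Return the sorted output location types where the probe is reflected."""
    parser = ReflectionContexts(probe)
    parser.feed(response_html)
    parser.close()
    return sorted(parser.found)

def classify_pages(pages, probe=PROBE):
    """Check the tested page and every follow-up page; keep only pages that reflect."""
    hits = {url: classify_reflection(html, probe) for url, html in pages.items()}
    return {url: ctx for url, ctx in hits.items() if ctx}

# Constructed responses: the form page shows nothing, the redirected page stores the value.
SAMPLE_PAGES = {
    "https://app.example.test/comment/new": "<form><input name='body' value=''></form>",
    "https://app.example.test/comment/list": (
        "<!-- author note xssprobe7f3a --><p>xssprobe7f3a</p>"
        "<input name='last' value='xssprobe7f3a'><script>var c = \"xssprobe7f3a\";</script>"
    ),
}
```

Only the redirected list page reports reflections here, which is the case a check limited to the immediate response would miss.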