
Research On Client-Side Scripting Security Technology Of Web Application

Posted on: 2013-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: M Zhang
Full Text: PDF
GTID: 2268330392461043
Subject: Electronic and communication engineering

Abstract/Summary:
Web 2.0 sites, where interaction is the core feature, allow people not just to retrieve information but to contribute their own knowledge, and the Internet is no longer only a virtual world but is becoming a bridge into people's real lives. New and powerful Web applications such as social networking sites, blogs, and content sharing sites differ from traditional computer applications, and this undoubtedly brings new security concerns.

Client-side scripting is the foundation of Web applications, and an increasing number of functions are implemented on the client side to improve the user experience. However, because of the complicated network situation, Web users are easily attacked through scripting attack vectors, and the extent of the damage is no less than that of a direct attack on the server side. This paper systematically explains the core techniques related to Web applications and then focuses on cross-site scripting (XSS), which is the Godfather of attacks against Web users. XSS vulnerabilities can be divided into three varieties, and they have important differences in how they can be identified and exploited. Studies of different XSS attack vectors and vulnerability exploitation processes have been conducted extensively by examining real-world examples of XSS attacks. Cross-site request forgery (CSRF/XSRF) and clickjacking are new types of attacks against users. This paper analyzes the attack process as well as the protection methods, especially for some combination attacks.

In addition, this paper proposes a novel client-side approach to prevent XSS attacks on the basis of existing protections. XSS attacks inject malicious script content into the user's browser; through a static constraint analysis based on the JavaScript abstract syntax tree, this algorithm constructs a constraint system for sensitive information, which can then be used to dynamically track tainted data and stop the execution of malicious scripts.

Further, based on this algorithm a Firefox plugin is developed to prevent XSS attacks from stealing users' sensitive information, which improves the security of the web browser. This technique has good flexibility and scalability in that it does not require modifying the Web application's code.
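As an added illustration of the taint-tracking idea described in the abstract (this is not the thesis's code, and the thesis's static constraint analysis over the JavaScript AST is not reproduced here), the following runnable JavaScript models the dynamic half of the approach: a sensitive value is wrapped as tainted at its source, the wrapper survives concatenation and URL encoding, and a sink check decides whether tainted data may be sent anywhere other than the page's own origin. All names (`Tainted`, `readCookie`, `concat`, `urlEncode`, `checkSink`, `demo`), the origins and the sample cookie string are constructed for this example.

```javascript
// Added example, not code from the thesis: a toy model of marking sensitive
// data as tainted at its source, propagating the taint, and enforcing a policy
// at a sink. The static AST-based constraint analysis is not modelled.

class Tainted {
  constructor(value, labels) {
    this.value = String(value);
    this.labels = labels; // which sensitive sources contributed to this value
  }
  toString() { return this.value; }
}

const isTainted = (v) => v instanceof Tainted;

// Source: reading the cookie jar yields a tainted value.
// The cookie string is constructed sample data.
function readCookie(cookieJar = 'session=abc123; theme=dark') {
  return new Tainted(cookieJar, ['document.cookie']);
}

// Propagation: string concatenation keeps the union of all labels.
function concat(...parts) {
  const labels = [...new Set(parts.filter(isTainted).flatMap((p) => p.labels))];
  const text = parts.map(String).join('');
  return labels.length ? new Tainted(text, labels) : text;
}

// Propagation: encoding or escaping does not launder taint.
function urlEncode(v) {
  const text = encodeURIComponent(String(v));
  return isTainted(v) ? new Tainted(text, v.labels) : text;
}

// Sink policy: an outbound request URL may carry tainted data only to the
// page's own origin. A decision object is returned rather than throwing so a
// caller (for instance a browser extension) can log and block.
function checkSink(url, pageOrigin) {
  let origin;
  try {
    origin = new URL(String(url)).origin;
  } catch (e) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (!isTainted(url)) return { allowed: true, reason: 'untainted' };
  if (origin === pageOrigin) return { allowed: true, reason: 'same-origin' };
  return {
    allowed: false,
    reason: `tainted data from ${url.labels.join(',')} would leave to ${origin}`,
  };
}

// Three uses of the same sink under one policy: sending the cookie to a
// foreign host, posting it back to the site itself, and an untainted URL.
function demo() {
  const pageOrigin = 'https://shop.example';
  const cookie = readCookie();
  const foreign = concat('https://other-site.invalid/c?d=', urlEncode(cookie));
  const sameSite = concat(pageOrigin, '/api/ping?d=', urlEncode(cookie));
  const plain = concat('https://cdn.example/lib.js');
  return {
    foreign: checkSink(foreign, pageOrigin),
    sameSite: checkSink(sameSite, pageOrigin),
    plain: checkSink(plain, pageOrigin),
  };
}

// console.log(demo());
```

The design point worth noting is that `urlEncode` and `concat` return a new `Tainted` whenever any input was tainted: a policy that checked only for the raw cookie text at the sink would be defeated by encoding, whereas label propagation survives it. In a real browser-side implementation the sources would be the actual DOM properties and the sinks the network-sending APIs; here they are plain functions so the model can run offline.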
Keywords/Search Tags: browser security, cross-site scripting, cross-site request forgery, clickjacking, constraint analysis, taint tracking