Research And Implementation Of XSS And CSRF Defense Based On Node.js

Today, more and more applications come to the model based on internet content dominated by users relying on the Web platform. Web applications have been the most popular computer applications. But with the prosperity of Web application, security problem has cropped up. Cross-site scripting attacks(XSS) and cross-site request forgery(CSRF) are the two most popular Web application attack types. As a more and more popular platform to develop Web application, Node.js does not provide functions to defense XSS and CSRF attacks.Basing on the operating mechanism of Node.js and considering the improvement of whole performance of Web applications developed on Node.js, this paper designs and implements a defense system resisting XSS and CSRF attacks. By running on the child process of Node.js, the defense system offers valid defense to XSS and CSRF. By highly decoupling, the defense system can work effectively without changing too much codes for the applications which have been developed and deployed on Node.js platform.There are six modules of the defense system, including XSS defending module, CSRF defending module, session managing module, log managing module, communication interface, and initialization module. XSS defending module is the center module because only with no XSS security vulnerabilities, the designing for CSRF defense can works effectively. XSS defense includes four steps: detecting, analyzing, filtering, and coding output. First, the type of input data is detected. Second, the data is analyzed with the HTML analyzing tool designed by this paper, and during the analyzing, some spots are marked using stain marking algorithm. Filtering process includes two parts: the filtering of HTML label type and the filtering of the HTML type value. To improve the efficiency of filter, a white list and a black list are stored using the red-black trees, information entropy of string and the characteristics of attack regular matching algorithm are used to improve the correctness of the filter of the type value. Last, by tracing the spot marking label, replacing the initial character string with safe value, legal data is coded and output. Basing on the realization of XSS defense, according to Anti CSRF Token defending strategy, CSRF defending module is realized. Session module offers the session management for Web applications basing on Redis database. The communication between the Web application and defense system mostly uses IPC channel and the exchanging of the data is realized by data sharing, using the Redis as the third-party storage area.This paper also builds a test environment to test the defense system. Function test and performance test are included. By analyzing the test results, we can conclude the defense system can provide effectively defense to XSS and CSRF attacks for the Web applications. Meanwhile, the defense system almost has no harm to Web response. Which meets the performance requirement.