Analysis And Research On The Characteristics Of XSS Attack And Its Defense Technology

The early Web only provided users with functions for information display, in which users could just browse web pages they had chosen but lacked interaction with the server. Then, with the wide-ranging influence of Web2.0, there were enormous changes in the service content and mode provided by the web site. Compared with early Web’s single function of information display, network application now pays more attention to user experience and the interaction with users, in which users can submit the input data and affect the contents of the site database. Without enough inspection and filtering of these inputs, XSS(Cross Site Scripting) may appear.The fundamental reason which leads to XSS vulnerabilities is user’s lack of sufficient inspection and filtering on the input data, while the essential way to realize XSS attack is that the malicious codes successfully escape the defensive system by the means of confusion, false camouflage, etc.. Aiming at the above problems, this thesis has carried out the following research work:1. A cooperative detection and defense system is realized, which starts from the two aspects: detection and defense. On one hand, when a user has requested the page, the detection module will detect and restore the XSS vulnerabilities and perfect the server’s input validation for the users through completing dynamic test to simulate the attack. On the other hand, the defense module in the server will separate the un-trusted contents in the web pages by using the separation strategy and marking algorithm. Meanwhile, with the introduction of terminal restriction and confusing code detection and other means in the client so as to analyze and detect the marked un-trusted contents, the XSS defense work can be complished cooperatively.2. The XSS defense of cooperative systems at present tend to rely too much on the server, while the client’s work is limited, which causes over headed work of the server system but the idle situation of the client resources. With the improvement of the template engine in this system, the server in the whole defense system is only responsible for the separation of un-trust contents, the generation of the pages and the detection of the un-trusted contents will be done by the client, thus, reducing the pressure of the server and the network bandwidth. In addition, for the detection of XSS vulnerabilities, general detection means are often not strong-targeted, leading to higher miss rate. This system has made upgradation of the Fuzzing technology: introducing the original test cases from the actual network; extending the sentence elements of HTML, CSS, and JS as the test cases. Consequently, the improved test method has strong pertinence and high efficiency in the generated test cases.3. The collaborative detection and defense system achieved in this thesis has borrowed the thought of distributed system, which is a kind of liberation for the server. It will complete the XSS detection and defense work depending on the cooperative effort of numerous customer bases and the server. The experiment in the erected virtual network environment has proved that this system can make effective detection and defense of XSS attacks such as the storage type, reflection type and DOM type. At the same time, it can also reduce the pressure of the server and the network bandwidth, as well as the cost of client performance(with the delay of 0.2s).