
Research On Detection And Prevention Methods Of Web Application

Posted on: 2016-11-15 | Degree: Master | Type: Thesis
Country: China | Candidate: L B Cao | Full Text: PDF
GTID: 2308330479986046 | Subject: Computer applications
Abstract/Summary:
With the development of the Internet, the number of Web applications, such as online shopping malls and online banking, is increasing; they are easy to use and low in cost. More and more office systems of companies, governments and schools, which store a lot of important data, are now built on Web applications, so keeping these systems secure is very important. Web applications are becoming easier to hack, because it is hard for traditional firewalls to protect them. The issue of Web security is becoming increasingly prominent, and many websites with Web vulnerabilities have been hacked. There are many kinds of Web vulnerabilities, which can be exploited to attack both clients and servers. This paper focuses mainly on XSS and CSRF vulnerabilities, which lead to great harm and have a wide range of effects; both of them are based on vulnerabilities of the client.

This paper introduces related background on XSS and CSRF, including Web application technologies and a detailed description of the principles, classifications, harms and attack techniques of XSS and CSRF vulnerabilities. On the basis of this background, the paper mainly analyzes detection and prevention methods for XSS and CSRF vulnerabilities.

On the one hand, this paper introduces two kinds of XSS detection methods: static and dynamic. First, it analyzes the principles, advantages and disadvantages of existing detection methods. Second, to address the disadvantages of these methods, it proposes an improved detection method for XSS vulnerabilities. The principle of this method is to simulate an attacker launching attacks against the target site. It first probes with legitimate vectors, which can rule out the presence of reflected XSS pages, and collects information about injection points, including the pages where vectors are input and the pages where the vectors appear. After that, it uses attack vectors for further detection. The implementation results proved that the method can detect both reflected XSS and stored XSS, and that it can improve detection efficiency. In addition, the paper introduces the prevention methods for XSS and analyzes the principle, advantages and disadvantages of each method.

On the other hand, this paper describes the detection methods for CSRF. First, it analyzes the principles, advantages and disadvantages of existing detection tools, and then it proposes an improved detection method for CSRF. The main principle is to analyze whether there are defense characteristics in the HTTP request packet; the experimental results showed the effectiveness of this method. In addition, the paper introduces the protection methods for CSRF vulnerabilities, including the principle, advantages and disadvantages of each approach.
Keywords/Search Tags:Web Security, XSS, CSRF, Detection, Protection
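
The CSRF detection principle described in the abstract (checking an HTTP request packet for defense characteristics) can be sketched as follows. This is an added example, not code from the thesis; the indicator list, the function names and the sample requests are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed indicators; the abstract does not list the thesis's own set.
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample requests (not captured traffic).
UNPROTECTED = (
    "POST /account/email HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "email=new%40example.org"
)
PROTECTED = UNPROTECTED + "&csrf_token=9f2c4e7a1b3d5f60718293a4b5c6d7e8"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def csrf_defenses(raw):
    """Return (method, set of defense characteristics found in the request)."""
    method, target, headers, body = parse_request(raw)
    found = set()
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    # A token-like parameter only counts when its value has a plausible length.
    if any(h in k.lower() for k, v in params for h in TOKEN_HINTS if len(v) >= 16):
        found.add("token-parameter")
    if any(h in name for name in headers for h in ("csrf", "xsrf")):
        found.add("token-header")
    if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        found.add("custom-header")
    return method, found


def looks_unprotected(raw):
    """Flag state-changing requests that show no defense characteristic."""
    method, found = csrf_defenses(raw)
    return method in STATE_CHANGING and not found
```

A request flagged here is only a candidate: the server may still validate Origin or Referer, or rely on SameSite cookies, which a single request packet does not reveal.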