
The Research On Detection And Defense Techniques Of Cross-site Scripting Attack

Posted on: 2018-07-18 | Degree: Master | Type: Thesis
Country: China | Candidate: M Y Xu
GTID: 2348330536480515 | Subject: Software engineering
Abstract/Summary:
With the development of Internet technology, web applications are becoming more and more widespread, and websites and application systems built on the B/S (browser/server) architecture are constantly emerging. To enhance the user experience, mainstream websites make full use of dynamic scripting languages such as JavaScript. This technology brings convenience to users, but it is also accompanied by a large number of security flaws and threats. Today, cross-site scripting is one of the most severe and common threats to web applications. The root cause of these attacks is a defect in the security mechanism of the web application: insufficient inspection and filtering of user input. Although the server side can fundamentally solve the problem by repairing the web application, users remain at high risk while using these applications, because flaws are repaired late owing to the low update rate of security patches and the weak security awareness of operations and maintenance staff. It is therefore crucial to study client-side defensive measures against cross-site scripting in order to improve active defense capability during such attacks.

This dissertation analyzes and discusses the techniques commonly used at present to detect and defend against cross-site scripting attacks, and carries out research on the following two subjects:

(1) Based on a thorough understanding of dynamic taint tracking and static taint analysis, the dissertation proposes a method for detecting and defending against cross-site scripting attacks that centers on dynamic taint tracking and is assisted by static taint analysis. It first marks the sensitive information on the current page and then monitors how that information is transmitted. When the sensitive information is subject to an abnormal operation, the method warns the user of the danger and leaves the decision to the user, which achieves effective interception of the cross-site scripting attack.

(2) To address direct detection of the common features of cross-site scripting attacks, the dissertation introduces feature-based detection of cross-site scripting attacks and proposes a library of known cross-site scripting features. After static taint analysis of the user's input, the suspicious taint sources in the analysis results are compared with the known feature library, and tainted information that is present in the library is filtered directly. The known feature library is also continuously updated with the taint analysis results. This extended cross-site scripting detection and defense technique greatly improves the detection rate.

For the practical implementation, the dissertation selects the open-source Mozilla Firefox browser as the experimental platform. By analyzing the browser's JavaScript engine, each stage of its processing is extended. Experiments verify that the detection and defense method proposed in this dissertation is applicable.
Keywords/Search Tags: cross-site scripting attack, dynamic tracking, static analysis, feature library, JavaScript engine