| With the rapid development of web technology, the internet is becoming increasingly rich and prevalent. At the same time, attacks against web application vulnerabilities are becoming more numerous, and the variety of malicious attacks poses a huge threat to the security of web applications, particularly cross-site scripting, SQL injection, cross-site request forgery, and click hijacking. An attacker can exploit these vulnerabilities to inject custom malicious code, change the execution flow of a program, damage the user's program, and steal sensitive user information. Because existing web security measures are concentrated on the server side, client-side security mechanisms are relatively weak, and strengthening them properly is a challenge; inventing a new client-side defensive approach to detect web vulnerabilities and prevent web attacks is therefore a meaningful research topic. Traditionally, taint analysis approaches focus on a specific server-side programming language. It is almost impossible to implement a generic approach that applies to all server-side programming languages, because web applications use various programming languages. Extending the browser kernel to improve client security is also complex and not generic, mainly because there is a wide range of browsers and different versions of a browser may have different implementations. To address this problem, this paper presents a novel approach for detecting web vulnerabilities on the client side via rewriting-based dynamic taint analysis, which prevents illegal behavior by malicious scripts without modifying server-side or client-side code. It first converts the client-side JavaScript code into intermediate code and then implements a specific taint engine based on taint analysis techniques. To detect web vulnerabilities, the taint engine tracks the processing of sensitive data at runtime by recording the information flow of sensitive data, identifying the data dependencies between source data and objective data, and preventing data that originates from untrusted domains from flowing into objective data. This paper designs and implements a web vulnerability detection system based on the proposed dynamic taint analysis approach. We deployed it as a browser proxy that rewrites web applications in real time. Experiments show that the system achieves good results in protecting information confidentiality and integrity and in the accuracy of its detection algorithms, and that it can also effectively prevent common web exploits. |
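
The rewriting idea in the abstract can be illustrated with a miniature taint engine: page code is rewritten so that operators and sensitive writes go through engine hooks that carry origin labels from source data to objective data. This is an added example, not the paper's system; every name here (`Tainted`, `source`, `binary`, `sink`, `TRUSTED_ORIGIN`) and both origins are hypothetical, constructed values.

```javascript
// Added illustration of rewriting-based dynamic taint tracking (hypothetical names).
const TRUSTED_ORIGIN = "https://app.example"; // constructed value

// A value paired with the set of origins that contributed to it.
class Tainted {
  constructor(value, origins) { this.value = value; this.origins = origins; }
}
const originsOf = (v) => (v instanceof Tainted ? v.origins : new Set());
const raw = (v) => (v instanceof Tainted ? v.value : v);

// Source hook: label data entering the page with the origin it came from.
function source(value, origin) {
  return new Tainted(value, new Set([origin]));
}

// Propagation hook: a rewriter would turn `a + b` into binary("+", a, b),
// so the result depends on (and inherits the labels of) both operands.
const OPS = new Map([["+", (x, y) => x + y], ["===", (x, y) => x === y]]);
function binary(op, a, b) {
  const fn = OPS.get(op);
  if (!fn) throw new Error("unsupported operator " + op);
  const result = fn(raw(a), raw(b));
  const origins = new Set([...originsOf(a), ...originsOf(b)]);
  return origins.size ? new Tainted(result, origins) : result;
}

// Sink hook: refuse the write when any contributing origin is untrusted.
function sink(name, v, log) {
  const bad = [...originsOf(v)].filter((o) => o !== TRUSTED_ORIGIN);
  log.push({ sink: name, blocked: bad.length > 0, origins: bad });
  return bad.length === 0;
}

// Original script:  var html = "<p>" + msg + "</p>"; el.innerHTML = html;
// Rewritten form, with the DOM write replaced by the sink decision:
function runRewritten(msg) {
  const log = [];
  const html = binary("+", binary("+", "<p>", msg), "</p>");
  const allowed = sink("innerHTML", html, log);
  return { allowed, rendered: allowed ? raw(html) : null, log };
}

// Constructed inputs: one value from the trusted origin, one from another domain.
console.log(runRewritten(source("hello", TRUSTED_ORIGIN)));
console.log(runRewritten(source("placeholder", "https://other.example")));
```

The label survives both concatenations, so the decision at the sink depends on where the data originated rather than on what the string looks like.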