Research Of XSS Vulnerability Attack And Defense

Posted on: 2019-06-07
Degree: Master
Type: Thesis
Country: China
Candidate: G D Sun
Full Text: PDF
GTID: 2428330545458729
Subject: Electronics and Communications Engineering
Abstract/Summary:
XSS vulnerabilities have been a major concern in web security in recent years. Since 2007, XSS has ranked in the top three of the OWASP Top 10, which makes it one of the most influential vulnerabilities in web security. XSS attacks behave differently in different business scenarios, so it is necessary to summarize the underlying principle and find what these individual cases have in common. It is also necessary to classify and discuss current XSS attack payloads and summarize their respective characteristics, so that developers and maintainers can match them to their own business scenarios. The goal is to put forward a front-end defense early-warning model and an automatic XSS-fixing plugin for general-purpose editors. To that end, the shortcomings of existing XSS defense strategies must be summarized, and XSS is defended against on two fronts: intercepting the execution of malicious code, and securing the source code.

Based on the actual application environment, the principle of XSS vulnerabilities and the characteristics of their output points are analyzed in detail. Following this analysis, the various XSS attack payloads found in the current network environment are comprehensively summarized, and the latest payload types are analyzed as well. Because of JavaScript's language features, new types of XSS payload may appear in the future, and this provides a new line of thought for XSS defense.

Finally, an XSS defense mechanism is proposed that is feasible, easy to deploy, and easy for developers to accept and use. Using HTML and JavaScript language features, an XSS defense early-warning model is built to intercept XSS payloads when an XSS attack occurs in the browser. In addition, an XSS repair plug-in for editors is designed, based on the theory of spot data tracking, which automatically tests for and repairs XSS vulnerabilities before the source code is deployed online. Because the major browsers differ in their support for the HTML and JavaScript standards, the defense module has been optimized for IE, Chrome and Firefox. The defense effect is demonstrated experimentally in a real environment. The goal of improving the web system's defensive strategy against XSS vulnerabilities has been achieved. At the same time, the editor's repair process for source-level XSS vulnerabilities is clearly visible to the developer, which achieves the preset goal of lowering the threshold for secure programming and reduces the cost of learning it.
Keywords/Search Tags: XSS principle, WEB technology, XSS payload, XSS alert and defense, Fixing plugin