Research And Implementation Of Web Application Cross-site Scripting Vulnerability Detection

Posted on: 2019-10-05
Degree: Master
Type: Thesis
Country: China
Candidate: F T Ma
Full Text: PDF
GTID: 2428330548481382
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, with the rapid development of Web application technology, its powerful features have greatly improved people's work efficiency and are increasingly favored by developers and users, but the accompanying Web security threats have seriously endangered people's personal information and property. Among Web security vulnerabilities, cross-site scripting is one of the most influential and harmful forms of attack. However, existing cross-site scripting vulnerability detection technology is still defective: for example, its efficiency is low and its false positive and false negative rates are high, so further research is still necessary. This paper conducts in-depth research and analysis on the research status, detection principles, and implementation technologies of cross-site scripting vulnerabilities, and mainly completes the following work.

Firstly, extensive research is done on the common filtering mechanisms in Web applications and on the structure of existing cross-site scripting attack vectors. A strategy of automatically generating attack vectors and legal vectors is proposed to bypass the filter module. For the attack vector, an initial basic attack vector is first generated according to a basic symbol set, an alternative element library, and an attack vector combination model, and then various transformations and transpositions are applied through a transformation rule set, so that the resulting attack vectors are more comprehensive, complex and effective. For legal vectors, the paper proposes to automatically generate the optimum legal vector based on the relevant information of the form input points. The legal vectors and attack vectors together constitute the test data in the attack phase.

Secondly, the crawler technology is improved and a web crawler based on a Headless Browser is proposed. Traditional static crawlers have shortcomings such as low coverage of vulnerability injection points and an inability to obtain data that is loaded dynamically on the page. The web crawler designed in this paper introduces a library containing the browser kernel and, by driving the API provided by that library, parses and executes scripts such as JavaScript or Ajax on the page so that dynamically loaded page content can be crawled. Many URLs or vulnerability injection points on the current page are displayed only after an event is triggered, and it is difficult for traditional crawlers to detect this type of URL and injection point. In order to find as many injection points as possible and expand the coverage of vulnerability injection points, this paper proposes a hidden trigger injection point search algorithm based on an event-triggered web crawler combined with the Headless browser. When analyzing whether a vulnerability exists, this crawler technology is also used to analyze the content of the relevant response pages more comprehensively; it can monitor whether the code submitted in the attack phase is executed on the page, and the expanded coverage helps to reduce missed reports.

Thirdly, the detection method is improved. To address low detection efficiency, this paper uses Gearman, a distributed task scheduling framework, to design the overall model of the detection system. The detection tasks are completed jointly by a number of distributed working machines. The working machines are independent of each other yet cooperate, and processing tasks in parallel improves detection efficiency. The attack vector generated dynamically during the attack phase is unique and can identify the injection point that was attacked, which avoids false alarms. In order to make full use of the effective information generated during the attack process, an adaptive random test method is proposed that adaptively adjusts the priority of the attack vector combination modes according to the detection situation at the current moment. When the attack phase is complete, the entire Web application is traversed a second time, and vulnerabilities that were not detected during the attack are detected, to reduce missed reports.

Finally, based on the above methods and combined with the idea of penetration testing technology, an automated cross-site scripting vulnerability detection system based on distributed systems is designed and implemented to discover potential cross-site scripting vulnerabilities in Web applications. Compared with detection tools of the same type, the experimental results show that the cross-site scripting vulnerability detection system designed in this paper can effectively detect cross-site scripting vulnerabilities in Web applications.
Keywords/Search Tags: Cross-Site Scripting, attack vector, legal vector, Headless browser, penetration testing, distributed system
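
The unique-vector idea from the abstract, as an added Python example that is not taken from the thesis: every injection point receives an inert probe carrying its own token, and a second traversal of the crawled pages attributes each hit to the point that sent it. The token format, function names and sample pages are constructed for illustration, and the check inspects raw HTML rather than script execution in a headless browser.

```python
import html
import re
import secrets

# Assumed token format for this example: "xsq" + 8 hex characters.
TOKEN_RE = re.compile(r"xsq[0-9a-f]{8}")


def new_probe(registry, url, param):
    """Create an inert probe with a unique token and record where it was sent."""
    token = "xsq" + secrets.token_hex(4)
    registry[token] = (url, param)
    return f"<{token}>"  # harmless unknown element; only tests '<' '>' encoding


def second_pass(pages, registry):
    """Scan every crawled page for known tokens and attribute each hit."""
    findings = []
    for page_url, body in pages.items():
        for token in sorted(set(TOKEN_RE.findall(body))):
            if token not in registry:
                continue  # token-shaped text we never sent: not a finding
            raw = f"<{token}>" in body
            findings.append({
                "injection_point": registry[token],
                "seen_on": page_url,
                "status": "unencoded" if raw else "encoded",
            })
    return findings


def demo():
    registry = {}
    # Constructed injection points of a hypothetical application.
    search = new_probe(registry, "/search", "q")
    comment = new_probe(registry, "/post/1/comment", "body")
    new_probe(registry, "/profile", "nick")  # sent, never reflected anywhere
    # Constructed pages as the second traversal would see them.
    pages = {
        "/search?q=": f"<p>Results for {html.escape(search)}</p>",
        "/post/1": f"<ul><li>{comment}</li></ul>",  # stored, shown elsewhere
        "/admin/users": "<td>anonymous</td>",
    }
    return registry, second_pass(pages, registry)


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Only the "unencoded" finding is a candidate for confirmation; because the token maps back to one injection point, a hit on a different page is still attributed correctly.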