
Research On Web Malicious Code Injection Defense Method Based On Randomization

Posted on: 2022-09-17 | Degree: Master | Type: Thesis
Country: China | Candidate: J Wang | Full Text: PDF
GTID: 2518306521957769 | Subject: Computer technology
Abstract/Summary:
According to data disclosed by the China National Vulnerability Database (CNVD) in 2020, web application vulnerabilities account for 26.5% of all vulnerabilities in the current internet environment, so web applications face serious security threats. Today the main threats to web applications are code injection attacks and XSS (Cross-Site Scripting) attacks. Traditional defenses against such attacks have shortcomings: filtering rules are easy to bypass, detection accuracy is hard to guarantee, and the defense is passive, so they struggle to provide comprehensive and effective protection.

Randomization is an active defense technology. It transforms the defense target into a functional equivalent: the original functionality is preserved while the way it is implemented is changed, so that the attacker faces uncertainty. Because the target environment is unpredictable, an attacker cannot carry out an attack method carefully constructed from prior knowledge, which enhances the system's defensive capability.

Starting from the characteristics of randomization technology, this thesis proposes and designs a server-side code execution environment randomization architecture and a randomization-based XSS attack defense architecture. A server deployed with both architectures is then abstracted as a randomized server side, and the potential threats to the randomized server side are analyzed. On this basis, combined with the advantages of the Dynamic Heterogeneous Redundancy (DHR) architecture in mimic defense technology, a mimic web application security framework is designed. The research content and innovations of the thesis are as follows:

1. For the server, two methods are proposed: randomization of the language interpretation environment and randomization of the template engine parsing environment. On this basis, combined with the idea of dynamism, RANDcode, the randomization architecture for the server code execution environment, is implemented, which enhances the web server's ability to defend against code injection attacks. Experimental results show that the RANDcode architecture can effectively defend against interpreted language injection attacks and Server-Side Template Injection (SSTI) attacks.

2. For the client, the RANDJS defense architecture against XSS attacks is implemented. Trusted HTML and JavaScript code is randomized on the server, and before the response is delivered to the client, randomized trusted code is distinguished from unrandomized malicious code, improving the security of the web client against XSS attacks. Experiments show that the RANDJS architecture can effectively defend against reflected XSS attacks and stored XSS attacks.

3. A mimic web application security framework is implemented. The server deployed with the RANDcode and RANDJS architectures is abstracted as a randomized server, its potential threats are analyzed, and, combined with the DHR architecture from mimic defense technology, a heterogeneous redundant structure and an output judgment mechanism are used to compensate for the loss of defensive capability when the randomization method of a randomized server is cracked, improving the overall security of the system. Experiments and real network data show that the mimic web application security framework can guarantee the overall security of the system even if the randomization method of one randomized server is cracked, and that it has strong defensive capability and applicability in a real network environment.
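The client-side idea in item 2 (randomize the trusted code on the server, then tell randomized trusted code from unrandomized injected code before the response leaves the server) is easiest to see in code. The following Python is an added illustration written for this page, not the thesis's RANDJS implementation: it applies the idea to <script> tags only, using a fresh per-response secret as the randomization token. The template, the comment input and all function names are constructed for the example.

```python
import re
import secrets

# Constructed sample template: the HTML and <script> below are written by the
# developer and therefore trusted; {comment} is where untrusted user data lands.
TRUSTED_TEMPLATE = """<html><body>
<h1>Comments</h1>
<div id="comments">{comment}</div>
<script>renderComments();</script>
</body></html>"""

# Plain <script ...> / </script> tags, as they appear in the developer's template.
PLAIN_SCRIPT_RE = re.compile(r"<(/?)script\b", re.IGNORECASE)
# Any script tag, with an optional "-<hex secret>" suffix added by randomization.
ANY_SCRIPT_RE = re.compile(r"<(/?)script(?:-([0-9a-f]+))?\b", re.IGNORECASE)


def new_secret() -> str:
    """Fresh secret per response, so an attacker cannot learn it from earlier pages."""
    return secrets.token_hex(8)


def randomize_trusted(template: str, secret: str) -> str:
    """Step 1: rename every script tag the developer wrote, e.g. <script-3f9a...>.
    This runs BEFORE user data is inserted, so only trusted tags receive the secret."""
    return PLAIN_SCRIPT_RE.sub(lambda m: f"<{m.group(1)}script-{secret}", template)


def render(template: str, user_data: str, secret: str) -> str:
    """Step 2: substitute untrusted data into the already-randomized template."""
    return randomize_trusted(template, secret).format(comment=user_data)


def filter_and_restore(document: str, secret: str) -> tuple[str, int]:
    """Step 3: every script tag that does not carry this response's secret is
    untrusted (it arrived via user data) and is neutralised by escaping its '<'.
    Step 4: trusted tags have the secret stripped so the browser sees normal HTML.
    Returns (clean_html, number_of_untrusted_opening_script_tags) for logging."""
    blocked = 0

    def fix(m: re.Match) -> str:
        nonlocal blocked
        slash, tag_secret = m.group(1), m.group(2)
        if tag_secret == secret:
            return f"<{slash}script"       # trusted: de-randomize
        if not slash:
            blocked += 1                   # count opening tags only
        return "&lt;" + m.group(0)[1:]     # untrusted: shown as text, never executed

    return ANY_SCRIPT_RE.sub(fix, document), blocked


def serve_page(user_data: str) -> tuple[str, int]:
    """Full pipeline for one response: randomize -> render -> filter -> restore."""
    secret = new_secret()
    return filter_and_restore(render(TRUSTED_TEMPLATE, user_data, secret), secret)


if __name__ == "__main__":
    # Constructed untrusted input: a stored comment carrying a script tag.
    page, blocked = serve_page("<script>alert('injected')</script>nice post")
    print(page)
    print(f"blocked untrusted script tags: {blocked}")
```

Because the secret is generated per response and stripped again before delivery, the client never sees a value that could be replayed, which is what keeps the trusted/untrusted distinction sound; reusing one token across responses would lose that property. The filter is a second layer beside ordinary output encoding of user data, not a replacement for it, and a real deployment has to cover every HTML construct that can carry script rather than only the <script> element, which is the scope the thesis describes for RANDJS.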
Keywords/Search Tags: Randomization, Code Injection Attack, XSS Attack, Mimic Defense, DHR Architecture