XSS Vulnerability Detection Model Based on Dynamic Analysis
Abstract
To address the problem that reducing the false-negative rate in dynamic XSS vulnerability detection leads to low detection efficiency, a new XSS vulnerability detection model is proposed. The model consists of five parts: payload unit generation, bypass rule selection, probe payload testing, payload unit combination testing, and payload unit individual testing. Attack payloads are cut into units of different classes according to each unit's position and function type, and rules are defined for combining the units into complete attack payloads. A probe payload is used to judge whether a detection point may be vulnerable; combinations of payload units and bypass rules are then placed into the detection point through combination testing and individual testing, and targeted complete attack payloads are generated from the test results. Experimental results show that the model tests a larger number of attack payloads with fewer test requests, effectively reducing the false-negative rate while maintaining high detection efficiency.
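Source: Computer Engineering (计算机工程), 2018, 44(10): 34-41 [Extended Database]
DOI: 10.19678/j.issn.1000-3428.0051222
Keywords: vulnerability detection; XSS attack; dynamic analysis; black-box testing; Web security
Affiliations:
1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876
2. Guizhou Provincial Key Laboratory of Public Big Data, Guizhou University, Guiyang 550025
Language: Chinese
Document type: Research article
ISSN: 1000-3428
Subject: Automation technology, computer technology
Funding: Guizhou Province Major Science and Technology Special Project; Open Project Fund of the Guizhou Provincial Key Laboratory of Public Big Data
CSCD accession number: CSCD:6345008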