The Design and Implementation of the Random HTML Tags and Attributes-Based XSS Defence System
Abstract
At present, cross-site scripting (XSS) is still one of the biggest threats to Internet security, yet defences still rely mostly on feature matching, that is, checking all submitted information for matches and filtering it. Filtering technology, however, has many disadvantages, such as heavy workload, complex operation and high risk. For this reason, our system makes innovative use of randomization of HTML tags and attributes: based on the prefix of each HTML tag and attribute, it determines whether the tag or attribute is one the Web designer expected to generate or one inserted by another user, and then applies a different policy according to the result. Only tags and attributes that the Web designer expected to generate can be rendered and executed. In this way, we can defend against XSS attacks completely. The test results show that the system is able to solve a variety of problems in filtering technology. Its operation is simple and convenient and its effect is safe and secure, which frees developers from heavy filtering work. The system has good compatibility and portability across platforms, and it can connect seamlessly with all web-based applications. In all, the system defends against XSS better and meets the needs of today's XSS defence.
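A minimal sketch of the prefix check the abstract describes, added here as an example; it is not the paper's implementation, and the prefix format and the names `new_prefix`, `PrefixRenderer` and `render` are assumptions. Template markup carries a per-response random prefix, and any tag or attribute without it is treated as user-inserted and never reaches the browser as markup.

```python
import html
import secrets
from html.parser import HTMLParser


def new_prefix():
    # Assumed format: one unguessable prefix per response, starting with a
    # letter so that prefixed names still parse as tag names.
    return "r" + secrets.token_hex(8) + "-"


class PrefixRenderer(HTMLParser):
    """Emit only tags/attributes carrying the prefix; neutralise the rest."""

    def __init__(self, prefix):
        super().__init__()  # convert_charrefs=True: text arrives unescaped
        self.prefix, self.out = prefix, []

    def _trusted(self, name):
        return name.startswith(self.prefix) and len(name) > len(self.prefix)

    def handle_starttag(self, tag, attrs):
        if not self._trusted(tag):
            # No prefix: user-inserted tag, shown as inert text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        parts = [tag[len(self.prefix):]]
        for name, value in attrs:
            if self._trusted(name):  # unprefixed attributes are dropped
                name = name[len(self.prefix):]
                parts.append(name if value is None
                             else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        raw = f"</{tag}>"
        self.out.append(f"</{tag[len(self.prefix):]}>" if self._trusted(tag)
                        else html.escape(raw))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def render(markup, prefix):
    parser = PrefixRenderer(prefix)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Comments, declarations and processing instructions are dropped because the parser's default handlers ignore them, so the renderer fails closed on anything it does not explicitly re-emit.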
