Computer Applications and Software (计算机应用与软件)
2015, No. 8, pp. 272-275 (4 pages)
Keywords: XSS vulnerability; dynamic testing; legal vectors; attack vectors
Abstract (translated from the Chinese original): XSS (Cross-site Scripting) vulnerabilities are among the most serious vulnerabilities in Web applications. To address the shortcomings of existing dynamic detection methods in detection efficiency, this paper proposes a high-efficiency detection method. Before testing with attack vectors, legal (benign) vectors are submitted first, to rule out pages that definitely contain no XSS vulnerability and to collect information about input points, output points and output-point types. During testing with attack vectors, only the attack vectors corresponding to the output-point type need to be submitted for further testing, which avoids traversing all attack vectors. In addition, only the page of the corresponding output point needs to be searched for the specific data, which effectively avoids traversing all pages. Experiments show that the method is very effective in improving efficiency.
Abstract (authors' English version): Cross-site scripting (XSS) vulnerability is one of the top web application vulnerabilities. In this paper, we analyse the inadequacy of existing dynamic analysis methods in detecting XSS vulnerabilities and propose a high-efficiency detection method. Before using attack vectors to test, we first submit legal vectors for testing, in order to exclude the pages that definitely have no XSS vulnerabilities and to collect information about input points, output points and the types of output points. In the process of testing with attack vectors, only the attack vectors correlated with the output point type need to be submitted for further testing, which avoids traversing all the attack vectors. In addition, by looking for the specific data only in the page corresponding to the output point, it is able to effectively avoid traversing all the pages. Experiments show that the proposed method is very effective in improving the efficiency of XSS vulnerability detection.
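The first phase of the two-phase method described in the abstract, as an added example that is not code from the paper or its authors: a unique benign token (a "legal vector") is submitted per input point, each page is checked for where the token is reflected, the reflection context is classified as the output-point type, and that type selects the class of follow-up test, so pages that reflect nothing are dropped and no attack vector is ever tried blindly. The application, its pages, its input points and the follow-up classes are constructed stand-ins.

```python
import re
import secrets

# Constructed stand-in for the application under test: each page template
# reflects submitted parameters without escaping (one output point per
# reflection). A real scanner would submit the probe over HTTP instead.
PAGES = {
    "/search": "<html><body><p>Results for: {q}</p></body></html>",
    "/profile": '<html><body><input name="nick" value="{nick}">'
                '<script>var u = "{nick}";</script></body></html>',
    "/about": "<html><body><p>Static page, reflects nothing.</p></body></html>",
}
INPUT_POINTS = ["q", "nick"]

# Output-point type -> class of follow-up test; phase two submits only the
# vectors of that class instead of iterating over every attack vector.
FOLLOWUP_CLASS = {
    "html_text": "tag-injection vectors",
    "attribute": "attribute-breakout vectors",
    "script": "js-string-breakout vectors",
}

def render(path, params):
    """Simulate the server: substitute parameters into the page template."""
    return re.sub(r"\{(\w+)\}", lambda m: params.get(m.group(1), ""), PAGES[path])

def classify_context(page, pos):
    """Type of the output point at offset `pos` of the rendered page."""
    before = page[:pos]
    if before.rfind("<script") > before.rfind("</script>"):
        return "script"
    if before.rfind("<") > before.rfind(">"):  # still inside a tag: attribute value
        return "attribute"
    return "html_text"

def legal_vector_phase():
    """Phase one: submit a unique benign token per input point, then record
    (page, input, context, follow-up class) for every place a token is
    reflected. Pages that reflect no token need no attack-vector testing."""
    tokens = {name: "lv" + secrets.token_hex(4) for name in INPUT_POINTS}
    findings = []
    for path in PAGES:
        page = render(path, tokens)
        for name, tok in tokens.items():
            for m in re.finditer(re.escape(tok), page):
                ctx = classify_context(page, m.start())
                findings.append((path, name, ctx, FOLLOWUP_CLASS[ctx]))
    return findings
```

The returned list is exactly the information the abstract says phase one collects: input point, output point (page), and output-point type, with `/about` absent because it reflects nothing.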