CN103577188A - Method and device for preventing cross site scripting attack - Google Patents

Info

Publication number: CN103577188A
Authority: CN (China)
Prior art keywords: environment, variable, template file, escape, escape mode
Legal status: Granted (Active)
Application number: CN201310507467.0A
Other languages: Chinese (zh)
Other versions: CN103577188B (en)
Inventor: 李成银
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310507467.0A; published as CN103577188A; application granted and published as CN103577188B

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and a device for preventing cross-site scripting attacks, belonging to the technical field of website design. The method comprises the following steps: performing lexical analysis on a website design template file to obtain the user interface (UI) variables of the template file; obtaining the semantic environment of each UI variable in the template file; obtaining the escape mode corresponding to the semantic environment of each UI variable; and adding the escape modes to the template file where the UI variables are located, so that after the template file with the added escape modes goes online, the corresponding UI variables are escaped according to those escape modes. With the method and device, the output safety of UI variables is improved, so that cross-site scripting attacks can be effectively prevented.

Description

Method and device for defending against cross-site scripting attacks
Technical field
The present invention relates to the field of web page design, and in particular to a method and device for defending against cross-site scripting attacks.
Background technology
In web development, as the number of places where users can enter input keeps growing, the security problems caused by user input become more and more serious. A common one is cross-site scripting (Cross Site Scripting, XSS): a malicious attacker embeds malicious HTML code in a web page, and when a user browses that page the embedded HTML code is executed, achieving the attacker's particular purpose. XSS attacks can steal user accounts, obtain administrator rights and cause very serious consequences, so solving XSS problems quickly and safely is extremely important in web development.
One prior-art scheme is to scan the online service with tools: malicious code is submitted during the scan, and if the returned content does not strip or transcode the content corresponding to that malicious code, the website has an XSS problem. Although this scheme can find some problems on the live site, it has the following shortcomings: the code is only scanned after it goes live, so some vulnerabilities may already have been exploited; and scanning is a black-box mechanism that cannot find every problem.
Another prior-art scheme is for the back-end logic layer to apply a uniform transcoding to the user interface (UI) variables that are passed into the web page design template. This transcoding uses a general-purpose escape function and tries to let UI variables be passed into the template as safely as possible. In practice, however, it was found that many XSS problems still remain after adopting this scheme.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and device for defending against cross-site scripting attacks that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a method of defending against cross-site scripting attacks is provided, comprising:
performing lexical analysis on a web page design template file to obtain the user interface (UI) variables in the template file;
obtaining the semantic environment in which each UI variable is located in the template file;
obtaining the escape mode corresponding to the semantic environment of each UI variable;
adding the escape mode to the template file where the UI variable is located, so that after the template file with the added escape modes goes live, the corresponding UI variable is escaped according to that escape mode.
Optionally, the semantic environment comprises one or more of the following:
HTML environment: the UI variable is used in an HTML page tag or in a tag attribute value;
JS environment: the UI variable is used in JS code;
Data environment: the UI variable is used in a string inserted into innerHTML in the JS environment;
URL environment: the UI variable is used in a parameter of a link address URL in the template;
Event environment: the UI variable is used in an event function parameter of an HTML page tag;
Callback environment: the UI variable is a callback parameter passed from the browser side.
Optionally, the method further comprises establishing a correspondence between semantic environments and escape modes;
and obtaining the escape mode corresponding to the semantic environment of each UI variable comprises obtaining it according to that correspondence.
Optionally, the template file is a Smarty template file.
According to another aspect of the invention, a device for defending against cross-site scripting attacks is provided, comprising:
a lexical analysis unit, adapted to perform lexical analysis on a web page design template file to obtain the user interface (UI) variables in the template file;
a semantic environment acquiring unit, adapted to obtain the semantic environment in which each UI variable is located in the template file;
an escape mode acquiring unit, adapted to obtain the escape mode corresponding to the semantic environment of each UI variable;
an escape mode adding unit, adapted to add the escape mode to the template file where the UI variable is located, so that after the template file with the added escape modes goes live, the corresponding UI variable is escaped according to that escape mode.
Optionally, the semantic environment comprises one or more of the following:
HTML environment: the UI variable is used in an HTML page tag or in a tag attribute value;
JS environment: the UI variable is used in JS code;
Data environment: the UI variable is used in a string inserted into innerHTML in the JS environment;
URL environment: the UI variable is used in a parameter of a link address URL in the template;
Event environment: the UI variable is used in an event function parameter of an HTML page tag;
Callback environment: the UI variable is a callback parameter passed from the browser side.
Optionally, the device further comprises a correspondence establishing unit, adapted to establish the correspondence between semantic environments and escape modes;
and the escape mode acquiring unit is further adapted to obtain the escape mode corresponding to the semantic environment of each UI variable according to that correspondence.
Optionally, the template file is a Smarty template file.
According to the technical scheme of the embodiments of the present invention, the template code is analysed to find the UI variables output in it, the semantic environment of each UI variable in the template file is correctly identified, and the escape mode corresponding to that semantic environment is appended in the template file. By escaping at the template layer in combination with the semantic environment, the security of UI variable output is improved, so that cross-site scripting attacks are effectively defended against.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention may be better understood and implemented according to the specification, and so that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method of defending against cross-site scripting attacks according to an embodiment of the invention;
Fig. 2 shows a structural diagram of a device for defending against cross-site scripting attacks according to an embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
To defend against cross-site scripting attacks, one prior-art scheme has the back-end logic layer apply a uniform transcoding to the UI variables passed into the web page design template, using a general-purpose escape function; with this scheme many XSS problems remain.
Investigating this problem through theoretical analysis and a large number of experiments, the inventors found that this scheme escapes at the logic layer. Although that makes the output of many UI variables safe, the logic layer cannot perceive the semantic environment in which a UI variable sits in the template, so it can only apply one uniform transcoding to all UI variables. As a result, the escape mode (escape function) used for some UI variables is incorrect or inaccurate, and the output of those UI variables still has security problems.
Therefore, the embodiments of the present invention provide a method and device for defending against cross-site scripting attacks: the template code is analysed to find the UI variables output in it, the semantic environment of each UI variable in the template file is correctly identified, and the escape mode corresponding to that semantic environment is appended in the template file. By escaping at the template layer in combination with the semantic environment, each UI variable can be escaped with the correct escape mode, the security of UI variable output is improved, and cross-site scripting attacks are effectively defended against.
Fig. 1 shows a flow chart of a method of defending against cross-site scripting attacks according to an embodiment of the invention. With reference to Fig. 1, the method may comprise:
Step 102: perform lexical analysis on the web page design template file to obtain the user interface (UI) variables in the template file.
A template is a strategy for separating the data presentation layer from the logic layer: the presentation layer displays page data in a predetermined way, and the logic layer is the source of the page data displayed. A web page design template is an HTML file into which the UI variables passed from the logic layer are embedded. A UI variable is the object that the UI resolves and the carrier through which the page obtains its dynamic data. The template file may be a Smarty template file or a template file of another type.
Performing lexical analysis on the template file yields the UI variables in it. There are many lexical analysis algorithms for obtaining the UI variables contained in a template file, and the embodiments of the present invention do not restrict the specific algorithm.
Step 104: obtain the semantic environment in which each UI variable is located in the template file.
As mentioned above, a template file is an HTML file with embedded UI variables; statements of the same type in the HTML file, or predetermined parts of such statements, can be treated as one kind of semantic environment.
Step 106: obtain the escape mode corresponding to the semantic environment of each UI variable.
Step 108: add the escape mode to the template file where the UI variable is located, so that after the template file with the added escape modes goes live, the corresponding UI variable is escaped according to that escape mode.
According to the above embodiment, because UI variables are escaped at the template layer, escaping can be done in combination with the semantic environment of each UI variable. Compared with the prior art, which escapes with one uniform escape mode, the escape modes are refined, so exactly the right escape mode (escape function) is used, the security of UI variable output is improved, and cross-site scripting attacks are effectively defended against.
Optionally, the method further comprises establishing a correspondence between semantic environments and escape modes, so that in step 106 the escape mode corresponding to the semantic environment of each UI variable can be obtained according to that correspondence.
For example, the template file is a Smarty template file rendered by the Smarty engine, and in the Smarty template file the left and right delimiters of a UI variable are {% and %}; for instance {%$title%} and {%$smarty.get.callback%} are UI variables. In a Smarty template file, the correspondence between semantic environments and escape modes is as follows:
1. HTML environment
In this environment the UI variable is used in an HTML page tag or in a tag attribute value, for example:
<title>{%$title%}</title>
or
<input type="text" value="{%$value%}" name="f_name"/>
In this environment the characters <, >, " and ' need to be escaped to &lt;, &gt;, &quot; and &#39; respectively. The correspondence between the characters to be escaped and the escaped characters can be stored (encapsulated) as an escape mode in a file, for example escape_html; that is, escape_html is the escape mode file for the HTML environment.
2. JS environment
In this environment the UI variable is used in JS (JavaScript) code, within a <script>...</script> tag, for example:
<script>
var name="{%$name%}";
</script>
In this environment the characters \, ', ", /, newline (\n) and carriage return (\r) need to be escaped to \\, \x27, \x22, \/, \n and \r respectively. The correspondence between the characters to be escaped and the escaped characters can be stored (encapsulated) as an escape mode in a file, for example escape_js; that is, escape_js is the escape mode file for the JS environment.
3. Data environment
In this environment the UI variable is used in a string inserted into innerHTML in the JS environment, for example:
<script>
QW.g("tip").innerHTML = "Hello! Welcome " + "{%$value%}";
</script>
In this environment the characters \, <, >, ", ', newline, carriage return and / need to be escaped to \\, &lt;, &gt;, &quot;, &#39;, \n, \r and \/ respectively. The correspondence between the characters to be escaped and the escaped characters can be stored (encapsulated) as an escape mode in a file, for example escape_data; that is, escape_data is the escape mode file for the Data environment.
4. URL environment
In this environment the UI variable is used in a parameter of a link address URL in the template, for example:
<a href="{%$path%}" target="_blank">welefen</a>
In this environment special characters such as Chinese characters need to be escaped to entity characters. The correspondence between the special characters to be escaped and the escaped characters can be stored (encapsulated) as an escape mode in a file, for example escape_url; that is, escape_url is the escape mode file for the URL environment.
5. Event environment
In this environment the UI variable is used in an event function parameter of an HTML page tag, for example:
<body>
<input type="button" onclick="checkV('{%$arg%}')" value="submit"/>
</body>
In this environment the characters \, &, <, >, ", ', newline, carriage return and / need to be escaped to \\, &amp;, &lt;, &gt;, &quot;, &#39;, \n, \r and \/ respectively. The correspondence between the characters to be escaped and the escaped characters can be stored (encapsulated) as an escape mode in a file, for example escape_event; that is, escape_event is the escape mode file for the event environment.
6. Callback environment
In this environment the UI variable is the callback parameter passed from the browser side, for example:
{%$smarty.get.callback%}()
It is generally obtained through $smarty.get.callback, and special characters such as space, <, >, ", ', / and + need to be filtered out (deleted). The correspondence between the characters to be escaped and the escaped characters (here empty) can be stored (encapsulated) as an escape mode in a file, for example escape_callback; that is, escape_callback is the escape mode file for the callback environment.
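The six escape modes above, written out as an added Python example (not code from the patent or from Smarty): each character table is applied in one pass, escape_url and escape_callback encode the page's loosely specified rules as labelled assumptions, and the last lines show why the uniform logic-layer escaping criticised earlier fails, since an HTML escaper leaves the characters that matter inside a JS string untouched.

```python
import re
from urllib.parse import quote

# Character tables reconstructed from sections 1 to 6. Each maps one input
# character to its replacement; str.translate applies a table in a single pass,
# so a replacement never gets re-escaped by a later rule.
HTML_TABLE = {"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
JS_TABLE = {"\\": "\\\\", "'": "\\x27", '"': "\\x22", "/": "\\/",
            "\n": "\\n", "\r": "\\r"}
DATA_TABLE = {"\\": "\\\\", "<": "&lt;", ">": "&gt;", '"': "&quot;",
              "'": "&#39;", "\n": "\\n", "\r": "\\r", "/": "\\/"}
EVENT_TABLE = {"\\": "\\\\", "&": "&amp;", "<": "&lt;", ">": "&gt;",
               '"': "&quot;", "'": "&#39;", "\n": "\\n", "\r": "\\r", "/": "\\/"}


def _translation(table):
    return {ord(src): dst for src, dst in table.items()}


_HTML, _JS, _DATA, _EVENT = (_translation(t) for t in
                             (HTML_TABLE, JS_TABLE, DATA_TABLE, EVENT_TABLE))


def escape_html(value: str) -> str:
    """HTML environment: text inside a tag or a quoted attribute value."""
    return value.translate(_HTML)


def escape_js(value: str) -> str:
    """JS environment: a JavaScript string literal inside <script>."""
    return value.translate(_JS)


def escape_data(value: str) -> str:
    """Data environment: a JS string later assigned to innerHTML, so both the
    JS string syntax and the HTML it will be parsed as are neutralised."""
    return value.translate(_DATA)


def escape_event(value: str) -> str:
    """Event environment: a JS string inside an on* attribute. The browser
    HTML-decodes the attribute before running the JS, hence & is escaped too."""
    return value.translate(_EVENT)


def escape_url(value: str) -> str:
    """URL environment. The page only says special characters such as Chinese
    are escaped; percent-encoding everything except URL structure characters
    is this example's assumption."""
    return quote(value, safe="/:?=&#")


# Assumption: the page deletes space < > " ' / + "and similar"; an allow-list
# of identifier characters is the strict reading of that rule.
_CALLBACK_DISALLOWED = re.compile(r"[^A-Za-z0-9_.$]")


def escape_callback(value: str) -> str:
    """Callback environment: keep only characters a JSONP function name may use."""
    return _CALLBACK_DISALLOWED.sub("", value)


# The environment-to-escape-mode correspondence of the patent.
ESCAPERS = {"html": escape_html, "js": escape_js, "data": escape_data,
            "url": escape_url, "event": escape_event, "callback": escape_callback}


def escape_for(env: str, value: str) -> str:
    """Escape a UI variable value according to its semantic environment."""
    return ESCAPERS[env](value)


def uniform_escape_is_wrong_for_js(value: str) -> bool:
    """True when escape_html (the 'uniform' mode) would leave a line break or
    backslash inside a JS string while escape_js would not."""
    html_out, js_out = escape_html(value), escape_js(value)
    return any(c in html_out for c in "\n\r\\") and not any(c in js_out for c in "\n\r")


if __name__ == "__main__":
    sample = "O'Neil <b>\"hi\"</b>\n"  # constructed input
    for env in ESCAPERS:
        print(f"{env:9} {escape_for(env, sample)!r}")
```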
An application example of the present invention is given below.
Suppose the template file has the following code:
{%$smarty.get.callback%}({%$pars|no_escape%})
<div>{%$name%}</div>
<div title="{%$title%}">welefen</div>
<a href="{%$url%}">welefen</a>
<a onclick="foo('{%$bar%}')">suredy</a>
<script type="text/javascript">
var value='{%$js_value%}';
</script>
The above template file is a section of HTML text containing Smarty template syntax. Lexical analysis of its content shows that the UI variables are: $smarty.get.callback, $pars, $name, $title, $url, $bar and $js_value. In addition, for a UI variable in the template file that does not need to be escaped (for example a safe variable), a corresponding marker such as no_escape can be added after the variable. In the above template file, $pars is a safe variable; the no_escape modifier added after it indicates that this variable does not need escaping.
According to the semantic environments listed above:
1. the variables in the HTML environment are: $pars, $name, $title
2. the variable in the JS environment is: $js_value
3. the variable in the URL environment is: $url
4. the variable in the event environment is: $bar
5. the variable in the callback environment is: $smarty.get.callback
Exemplary code for analysing the semantic environment of the UI variables is given in the patent as two figures (not reproduced here).
Because the no_escape modifier has been added after the $pars variable, it is marked as a safe variable and does not need escaping.
Once the semantic environment of each UI variable has been analysed, the corresponding escape mode can be used to escape it; the content after escaping is:
{%$smarty.get.callback|escape_callback%}({%$pars|no_escape%})
<div>{%$name|escape_html%}</div>
<div title="{%$title|escape_html%}">welefen</div>
<a href="{%$url|escape_path%}">welefen</a>
<a onclick="foo('{%$bar|escape_event%}')">suredy</a>
<script type="text/javascript">
var value='{%$js_value|escape_js%}';
</script>
Once the automatically escaped code goes live, XSS problems can essentially be prevented.
Corresponding to the above method of defending against cross-site scripting attacks, the embodiments of the present invention also provide a device for implementing that method.
Fig. 2 shows a structural diagram of a device for defending against cross-site scripting attacks according to an embodiment of the invention. With reference to Fig. 2, the device may comprise a lexical analysis unit 10, a semantic environment acquiring unit 20, an escape mode acquiring unit 30 and an escape mode adding unit 40, wherein:
the lexical analysis unit 10 is adapted to perform lexical analysis on a web page design template file to obtain the user interface (UI) variables in the template file. The template file may be a Smarty template file or a template file of another type; performing lexical analysis on it yields the UI variables it contains. There are many lexical analysis algorithms for obtaining the UI variables in a template file, and the embodiments of the present invention do not restrict the specific algorithm.
The semantic environment acquiring unit 20 is adapted to obtain the semantic environment in which each UI variable is located in the template file. A template file is an HTML file with embedded UI variables; statements of the same type in the HTML file, or predetermined parts of such statements, can be treated as one kind of semantic environment.
The escape mode acquiring unit 30 is adapted to obtain the escape mode corresponding to the semantic environment of each UI variable.
The escape mode adding unit 40 is adapted to add the escape mode to the template file where the UI variable is located, so that after the template file with the added escape modes goes live, the corresponding UI variable is escaped according to that escape mode.
Optionally, the semantic environment comprises one or more of the following:
HTML environment: the UI variable is used in an HTML page tag or in a tag attribute value;
JS environment: the UI variable is used in JS code;
Data environment: the UI variable is used in a string inserted into innerHTML in the JS environment;
URL environment: the UI variable is used in a parameter of a link address URL in the template;
Event environment: the UI variable is used in an event function parameter of an HTML page tag;
Callback environment: the UI variable is a callback parameter passed from the browser side.
Optionally, the device further comprises a correspondence establishing unit (not shown), adapted to establish the correspondence between semantic environments and escape modes; the escape mode acquiring unit 30 is then further adapted to obtain the escape mode corresponding to the semantic environment of each UI variable according to that correspondence.
In summary, according to the technical scheme of the embodiments of the present invention, the template code is analysed to find the UI variables output in it, the semantic environment of each UI variable in the template file is correctly identified, and the escape mode corresponding to that semantic environment is appended in the template file. By escaping at the template layer in combination with the semantic environment, the security of UI variable output is improved, so that cross-site scripting attacks are effectively defended against. Moreover, this is carried out fully automatically, without manual intervention.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein, and from the description above the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language; it should be understood that various programming languages may be used to implement the content of the invention described here, and the above description of specific languages is given in order to disclose the best mode of the invention.
The specification provided here describes a large number of details. It will be understood, however, that embodiments of the invention may be practised without these details. In some instances, known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the inventive aspects, features of the invention are sometimes grouped together into a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Moreover, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for defending against cross-site scripting attacks according to the embodiments of the invention. The invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing part or all of the method described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Claims (8)

1. A method of defending against cross-site scripting attacks, comprising:
performing lexical analysis on a web page design template file to obtain the user interface (UI) variables in the template file;
obtaining the semantic environment in which each UI variable is located in the template file;
obtaining the escape mode corresponding to the semantic environment in which each UI variable is located;
adding said escape mode into the template file in which said UI variable is located, so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to said escape mode.
2. The method of claim 1, wherein said semantic environment comprises one or more of the following:
an HTML environment, in which the UI variable is used in an HTML page tag or in a tag attribute value;
a JS environment, in which the UI variable is used in JS code;
a Data environment, in which the UI variable is used in a string inserted via innerHTML in the JS environment;
a URL environment, in which the UI variable is used in a parameter of a link URL in the template;
an Event environment, in which the UI variable is used in an event function parameter of an HTML page tag;
a Callback environment, in which the UI variable is a callback parameter passed from the browser side.
3. The method of claim 1 or 2, further comprising: establishing a correspondence between semantic environments and escape modes;
wherein said obtaining the escape mode corresponding to the semantic environment in which each UI variable is located comprises: obtaining, according to said correspondence, the escape mode corresponding to the semantic environment in which each UI variable is located.
4. The method of claim 1, wherein said template file is a Smarty template file.
5. A device for defending against cross-site scripting attacks, comprising:
a lexical analysis unit, adapted to perform lexical analysis on a web page design template file to obtain the user interface (UI) variables in the template file;
a semantic environment acquiring unit, adapted to obtain the semantic environment in which each UI variable is located in the template file;
an escape mode acquiring unit, adapted to obtain the escape mode corresponding to the semantic environment in which each UI variable is located;
an escape mode adding unit, adapted to add said escape mode into the template file in which said UI variable is located, so that after the template file with the added escape mode goes online, the corresponding UI variable is escaped according to said escape mode.
6. The device of claim 5, wherein said semantic environment comprises one or more of the following:
an HTML environment, in which the UI variable is used in an HTML page tag or in a tag attribute value;
a JS environment, in which the UI variable is used in JS code;
a Data environment, in which the UI variable is used in a string inserted via innerHTML in the JS environment;
a URL environment, in which the UI variable is used in a parameter of a link URL in the template;
an Event environment, in which the UI variable is used in an event function parameter of an HTML page tag;
a Callback environment, in which the UI variable is a callback parameter passed from the browser side.
7. The device of claim 5 or 6, further comprising a correspondence establishing unit, adapted to establish a correspondence between semantic environments and escape modes;
wherein said escape mode acquiring unit is further adapted to obtain, according to said correspondence, the escape mode corresponding to the semantic environment in which each UI variable is located.
8. The device of claim 5, wherein said template file is a Smarty template file.
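The claimed procedure (lexical analysis of the template, classification of each UI variable by semantic environment, lookup of the escape mode, rewriting of the template) as an added example in Python; this is not the patent's own code. It assumes a Smarty-style `{$var}` syntax, uses Smarty's real `html`, `javascript` and `url` escape modes, and treats the chained modifiers chosen for the Event and Data environments as this example's assumption; the Callback environment, which is not detectable from the template text alone, is not handled.

```python
import re
# Added example, not the patent's code: scan a Smarty-style template, classify each
# {$var} by the semantic environment of claim 2, and append the matching escape modifier.
# 'html', 'javascript' and 'url' are real Smarty escape modes; the chained modifiers for
# the event and data environments are this example's assumption, not the patent's.
ESCAPE_MODE = {
    "html":  "|escape:'html'",
    "js":    "|escape:'javascript'",
    "url":   "|escape:'url'",
    "event": "|escape:'javascript'|escape:'html'",  # JS string literal inside an HTML attribute
    "data":  "|escape:'html'|escape:'javascript'",  # HTML fragment inside a JS string literal
}

VAR_RE = re.compile(r"\{\$(\w+)\}")                              # bare UI variable: {$name}
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(["'])((?:(?!\2).)*)$""")  # still-open attr="value

def classify(template, pos):
    """Return the semantic environment of the UI variable that starts at offset pos."""
    before = template[:pos]
    if before.lower().rfind("<script") > before.lower().rfind("</script>"):  # in <script>
        line = before[before.rfind("\n") + 1:]
        return "data" if "innerHTML" in line else "js"
    if before.rfind("<") > before.rfind(">"):            # inside an unclosed tag
        m = ATTR_RE.search(before[before.rfind("<"):])
        if m:
            name, value = m.group(1).lower(), m.group(3)
            if name.startswith("on"):                    # onclick="..." and friends
                return "event"
            if name in ("href", "src", "action") and "?" in value:
                return "url"                             # query-string parameter
    return "html"                                        # tag content or plain attribute

def analyze(template):
    """Lexical analysis: (variable name, semantic environment) for every UI variable."""
    return [(m.group(1), classify(template, m.start())) for m in VAR_RE.finditer(template)]

def add_escapes(template):
    """Rewrite the template so every UI variable carries the escape mode of its context."""
    def repl(m):
        return "{$" + m.group(1) + ESCAPE_MODE[classify(template, m.start())] + "}"
    return VAR_RE.sub(repl, template)

# Constructed sample template exercising the HTML, URL, Event, JS and Data environments.
SAMPLE = """<div title="{$title}">{$name}</div>
<a href="/search?q={$query}">go</a>
<button onclick="show('{$msg}')">x</button>
<script>
var user = '{$user}';
document.getElementById('box').innerHTML = '<b>{$body}</b>';
</script>
"""
```

Running `add_escapes(SAMPLE)` yields the same template with each variable rewritten, for example `{$query|escape:'url'}` in the link and `{$body|escape:'html'|escape:'javascript'}` in the innerHTML string.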
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201310507467.0A | CN103577188B (en) | 2013-10-24 | 2013-10-24 | The method and device of defence cross-site scripting attack

Publications (2)

Publication Number | Publication Date
CN103577188A (en) | 2014-02-12
CN103577188B (en) | 2016-11-16

Family

ID=50049037

Family Applications (1)

Application Number | Status | Publication | Title | Priority Date | Filing Date
CN201310507467.0A | Active | CN103577188B (en) | The method and device of defence cross-site scripting attack | 2013-10-24 | 2013-10-24

Country Status (1)

Country | Link
CN (1) | CN103577188B (en)

Also Published As

Publication Number | Publication Date
CN103577188B (en) | 2016-11-16

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
TR01 | Transfer of patent right | Effective date of registration: 20220714
 | | Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015
 | | Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
 | | Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
 | | Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
 | | Patentee before: Qizhi software (Beijing) Co.,Ltd.