CN112966264A - XSS attack detection method, device, equipment and machine-readable storage medium - Google Patents


Info

Publication number
CN112966264A
Authority
CN
China
Prior art keywords
xss attack
input
xss
abnormal
input data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110222949.6A
Other languages
Chinese (zh)
Inventor
杨洪起
金兆岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202110222949.6A
Publication of CN112966264A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure provides an XSS attack detection method, apparatus, device and storage medium. The method comprises: acquiring user input data and, according to a preset input box portrait, marking the input data as either legal input data or abnormal input that does not conform to the portrait; comparing the abnormal input with an XSS attack feature library and, according to the comparison result, marking it as either a static anomaly that does not match the library or an XSS attack that matches it; and analyzing the static anomaly by running it in a sandbox browser and, according to the analysis result, marking it as either an XSS attack or a dynamic anomaly. Because the input box portrait screens out most legal input data and XSS attack detection is performed only on abnormal input, computational cost is greatly reduced; combining the XSS attack feature library with sandbox browser run-time analysis lowers the false alarm rate and the missed detection rate and enables identification of and defense against unknown XSS attacks.

Description

XSS attack detection method, device, equipment and machine-readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to an XSS attack detection method, apparatus, device, and machine-readable storage medium.
Background
A regular expression (often abbreviated in code as regex, regexp or RE) is a concept from computer science. Regular expressions are usually used to retrieve and replace text that conforms to a certain pattern (rule). A regular expression is a logical formula for operating on character strings: predefined specific characters and combinations of them form a "rule string", which expresses a filtering logic for strings.
Based on cloud security big-data capabilities, a Web Application Firewall (WAF) defends against common OWASP attacks such as SQL injection, XSS (cross-site scripting), exploitation of vulnerabilities in common Web server plug-ins, Trojan uploads and unauthorized access to core resources, and filters massive malicious CC attacks, so that leakage of a website's asset data is avoided and the security and availability of the website are guaranteed.
XSS (Cross-Site Scripting) refers to cleverly injecting malicious instructions into a web page by exploiting a vulnerability left during web development, so that a user loads and executes a web page program crafted by the attacker, who thereby achieves goals such as unauthorized access and session cookie theft.
Current technical schemes for analyzing and detecting XSS attacks suffer from high computational cost or cannot identify unknown attacks.
Disclosure of Invention
In view of the above, the present disclosure provides an XSS attack detection method, an XSS attack detection apparatus, an electronic device and a machine-readable storage medium, so as to solve at least one of the following technical problems: high computational cost and the inability to identify unknown attacks.
The specific technical scheme is as follows:
The present disclosure provides an XSS attack detection method, applied to a server device, the method including: acquiring user input data and, according to a preset input box portrait, marking the input data as either legal input data or abnormal input that does not conform to the portrait; comparing the abnormal input with an XSS attack feature library and, according to the comparison result, marking it as either a static anomaly that does not match the library or an XSS attack that matches it; and analyzing the static anomaly by running it in a sandbox browser and, according to the analysis result, marking it as either an XSS attack or a dynamic anomaly.
In one technical solution, the input box portrait is generated by learning from collected legal input data.
In one technical solution, the XSS attack features of input data marked as an XSS attack are extracted and merged into the XSS attack feature library.
In one technical solution, an anomaly value of the dynamic anomaly is calculated, and dynamic anomalies whose anomaly value is greater than a threshold are output.
The present disclosure also provides an XSS attack detection apparatus, applied to a server device, the apparatus including: a portrait module, used for acquiring user input data and, according to a preset input box portrait, marking the input data as either legal input data or abnormal input that does not conform to the portrait; a static module, used for comparing the abnormal input with the XSS attack feature library and, according to the comparison result, marking it as either a static anomaly that does not match the library or an XSS attack that matches it; and a dynamic module, used for analyzing the static anomaly by running it in a sandbox browser and, according to the analysis result, marking it as either an XSS attack or a dynamic anomaly.
In one technical solution, the input box portrait is generated by learning from collected legal input data.
In one technical solution, the XSS attack features of input data marked as an XSS attack are extracted and merged into the XSS attack feature library.
In one technical solution, an anomaly value of the dynamic anomaly is calculated, and dynamic anomalies whose anomaly value is greater than a threshold are output.
The present disclosure also provides an electronic device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the processor executes the machine-executable instructions to implement the aforementioned XSS attack detection method.
The present disclosure also provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned XSS attack detection method.
The technical scheme provided by the disclosure at least brings the following beneficial effects:
Because the input box portrait screens out most legal input data and XSS attack detection is performed only on abnormal input, computational cost is greatly reduced. Combining the XSS attack feature library with sandbox browser run-time analysis lowers the false alarm rate and the missed detection rate while also enabling identification of and defense against unknown XSS attacks.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present disclosure or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present disclosure.
FIG. 1 is a flow diagram of an XSS attack detection method in one embodiment of the disclosure;
FIG. 2 is a block diagram of an XSS attack detection apparatus according to an embodiment of the disclosure;
FIG. 3 is a hardware configuration diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information in the embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The disclosure provides an XSS attack detection method and apparatus, an electronic device and a machine-readable storage medium, so as to solve at least one of the following technical problems: high computational cost and the inability to identify unknown attacks.
The specific technical scheme is as follows.
In an embodiment provided by the present disclosure, an XSS attack detection method is applied to a server device, the method including: acquiring user input data and, according to a preset input box portrait, marking the input data as either legal input data or abnormal input that does not conform to the portrait; comparing the abnormal input with an XSS attack feature library and, according to the comparison result, marking it as either a static anomaly that does not match the library or an XSS attack that matches it; and analyzing the static anomaly by running it in a sandbox browser and, according to the analysis result, marking it as either an XSS attack or a dynamic anomaly.
Specifically, as shown in FIG. 1, the method comprises the following steps:
Step S11: acquire user input data and, according to the preset input box portrait, mark the input data as either legal input data or abnormal input that does not conform to the portrait.
Step S12: compare the abnormal input with the XSS attack feature library and, according to the comparison result, mark it as either a static anomaly that does not match the library or an XSS attack that matches it.
Step S13: analyze the static anomaly by running it in the sandbox browser and, according to the analysis result, mark it as either an XSS attack or a dynamic anomaly.
Because the input box portrait screens out most legal input data and XSS attack detection is performed only on abnormal input, computational cost is greatly reduced. Combining the XSS attack feature library with sandbox browser run-time analysis lowers the false alarm rate and the missed detection rate while also enabling identification of and defense against unknown XSS attacks.
In one embodiment provided by the present disclosure, the input box portrait is generated by learning from collected legal input data.
In one embodiment provided by the present disclosure, the XSS attack features of input data marked as an XSS attack are extracted and merged into the XSS attack feature library.
In one embodiment provided by the present disclosure, an anomaly value of the dynamic anomaly is calculated, and dynamic anomalies whose anomaly value is greater than a threshold are output.
In one embodiment, the static XSS attack detection method does not need to run the web page or its scripts; it determines whether an XSS vulnerability exists in the web page, and whether an XSS attack exists in the running web page, by analyzing the web page's source code. When XSS attacks are detected with a static analysis method, the user input may be analyzed alone or in combination with the web page's source code. The dynamic XSS attack detection method is not concerned with the web page's source code; it determines whether an XSS attack exists in the running web page by analyzing the web page's running process and running result. The static-dynamic hybrid analysis method analyzes the source code, the running process and the running result of the web page together, thereby identifying XSS attacks in the running web page.
The XSS attack detection module can be deployed on the client, on the server, or on both at once. When deployed on the client, it can be a browser filter or plug-in, or a proxy server; when deployed on the server, it may be deployed directly on the Web server, or may be a reverse proxy such as a WAF (Web Application Firewall).
In feature-based XSS attack detection, security experts summarize the features of XSS attacks from historical attacks, construct an XSS attack feature library, and identify attacks contained in user input based on that library. In machine-learning-based XSS attack detection, machine learning experts train a detection model on collected malicious samples and then use the model to classify user input, thereby detecting XSS attacks. A machine learning detection model is typically trained for each XSS attack, and the corresponding XSS attack is detected with that model.
Static analysis methods detect XSS attacks by analyzing the user's input; they include feature-based methods and other methods (statistics-based, machine-learning-based, and so on), but they produce false alarms and missed detections, and their detection results cannot be reasonably explained. Feature-based XSS attack detection, which extracts features from existing XSS attacks, is interpretable but cannot identify unknown XSS attacks. Dynamic-analysis-based XSS attack detection identifies XSS attacks from the dynamic features of the running web page; although it is more accurate than static analysis, it incurs greater latency and computational overhead.
XSS attacks are divided into three types: reflected XSS attacks, stored XSS attacks and DOM-based XSS attacks. Reflected and stored XSS attacks exploit vulnerabilities of Web servers, while DOM-based XSS attacks exploit vulnerabilities of client browsers. An XSS attack detection method deployed on the client can detect all three types, but it is constrained by the client's computing resources and may degrade the client's web browsing experience. An XSS attack detection method deployed on the server can use the server's high-performance computing resources, but it can detect only reflected and stored XSS attacks and cannot detect DOM-based XSS attacks.
In the embodiment provided by the disclosure, the XSS attack detection method combines the input box portrait, static detection and dynamic detection. Introducing the input box portrait filters out the user's legal input, which reduces the computation required by subsequent XSS attack detection. In static XSS attack detection, known XSS attacks are identified through the XSS attack feature library, which reduces the computation required by dynamic XSS attack detection. In dynamic XSS attack detection, features of the running process and running result are extracted by actually running the web page, and detection is performed on the extracted features, which further improves detection accuracy. The method integrates multiple sandbox browsers on the server side and is a server-side XSS attack detection method. A server-side detection method can detect reflected and stored XSS attacks, and, by simulating the client's run-time conditions through the sandbox browsers, can also detect DOM-based XSS attacks, so the implementation provided by this disclosure can detect all three types of XSS attack.
When the preset input box portrait is generated by learning, the user input text of each input box is collected, and once a preset number of samples is reached, the legal-input portrait of each input box is constructed. The input box portrait takes the form of a set of regular expressions. For example, for an account login input box that accepts a username, phone number or mailbox, its static input portrait can be represented by three regular expression sets. When input data is collected, only input data that both static detection and dynamic detection consider legal is collected; in addition, a statistics-based outlier detection method is applied to this input data to eliminate abnormal input. After filtering by these two methods, the input text used to build the portrait is considered free of XSS attacks, which avoids polluting the preset input box portrait.
Real-time anomaly detection is performed on the input data extracted by the server, according to the portrait of the corresponding input box. If the input data is recognized by a regular expression in the input box portrait, the input data is legal; if it is recognized by none of the regular expressions in the input box portrait, the input data is abnormal.
First, the user's abnormal input is identified based on each input box portrait. This step filters out the large volume of legal user input, so that only a small amount of abnormal input enters the static XSS attack detection process.
Second, known XSS attacks are found in the user's abnormal input. This step analyzes the result of the first step by static analysis based on the XSS attack feature library. After this analysis, abnormal input confirmed to be an XSS attack is marked as an XSS attack, and abnormal input that cannot be confirmed to be an XSS attack is marked as a static anomaly and sent on to dynamic XSS attack detection.
Third, XSS attacks among the static anomalies are detected by a dynamic detection method. The web page is run in simulation with legal input in a sandbox browser, and dynamic features such as calling/called functions, function parameters, function return values, variables, variable types and objects are extracted to form the input box's dynamic detection portrait. The user's web page is then run in simulation in the sandbox browser, the same kinds of dynamic features are extracted, and the extracted input dynamic features are matched against the input box's dynamic detection portrait to identify whether the running web page and the corresponding user input constitute an XSS attack. Input identified as an XSS attack is marked as an XSS attack; otherwise it is marked as a dynamic anomaly. After analysis and judgment, the attack features of the XSS attack can be added to the XSS attack feature library.
The anomaly value of each dynamic anomaly is then analyzed. Specifically, a calculation formula combining the input features is preset as needed; each abnormal feature of the dynamic anomaly is substituted into the formula to calculate the anomaly value; and an anomaly value threshold is set. Dynamic anomalies whose anomaly value is higher than or equal to the threshold are output for further analysis, and dynamic anomalies whose anomaly value is lower than the threshold are judged to be normal input.
The sandbox includes multiple browsers for simulating the different types of browsers on the client side, thereby detecting and identifying DOM-based XSS attacks.
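The three stages described above, chained into one triage routine, as an added Python example that is not part of the patent text. Assumptions: the regular expressions, the feature library entries, the `call:`/`object:`/`var:` feature naming, the rule that an unexpected function call marks an attack, the weights and threshold, and the constructed traces that stand in for a real sandbox browser.

```python
import re


class XssTriage:
    """Input box portrait -> static feature library -> sandbox comparison."""

    def __init__(self, portraits, library, dynamic_portraits, sandbox,
                 weights, threshold):
        self.portraits = portraits                  # box -> compiled regexes
        self.library = list(library)                # XSS attack feature library
        self.dynamic_portraits = dynamic_portraits  # box -> features of legal runs
        self.sandbox = sandbox                      # callable(box, value) -> features
        self.weights = weights                      # feature kind -> weight (assumed)
        self.threshold = threshold                  # anomaly value threshold (assumed)
        self.sandbox_runs = 0                       # how often stage 3 was needed

    def classify(self, box, value):
        """Return (label, stage), stage being the step that made the decision."""
        # Stage 1: legal if any portrait regex matches the WHOLE value.
        # fullmatch() is essential: with search(), "alice<script>" would be
        # accepted as a username and never reach detection.
        if any(rx.fullmatch(value) for rx in self.portraits[box]):
            return ("legal", 1)

        # Stage 2: known attack if a library feature occurs anywhere in the value.
        if any(rx.search(value) for rx in self.library):
            return ("xss_attack", 2)

        # Stage 3: static anomaly. Run it in the sandbox and keep only the
        # features that never appear when the page runs with legal input.
        self.sandbox_runs += 1
        unseen = set(self.sandbox(box, value)) - self.dynamic_portraits[box]

        # Assumed rule: a function call absent from the dynamic portrait means
        # the input caused script execution, so it is marked as an XSS attack.
        if any(f.startswith("call:") for f in unseen):
            # Merge the attack into the feature library. The literal value is
            # used here; the page does not specify how features are extracted.
            self.library.append(re.compile(re.escape(value), re.I))
            return ("xss_attack", 3)

        # Anything else is a dynamic anomaly: score it, then apply the threshold
        # (>= threshold is output for analysis, below is treated as normal).
        score = sum(self.weights.get(f.split(":", 1)[0], 1) for f in unseen)
        label = "dynamic_anomaly" if score >= self.threshold else "normal"
        return (label, 3)


# --- Constructed sample data (not from the patent) ---------------------------
LOGIN_PORTRAIT = [
    re.compile(r"[A-Za-z][A-Za-z0-9_]{2,31}"),                      # username
    re.compile(r"\+?[0-9]{7,15}"),                                  # phone number
    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),  # mailbox
]
# Deliberately incomplete library, so one sample reaches stage 3 as "unknown".
FEATURE_LIBRARY = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
]
# Features recorded when the login page runs with legal input.
LEGAL_RUN = frozenset({"call:document.getElementById", "call:fetch",
                       "var:username:string"})
# Stand-in for the sandbox browser: constructed traces keyed by input value.
CONSTRUCTED_TRACES = {
    "<img src=x onerror=alert(1)>": LEGAL_RUN | {"call:alert",
                                                 "object:HTMLImageElement"},
    "<b>bob</b>": LEGAL_RUN | {"object:HTMLElement"},
}


def constructed_sandbox(box, value):
    """Return the constructed trace for value, or the legal trace by default."""
    return CONSTRUCTED_TRACES.get(value, LEGAL_RUN)


def build_demo():
    return XssTriage(
        portraits={"login": LOGIN_PORTRAIT},
        library=FEATURE_LIBRARY,
        dynamic_portraits={"login": LEGAL_RUN},
        sandbox=constructed_sandbox,
        weights={"object": 2, "var": 1},
        threshold=2,
    )


if __name__ == "__main__":
    detector = build_demo()
    for sample in ["alice_01", "alice@example.com", "alice<script>",
                   "<img src=x onerror=alert(1)>", "<img src=x onerror=alert(1)>",
                   "<b>bob</b>", "O'Brien jr."]:
        print(f"{sample!r:34} -> {detector.classify('login', sample)}")
    print("sandbox runs:", detector.sandbox_runs)
```

The second submission of the same value is decided at stage 2, which is the feedback loop into the feature library; `sandbox_runs` shows how few inputs reach the expensive stage.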
In an embodiment provided by the present disclosure, an XSS attack detection apparatus, as shown in FIG. 2, is applied to a server device, the apparatus including: a portrait module 21, used for acquiring user input data and, according to a preset input box portrait, marking the input data as either legal input data or abnormal input that does not conform to the portrait; a static module 22, used for comparing the abnormal input with the XSS attack feature library and, according to the comparison result, marking it as either a static anomaly that does not match the library or an XSS attack that matches it; and a dynamic module 23, configured to analyze the static anomaly by running it in a sandbox browser and, according to the analysis result, mark it as either an XSS attack or a dynamic anomaly.
In one embodiment provided by the present disclosure, the input box portrait is generated by learning from collected legal input data.
In one embodiment provided by the present disclosure, the XSS attack features of input data marked as an XSS attack are extracted and merged into the XSS attack feature library.
In one embodiment provided by the present disclosure, an anomaly value of the dynamic anomaly is calculated, and dynamic anomalies whose anomaly value is greater than a threshold are output.
The device embodiments are the same or similar to the corresponding method embodiments and are not described herein again.
In one embodiment, the present disclosure provides an electronic device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor, and the processor executes the machine-executable instructions to implement the XSS attack detection method described above. At the hardware level, the hardware architecture may be as shown in FIG. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned XSS attack detection method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and so forth. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in practicing the disclosure.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but is not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an embodiment of the present disclosure, and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the scope of the claims of the present disclosure.

Claims (10)

1. An XSS attack detection method applied to a server device, the method comprising:
acquiring user input data and, according to a preset input frame portrait, marking the input data as either legal input data or abnormal input that does not conform to the preset input frame portrait;
comparing the abnormal input with an XSS attack feature library and, according to the comparison result, marking the abnormal input as either a static anomaly that does not match the XSS attack feature library or an XSS attack that matches the XSS attack feature library;
and analyzing the static anomaly by running a sandbox browser, and marking the static anomaly as either an XSS attack or a dynamic anomaly according to the analysis result.
2. The method of claim 1, wherein the input frame portrait is learned from collected legal input data.
3. The method of claim 1, wherein XSS attack features of input data tagged as an XSS attack are extracted and incorporated into an XSS attack feature library.
4. The method of claim 1, wherein an anomaly value of the dynamic anomaly is calculated, and the dynamic anomaly having the anomaly value greater than a threshold is output.
5. An XSS attack detection apparatus, applied to a server device, the apparatus comprising:
a portrait module, configured to acquire user input data and, according to a preset input frame portrait, mark the input data as either legal input data or abnormal input that does not conform to the preset input frame portrait;
a static module, configured to compare the abnormal input with an XSS attack feature library and, according to the comparison result, mark the abnormal input as either a static anomaly that does not match the XSS attack feature library or an XSS attack that matches the XSS attack feature library;
and a dynamic module, configured to analyze the static anomaly by running a sandbox browser, and to mark the static anomaly as either an XSS attack or a dynamic anomaly according to the analysis result.
6. The apparatus of claim 5, wherein the input frame portrait is learned from collected legal input data.
7. The apparatus of claim 5, wherein XSS attack features of input data tagged as XSS attacks are extracted and incorporated into an XSS attack feature library.
8. The apparatus of claim 5, wherein an anomaly value of the dynamic anomaly is calculated, and the dynamic anomaly having the anomaly value greater than a threshold value is output.
9. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform the method of any one of claims 1 to 4.
10. A machine-readable storage medium having stored thereon machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any of claims 1-4.
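The decision flow of claims 1, 2 and 4, as an added example (not code from the patent or its applicant): the portrait is assumed to be a maximum length plus the set of character classes seen in legal samples, the anomaly value is assumed to be the fraction of characters outside that set, and the feature library and sample inputs are constructed. The sandbox browser is represented by a caller-supplied callable, `sandbox_executes`, that reports whether script ran.

```python
import re

def char_class(ch):
    """Letters, digits and whitespace collapse to a class; punctuation stays literal."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    return "space" if ch.isspace() else ch

def learn_profile(legal_samples):
    """Build the input-box portrait from collected legal inputs (claim 2)."""
    return {
        "max_len": max(len(s) for s in legal_samples),
        "classes": {char_class(c) for s in legal_samples for c in s},
    }

def deviates(value, profile):
    """True if the value is longer or uses character classes the portrait never saw."""
    return (len(value) > profile["max_len"]
            or any(char_class(c) not in profile["classes"] for c in value))

def anomaly_score(value, profile):
    """Fraction of characters outside the portrait (assumed scoring for claim 4)."""
    if not value:
        return 0.0
    return sum(char_class(c) not in profile["classes"] for c in value) / len(value)

def classify(value, profile, features, sandbox_executes):
    """Three-stage decision of claim 1; sandbox_executes is a caller-supplied callable."""
    if not deviates(value, profile):
        return "legal"
    if any(f.search(value) for f in features):
        return "xss_attack"              # matched the static feature library
    if sandbox_executes(value):          # static anomaly, sent for dynamic analysis
        return "xss_attack"
    return "dynamic_anomaly"

def report(values, profile, features, sandbox_executes, threshold):
    """Return dynamic anomalies whose score exceeds the threshold (claim 4)."""
    return [v for v in values
            if classify(v, profile, features, sandbox_executes) == "dynamic_anomaly"
            and anomaly_score(v, profile) > threshold]

# Constructed sample data: a display-name field and a three-entry feature library.
PROFILE = learn_profile(["alice", "bob_92", "carol smith"])
FEATURES = [re.compile(p, re.I) for p in (r"<\s*script\b", r"\bon\w+\s*=", r"javascript\s*:")]
```

Only inputs that fail the cheap portrait check reach the feature library, and only those that also miss every signature reach the sandbox, so the expensive dynamic stage sees a small fraction of traffic.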
CN202110222949.6A 2021-02-28 2021-02-28 XSS attack detection method, device, equipment and machine-readable storage medium Pending CN112966264A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110222949.6A CN112966264A (en) 2021-02-28 2021-02-28 XSS attack detection method, device, equipment and machine-readable storage medium

Publications (1)

Publication Number Publication Date
CN112966264A true CN112966264A (en) 2021-06-15

Family

ID=76275938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110222949.6A Pending CN112966264A (en) 2021-02-28 2021-02-28 XSS attack detection method, device, equipment and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN112966264A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8949990B1 (en) * 2007-12-21 2015-02-03 Trend Micro Inc. Script-based XSS vulnerability detection
CN104601540A (en) * 2014-12-05 2015-05-06 华为技术有限公司 Cross-site scripting (XSS) attack defense method and Web server
CN105516128A (en) * 2015-12-07 2016-04-20 中国电子技术标准化研究院 Detecting method and device of Web attack
CN107872463A (en) * 2017-11-29 2018-04-03 四川无声信息技术有限公司 A kind of WEB mails XSS attack detection method and relevant apparatus
CN110909160A (en) * 2019-10-11 2020-03-24 平安科技(深圳)有限公司 Regular expression generation method, server and computer readable storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113886829A (en) * 2021-12-08 2022-01-04 北京微步在线科技有限公司 Method and device for detecting defect host, electronic equipment and storage medium
CN113886829B (en) * 2021-12-08 2022-03-18 北京微步在线科技有限公司 Method and device for detecting defect host, electronic equipment and storage medium
CN114499968A (en) * 2021-12-27 2022-05-13 奇安信科技集团股份有限公司 XSS attack detection method and device
CN116132502A (en) * 2022-08-01 2023-05-16 马上消费金融股份有限公司 Webpage access processing method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210615