CN117034298A - XSS vulnerability detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN117034298A
CN117034298A
Authority
CN
China
Prior art keywords
nodes
xss
node
preset
character
Prior art date
Legal status
Pending
Application number
CN202311184662.4A
Other languages
Chinese (zh)
Inventor
吴曦
唐攀
Current Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Application filed by China Construction Bank Corp, CCB Finetech Co Ltd
Priority to CN202311184662.4A
Publication of CN117034298A
Legal status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/577 Assessing vulnerabilities and evaluating computer system security
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F21/562 Static detection
                                    • G06F21/563 Static detection by source code analysis
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/90 Details of database functions independent of the retrieved data types
                        • G06F16/903 Querying
                            • G06F16/90335 Query processing
                                • G06F16/90344 Query processing by using string matching techniques
                • G06F8/00 Arrangements for software engineering
                    • G06F8/40 Transformation of program code
                        • G06F8/41 Compilation
                            • G06F8/42 Syntactic analysis


Abstract

The present invention relates to the field of network security technologies, and in particular to an XSS vulnerability detection method, an XSS vulnerability detection device, an electronic device, and a storage medium. The method comprises the following steps: when compiling the code contained in a file, obtaining the subfiles whose file type is the view type; parsing the view-type subfiles to obtain target content of string type, parsing the target content into a plurality of nodes indicating characters, and combining the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree; and determining, according to the abstract syntax tree and a preset XSS vulnerability detection rule, the target nodes in the code that have XSS vulnerabilities. The preset XSS vulnerability detection rule compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the tree, so as to screen out the nodes with XSS vulnerabilities.

Description

XSS vulnerability detection method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to an XSS vulnerability detection method, an XSS vulnerability detection device, electronic equipment and a storage medium.
Background
Cross-site scripting (XSS) vulnerabilities are a type of security vulnerability common in World Wide Web (WWW) applications.
XSS vulnerabilities allow an attacker to embed malicious script code into normal web pages that users may access. Thus, when a user accesses such a page normally, the malicious script code implanted by the attacker is executed and the user's normal access may be attacked.
Therefore, how to detect XSS vulnerabilities and avoid them in web applications is a problem to be solved.
Disclosure of Invention
The embodiment of the invention aims to provide an XSS vulnerability detection method, an XSS vulnerability detection device, electronic equipment and a storage medium, which are used for detecting XSS vulnerabilities.
In a first aspect, an embodiment of the present invention provides an XSS vulnerability detection method, where the method includes:
when compiling the code contained in a file, obtaining the subfiles whose file type is the view type;
parsing the view-type subfiles to obtain target content of string type, parsing the target content into a plurality of nodes indicating characters, and combining the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree;
determining, according to the abstract syntax tree and a preset XSS vulnerability detection rule, the target nodes in the code that have XSS vulnerabilities; the preset XSS vulnerability detection rule compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the tree, so as to screen out the nodes with XSS vulnerabilities.
In one possible implementation, obtaining the subfiles whose file type is the view type when compiling the code contained in the file includes:
subscribing, through the Webpack code compiling tool platform, to the compile event for the code contained in the file;
and, when the compile event notification message sent by the Webpack platform is received, calling an interface provided by the Webpack platform to intercept and obtain the subfiles whose file type is the view type.
In one possible implementation, obtaining the subfiles whose file type is the view type when compiling the code contained in the file includes:
when a command to execute XSS vulnerability detection is detected, obtaining the current active window object;
obtaining a document object from the current active window object, the document object comprising the file that is being edited;
and obtaining, from the files being edited, the subfiles whose file type is the view type.
In one possible implementation, parsing the view-type subfiles to obtain target content of string type includes:
converting the view-type subfiles into string-type content, and detecting, with a regular expression, whether string-type content exists between a first character indicating the beginning of a template and a second character indicating the end of the template;
and, if string-type content exists between the first character and the second character, taking the content between the first character and the second character as the target content.
In one possible implementation, parsing the target content into a plurality of nodes indicating characters and combining the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree includes:
converting the target content from string type to array type to obtain a target content array;
selecting characters one by one from the head of the target content array, comparing each selected character with the preset characters in the grammar rules, and determining from the comparison results the node indicating the character and the internal record corresponding to each node, so as to obtain a plurality of nodes; the internal records are determined according to the relationships among the preset characters and record, for each node, its parent-child relationships with the other nodes;
and combining the plurality of nodes according to the internal record corresponding to each node to obtain the abstract syntax tree.
In a possible implementation, the preset XSS vulnerability detection rule includes:
if the attribute of a node matches the preset attribute information, determining that the node has an XSS vulnerability;
where the preset attribute information is functional attribute information indicating dynamically set content; or the preset attribute information is binding attribute information indicating a preset bound event; or the preset attribute information is setting attribute information that sets a specific attribute on a node of a fixed type.
In one possible implementation, after determining the target node in the code where the XSS vulnerability exists, the method further includes:
determining the code position information of the target node in the view-type subfile;
and outputting prompt information comprising the code position information and the view-type subfile; the prompt information indicates that an XSS vulnerability exists in the code.
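As an added illustration (my own code, not the patent's), the following JavaScript carries the claimed pipeline end to end on a constructed .vue component: the template body is extracted with a regular expression, scanned character by character into an abstract syntax tree, and walked in node order against the three kinds of preset attribute information, reporting the code position of each hit. Which Vue directives each kind of attribute information refers to is my assumption; the function names, the preset event list and the fixed-type attribute table are all constructed.

```javascript
// Stage 1: the "first/second character" pair is <template> ... </template>; the regex
// yields the string-typed target content plus where it starts in the file.
const TEMPLATE_RE = /<template[^>]*>([\s\S]*?)<\/template>/;
function extractTemplate(vueSource) {
  const m = TEMPLATE_RE.exec(vueSource);
  return m ? { content: m[1], offset: m.index + m[0].indexOf('>') + 1 } : null;
}
// Stage 2: scan the character array from the head, comparing each character with the
// grammar's preset characters (<, /, >, =, quotes, whitespace) and building element
// nodes; `cur` is the internal record of which node newly found nodes attach to.
const VOID = new Set(['img', 'br', 'hr', 'input', 'meta', 'link']);
function parseTemplate(chars, base) {
  const root = { tag: '#root', attrs: [], children: [], parent: null, pos: base };
  let cur = root, i = 0;
  while (i < chars.length) {
    if (chars[i] !== '<') {                    // text run up to the next tag
      let j = i;
      while (j < chars.length && chars[j] !== '<') j++;
      const text = chars.slice(i, j).join('');
      if (text.trim()) cur.children.push({ tag: '#text', text, attrs: [], children: [], parent: cur, pos: base + i });
      i = j;
    } else if (chars[i + 1] === '/') {         // closing tag: go back to the parent record
      const j = chars.indexOf('>', i);
      cur = cur.parent || root;
      i = j < 0 ? chars.length : j + 1;
    } else if (chars[i + 1] === '!') {         // comment: skip to -->
      let j = i + 4;
      while (j < chars.length && !(chars[j] === '-' && chars[j + 1] === '-' && chars[j + 2] === '>')) j++;
      i = j + 3;
    } else {                                   // opening tag and its attributes
      let j = i + 1;
      while (j < chars.length && /[^\s\/>]/.test(chars[j])) j++;
      const node = { tag: chars.slice(i + 1, j).join('').toLowerCase(), attrs: [], children: [], parent: cur, pos: base + i };
      while (j < chars.length && chars[j] !== '>') {
        if (/[\s\/]/.test(chars[j])) { j++; continue; }
        let k = j;
        while (k < chars.length && /[^\s=\/>]/.test(chars[k])) k++;
        const name = chars.slice(j, k).join('');
        let value = null;
        if (chars[k] === '=') {                // quoted or bare attribute value
          const q = chars[k + 1], quoted = q === '"' || q === "'";
          let e = quoted ? chars.indexOf(q, k + 2) : k + 1;
          if (quoted && e < 0) e = chars.length;
          if (!quoted) while (e < chars.length && /[^\s>]/.test(chars[e])) e++;
          value = chars.slice(k + (quoted ? 2 : 1), e).join('');
          k = quoted ? e + 1 : e;
        }
        node.attrs.push({ name, value, pos: base + j });
        j = k;
      }
      cur.children.push(node);
      if (!(chars[j - 1] === '/' || VOID.has(node.tag))) cur = node;   // self-closing: stay on parent
      i = j + 1;
    }
  }
  return root;
}
// Stage 3: compare each node's attributes, in tree order, with three kinds of preset
// attribute information. Which Vue directives each kind covers is my assumption about
// the claims; the event list and fixed-type table are constructed.
const PRESET_EVENTS = new Set(['error', 'load']);
const FIXED_NODE_ATTRS = { a: new Set([':href', 'v-bind:href']),
  iframe: new Set([':src', 'v-bind:src', 'srcdoc', ':srcdoc', 'v-bind:srcdoc']) };
const RULES = [
  { id: 'dynamic-content', match: (n, a) => a.name === 'v-html' },            // (a) sets content dynamically
  { id: 'event-binding', match: (n, a) => {                                 // (b) binds a preset event
    const m = /^(?:v-on:|@)([^.]+)/.exec(a.name); return !!m && PRESET_EVENTS.has(m[1]); } },
  { id: 'fixed-node-attribute',                                             // (c) specific attr on a fixed node type
    match: (n, a) => (FIXED_NODE_ATTRS[n.tag] || new Set()).has(a.name) },
];
function lineCol(source, offset) {          // code position information for the prompt
  const before = source.slice(0, offset);
  return { line: before.split('\n').length, column: offset - before.lastIndexOf('\n') };
}
function detectXss(vueSource) {
  const tpl = extractTemplate(vueSource);
  if (!tpl) return [];
  const ast = parseTemplate(Array.from(tpl.content), tpl.offset);
  const findings = [];
  (function walk(node) {
    for (const a of node.attrs) for (const r of RULES) if (r.match(node, a)) findings.push({ rule: r.id, tag: node.tag, attr: a.name, ...lineCol(vueSource, a.pos) });
    node.children.forEach(walk);
  })(ast);
  return findings;
}
// Constructed sample component: lines 3, 4 and 5 should be flagged, the @click on line 6 not.
const SAMPLE_VUE = `<template>
  <div class="post">
    <div v-html="body"></div>
    <a :href="link">{{ link }}</a>
    <img :src="avatar" @error="onErr" />
    <button @click="save">Save</button>
  </div>
</template>
<script>export default { props: ['body', 'link', 'avatar'] };</script>`;
for (const f of detectXss(SAMPLE_VUE)) console.log(`${f.line}:${f.column} ${f.rule} on <${f.tag}> via ${f.attr}`);
```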
In a second aspect, an embodiment of the present invention provides an XSS vulnerability detection apparatus, where the apparatus includes:
an acquiring unit, configured to obtain the subfiles whose file type is the view type when compiling the code contained in the file;
an obtaining unit, configured to parse the view-type subfiles to obtain target content of string type, parse the target content into a plurality of nodes indicating characters, and combine the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree;
and a determining unit, configured to determine, according to the abstract syntax tree and a preset XSS vulnerability detection rule, the target nodes in the code that have XSS vulnerabilities; the preset XSS vulnerability detection rule compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the tree, so as to screen out the nodes with XSS vulnerabilities.
In a possible embodiment, the obtaining unit is specifically configured to:
subscribe, through the Webpack code compiling tool platform, to the compile event for the code contained in the file;
and, when the compile event notification message sent by the Webpack platform is received, call an interface provided by the Webpack platform to intercept and obtain the subfiles whose file type is the view type.
In a possible embodiment, the obtaining unit is specifically configured to:
when a command to execute XSS vulnerability detection is detected, obtain the current active window object;
obtain a document object from the current active window object, the document object comprising the file that is being edited;
and obtain, from the files being edited, the subfiles whose file type is the view type.
In a possible embodiment, the obtaining unit is specifically configured to:
convert the view-type subfiles into string-type content, and detect, with a regular expression, whether string-type content exists between a first character indicating the beginning of a template and a second character indicating the end of the template;
and, if string-type content exists between the first character and the second character, take the content between the first character and the second character as the target content.
In a possible embodiment, the obtaining unit is specifically configured to:
convert the target content from string type to array type to obtain a target content array;
select characters one by one from the head of the target content array, compare each selected character with the preset characters in the grammar rules, and determine from the comparison results the node indicating the character and the internal record corresponding to each node, so as to obtain a plurality of nodes; the internal records are determined according to the relationships among the preset characters and record, for each node, its parent-child relationships with the other nodes;
and combine the plurality of nodes according to the internal record corresponding to each node to obtain the abstract syntax tree.
In a possible implementation, the preset XSS vulnerability detection rule includes:
if the attribute of a node matches the preset attribute information, determining that the node has an XSS vulnerability;
where the preset attribute information is functional attribute information indicating dynamically set content; or the preset attribute information is binding attribute information indicating a preset bound event; or the preset attribute information is setting attribute information that sets a specific attribute on a node of a fixed type.
In a possible embodiment, the apparatus further comprises an output unit configured to:
determine the code position information of the target node in the view-type subfile;
and output prompt information comprising the code position information and the view-type subfile; the prompt information indicates that an XSS vulnerability exists in the code.
In a third aspect, an embodiment of the present invention provides an electronic device, including at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform any one of the methods provided by the embodiments of the first aspect of the present invention.
In a fourth aspect, embodiments of the present invention provide a computer storage medium, where the computer readable storage medium stores a computer program for causing a computer to perform any of the methods provided by the embodiments of the first aspect of the present invention.
In a fifth aspect, embodiments of the present invention provide a computer program product comprising: computer program code which, when run on a computer, causes the computer to perform any of the methods provided by the embodiments of the first aspect.
The invention has the following beneficial effects:
in the embodiment of the invention, the subfiles whose file type is the view type can be obtained when compiling the code contained in a file; the view-type subfiles are parsed to obtain target content of string type, the target content is parsed into a plurality of nodes indicating characters, and the corresponding nodes are combined according to the relationships among the characters to obtain an abstract syntax tree; and the target nodes in the code that have XSS vulnerabilities are determined according to the abstract syntax tree and a preset XSS vulnerability detection rule, which compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the tree, so as to screen out the nodes with XSS vulnerabilities.
Therefore, the XSS vulnerability detection method provided by the embodiment of the invention can detect potential XSS vulnerabilities in code while the code is still being edited, which makes it convenient for developers to locate and repair them; and because the character strings are converted into an abstract syntax tree that is then traversed to detect XSS vulnerabilities, the vulnerabilities are located more accurately.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an application scenario in an embodiment of the present invention;
FIG. 2 is a flowchart of an XSS vulnerability detection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an abstract syntax tree according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a node obtaining method according to an embodiment of the present invention;
FIG. 5 is a flow chart of constructing an abstract syntax tree according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the structure of an XSS vulnerability detection apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the hardware composition of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention. Embodiments of the invention and features of the embodiments may be combined with one another arbitrarily without conflict. Also, while a logical order is depicted in the flowchart, in some cases, the steps depicted or described may be performed in a different order than presented herein.
The term "comprising" and any variations thereof in the description of the invention and in the claims is intended to cover non-exclusive protection. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
In the embodiments of the present invention, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the objects on either side are in an "or" relationship. "At least one of" and the like means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may be single or plural.
And, unless otherwise indicated, the terms "first," "second," and the like according to the embodiments of the present invention are used for distinguishing a plurality of objects, and are not used for limiting the size, content, order, timing, priority, importance, or the like of the plurality of objects. For example, the first character and the second character are only for distinguishing the characters, and are not indicative of the difference in size, priority, importance, or the like of the two characters.
In the technical scheme of the invention, the data is collected, transmitted, used and the like, and all meet the requirements of national relevant laws and regulations.
In order to facilitate understanding of the technical solution provided by the embodiments of the present invention, some key terms used in the embodiments of the present invention are explained here:
1. The code editor (Visual Studio Code, VScode) is a cross-platform source code editor for writing modern Web and cloud applications. Through VScode, software functions can be extended by integrating plug-ins.
2. The Vue.js framework is a JavaScript framework used to build user interfaces. It is built on standard hypertext markup language (HTML), cascading style sheets (CSS) and JavaScript, and provides a set of declarative, componentized programming models that help developers build user interfaces efficiently.
3. The code compiling tool (Webpack) is a static module packaging tool for modern JavaScript applications. It can compile the modules generated by the Vue.js framework into HTML, JavaScript and CSS files that a browser can interpret, and it also provides rich external interfaces so that users can access the platform through plug-ins to extend its functions.
4. Cross-site scripting (XSS) vulnerabilities are a type of security vulnerability common in World Wide Web (WWW) applications.
5. Hypertext markup language (HTML) is a markup language. It consists of a series of tags through which document formats on the network can be unified, so that scattered Internet resources are connected into a logical whole. HTML text is descriptive text composed of HTML commands that can specify text, graphics, animations, sounds, tables, links, and so on.
6. An abstract syntax tree (AST) is an abstract representation of the syntactic structure of source code; it represents the syntactic structure of a programming language in tree form.
As described above, XSS vulnerabilities allow an attacker to embed malicious script code into normal web pages that users may access. Thus, when a user accesses such a page normally, the malicious script code implanted by the attacker is executed and the user's normal access may be attacked.
Therefore, how to detect XSS vulnerabilities and avoid them in web applications is a problem to be solved.
In view of this, an embodiment of the present invention provides an XSS vulnerability detection method by which, when compiling the code contained in a file, the subfiles whose file type is the view type may be obtained; the view-type subfiles are parsed to obtain target content of string type, the target content is parsed into a plurality of nodes indicating characters, and the corresponding nodes are combined according to the relationships among the characters to obtain an abstract syntax tree; and the target nodes in the code that have XSS vulnerabilities are determined according to the abstract syntax tree and a preset XSS vulnerability detection rule, which compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the tree, so as to screen out the nodes with XSS vulnerabilities.
Therefore, the XSS vulnerability detection method provided by the embodiment of the invention can detect potential XSS vulnerabilities in code while the code is still being edited, which makes it convenient for developers to locate and repair them; and because the character strings are converted into an abstract syntax tree that is then traversed to detect XSS vulnerabilities, the vulnerabilities are located more accurately.
After the design idea of the embodiment of the present invention is introduced, some simple descriptions are made below for application scenarios applicable to the technical solution of the embodiment of the present invention, and it should be noted that the application scenarios described below are only used for illustrating the embodiment of the present invention and are not limiting. In the specific implementation process, the technical scheme provided by the embodiment of the invention can be flexibly applied according to actual needs.
The scheme provided by the embodiment of the invention can be suitable for the business scene of detecting XSS loopholes of codes written by the Vue.js framework.
Referring to FIG. 1, the schematic view of a scenario provided in an embodiment of the present invention may include terminal devices 101 and a server 102, where the terminal devices 101-1, 101-2, …, 101-n may be used by different developers.
In the embodiment of the invention, a developer can compile code written with the Vue.js framework on a terminal device 101; the server 102 can then obtain the subfiles whose file type is the view type, parse the view-type subfiles to obtain target content of string type, parse the target content into a plurality of nodes indicating characters, and combine the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree; and determine, according to the abstract syntax tree and a preset XSS vulnerability detection rule, the target nodes in the code that have XSS vulnerabilities. The preset XSS vulnerability detection rule compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the tree, so as to screen out the nodes with XSS vulnerabilities.
In the embodiment of the present invention, the terminal device 101 may be, for example, a tablet personal computer (PAD), a personal computer (Personal computer, PC), a smart television, a smart vehicle-mounted device, a wearable device, or the like, which is not limited in the embodiment of the present invention.
In the embodiment of the present invention, the server 102 may be a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms, or may be a physical server, but is not limited thereto.
The terminal devices 101 and the server 102 may be directly or indirectly connected through one or more networks 103. The network 103 may be a wired network or a wireless network, for example a mobile cellular network or a Wi-Fi network, or any other possible network, which is not limited in this embodiment of the present invention.
Of course, the method provided by the embodiment of the present invention is not limited to the application scenario shown in FIG. 1 and may be used in other possible application scenarios; for example, only the terminal device or only the server may implement the XSS vulnerability detection method, which is not limited by the embodiment of the present invention. The functions that can be implemented by each device in the application scenario shown in FIG. 1 are described together in the following method embodiments and are not detailed here.
In order to further explain the technical solution provided by the embodiments of the present invention, the following details are described with reference to the accompanying drawings and the detailed description. Although embodiments of the present invention provide the method operational steps shown in the following embodiments or figures, more or fewer operational steps may be included in the method, either on a routine or non-inventive basis. In steps where there is logically no necessary causal relationship, the execution order of the steps is not limited to the execution order provided by the embodiments of the present invention. The methods may be performed sequentially or in parallel as shown in the embodiments or the drawings when the actual processing or the apparatus is performed.
Referring to FIG. 2, FIG. 2 is a flowchart of an XSS vulnerability detection method according to an embodiment of the invention. The flow of the method may be performed by an electronic device, which may be the server 102 in FIG. 1; the specific implementation flow of the method is as follows:
Step 201: when compiling the code contained in the file, obtaining the subfiles whose file type is the view type.
The XSS vulnerability detection method provided by the embodiment of the invention can be deployed on a VScode platform or a Webpack platform.
Alternatively, when the XSS vulnerability detection method is deployed on the Webpack platform, the foregoing step 201 may be performed by, but is not limited to, the following sub-steps:
Step A: subscribing, through the Webpack platform, to the compile event for the code contained in the file;
Step B: when the compile event notification message sent by the Webpack platform is received, calling an interface provided by the Webpack platform to intercept and obtain the subfiles whose file type is the view type.
In the embodiment of the invention, the Webpack platform can be accessed and then initialized: the configuration file is read and a Webpack instance object is created; the instruction for XSS vulnerability detection is loaded and added to a loader of the Webpack instance object; the Webpack instance object executes the compile command and compiles the code written with the Vue.js framework; and the types of all compiled files are checked so that the subfiles whose file type is the view type are intercepted and obtained. The view type is, for example, the .vue type. Specifically, the file type of the file being compiled may be checked to see whether it is the .vue type; if so, the file being compiled is obtained as a subfile.
Alternatively, when the XSS vulnerability detection method is deployed on the VScode platform, the foregoing step 201 may be performed by, but is not limited to, the following sub-steps:
step a: when a command for executing XSS vulnerability detection is detected, acquiring a current active window object;
step b: acquiring a document object from the current active window object, wherein the document object comprises a file which is being edited;
step c: obtaining, from the file being edited, the subfile whose file type is the view type.
In this embodiment, before executing step 201, the configuration information may be read, and the VScode system may be initialized to generate a VScode instance object; an XSS detection button is registered in a menu bar of the VScode platform, and XSS detection is performed by clicking the button. That is, the XSS detection menu button is bound to an execution command of VScode, and when the XSS detection button is clicked, VScode executes the XSS detection action. Thus, after receiving an instruction for performing XSS vulnerability detection, the file currently being edited is detected, and if it is determined that the file type of the file currently being edited is the vue type, the file currently being edited is acquired as a subfile.
Specifically, the user clicks an XSS execution button in the VScode menu to start executing an XSS vulnerability detection command; acquiring a current active window object; acquiring a document object from the current active window object, wherein the document object contains information such as content, name, length, type and the like of a file which is currently being edited; acquiring file type information from a document object; it is determined whether the file currently being edited is of the type vue, and if so, the content of the file currently being edited is obtained from the document object. If not, the user is prompted that the file types are not matched, and the process is ended.
Step 202: parse the subfile of the view type to obtain target content whose data type is the character string type, parse the target content into a plurality of nodes indicating characters, and combine the corresponding nodes according to the relationship between the characters to obtain an abstract syntax tree.
In the embodiment of the invention, the subfile of the view type is converted into content of the character string type, and whether the content of the character string type contains sub-content between a first character indicating the beginning of a template and a second character indicating the end of the template is detected according to a regular expression; if it is determined that the content of the character string type has sub-content between the first character and the second character, the sub-content is taken as the target content. The first character is, for example, `<template>`, and the second character is, for example, `</template>`.
In the embodiment of the invention, the target content is converted from the character string type to the array type, and the target content group is obtained; selecting characters one by one from the head of the target content group, respectively comparing the selected characters with preset characters in grammar rules, and determining nodes for indicating the characters and internal records corresponding to each node according to the comparison result to obtain a plurality of nodes; the internal records are determined according to the relation among preset characters and are used for recording the father-son node relation among the nodes corresponding to each node; and combining the nodes according to the internal records corresponding to each node in the nodes to obtain an abstract syntax tree. For example, referring to fig. 3, fig. 3 is a schematic diagram of an abstract syntax tree. As shown in fig. 3, the first occurrence of "div" is the root node of the abstract syntax tree, and is also the parent node of the "P" node.
In this embodiment, in order to describe the process of converting characters into nodes more clearly, a specific example is described below, and referring to fig. 4, fig. 4 is a schematic flow diagram of obtaining nodes according to an embodiment of the present invention.
Step 401: converting the target content from the character string type to the array type to obtain a target content set;
step 402: judging whether the target content group is empty or not, if so, ending the processing flow; if it is determined that the target content set is not empty, step 403 is performed.
Step 403: selecting any character from the head of the target content group;
step 404: if the selected character is a character indicating the start of a tag element and the character preceding it is a character indicating the end of a tag element or is null, determine that the selected character indicates the start of a new tag element, create a node, and determine the internal record of the node.
For example, the selected character is "<" and the previous character is ">" or null. The internal record of the node comprises: the state flag, set to not closed, and the identification information of the parent node. The state flag being not closed indicates that the node may still have child nodes. Further, the node is stored in a first set that stores only nodes in the non-closed state, and the character is then recorded as the previous character (or as empty).
Step 405: if the selected character is a character indicating the end of a tag element and the character preceding it is a character indicating the end position of a tag element, determine that the selected character indicates the end position of one tag element, create a node, and determine the internal record of the node.
For example, the selected character is ">" and the previous character is "/". The internal record of the node comprises: the state flag, set to the closed state. Further, the node may be stored in a second set that stores only nodes in the closed state, and the node taken from the end of the set that stores only non-closed state nodes may be assigned to it as its counterpart.
Step 406: if the selected character is a character indicating the end position of a tag element and the character preceding it is a character indicating the start of a tag element, determine that the selected character is the character following the start of a new tag element, create a node, and determine the internal record of the node.
For example, the selected character is "/" and the previous character is "<". The internal record of the node comprises: the state flag, set to not closed, and the node information corresponding to the previous character, used as the identification information of the parent node. Further, the node is stored in the second set that stores only nodes in the non-closed state, and the character is then recorded as the previous character.
Step 407: if the selected character is a character indicating attribute information and the characters before and after it follow a fixed format, create a node and determine the internal record of the node.
For example, the selected character is "=", and the fixed format is "xxx=yyyy". The internal record of the node comprises: the state flag, set to not closed; the character preceding the selected character, used as the key of the current node's attribute; and the character following the selected character, used as the value of the current node's attribute.
In the embodiment of the present invention, if any character does not belong to the above type of character, it is continuously determined whether the target content group has a character, if so, the next character is continuously fetched and the above steps 402 to 407 are performed. That is, steps 402-407 in FIG. 4 are performed for the characters in each target content group.
In the embodiment of the invention, after each node, the internal record corresponding to each node, the first set and the second set are obtained, an abstract syntax tree can be constructed.
In the embodiment of the present invention, in order to more clearly describe the scheme of constructing the abstract syntax tree, a specific example is described below, and please refer to fig. 5, fig. 5 is a schematic flow chart of constructing the abstract syntax tree according to the embodiment of the present invention.
Step 501: judge whether the number of nodes in the second set is greater than 1.
If the number of nodes in the second set is greater than 1, step 502 is executed, and if the number of nodes in the second set is not greater than 1, the process of constructing the abstract syntax tree is ended.
Step 502: a node is selected starting from the end of the second set.
Step 503: mark the node as the current node, and determine, according to the internal record of the current node, whether the current node has a corresponding parent node.
If the identification information of the parent node does not exist in the internal record of the current node, executing step 504; if the identification information of the parent node exists in the internal record of the current node, step 505 is performed.
Step 504: determine the current node to be the root node, and set the storage position of the current node to the head of the second set.
Step 505: determine whether the parent node corresponding to the current node has a child node set.
Step 506: if the parent node corresponding to the current node has a child node set and the current node has a child node, setting the current node and the child node thereof in the child node set of the parent node corresponding to the current node.
Step 507: if the parent node corresponding to the current node does not have the child node set, the child node set of the parent node corresponding to the current node is newly built, wherein the child node set of the parent node comprises the current node, or the child node set of the parent node comprises the child node of the current node and the current node.
In the embodiment of the invention, the abstract syntax tree can be constructed according to the root node, the father node and the child node set of the father node obtained in the previous step.
Step 203: determining target nodes with XSS vulnerabilities in codes according to the abstract syntax tree and a preset XSS vulnerability detection rule; the preset XSS vulnerability detection rule is used for comparing the attribute of the nodes in the abstract syntax tree with preset attribute information according to the sequence of the nodes in the abstract syntax tree so as to screen out the nodes with XSS vulnerabilities.
In the embodiment of the invention, if the attribute of the node is matched with the preset attribute information, determining that the node has XSS vulnerability.
In the embodiment of the present invention, the vue.js framework may provide various methods, for example, the v-html function, a method for dynamically setting the href attribute of an a tag type node, a method for dynamically setting the src attribute of an img tag type node, a method for dynamically setting the value attribute of an input tag type node, a method for dynamically setting the src value of a script tag node, and the like. Each of these methods points to a value or a tag, and if the value or the tag is unsafe, it is determined that an XSS vulnerability may exist in the method.
Optionally, the preset attribute information is function attribute information indicating the dynamically set content. For example, there are node attributes in which the internal content is dynamically set by a v-html instruction. Wherein v-html is a function provided by the vue.js framework that can dynamically set the content inside an element.
For example, assume that the syntax with which the vue.js framework dynamically sets node content is as follows: `<span v-html="content"></span>`. Thus, when an attribute of the form `v-html="xxx"` exists among the attributes of a node, the node is determined to have an XSS vulnerability.
Optionally, the preset attribute information is binding attribute information indicating a preset binding event. For example, the node attributes contain an event dynamically bound to the element in attribute-binding mode, such as onclick, ondbclick, onmouseenter, onmouseleave, onmousemove, or onmouseup;
for example, assume that the syntax with which the vue.js framework dynamically sets a binding event is as follows: `<span :onclick="handler"></span>`. Thus, when an attribute of the form `onclick="xxx"` or `ondbclick="xxx"` exists among the attributes of a node, the node is determined to have an XSS vulnerability.
Optionally, the preset attribute information is setting attribute information that sets a specific attribute on a node of a fixed tag type.
For example, assume that the syntax with which the vue.js framework dynamically sets the href attribute of an a tag type node is as follows: `<a :href="content">`. Thus, when an attribute of the form `href="xxx"` exists among the attributes of an a tag type node, the node is determined to have an XSS vulnerability.
For another example, the syntax with which the vue.js framework dynamically sets the src attribute of an img tag type node is as follows: `<img :src="content"/>`. Thus, when an attribute of the form `src="xxx"` exists among the attributes of an img tag type node, the node is determined to have an XSS vulnerability.
For another example, the syntax with which the vue.js framework dynamically sets the value attribute of an input tag type node is as follows: `<input value="content"/>`. Thus, when an attribute of the form `value="xxx"` exists among the attributes of an input tag type node, the node is determined to have an XSS vulnerability.
For another example, the syntax with which the vue.js framework dynamically sets the src attribute of a script tag type node is as follows: `<script :src="content"></script>`. Thus, when an attribute of the form `src="xxx"` exists among the attributes of a script tag type node, the node is determined to have an XSS vulnerability.
In the embodiment of the invention, the detection can be started from the root node of the abstract syntax tree, the attribute information of the root node is determined, the attribute information of the root node is matched with the preset attribute information, and whether the XSS vulnerability exists according to the node is judged. If the root node is determined to have XSS loopholes, marking the root node as a target node, and determining code position information of the target node in a sub-file of the view type; outputting prompt information, wherein the prompt information comprises code position information and subfiles of view types; the prompt information is used for prompting that XSS loopholes exist in the codes.
Furthermore, XSS vulnerability detection can be performed on the child nodes of the root node. It is judged whether a child node of the root node is itself a parent node, that is, whether it also has child nodes; if so, XSS vulnerability detection is performed on the child nodes of that child node, until XSS vulnerability detection has been performed on the nodes of the whole abstract syntax tree. The manner of XSS vulnerability detection on the child nodes of the root node, and on their child nodes, is the same as the manner of XSS vulnerability detection on the root node, and is not described again here.
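The following is an added example, not the patent's own code, that carries the pipeline of step 202 (template extraction, steps 401 to 507 for building the tree) and step 203 (the attribute rules) through on a constructed .vue file. It simplifies the patent's procedure by scanning tag by tag rather than character by character, and the sample file, the `scanVueFile`/`matchRules` names and the `#root` node are assumptions of this example.

```javascript
// Added example (not the patent's code): a simplified form of its pipeline.
// The <template> block is extracted, scanned tag by tag (the patent scans
// character by character), a stack of not-yet-closed nodes supplies each new
// node's parent, attributes become key/value pairs, and the tree is then walked
// with the patent's attribute rules. Quoted values containing ">" and
// mismatched closing tags are not handled (simplification).
const TEMPLATE_RE = /<template>([\s\S]*?)<\/template>/;

// Step 202: the target content is the string between <template> and </template>.
function extractTemplate(source) {
  const m = TEMPLATE_RE.exec(source);
  if (!m) return null;
  // Number of file lines before the template, so findings carry file line numbers.
  return { content: m[1], lineOffset: source.slice(0, m.index).split('\n').length - 1 };
}

// Attributes of the forms key="value", key='value', key=value, or a bare key.
function parseAttrs(raw) {
  const attrs = {};
  const attrRe = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(raw)) !== null) attrs[m[1]] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// Steps 401-507 in one pass. `open` is the set of nodes in the non-closed
// state; its last element is the parent recorded for the next node created.
function parseTemplate(content, lineOffset = 0) {
  const root = { tag: '#root', attrs: {}, children: [], parent: null, closed: false, line: 0 };
  const open = [root];
  const tagRe = /<(\/?)([A-Za-z][\w-]*)([^>]*?)(\/?)>/g;
  let m;
  while ((m = tagRe.exec(content)) !== null) {
    const [, isEnd, tag, rawAttrs, selfClose] = m;
    const top = open[open.length - 1];
    if (isEnd) {
      // "</tag>": the innermost open node with this name moves to the closed state.
      if (open.length > 1 && top.tag === tag) { top.closed = true; open.pop(); }
      continue;
    }
    const line = lineOffset + content.slice(0, m.index).split('\n').length;
    const node = { tag, attrs: parseAttrs(rawAttrs), children: [], parent: top, closed: false, line };
    top.children.push(node);
    if (selfClose) node.closed = true; else open.push(node);
  }
  return root;
}

// Step 203 rules. The event list follows the patent (ondblclick is the standard
// spelling of the double-click event it names).
const EVENT_ATTRS = new Set(['onclick', 'ondblclick', 'onmouseenter',
  'onmouseleave', 'onmousemove', 'onmouseup']);
const TAG_ATTR_RULES = { a: 'href', img: 'src', input: 'value', script: 'src' };

// ":href" and "v-bind:href" normalise to "href", so bound and static forms both match.
function attrName(key) {
  return key.replace(/^(v-bind:|:)/, '');
}

// Names of the rules one node matches; empty when the node is not a target node.
function matchRules(node) {
  const hits = [];
  for (const key of Object.keys(node.attrs)) {
    const name = attrName(key);
    if (name === 'v-html') hits.push('v-html');
    else if (EVENT_ATTRS.has(name)) hits.push('event:' + name);
    else if (TAG_ATTR_RULES[node.tag] === name) hits.push(node.tag + ':' + name);
  }
  return hits;
}

// Document-order walk (a node before its children) collecting target nodes
// with their code position, the content of the patent's prompt information.
function detectXss(node, findings = []) {
  for (const child of node.children) {
    for (const rule of matchRules(child)) findings.push({ tag: child.tag, line: child.line, rule });
    detectXss(child, findings);
  }
  return findings;
}

function scanVueFile(source) {
  const tpl = extractTemplate(source);
  return tpl === null ? [] : detectXss(parseTemplate(tpl.content, tpl.lineOffset));
}

// Constructed sample .vue file (not taken from the patent).
const SAMPLE_VUE = `<template>
  <div class="page">
    <span v-html="content"></span>
    <a :href="userUrl">link</a>
    <img :src="avatar" />
    <p>safe text {{ msg }}</p>
  </div>
</template>
<script>export default {}</script>`;

console.log(scanVueFile(SAMPLE_VUE));
```

On the sample file the scan reports the span (v-html), the a tag (href) and the img tag (src) with their file line numbers, while the plain p element is not flagged.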
Therefore, the XSS vulnerability detection method provided by the embodiment of the invention can detect the potential XSS vulnerability in the code in the editing stage of the code, is convenient for developers to locate and repair the vulnerability, and is characterized in that character strings are converted into abstract syntax trees, and then the abstract syntax trees are traversed to detect the XSS vulnerability, so that the XSS vulnerability is more accurately located.
Based on the same inventive concept, the embodiment of the invention also provides an XSS vulnerability detection device. Fig. 6 is a schematic structural diagram of an XSS vulnerability detection apparatus 600, which may include:
an obtaining unit 601, configured to obtain a subfile with a view type as a file type when compiling a code included in the file;
an obtaining unit 602, configured to parse the subfiles of the view type to obtain target content with a data type being a character string type, parse the target content into a plurality of nodes for indicating characters, and combine the corresponding nodes according to a relationship between the characters to obtain an abstract syntax tree;
a determining unit 603, configured to determine, according to the abstract syntax tree and a preset XSS vulnerability detection rule, a target node in the code where an XSS vulnerability exists; the preset XSS vulnerability detection rule is used for comparing the attribute of the nodes in the abstract syntax tree with preset attribute information according to the sequence of the nodes in the abstract syntax tree so as to screen out the nodes with XSS vulnerabilities.
In a possible implementation manner, the acquiring unit 601 is specifically configured to:
subscribing a compiling event of codes contained in the file by a code compiling tool Webpack platform;
and when receiving the compiling event notification message sent by the Webpack platform, calling an interface provided by the Webpack platform to intercept and acquire the subfiles with the file types of the view types.
In a possible implementation manner, the acquiring unit 601 is specifically configured to:
when a command for executing XSS vulnerability detection is detected, acquiring a current active window object;
acquiring a document object from the current active window object, wherein the document object comprises a file which is being edited;
and obtaining the subfiles with the file types of the view types in the files being edited.
In a possible implementation manner, the obtaining unit 602 is specifically configured to:
converting the subfiles of the view types into character string type contents, and detecting whether the character string type contents exist between a first character indicating the beginning of a template and a second character indicating the end of the template according to a regular expression;
and if the content of the character string type exists between the first character and the second character, taking the content between the first character and the second character as the target content.
In a possible implementation manner, the obtaining unit 602 is specifically configured to:
converting the target content from the character string type to the array type to obtain a target content group;
selecting characters one by one from the head of the target content group, respectively comparing the selected characters with preset characters in grammar rules, and determining nodes for indicating the characters and internal records corresponding to each node according to comparison results to obtain a plurality of nodes; the internal records are determined according to the relation among preset characters and are used for recording the father-son node relation among the nodes corresponding to each node;
and combining the plurality of nodes according to the internal records corresponding to each node in the plurality of nodes to obtain an abstract syntax tree.
In a possible implementation manner, the preset XSS vulnerability detection rule includes:
if the attribute of the node is matched with the preset attribute information, determining that the node has XSS loopholes;
wherein the preset attribute information is functional attribute information indicating dynamic setting content; or, the preset attribute information is binding attribute information indicating a preset binding event; or, the preset attribute information is set attribute information for setting specific attributes to the fixed type node.
In a possible embodiment, the apparatus further comprises an output unit for:
determining code position information of the target node in the subfiles of the view types;
outputting prompt information, wherein the prompt information comprises the code position information and subfiles of the view types; the prompt information is used for prompting that the XSS loopholes exist in the codes.
For convenience of description, the above parts are described as being functionally divided into modules (or units) respectively. Of course, the functions of each module (or unit) may be implemented in the same piece or pieces of software or hardware when implementing the present invention.
Having described the XSS vulnerability detection method and apparatus of an exemplary embodiment of the present invention, next, an electronic device according to another exemplary embodiment of the present invention is described.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
The embodiment of the invention also provides electronic equipment based on the same conception as the method embodiment. In this embodiment, the structure of the electronic device may be as shown in fig. 7, where the electronic device is, for example, the server 102 in fig. 1. As shown in fig. 7, the electronic device in the embodiment of the present invention includes at least one processor 701, and a memory 702 and a communication interface 703 connected to the at least one processor 701. The embodiment of the present invention does not limit the specific connection medium between the processor 701 and the memory 702; in fig. 7 the connection between the processor 701 and the memory 702 through the system bus 700 is taken as an example, the system bus 700 is shown in bold line, and the connection manner between other components is merely illustrative and not limited thereto. The system bus 700 may be divided into an address bus, a data bus, a control bus, etc., and is shown with only one thick line in fig. 7 for convenience of illustration, but this does not mean that there is only one bus or one type of bus.
In an embodiment of the present invention, the memory 702 stores instructions executable by the at least one processor 701, and the at least one processor 701 can execute the steps included in the XSS vulnerability detection method by executing the instructions stored in the memory 702.
The processor 701 is the control center of the electronic device, may connect various parts of the entire electronic device using various interfaces and lines, and may implement various functions of the electronic device by running or executing instructions stored in the memory 702 and invoking data stored in the memory 702. Alternatively, the processor 701 may include one or more processing units, and the processor 701 may integrate an application processor and a modem processor, wherein the application processor primarily handles the operating system, the user interface, application programs, and the like, and the modem processor primarily handles wireless communications. It will be appreciated that the modem processor described above need not be integrated into the processor 701. In some embodiments, the processor 701 and the memory 702 may be implemented on the same chip, or they may be implemented separately on separate chips.
The processor 701 may be a general purpose processor such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present invention may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution.
The memory 702 is a non-volatile computer-readable storage medium that can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 702 may include at least one type of storage medium, for example, flash memory, hard disk, multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory 702 is any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 702 in embodiments of the present invention may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
The communication interface 703 is a transmission interface that can be used for communication, and data can be received or transmitted through the communication interface 703.
The electronic device also includes a basic input/output system (I/O system) 704, a mass storage device 708 for storing an operating system 705, application programs 706, and other program modules 707, which facilitate the transfer of information between the various devices within the electronic device.
The basic input/output system 704 includes a display 709 for displaying information and an input device 710, such as a mouse, keyboard, etc., for a user to input information. In which a display 709 and an input device 710 are coupled to the processor 701 through a basic input/output system 704 coupled to the system bus 700. The basic input/output system 704 may also include an input/output controller for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input-output controller also provides output to a display screen, a printer, or other type of output device.
In particular, the mass storage device 708 is coupled to the processor 701 through a mass storage controller (not shown) coupled to the system bus 700. The mass storage device 708 and its associated computer-readable media provide non-volatile storage for the electronic device. That is, the mass storage device 708 may include a computer-readable medium (not shown), such as a hard disk or CD-ROM drive.
The electronic device may also operate via a network, such as the internet, connected to a remote computer on the network, in accordance with various embodiments of the present invention. I.e., the electronic device may be connected to the network 711 through a communication interface 703 coupled to the system bus 700, or alternatively, the communication interface 703 may be used to connect to other types of networks or remote computer systems (not shown).
The embodiment of the invention also provides a computer storage medium, wherein the computer readable storage medium stores a computer program, and the computer program is used for enabling a computer to execute the technical scheme of the XSS vulnerability detection method.
Embodiments of the present invention also provide a computer program product comprising: computer program code, when the computer program code runs on a computer, makes the computer execute the computer program to implement the technical scheme of the XSS vulnerability detection method in the above embodiment.
Those skilled in the art will appreciate that: all or part of the steps of implementing the above method embodiments may be implemented by hardware associated with program instructions pertaining to a computer program, which may be stored in a computer-readable storage medium, which when executed performs steps comprising the above method embodiments; the readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of embodiments of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program code and may run on a computing device. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a command execution system, apparatus, or device.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with a command execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's equipment, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (11)

1. An XSS vulnerability detection method, the method comprising:
obtaining, when compiling code contained in a file, a subfile whose file type is a view type;
parsing the subfile of the view type to obtain target content whose data type is a character string, parsing the target content into a plurality of nodes each indicating a character, and combining the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree;
determining, according to the abstract syntax tree and a preset XSS vulnerability detection rule, a target node in the code that has an XSS vulnerability; wherein the preset XSS vulnerability detection rule compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the abstract syntax tree, so as to screen out the nodes that have XSS vulnerabilities.
2. The method of claim 1, wherein obtaining the subfile whose file type is a view type when compiling the code contained in the file comprises:
subscribing, through the code compilation tool Webpack, to a compilation event for the code contained in the file;
and when a compilation event notification message sent by the Webpack platform is received, calling an interface provided by the Webpack platform to intercept and acquire the subfile whose file type is a view type.
3. The method of claim 1, wherein obtaining the subfile whose file type is a view type when compiling the code contained in the file comprises:
acquiring the currently active window object when a command to execute XSS vulnerability detection is detected;
acquiring a document object from the currently active window object, the document object comprising the file being edited;
and obtaining the subfile whose file type is a view type from the file being edited.
4. The method according to claim 2 or 3, wherein parsing the subfile of the view type to obtain the target content whose data type is a character string comprises:
converting the subfile of the view type into character-string content, and detecting, according to a regular expression, whether character-string content exists between a first character indicating the beginning of a template and a second character indicating the end of the template;
and if character-string content exists between the first character and the second character, taking the content between the first character and the second character as the target content.
5. The method of claim 4, wherein parsing the target content into a plurality of nodes each indicating a character and combining the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree comprises:
converting the target content from the character-string type to an array type to obtain a target content array;
selecting characters one by one starting from the head of the target content array, comparing each selected character with the preset characters in the grammar rules, and determining, according to the comparison results, the node indicating the character and the internal record corresponding to each node, so as to obtain a plurality of nodes; wherein the internal records are determined according to the relationships among the preset characters and are used to record the parent-child node relationships between each node and the other nodes;
and combining the plurality of nodes according to the internal record corresponding to each node in the plurality of nodes to obtain the abstract syntax tree.
6. The method according to any one of claims 1-3, wherein the preset XSS vulnerability detection rule comprises:
if the attribute of a node matches the preset attribute information, the node has an XSS vulnerability;
wherein the preset attribute information is function attribute information indicating dynamically set content; or the preset attribute information is binding attribute information indicating a preset binding event; or the preset attribute information is setting attribute information that sets a specific attribute on a node of a fixed type.
7. The method according to any one of claims 1-3, wherein after determining the target node in the code that has an XSS vulnerability, the method further comprises:
determining the code position information of the target node within the subfile of the view type;
outputting prompt information, the prompt information comprising the code position information and the subfile of the view type; wherein the prompt information is used to indicate that an XSS vulnerability exists in the code.
8. An XSS vulnerability detection apparatus, the apparatus comprising:
an acquiring unit, configured to acquire a subfile whose file type is a view type when compiling the code contained in a file;
an obtaining unit, configured to parse the subfile of the view type to obtain target content whose data type is a character string, parse the target content into a plurality of nodes each indicating a character, and combine the corresponding nodes according to the relationships among the characters to obtain an abstract syntax tree;
a determining unit, configured to determine, according to the abstract syntax tree and a preset XSS vulnerability detection rule, a target node in the code that has an XSS vulnerability; wherein the preset XSS vulnerability detection rule compares the attributes of the nodes in the abstract syntax tree with preset attribute information, in the order of the nodes in the abstract syntax tree, so as to screen out the nodes that have XSS vulnerabilities.
9. An electronic device, comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to implement the method of any one of claims 1-7.
10. A computer storage medium, wherein the computer storage medium stores a computer program that enables a computer to perform the method according to any one of claims 1-7.
11. A computer program product, comprising computer program code which, when run on a computer, causes the computer to perform the method of any one of claims 1-7.
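The procedure of claims 4 to 7 (template extraction by regular expression, character-by-character node parsing with parent links, rule matching over the nodes in document order, and line/column reporting), written out as an added JavaScript example that is not the patent's or the applicant's own code. It assumes the view subfile is a Vue-style single-file component delimited by `<template>`/`</template>`, and maps the three preset attribute categories of claim 6 to `v-html`, `@`/`v-on:` event bindings and dynamic `href`/`src` on `<a>`/`<iframe>` nodes; the sample component is constructed.

```javascript
// Added example, not the patent's own code. Assumed concrete values: view subfile = Vue-style single-file
// component, template between <template> and </template>, rules = v-html, @/v-on: bindings, dynamic href/src on <a>/<iframe>.
// Claim 4: locate the template body with a regular expression and keep its start offset in the file.
function extractTemplate(viewFile) {
  const m = /<template[^>]*>([\s\S]*?)<\/template>/.exec(viewFile);
  if (!m) return null;
  return { body: m[1], start: m.index + m[0].length - m[1].length - '</template>'.length };
}
// Claim 5: scan the template character by character into element nodes; each node records its tag,
// attributes, offset and parent, so the flat list doubles as a tree. Attribute values containing '>' are unsupported.
function parseNodes(template) {
  const nodes = [], stack = [];
  for (let i = 0; i < template.length; ) {
    if (template[i] !== '<') { i++; continue; }                         // text content: skip
    const close = template.indexOf('>', i);
    if (close === -1) break;
    const raw = template.slice(i + 1, close).trim();
    if (raw.startsWith('/')) { stack.pop(); i = close + 1; continue; }  // closing tag: leave the parent
    const tag = (/^[^\s\/>]+/.exec(raw) || [''])[0], attrs = {};
    for (const a of raw.slice(tag.length).replace(/\/$/, '').matchAll(/([^\s=]+)(?:=("[^"]*"|'[^']*'|[^\s"']+))?/g)) {
      attrs[a[1]] = (a[2] || '').replace(/^["']|["']$/g, '');          // strip surrounding quotes
    }
    const node = { tag, attrs, offset: i, parent: stack[stack.length - 1] || null };
    nodes.push(node);
    if (!raw.endsWith('/')) stack.push(node);                           // self-closing tags have no children
    i = close + 1;
  }
  return nodes;
}
// Claim 6: preset attribute information, one rule per category named in the claim (assumed values).
const FIXED = new Map([['a', 'href'], ['iframe', 'src']]);
const PRESET_RULES = [
  { id: 'dynamic-content', test: n => 'v-html' in n.attrs },
  { id: 'event-binding', test: n => Object.keys(n.attrs).some(a => /^(@|v-on:)/.test(a)) },
  { id: 'fixed-node-attr', test: n => FIXED.has(n.tag) && [':', 'v-bind:'].some(p => (p + FIXED.get(n.tag)) in n.attrs) },
];
// Claims 1 and 7: visit nodes in document order, apply the rules, report line/column within the view file.
function detectXss(viewFile) {
  const tpl = extractTemplate(viewFile); if (!tpl) return [];
  const findings = [];
  for (const node of parseNodes(tpl.body)) {
    for (const rule of PRESET_RULES.filter(r => r.test(node))) {
      const abs = tpl.start + node.offset, before = viewFile.slice(0, abs);
      findings.push({ rule: rule.id, tag: node.tag, line: before.split('\n').length, column: abs - before.lastIndexOf('\n') });
    }
  }
  return findings;
}
// Constructed sample component; detectXss(SAMPLE_VIEW) reports the <p>, <a> and <button> nodes.
const SAMPLE_VIEW = '<template>\n  <div class="post">\n    <p v-html="post.body"></p>\n    <a :href="post.link">more</a>\n    <button @click="like(post.id)">like</button>\n  </div>\n</template>';
```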

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311184662.4A CN117034298A (en) 2023-09-14 2023-09-14 XSS vulnerability detection method and device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117034298A true CN117034298A (en) 2023-11-10

Family

ID=88602587




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination