TWI489309B - System and method for defending against cross-site scripting - Google Patents

System and method for defending against cross-site scripting

Info

Publication number
TWI489309B
Authority
TW
Taiwan
Prior art keywords
module
server
javascript
url
http
Application number
TW102100841A
Other languages
Chinese (zh)
Other versions
TW201428526A (en)
Inventor
Shi Jinn Horng
Chien Hsun Wang
Original Assignee
Nat Taiwan University Of Sience And Technology
Priority date
2013-01-10
Filing date
2013-01-10
Publication date
2015-06-21
Application filed by Nat Taiwan University Of Sience And Technology
Priority to TW102100841A
Publication of TW201428526A (2014-07-16)
Application granted
Publication of TWI489309B (2015-06-21)

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Description

Cross-site attack (XSS) defense system and method

The present invention relates to a cross-site attack defense system and method, and in particular to a cross-site attack defense system and method that can intercept malicious code precisely.

With the rapid growth and spread of the Internet, web content has become ever richer, and pages have moved from the early static web page to dynamic pages that rely heavily on dynamic web technologies. These technologies have made web applications more varied and more interactive, but they have also introduced a range of security problems in web systems and made it harder for protection systems to detect intrusions and defend against them.

Cross-site scripting (XSS) is currently one of the most serious security weaknesses worldwide. It is a classic web vulnerability that an attacker can exploit to steal a user's cookies or data. Typically the attacker embeds a malicious script in the code of a page served by a web server and then uses social engineering to lure visitors into clicking on it. When a visitor clicks, if the web application has not filtered out the extraneous code, the visitor's browser executes the malicious script, which sends the victim's cookie to a third-party site the attacker set up in advance. The attacker can thereby steal the victim's private data, such as account names, passwords or even credit card numbers. Beyond the serious harm to an individual user's information security, cross-site attacks can have a major impact on people's livelihoods, the economy and even national defense.

Because today's web applications emphasize interactivity, page architectures are more complex than before, which raises the technical difficulty and complexity of detecting cross-site attacks; even experienced developers find it hard to filter every kind of code completely. On the user side, the general public has an even weaker understanding of cross-site attacks, so it is very difficult to expect ordinary users to discover or defend against them on their own.

Existing defenses against cross-site attacks are deployed in one of three architectures: on the client, on the server, or split between client and server. For most Internet users, installing and configuring a client-side defense is too complicated, so the biggest problem with that approach is ensuring that users actually install and run the checking program correctly. The hybrid client/server approach is more cumbersome still: besides the client-side difficulty just described, the server-side component must also cooperate with the client-side one, which multiplies the complexity. A server-side system requires developers to spend time configuring and testing firewall rules; although it is less complicated than the other two approaches, writing such rules is still far from easy, and the developer must be experienced and very careful to produce a system with adequate defensive capability.

Although all three architectures have deployment drawbacks, the server-side one can be handled by experienced developers alone. The hardest part of cross-site attack defense, however, is effectively determining whether user-supplied data contains malicious content. There is therefore still a need for a defense system or method that can identify malicious code precisely and can be deployed easily, so as to solve the problems of the prior art.

One aspect of the present invention is to provide a cross-site attack defense system that solves the problems of the prior art.

According to one embodiment, the cross-site attack defense system of the invention comprises a source code acquisition module, a confirmation module, a transmission module, a reading module and a parsing module. The source code acquisition module, confirmation module and transmission module are located in the web server; the reading module is located between the web server and the client; and the parsing module is connected to the reading module.

In this embodiment the source code acquisition module obtains the source code of the web server's web application. The confirmation module, connected to the source code acquisition module, inspects that source code and finds the JavaScript and URLs in it; it then generates a whitelist from the JavaScript and URLs it found, and the transmission module sends the whitelist out. The reading module receives the whitelist from the transmission module, and the parsing module takes the whitelist from the reading module and compares it against the HTTP response the web server generates for the client's HTTP request, intercepting any malicious code in it. The HTTP response finally delivered to the client therefore has the malicious code removed, and the client is protected from cross-site attacks.

Another aspect of the present invention is to provide a cross-site attack defense method that solves the problems of the prior art.

According to one embodiment, the cross-site attack defense method of the invention comprises the following steps: obtaining the source code of the web server's web application; extracting the JavaScript and URLs from that source code and generating a whitelist from them; transmitting the whitelist to a proxy server; and, in the proxy server, comparing the HTTP response the web server generates for the client's HTTP request against the whitelist, thereby intercepting malicious code in the HTTP response.

The advantages and spirit of the present invention will be further understood from the following detailed description and the accompanying drawings.

Referring to FIG. 1, which is a schematic diagram of a cross-site attack defense system 1 according to one embodiment of the invention: the cross-site attack defense system 1 can be deployed between a web server S and a client C and comprises a source code acquisition module 10, a confirmation module 12, a transmission module 14, a reading module 16 and a parsing module 18. The source code acquisition module 10, confirmation module 12 and transmission module 14 are located in the web server S, while the reading module 16 and parsing module 18 are located between the web server S and the client C. In this embodiment the reading module 16 and parsing module 18 are placed in a proxy server P, but the invention is not limited to this; it is enough that the two sit between the web server S and the client C.

When the client C connects to the web server S to browse pages, the client C issues an HTTP request to the web server's web application, and the web application produces an HTTP response accordingly. For example, the client C may request a page, and the web application responds to the client C with that particular page. The malicious code of a typical cross-site attack may be carried inside the web application's HTTP response; if the client C executes the malicious code in the HTTP response, it falls victim to the attack. Note that in this embodiment the reading module 16 and parsing module 18 are located in the proxy server P; in other words, both the requests the client C sends to the web server S and the HTTP responses the web server S returns to the client C pass through the proxy server P on their way to the other side.

In this embodiment the source code acquisition module 10 obtains the source code of the web application on the web server S. The confirmation module 12 is connected to the source code acquisition module 10 and receives the acquired source code from it. The confirmation module 12 analyzes the source code to find the JavaScript in it. Because most cross-site attacks are accompanied by outbound malicious links, the confirmation module 12 also finds the URLs in the source code so that interception is broader. The JavaScript and URLs that the confirmation module 12 finds are legitimate JavaScript and URLs rather than malicious code; specifically, it finds them according to preset rules laid down by the designer of the web application. The designer knows clearly which JavaScript and URLs are legitimate in the web application and its HTTP responses, while any other JavaScript or URL may be malicious code implanted by an attacker; the confirmation module 12 can therefore find the legitimate JavaScript and URLs using the designer's preset rules. The confirmation module 12 then hashes the legitimate JavaScript and URLs it obtained to form the whitelist.

The transmission module 14 is connected to the confirmation module 12; it receives the whitelist and transmits it to the reading module 16. In practice the transmission module 14 can package the whitelist in an HTTP packet; the web server S carries that packet inside the HTTP response the web application is about to give the client C, the HTTP response is sent to the proxy server P, and the reading module 16 extracts the whitelist from the HTTP response. Instead of piggybacking on the HTTP response, the transmission module 14 can also send the packet directly to the reading module 16 so that the reading module 16 receives the whitelist directly. In addition to the whitelist of legitimate JavaScript and URLs described above, the reading module 16 can further extract DNS information and web program file names from the web application's HTTP response to serve as two further whitelists.

The parsing module 18 is connected to the reading module 16 and receives the extracted whitelist from it. The parsing module 18 takes the JavaScript or URLs out of the HTTP response sent by the web server S and compares them against the whitelist. If the comparison shows that a piece of JavaScript or a URL does not match the JavaScript and URLs in the whitelist, that JavaScript or URL is not something the original web application and its HTTP response should contain, and it can be judged suspicious code or even malicious code. Conversely, if the JavaScript or URL in the HTTP response matches the whitelist, it is judged to be JavaScript or a URL that the original web application and its HTTP response should contain. Once malicious code has been identified, the parsing module 18 deletes it from the HTTP response, while whitelisted JavaScript and URLs remain in the response. Since the code of a malicious attack is usually encoded to obscure it, in practice the parsing module 18 can first decode the JavaScript or URLs taken from the HTTP response and only then compare them against the whitelist.

After the malicious code in the HTTP response has been deleted, the proxy server P can forward the HTTP response to the client C for execution, so the client C is protected from cross-site attacks. Note that because the dynamic comparison for malicious code is carried out in the proxy server P in front of the client C, the client C does not need to go through a complicated defense system installation; the work is done in the proxy server P by professional developers, which overcomes the installation problem of the prior-art client-side defenses. Moreover, the preset rules laid down by the designer of the web application make it known which JavaScript and URLs are legitimate code, so suspicious or malicious code in the HTTP response can be identified precisely.

Referring to FIG. 1 together with FIG. 2, FIG. 2 is a flow chart of the steps of a cross-site attack defense method according to one embodiment of the invention. Note that the method of this embodiment can be carried out with the cross-site attack defense system 1 of FIG. 1, whose units were described in the embodiment above and are not repeated here. As shown in FIG. 2, the cross-site attack defense method comprises the following steps: in step S20, obtain the source code of the web application on the web server S; in step S22, obtain the JavaScript and URLs in the web application's source code and generate a whitelist from them; in step S24, transmit the whitelist to the proxy server P; and in step S26, in the proxy server P, compare the HTTP response the web server generates for the client's HTTP request against the whitelist, so as to intercept malicious code in the web server's HTTP response.

Step S20 can retrieve the source code with the source code acquisition module 10 of the embodiment above, and step S22 can then use the confirmation module 12 to obtain the JavaScript and URLs from the source code. Because the designer of the web application knows clearly which JavaScript and URLs in the web application and its HTTP responses are legitimate, while other JavaScript and URLs may be malicious code implanted by an attacker, step S22 can have the confirmation module 12 decide whether each piece of JavaScript and each URL is legitimate according to the designer's preset rules, and then hash the legitimate JavaScript and URLs to form the whitelist.

Step S24 transmits the whitelist to the proxy server P through the transmission module 14. As in the embodiment above, the transmission module 14 can package the whitelist in an HTTP packet carried in the HTTP response, so that the whitelist travels with the HTTP response sent by the web server S, and the reading module 16 extracts the whitelist from the HTTP response. Step S26 then has the parsing module 18 in the proxy server P compare the HTTP response against the whitelist to intercept malicious code in the response. As described above, the parsing module 18 obtains the JavaScript or URLs in the HTTP response and compares them with the whitelist. JavaScript or URLs in the HTTP response that match the whitelist remain in the response; those that do not match are judged to be malicious code and deleted from the HTTP response, which is how the malicious code in the HTTP response is intercepted.

The cross-site attack defense method of this embodiment deletes the malicious code in the HTTP response sent by the web server S, so when the proxy server P forwards the HTTP response to the client C for execution it does not produce a cross-site attack on the client C. Furthermore, because step S22 finds legitimate JavaScript and URLs according to the preset rules laid down by the designer of the web application, it can determine precisely which JavaScript and URLs in the HTTP response are implanted code.

In summary, the cross-site attack defense system and method of the present invention use a source code acquisition module, a confirmation module and a transmission module located in the web server to form a whitelist from the JavaScript and URLs in the source code of the web server's web application, and then use a reading module and a parsing module located between the web server and the client to compare the whitelist against the HTTP responses the web server sends, intercepting malicious code in the HTTP response so that the client is protected from cross-site attacks. Because the designer of the web application knows exactly which JavaScript and URLs in the web application are legitimate, the resulting whitelist can precisely pick out suspicious JavaScript and URLs in the HTTP response. Moreover, the comparison that detects malicious code in the HTTP response is done by the proxy server, so the client needs no complicated installation or configuration, which simplifies deployment of the system.

The foregoing detailed description of preferred embodiments is intended to describe the features and spirit of the invention more clearly, not to limit the scope of the invention to the preferred embodiments disclosed above. On the contrary, the intention is to cover various modifications and equivalent arrangements within the scope of the claims of the invention. The scope of the claims should therefore be given the broadest interpretation consistent with the description above, so as to encompass all possible modifications and equivalent arrangements.

1‧‧‧cross-site attack defense system
10‧‧‧source code acquisition module
12‧‧‧confirmation module
14‧‧‧transmission module
16‧‧‧reading module
18‧‧‧parsing module
S‧‧‧web server
P‧‧‧proxy server
C‧‧‧client
S20~S26‧‧‧process steps

FIG. 1 is a schematic diagram of a cross-site attack defense system according to one embodiment of the invention.

FIG. 2 is a flow chart of the steps of a cross-site attack defense method according to one embodiment of the invention.


Claims (8)

1. A cross-site attack defense system established between a web server and a client, wherein the client issues an HTTP request to the web server and the web server generates an HTTP response corresponding to the HTTP request, the cross-site attack defense system comprising: a source code acquisition module located in the web server, for obtaining the source code of a web application of the web server; a confirmation module located in the web server and connected to the source code acquisition module, for obtaining, according to a preset rule, at least one JavaScript and at least one URL in the source code of the web application and generating a whitelist from the at least one JavaScript and the at least one URL, wherein the preset rule is laid down by the designer of the web application; a transmission module located in the web server and connected to the confirmation module, for transmitting the whitelist; a reading module located between the web server and the client, for receiving the whitelist transmitted by the transmission module; and a parsing module connected to the reading module, for comparing the whitelist against the HTTP response generated by the web server so as to intercept a malicious code in the HTTP response.

2. The cross-site attack defense system of claim 1, wherein the confirmation module hashes the obtained at least one JavaScript and at least one URL to generate the whitelist.

3. The cross-site attack defense system of claim 1, further comprising a proxy server connecting the web server and the client, the reading module and the parsing module being located in the proxy server, and the proxy server forwarding the client's HTTP request to the web server and returning the web server's HTTP response to the client.

4. The cross-site attack defense system of claim 1, wherein the parsing module takes at least one first JavaScript or at least one first URL out of the HTTP response, hashes it and compares it against the whitelist, and, if the comparison does not match the whitelist, judges the at least one first JavaScript or at least one first URL to be the malicious code and deletes the malicious code from the HTTP response.

5. A cross-site attack defense method comprising the steps of: obtaining the source code of a web application of a web server; obtaining, according to a preset rule, at least one JavaScript and at least one URL in the source code of the web application and generating a whitelist from the at least one JavaScript and the at least one URL, wherein the preset rule is laid down by the designer of the web application; transmitting the whitelist to a proxy server; and, in the proxy server, comparing the whitelist against an HTTP response generated by the web server for an HTTP request issued by a client, so as to intercept a malicious code in the HTTP response.

6. The cross-site attack defense method of claim 5, further comprising the step of hashing the obtained at least one JavaScript and at least one URL to generate the whitelist.

7. The cross-site attack defense method of claim 5, wherein the proxy server forwards the client's HTTP request to the web server and returns the web server's HTTP response to the client.

8. The cross-site attack defense method of claim 5, further comprising the steps of: taking at least one first JavaScript or at least one first URL out of the HTTP response, hashing it and comparing it against the whitelist; and, if the result of the comparison does not match the whitelist, judging the at least one first JavaScript or at least one first URL to be the malicious code and deleting it from the HTTP response.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102100841A TWI489309B (en) 2013-01-10 2013-01-10 System and method for defending against cross-site scripting

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW102100841A TWI489309B (en) 2013-01-10 2013-01-10 System and method for defending against cross-site scripting

Publications (2)

Publication Number Publication Date
TW201428526A TW201428526A (en) 2014-07-16
TWI489309B true TWI489309B (en) 2015-06-21

Family

ID=51726096

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102100841A TWI489309B (en) 2013-01-10 2013-01-10 System and method for defending against cross-site scripting

Country Status (1)

Country Link
TW (1) TWI489309B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7343626B1 (en) * 2002-11-12 2008-03-11 Microsoft Corporation Automated detection of cross site scripting vulnerabilities
TW201029412A (en) * 2009-01-17 2010-08-01 Univ Nat Taiwan Science Tech Network attack detection systems and methods, and computer program products thereof
CN101849238A (en) * 2007-11-05 2010-09-29 微软公司 Cross-site scripting filter
CN101895516A (en) * 2009-05-19 2010-11-24 北京启明星辰信息技术股份有限公司 Method and device for positioning cross-site scripting attack source
CN102780684A (en) * 2011-05-12 2012-11-14 同济大学 XSS defensive system


Also Published As

Publication number Publication date
TW201428526A (en) 2014-07-16

Similar Documents

Publication Publication Date Title
US10367903B2 (en) Security systems for mitigating attacks from a headless browser executing on a client computer
Akhawe et al. Towards a formal foundation of web security
JP6624771B2 (en) Client-based local malware detection method
Kirda et al. Client-side cross-site scripting protection
Cao et al. PathCutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks.
US20100037317A1 (en) Mehtod and system for security monitoring of the interface between a browser and an external browser module
US20150082424A1 (en) Active Web Content Whitelisting
Stock et al. Protecting users against XSS-based password manager abuse
US11503072B2 (en) Identifying, reporting and mitigating unauthorized use of web code
Li et al. WebShield: Enabling Various Web Defense Techniques without Client Side Modifications.
Mitropoulos et al. How to train your browser: Preventing XSS attacks using contextual script fingerprints
Niakanlahiji et al. Webmtd: defeating web code injection attacks using web element attribute mutation
Patil Request dependency integrity: validating web requests using dependencies in the browser environment
Selvamani et al. Protection of web applications from cross-site scripting attacks in browser side
Kaur et al. State-of-the-art survey on web vulnerabilities, threat vectors, and countermeasures
Duraisamy et al. A server side solution for protection of web applications from cross-site scripting attacks
Avramescu et al. Guidelines for discovering and improving application security
TWI489309B (en) System and method for defending against cross-site scripting
Hadpawat et al. Analysis of prevention of XSS attacks at client side
Sentamilselvan et al. Survey on Cross Site Request Forgery
KR101731838B1 (en) Apparatus and Method for Scanning Vulnerability of Web Site Based Java Script
TWI506471B (en) System and method for defending against cross-site scripting
Kour A Study On Cross-Site Request Forgery Attack And Its Prevention Measures
Kushwaha et al. A Survey on Malware & Session Hijack Attack over WebEnvironments
Ćosić Web 2.0 services (vulnerability, threats and protection measures)

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees