TWI489309B - System and method for defending against cross-site scripting - Google Patents
- Publication number
- TWI489309B
- Authority
- TW
- Taiwan
- Prior art keywords
- module
- server
- javascript
- url
- http
- Prior art date
Landscapes
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to a cross-site scripting (XSS) defense system and method, and in particular to a cross-site scripting defense system and method that can accurately intercept malicious code.
With the rapid growth and spread of the Internet, web content has become increasingly rich, and the way pages are built has evolved from the early static pages to dynamic pages that rely heavily on dynamic web technologies. These developments have made web applications more diverse and more interactive. At the same time, however, they have created a variety of security problems for web systems and have made it harder for computer protection systems to detect intrusions and to defend against them.
Cross-site scripting (XSS) is currently one of the most serious information-security weaknesses worldwide. It is a typical web security vulnerability that an attacker can exploit to steal a user's cookies or personal data. In a typical XSS attack, the attacker embeds a malicious script in the code of a page served by the web server and then uses social engineering to lure visitors into clicking. When a visitor clicks, if the web application served by the web server has not filtered out the extraneous code, the visitor's browser executes the malicious script, which sends the victim's cookie to a third-party site the attacker has set up in advance. The attacker can thereby steal the victim's private data, such as online account names, passwords, and even credit card numbers. Beyond the serious harm to an individual user's information security, the impact of cross-site scripting extends to everyday life, the economy, and even national defense.
Because today's web applications emphasize interactivity, page architectures have become far more complex than before, which in turn raises the technical difficulty and complexity of detecting XSS attacks; even experienced developers find it hard to filter every kind of code completely. On the user side, the general public's awareness of XSS is weaker still, so it is extremely difficult to expect ordinary users to discover or defend against such attacks on their own.
Current deployments of XSS defenses fall into three architectures: client-side, server-side, and a hybrid of client and server. For most Internet users the steps needed to install and configure a client-side defense are too complicated, so the biggest problem with that approach is ensuring that users actually install and run the checking program correctly. The hybrid approach is more cumbersome still: besides the client-side difficulties above, the server-side component must also be made to cooperate with the client-side component, which multiplies the complexity. A server-side system, for its part, requires developers to spend time configuring and testing firewall rules; although this is less complicated than the other two approaches, writing such rules is still far from easy, and the developer must be experienced and very careful to produce a system with adequate protective capability.
Although all three architectures have deployment drawbacks, on the server side alone these can be solved by sufficiently experienced developers. In XSS defense, however, the hardest part is effectively detecting whether user-supplied input contains malicious content. There is therefore still a need for a defense system or method that can identify malicious code accurately and can be deployed easily, so as to solve the problems of the prior art.
One aspect of the present invention is to provide a cross-site scripting defense system that solves the problems of the prior art.
According to one embodiment, the cross-site scripting defense system of the present invention comprises a source code acquisition module, a confirmation module, a transmission module, a reading module, and a parsing module. The source code acquisition module, the confirmation module, and the transmission module are located in the web server; the reading module is located between the web server and the client; and the parsing module is connected to the reading module.
In this embodiment, the source code acquisition module obtains the source code of the web application on the web server. The confirmation module, connected to the source code acquisition module, inspects that source code and identifies the JavaScript and URLs in it; it then generates a whitelist from the JavaScript and URLs it found, and the transmission module sends the whitelist out. The reading module receives the whitelist sent by the transmission module, and the parsing module receives it from the reading module and compares it against the HTTP response that the web server generates for the client's HTTP request, intercepting any malicious code in the response. The HTTP response finally delivered to the client has thus had the malicious code intercepted, which protects the client from cross-site scripting.
Another aspect of the present invention is to provide a cross-site scripting defense method that solves the problems of the prior art.
According to one embodiment, the cross-site scripting defense method of the present invention comprises the following steps: obtaining the source code of the web application on the web server; extracting the JavaScript and URLs from the source code and generating a whitelist from them; transmitting the whitelist to a proxy server; and, in the proxy server, comparing the HTTP response that the web server generates for the client's HTTP request against the whitelist, thereby intercepting malicious code in the HTTP response.
The advantages and spirit of the present invention will be further understood from the following detailed description and the accompanying drawings.
Referring to FIG. 1, FIG. 1 is a schematic diagram of a cross-site scripting defense system 1 according to one embodiment of the present invention. As shown in FIG. 1, the cross-site scripting defense system 1 can be deployed between a web server S and a client C, and comprises a source code acquisition module 10, a confirmation module 12, a transmission module 14, a reading module 16, and a parsing module 18. The source code acquisition module 10, the confirmation module 12, and the transmission module 14 are located in the web server S, while the reading module 16 and the parsing module 18 are located between the web server S and the client C. In this embodiment the reading module 16 and the parsing module 18 are located in a proxy server P, but the invention is not limited to this arrangement; it suffices that both sit between the web server S and the client C.
When the client C connects to the web server S to browse pages, it sends HTTP requests to the web application on the web server S, and the web application returns HTTP responses accordingly. For example, the client C may request a page from the web application, and the web application responds to the client C with that page as requested. Malicious code for a cross-site scripting attack may be carried in the web application's HTTP response; if the client C executes the malicious code in the HTTP response, it is compromised by the attack. Note that in this embodiment the reading module 16 and the parsing module 18 are located in the proxy server P; in other words, both the requests the client C sends to the web server S and the HTTP responses the web server S returns to the client C pass through the proxy server P on their way to the other side.
In this embodiment, the source code acquisition module 10 obtains the source code of the web application on the web server S. The confirmation module 12 is connected to the source code acquisition module 10 and receives the acquired source code from it. The confirmation module 12 analyzes the source code to identify the JavaScript in it. Because most cross-site scripting attacks are also accompanied by malicious external links, the confirmation module 12 can also identify the URLs in the source code, so that interception is broader. The JavaScript and URLs identified by the confirmation module 12 are the valid JavaScript and URLs, not malicious code; specifically, it identifies valid JavaScript and URLs according to preset rules, and these preset rules are defined by the designer of the web application. Because the designer of the web application knows clearly which JavaScript and URLs in the web application and its HTTP responses are valid, while any other JavaScript or URL may be malicious code planted by an attacker, the confirmation module 12 can identify the valid JavaScript and URLs according to the designer's preset rules. The confirmation module 12 then hashes the valid JavaScript and URLs it obtained to form the whitelist.
The transmission module 14 is connected to the confirmation module 12; it receives the whitelist and sends it to the reading module 16. In practice, the transmission module 14 can wrap the whitelist in an HTTP packet, and the web server S then embeds that HTTP packet in the HTTP response the web application is sending to the client C and transmits the HTTP response to the proxy server P, where the reading module 16 extracts the whitelist from the HTTP response. Instead of embedding it in the HTTP response, the transmission module 14 can also send the packet directly to the reading module 16 so that the reading module 16 receives the whitelist directly. In addition to the whitelist formed from valid JavaScript and URLs described above, the reading module 16 can further extract DNS information and web program file names from the web application's HTTP response to serve as two further whitelists.
The parsing module 18 is connected to the reading module 16 and receives the extracted whitelist from it. The parsing module 18 takes the JavaScript or URLs out of the HTTP response sent by the web server S and compares them against the whitelist. If the comparison shows that a piece of JavaScript or a URL in the HTTP response does not match the JavaScript and URLs in the whitelist, it is not JavaScript or a URL that the original web application and its HTTP response should contain, and it can be judged suspicious or even malicious. Conversely, if the JavaScript or URL in the HTTP response matches the JavaScript and URLs in the whitelist, it can be judged to be JavaScript or a URL that the original web application and its HTTP response should contain. Once malicious code has been identified in this way, the parsing module 18 can delete it from the HTTP response, while whitelisted JavaScript and URLs remain in the response. Because the code of a malicious attack is usually encoded to obfuscate it, in practice the parsing module 18 can first decode the JavaScript or URLs obtained from the HTTP response and then compare them against the whitelist.
After the malicious code in the HTTP response has been deleted, the proxy server P can forward the HTTP response to the client C for execution, so the client C is protected from the cross-site scripting attack. Note that because the dynamic comparison against malicious code is performed in the proxy server P in front of the client C, the client C does not need to go through a complicated defense system installation; instead the work is done by professional developers in the proxy server P, which overcomes the installation problem of the client-side defense systems of the prior art. Furthermore, the preset rules defined by the web application's designer make it known which JavaScript and URLs are valid code, so suspicious or malicious code in the HTTP response can be identified precisely.
Referring to FIG. 1 together with FIG. 2, FIG. 2 is a flow chart of the steps of a cross-site scripting defense method according to one embodiment of the present invention. Note that the method of this embodiment can be carried out by the cross-site scripting defense system 1 of FIG. 1, whose units have been described in the embodiment above and are not described again here. As shown in FIG. 2, the cross-site scripting defense method comprises the following steps: in step S20, obtain the source code of the web application on the web server S; in step S22, extract the JavaScript and URLs from the source code of the web application and generate a whitelist from the JavaScript and URLs obtained; in step S24, transmit the whitelist to the proxy server P; and in step S26, in the proxy server P, compare the HTTP response that the web server generates for the client's HTTP request against the whitelist, so as to intercept malicious code in the web server's HTTP response.
Step S20 can use the source code acquisition module 10 of the embodiment above to obtain the source code, and step S22 can then use the confirmation module 12 to extract the JavaScript and URLs from the source code. Because the designer of the web application knows clearly which JavaScript and URLs in the web application and its HTTP responses are valid, while any other JavaScript or URL may be malicious code planted by an attacker, step S22 can use the confirmation module 12 to judge whether each piece of JavaScript and each URL is valid according to the preset rules defined by the designer, and then hash the valid JavaScript and URLs obtained to form the whitelist.
Step S24 can use the transmission module 14 to transmit the whitelist to the proxy server P. As described in the embodiment above, the transmission module 14 can wrap the whitelist in an HTTP packet and embed it in the HTTP response, so that the whitelist is transmitted together with the HTTP response sent by the web server S, and the reading module 16 can extract the whitelist from the HTTP response. Step S26 can then use the parsing module 18 in the proxy server P to compare the HTTP response against the whitelist in order to intercept malicious code in the HTTP response. As described in the embodiment above, the parsing module 18 obtains the JavaScript or URLs in the HTTP response and compares them against the whitelist. JavaScript or URLs in the HTTP response that match the whitelist are kept in the response; conversely, anything that does not match the whitelist is judged to be malicious code and deleted from the HTTP response, which intercepts the malicious code in the HTTP response.
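The whitelist pipeline of modules 12, 14, 16 and 18 (steps S20 to S26) as an added worked example; this is illustrative code written for this page, not the patent's or the patentee's implementation. It assumes a constructed page template as the "valid" source, SHA-256 as the hash, a hypothetical X-Js-Url-Whitelist response header as the HTTP packet that carries the whitelist, and regex extraction of inline script bodies and src/href URLs, with decoding before comparison as the description requires.

```python
import hashlib
import html
import re
import urllib.parse

# Constructed sample: the web application's own page template. Under the designer's
# "preset rules" (assumed here) every script and URL in the template is valid.
APP_SOURCE = """<html><head>
<script src="/static/app.js"></script>
<script>
  function init() { document.getElementById("greet").textContent = "Hi"; }
</script>
</head><body>
<a href="https://example.com/help">Help</a>
<div id="greet"></div>
</body></html>"""

# Constructed hostile response: the same page with user-controlled content injected,
# one inline script and one HTML-entity-encoded URL.
HOSTILE_RESPONSE = APP_SOURCE.replace(
    '<div id="greet"></div>',
    '<div id="greet">hi <script>alert(1)</script>'
    '<a href="&#106;avascript:alert(1)">x</a></div>')

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"\b(?:src|href)\s*=\s*[\"']([^\"']+)[\"']", re.I)
WHITELIST_HEADER = "X-Js-Url-Whitelist"  # assumed carrier; the patent fixes no format


def decode(text):
    """Undo HTML-entity and percent-encoding until a fixed point (parsing module 18
    decodes before comparing, because injected code is usually encoded)."""
    prev = None
    while text != prev:
        prev, text = text, html.unescape(urllib.parse.unquote(text))
    return text


def normalize(text):
    return " ".join(decode(text).split())


def fingerprint(kind, text):
    """Hash of a normalized script body or URL; the whitelist holds only hashes."""
    return hashlib.sha256(f"{kind}:{normalize(text)}".encode()).hexdigest()


def extract(page):
    """Confirmation module 12 / step S22: inline script bodies and src/href URLs."""
    return SCRIPT_RE.findall(page), URL_RE.findall(page)


def build_whitelist(source):
    scripts, urls = extract(source)
    return ({fingerprint("js", s) for s in scripts}
            | {fingerprint("url", u) for u in urls})


def attach_whitelist(headers, whitelist):
    """Transmission module 14 / step S24: carry the whitelist in the HTTP response."""
    headers[WHITELIST_HEADER] = ",".join(sorted(whitelist))
    return headers


def read_whitelist(headers):
    """Reading module 16: pull the whitelist out of the response and strip the
    header so it is not forwarded to the client."""
    return set(filter(None, headers.pop(WHITELIST_HEADER, "").split(",")))


def filter_response(body, whitelist):
    """Parsing module 18 / step S26: drop every script body and URL attribute whose
    fingerprint is not whitelisted. Returns the cleaned body and what was removed."""
    removed = []

    def check(kind, match):
        text = match.group(1)
        if fingerprint(kind, text) in whitelist:
            return match.group(0)
        removed.append((kind, normalize(text)))
        return ""

    body = SCRIPT_RE.sub(lambda m: check("js", m), body)
    body = URL_RE.sub(lambda m: check("url", m), body)
    return body, removed


if __name__ == "__main__":
    wl = build_whitelist(APP_SOURCE)
    hdrs = attach_whitelist({"Content-Type": "text/html"}, wl)
    cleaned, removed = filter_response(HOSTILE_RESPONSE, read_whitelist(hdrs))
    print("removed:", removed)
    print(cleaned)
```

A production parsing module would use a real HTML parser and also cover event-handler attributes and script-in-attribute contexts; regexes are used here only to keep the example short.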
The cross-site scripting defense method of this embodiment deletes the malicious code in the HTTP response sent by the web server S, so when the proxy server P forwards the HTTP response to the client C for execution, it does not cause a cross-site scripting attack on the client C. Moreover, because step S22 identifies valid JavaScript and URLs according to the preset rules defined by the web application's designer, it can precisely determine which JavaScript and URLs in the HTTP response are injected code.
In summary, the cross-site scripting defense system and method of the present invention use a source code acquisition module, a confirmation module, and a transmission module located in the web server to form a whitelist from the JavaScript and URLs in the source code of the web server's web application, and then use a reading module and a parsing module located between the web server and the client to compare the whitelist against the HTTP responses sent by the web server, thereby intercepting malicious code in the HTTP responses and protecting the client from cross-site scripting attacks. Because the designer of the web application knows exactly which JavaScript and URLs in the application are valid, the resulting whitelist can precisely pick out the suspicious JavaScript and URLs in an HTTP response. Furthermore, since the comparison of the HTTP response against malicious code is performed by the proxy server, the client does not need any complicated installation or configuration, which simplifies system deployment.
The foregoing detailed description of preferred embodiments is intended to describe the features and spirit of the present invention more clearly, not to limit the scope of the invention to the preferred embodiments disclosed above. On the contrary, the intention is to cover various modifications and equivalent arrangements within the scope of the claims of the present invention. The scope of the claims should therefore be given the broadest interpretation consistent with the above description, so as to encompass all possible modifications and equivalent arrangements.
Reference numerals:
- 1: cross-site scripting defense system
- 10: source code acquisition module
- 12: confirmation module
- 14: transmission module
- 16: reading module
- 18: parsing module
- S: web server
- P: proxy server
- C: client
- S20 to S26: process steps
FIG. 1 is a schematic diagram of a cross-site scripting defense system according to one embodiment of the present invention.
FIG. 2 is a flow chart of the steps of a cross-site scripting defense method according to one embodiment of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW102100841A TWI489309B (en) | 2013-01-10 | 2013-01-10 | System and method for defending against cross-site scripting |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201428526A TW201428526A (en) | 2014-07-16 |
TWI489309B true TWI489309B (en) | 2015-06-21 |
Family
ID=51726096
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI489309B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7343626B1 (en) * | 2002-11-12 | 2008-03-11 | Microsoft Corporation | Automated detection of cross site scripting vulnerabilities |
TW201029412A (en) * | 2009-01-17 | 2010-08-01 | Univ Nat Taiwan Science Tech | Network attack detection systems and methods, and computer program products thereof |
CN101849238A (en) * | 2007-11-05 | 2010-09-29 | 微软公司 | Cross-site scripting filter |
CN101895516A (en) * | 2009-05-19 | 2010-11-24 | 北京启明星辰信息技术股份有限公司 | Method and device for positioning cross-site scripting attack source |
CN102780684A (en) * | 2011-05-12 | 2012-11-14 | 同济大学 | XSS defensive system |
Events
- 2013-01-10: TW application TW102100841A, granted as TWI489309B; status: not active (IP right cessation)
Also Published As
Publication number | Publication date |
---|---|
TW201428526A (en) | 2014-07-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM4A | Annulment or lapse of patent due to non-payment of fees |