Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/23315

Full metadata record (DC field: value [language])

dc.contributor.advisor: 洪士灝(Shih-Hao Hung)
dc.contributor.author: Jiun-Ting Lin [en]
dc.contributor.author: 林俊廷 [zh_TW]
dc.date.accessioned: 2021-06-08T04:59:05Z
dc.date.copyright: 2010-08-20
dc.date.issued: 2010
dc.date.submitted: 2010-08-18
dc.identifier.citation:
[1] Alexa, the web information company. http://www.alexa.com/.
[2] MITRE. Common Vulnerabilities and Exposures. http://cve.mitre.org.
[3] SunSpider JavaScript benchmark. http://www2.webkit.org/perf/sunspider-0.9/sunspider.html.
[4] The ten most critical web application security vulnerabilities, 2007 update. Technical report, OWASP, 2007.
[5] The ten most critical web application security risks, 2010 RC-1. Technical report, OWASP, 2009.
[6] Google Web Toolkit. http://code.google.com/webtoolkit/, November 2008.
[7] Volta. http://live.labs.com/volta, November 2008.
[8] C. Anderson, P. Giannini, and S. Drossopoulou. Towards type inference for JavaScript.
[9] Stephen Chong, Jed Liu, Andrew Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng. Secure web applications via automatic partitioning. In SOSP '07: Proceedings of the Twenty-First ACM SIGOPS Symposium on Operating Systems Principles, pages 31-44, Stevenson, Washington, USA, 2007. ACM.
[10] Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. Staged information flow for JavaScript. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 50-62, Dublin, Ireland, 2009. ACM.
[11] Steven Cook. A web developer's guide to cross-site scripting. Technical Report GSEC Version 1.4b (Option 1), SANS, January 2003.
[12] Ryan Dewsbury. Google Web Toolkit Applications.
[13] David Flanagan. JavaScript: The Definitive Guide. O'Reilly Media, Inc., 2006.
[14] ECMA International. ECMA-262: ECMAScript Language Specification. ECMA (European Association for Standardizing Information and Communication Systems), Geneva, Switzerland, third edition, December 1999.
[15] Omar Ismail, Masashi Etoh, Youki Kadobayashi, and Suguru Yamaguchi. A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In Advanced Information Networking and Applications, International Conference on, 1:145, 2004.
[16] Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th International Conference on World Wide Web, pages 601-610, Banff, Alberta, Canada, 2007. ACM.
[17] Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In 2006 IEEE Symposium on Security and Privacy, pages 258-263, 2006.
[18] Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. Noxes: A client-side solution for mitigating cross-site scripting attacks, 2006.
[19] G. A. Di Lucca, A. R. Fasolino, M. Mastoianni, and P. Tramontana. Identifying cross site scripting vulnerabilities in web applications. In WSE '04: Proceedings of the Sixth IEEE International Workshop on Web Site Evolution, pages 71-80, Washington, DC, USA, 2004. IEEE Computer Society.
[20] Geoffrey Smith. Principles of secure information flow analysis. In Malware Detection, pages 297-307. Springer-Verlag, 2007.
[21] Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. February 2007.
[22] Gary Wassermann and Zhendong Su. Static detection of cross-site scripting vulnerabilities. In ICSE, 2008.
[23] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th Conference on World Wide Web, pages 40-52. ACM Press, 2004.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/23315
dc.description.abstract [zh_TW, translated]: In today's Web 2.0 era, scripting languages are widely used and, by executing in the client's browser, add variety to web page content. Among these languages, JavaScript, thanks to its dynamic nature and the rise of AJAX, has in recent years been used heavily across all kinds of web services. However, data security was not carefully considered in the early design of JavaScript, so attack techniques that exploit its security weaknesses have emerged one after another, and XSS (cross-site scripting) is one of the most representative. In this attack, malicious JavaScript is injected into a web page, and while the client executes it, the attacker can steal important sensitive data from the client. This thesis proposes a method for detecting improper access to sensitive data by JavaScript in the client's browser, and thereby blocking XSS attacks. The detection method is highly portable, is not tied to a specific browser, and does not require rewriting existing applications, so in ease of use it surpasses previously proposed detection methods. We implemented the method in a widely used browser engine (WebKit). Without any server-side support, on both PCs and Android smartphones, it can detect JavaScript that may contain a malicious attack using only a small amount of client system resources and a short detection time. The method is therefore well suited to personal computers and handheld devices.
dc.description.abstract [en]: In the era of Web 2.0, many websites are powered by JavaScript, a flexible dynamic scripting language that can be executed by most browsers on the client side [10]. However, JavaScript has few protections or information hiding mechanisms, which has opened up new classes of security vulnerabilities such as cross-site scripting (XSS) and code injection attacks. With XSS, malicious script code can access private information and transfer it to a third party (i.e., the attacker) while it executes on the client side. In this thesis, we propose to defend against malicious JavaScript code by tracking sensitive data in the client-side browser, so that users can detect XSS attacks conveniently with our detection engine plugged into a browser. Unlike some previously proposed server-side methods, our approach does not require developers to rewrite existing web applications. In our experimental study, we implemented our method on WebKit, a browser engine that is widely used by many well-known browsers. Our results on a PC and an Android smartphone showed that our detection engine is flexible and portable, and that the system resources required from the client are acceptable. Thus, we believe that our approach is suitable for many personal computers and mobile devices.
dc.description.provenance [en]: Made available in DSpace on 2021-06-08T04:59:05Z (GMT). No. of bitstreams: 1. ntu-99-R97922114-1.pdf: 1641000 bytes, checksum: 6a2b6e1956044a509af6704772b9eef1 (MD5). Previous issue date: 2010.
dc.description.tableofcontents:
Acknowledgements ... i
Abstract ... ii
Abstract (Chinese) ... iii
List of Tables ... vii
List of Figures ... viii
1 Introduction ... 1
1.1 XSS Attack ... 1
1.1.1 Non-Persistent Attacks ... 2
1.1.2 DOM-Based Attacks ... 3
1.1.3 Persistent Attacks ... 4
1.2 Proposed Approach ... 4
1.3 Thesis Organization ... 6
2 Detection of XSS Attacks ... 7
2.1 Default Tracked Items ... 8
2.2 Propagation of Tracked Items ... 10
2.2.1 Assignment ... 11
2.2.2 Arithmetic ... 11
2.2.3 Function ... 13
2.2.4 Conditional Expression ... 14
2.3 Items Transmission ... 14
2.4 Coverage of Detection ... 15
3 Software Design ... 17
3.1 Detection Flow ... 18
3.2 JavaScript Syntax ... 20
3.2.1 Hierarchical Syntax Tables Search ... 24
3.2.2 Prototype ... 24
3.2.3 Scope Chain Rule ... 25
3.3 Portability ... 26
4 Evaluation ... 28
4.1 Experimental Setup ... 28
4.1.1 Target Browser ... 29
4.1.2 Platforms ... 30
4.1.3 Performance Index ... 31
4.2 Functional Test ... 31
4.2.1 Real World Cases ... 32
4.2.2 Accuracy Measurement ... 33
4.3 Performance Experiment ... 34
4.3.1 x86 ... 35
4.3.2 Android ... 38
5 Related Work ... 40
6 Conclusion ... 42
Bibliography ... 43
dc.language.iso: en
dc.subject: WebKit [zh_TW]
dc.subject: XSS [zh_TW]
dc.subject: JavaScript [zh_TW]
dc.title: 在用戶端上設計防護XSS攻擊之資安技術 [zh_TW] (Designing Client-Side Security Techniques to Defend Against XSS Attacks)
dc.title: Methods for Detecting XSS Attacks On the Client-Side [en]
dc.type: Thesis
dc.date.schoolyear: 98-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 郭大維(Tei-Wei Kuo), 施吉昇(Chi-Sheng Shih)
dc.subject.keyword: JavaScript, WebKit, XSS [zh_TW]
dc.relation.page: 45
dc.rights.note: Not authorized for public release
dc.date.accepted: 2010-08-19
dc.contributor.author-college: 電機資訊學院 (College of Electrical Engineering and Computer Science) [zh_TW]
dc.contributor.author-dept: 資訊工程學研究所 (Graduate Institute of Computer Science and Information Engineering) [zh_TW]
Appears in collections: 資訊工程學系 (Department of Computer Science and Information Engineering)

Files in this item:
ntu-99-1.pdf, 1.6 MB, Adobe PDF (not authorized for public access)