在用戶端上設計防護XSS攻擊之資安技術

Abstract

在現今Web 2.0的時代下，腳本語言（scripting language）廣泛的被使用，並且以在客戶端的瀏覽器上執行的方式，添加網頁內容多樣性。在眾多腳本語言當中，JavaScript由於具有動態的特性，並且因應AJAX技術的興起，近年來大量使用在各種網頁的服務。然而，JavaScript在發展設計的初期，並沒有對資料安全性詳加保護，以致於利用其安全性漏洞的攻擊手法紛紛出籠，而XSS (cross-site scrpting)即為其中最具代表性的攻擊手法之一。此種攻擊手法，將惡意的JavaScript植入網頁，在用戶端執行這個JavaScript的同時，駭客可竊取用戶端上的重要敏感資料。此篇論文提出在用戶端瀏覽器上偵測JavaScript不當存取敏感資料的方法，以此防堵XSS攻擊。此偵測方式具有高度移植性，不受限於特定瀏覽器，也不需要改寫現有的應用程式，在使用的便利性方面，勝過先前提出的偵測方式。我們將此偵測方式實作於廣泛使用的瀏覽器引擎(WebKit)，在無需伺服器端的支援下，在PC和Android智慧型手機上，僅需要少量用戶端系統資源與短暫偵測時間，即可偵測出可能含有惡意攻擊的JavaScript，因此，此偵測方式非常適合應用在個人電腦和手持裝置。

In the era of Web 2.0, many websites are powered by JavaScript, a flexible dynamic scripting language that can be executed by most browsers on the client side [10]. However, JavaScript has few protections or information hiding mechanisms, which has opened up new classes of security vulnerabilities such as cross-site scripting (XSS) and code injection attacks. With XSS, a malicious scripting code can access and transfer private information to a third party (i.e., the attacker) while it executes on the client side. In this paper, we propose to defend malicious JavaScript codes by tracking sensitive data in the client-side browser, so the users can detect XSS attacks conveniently with our detection engine plugged into a browser. Unlike some previously proposed server-side methods, our approach does not require developers to rewrite existing web applications. In our experimental study, we implemented our method on the WebKit, a browser engine that is widely used by many well -known browsers. Our results on PC and Android smart phone showed that our detection engine is flexible and portable, and the system resources required from the client is acceptable. Thus, we believe that our approach is suitable for many personal computers and mobile devices.