Research and Implementation of Cross-site Scripting Defense Method Based on Moving Target Defense Technology

2018 5th International Conference on Systems and Informatics (ICSAI) Pub Date : 2018-11-01 DOI:10.1109/ICSAI.2018.8599463

Ping Chen, Han Yu, Min Zhao, Jinshuang Wang

{"title":"Research and Implementation of Cross-site Scripting Defense Method Based on Moving Target Defense Technology","authors":"Ping Chen, Han Yu, Min Zhao, Jinshuang Wang","doi":"10.1109/ICSAI.2018.8599463","DOIUrl":null,"url":null,"abstract":"The root cause of cross-site scripting(XSS) attack is that the JavaScript engine can’t distinguish between the JavaScript code in Web application and the JavaScript code injected by attackers. Moving Target Defense (MTD) is a novel technique that aim to defeat attacks by frequently changing the system configuration so that attackers can’t catch the status of the system. This paper describes the design and implement of a XSS defense method based on Moving Target Defense technology. This method adds a random attribute to each unsafe element in Web application to distinguish between the JavaScript code in Web application and the JavaScript code injected by attackers and uses a security check function to verify the random attribute, if there is no random attribute or the random attribute value is not correct in a HTML (Hypertext Markup Language) element, the execution of JavaScript code will be prevented. The experiment results show that the method can effectively prevent XSS attacks and have little impact on the system performance.","PeriodicalId":375852,"journal":{"name":"2018 5th International Conference on Systems and Informatics (ICSAI)","volume":"30 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 5th International Conference on Systems and Informatics (ICSAI)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSAI.2018.8599463","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

The root cause of cross-site scripting(XSS) attack is that the JavaScript engine can’t distinguish between the JavaScript code in Web application and the JavaScript code injected by attackers. Moving Target Defense (MTD) is a novel technique that aim to defeat attacks by frequently changing the system configuration so that attackers can’t catch the status of the system. This paper describes the design and implement of a XSS defense method based on Moving Target Defense technology. This method adds a random attribute to each unsafe element in Web application to distinguish between the JavaScript code in Web application and the JavaScript code injected by attackers and uses a security check function to verify the random attribute, if there is no random attribute or the random attribute value is not correct in a HTML (Hypertext Markup Language) element, the execution of JavaScript code will be prevented. The experiment results show that the method can effectively prevent XSS attacks and have little impact on the system performance.

查看原文本刊更多论文

基于移动目标防御技术的跨站点脚本防御方法研究与实现

跨站脚本(XSS)攻击的根本原因是JavaScript引擎无法区分Web应用程序中的JavaScript代码和攻击者注入的JavaScript代码。移动目标防御(MTD)是一种新颖的技术，其目的是通过频繁改变系统配置，使攻击者无法捕获系统的状态来挫败攻击。本文介绍了一种基于移动目标防御技术的跨站防御方法的设计与实现。该方法为Web应用程序中的每个不安全元素添加一个随机属性，以区分Web应用程序中的JavaScript代码和攻击者注入的JavaScript代码，并使用安全检查功能对随机属性进行验证，如果HTML(超文本标记语言)元素中没有随机属性或随机属性值不正确，则会阻止JavaScript代码的执行。实验结果表明，该方法能有效防止XSS攻击，对系统性能影响较小。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 5th International Conference on Systems and Informatics (ICSAI)

自引率

0.00%

发文量