检测HTML5引入的跨站脚本漏洞

2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE) Pub Date : 2014-05-14 DOI:10.1109/JCSSE.2014.6841888

Guowei Dong, Yan Zhang, Xin Wang, Peng Wang, Liangkun Liu

{"title":"检测HTML5引入的跨站脚本漏洞","authors":"Guowei Dong, Yan Zhang, Xin Wang, Peng Wang, Liangkun Liu","doi":"10.1109/JCSSE.2014.6841888","DOIUrl":null,"url":null,"abstract":"Recent years, HTML5 is widely adopted in popular browsers. Unfortunately, as a new Web standard, HTML5 may expand the Cross Site Scripting (XSS) attack surface as well as improve the interactivity of the page. In this paper, we identified 14 XSS attack vectors related to HTML5 by a systematic analysis about new tags and attributes. Based on these vectors, a XSS test vector repository is constructed and a dynamic XSS vulnerability detection tool focusing on Webmail systems is implemented. By applying the tool to some popular Webmail systems, seven exploitable XSS vulnerabilities are found. The evaluation result shows that our tool can efficiently detect XSS vulnerabilities introduced by HTML5.","PeriodicalId":331610,"journal":{"name":"2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"27","resultStr":"{\"title\":\"Detecting cross site scripting vulnerabilities introduced by HTML5\",\"authors\":\"Guowei Dong, Yan Zhang, Xin Wang, Peng Wang, Liangkun Liu\",\"doi\":\"10.1109/JCSSE.2014.6841888\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Recent years, HTML5 is widely adopted in popular browsers. Unfortunately, as a new Web standard, HTML5 may expand the Cross Site Scripting (XSS) attack surface as well as improve the interactivity of the page. In this paper, we identified 14 XSS attack vectors related to HTML5 by a systematic analysis about new tags and attributes. Based on these vectors, a XSS test vector repository is constructed and a dynamic XSS vulnerability detection tool focusing on Webmail systems is implemented. By applying the tool to some popular Webmail systems, seven exploitable XSS vulnerabilities are found. The evaluation result shows that our tool can efficiently detect XSS vulnerabilities introduced by HTML5.\",\"PeriodicalId\":331610,\"journal\":{\"name\":\"2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE)\",\"volume\":\"37 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-05-14\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"27\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/JCSSE.2014.6841888\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/JCSSE.2014.6841888","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 27

摘要

近年来，HTML5在流行浏览器中被广泛采用。不幸的是，作为一种新的Web标准，HTML5可能会扩展跨站点脚本(XSS)的攻击面，并改善页面的交互性。在本文中，我们通过对新标签和属性的系统分析，确定了14个与HTML5相关的跨站攻击向量。在此基础上，构建了跨站攻击测试向量库，实现了针对Webmail系统的跨站攻击漏洞动态检测工具。通过将该工具应用于一些流行的Webmail系统，发现了七个可利用的XSS漏洞。评估结果表明，我们的工具能够有效检测HTML5引入的跨站攻击漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Detecting cross site scripting vulnerabilities introduced by HTML5

Recent years, HTML5 is widely adopted in popular browsers. Unfortunately, as a new Web standard, HTML5 may expand the Cross Site Scripting (XSS) attack surface as well as improve the interactivity of the page. In this paper, we identified 14 XSS attack vectors related to HTML5 by a systematic analysis about new tags and attributes. Based on these vectors, a XSS test vector repository is constructed and a dynamic XSS vulnerability detection tool focusing on Webmail systems is implemented. By applying the tool to some popular Webmail systems, seven exploitable XSS vulnerabilities are found. The evaluation result shows that our tool can efficiently detect XSS vulnerabilities introduced by HTML5.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2014 11th International Joint Conference on Computer Science and Software Engineering (JCSSE)

自引率

0.00%

发文量