跨站脚本(XSS)滥用与防御:几种测试平台环境的利用及其防御

IF 0.5 Q4 COMPUTER SCIENCE, SOFTWARE ENGINEERING

International Journal of Information Security and Privacy Pub Date : 2015-04-03 DOI:10.1080/15536548.2015.1044865

B. B. Gupta, Shashank Gupta, S. Gangwar, Manoj Kumar, P. K. Meena

{"title":"跨站脚本(XSS)滥用与防御:几种测试平台环境的利用及其防御","authors":"B. B. Gupta, Shashank Gupta, S. Gangwar, Manoj Kumar, P. K. Meena","doi":"10.1080/15536548.2015.1044865","DOIUrl":null,"url":null,"abstract":"Today cyber physical systems (CPS) facilitate physical world devices to integrate with several Internet data sources and services. In the contemporary era of Web 2.0 technologies, web applications are being developed on several advanced technologies (e.g., AJAX, JavaScript, Flash, ASP.net). However, due to the frequent usage in daily life, web applications are constantly under attack. Cross-site scripting (XSS) attacks are presently the most exploited security problems in the modern web applications. XSS attacks are generally caused by the improper sanitization of user-supplied input on the applications. These attacked use vulnerabilities in the source code, resulting in serious consequences such as stealing of session-identifications embedded in cookies, passwords, credit card numbers, and several other related personal credentials. This article describes a three-fold approach: 1) testing the vulnerabilities of XSS attack on the local host server Apache Tomcat by utilizing the malicious scripts from XSS cheat sheet website; 2) exploiting the same vulnerabilities on Web Goat; and 3) exploiting encoded versions of the injected scripts for testing the level of XSS attack prevention capability. Based on the observed results, further work is also discussed.","PeriodicalId":44332,"journal":{"name":"International Journal of Information Security and Privacy","volume":"1 1","pages":"118 - 136"},"PeriodicalIF":0.5000,"publicationDate":"2015-04-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"55","resultStr":"{\"title\":\"Cross-Site Scripting (XSS) Abuse and Defense: Exploitation on Several Testing Bed Environments and Its Defense\",\"authors\":\"B. B. Gupta, Shashank Gupta, S. Gangwar, Manoj Kumar, P. K. Meena\",\"doi\":\"10.1080/15536548.2015.1044865\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Today cyber physical systems (CPS) facilitate physical world devices to integrate with several Internet data sources and services. In the contemporary era of Web 2.0 technologies, web applications are being developed on several advanced technologies (e.g., AJAX, JavaScript, Flash, ASP.net). However, due to the frequent usage in daily life, web applications are constantly under attack. Cross-site scripting (XSS) attacks are presently the most exploited security problems in the modern web applications. XSS attacks are generally caused by the improper sanitization of user-supplied input on the applications. These attacked use vulnerabilities in the source code, resulting in serious consequences such as stealing of session-identifications embedded in cookies, passwords, credit card numbers, and several other related personal credentials. This article describes a three-fold approach: 1) testing the vulnerabilities of XSS attack on the local host server Apache Tomcat by utilizing the malicious scripts from XSS cheat sheet website; 2) exploiting the same vulnerabilities on Web Goat; and 3) exploiting encoded versions of the injected scripts for testing the level of XSS attack prevention capability. Based on the observed results, further work is also discussed.\",\"PeriodicalId\":44332,\"journal\":{\"name\":\"International Journal of Information Security and Privacy\",\"volume\":\"1 1\",\"pages\":\"118 - 136\"},\"PeriodicalIF\":0.5000,\"publicationDate\":\"2015-04-03\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"55\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Information Security and Privacy\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1080/15536548.2015.1044865\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, SOFTWARE ENGINEERING\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1080/15536548.2015.1044865","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 55

摘要

今天，网络物理系统(CPS)促进了物理世界设备与多个Internet数据源和服务的集成。在Web 2.0技术的当代时代，Web应用程序正在使用几种先进技术(例如，AJAX, JavaScript, Flash, ASP.net)进行开发。然而，由于在日常生活中的频繁使用，web应用程序不断受到攻击。跨站点脚本(XSS)攻击是目前现代web应用程序中最容易被利用的安全问题。XSS攻击通常是由于对用户提供的应用程序输入的处理不当造成的。这些攻击者利用源代码中的漏洞，导致了严重的后果，比如窃取嵌入在cookie中的会话标识、密码、信用卡号和其他一些相关的个人凭证。本文介绍了一种三方面的方法:1)利用XSS小抄网站的恶意脚本，在本地主机服务器Apache Tomcat上测试跨站攻击的漏洞;2)利用Web Goat上的相同漏洞;3)利用注入脚本的编码版本来测试XSS攻击防御能力的水平。在此基础上，对进一步的工作进行了讨论。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Cross-Site Scripting (XSS) Abuse and Defense: Exploitation on Several Testing Bed Environments and Its Defense

Today cyber physical systems (CPS) facilitate physical world devices to integrate with several Internet data sources and services. In the contemporary era of Web 2.0 technologies, web applications are being developed on several advanced technologies (e.g., AJAX, JavaScript, Flash, ASP.net). However, due to the frequent usage in daily life, web applications are constantly under attack. Cross-site scripting (XSS) attacks are presently the most exploited security problems in the modern web applications. XSS attacks are generally caused by the improper sanitization of user-supplied input on the applications. These attacked use vulnerabilities in the source code, resulting in serious consequences such as stealing of session-identifications embedded in cookies, passwords, credit card numbers, and several other related personal credentials. This article describes a three-fold approach: 1) testing the vulnerabilities of XSS attack on the local host server Apache Tomcat by utilizing the malicious scripts from XSS cheat sheet website; 2) exploiting the same vulnerabilities on Web Goat; and 3) exploiting encoded versions of the injected scripts for testing the level of XSS attack prevention capability. Based on the observed results, further work is also discussed.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Journal of Information Security and Privacy COMPUTER SCIENCE, SOFTWARE ENGINEERING-

CiteScore

2.50

自引率

0.00%

发文量

期刊介绍： As information technology and the Internet become more and more ubiquitous and pervasive in our daily lives, there is an essential need for a more thorough understanding of information security and privacy issues and concerns. The International Journal of Information Security and Privacy (IJISP) creates and fosters a forum where research in the theory and practice of information security and privacy is advanced. IJISP publishes high quality papers dealing with a wide range of issues, ranging from technical, legal, regulatory, organizational, managerial, cultural, ethical and human aspects of information security and privacy, through a balanced mix of theoretical and empirical research articles, case studies, book reviews, tutorials, and editorials. This journal encourages submission of manuscripts that present research frameworks, methods, methodologies, theory development and validation, case studies, simulation results and analysis, technological architectures, infrastructure issues in design, and implementation and maintenance of secure and privacy preserving initiatives.