Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

XSS (Cross Site Scripting) testing method and XSS testing system based on DOM (Document Object Model)

A technology for cross-site scripting vulnerabilities and testing methods, which is applied in the field of DOM-based cross-site scripting vulnerability testing, can solve problems such as inability to accurately test cross-site scripting vulnerabilities, and achieve the effect of facilitating positioning and ensuring accuracy.

Active Publication Date: 2013-03-27
ALIBABA GRP HLDG LTD
View PDF3 Cites 25 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0004] The technical problem to be solved in this application is to provide a DOM-based cross-site scripting vulnerability testing method and system, which can solve the problem that the DOM-based cross-site scripting vulnerability cannot be accurately tested

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • XSS (Cross Site Scripting) testing method and XSS testing system based on DOM (Document Object Model)
  • XSS (Cross Site Scripting) testing method and XSS testing system based on DOM (Document Object Model)
  • XSS (Cross Site Scripting) testing method and XSS testing system based on DOM (Document Object Model)

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0052] refer to figure 1 , which shows a first embodiment of a DOM-based cross-site scripting vulnerability testing method of the present application, including the following steps:

[0053] Step 101, obtaining the source code of the target page and extracting the script code therein.

[0054] Wherein, the script (javascript) content extracted from the source code can be obtained directly by using a plug-in, for example, in ruby, it can be directly obtained by using the hpricot plug-in. In addition, the content in the script tag can also be intercepted by means of character string interception, and the content in each script tag can be spliced ​​together.

[0055] Step 102, traversing all script codes, using predefined dirty data entries to obtain all dirty data entries in the script codes and the variables passed by the dirty data entries.

[0056] Dirty data is data that may exploit vulnerabilities to implement malicious attacks. Specifically, it includes all Dom entry poi...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides an XSS (Cross Site Scripting) testing method based on a DOM (Document Object Model). The XSS testing method comprises the following steps of obtaining source codes of a destination page, and extracting script codes in the source codes; traversing all the script codes, and obtaining all dirty data inlets and variables passed by the dirty data inlets from the script codes by utilizing a predefined dirty data inlet; traversing all the script codes again, obtaining output functions in the script codes, extracting parameters of the output functions for being matched with the dirty data inlets and the variables passed by the dirty data inlets, and determining that bugs exist if the parameters of the output functions can be matched with the dirty data inlets and the variables passed by the dirty data inlets; and recording information of the bugs. The invention also provides an XSS testing device based on the DOM for realizing the XSS testing method. According to the XSS testing method based on the DOM and the XSS testing device based on the DOM, which are provided by the invention, the problem that XSS based on the DOM cannot be accurately tested can be solved.

Description

technical field [0001] The present application relates to the technical field of computer network security testing, in particular to a DOM-based cross-site scripting vulnerability testing method and system. Background technique [0002] Cross Site Scripting (Cross Site Scripting, often abbreviated as XSS) is a vulnerability in the web application when it outputs data to the web page, which allows the attacker to display the constructed malicious data on the page. The malicious code injected by the cross-site scripting attack runs in the browser, which can control the user's browser, obtain the user's computer information, intercept the user's keyboard input, spy on the user's local area network information, and even attack other websites. Among them, DOM (Document Object Model, Document Object Model) is a page output by JavaScript, and cross-site scripting vulnerabilities based on DOM are vulnerabilities that appear in JavaScript codes. [0003] Black-box testing is often u...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F11/36
Inventor 谢雄钦吴翰清
Owner ALIBABA GRP HLDG LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com