Cross-site scripting vulnerability detection method and device based on file object model

A Document Object Model (DOM) cross-site scripting (XSS) detection technology, applied in the network field, addresses the problems of existing schemes (reduced vulnerability discovery capability, low detection efficiency and a large amount of time spent) and achieves the effect of improving vulnerability discovery capability and detection efficiency.

Active Publication Date: 2015-05-20
TENCENT TECH (SHENZHEN) CO LTD

AI Technical Summary

Problems solved by technology

[0004] In the course of making the present invention, the inventor found that the prior art has at least the following problems: the existing DOM XSS vulnerability detection scheme needs to trigger the execution of an inserted characteristic JS script in order to find an XSS vulnerability, and execution of the inserted characteristic JS script can only be triggered when the script fully matches the context syntax of the dynamic web content. As a result, enough types of characteristic JS script must be tried, and each attempt to execute a JS script takes a lot of time, which greatly reduces vulnerability discovery capability and detection efficiency.


Embodiment Construction

[0028] To make the object, technical solution and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

[0029] Figure 1 is a flowchart of a DOM XSS vulnerability detection method provided by an embodiment of the present invention. In this embodiment, the Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability detection method is referred to for short as the DOM XSS vulnerability detection method. As shown in Figure 1, the DOM XSS vulnerability detection method of this embodiment may specifically include the following steps:

[0030] 100. Obtain a set of parameter value pairs in the original URL of the webpage to be detected;

[0031] The set of parameter value pairs in this embodiment includes at least one parameter value pair.

[0032] In this ...


Abstract

Disclosed are a method, apparatus, and terminal for detecting a document object model-based cross-site scripting attack vulnerability. The method comprises: obtaining a set of parameter value pairs in the original URL of a webpage, the set of parameter value pairs including at least one parameter value pair; replacing parameter values of the parameter pairs with a feature script to form a test URL of the webpage, the feature script being malicious codes that contain malicious characters and can be uniquely identified in a document object model tree of the webpage; obtaining the page content corresponding to the test URL; converting the page content into the document object model tree; and detecting whether the cross-site scripting attack vulnerabilities are in the parameter value pairs according to the document object model tree and the feature script. By using the above solution, DOM XSS vulnerabilities can be effectively found only through searching the inserted feature script in the converted DOM tree and without triggering the execution of the feature script, thus greatly improving the ability of vulnerability discovery and the detection efficiency.
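The procedure in the abstract, written out as an added example that is not part of the patent: each parameter value is replaced in turn by a feature script, the resulting page content is converted into a DOM tree, and the tree is searched for the feature script as an element, with no script execution. The feature script (a custom tag name, `xsscanary8f3a`) and `render_page`, a constructed stand-in for fetching the page that echoes one parameter escaped and one unescaped, are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import html

# Hypothetical feature script: a custom tag no real page uses. If it appears as an
# ELEMENT in the parsed DOM tree, the parameter value reached the page as markup.
FEATURE_TAG = "xsscanary8f3a"
FEATURE_SCRIPT = f"<{FEATURE_TAG}></{FEATURE_TAG}>"

def build_test_urls(original_url):
    """Steps 1-2: one test URL per parameter value pair, that pair's value replaced by the feature script."""
    parts = urlsplit(original_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(name, urlunsplit(parts._replace(query=urlencode(
                [(n, FEATURE_SCRIPT if j == i else v) for j, (n, v) in enumerate(pairs)]))))
            for i, (name, _) in enumerate(pairs)]

class DomTree(HTMLParser):
    """Step 4: converts page content into a tree of {tag, attrs, children} nodes."""
    def __init__(self):
        super().__init__()
        self.root = {"tag": "#document", "attrs": [], "children": []}
        self.stack = [self.root]
    def handle_starttag(self, tag, attrs):
        node = {"tag": tag, "attrs": attrs, "children": []}
        self.stack[-1]["children"].append(node)
        self.stack.append(node)
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):  # unwind to the matching open element
            if self.stack[i]["tag"] == tag:
                del self.stack[i:]
                break
    def handle_data(self, data):  # escaped payloads end up here, as text, not as elements
        self.stack[-1]["children"].append({"tag": "#text", "attrs": [], "children": [], "text": data})
    def has_element(self, tag, node=None):  # step 5: search the tree; no script execution needed
        node = node or self.root
        return node["tag"] == tag or any(self.has_element(tag, c) for c in node["children"])

def render_page(test_url):
    """Constructed stand-in for step 3 (fetching): 'name' is echoed escaped, 'q' is written raw."""
    params = dict(parse_qsl(urlsplit(test_url).query, keep_blank_values=True))
    return ('<html><body><h1>Hello, %s</h1><div id="results">%s</div></body></html>'
            % (html.escape(params.get("name", "")), params.get("q", "")))

def detect_dom_xss(original_url, fetch=render_page):
    """Returns the names of parameter value pairs whose feature script became a DOM element."""
    hits = []
    for name, url in build_test_urls(original_url):
        tree = DomTree()
        tree.feed(fetch(url))
        if tree.has_element(FEATURE_TAG):
            hits.append(name)
    return hits
```

Against the constructed page, only `q` is reported, because the escaped `name` echo appears in the tree as a text node rather than as the feature element.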

Description

Technical field

[0001] The present invention relates to the field of network technology, in particular to a method, device and terminal for detecting cross-site scripting (Cross Site Script, XSS) vulnerabilities based on the Document Object Model (DOM).

Background technique

[0002] The XSS vulnerability is the most common vulnerability on the Internet today; it can be triggered in browsers such as IE, Chrome and Firefox and causes great harm.

[0003] Usually, XSS means that a malicious attacker adds malicious code to a webpage and induces users to visit it. When a visitor browses the webpage, the malicious code is executed on the user's machine, allowing the attacker to steal user information, plant a trojan on the machine (a "hanging horse" attack) and remotely gain control of the user's machine. Ordinary reflected XSS has an obvious echo characteristic in the source code of the returned page and is relatively easy to detect. DOM XSS is a DOM ...


Application Information

Patent Type & Authority: Applications (China)
IPC: G06F21/56
CPC: G06F21/577, G06F21/554, G06F2221/033, G06F2221/2119, G06F21/563
Inventor: 翁家才
Owner: TENCENT TECH (SHENZHEN) CO LTD