Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

XSS vulnerability detection method based on simulating browser behavior

A vulnerability detection, browser technology, applied in the direction of instrumentation, digital data processing, platform integrity maintenance, etc., can solve complex, difficult to parse JavaScript or load Ajax, cannot dynamically analyze the response information of the target site, etc., to achieve The effect of high accuracy

Inactive Publication Date: 2015-09-02
BEIJING UNIV OF TECH
View PDF4 Cites 20 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, the injection point is likely to be hidden in the dynamic content of the web page, and requires user actions, such as clicking a button, to make the browser parse JavaScript or load Ajax to generate
Because traditional crawlers cannot simulate browser behavior, it is difficult to parse JavaScript or load Ajax, thus ignoring hidden injection points
At the same time, when parsing the page, they also need to extract the entire form content, obtain the attributes of the form to analyze the way of submitting data to the server before submitting the attack vector, which is relatively complicated, and cannot dynamically analyze the response information of the target site in terms of vulnerability detection, so It may not be possible to determine whether an XSS vulnerability exists

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • XSS vulnerability detection method based on simulating browser behavior
  • XSS vulnerability detection method based on simulating browser behavior
  • XSS vulnerability detection method based on simulating browser behavior

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0023] The principle of this method is based on Ghost.py's black-box testing of the server, which consists of two parts: a crawler module and a vulnerability detection module. System architecture such as figure 1 shown.

[0024] 1.1 Crawler module

[0025] The crawler module implements the functions of exploring pages and analyzing web pages. The crawler that explores pages uses the recursive depth-first algorithm proposed in this paper to mine only pages under the same domain name. The algorithm description is shown in Algorithm 1.

[0026] Algorithm 1. Depth-first recursive algorithm for page exploration

[0027] Input: Start Website URL

[0028] Output: URLs of all pages with the same domain name crawled starting from the input URL

[0029] 1. Set the maximum depth MAX_DEPTH;

[0030] 2. Set the current depth depth=0;

[0031] 3. If the current depth is greater than the maximum depth, end; otherwise, go to step 4;

[0032] 4. Access the current URL;

[0033] 5. Ob...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention relates to an XSS vulnerability detection method based on simulating a browser behavior. A crawler module is contained with a core of a browser, JavaScript can be analyzed and Ajax can be loaded by simulating the browser behavior to obtain a hidden type decanting point of a page. Compared with a traditional condition, the system increases covering of the decanting point greatly. A vulnerability detection module uses a black-box detection method to detect whether an abnormal condition occurs on the page or not by simulating the browser behavior after the attack vector is improved, namely whether the browser executes a page script or not can be detected, whether a current decanting point has vulnerability or not is judged directly, and the method is more accurate compared with the traditional method. In addition, the method is exploited through the python language, the advantages of being easy to maintain and being easy to conduct secondary development are possessed, and a great application value is possessed to the detection and research of the XSS vulnerability.

Description

technical field [0001] The invention relates to an XSS loophole detection method based on simulated browser behavior, and belongs to the field of computer software cross-site scripting loopholes. Background technique [0002] In recent years, with the widespread use of Web applications, Web security issues have become increasingly prominent. Among the top ten web application security risks released by OWASP in 2013, cross-site scripting vulnerability XSS (Cross Site Scripting) ranked third, which shows that XSS vulnerability has become one of the common security risks that all kinds of websites need to face. [0003] XSS vulnerabilities arise when untrusted data from the user is processed by the application without validation and reflected back to the browser without encoding or escaping, causing the browser engine to execute code. Many websites ignore the necessary input validation during the development process and lack sufficient security. Such websites are easily attack...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/57G06F21/56
CPCG06F21/562G06F21/577
Inventor 王丹刘源赵文兵杜金莲苏航
Owner BEIJING UNIV OF TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com