
Automatic detection system capable of dynamically determining XSS vulnerability

A technology for automatic detection and vulnerability detection, applied in the fields of instruments, electrical digital data processing, platform integrity maintenance, etc.

Status: Inactive. Publication date: 2016-10-12
BEIJING UNIV OF TECH

AI Technical Summary

Problems solved by technology

[0025] After deletion, the submitted parameter becomes alert("XSS");, which still easily bypasses the filter. It can be seen that the traditional method may be unable to determine whether the XSS vulnerability exists.
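As an added example (not code from the patent), the following Python script reconstructs the failure mode this paragraph describes: a blacklist filter that deletes the literal "<script>" substring, a "traditional" static check that only reports a vulnerability when the attack vector is reflected verbatim, and a parse-based stand-in for the browser's judgment of whether a script element actually reaches the DOM. The filter, the page template and the two payloads are constructed for illustration; in the patent a real browser engine (Ghost.py) is the ground truth, and the parser here only approximates it.

```python
from html.parser import HTMLParser

# The script body the scanner looks for in an executed script element.
MARKER = 'alert("XSS");'

# Two constructed attack vectors. PLAIN is the textbook payload; NESTED is the
# classic bypass of a delete-the-substring filter: removing the inner "<script>"
# once leaves a well-formed "<script>" behind.
PLAIN = '<script>alert("XSS");</script>'
NESTED = '<scr<script>ipt>alert("XSS");</script>'


def naive_filter(value):
    """Blacklist filter of the kind the paragraph criticises (constructed):
    delete every occurrence of the literal substring "<script>" and hope
    nothing executable survives."""
    return value.replace("<script>", "")


def render(param):
    """Constructed server template: reflect the filtered parameter unescaped."""
    return "<html><body><p>Hello " + naive_filter(param) + "</p></body></html>"


def reflected_fragment(payload):
    """What the user-controlled parameter looks like once it is in the page."""
    page = render(payload)
    start = page.index("Hello ") + len("Hello ")
    end = page.index("</p>")
    return page[start:end]


def static_check(payload):
    """The 'traditional' judgment: vulnerable only if the attack vector is
    echoed back verbatim. Any filter that alters the payload defeats it,
    even when the altered output is still executable."""
    return payload in render(payload)


class ScriptFinder(HTMLParser):
    """Parse the response the way a browser tokenizer would and collect the
    bodies of <script> elements that end up in the DOM. A headless browser
    is what the patent uses; this parser is a stand-in good enough for the
    two payloads above (it does not cover event handlers, javascript: URLs
    or DOM-based sinks)."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def dynamic_check(payload):
    """Judge by what would execute, not by what was sent: is the marker
    inside a real <script> element after the page is parsed?"""
    finder = ScriptFinder()
    finder.feed(render(payload))
    return any(MARKER in body for body in finder.scripts)


if __name__ == "__main__":
    for name, payload in (("PLAIN", PLAIN), ("NESTED", NESTED)):
        print(name, repr(reflected_fragment(payload)),
              "static:", static_check(payload), "dynamic:", dynamic_check(payload))
```

For PLAIN the filter strips the opening tag and the reflected text is the inert `alert("XSS");</script>` that the paragraph mentions; both checks agree there is nothing to execute. For NESTED the filter's single-pass deletion reassembles a valid `<script>` element: the static check still says "not vulnerable" because the echoed bytes differ from the payload, while the parse-based check finds the script body in the DOM, which is the distinction the patent's dynamic judgment module is built around.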




Embodiment Construction

[0048] The system performs black-box testing of the server on top of Ghost.py and consists of three modules: a crawler module, a vulnerability detection module and a user interface. The system architecture is shown in Figure 1.

[0049] 4.1 Crawler module

[0050] The crawler module explores pages, using a recursive depth-first algorithm to discover pages under the same domain name.

[0051] While exploring a page, the crawler also performs dynamic analysis: it loads the page in the headless browser and triggers the page's events in order to obtain the new URLs and injection points generated by JavaScript or Ajax. Page loading is done through the API provided by Ghost.py.

[0052] After a web page has loaded, the crawler adds the URLs of newly found pages to its list. URL hyperlinks generally reside in the href attribute of the <a> tag; the value of the href attribute can be a relative or absolute URL to any valid document, including fragme...
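As an added example (not the patent's own code), the following Python crawler does what paragraphs [0050] to [0052] describe for a static site: a recursive depth-first walk restricted to the start URL's domain, href extraction with relative-URL resolution, fragment stripping, and collection of injection points from query-string parameters and form fields. The site contents, URLs and form are constructed inline so the script runs offline; the fetch function stands in for the page loading that the patent delegates to Ghost.py, and the dynamic part (triggering JavaScript events to discover Ajax-generated URLs) is not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag, parse_qs

# Constructed offline site standing in for the live server. A dict lookup plays
# the role of the page load; the patent performs that step with Ghost.py.
SITE = {
    "http://example.test/": """<html><body>
        <a href="about.html">About</a>
        <a href="/search?q=test">Search</a>
        <a href="http://example.test/about.html#team">Team</a>
        <a href="http://other.test/">External</a>
        </body></html>""",
    "http://example.test/about.html": """<html><body>
        <a href="/">Home</a>
        <form action="/comment" method="post">
          <input type="text" name="author">
          <textarea name="body"></textarea>
          <input type="submit" value="Send">
        </form>
        </body></html>""",
    "http://example.test/search?q=test":
        "<html><body><p>Results for test</p><a href='/'>Home</a></body></html>",
}


def fetch(url):
    """Hypothetical fetch: return the page body, or "" for unknown URLs."""
    return SITE.get(url, "")


class LinkExtractor(HTMLParser):
    """Collect href targets (resolved against the page URL) and form fields."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            # href may be relative or absolute; urljoin normalises both.
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Every named field, hidden ones included, is a candidate injection point.
            if a.get("name") and (a.get("type") or "text") not in ("submit", "button"):
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def crawl(start, fetch=fetch):
    """Recursive depth-first crawl of the start URL's domain.

    Returns (visited_urls, injection_points) where each injection point is a
    (method, url, parameter) triple."""
    domain = urlparse(start).netloc
    visited = []
    injection_points = []

    def visit(url):
        url, _ = urldefrag(url)  # fragments never reach the server
        if url in visited or urlparse(url).netloc != domain:
            return
        visited.append(url)
        # Query-string parameters are GET injection points.
        for name in parse_qs(urlparse(url).query, keep_blank_values=True):
            injection_points.append(("GET", url.split("?", 1)[0], name))
        parser = LinkExtractor(url)
        parser.feed(fetch(url))
        for form in parser.forms:
            for field in form["fields"]:
                injection_points.append((form["method"].upper(), form["action"], field))
        for link in parser.links:  # depth-first: recurse before the next sibling
            visit(link)

    visit(start)
    return visited, injection_points


if __name__ == "__main__":
    pages, points = crawl("http://example.test/")
    print("visited:", pages)
    print("injection points:", points)
```

The off-site link to other.test is discarded by the domain check, the fragment link to about.html#team collapses onto a page already visited, and the three injection points (two POST form fields and one GET parameter) are what the detection module would later feed attack vectors into. A real crawl would also need a recursion or depth limit and URL normalisation (trailing slashes, parameter order), which this illustration omits.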



Abstract

An automatic detection system capable of dynamically judging XSS vulnerabilities. The system consists of a crawler module, a dynamic vulnerability detection module and a user interaction interface. The software introduces a library containing a browser kernel, which can simulate browser behaviour to parse JavaScript and load Ajax, thereby obtaining the hidden injection points and interaction points in a page, and finds unconventional web request submission methods through static analysis of the page structure. Compared with the traditional static method, and with a method that lacks a dynamic judgment module, the coverage of injection-point identification is greatly improved. The injection-point test uses a black-box method that does not consider the internal logic of the server: after submitting an attack vector, the system simulates browser behaviour to detect whether the page behaves abnormally, that is, whether the browser executed the injected script, and can therefore judge directly and more accurately whether the current injection point is vulnerable. In addition, the system is developed entirely in Python, which makes it easy to maintain and to extend.

Description

Technical field

[0001] The invention relates to an automatic detection system capable of dynamically judging XSS vulnerabilities, and belongs to the field of computer software.

Background technique

[0002] In recent years, with the widespread use of Web applications, Web security issues have become increasingly prominent. Among the top ten web application security risks released by OWASP in 2013, cross-site scripting (XSS) ranked third, which shows that XSS has become one of the common security risks that all kinds of websites have to face.

[0003] XSS vulnerabilities arise when untrusted data from the user is processed by the application without validation and reflected back to the browser without encoding or escaping, causing the browser engine to execute it as code. Many websites neglect the necessary input validation during development and lack sufficient security; such websites are easily attacked by cross-site scripting....


Application Information

IPC(8): G06F21/57
CPC: G06F21/577; G06F2221/033
Inventors: 王丹, 刘源, 赵文兵
Owner: BEIJING UNIV OF TECH