Detection method and system for interactive XSS (Cross-Site Scripting) vulnerability

A detection method and system for interactive XSS vulnerabilities, applied in the field of XSS vulnerability detection, which addresses the problem that existing methods fail to detect such vulnerabilities and achieves their successful detection.

Inactive Publication Date: 2017-08-22
深圳市九州安域科技有限公司 +2

AI Technical Summary

Problems solved by technology

[0004] The embodiment of the present invention provides a method for detecting interactive XSS vulnerabilities, aiming to solve the problem that existing methods cannot detect XSS vulnerabilities produced by the dynamic execution of scripts.


Examples


Embodiment 1

[0023] Figure 1 is a flowchart of the method for detecting an interactive XSS vulnerability provided by the first embodiment of the present invention; the details are as follows:

[0024] Step S11: send a detection request constructed with a feature value to the Web server, and receive the response page returned by the Web server;

[0025] In this step, the XSS detection tool receives and saves the HTTP requests sent by the client to the Web server, and constructs a feature value according to each HTTP request. Specifically, based on the received and saved user HTTP requests, the parameter values of each HTTP request are modified one by one into the feature value. The feature value is a string whose purpose is to attempt an XSS injection; for example, one feature value could be: , if there is no XSS encoding protection on the page, the div will be inserted into the DOM structure as a DOM node. In addition, for different page output points,...

Embodiment 2

[0054] Figure 3 shows a structural diagram of the interactive XSS vulnerability detection system provided by the second embodiment of the present invention. For convenience of description, only the parts related to the embodiment of the present invention are shown. The detection system for the interactive XSS vulnerability includes: a detection request sending unit 31, a DOM listener parsing unit 32, an intelligent event simulator parsing unit 33, and a judging unit 34, wherein:

Abstract

The invention is applicable to the field of Web program applications and provides a detection method and system for interactive XSS (Cross-Site Scripting) vulnerabilities. The method comprises the following steps: sending a detection request constructed with a feature value to a Web server and receiving the response page returned by the Web server; parsing a DOM (Document Object Model) monitor injected into the response page in advance, then parsing an intelligent event simulator injected into the response page in advance, and using the intelligent event simulator to find and automatically trigger the events on the DOM structure of the response page; and judging from the monitoring result of the DOM monitor whether an XSS vulnerability is present. Through execution of the intelligent event simulator, user interaction is identified and simulated, so the XSS detection tool obtains the complete DOM structure. Through the DOM monitor, changes to the DOM structure of the response page are monitored in real time, so that interactive XSS vulnerabilities in the response page are successfully detected.
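As an added example (not the patent's own code), the three stages of the method above in JavaScript: a DOM monitor, an event simulator, and the judging step, with a small in-memory tree standing in for the browser DOM so it runs under Node. The marker `xssprobe_7f3a`, the `hit()` sentinel, and the two server stubs are constructed for illustration; in a browser the monitor would be a MutationObserver and the simulator would dispatch real events on the live page.

```javascript
// Constructed feature value: an element id no legitimate page would carry, plus a handler
// that only runs on user interaction, which is what makes the XSS "interactive".
const MARKER = 'xssprobe_7f3a';
const FEATURE = `<div id="${MARKER}" onmouseover="hit()">x</div>`;

function htmlEncode(s) {                 // the encoding protection a safe output point applies
  return s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

function makeMonitor() {                 // DOM monitor: logs every node appended to the tree
  const log = [];
  return {
    append(parent, node) { parent.children.push(node); log.push(node); },
    sawMarker: () => log.some(n => n.attrs.id === MARKER),
  };
}

// Stand-in for the browser parser: an unencoded `<div ...>` becomes an element node with an
// onmouseover handler; anything else is inert text. The handler records the sentinel.
function renderResponse(html, monitor, root, sentinel) {
  const m = /<div id="([^"]+)" onmouseover="hit\(\)">/.exec(html);
  if (!m) { monitor.append(root, { tag: '#text', attrs: {}, children: [], handlers: {} }); return; }
  const div = { tag: 'div', attrs: { id: m[1] }, children: [], handlers: {} };
  div.handlers.onmouseover = () => { sentinel.hit = true; };
  monitor.append(root, div);
}

// Intelligent event simulator: walks the DOM and fires every handler it finds, so a payload
// that waits for a hover or click is exercised without a human at the keyboard.
function simulateEvents(node, fired = []) {
  for (const name of Object.keys(node.handlers)) { node.handlers[name](); fired.push(name); }
  node.children.forEach(c => simulateEvents(c, fired));
  return fired;
}

// One detection round: send the feature value as the parameter, render the server's
// reflection into the page, simulate events, then judge from the monitor and sentinel.
function detectInteractiveXss(serverReflect) {
  const root = { tag: 'body', attrs: {}, children: [], handlers: {} };
  const monitor = makeMonitor();
  const sentinel = { hit: false };
  renderResponse(serverReflect(FEATURE), monitor, root, sentinel);
  const fired = simulateEvents(root);
  return { vulnerable: monitor.sawMarker() || sentinel.hit, fired };
}

// Two constructed output points: one encodes the parameter, the other reflects it raw.
const safeServer = p => `<p>Results for ${htmlEncode(p)}</p>`;
const vulnServer = p => `<p>Results for ${p}</p>`;
```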

Description

Technical field

[0001] The embodiments of the invention belong to the field of web program applications, and in particular relate to a method and a system for detecting an interactive XSS vulnerability.

Background technique

[0002] With the widespread use of web applications, web security issues have become increasingly prominent. Cross-site scripting (XSS) is an attack in which an attacker injects a specific script into a page of a web application; when a user browses the page, the injected script is executed to achieve the attacker's purpose. XSS has become one of the most common vulnerabilities in web applications, and automatic detection of XSS vulnerabilities has also become an important technology. With the development of Web 2.0 technology, the pages of Web applications not only display static content but also offer more and more interactive functions to users. These interactive functions are often implemented by embedding JavaScript and CSS sc...

Claims


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57
CPC: G06F21/577
Inventors: 万振华, 徐瑞祝
Owner: 深圳市九州安域科技有限公司