A method and system for mining cross-site scripting vulnerabilities in a cloud computing environment

Abstract

The invention discloses a cross-site scripting vulnerability mining method and system oriented to a cloud computing environment. In the invention, a web page crawling module first crawls super HTTP web pages; an HTML parsing module parses the captured web pages to obtain corresponding web pages. DOM structure tree, at the same time, the HTML parsing module will obtain the embedded URL link and call parameters; pass the URL and call parameters to the external JavaScript link extractor module, which can extract the corresponding external JS file set; the script extractor module It can extract the relevant script content in the HTTP response message; perform similarity detection between the script content and the script content retrieved from the URL link, and judge whether there is an XSS vulnerability by whether the similarity is detected. The present invention effectively avoids modifying the source code of browsers and Web application programs. The invention solves the problem that the Web application program deployed in the cloud computing environment is easily attacked by cross-site scripting, and improves the security.

Description

technical field [0001] The invention belongs to the technical field of cloud computing environment security, and relates to a script loophole mining method and system, in particular to a cloud environment-oriented cross-site script loophole mining method and system. Background technique [0002] Cloud computing uses convenient and ubiquitous Internet resources to distribute shared hardware resources and information to other users according to their needs. At present, many companies are committed to developing cloud computing technology and deploying application systems in the cloud environment. Because of its flexibility and low cost, it has become the most popular technology for deploying applications on the Internet. The three cloud computing service models used by users are described as follows: [0003] (1) Infrastructure as a Service (IaaS for short). IaaS aims to provide end users with physical or virtual resources such as processors, storage, network and other basi...

AI Technical Summary

Problems solved by technology

Therefore, it leads to a non-persistent XSS attack

[0011] Traditional cross-site scripting attack detection methods cannot be directly applied in the cloud environment. The main reasons are: 1. Users choose the browser they use according to their own preferences, and forcing users to use a specific browser is not in the user's own interests.

2. The cloud environment provides corresponding security guarantees for the application system, and cannot modify the application program or browse the source code of the application program at will

At the same time, some traditional methods only focus on one language, such as JSP, PHP or ASP

Therefore, the solution of modifying the browser and application source code is not feasible in the cloud environment

Images