Thesis record

Author (Chinese): 吳俊霖
Author (English): Wu, Chun-Lin
Title (Chinese): 一個用於檢測以DOM為基礎的跨網站腳本漏洞系統 (A System for Detecting DOM-Based Cross-Site Scripting Vulnerabilities)
Title (English): A Static Analysis System for Detecting DOM-Based XSS Posed on HTML5 Web Applications
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 曾文貴, 顏嵩銘
Committee members (English): Tzeng, Wen-Guey; Yen, Sung-Ming
Degree: Master's
University: National Tsing Hua University (國立清華大學)
Department: Institute of Information Systems and Applications (資訊系統與應用研究所)
Student ID: 104065529
Year of publication (ROC calendar): 106 (i.e. 2017)
Graduation academic year: 105
Language: English
Number of pages: 45
Keywords (Chinese): HTML5 web pages, cross-site scripting vulnerability, static detection, Document Object Model
Keywords (English): HTML5, XSS, Static-Analysis, DOM
Usage statistics: recommendations 0, views 923, rating none, downloads 11, bookmarks 0
Abstract (Chinese, translated):

As network technology advances, web pages have gained far more functionality than before; users can now do many things even through mobile web pages, such as buying goods on e-commerce sites, booking train tickets, and looking up locations. User privacy therefore matters more than ever: users cannot detect when an application collects their personal data, and while browsing, sensitive data such as account credentials and geographic location may be stolen by an attacker. In this thesis we introduce the new web technology HTML5. HTML5 is widely used in modern web pages; it moves much functionality that previously had to be implemented on the server to the client side. This makes web development more convenient for developers, but it can also give rise to serious DOM-based XSS attacks. In this thesis we list many DOM-based XSS attack methods that HTML5 can give rise to, and propose a detection system for checking whether HTML5 web pages are exposed to DOM-based XSS threats, in the hope of reducing the impact of DOM-based XSS attacks.
Abstract (English):

With the evolution of Internet technology, web applications offer more and more functions; users can even do many things via web applications on their smart phones, for example buying goods on e-commerce websites, booking train tickets, and searching for locations. As a result, user privacy is becoming more and more important: attackers may steal sensitive data while users type in their information, for instance stealing the user's account number and password or observing the user's location.
In this paper, we introduce a new web technology called HTML5. HTML5 is a commonly used technology in modern web applications. It moves a large number of functions that used to be implemented on the server side to the client side, which lets developers build web applications more easily. However, it may also suffer from new methods of DOM-Based XSS attacks. We list many HTML5 DOM-Based XSS vectors in this paper. In addition, we propose a system for detecting DOM-Based XSS posed on HTML5 web applications.
Table of contents:

Table of Contents - i
List of Figures - iii
List of Tables - v
Chapter 1 Introduction - 1
1.1 Motivation - 1
1.2 Our Contribution - 2
1.3 Organization - 2
Chapter 2 Background - 3
2.1 Cross-site Scripting Methods - 3
2.1.1 Reflected XSS - 3
2.1.2 Stored XSS - 4
2.1.3 DOM-Based XSS - 5
2.2 DOM (Document Object Model) - 5
2.3 HTML5 Techniques - 6
2.3.1 HTML5 Improvement - 6
2.3.2 HTML5 API - 7
Chapter 3 HTML5 DOM-Based XSS Vulnerabilities - 9
3.1 Event Attributes - 9
3.1.1 Window Events - 9
3.1.2 Form Events - 11
3.1.3 Drag Events - 12
3.1.4 Media Events - 13
3.1.5 Misc Events - 13
3.2 HTML5 APIs - 14
3.2.1 Geolocation - 15
3.2.2 Webstorage - 16
3.2.3 Postmessage - 17
3.2.4 Web SQL - 18
3.2.5 SVG (Scalable Vector Graphics) - 19
3.3 DOM Manipulation Methods - 20
3.3.1 Write raw HTML - 21
3.3.2 Directly modifying the DOM - 21
3.3.3 Redirect the document URL - 22
3.3.4 Opening and modifying a window - 23
3.3.5 Directly executing script - 24
3.4 HTML5 XSS Attack Vectors - 26
Chapter 4 Implementation - 28
4.1 Goal - 28
4.2 System Requirement - 29
4.3 Tools - 29
4.4 System Architecture - 30
4.5 Results - 32
Chapter 5 Mitigation - 37
5.1 X-XSS-Protection - 37
5.2 HSTS (HTTP Strict Transport Security) - 38
5.3 CSP (Content-Security-Policy) - 39
Chapter 6 Conclusions - 41
6.1 Conclusion - 41
References:

[1] OWASP: Cross site scripting. https://www.slideshare.net/m1ke/owasp-a3-xss.
[2] Soojin Yoon, JongHun Jung, and HwanKuk Kim. Attacks on web browsers with HTML5. In Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for, pages 193–197. IEEE, 2015.
[3] The HTML DOM. https://www.w3schools.com/js/js_htmldom.asp.
[4] HTML event attributes. https://www.w3schools.com/tags/ref_eventattributes.asp.
[5] HTML5 onresize event. https://www.w3schools.com/jsref/event_onresize.asp.
[6] HTML5 oninput event. https://www.w3schools.com/jsref/event_oninput.asp.
[7] HTML5 drag and drop API. https://www.w3schools.com/html/html5_draganddrop.asp.
[8] HTML5 oncanplay event. https://www.w3schools.com/jsref/event_oncanplay.asp.
[9] HTML5 ontoggle event. https://www.w3schools.com/jsref/event_ontoggle.asp.
[10] HTML5 geolocation API. https://www.w3schools.com/html/html5_geolocation.asp.
[11] HTML5 webstorage API. https://www.w3schools.com/html/html5_webstorage.asp.
[12] HTML5 postMessage API. http://xyz.cinc.biz/2014/05/html5-postmessage-text.html.
[13] HTML5 Web SQL XSS attack. http://www.andlabs.org/html5/csXSS1.html.
[14] SVG (Scalable Vector Graphics). https://www.w3schools.com/graphics/svg_intro.asp.
[15] Amit Klein. DOM based cross site scripting or XSS of the third kind. http://www.webappsec.org/projects/articles/071105.shtml, 2005.
[16] Prabhu Seshagiri, Anu Vazhayil, and Padmamala Sriram. AMA: Static code analysis of web page for the detection of malicious scripts. Procedia Computer Science, 93:768–773, 2016.
[17] Shukai Liu, Xuexiong Yan, Qingxian Wang, Xu Zhao, Chuansen Chai, and Yajing Sun. A protection mechanism against malicious HTML and JavaScript code in vulnerable web applications. Mathematical Problems in Engineering, 2016, 2016.
[18] npm (Node package manager). https://www.npmjs.com.
[19] The crawler module. https://www.npmjs.com/package/crawler.
[20] The yargs module. http://yargs.js.org.
[21] The express module. https://expressjs.com.
[22] Daniel Hedin and Andrei Sabelfeld. Web application security using JSFlow. In Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 2015 17th International Symposium on, pages 16–19. IEEE, 2015.
[23] W3Schools.com. https://www.w3schools.com.
[24] The X-XSS-Protection header. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection.
[25] HSTS (HTTP Strict-Transport-Security). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
[26] CSP (Content Security Policy). https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.