基于渗透测试的XSS漏洞检测方法
首发时间:2018-01-03
摘要:Web漏洞以对大多数网站产生严重威胁。其中跨站脚本XSS(Cross-site Scripting)漏洞是对用户及网站损害较重的漏洞之一。针对现有动态检测XSS漏洞方法效率上的不足,提出一种改进的渗透测试检测方法,通过构造网页预处理模块,利用探子算法筛选掉不存在XSS漏洞的页面,同时提取注入点以及注入点所在的最小对象,根据注入点的最小对象分类生成相应的攻击向量并分开存储,避免无效攻击向量的测试。另外,在URL参数检测XSS的模块,增加伪静态页面检测XSS,以减少漏报率。在此基础上,利用爬虫程序设计实现了该检测系统,实验结果表明,所提的检测系统在提高检测网页XSS漏洞效率上很有效。
For information in English, please click here
XSS vulnerability detection based on penetration testing
Abstract:Web vulnerabilities have posed a serious threat to most websites. Cross-site Scripting (XSS) vulnerability is one of the most important vulnerabilities to users and websites. In order to overcome the shortcomings of the existing XSS vulnerability detection methods, this paper proposes an improved penetration testing method. By constructing a webpage preprocessing module, the XSS vulnerability filtering page is filtered out by using the probe algorithm. At the same time, the injection points and the injection points are extracted According to the minimum object classification of injection point, the corresponding attack vector is generated and stored separately to avoid the test of invalid attack vectors. In addition, the XSS module for detecting URL parameters adds pseudo-static page detection XSS to reduce the false negative rate. On this basis, the detection system is realized by using reptile program design. The experimental results show that the proposed detection system is effective in improving the efficiency of detecting XSS vulnerabilities.
Keywords: XSS detection dynamic vulnerability detection web crawler web security
引用
No.****
同行评议
共计0人参与
勘误表
基于渗透测试的XSS漏洞检测方法
评论
全部评论0/1000