  • Degree thesis

Client-Side Input Validation as a Defense Mechanism against Cross-Site Scripting Attacks

Defense of Cross-Site Scripting in Client-Side Using Input Validation

Advisor: 留忠賢

Abstract


Cross-site scripting (XSS) exploits input-validation flaws introduced during web development to embed malicious code in the pages a site serves. When a user browses to an affected site, the malicious code is loaded into the client; once the user unwittingly clicks, it executes and steals the private information the user keeps in cookies, or implants trojans and backdoor programs, leading to leakage of confidential information or infection of the user's computer. To keep malicious code from being embedded in the server, most existing defenses attach a validation module to the server-side program to filter the content of input strings. This adds to the server program's workload and degrades its performance. This thesis proposes moving the input-validation mechanism against cross-site scripting from the server side to the client side, using a blacklist composed of regular expressions with the same filter patterns to validate and filter input at the client. The aim is to block malicious script from being embedded in the server, at the client side, without affecting the performance of the server-side program.

Abstract (English)


Cross-site scripting is an attack that exploits vulnerabilities of a web application to inject malicious code or commands into a web page. When a user visits the web page, the malicious code is downloaded to the user's computer. If the malicious code is executed, it may be used to steal the user's information or to inject trojan horses or other backdoor programs into the user's computer. To prevent such attacks, extra modules for input string validation at the server side are needed. This may increase the load on a server and thus degrade its performance. In this thesis, we perform input string validation at the client side, using the same regular-expression filter patterns. It should be able to prevent cross-site scripting attacks without degrading the performance of a server.
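The mechanism both abstracts describe, as an added example rather than code from the thesis: a client-side blacklist of regular expressions that is run over form fields before the browser submits them. The pattern list, the entity/URL decoding step, the `data-xss-check` form attribute and the function names are assumptions of this example, not the thesis's published filter set. The decoding step is included because a blacklist written for the decoded form of a payload is otherwise trivially bypassed by URL- or entity-encoding it; the closing comment states the caveat a practitioner would attach to any client-side check of this kind.

```javascript
// Added example (not the thesis's own code): a client-side regular-expression
// blacklist of the kind the abstract describes, plus the normalisation step and
// the server-side caveat a practitioner would want. Patterns are illustrative.

// Blacklist patterns: each entry is a regex plus a short label used in reports.
// These are assumed patterns, not the thesis's published filter set.
const XSS_BLACKLIST = [
  { name: "script-tag",       re: /<\s*\/?\s*script\b/i },
  { name: "event-handler",    re: /\bon[a-z]+\s*=/i },
  { name: "javascript-uri",   re: /javascript\s*:/i },
  { name: "vbscript-uri",     re: /vbscript\s*:/i },
  { name: "frame-or-object",  re: /<\s*(iframe|object|embed|svg)\b/i },
  { name: "style-expression", re: /expression\s*\(/i },
];

// Convert a numeric character reference to a string, ignoring out-of-range values.
function codePointToString(n) {
  return Number.isFinite(n) && n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Normalise the value before matching so that URL-encoded or HTML-entity-
// encoded payloads do not slip past patterns written for the decoded form.
// Decoding is repeated (bounded) until the value stops changing, which also
// catches double encoding such as %253Cscript%253E.
function normalize(value) {
  let current = String(value);
  for (let i = 0; i < 3; i++) {
    let next = current;
    try { next = decodeURIComponent(next); } catch (_) { /* not URL-encoded */ }
    next = next
      .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"')
      .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
      .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)));
    if (next === current) break;
    current = next;
  }
  return current;
}

// Validate one input value. Returns { ok, matched } where `matched` is the name
// of the first blacklist entry that fired, or null when the value is accepted.
function validateInput(value) {
  const text = normalize(value);
  for (const entry of XSS_BLACKLIST) {
    if (entry.re.test(text)) return { ok: false, matched: entry.name };
  }
  return { ok: true, matched: null };
}

// Validate every field of a form-like object { fieldName: value } and return
// the list of fields that failed, so the caller can refuse submission.
function validateForm(fields) {
  const failures = [];
  for (const [name, value] of Object.entries(fields)) {
    const result = validateInput(value);
    if (!result.ok) failures.push({ field: name, matched: result.matched });
  }
  return failures;
}

// Browser wiring: block the submit event when any field trips the blacklist.
// Guarded so the module also loads outside a browser (e.g. under node).
if (typeof document !== "undefined") {
  for (const form of document.querySelectorAll("form[data-xss-check]")) {
    form.addEventListener("submit", (event) => {
      const fields = Object.fromEntries(new FormData(form).entries());
      const failures = validateForm(fields);
      if (failures.length > 0) {
        event.preventDefault();
        alert("Rejected fields: " + failures.map((f) => f.field).join(", "));
      }
    });
  }
}

// Caveat: this code runs in the user's (possibly the attacker's) browser. It
// can be disabled, or skipped entirely by posting directly to the server, so
// the server must still validate input and encode output; the client-side
// check only saves the server work for requests from well-behaved browsers.
```

Running the file under node exercises `validateInput` and `validateForm` directly; in a page, any `<form data-xss-check>` gets the submit guard attached on load.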

