WO2015067114A1 - 基于文档对象模型的跨站脚本攻击漏洞检测方法、装置、终端及介质 - Google Patents
基于文档对象模型的跨站脚本攻击漏洞检测方法、装置、终端及介质 Download PDFInfo
- Publication number
- WO2015067114A1 WO2015067114A1 PCT/CN2014/088283 CN2014088283W WO2015067114A1 WO 2015067114 A1 WO2015067114 A1 WO 2015067114A1 CN 2014088283 W CN2014088283 W CN 2014088283W WO 2015067114 A1 WO2015067114 A1 WO 2015067114A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- parameter value
- object model
- document object
- webpage
- value pair
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2119—Authenticating web pages, e.g. with suspicious links
Definitions
- the present invention relates to the field of network technologies, and in particular, to a Document Object Model (DOM)-based Cross Site Script (XSS) vulnerability detection method and apparatus, and a terminal.
- DOM Document Object Model
- XSS Cross Site Script
- the XSS vulnerability is the most common vulnerability in the Internet today. It can be triggered by various browsers such as IE, Chrome, FireFox, etc., and the damage is very huge.
- XSS is a malicious attacker who adds malicious code to a web page and entice a user to access it.
- malicious code is executed on the user's machine, causing the malicious attacker to steal user information, or at the user.
- the machine is attacked by a horse and remotely gains control of the user's machine.
- Ordinary reflective XSS has obvious echo features in the return page source code, which is relatively easy to detect.
- DOM XSS occurs when the browser executes JavaScript (JS) code and changes the page DOM tree. The malicious code is not echoed back to the page source.
- JS JavaScript
- an embodiment of the present invention provides a method, device, and terminal for detecting a cross-site scripting vulnerability based on a document object model.
- a method for detecting a cross-site scripting vulnerability based on a document object model includes:
- the feature script is a malicious code that contains malicious characters and can be uniquely identified in a document object model tree of the webpage;
- a document object model based cross-site scripting vulnerability detection apparatus comprising:
- An obtaining module configured to obtain a set of parameter value pairs in an original web address of the webpage, where the parameter value pair includes at least one parameter value pair in the set;
- a replacement module configured to replace a parameter value in the parameter value pair with a feature script to form a test URL of the webpage;
- the feature script is a malicious character and can be uniquely identified in a document object model tree of the webpage Malicious code;
- the obtaining module is further configured to obtain a page content corresponding to the test URL;
- a conversion module configured to convert the page content into a document object model tree
- a detecting module configured to detect, according to the document object model tree and the feature script, whether the cross-site scripting vulnerability exists in the parameter value pair.
- a terminal wherein the terminal object is provided with a cross-site scripting vulnerability detecting apparatus based on a document object model as described above.
- Still another aspect provides a non-transitory computer readable storage medium having stored thereon computer executable instructions for executing the above-described document object model based cross-site scripting vulnerability when running the executable instructions in a computer Detection method.
- the DOM XSS vulnerability can be effectively discovered, which greatly improves the vulnerability discovery capability and detection efficiency.
- FIG. 1 is a flowchart of a DOM XSS vulnerability detection method according to an embodiment of the present invention.
- FIG. 2 is a flowchart of a DOM XSS vulnerability detection method according to another embodiment of the present invention.
- FIG. 3 is a diagram showing an example of detection results of a DOM XSS vulnerability detection scheme according to an embodiment of the present invention.
- FIG. 4 is a schematic structural diagram of a DOM XSS vulnerability detecting apparatus according to an embodiment of the present invention.
- FIG. 5 is a schematic structural diagram of a DOM XSS vulnerability detecting apparatus according to another embodiment of the present invention.
- FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
- FIG. 1 is a flowchart of a DOM XSS vulnerability detection method according to an embodiment of the present invention.
- the Document Object Model (DOM)-based Cross Site Script (XSS) vulnerability detection method in this embodiment is simply referred to as the DOM XSS vulnerability detection method.
- the DOM XSS vulnerability detection method in this embodiment may include the following steps.
- the parameter value pair set of the embodiment includes at least one parameter value pair.
- the webpage is a webpage that may have an XSS, and may be, for example, a Common Gateway Interface (CGI) with parameters, or a static page without parameters.
- CGI Common Gateway Interface
- the user can control the input place in the webpage corresponding to the webpage as a parameter value pair in the webpage, that is, a target point to be detected.
- the parameter value pairs can be a.html#XXX and a.html? XXX.
- the feature script of this embodiment is malicious code that contains malicious characters and can be uniquely identified in the DOM tree of the web page.
- the feature script can also be referred to as a JS feature script.
- the malicious characters may be malicious characters obtained according to the existing XSS vulnerability detection scheme, such as characters ⁇ , characters>, characters ", characters", characters ', characters', and characters/etc.
- the above parameter pair XXX represents a parameter value that needs to be replaced with a feature script.
- each feature script needs sequential independent detection. Obviously, the more feature scripts, the stronger the vulnerability discovery capability, but the slower the overall detection efficiency, the strict control of the number of feature scripts while ensuring sufficient discovery capability to ensure detection efficiency.
- a feature script is taken as an example to describe the technical solution of the present invention. For each feature script, a similar scheme may be used for detection, and details are not described herein again.
- a parameter script may be substituted for the parameter value for each parameter value pair in the set of parameter value pairs to form a test URL for the web page.
- the scripts are tested one by one to ensure the efficiency of the test.
- the feature script of the embodiment of the present invention may be preset according to experience.
- the page content corresponding to the test URL can be obtained from the web server of the test URL.
- the page content in this embodiment refers to all the information included in the webpage corresponding to the web address, and may include text, pictures, and the like.
- the content of the page corresponding to the test URL refers to all the information included in the webpage corresponding to the test URL.
- the DOM tree is a tree representation of the data and structure on the page in the page content
- the page Content is the representation of data and structure in the DOM tree.
- the DOM tree and page content are two representations of data and structure. According to the corresponding relationship between the two, they can be converted to each other. For example, in the specific conversion, all the tag nodes in the source code of the webpage content may be displayed according to the parent-child relationship between the nodes, and the DOM tree structure of the content of the page is obtained.
- the execution body of the DOM XSS vulnerability detection method in this embodiment is a DOM XSS vulnerability detection device, which may be specifically obtained through software integration, for example, may be a software integration tool.
- the inserted feature script can be found only in the converted DOM tree, and the DOM XSS vulnerability can be effectively discovered without triggering the execution of the feature script, thereby greatly improving the vulnerability discovery.
- Ability and efficiency of detection by using the above solution, the inserted feature script can be found only in the converted DOM tree, and the DOM XSS vulnerability can be effectively discovered without triggering the execution of the feature script, thereby greatly improving the vulnerability discovery.
- Ability and efficiency of detection can be used in the converted DOM tree.
- the step 104 “detecting whether the parameter value pair has an XSS vulnerability according to the DOM tree and the feature script” may include: determining whether a feature script is included in the DOM tree, When included, it is determined that the parameter value pair has an XSS vulnerability; when not included, it is determined that the parameter value pair does not have an XSS vulnerability.
- the step 102 “acquiring the page content corresponding to the test website” includes: requesting, by the website server of the test website, the page content corresponding to the test website; and receiving the website of the test website. The page content of the server response.
- the method may further include the step of: receiving the original webpage input by the user through the human interface module.
- URL a human machine interface module can be set on the DOM XSS vulnerability detecting device, and the human interface module is configured to receive the original web address of the webpage input by the user.
- the method may further include: when the feature script is not included in the document object model tree, triggering a button in the execution webpage, and in response to the button being triggered, updating the location Determining, according to the updated document object model tree and the feature script, whether the parameter value pair has a cross-site scripting vulnerability, until all buttons in the webpage are triggered and no vulnerability is detected. There is no vulnerability in this page, otherwise there will be a vulnerability in the page if there is a vulnerability in the page after a button is triggered. This can be triggered for some of the more complex DOM XSS vulnerabilities, such as partial DOM XSS vulnerabilities that need to be clicked on a button on the returned page.
- the solution of the present invention can still be solved, and the DOM XSS vulnerability detection range of the technical solution of the present invention is further expanded.
- the technical solution of the foregoing embodiment only needs to find the inserted feature script in the converted DOM tree, and the feature script can be triggered to execute to effectively discover the DOM XSS vulnerability, thereby greatly improving the vulnerability discovery capability and the detection efficiency.
- the technical solution of the above embodiment can also detect, further expand the detection range of the DOM XSS vulnerability, and improve the vulnerability discovery capability.
- the technical solution of the above embodiment can not only detect the DOM XSS vulnerability, but also effectively detect the common anti- The XSS vulnerability is very applicable.
- FIG. 2 is a flowchart of a DOM XSS vulnerability detection method according to another embodiment of the present invention.
- the DOM XSS vulnerability detection method of this embodiment is based on the technical solutions of the embodiment shown in FIG. 1 and its optional embodiments, and the technical solution of the present invention is introduced in more detail.
- the DOM XSS vulnerability detection method in this embodiment may specifically include the following steps:
- the DOM XSS vulnerability detecting device receives the original web address of the webpage input by the user through the human interface module; performing step 201;
- the human interface module of this embodiment may be a touch screen or a keyboard or the like.
- the original URL of the webpage can be input through its touch screen.
- the DOM XSS vulnerability detection device has a keyboard
- the original URL of the web page can be entered via the keyboard.
- DOM XSS vulnerability detection device parses the original URL of the webpage, and obtains a set of parameter value pairs in the original webpage of the webpage; step 202;
- the DOM XSS vulnerability detection device analyzes the original URL of the webpage, extracts all pairs of parameter values included therein, and extracts all pairs of parameter values to form a set of parameter value pairs.
- the DOM XSS vulnerability detecting device determines whether there is a pair of parameter values to be detected; when yes, step 203 is performed; otherwise, when not present, the DOM XSS vulnerability detection ends;
- the DOM XSS vulnerability detection device can specifically determine whether the set of parameter values is an empty set. When the set is empty, there is no pair of parameter values to be detected, and the DOM XSS vulnerability detection ends. When the parameter value pair is a non-empty set, step 203 can be performed at this time to continue the detection.
- DOM XSS vulnerability detection device determines the current parameter value pair to be detected; performing step 204;
- the test may be performed one by one according to the order of each parameter value in the original URL of the web page.
- First test When trying, obtain the first parameter value pair in the original URL of the webpage, and then select one by one according to the order of each parameter value pair. When it does not exist, the parameter value pair in the original URL of the web page is tested for each parameter value pair in the set, and the corresponding DOM XSS vulnerability detection ends.
- DOM XSS vulnerability detection device uses a feature script to replace the parameter value, forming a test URL of the web page; performing step 205;
- the feature script is a malicious code that contains a malicious character and can be uniquely identified in the DOM tree of the webpage.
- the feature script can also be referred to as a JS feature script. For details, refer to the description of the related embodiments, and details are not described herein.
- the DOM XSS vulnerability detection device requests the website content corresponding to the test URL from the website server of the test website; and step 206 is performed;
- the DOM XSS vulnerability detection device Since the page content of the URL is stored in the server of the website, when the DOM XSS vulnerability detection device wants to obtain the content of the page, it needs to request the content of the page corresponding to the test URL from the website server of the test URL.
- the DOM XSS vulnerability detection device receives the page content of the web server response of the test website; performing step 207;
- the web server of the test URL When the web server of the test URL receives a request from the DOM XSS vulnerability detection device, it returns a page content response to the DOM XSS vulnerability detection device. Corresponding to the content of the page received by the DOM XSS vulnerability detection device on the DOM XSS vulnerability detection device side.
- DOM XSS vulnerability detection device converts the page content into a DOM tree; step 208;
- the DOM XSS vulnerability detection device After receiving the content of the page, the DOM XSS vulnerability detection device converts the data and structure on the page in the page content into a corresponding DOM tree. For example, in the specific conversion, all the tag nodes in the source code of the webpage content may be displayed according to the parent-child relationship between the nodes, and the DOM tree structure of the content of the page is obtained.
- the DOM XSS vulnerability detecting device determines whether a feature script is included in the DOM tree. When included, step 209 is performed; otherwise step 210 is performed;
- the DOM XSS vulnerability detection device detects all the information of the DOM tree and determines whether the feature script is included in the DOM tree.
- the DOM XSS vulnerability detecting apparatus determines that the parameter value pair has an XSS vulnerability; and step 202 is performed;
- the DOM XSS vulnerability detection device detects all the information of the DOM tree and determines that the feature script is included in the DOM tree, it is determined that the parameter value pair has an XSS vulnerability.
- the DOM XSS vulnerability detecting apparatus determines that the parameter value pair does not have an XSS vulnerability; and performs step 202.
- the DOM XSS vulnerability detection device detects all the information of the DOM tree and determines that the feature script is not included in the DOM tree, it is determined that the parameter value pair does not have an XSS vulnerability. At this point, the next parameter value pair can be detected in a similar manner as described above.
- a feature script is still taken as an example for description.
- multiple feature scripts may be preset, and each parameter value pair is detected by using multiple feature scripts.
- each parameter value pair is detected by using multiple feature scripts.
- step 208 "DOM XSS vulnerability detection device determines that the DOM tree does not include feature scripts" Then, before step 210, the DOM XSS vulnerability detection device triggers the execution of the button in the webpage, and then returns to steps 205-208. If the button is triggered, the DOM XSS vulnerability detection device also determines that the feature script is still not included in the DOM tree. The XSS vulnerability detection device triggers the next button in the execution webpage until all the buttons are triggered, and the feature script is not included in the DOM tree. 210.
- the DOM XSS vulnerability detection device determines that the parameter value pair does not have an XSS vulnerability.
- the technical solution of the embodiment only needs to find the inserted feature script in the converted DOM tree, and the feature script can be triggered to execute to effectively discover the DOM XSS vulnerability, thereby greatly improving the vulnerability discovery capability and the detection efficiency.
- the technical solution of the above embodiment can also detect, further expand the detection range of the DOM XSS vulnerability, and improve the vulnerability discovery capability.
- the technical solution of the above embodiment can not only detect the DOM XSS vulnerability, but also effectively detect the common reflective XSS vulnerability, and the applicability is very strong.
- FIG. 3 is a diagram showing an example of detection results of a DOM XSS vulnerability detection scheme according to an embodiment of the present invention. As shown in FIG.
- FIG. 4 is a schematic structural diagram of a DOM XSS vulnerability detecting apparatus according to an embodiment of the present invention.
- the DOM XSS vulnerability detection apparatus of this embodiment may specifically include an acquisition module 10, a replacement module 11, a conversion module 12, and a detection module 13.
- the obtaining module 10 is configured to obtain a set of parameter value pairs in the original webpage of the webpage, and the parameter value pair set includes at least one parameter value pair; the replacing module 11 is connected to the obtaining module 10, and the replacing module 11 is used to acquire the acquiring module 10.
- the parameter value pairs the parameter value pairs in the set, and the feature script replaces the parameter values to form a test URL of the webpage;
- the feature script is a malicious code that contains malicious characters and can be uniquely identified in the DOM tree of the webpage;
- the obtaining module 10 is also used for Get replacement
- the module 11 replaces the page content corresponding to the obtained test URL;
- the conversion module 12 is connected to the acquisition module 10, and the conversion module 12 is configured to convert the page content acquired by the acquisition module 10 into a DOM tree;
- the detection module 13 is connected to the conversion module 12, and detects The module 13 is configured to detect, according to the DOM tree and the feature script converted by the conversion module 12, whether the parameter value pair has an XSS vulnerability.
- the feature script can be pre-set.
- the DOM XSS vulnerability detection device of the present embodiment is the same as the implementation mechanism of the foregoing method embodiment by using the above-mentioned module to implement the DOM XSS vulnerability.
- the DOM XSS vulnerability detection device of the present embodiment is the same as the implementation mechanism of the foregoing method embodiment by using the above-mentioned module to implement the DOM XSS vulnerability.
- the DOM XSS vulnerability detecting apparatus of this embodiment can find the inserted feature script only in the converted DOM tree by using the above module, and can effectively discover the DOM XSS vulnerability by triggering the execution of the feature script, thereby greatly improving the vulnerability discovery.
- FIG. 5 is a schematic structural diagram of a DOM XSS vulnerability detecting apparatus according to another embodiment of the present invention. As shown in FIG. 5, the embodiment further includes the following optional technical solutions on the basis of the foregoing embodiment shown in FIG.
- the detecting module 13 in the DOM XSS vulnerability detecting apparatus of the embodiment is specifically configured to determine whether a feature script is included in the DOM tree, and when included, determining that the parameter value pair has an XSS vulnerability; when not included , determining that the parameter value pair does not have an XSS vulnerability.
- the obtaining module 10 in the DOM XSS vulnerability detecting apparatus of the embodiment is specifically configured to request the website server 20 of the test website to request the page content corresponding to the test website; and receive the website server 20 of the test website. The content of the page in response.
- the website server 20 interacting with the acquisition module 10 is also shown.
- the website server is a server of a website, and the website server 20 stores the page content of all the web pages under the website, and is in other When a device or module requests a page content from it, it responds to the requested device or module with the requested page content.
- the website server 20 receives the request for obtaining the page content corresponding to the test URL sent by the module 10, the page content corresponding to the test URL is obtained, and the acquisition module is obtained. 10: Send a response to send the page content corresponding to the test URL to the obtaining module 10.
- the DOM XSS vulnerability detecting apparatus of this embodiment may further include a receiving module 14.
- the receiving module 14 is configured to receive an original web address of a webpage input by a user through a human interface module.
- the corresponding obtaining module 10 is connected to the receiving module 14 , and the obtaining module 10 is configured to obtain a set of parameter value pairs in the original web address of the webpage received by the receiving module 14 .
- the DOM XSS vulnerability detecting apparatus of this embodiment may further include an engine triggering module 15, which is an alternate auxiliary module of the embodiment of the present invention.
- an engine triggering module 15 For some DOM XSS vulnerabilities, a button needs to be clicked to trigger. At this time, the DOM XSS vulnerability of the feature script cannot be found in the DOM tree generated by the initial return page, and the detection module 13 detects that the document object model tree does not include the feature script.
- the engine triggering module 15 triggers the execution of the button in the webpage, so that the DOM XSS vulnerability is triggered.
- the acquiring module 10 acquires the page content corresponding to the test URL that has been triggered by the engine triggering module 15.
- the acquisition module 10 is therefore also connected to the engine trigger module 15.
- the obtaining module 10 obtains the page content corresponding to the obtained test URL replaced by the replacement module 11;
- the conversion module 12 converts the page content obtained by the obtaining module 10 into a DOM tree; and the DOM converted by the detecting module 13 according to the conversion module 12
- the tree and feature scripts detect if there is an XSS vulnerability in the parameter value pair. If the button is triggered, the detecting module 13 further determines that the feature script is still not included in the DOM tree. At this time, the engine triggering module 15 triggers the execution of the next button in the webpage until all the buttons are triggered, and the detecting module 13 detects the DOM tree.
- the technical solution of the embodiment of the present invention can also detect and further improve the vulnerability discovery capability for some more complex DOM XSS vulnerabilities.
- the DOM XSS vulnerability detecting apparatus of this embodiment implements DOM by adopting the above module
- the detection of the XSS vulnerability is the same as that of the foregoing method embodiment.
- the DOM XSS vulnerability detecting apparatus of this embodiment only needs to find the inserted feature script in the converted DOM tree by using the above module, and can effectively discover the DOM XSS vulnerability by triggering the execution of the feature script, thereby greatly improving the vulnerability discovery capability. And detection efficiency.
- the technical solution of the above embodiment can also detect, further expand the detection range of the DOM XSS vulnerability, and improve the vulnerability discovery capability.
- the technical solution of the above embodiment can not only detect the DOM XSS vulnerability, but also effectively detect the common reflective XSS vulnerability, and the applicability is very strong.
- the DOM XSS vulnerability detecting apparatus of this embodiment may be specifically disposed on the browser client side and used as an engine device of the browser. It can also be set in a terminal to perform its functions separately.
- FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
- the terminal can be used to implement the DOM XSS vulnerability detection method provided in the foregoing embodiment.
- the terminal device 800 can include a communication unit 110, a memory 120 including one or more computer readable storage media, an input unit 130, a display unit 140, a sensor 150, an audio circuit 160, a WiFi (wireless fidelity) module 170.
- a processor 180 having one or more processing cores, and a power supply 190 and the like are included. It will be understood by those skilled in the art that the terminal device structure shown in FIG. 6 does not constitute a limitation of the terminal device, and may include more or less components than those illustrated, or a combination of certain components, or different component arrangements. among them:
- the communication unit 110 can be used for transmitting and receiving information and receiving and transmitting signals during a call.
- the communication unit 110 can be an RF (Radio Frequency) circuit, a router, a modem, or the like.
- RF circuits as communication units include, but are not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, and a LNA (Low Noise Amplifier, low). Noise amplifier), duplexer, etc.
- SIM Subscriber Identity Module
- the communication unit 110 can also communicate with the network and other devices through wireless communication.
- the wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access). , Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
- the memory 120 can be used to store software programs and modules, and the processor 180 executes various functional applications and data processing by running software programs and modules stored in the memory 120.
- the memory 120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may be stored according to The data created by the use of the terminal device 800 (such as audio data, phone book, etc.) and the like.
- memory 120 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 120 may also include a memory controller to provide access to memory 120 by processor 180 and input unit 130.
- the input unit 130 can be configured to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
- input unit 130 can include touch-sensitive surface 131 as well as other input devices 132.
- Touch-sensitive surface 131 also referred to as a touch display or trackpad, can collect touch operations on or near the user (such as a user using a finger, stylus, etc., on any suitable object or accessory on touch-sensitive surface 131 or The operation near the touch-sensitive surface 131), and driving the corresponding connection according to a preset program Set.
- the touch-sensitive surface 131 can include two portions of a touch detection device and a touch controller.
- the touch detection device detects the touch orientation of the user, and detects a signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts the touch information into contact coordinates, and sends the touch information.
- the processor 180 is provided and can receive commands from the processor 180 and execute them.
- the touch-sensitive surface 131 can be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves.
- the input unit 130 can also include other input devices 132.
- other input devices 132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
- the display unit 140 can be used to display information input by the user or information provided to the user and various graphical user interfaces of the terminal device 800, which can be composed of graphics, text, icons, video, and any combination thereof.
- the display unit 140 may include a display panel 141.
- the display panel 141 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
- the touch-sensitive surface 131 may cover the display panel 141, and when the touch-sensitive surface 131 detects a touch operation thereon or nearby, it is transmitted to the processor 180 to determine the type of the touch event, and then the processor 180 according to the touch event The type provides a corresponding visual output on display panel 141.
- touch-sensitive surface 131 and display panel 141 are implemented as two separate components to implement input and input functions, in some embodiments, touch-sensitive surface 131 can be integrated with display panel 141 for input. And output function.
- Terminal device 800 may also include at least one type of sensor 150, such as a light sensor, motion sensor, and other sensors.
- the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 141 according to the brightness of the ambient light, and the proximity sensor may close the display panel 141 when the terminal device 800 moves to the ear. And / or backlight.
- the gravity acceleration sensor can detect in all directions (a Generally, it is the size of the three-axis acceleration. When it is still, it can detect the magnitude and direction of gravity. It can be used to identify the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer attitude calibration), vibration recognition related functions (such as step counting).
- Others such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor, and the like, which are also configurable by the terminal device 800, will not be described herein.
- the audio circuit 160, the speaker 161, and the microphone 162 can provide an audio interface between the user and the terminal device 800.
- the audio circuit 160 can transmit the converted electrical data of the received audio data to the speaker 161 for conversion to the sound signal output by the speaker 161; on the other hand, the microphone 162 converts the collected sound signal into an electrical signal by the audio circuit 160. After receiving, it is converted into audio data, and then processed by the audio data output processor 180, transmitted to the terminal device such as another terminal device via the RF circuit 110, or outputted to the memory 120 for further processing.
- the audio circuit 160 may also include an earbud jack to provide communication of the peripheral earphones with the terminal device 800.
- the terminal device may be configured with a wireless communication unit 170, which may be a WiFi module.
- WiFi is a short-range wireless transmission technology
- the terminal device 800 can help a user to send and receive emails, browse web pages, and access streaming media through the wireless communication unit 170, which provides wireless broadband Internet access for users.
- FIG. 6 shows the wireless communication unit 170, it can be understood that it does not belong to the essential configuration of the terminal device 800, and may be omitted as needed within the scope of not changing the essence of the invention.
- the processor 180 is the control center of the terminal device 800, which connects various portions of the entire handset using various interfaces and lines, by running or executing software programs and/or modules stored in the memory 120, and recalling data stored in the memory 120.
- the various functions and processing data of the terminal device 800 are executed to perform overall monitoring of the mobile phone.
- the processor 180 may include one or more processing cores; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application, and the like.
- the modem processor primarily handles wireless communications. It can be understood that the above modulation and demodulation processor It may also not be integrated into the processor 180.
- the terminal device 800 further includes a power source 190 (such as a battery) for supplying power to the various components.
- a power source 190 such as a battery
- the power source can be logically connected to the processor 180 through the power management system to manage functions such as charging, discharging, and power management through the power management system.
- Power supply 190 may also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
- the terminal device 800 may further include a camera, a Bluetooth module, and the like, and details are not described herein again.
- the display unit of the terminal device is a touch screen display
- the terminal device further includes a memory, and one or more programs, wherein one or more programs are stored in the memory and configured to be one or one
- the above processor executing the one or more programs includes instructions for: acquiring a set of parameter value pairs in an original web address of the web page, the parameter value pair including at least one parameter value pair in the set; replacing the feature script with a feature script
- the parameter value in the pair of parameter values forms a test URL of the webpage;
- the feature script is a malicious code that contains a malicious character and can be uniquely identified in a document object model tree of the webpage; and the test URL is obtained Corresponding page content; converting the page content into a profile object model tree; detecting, according to the document object model tree and the feature script, whether there is a cross-site scripting vulnerability.
- the memory is further configured to: store whether the feature script is included in the document object model tree, and when included, determine that the parameter value pair has a cross-site scripting vulnerability; when not included, Determine that there is no cross-site scripting vulnerability in the parameter value pair.
- the memory is further configured to: store, by the website server of the test website, the page content corresponding to the test website; and receive the page content of the website server response of the test website.
- the memory is further configured to store an instruction to receive an original web address of the webpage input by the user through the human interface module.
- the memory is further configured to: when the feature script is not included in the document object model tree, trigger a button in the webpage; acquire a page content corresponding to the test URL; The page content is converted into a document object model tree; and the parameter value pair is detected according to the document object model tree and the feature script to detect whether there is a cross-site scripting vulnerability.
- the DOM XSS vulnerability detection device only exemplifies the division of each functional module when the DOM XSS vulnerability detection service is triggered.
- the foregoing functions may be allocated differently according to requirements.
- the functional module is completed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
- the DOM XSS vulnerability detection device provided by the foregoing embodiment is the same as the DOM XSS vulnerability detection method embodiment, and the specific implementation process is described in detail in the method embodiment, and details are not described herein again.
- a person skilled in the art may understand that all or part of the steps of implementing the above embodiments may be completed by hardware, or may be instructed by a program to execute related hardware, and the program may be stored in a computer readable storage medium.
- the storage medium mentioned may be a read only memory, a magnetic disk or an optical disk or the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Information Transfer Between Computers (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Claims (12)
- 一种基于文档对象模型的跨站脚本攻击漏洞检测方法,所述方法包括:获取网页的原始网址中的参数值对集合,所述参数值对集合中包括至少一个参数值对;采用特征脚本替换所述参数值对中的参数值,形成所述网页的测试网址,所述特征脚本为包含有恶意字符且能在所述网页的文档对象模型树中唯一标识的恶意代码;获取所述测试网址对应的页面内容;将所述页面内容转化为文档对象模型树;根据所述文档对象模型树和所述特征脚本检测所述参数值对是否存在跨站脚本攻击漏洞。
- 根据权利要求1所述的方法,根据所述文档对象模型树和所述特征脚本检测所述参数值对是否存在跨站脚本攻击漏洞,包括:判断所述文档对象模型树中是否包括所述特征脚本,当包括时,确定所述参数值对存在跨站脚本攻击漏洞;当不包括时,确定所述参数值对不存在跨站脚本攻击漏洞。
- 根据权利要求1所述的方法,获取所述测试网址对应的页面内容,包括:向所述测试网址的网站服务器请求所述测试网址对应的页面内容;接收所述测试网址的网站服务器响应的所述页面内容。
- 根据权利要求1-3任一所述的方法,还包括:接收用户通过人机接口模块输入的所述网页的所述原始网址。
- 根据权利要求2所述的方法,所述方法还包括:当所述文档对象模型树中不包括所述特征脚本时,触发所述网页中的按钮;响应于所述按钮被触发,更新所述文档对象模型树;根据所述更新的文档对象模型树和所述特征脚本检测所述参数值对是否存在跨站脚本攻击漏洞。
- 一种基于文档对象模型的跨站脚本攻击漏洞检测装置,所述装置包括:获取模块,用于获取网页的原始网址中的参数值对集合,所述参数值对集合中包括至少一个参数值对;替换模块,用于采用特征脚本替换所述参数值对中的参数值,形成所述网页的测试网址,所述特征脚本为包含有恶意字符且能在所述网页的文档对象模型树中唯一标识的恶意代码;所述获取模块,还用于获取所述测试网址对应的页面内容;转化模块,用于将所述页面内容转化为文档对象模型树;检测模块,用于根据所述文档对象模型树和所述特征脚本检测所述参数值对是否存在跨站脚本攻击漏洞。
- 根据权利要求6所述的装置,所述检测模块,还用于判断所述文档对象模型树中是否包括所述特征脚本,当包括时,确定所述参数值对存在跨站脚本攻击漏洞;当不包括时,确定所述参数值对不存在跨站脚本攻击 漏洞。
- 根据权利要求6所述的装置,所述获取模块还用于向所述测试网址的网站服务器请求所述测试网址对应的页面内容;并接收所述测试网址的网站服务器响应的所述页面内容。
- 根据权利要求6-8任一所述的装置,所述装置还包括:接收模块,用于接收用户通过人机接口模块输入的所述网页的原始网址。
- 根据权利要求6-8任一所述的装置,所述装置还包括:引擎触发模块,用于当所述文档对象模型树中不包括所述特征脚本时,触发所述网页中的按钮;以及更新模块,用于响应于所述按钮被触发,更新所述文档对象模型树。
- 一种终端,所述终端上设置有如上权利要求6-10任一所述的基于文档对象模型的跨站脚本攻击漏洞检测装置。
- 一种非瞬时性的计算机可读存储介质,其上存储有计算机可执行指令,当计算机中运行这些可执行指令时,执行如下步骤:获取网页的原始网址中的参数值对集合,所述参数值对集合中包括至少一个参数值对;采用特征脚本替换所述参数值对中的参数值,形成所述网页的测试网址,所述特征脚本为包含有恶意字符且能在所述网页的文档对象模型树中唯一标识的恶意代码;获取所述测试网址对应的页面内容;将所述页面内容转化为文档对象模型树;根据所述文档对象模型树和所述特征脚本检测所述参数值对是否存在跨站脚本攻击漏洞。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/034,363 US9754113B2 (en) | 2013-11-08 | 2014-10-10 | Method, apparatus, terminal and media for detecting document object model-based cross-site scripting attack vulnerability |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310554402.1 | 2013-11-08 | ||
CN201310554402.1A CN104636664B (zh) | 2013-11-08 | 2013-11-08 | 基于文档对象模型的跨站脚本攻击漏洞检测方法及装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015067114A1 true WO2015067114A1 (zh) | 2015-05-14 |
Family
ID=53040883
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/088283 WO2015067114A1 (zh) | 2013-11-08 | 2014-10-10 | 基于文档对象模型的跨站脚本攻击漏洞检测方法、装置、终端及介质 |
Country Status (3)
Country | Link |
---|---|
US (1) | US9754113B2 (zh) |
CN (1) | CN104636664B (zh) |
WO (1) | WO2015067114A1 (zh) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105279215A (zh) * | 2014-06-10 | 2016-01-27 | 中兴通讯股份有限公司 | 资源的下载方法及装置 |
CN107454041B (zh) * | 2016-05-31 | 2020-06-02 | 阿里巴巴集团控股有限公司 | 防止服务器被攻击的方法及装置 |
CN108073828B (zh) * | 2016-11-16 | 2022-02-18 | 阿里巴巴集团控股有限公司 | 一种网页防篡改方法、装置及*** |
CN108881101B (zh) * | 2017-05-08 | 2021-06-15 | 腾讯科技(深圳)有限公司 | 一种基于文档对象模型的跨站脚本漏洞防御方法、装置以及客户端 |
CN109768945A (zh) * | 2017-11-09 | 2019-05-17 | 国网青海省电力公司电力科学研究院 | 一种任意文件下载漏洞的检测装置及发现方法 |
CN107832622B (zh) * | 2017-12-08 | 2019-03-12 | 平安科技(深圳)有限公司 | 漏洞检测方法、装置、计算机设备及存储介质 |
CN108616526A (zh) * | 2018-04-16 | 2018-10-02 | 贵州大学 | 一种检测Web页面中的XSS漏洞的检测方法 |
CN110874475A (zh) * | 2018-08-30 | 2020-03-10 | 重庆小雨点小额贷款有限公司 | 漏洞挖掘方法、漏洞挖掘平台及计算机可读存储介质 |
CN109450844B (zh) * | 2018-09-18 | 2022-05-10 | 华为云计算技术有限公司 | 触发漏洞检测的方法及装置 |
CN109657469B (zh) * | 2018-12-07 | 2023-02-24 | 腾讯科技(深圳)有限公司 | 一种脚本检测方法及装置 |
CN114153729A (zh) * | 2021-11-30 | 2022-03-08 | 北京达佳互联信息技术有限公司 | 网页测试方法、装置、电子设备和存储介质 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101883024A (zh) * | 2010-06-23 | 2010-11-10 | 南京大学 | 一种跨站点伪造请求的动态检测方法 |
CN101902470A (zh) * | 2010-07-14 | 2010-12-01 | 南京大学 | 一种基于表单特征的Web安全漏洞动态检测方法 |
CN102609649A (zh) * | 2012-02-06 | 2012-07-25 | 北京百度网讯科技有限公司 | 一种自动采集恶意软件的方法和装置 |
CN102663296A (zh) * | 2012-03-31 | 2012-09-12 | 杭州安恒信息技术有限公司 | 面向网页JavaScript恶意代码的智能检测方法 |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007183838A (ja) * | 2006-01-06 | 2007-07-19 | Fujitsu Ltd | クエリーパラメーター出力ページ発見プログラム、クエリーパラメーター出力ページ発見方法およびクエリーパラメーター出力ページ発見装置 |
US8656495B2 (en) * | 2006-11-17 | 2014-02-18 | Hewlett-Packard Development Company, L.P. | Web application assessment based on intelligent generation of attack strings |
US8949990B1 (en) * | 2007-12-21 | 2015-02-03 | Trend Micro Inc. | Script-based XSS vulnerability detection |
KR101001132B1 (ko) * | 2008-02-22 | 2010-12-15 | 엔에이치엔비즈니스플랫폼 주식회사 | 웹 어플리케이션의 취약성 판단 방법 및 시스템 |
US8800040B1 (en) * | 2008-12-31 | 2014-08-05 | Symantec Corporation | Methods and systems for prioritizing the monitoring of malicious uniform resource locators for new malware variants |
CN101964025B (zh) * | 2009-07-23 | 2016-02-03 | 北京神州绿盟信息安全科技股份有限公司 | Xss检测方法和设备 |
EP2513800B1 (en) * | 2009-12-15 | 2021-08-04 | Synopsys, Inc. | Methods and systems of detecting and analyzing correlated operations in a common storage |
CN102592089B (zh) * | 2011-12-29 | 2015-04-08 | 北京神州绿盟信息安全科技股份有限公司 | 网页重定向跳转漏洞检测方法及装置 |
CN103095681B (zh) * | 2012-12-03 | 2016-08-03 | 微梦创科网络科技(中国)有限公司 | 一种检测漏洞的方法及装置 |
US8943589B2 (en) * | 2012-12-04 | 2015-01-27 | International Business Machines Corporation | Application testing system and method |
US9195570B2 (en) * | 2013-09-27 | 2015-11-24 | International Business Machines Corporation | Progressive black-box testing of computer software applications |
US9390269B2 (en) * | 2013-09-30 | 2016-07-12 | Globalfoundries Inc. | Security testing using semantic modeling |
-
2013
- 2013-11-08 CN CN201310554402.1A patent/CN104636664B/zh active Active
-
2014
- 2014-10-10 WO PCT/CN2014/088283 patent/WO2015067114A1/zh active Application Filing
- 2014-10-10 US US15/034,363 patent/US9754113B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101883024A (zh) * | 2010-06-23 | 2010-11-10 | 南京大学 | 一种跨站点伪造请求的动态检测方法 |
CN101902470A (zh) * | 2010-07-14 | 2010-12-01 | 南京大学 | 一种基于表单特征的Web安全漏洞动态检测方法 |
CN102609649A (zh) * | 2012-02-06 | 2012-07-25 | 北京百度网讯科技有限公司 | 一种自动采集恶意软件的方法和装置 |
CN102663296A (zh) * | 2012-03-31 | 2012-09-12 | 杭州安恒信息技术有限公司 | 面向网页JavaScript恶意代码的智能检测方法 |
Also Published As
Publication number | Publication date |
---|---|
US9754113B2 (en) | 2017-09-05 |
CN104636664B (zh) | 2018-04-27 |
US20160267278A1 (en) | 2016-09-15 |
CN104636664A (zh) | 2015-05-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015067114A1 (zh) | 基于文档对象模型的跨站脚本攻击漏洞检测方法、装置、终端及介质 | |
CN108989266B (zh) | 一种防止网页劫持的处理方法和客户端以及服务器 | |
CN103617165B (zh) | 一种加载图片的方法、装置及终端 | |
CN107040609B (zh) | 一种网络请求处理方法和装置 | |
WO2015090248A1 (zh) | 服务器的过载保护方法及装置 | |
CN110716850B (zh) | 页面测试方法、装置、***及存储介质 | |
US10095666B2 (en) | Method and terminal for adding quick link | |
WO2018077041A1 (zh) | 应用运行的方法及装置 | |
WO2014206143A1 (zh) | 未读消息数目显示方法、装置和设备 | |
WO2017084452A1 (zh) | 图形界面中标签页的处理方法和装置 | |
CN109088844B (zh) | 信息拦截方法、终端、服务器及*** | |
US10956653B2 (en) | Method and apparatus for displaying page and a computer storage medium | |
WO2018006841A1 (zh) | 二维码信息传输方法、装置以及设备 | |
WO2013185565A1 (zh) | 移动终端浏览器弱光源下浏览网页的方法及装置 | |
WO2014173167A1 (en) | Method, apparatus and system for filtering data of web page | |
WO2014194688A1 (en) | Webpage processing method and terminal device | |
WO2014206138A1 (zh) | 一种更新网页数据的方法、装置和终端设备 | |
WO2017219293A1 (zh) | 一种获取网页内容的方法及装置 | |
WO2015067142A1 (zh) | 网页显示方法及装置 | |
WO2015003636A1 (zh) | 一种页面元素的拦截方法和装置 | |
US9582584B2 (en) | Method, apparatus and system for filtering data of web page | |
WO2018137528A1 (zh) | 资源访问方法及装置 | |
CN112749074B (zh) | 一种测试用例推荐方法以及装置 | |
WO2015062234A1 (zh) | 移动终端资源处理方法、装置和设备 | |
CN110445746B (zh) | cookie获取方法、装置及存储设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14859875 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15034363 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.10.2016) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14859875 Country of ref document: EP Kind code of ref document: A1 |