Thesis 965202017: Detailed Record
Author: Jhen-Li Wang (王貞力)
Department: Department of Computer Science and Information Engineering
Title: A Server Solution for Cookie-Stealing-Based XSS Attacks
(Chinese title: 一個伺服器端關於cookie竊取之XSS攻擊的防禦機制, "A server-side defence mechanism against cookie-stealing XSS attacks")
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defence Mechanism for Fraudulent SMS Messages on Android Phones
★ SRA: A System for Defending Against ARP Spoofing That Hijacks Routers
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Firewall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Access rights
  1. This electronic thesis is authorized for immediate open access.
  2. The full text, once open, is licensed to users solely for personal, non-commercial academic research: searching, reading and printing.
  3. Please observe the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without permission.

Abstract (Chinese): In this thesis we build, on the server side, an automated defence mechanism against Cross Site Scripting (XSS) attacks, so that when a cookie carrying our authentication information is stolen by an attacker, it cannot be used to log into the system. Cross Site Scripting (XSS) is a web attack in which an attacker exploits a vulnerability in a web application to inject a script. Current XSS defences fall into two categories. The first identifies strings that could constitute an attack and filters them out, preventing their execution; but because attackers wrap attack scripts in a variety of encodings, malicious strings slip past the filter and the attack still succeeds. The second protects personal sensitive information such as cookies by marking (tainting) it and following its data flow with dynamic and static tracking to decide whether its final destination is legitimate, so that sensitive information does not leak to a malicious attacker; but with new web applications appearing all the time, dynamic and static tracking can hardly cover every data flow.
Moreover, a server-side web application developer who wants to defend against XSS needs sufficient network security knowledge and must write protection code for each potential vulnerability individually. Our system therefore runs in the Linux kernel on the server side and automatically protects the authentication cookies of the dynamic web languages commonly used on the web: packets entering the system undergo cookie extraction, verification and classification, so that when an XSS attack occurs the attacker cannot use the session ID in a stolen cookie to pass authentication and impersonate the user.
Abstract (English): In this thesis we introduce a mechanism that automatically protects cookies carrying authenticated identity information from being stolen by XSS attackers. Cross Site Scripting (XSS) is an application-level attack that injects script through a web application vulnerability. One common way to defend against XSS is to identify possible attack strings, filter them, and deny access to them; but attackers use a variety of encodings to package attack scripts and bypass string filters. The other way is to protect the sensitive information in cookies: taint it and trace its data flow both statically and dynamically, and finally validate its destination so that an attacker cannot easily obtain it. But this hardly covers the whole data flow of large Internet applications.
To defend against XSS attacks, programmers need sufficient network security knowledge and must fix every vulnerability that could be attacked. We set up a mechanism on the server side, in the Linux kernel, that automatically protects authentication cookies for popular dynamic web scripting languages: it captures packets first and then validates the cookies in the system. Attackers are therefore unable to pass authentication with a session ID from a stolen cookie.
Keywords (Chinese)
★ 跨站腳本攻擊 (Cross Site Scripting)
★ 網路安全 (Network Security)
★ cookie竊取 (Cookie Stealing)
Keywords (English)
★ Cross Site Scripting
★ Network Security
★ Cookie Stealing
Table of Contents
Abstract (Chinese) i
Abstract ii
Acknowledgements iii
Table of Contents iv
List of Figures vi
List of Tables vii
1. Introduction 1
1-1 Research Background and Motivation 1
1-2 Overview of the Method 4
1-3 Thesis Organization 5
2. Background 6
2-1 HTTP Requests and Responses 6
2-2 Cookies and Authentication 7
2-3 Session Usage 8
2-4 Cross Site Scripting 9
3. Related Work 11
3-1 XSS Defences Currently Deployed on the Web 11
3-2 Signature-Based Filtering of Input Parameter Strings 12
3-2-1 XSSDS: Server-side Detection of Cross-site Scripting Attacks 12
3-2-2 Anomaly Detection of Web-based Attacks 13
3-3 Tracking Information Flow 14
3-3-1 Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis 14
3-3-2 SOMA: Mutual Approval for Included Content in Web Pages 15
4. System Design and Architecture 16
4-1 System Design and Architecture Diagram 16
4-1-1 Payload Collector 17
4-1-2 Cookie Abstractor 20
4-1-3 Cookie Verifier 21
4-1-4 Cookie Cleaner 21
4-1-5 Cookie Table 22
4-2 System Workflow 23
4-3 Performance Improvements 24
5. Experiments and Analysis 26
5-1 Real-World Conditions on the Web 26
5-2 False Positives 31
5-3 False Negatives 31
5-4 Effectiveness Tests 32
5-4-1 Experimental Environment 33
5-4-2 Attack Steps 33
5-5 Performance Tests 35
6. Conclusion 36
6-1 Summary 36
6-2 Future Work 37
References 38
Advisor: Fu-hau Hsu (許富皓)
Approval date: 2009-7-23