| DC 欄位 |
值 |
語言 |
| DC.contributor | 資訊工程學系 | zh_TW |
| DC.creator | 葉峻羲 | zh_TW |
| DC.creator | CHUN-HSI YEH | en_US |
| dc.date.accessioned | 2023-7-17T07:39:07Z | |
| dc.date.available | 2023-7-17T07:39:07Z | |
| dc.date.issued | 2023 | |
| dc.identifier.uri | http://ir.lib.ncu.edu.tw:444/thesis/view_etd.asp?URN=109522118 | |
| dc.contributor.department | 資訊工程學系 | zh_TW |
| DC.description | 國立中央大學 | zh_TW |
| DC.description | National Central University | en_US |
| dc.description.abstract | 圖片是現今大多數的網站上不可或缺的一項元素,對於文字無法
說明的部分,圖片是一種能夠輔助說明的媒介,在任何能夠讓使用
者交流的網站,大多都允許使用者發布圖片,這就具有被駭客利在
在網路攻擊上的可能性。因其廣泛性與重要性,許多網站都不會去
禁止 img tag 的使用,使得基於圖片的多用途網際網路郵件擴展類
型混淆攻擊(Multipurpose Internet Mail Extensions(MIME) Type
Confusion attack)變得相當重要。
多用途網際網路郵件擴展類型混淆攻擊是駭客利用瀏覽器會使用
MIME-Type sniffing 檢測正確的檔案類型這一特徵,而發展出來的
攻擊。早期的瀏覽器開始導入 MIME-Type sniffing 功能的原因,
是用來防止伺服器給出錯誤的檔案格式,而讓瀏覽器使用錯誤的處
理方式解釋接收到的資源。而這卻被駭客利用偽裝檔案類型的方
式,讓瀏覽器在未經使用者同意的情況下導致跨網站腳本攻擊
(Coss-Site Scripting(XSS) attack)。或者使用者的個人訊息透過
惡意的網絡信標(Web Beacon),導致使用者的隱私遭到洩漏。
本論文提出一種方法,針對任何應當是圖片類型的資源,在瀏覽
器向伺服器請求資源之前,就正確的辨認和解釋會從伺服器傳遞的
檔案類型,並透過實作成瀏覽器插件的形式,以即時動態分析的方
式,預先阻擋任何可疑的請求,以阻斷 MIME Type Confusion
attack 的攻擊途徑。 | zh_TW |
| dc.description.abstract | Images are an indispensable element on most websites
today. For parts that cannot be explained by text, pictures
are a medium that can assist in explanation. Most of the
websites that allow users to communicate, allow users to
post pictures. This has the possibility of being exploited
by hackers in attacks. Because of its extensiveness and
importance, many websites will not prohibit the use of img
tag, making image-based Multipurpose Internet Mail
Extensions (MIME) Type Confusion attack (Multipurpose
Internet Mail Extensions (MIME) Type Confusion attack) very
important.
The MIME type confusion attack is an attack developed by
hackers to take advantage of the fact that browsers use
MIME sniffing to detect the correct file type. The reason
why early browsers started importing MIME-Type sniffing was
to prevent the server from giving the wrong file format and
let the browser interpret the received resource in the wrong way. However, hackers use the method of disguising
the file type to allow the browser to cause a cross-site
scripting attack (Coss-Site Scripting (XSS) attack) without
the consent of the user. Forgery (CSRF) attack). Or the
user′s personal information is transmitted through a
malicious web beacon (Web Beacon), causing the user′s
privacy to be leaked.
This paper proposes a method to correctly identify and
explain the file type that will be transmitted from the
server before the browser requests the resource from the
server for any resource that should be an image type, and
implement it in the form of a browser plug-in. By means of
real-time dynamic analysis, any suspicious request is
blocked in advance to block the attack path of MIME Type
Confusion attack. | en_US |
| DC.subject | MIME 類型混淆攻擊 | zh_TW |
| DC.subject | 圖片標籤 | zh_TW |
| DC.subject | MIME | en_US |
| DC.subject | img | en_US |
| DC.subject | html | en_US |
| DC.title | 檢測基於惡意使用圖像標籤的�MIME類型混淆攻擊 | zh_TW |
| dc.language.iso | zh-TW | zh-TW |
| DC.title | Detecting MIME Type Confusion Attacks Based on Malicious Use of Image Tags | en_US |
| DC.type | 博碩士論文 | zh_TW |
| DC.type | thesis | en_US |
| DC.publisher | National Central University | en_US |