跨站脚本(Cross Site Scripting,XSS)攻击是Web安全中最严重的风险之一.通过对近年来XSS攻击漏洞检测文献的调研,对XSS攻击漏洞检测技术的研究进展进行了全面综述.探讨了静态分析基于代码审计对比源代码转换的抽象模型检测出漏洞和静态污染分析跟踪源代码找到漏洞的方法;分析了动态分析基于动态污染分析在运行时跟踪污染数据发现漏洞、安全性测试构造XSS漏洞对Web应用程序进行测试,以及混合动态分析使用多种动态分析方法检测XSS攻击漏洞的方法;阐述了混合分析组合静态分析和动态分析降低检测假阳性率的方法;分别从代码审计的可解释性和混合分析的稀少性,提出了XSS攻击漏洞检测未来需要考虑的问题,并作出展望.
Research Progress of Cross Site Scripting Attack Vulnerability Detection Technology
Cross Site Scripting(XSS)attack,is one of the most serious risks in web security.Through the research on the literature of XSS attack vulnerability detection in recent years,a comprehensive review of the research progress of XSS attack vulnerability detection technology is conducted.First,the methods of static analysis to detect vulnerabilities based on the abstract model comparing code auditing and source code conversion is discussed,together with the static contamination analysis to track the source code to find vulnerabilities.Second,discussion is also made about the methods of dynamic analysis to track the contaminated data during the operation and find vulnerabilities based on dynamic contamination analysis,security testing to construct XSS vulnerabilities to test the web application,and hybrid dynamic analysis to use multiple dynamic analysis methods to detect XSS attack vulnerabilities.Then,the method of hybrid analysis combining static analysis and dynamic analysis to reduce the detection of false-positive rate is elaborated.Finally,the future issues to be considered for the detection of XSS attack vulnerabilities and the outlook are put forward,from the perspectives of the interpretability of code auditing and the sparsity of hybrid analysis.
NETL
NSTL
万方数据
