Similar literature
Found 20 similar documents; search took 125 ms
1.
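With the rapid development of Internet technology, cross-site scripting (XSS) attacks have become one of the major attack techniques threatening website security. This paper explains the principle of cross-site scripting attacks, describes in detail the detection methods and test cases for cross-site scripting vulnerabilities, and summarizes protective methods and measures for preventing cross-site scripting attacks.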

2.
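Cross-site scripting is a commonly used attack technique in the current Web security field. This paper introduces the basic concepts of cross-site scripting attacks, reveals the severity of cross-site scripting vulnerabilities, analyzes the triggering mechanism of cross-site scripting vulnerabilities, discusses two common cross-site scripting attack modes, and demonstrates several effects of cross-site scripting attacks. Finally, it describes preventive measures against cross-site scripting attacks at two levels: Web application development and the client-side user.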

3.
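Cross-site scripting is a commonly used attack technique in the current Web security field. This paper introduces the basic concepts of cross-site scripting attacks, reveals the severity of cross-site scripting vulnerabilities, analyzes the triggering mechanism of cross-site scripting vulnerabilities, discusses two common cross-site scripting attack modes, and demonstrates several effects of cross-site scripting attacks. Finally, it describes preventive measures against cross-site scripting attacks at two levels: Web application development and the client-side user.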

4.
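Xu Siyuan, Zheng Tao. Computer Engineering (计算机工程), 2011, 37(18): 154-156
Malicious code is injected into the links of web applications to deceive the user's browser, so that users are subjected to cross-site scripting attacks when they visit these sites. To address this, a cross-site scripting defense method based on server-client collaboration is proposed. It uses rule files, Document Object Model integrity testing, and script obfuscation monitoring to improve the efficiency and accuracy of script detection. Experimental results show that the method achieves a good defensive effect against attacks.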

5.
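A Brief Analysis of Cross-Site Scripting Attacks and Defenses   Total citations: 2, self-citations: 0, citations by others: 2
Cross-site scripting is currently one of the most commonly used attack techniques in Web security. A cross-site scripting vulnerability occurs when a program sends user data directly to the web browser; because this content is not validated and encoded, malicious script is executed in the browser. Hackers also combine cross-site scripting with other network attacks to cause greater harm. Based on an analysis of the principle of cross-site scripting attacks, some defense methods are given.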

6.
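With the rapid development of Web applications, cross-site scripting incidents have increased sharply and the attack techniques keep evolving; some special advanced attack methods have emerged, encoding-based cross-site scripting attacks among them. This paper analyzes in depth two common encoding-based cross-site scripting attacks, binary and N-ary alphabet. Building on existing client-side cross-site scripting detection techniques, it presents a dynamic access control prevention method that addresses the lack of practicality in existing defenses against this class of attack, and verifies the effectiveness and practicality of the method experimentally.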

7.
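With the popularity of the B/S (browser/server) architecture and the rapid development of the Web 2.0 era, the lack of proper validation of untrusted user data has left cross-site scripting vulnerabilities widespread across all kinds of websites, seriously threatening user security. The main reason is that the mixing of server-side code and client-side script prevents current techniques from generating attack vectors accurately and effectively to detect cross-site scripting vulnerabilities. Based on static data-flow feature analysis, this paper designs a new analysis fuzzer according to script injection locations and attack vector patterns, uses string constraint solving to verify the validity of attack vectors, and implements XSS-Explore, a prototype white-box testing framework. Experimental results show that, compared with similar tools, the system detects cross-site scripting vulnerabilities more comprehensively and accurately.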

8.
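Cross-site scripting (XSS) is currently one of the most commonly used attack techniques among security vulnerabilities. This paper introduces cross-site scripting vulnerabilities, their basic principles and attack methods; designs a cross-site scripting worm and analyzes it; and gives an XSS example and the process of its attack and damage. It offers some insight for research on XSS.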

9.
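Xia Wenying, Zhai Weifang, Bian Xuemei. Computer Simulation (计算机仿真), 2021, 38(5): 260-263, 361
Because of the uncertainty of DOM-based cross-site scripting attacks, defending against them is difficult. An effective-path simulation for defending against DOM-based cross-site scripting network attacks is proposed. A credibility calculation module is built to compute the path of a DOM cross-site scripting attack, yielding the approximate process and characteristics of the script attack. Based on these attack characteristics, a credibility scheduling module is established to measure the access rate of the script attack and obtain the data changes during the attack. Using these results together with three principles (security, advancement, and high availability), a simulation platform for effective defense paths is assembled, which captures the data fluctuations and redirections that different defense methods produce on DOM cross-site scripting attacks, thereby simulating the defense methods. Experiments show that the designed simulation platform can accurately simulate different defense methods, and that the platform can also reveal the characteristics and weak points of the defense methods.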

10.
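Song Dunbo. Computer Era (计算机时代), 2010, (10): 20-21, 24
For websites coded in ASP script, this paper analyzes common website vulnerabilities and the application of their defensive measures in website management from three aspects: SQL injection, cross-site attacks, and web page trojan implantation. From a website developer's perspective, it analyzes and discusses the principles of common website vulnerabilities, their consequences, and methods of preventing them.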

11.
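Most primary and secondary school Web sites are based on Windows 2000, and their security carries considerable hidden risks. This paper analyzes the creation and security configuration of Web sites from four aspects: Windows 2000 Server installation, Windows 2000 Server settings, IIS settings, and ASP programming and Webshell prevention. It offers some recommendations for installing and configuring Windows-based Web sites, which help improve the security of Windows-based Web sites.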

12.
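Web Site Description and Mining Algorithm Based on a Multi-Granularity Tree Model   Total citations: 2, self-citations: 0, citations by others: 2
Tian Yonghong, Huang Tiejun, Gao Wen. Journal of Software (软件学报), 2004, 15(9): 1393-1404
With the rapid growth in the amount and variety of information on the Web, Web site mining is of great significance for automatically discovering and classifying Web resources on specific topics. However, existing Web site classification and mining algorithms still lack in-depth study of how to use contextual semantic information and remove noise in order to further improve classification accuracy. This paper analyzes the problems that must be solved to design an efficient Web site mining algorithm from three aspects: the sampling size of a site, the granularity of analysis, and the description structure. On this basis, it proposes a new multi-granularity tree description model for Web sites, and describes a multi-granularity Web site mining algorithm that includes a two-stage classification algorithm based on hidden Markov trees, an inter-granularity context fusion algorithm, a two-stage denoising procedure, and an entropy-based dynamic pruning strategy. The multi-granularity description method and mining algorithm lay a foundation for further research on multi-site query optimization, Web utility mining, and related topics. Experiments show that, relative to the baseline system, the algorithm improves classification accuracy by 16% on average and reduces processing time by 34.5%.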

13.
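A blog can be described as an online personal journal. As an emerging medium, the blog has become a very popular way of expressing personal opinions and feelings on the Web. Extracting useful information (topic publication time, topic title, topic content, comment content, and so on) from blogs quickly and accurately has therefore become a very important step in blog applications. This paper proposes a template-based method for blog information extraction: it analyzes the HTML source of a blog site, extracts the site's template, and then extracts information from blog pages according to that template. Templates were extracted for 10 well-known blog sites in China, and experiments were run on 7,374 blog pages from these 10 sites. The results show that the method can extract information from blog pages quickly and accurately using the extracted templates.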

14.
《Information & Management》2001,39(2):151-163
Despite the increasing popularity of electronic commerce, there appears to be little evidence of the methodical evaluation of the usability of commercial web sites. The usability of a web site defines how well and how easily a visitor, without formal training, can interact with the site. This paper reports the results of a research project, which applies a systematic qualitative technique known as protocol analysis or think aloud method, to examine the usability of a commercial web site. About 15 usability principles and 3 evaluation parameters (content, navigation and interactivity) were used as a framework to analyze the verbal protocols of a sample of users interacting with a greeting card web site. The protocols provided evidence of usability problems caused by crowded content, poor navigation and cumbersome interactivity. These results underscore the importance of two crucial usability goals for commercial web sites: clear path to products and transparency of the ordering process.

15.
《Information & Management》2005,42(1):217-226
Online interactivity is becoming a valuable way of improving the communication quality of business web sites. As a result, it is important that web site designers understand the concept and how it affects the quality of web site design. This study empirically validated Ha and James’ five interactivity dimensions (playfulness, connectedness, reciprocal communication, information collection, and choice) and their relationship to design quality. The findings suggested that the playfulness, connectedness, and reciprocal communication dimensions are important predictors of web site quality. While information collection tools are powerful for web engineering and user tracking, the companies surveyed here had not fully used the promising potential of such tools. The choice dimension, although it offered flexibility and customizability to users, was not significant in predicting web site quality. The results underscored the viability of interactivity dimensions in the online environment.

16.
《Information & Management》2004,42(1):217-226
Online interactivity is becoming a valuable way of improving the communication quality of business web sites. As a result, it is important that web site designers understand the concept and how it affects the quality of web site design. This study empirically validated Ha and James’ five interactivity dimensions (playfulness, connectedness, reciprocal communication, information collection, and choice) and their relationship to design quality. The findings suggested that the playfulness, connectedness, and reciprocal communication dimensions are important predictors of web site quality. While information collection tools are powerful for web engineering and user tracking, the companies surveyed here had not fully used the promising potential of such tools. The choice dimension, although it offered flexibility and customizability to users, was not significant in predicting web site quality. The results underscored the viability of interactivity dimensions in the online environment.

17.
Academic web sites are often “brochureware”: monologic sites that primarily provide information about an academic unit, with strongly limited feedback or contributions from those who are represented by the site. In such sites, divergent ideas and viewpoints are typically papered over, because the means of producing such pages tend to be concentrated in the hands of a small group of people. This article describes how we redesigned one such site as an open system in which control is distributed among departmental members. Our goal was to provide a productive civic forum for those citizens while still meeting the needs of the site’s visitors. We describe the conversational approach we used to redesign the site, apply it to a critique of the original web site, then describe the changes we implemented to remake the site as a civic forum. Finally, we describe the site’s early successes and failures and the lessons we learned.

18.
We have developed a method for analysis and design of web-based information systems (WBISs), and tools to support the method, WebArchitect and PilotBoat. The method and the tools focus on architectures and functions of web sites, rather than on the appearance of each web resource (page), such as graphics and layouts. Our goal is to efficiently develop WBISs that best support particular business processes at the least maintenance cost. Our method consists of two approaches, static and dynamic. We use the entity relation (E-R) approach for the static aspects of WBISs, and use the scenario approach for the dynamic aspects. The E-R analysis and design, based on the relationship management methodology (RMM) developed by Isakowitz et al., defines what the entities are and how they are related. The scenario analysis defines how web resources are accessed, used, and changed, and by whom. The method also defines attributes of each web resource, which are used in maintaining the resource. WebArchitect enables designers and maintainers to directly manipulate meta-level links between web resources that are represented in a hierarchical manner. PilotBoat is a web client that navigates and lets users collaborate through web sites. We have applied our approaches to the WWW6 proceedings site.

19.
Web sites are the main interface between online merchants and their customers. Despite the consequent importance of web-site design, there is little theoretical foundation that can be used to assess how web-design factors lead e-customers to revise their earlier beliefs. Our study examined web customers’ salient beliefs and the role of web-design elements in altering customers’ existing beliefs after their exposure to an e-commerce web site. Using salient beliefs and categories of web-design elements identified previously, we developed a conceptual model of belief revisions due to exposure to web-design elements and internal cues. The empirical analysis of the model indicated that web customers were influenced by the external cues from the design factors as well as the internal ones from their prior beliefs. Our findings have implications in designing web sites for e-commerce.

20.
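Two Schemes for Mining Association Rules in Distributed Systems   Total citations: 9, self-citations: 0, citations by others: 9
The problem of distributed mining of association rules is discussed and two implementation schemes are given. The first uses a local-to-local communication model, in which the communication load across sites is fairly balanced. The second uses a local-to-global communication model, which reduces the communication load on each local site and makes the local sites fully asynchronous, but places higher demands on the performance of the global site.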
