ACTA Scientiarum Naturalium Universitatis Pekinensis
Cross Site Script Prevention Based on Delimiters
ZHANG Huilin1,2, LI Guancheng1, DING Yu1, DUAN Lei1, HAN Xinhui1,†, XIAO Jianguo1
1. Institute of Computer Science and Technology, Peking University, Beijing 100871; 2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029; † Corresponding author, E-mail: hanxinhui@pku.edu.cn

Abstract The authors propose a practical and accurate cross site script prevention method based on delimiters for UTF-8 encoded web applications. Only trusted delimiters are tainted into corresponding UTF-8 shadow bytes, and these tainted shadow bytes are automatically propagated in web applications and can be directly delivered into output pages. Cross site script is prevented by analyzing the tainted delimiters and HTML context of output pages. A prototype called Xsscleaner is implemented on PHP. The evaluation shows that Xsscleaner can accurately protect web applications from real world cross site script attacks with an average overhead of 12.9%.

Key words cross site script; delimiter; dynamic taint analysis; positive taint; shadow bytes; context
As the Web has developed, Web applications have increasingly moved toward a rich interaction model: users submit data to a site through forms, URL parameters and the like, and the server-side application dynamically generates a result page (the HTML-formatted response page) that contains the user-submitted content. Typical applications include blogs, forums and microblogs. While this interaction model makes life more convenient, it also brings security problems. The Web security assessment report published by the Open Web Application Security Project (OWASP) shows that cross site script attacks (XSS) rank among the top Web security threats [1]. Cross site script attacks arise because the server side of a web site does not properly check or filter user input and URL parameters, so that the result page contains unauthorized scripts (usually client-side JavaScript code) carefully injected by an attacker [2]. A typical scenario: an attacker enters a JavaScript snippet in the comment field of a forum site and submits it, and the server side places that content into the result page without sufficient validation. When any user visits the result page, the unauthorized script is parsed and executed by the client browser. Unauthorized scripts can steal private data from the page (such as the site's cookies or passwords entered by the user), manipulate page components, hijack sessions and so on [3], seriously harming Web security and user privacy.
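The following is an added illustration, not code from the paper or from the Xsscleaner prototype, of the positive-tainting idea stated in the abstract: delimiters written in the application's own code are marked trusted, bytes that arrive from a request are not, the marks travel with the characters through concatenation and transformation, and at output time any HTML delimiter that does not carry a trust mark is escaped. Instead of UTF-8 shadow bytes inside a PHP engine it uses a parallel list of per-character flags in Python (an assumption made for portability); the forum comment template, the `TaintedStr` class and the `render` / `untrusted_delimiters` functions are all constructed here for the example.

```python
import html
from dataclasses import dataclass

# HTML characters that can open or close a parsing context (tag, attribute, entity).
DELIMITERS = frozenset('<>"\'&')


@dataclass
class TaintedStr:
    """A string with one trust flag per character (a stand-in for shadow bytes)."""
    text: str
    trusted: list

    @classmethod
    def literal(cls, s: str) -> "TaintedStr":
        # Delimiters typed by the developer in application code are trusted.
        return cls(s, [True] * len(s))

    @classmethod
    def user_input(cls, s: str) -> "TaintedStr":
        # Nothing that arrives from a request (form field, URL parameter) is trusted.
        return cls(s, [False] * len(s))

    def __add__(self, other: "TaintedStr") -> "TaintedStr":
        # Concatenation propagates the flags alongside the characters.
        return TaintedStr(self.text + other.text, self.trusted + other.trusted)

    def upper(self) -> "TaintedStr":
        # A character-preserving transform keeps each character's flag, so the
        # trust information survives ordinary string processing in the application.
        return TaintedStr(self.text.upper(), list(self.trusted))


def untrusted_delimiters(t: TaintedStr) -> list:
    """Positions of delimiters that did not come from trusted code: the XSS signal."""
    return [(i, c) for i, (c, ok) in enumerate(zip(t.text, t.trusted))
            if c in DELIMITERS and not ok]


def render(t: TaintedStr) -> str:
    """Emit the page: trusted delimiters pass through, untrusted ones are escaped."""
    out = []
    for c, ok in zip(t.text, t.trusted):
        if c in DELIMITERS and not ok:
            out.append(html.escape(c, quote=True))  # neutralise the delimiter
        else:
            out.append(c)
    return "".join(out)


def comment_page(comment: str, author: str) -> str:
    """Constructed forum template; `comment` and `author` come from the request."""
    page = (TaintedStr.literal('<div class="comment" data-author="')
            + TaintedStr.user_input(author)
            + TaintedStr.literal('">')
            + TaintedStr.user_input(comment)
            + TaintedStr.literal('</div>'))
    return render(page)


if __name__ == "__main__":
    # Constructed request values: a script in the comment body and a quote in the
    # author name, each of which would change the HTML context if left unmarked.
    print(comment_page('<script>alert("xss")</script>', 'bob'))
    print(comment_page('hello', 'a"b'))
```

The template's own `<div ...>` and `</div>` reach the output untouched because their delimiters are flagged trusted, while the `<`, `>` and `"` supplied by the request are escaped whether they land in text content or inside an attribute value. `untrusted_delimiters` is the inspection point a server-side filter would use to decide that a request contains delimiters that must not be emitted as markup.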
Among server-side defense schemes, the input