Paper title: Automatic and Context-Aware Cross-Site Scripting Filter Evasion
Authors: Fabrizio d'Amore, Mauro Gentile
Abstract:
Cross-Site Scripting (XSS) is a pervasive vulnerability that affects a huge portion of modern web applications. Implementing a correct and complete XSS filter for user-generated content can be a real challenge for web developers. Many aspects have to be taken into account, since attackers may continuously show off a potentially unlimited armory. This work proposes an approach and a tool, named snuck, for web application penetration testing, which can definitely help in finding hard-to-spot and advanced XSS vulnerabilities. The methodology is based on the inspection of the injection's reflection context and relies on a set of specialized and obfuscated attack vectors for bypassing the filter-based protections adopted against potentially harmful inputs. In addition, XSS testing is performed in-browser: a web browser is driven to reproduce the attacker's and, possibly, the victim's behavior. The results of several tests on many popular Content Management Systems proved the benefits of this approach: no other web vulnerability scanner would have been able to discover some of the advanced ways to bypass robust XSS filters.