| XSS attack is one of the most frequently used types of attack aiming to Web application layers. The vicious scripts injected into the remote web page by the attacker shall automatically execute on the users' browsers without any awareness of the users who trusted this web site and browse its pages. Thus, the attacker's purpose is realized.This thesis, first of all, introduces the knowledge about HTTP and HTML related to XSS attack, the basic principles of XSS attack as well as its ways of classification and the possible jeopardy. Then it illustrates the precautions and detecting methods of XSS attack, together with the conclusions on the merits and faults of the current detecting methods, and analyzes an XSS dynamic detecting method which is based on database and single thread network spider, following by fundamental theories and the existing disadvantages of its mode. In order to improve this detecting method, especially its detecting speed and accuracy, this thesis poses a revised method, based on multithread network spider and automatic code generator, which is time-saving by altering the network spider from single thread to multithread; and improves the detecting accuracy through abandoning the use of database and utilizing the code generator which is able to generate attacking code automatically according to the content before or after the injecting spot. Therefore, more effective attacking codes are available. Meanwhile, the realization of this revised syetem is explicated including its principle theory of each mode, detailed description of key techniques and its effection.The revised detecting system is realized through Visual Studio 2005 and C# language. At last, the revised detecting method proves its function and accuracy by comparing its time consumption with the formerly-mentioned method and the false positive and false negative with the two dynamic detecting tools, Paros and AWVS, when they are respectively used to detect two real web sites. |
PDF Full Text Request