Research And Design Of A Browser-based XSS Detection System

With the advent of the Web 2.0 era,users have become the core contributors and sharers of Web content,which further promotes the prosperity of the Internet and information technology,but because of the untrustworthy input of users,it also brings more serious security problems.XSS(Cross-Site Scripting)is one of the most important security threats in the Web 2.0 era.It arises from vulnerabilities in Web applications,but poses a double threat to ordinary users and Web service providers.According to the OWASP research report,until 2017,XSS is still the second most common security issue in OWASP Top 10 list,which exists in nearly two-thirds of applications,and because it is easy to be used and easy to be ignored,XSS can often lead to serious security incidents.In order to alleviate the current situation of XSS flooding,this paper proposes a browser-based XSS detection system to solve problems existing XSS detection systems are faced with,such as the lack of universality,single detection direction and separation from the real browser environment,the following improvements have been made to XSS detection:1.Improved the detection environment,based on the browser runtime to obtain the key data required for XSS detection and implement detection,ensures a high degree of consistency between the detection environment and the XSS generation environment and improves the universality of the XSS detection system.2.In the defense against XSS attacks,the environment-specific Parser is integrated first,and the communication problem about extracting script data is solved.Based on the above improvements,the request parameters and response scripts are incrementally parsed,improving Parser performance and maintainability,the detection of XSS attacks is completed based on the comparison verification algorithm,and the implementation details of the algorithm are improved.The construction of the generalized suffix tree is completed in the browser environment for the first time,which improves the detection efficiency.3.When mining XSS vulnerabilities,we first use the idea of fuzzing to detect,and based on the advantages provided by the browser runtime,an innovative solution by using invisible ifr-ame tags in the background is proposed,which makes continuous testing without intrution become possible.Then based on the classification discussion method,the attack vector set is pre-generated according to the location and calling mode of the malicious script in the response message,and the attack vector^can be reused.Last but not least,this paper studies and designs additional methods for capturing abnormal results for the problem of high false negative rate of traditional fuzzing test,which reduces the false negative rate of vulnerability mining.This paper researches and designs a comprehensive XSS detection system based on browser runtime.The system integrates XSS attack defense module and XSS vulnerability mining module into one,which has stronger cross-platfommity.Experiments show that the system can effectively detect XSS vulnerabilities and reflective XSS attacks,and has a low false positive rate and false negative rate.