Detection And Optimization Of Context Sensitive XSS Flaws

With the rapid development of the new era of Internet,more and more service products related to network appear one after another.Domain name management system is a professional domain name software to help users solve most of the problems encountered in the process of website creation and subsequent management and maintenance.However,due to the rapid development of the new general top-level domain,the competition of such products in the Internet market is increasingly fierce.In order to improve the competitiveness of the domain name management system developed by an enterprise in Shenzhen,it is decided to upgrade the existing security defense system to obtain more user retention and conversion rates.In the process of implementation,the development team found that the domain name management system has the possibility of context sensitive XSS flaws(Content Sensitive XSS Flaws,is abbreviated to ‘CSXF').However,there is no detection tools or methods that can be applied to the development framework of the system and be effectively detected the context sensitive XSS flaws.To solve this problem,this paper proposes a detection mechanism that can effectively detect the context sensitive XSS flaws in the domain name management system.In this paper,we design and implement the context sensitive XSS flaws detection mechanism(CSXF for short)by combining the technical knowledge of dynamic trace stain technology,regular expression,internal rendering process in Vue and so on,including the improved dynamic trace module,model browser and contrast decision module.The improved dynamic tracking module first uses the common XSS attack features and regular expressions to preprocess the external untrusted data.Then it dynamically tracks the tainted data and records the data information and filters related information throughout the process;the model browser is designed and modified based on the internal rendering process of the Vue framework used by the domain name management system.Its purpose is to achieve the simulation browser and analysisprocess of generating the page,so as to obtain the display results of the tainted data in the page in advance,is called the pre-context;the comparison and determination module is to integrate the information obtained by the improved dynamic tracking module with the pre generated context obtained by the model browser,and obtain the final detection result by analyzing and determining whether the pre-context of the tainted data is in the data set which has been correctly processed after all the filters have passed.Combining the designed detection mechanism with the security defense system in the domain name management system,it is proved that it can effectively detect the context sensitive XSS vulnerability by functional test and performance test.For this system,the detection success rate is 22.6% higher than that of the previous detection tools,and the impact on the performance is small,and the page opening speed is only reduced by about 4%.The context sensitive XSS flaws detection mechanism designed in this paper greatly improves the success rate of XSS flaws detection,helps the domain name management system eliminate more security risks,reduces the security risks of the domain name management system,makes the defense system of the domain name management system more perfect,and thus improves the competitiveness of the system in the market,makes contributions to the enterprise's income generation.