著者
イスマイル オマル 衛藤 将史 門林 雄基 山口 英
出版者
一般社団法人電子情報通信学会
雑誌
電子情報通信学会技術研究報告. IA, インターネットアーキテクチャ (ISSN:09135685)
巻号頁・発行日
vol.104, no.554, pp.7-13, 2005-01-12

Cross-Site Scripting (XSS) is caused by the failure of Web applications to properly validate user input before returning it to the client's Web browser. Although some approaches exist for defending against XSS attacks, XSS vulnerabilities continue to appear in Web applications. These weaknesses, which often resulted from poorly developed Web applications and data processing systems, allow attackers to embed maliciuos HTML-based contents, such as Java Scripts, within HTTP requests or response messages. Through embedding HTML code and scripting elements, it is possible to steal session ID information, thus resulting in the leakage of private information. The classic XSS attack involves social engineering to trick the victims to click on a link with embedded scripts created by attackers. The victims do not necessarily have to click on a link. XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags, etc., We call this the "one-way XSS attack". We propose a system that not only detects and collects XSS attack-related information but also identifies the potential XSS attack codes. This system detects and, more importantly identifies new types of XSS attacks by manipulating HTTP server response. The system also shares collected vulnerability information via a central repository.
著者
イスマイル オマル 衛藤 将史 門林 雄基 山口 英
出版者
一般社団法人電子情報通信学会
雑誌
電子情報通信学会技術研究報告. MoMuC, モバイルマルチメディア通信 (ISSN:09135685)
巻号頁・発行日
vol.104, no.553, pp.7-13, 2005-01-12

Cross-Site Scripting (XSS) is caused by the failure of Web applications to properly validate user input before returning it to the client's Web browser. Although some approaches exist for defending against XSS attacks, XSS vulnerabilities continue to appear in Web applications. These weaknesses, which often resulted from poorly developed Web applications and data processing systems, allow attackers to embed maliciuos HTML-based contents, such as JavaScripts, within HTTP requests or response messages. Through embedding HTML code and scripting elements, it is possible to steal session ID information, thus resulting in the leakage of private information. The classic XSS attack involves social engineering to trick the victims to click on a link with embedded scripts created by attackers. The victims do not necessarily have to click on a link. XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags, etc, . We call this the "one-way XSS attack". We propose a system that not only detects and collects XSS attack-related information but also identifies the potential XSS attack codes. This system detects and, more importantly identifies new types of XSS attacks by manipulating HTTP server response. The system also shares collected vulnerability information via a central repository.