- 著者
-
オマル イスマイル
衛藤 将史
門林 雄基
山口 英
- 出版者
- 一般社団法人情報処理学会
- 雑誌
- 情報処理学会研究報告インターネットと運用技術(IOT) (ISSN:09196072)
- 巻号頁・発行日
- vol.2005, no.2, pp.7-13, 2005-01-19
Cross-Site Script (XSS) is caused by the failure of Web applications to properly validate user input before returning it to the client's Web browser. Although some approaches exist for defending against XSS attacks XSS vulnerabilities continue to appear in Web applications. These weaknesses which often resulted from poorly developed Web applications and data processing system allow attackers to embed maliciuos HTML-based contents such as Javascripts within HTTP requests pr response messages. Through embedding HTML code and scripting elements it is possible to steal session ID information thus reslting in the leakage of private information. The classic XSS attack involves social engineering to trick the victims to click on a link with embedded scripts created by attackers. The victims do not necessarily have to click on a link. XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags ets We call this the "one-way XSS attack". We propose a system that not only detects and collects XSS attack-related information but also identifies the potential XSS attack codes. This system detects and more importantly identifies new types of XSS attacks by manipulating HTTP server response. The system also shares collected vulnerability information via a central repository.Cross-Site Script (XSS) is caused by the failure of Web applications to properly validate user input before returning it to the client's Web browser. Although some approaches exist for defending against XSS attacks, XSS vulnerabilities continue to appear in Web applications. These weaknesses, which often resulted from poorly developed Web applications and data processing system, allow attackers to embed maliciuos HTML-based contents, such as Javascripts, within HTTP requests pr response messages. Through embedding HTML code and scripting elements, it is possible to steal session ID information, thus reslting in the leakage of private information. The classic XSS attack involves social engineering to trick the victims to click on a link with embedded scripts created by attackers. The victims do not necessarily have to click on a link. XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags, ets, We call this the "one-way XSS attack". We propose a system that not only detects and collects XSS attack-related information but also identifies the potential XSS attack codes. This system detects and, more importantly identifies new types of XSS attacks by manipulating HTTP server response. The system also shares collected vulnerability information via a central repository.