Authors: 徐博文 [1], 刘春晖 [1], 曹维华 [1], 陆小铭 [1]
Source: Network Security Technology & Application (《网络安全技术与应用》), 2014, No. 2, pp. 60-62 (3 pages)
Abstract: The development of Web 2.0 continually gives rise to script security problems; Web real-time session hijacking caused by cross-site vulnerabilities is one technical application of cross-site scripting (XSS) attacks. This paper analyzes the technical principles of Web real-time session hijacking based on XSS vulnerabilities and, according to its technical characteristics and application environment, proposes the concepts of a narrow-sense and a broad-sense "attack lifetime". From the perspectives of HTML language features, web page structure and Web service business design, it analyzes three attack-lifetime models: the timeline model, the page structure model and the business logic model. It points out the distinctive features of Web real-time session hijacking with respect to social engineering and vulnerability-point mining, and finally proposes two targeted comprehensive countermeasures derived from the attack-lifetime analysis: an account-information security classification mechanism and a client-side anomalous-behaviour monitoring mechanism.
Keywords: Web 2.0; cross-site scripting attack; real-time session hijacking; attack lifetime; social engineering; vulnerability-point mining
Classification: TP393.08 [Automation and Computer Technology, Computer Application Technology]