Review of cross-site scripting attack detection and defence techniques (跨站脚本攻击检测与防御技术综述)  Cited by: 1


Authors: Wang Lingtong, Wang Huiling, Xu Miao, Qi Xiaolong (School of Network Security & Information Technology, Yili Normal University, Yining, Xinjiang 835000, China; Key Laboratory of Intelligent Computing Research & Application, Yili Normal University, Yining, Xinjiang 835000, China)

Affiliations: [1] School of Network Security and Information Technology, Yili Normal University, Yining, Xinjiang 835000 [2] Ili River Valley Key Laboratory of Intelligent Computing Research and Application, Yili Normal University, Yining, Xinjiang 835000

Source: Application Research of Computers (《计算机应用研究》), 2024, No. 3, pp. 652-662 (11 pages)

Funding: National Natural Science Foundation of China Regional Science Fund Project (6236070453); Natural Science Foundation of Xinjiang Uygur Autonomous Region (2022D01C337, 2021D01C467); State Key Laboratory for Novel Software Technology (Nanjing University) open project (KFKT2022B30); Xueshi High-level Talent Post Project (YSXSQN22007); Yili Normal University Special Key Natural Science Project for Strengthening Discipline Comprehensive Capability (22XKZZ19).

Abstract: Cross-site scripting (XSS) is one of the most serious risks in Web security. With the widespread use of Web technologies such as Web services and APIs, and the emergence of new programming styles such as AJAX, CSS and HTML5, the threat posed by XSS attacks has grown, so handling the security risk of XSS has become an important concern of Web security research. Based on a survey of recent literature on XSS attack detection and defence, and classifying attacks by whether or not they are stealthy, this paper is the first to review the latest XSS detection and defence techniques from both a non-adversarial and an adversarial perspective. First, under non-adversarial and adversarial attack detection, it analyses methods that use machine learning to learn attack features from data and predict attacks, and methods that use reinforcement learning to identify or generate adversarial samples in order to optimise the detection model. Second, it describes non-adversarial defence methods: rule-based filtering of XSS payloads, moving target defence (MTD), which uses randomisation to lower the attacker's success rate, and isolation sandboxes that stop an XSS attack from propagating. Finally, it raises open problems and gives an outlook for XSS detection and defence in terms of sample characteristics, model properties, the limitations of Content Security Policy (CSP), and the ubiquity of file-upload functionality.
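The distinction the abstract draws between rule-based filtering and attacks that are stealthy enough to evade it is easiest to see side by side. The following is an added example, not code from the paper or its authors: a blacklist filter of the kind the review classes as rule-based defence, beside context-aware output encoding, both run over constructed payloads. The payload strings, the `BLACKLIST` rules and the helper names are assumptions made for this illustration.

```javascript
// Added example: a naive rule-based XSS filter beside HTML output encoding.
// The payloads and rules below are constructed for this illustration.

// A typical blacklist: reject input containing a literal <script> tag or a
// javascript: URL. This is the pattern-matching style of rule-based defence.
const BLACKLIST = [/<script/i, /javascript:/i];

// Returns "" (blocked) when a rule matches, otherwise passes the input through.
function naiveFilter(input) {
  return BLACKLIST.some((re) => re.test(input)) ? "" : input;
}

// Encode the five characters that can break out of an HTML text or
// double-quoted attribute context. This does not try to recognise attacks,
// so payload variants the blacklist never saw get no special treatment.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed payloads: the first matches the blacklist, the other two use
// event handlers instead of <script> and therefore slip past it.
const PAYLOADS = [
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  "<svg/onload=alert(1)>",
];

// Run every payload through a defence and report whether a raw tag start
// survives; a surviving "<" followed by a letter is what an HTML parser would
// turn into an element (and its on* handlers into executable code).
function evaluateDefence(defenceFn) {
  return PAYLOADS.map((payload) => {
    const out = defenceFn(payload);
    return { payload, output: out, tagSurvives: /<[a-zA-Z]/.test(out) };
  });
}

// Count how many constructed payloads would still be rendered as markup.
function survivingPayloads(defenceFn) {
  return evaluateDefence(defenceFn).filter((r) => r.tagSurvives).length;
}

// Stand-alone run: the blacklist lets two of three payloads through,
// output encoding lets none through.
console.log("blacklist survivors:", survivingPayloads(naiveFilter));
console.log("encoding survivors:", survivingPayloads(encodeForHtml));
```

The encoder is specific to the HTML text and attribute contexts; a value inserted into a JavaScript string, a URL or a CSS property needs the encoding for that context instead, which is one reason the abstract pairs filtering with CSP and sandboxing rather than relying on any single layer.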

Keywords: XSS attack; machine learning; non-adversarial attack detection; adversarial attack detection; non-adversarial attack defence

Classification code: TP393.08 [Automation and Computer Technology - Computer Application Technology]
