XSS detection method and device
First Claim
1. A cross-site scripting (XSS) detection method for detecting XSS vulnerabilities in a web page, comprising steps of:
- determining a set of parameter-value pairs that can be accepted by the web page;
and for each parameter-value pair in the set;
constructing a parameter-value pair in which a dedicated script is inserted;
assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted, wherein the URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script;
wherein in assembling the URL corresponding to the web page, a plurality of URLs are assembled by changing the sequence of the parameter-value pairs and by inserting other special codes in the URL;
acquiring dynamic web page content corresponding to the assembled URL;
simulating the execution of the dynamic web page content, wherein the steps of acquiring the dynamic web page content and simulating the execution of the dynamic web page content are performed respectively for each one of the plurality of URLs, anddetermining when the dedicated script is executed, that the processing of the parameter-value pair in the web page contains XSS vulnerabilities.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention discloses a XSS detection method for detecting the XSS vulnerabilities in a web page, comprising for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content, if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device.
30 Citations
9 Claims
-
1. A cross-site scripting (XSS) detection method for detecting XSS vulnerabilities in a web page, comprising steps of:
-
determining a set of parameter-value pairs that can be accepted by the web page; and for each parameter-value pair in the set; constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted, wherein the URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script; wherein in assembling the URL corresponding to the web page, a plurality of URLs are assembled by changing the sequence of the parameter-value pairs and by inserting other special codes in the URL; acquiring dynamic web page content corresponding to the assembled URL; simulating the execution of the dynamic web page content, wherein the steps of acquiring the dynamic web page content and simulating the execution of the dynamic web page content are performed respectively for each one of the plurality of URLs, and determining when the dedicated script is executed, that the processing of the parameter-value pair in the web page contains XSS vulnerabilities. - View Dependent Claims (2, 3, 4)
-
-
5. A cross-site scripting (XSS) detection device for detecting XSS vulnerabilities in a web page, comprising hardware and:
-
a web page parameter-value pair set determining unit configured to determine a set of parameter-value pairs that can be accepted by the web page; a testing URL assembler configured to assemble a testing URL for each parameter-value pair in the set of parameter-value pairs, wherein a dedicated script is inserted in the value of the parameter-value pair during the assembly of the testing URL and, wherein the testing URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the testing URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script;
wherein the testing URL assembler is configured to assemble a plurality of testing URLs by changing the sequence of the parameter-value pair and by inserting other special codes in the URL when assembling the testing URL;a communicator configured to send each testing URL to a web server and receive dynamic web page content returned from the web server in order to detect XSS vulnerabilities for each testing URL; and a simulator configured to simulate the execution of the dynamic web page content and determine the existence of XSS vulnerabilities in the parameter-value pair when the dedicated script has been executed. - View Dependent Claims (6, 7, 8)
-
-
9. A non-volatile computer readable medium including instructions that, when executed by a microprocessor, cause the following steps to be performed:
determining a set of parameter-value pairs that can be accepted by a web page; and
for each parameter-value pair in the set;constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted, wherein the URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script; wherein in assembling the URL corresponding to the web page, a plurality of URLs are assembled by changing the sequence of the parameter-value pairs and by inserting other special codes in the URL; acquiring dynamic web page content corresponding to the assembled URL; simulating the execution of the acquired dynamic web page content, wherein the steps of acquiring the dynamic web page content and simulating the execution of the dynamic web page content are performed respectively for each one of the plurality of URLs, and when the dedicated script is executed, it is determined that the processing of the parameter-value pair in the web page contains cross-site scripting (XSS) vulnerabilities.
Specification