A ROBUST DEFENCE AGAINST CONTENT-SNIFFING XSS ATTACKS
콘텐츠 스니핑을 통한 크로스사이트 스크립팅 공격의 방어 기법
- 주제(키워드) Computer Engineering
- 주제(KDC) 500
- 주제(DDC) 000
- 발행기관 아주대학교
- 지도교수 이 경 석
- 발행년도 2010
- 학위수여년월 2010. 8
- 학위명 석사
- 학과 및 전공 일반대학원 컴퓨터공학과
- 실제URI http://www.dcollection.net/handler/ajou/000000010972
- 본문언어 영어
- 저작권 아주대학교 논문은 저작권에 의해 보호받습니다.
초록/요약
Many Web sites such as MySpace, Facebook and Twitter allow their users to upload files. However when a Web sites Content- Sniffing algorithm differs from a browsers Content- Sniffing algorithm, an attacker can often mount a Content-Sniffing XSS attack on the visitor. That is, by carefully embedding HTML code containing malicious script into a non-HTML file and uploading this file to the Web site, an attacker can deceive the visitors browser into assuming the file as HTML file and run the script code. However Content- Sniffing XSS attack can be avoided if files uploaded on the server are checked for HTML codes. In this paper we implemented a server-side ingress filter that aims to protect vulnerable browsers which may treat non-HTML files as HTML files. Our filter examines user-uploaded files against a set of potentially dangerous HTML elements (a set of regular expressions). The results of our experiment show that our automata-based scheme is highly efficient and more accurate than existing signature-based approach.
more목차
1.Introduction 1
1.1 Purpose of Research 2
1.2 Contents and Method of Research 4
2 Related Work 7
3 Attack Example 11
4 Proposed Scheme 16
5 Analysis of the Proposed Scheme 23
5.1 False Positive 23
5.2 False Negative 24
5.3 Time Overhead 25
6.Conclusion and future work 26
