Review of cross-site scripting attack detection and defence techniques

Review of cross-site scripting attack detection and defence techniques
Wang Lingtonga,b
Wang Huilinga,b
Xu Miaoa,b
Qi Xiaolonga,b
a. School of Network Security & Information Technology, b. Key Laboratory of Intelligent Computing Research & Application, Yili Normal University, Yining Xinjiang 835000, China

摘要

Cross Site Scripting attack, also called XSS attack, is one of the most serious risks in Web security. With the widespread use of Web technologies such as Web services, APIs, and the emergence of new programming styles such as Ajax, CSS, and HTML5, the threat of XSS attacks has become more serious. Therefore, how to deal with the security risk of XSS attacks has become an important concern in Web security research. By investigating the literature on XSS attack detection and defence in recent years, the latest techniques for XSS attack detection and defence are reviewed for the first time from both non-adversarial and adversarial perspectives, based on whether the XSS attack is stealthy or not. Firstly, from the aspects of non-confrontational attack detection and confrontational attack detection, explore and analyse the methods of learning attack features from data and predicting attacks based on machine learning and optimising the detection model based on reinforcement learning to identify or generate confrontational sample strategies; secondly, elaborate the methods of non-confrontational attack defence to filter the XSS attacks based on rules, to reduce the success rate of attacks based on the randomness of the Moving Targets Defence (MTD) , and to isolation sandbox-based approach to prevent the propagation of XSS attacks. Finally, the future issues to be considered and outlooks of XSS attack detection and defence are presented in terms of sample characteristics, model features and limitations of CSP, and the wide range of uploading functions, respectively.

基金项目

新疆维吾尔自治区自然科学基金资助项目(2022D01C337,2021D01C467)
计算机软件新技术国家重点实验室(南京大学)(KFKT2022B30)
学实高层次人才岗位(YSXSQN22007)
伊犁师范大学提升学科综合实力专项自科重点项目(22XKZZ19)

出版信息

DOI: 10.19734/j.issn.1001-3695.2023.06.0286
出版期卷: 《计算机应用研究》 Accepted Paper, 2024年第41卷 第3期

发布历史

[2023-11-14] Accepted Paper

引用本文

王铃铜, 王慧玲, 徐苗, 等. 跨站脚本攻击检测与防御技术综述 [J]. 计算机应用研究, 2024, 41 (3). (2023-12-13). https://doi.org/10.19734/j.issn.1001-3695.2023.06.0286. (Wang Lingtong, Wang Huiling, Xu Miao, et al. Review of cross-site scripting attack detection and defence techniques [J]. Application Research of Computers, 2024, 41 (3). (2023-12-13). https://doi.org/10.19734/j.issn.1001-3695.2023.06.0286. )

关于期刊

  • 计算机应用研究 月刊
  • Application Research of Computers
  • 刊号 ISSN 1001-3695
    CN  51-1196/TP

《计算机应用研究》创刊于1984年,是由四川省科技厅所属四川省计算机研究院主办的计算技术类学术刊物。

《计算机应用研究》瞄准本学科领域迫切需要的前沿技术,及时反映国内外计算机应用研究的主流技术、热点技术及最新发展趋势。主要刊载内容包括本学科领域高水平的学术论文、本学科最新科研成果和重大应用成果。栏目内容涉及计算机学科新理论、计算机基础理论、算法理论研究、算法设计与分析、区块链技术、系统软件与软件工程技术、模式识别与人工智能、体系结构、先进计算、并行处理、数据库技术、计算机网络与通信技术、信息安全技术、计算机图像图形学及其最新热点应用技术。

《计算机应用研究》拥有众多高层次读者、作者,读者对象主要为从事计算机学科领域高、中级研究人员及工程技术人员,各高等院校计算机专业及相关专业的师生。多年来《计算机应用研究》的总被引频次及Web下载率一直名列本学科同类学术刊物前茅,所刊发的学术论文以其新颖性、学术性、前瞻性、导向性、实用性而备受广大读者的喜爱。


收录和评价

  • 第二届国家期刊奖百种重点期刊
  • 中国期刊方阵双效期刊
  • 全国中文核心期刊(北大2023年版)
  • 中国科技核心期刊
  • 中国科学引文数据库(CSCD)来源期刊
  • RCCSE中国核心学术期刊
  • 中国计算机学会会刊
  • 2020—2022年科技期刊世界影响力指数(WJCI)报告收录期刊
  • 中国科技期刊精品数据库全文来源期刊
  • 中国学术期刊综合评价数据库来源期刊
  • 《中国期刊网》《中国学术期刊(光盘版)》来源期刊
  • 2017—2019年中国国际影响力优秀学术期刊(自然科学与工程技术)
  • 中国精品科技期刊顶尖学术论文(F5000)项目来源期刊
  • 《中国工程技术电子信息网》《电子科技文献数据库》来源期刊
  • 英国《科学文摘》(INSPEC)来源期刊
  • 《日本科学技术振兴机构数据库》(JST)来源期刊
  • 俄罗斯《文摘杂志》(AJ, VINITI)来源期刊
  • 美国《艾博思科学术数据库》(EBSCO)全文来源期刊
  • 美国《剑桥科学文摘(自然科学)》(CSA(NS))核心期刊
  • 波兰《哥白尼索引》(IC)来源期刊
  • 美国《乌利希期刊指南(网络版)》(Ulrichsweb)收录期刊