디지털융복합연구 (Journal of Digital Convergence)

  • 제11권12호
  • /
  • Pages.327-332
  • /
  • 2013
  • /
  • 2713-6434(pISSN)
  • /
  • 2713-6442(eISSN)
한국디지털정책학회 (The Society of Digital Policy and Management)
권호 표지
DOI QR코드

DOI QR Code

XSS 공격과 대응방안

XSS Attack and Countermeasure: Survey

  • 홍성혁 (백석대학교, 정보통신학부 정보보호 전공)
  • Hong, Sunghyuck (Baekseok University, Division of Information and Communication)
  • 투고 : 2013.10.15
  • 심사 : 2013.12.20
  • 발행 : 2013.12.28
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

XSS는 공격자가 상대방의 브라우저에 Script를 실행할 수 있게 하여 사용자의 Session을 가로채거나 웹 사이트 변조, 악의적 컨텐츠 삽입, 피싱 공격을 할 수 있다. XSS공격은 저장(Stored)XSS와 반사(Reflected)XSS 이렇게 크게 두 가지 공격이 있다. XSS 공격의 형태는 Cookie Sniffing, 스크립트 암호화 및 우회, 악성코드 유포, Key Logger, Mouse Sniffer, 거짓정보 추가가 있다. XSS 공격은 스크립트 언어 그리고 취약한 코드들이 공격 대상이 된다. XSS 공격의 대응 방법에는 관리자의 대응과 사용자의 대응 두 가지를 제한 하였다.

XSS is an attacker on the other party of the browser that is allowed to run the script. It is seized session of the users, or web site modulation, malicious content insertion, and phishing attack which is available. XSS attacks are stored XSS and reflected XSS. In that, two branch attacks. The form of XSS attacks are cookie sniffing, script encryption, bypass, the malignant cord diffusion, Key Logger, Mouse Sniffer, and addition of lie information addition. XSS attacks are target of attack by script language. Therefore, the countermeasure of XSS is presented and proposed to improve web security.

키워드

참고문헌

  1. Shaikh, F.B.; Haider, S., "Security threats in cloud computing," Internet Technology and Secured Transactions (ICITST), 2011 International Conference for , vol., no., pp.214-219, Dec. 11-14, 2011
  2. Open Web Application Security Project(OWASP). "OWASP Top 10 for 2013". 12 June, 2013.
  3. Shahriar, H.; Zulkernine, M., "S2XS2: A Server Side Approach to Automatically Detect XSS Attacks," Dependable, Autonomic and Secure Computing (DASC), 2011 IEEE Ninth International Conference on, vol., no., pp.7,14, Dec. 2011.
  4. Yi Wang; Zhoujun Li; Tao Guo, "Program Slicing Stored XSS Bugs in Web Application," Theoretical Aspects of Software Engineering (TASE), 2011 Fifth International Symposium on, vol., no., pp.191-194, Aug. 2011
  5. Chomsiri, T., "Sniffing Packets on LAN without ARP Spoofing," Convergence and Hybrid Information Technology, 2008. ICCIT '08. Third International Conference on , vol.2, no., pp. 472-477, Nov. 2008
  6. Hui Zhao; Wen Chen, "A Web Page Malicious Script Detection Method Inspired by the Process of Immunoglobulin Secretion," Intelligence Information Processing and Trusted Computing (IPTC), 2010 International Symposium on , vol., no., pp.241-245, Oct. 2010
  7. Mirtalebi, A.; Khayyambashi, M.R., "Enhancing security of Web service against WSDL threats," Emergency Management and Management Sciences (ICEMMS), 2011 2nd IEEE International Conference on , vol., no., pp. 920-923, Aug. 2011
  8. Bozic, J.; Wotawa, F., "XSS pattern for attack modeling in testing," Automation of Software Test (AST), 2013 8th International Workshop on , vol., no., pp.71-74, May, 2013
  9. Ross, P.E., "Microsoft to spammers: go phish [e-mail security]," Spectrum, IEEE , vol.43, no.1, pp. 48-49, Jan. 2006
  10. Matsuda, T.; Koizumi, D.; Sonoda, M., "Cross site scripting attacks detection algorithm based on the appearance position of characters," Communications, Computers and Applications (MIC-CCA), 2012 Mosharaka International Conference on , vol., no., pp. 65-70, Oct. 2012.