Liu Qixu, Wen Tao, Wen Guanxing. Detection of XSS Vulnerabilities in Online Flash[J]. Journal of Computer Research and Development, 2014, 51(7): 1624-1632.

Detection of XSS Vulnerabilities in Online Flash

  • Published Date: July 14, 2014

Popular websites such as YouTube, Yahoo! and CNN contain a large number of Flash files that deliver dynamic content. However, many Flash objects are exposed to cross-site scripting (XSS) vulnerabilities, a type of injection problem in which malicious scripts are injected into otherwise benign and trusted websites, because they are usually coded without properly sanitizing their inputs. In this paper, we study the technology of XSS in online Flash and introduce an engine called FXD (Flash XSS Detector), which is designed to automatically scramble webpages with embedded Flash objects and check whether or not they are vulnerable to XSS attacks. We evaluate FXD on a large collection of XSS-vulnerable Flash test samples we created, which cover all common Flash XSS vulnerabilities. FXD detects Flash XSS efficiently and covers more kinds of Flash XSS than any related work we know of. We also use FXD to test real-world websites and find that many embedded Flash objects are still vulnerable to XSS, even on Alexa Top 100 websites. Finally, we observe a new trend: Flash XSS is now mainly caused by combinations of key functions from different categories.
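As an added illustration of the source-to-sink pattern the abstract describes (unsanitized external input reaching a function that can execute script in the embedding page), and not code from the paper or from FXD, here is a minimal taint-style checker over ActionScript 3 source text. The source, sink and sanitizer names (loaderInfo.parameters, ExternalInterface.call, navigateToURL, getURL, htmlText, escape, encodeURIComponent) are assumptions drawn from the AS3 API rather than from the page, and the sample SWF source is constructed.

```python
import re

# Assumed taint source: FlashVars / query parameters reaching the SWF (AS3 API, not from the paper).
SOURCES = ("loaderInfo.parameters",)
# Assumed sinks that can run script or open a URL in the embedding page.
SINKS = ("ExternalInterface.call", "navigateToURL", "getURL", "htmlText")
# Calls treated as sanitizers: data that passes through them is considered clean here.
SANITIZERS = ("escape", "encodeURIComponent")

# Matches "var name:Type = expr;" or "name = expr;" (intentionally simple, one statement per line).
ASSIGN_RE = re.compile(r"(?:var\s+)?(\w+)\s*(?::\s*\w+)?\s*=\s*(.+?);")


def _uses(names, text):
    return any(re.search(r"\b%s\b" % n, text) for n in names)


def find_flash_xss(source: str) -> list:
    """Return (line_no, sink) pairs where data derived from a source reaches
    a sink without passing through a sanitizer. Intra-procedural and
    order-based: taint is tracked per variable in statement order."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        sanitized = any(s + "(" in line for s in SANITIZERS)
        sink = next((s for s in SINKS if s in line), None)
        if sink:
            direct = any(s in line for s in SOURCES)
            if (direct or _uses(tainted, line)) and not sanitized:
                findings.append((no, sink))
            continue
        m = ASSIGN_RE.search(line)
        if m:
            var, rhs = m.groups()
            from_source = any(s in rhs for s in SOURCES)
            if (from_source or _uses(tainted, rhs)) and not sanitized:
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned to clean data
    return findings


# Constructed sample SWF source: two flows reach sinks, one is sanitized first.
SAMPLE = """\
var url:String = root.loaderInfo.parameters["url"];
var safe:String = encodeURIComponent(root.loaderInfo.parameters["cb"]);
var cb:String = root.loaderInfo.parameters["cb"];
navigateToURL(new URLRequest(url), "_self");
ExternalInterface.call(cb);
ExternalInterface.call(safe);
"""

if __name__ == "__main__":
    for line_no, sink in find_flash_xss(SAMPLE):
        print("line %d: unsanitized input reaches %s" % (line_no, sink))
```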
