Full metadata record
DC Field | Value | Language
dc.contributor.author | 宋穎昌 | en_US
dc.contributor.author | Song, Yin-Chang | en_US
dc.contributor.author | 謝續平 | en_US
dc.contributor.author | Shieh, Shiuh-Pyng | en_US
dc.date.accessioned | 2014-12-12T01:43:23Z | -
dc.date.available | 2014-12-12T01:43:23Z | -
dc.date.issued | 2009 | en_US
dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT079755533 | en_US
dc.identifier.uri | http://hdl.handle.net/11536/45877 | -
dc.description.abstract | According to the OWASP 2010 Top 10, cross-site request forgery has climbed to fifth place in severity. The rise of social networking sites has created new ways for ordinary users to interact with web servers, and browsers now support AJAX to enhance this interactivity, but this also strengthens request forgery attacks. If an attacker launches a request forgery attack using AJAX, existing defense mechanisms can easily be defeated. This thesis proposes a lightweight defense mechanism against this new form of request forgery attack. The solution is designed around the behavioural characteristics of the attack; to reduce the load on the server side, it abandons the earlier approaches of string filtering or rewriting JavaScript and instead achieves protection by isolating user-supplied strings. Content within a web page is divided into trusted and untrusted; when that content issues a request (HTTP request) to the site, the request is tagged with the corresponding label so that the server side can judge from the label whether the request is dangerous. Finally, each isolated suspicious request is examined to see whether it has reached a server-provided service that holds private information, which determines whether the request is a request forgery attack. Website administrators can define detailed rules to achieve a more effective and precise defense. At the end of the thesis, we implement this concept and measure its performance to demonstrate the feasibility of the approach. | zh_TW
dc.description.abstract | Interactive websites are the current trend of the Internet, but they have also created another opportunity for cross-site request forgery (CSRF/XSRF). According to the OWASP 2010 Top 10 [1], CSRF was listed as one of the most serious web vulnerabilities. Unfortunately, current protection approaches are not suitable when a CSRF attack can use AJAX (Asynchronous JavaScript and XML) within the same website. This paper presents a light-weight CSRF protection approach by introducing quarantine and inspection of suspicious scripts on the server side. Instead of filtering and rewriting, our solution is based on a labeling mechanism that helps the web server distinguish malicious requests from harmless ones. Once the administrator of the website indicates the critical services, i.e. the services that contain sensitive data or privacy information about users, the labeling mechanism can prevent CSRF attacks effectively without changing user-created contents (UCC). At the end of this paper, we implement the proposed scheme and evaluate the performance of the implementation. | en_US
dc.language.iso | en_US | en_US
dc.subject | Cross-Site Request Forgery Attack | zh_TW
dc.subject | Request Forgery | zh_TW
dc.subject | Light-Weight Protection Mechanism | zh_TW
dc.subject | CSRF | en_US
dc.subject | XSRF | en_US
dc.subject | Web 2.0 | en_US
dc.subject | AJAX | en_US
dc.title | Lightweight Cross-Site Request Forgery Protection by Isolating User Content | zh_TW
dc.title | Light-Weight CSRF Protection by Labeling User-Created | en_US
dc.type | Thesis | en_US
dc.contributor.department | Institute of Computer Science and Engineering | zh_TW
Appears in Collections: Thesis


Files in This Item:

  1. 553301.pdf
