Improving the Security of HTML5 Mobile Apps: Detection and Prevention of Code Injection Attacks
Updated 2024-08-28
This page hosts the paper "Detection and Prevention of Code Injection Attacks on HTML5-based Apps". As the security needs of mobile devices grow, HTML5 is widely used for mobile app development because it is portable across platforms. Web technology, however, lets data and code be mixed, which makes HTML5-based apps prone to code injection attacks that resemble cross-site scripting (XSS).

The authors first introduce a stealthier variant of this threat, the coding-based attack, in which the injected JavaScript is encoded into a form a human cannot read, so the malicious code runs without the user noticing anything odd in the data. To detect vulnerable apps they extract permissions, PhoneGap JavaScript framework functions and unsafe JavaScript APIs as features and compare nine machine learning classifiers on them; the reported precision is 95.3% at no more than two seconds per app, a large speed-up over the earlier static-analysis approach. For prevention, the paper proposes an improved access control model that limits the damage an injected script can do, and filters that strip JavaScript from data before it is displayed.

The paper thus exposes a new, hidden form of code injection and offers a practical detection and prevention framework for developers of HTML5-based mobile apps. Reading it helps in understanding the key techniques for protecting hybrid mobile applications and the user data they handle.
Detection and Prevention of Code Injection Attacks on HTML5-based Apps
Xi Xiao (a), Ruibo Yan (a), Runguo Ye (b), Qing Li (a), Sancheng Peng (c), Yong Jiang (a)
(a) Graduate School at Shenzhen, Tsinghua University, Shenzhen, China
(b) China Electronics Standardization Institute, Beijing, China
(c) School of Computer Science, Zhaoqing University, Zhaoqing, China
Email: xiaox@sz.tsinghua.edu.cn, yrb15@mails.tsinghua.edu.cn, wudi@isccc.gov.cn, li.qing@sz.tsinghua.edu.cn, psc346@aliyun.com, jiangy@sz.tsinghua.edu.cn
Abstract—Security on mobile devices is becoming increasingly important. HTML5 is widely used to develop mobile applications because of its portability across platforms. However, web technology allows data and code to be mixed together, so HTML5-based applications are prone to code injection attacks similar to XSS. In this paper we first introduce a more hidden type of code injection attack, the coding-based attack, in which the injected JavaScript code is encoded in a human-unreadable form. We then use machine learning classification algorithms to determine whether an app is vulnerable to code injection. Experimental results show that the precision of our detection method reaches 95.3%. Compared with the existing method, our approach is much faster in detection while its precision stays nearly unchanged. Furthermore, an improved access control model is proposed to mitigate the damage of the attack, and filters are adopted to remove JavaScript code from data in order to prevent it. The effectiveness and rationality of the approach have been validated through extensive simulations.
Keywords—code injection; classification algorithm; machine learning; access control model; filter
I. INTRODUCTION
Mobile devices are becoming increasingly popular, and many attackers have turned their attention to mobile applications (apps), so security on mobile devices matters more than ever [1,2]. HTML5 [3] is used widely because of its portability across platforms, and an increasing number of applications are developed with HTML5, CSS and JavaScript. Since middleware such as PhoneGap appeared, many developers have adopted HTML5 to build mobile applications with the same functions as native apps. In web technology, however, data and code may be mixed together, so HTML5-based apps can easily suffer from code injection attacks [4,5] that are similar to Cross-Site Scripting (XSS). HTML5 also introduces IndexedDB, which gives apps a client-side store for large structured datasets, so solving the security problems of HTML5-based apps also benefits the security of the large amounts of data they hold.
Among these middlewares PhoneGap is typical and widely used. It is a free and open source framework that lets developers create mobile apps for the platforms they care about with standardized web APIs [6]; through PhoneGap, code written with web technologies runs on multiple platforms. Since Android is open source and runs on a huge number of smartphones, this paper focuses on analyzing Android, but the idea can be extended to other platforms. The source code of PhoneGap has two parts: the JavaScript framework and the Java native framework. The Java native framework consists of a bridge part and a plugins part; it is written in the native language and accesses device resources such as contacts, SMS and the camera.
The code injection attack resembles XSS. XSS is a type of security vulnerability typically found in web applications: it enables attackers to inject client-side JavaScript code into web pages that are viewed by other users [7], and when those users view the pages the injected code is executed. Through XSS an attacker can collect information about the client environment, steal the user's cookies, redirect to other web pages and so on. XSS mostly occurs in web applications, whereas the code injection attacks discussed here occur in mobile applications: attackers inject malicious code into contacts, SMS messages, barcodes and the metadata of files. Once an application written with PhoneGap displays these data, the injected code is triggered. This is how code injection attacks happen.
The code injection attack was first proposed in [4], but there the JavaScript code is injected in plain text, so the injected code is not hidden and application users can recognize it easily. [5] presented a detection method that uses static analysis to find function call sequences, but its time complexity is very high: it takes 15.38 seconds on average to detect whether an app is vulnerable to the attack.
To solve the problems mentioned above, we first introduce coding-based code injection attacks, which encode the JavaScript code in a human-unreadable format. We then extract permissions, JavaScript functions of the PhoneGap JavaScript framework and unsafe JavaScript APIs as features, and use nine machine learning methods to classify whether an application is vulnerable. 578 normal apps and 408 vulnerable apps downloaded from Google Play serve as the experimental data. In the experimental results, our method costs no more than 2 seconds to detect one application and the precision reaches up to 95.3%. In addition, we improve an existing access control model to mitigate the damage. Filters are also adopted to remove the JavaScript
This work is supported by the NSFC projects (61202358, 61371078, 61379041), the National Basic Research Program of China (2012CB315803), the National High-Tech R&D Program of China (2014ZX03002004), the Research Fund for the Doctoral Program of Higher Education of China (20130002110051) and the Shenzhen Key Laboratory of Software Defined Networking.
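To make the feature-extraction step concrete, here is an added JavaScript example (not the paper's code) that turns an unpacked app into a fixed-length vector built from the three feature families the paper names: permissions, PhoneGap framework functions and unsafe JavaScript APIs. The specific permission, framework-function and sink lists, the rule that stands in for the trained classifier, and the two sample apps are assumptions made for illustration.

```javascript
// Added example: turning an unpacked HTML5/PhoneGap app into the kind of
// feature vector the paper feeds to its classifiers. Not the paper's code;
// the feature lists and the sample apps are assumptions.

// Android permissions that guard data an injected script could reach.
const PERMISSIONS = [
  "android.permission.READ_CONTACTS",
  "android.permission.READ_SMS",
  "android.permission.CAMERA",
  "android.permission.INTERNET",
];

// PhoneGap/Cordova JavaScript framework functions that hand device data to JS.
const PHONEGAP_FUNCS = [
  "navigator.contacts.find",
  "navigator.camera.getPicture",
  "cordova.plugins.barcodeScanner.scan",
  "resolveLocalFileSystemURL",
];

// Unsafe JavaScript APIs: sinks that turn a string into markup or code.
const UNSAFE_APIS = [
  ".innerHTML",
  "document.write(",
  "eval(",
  "new Function(",
  'setTimeout("',
  ".html(",
];

// Non-overlapping substring count, used for every counted feature below.
function countOccurrences(text, needle) {
  let count = 0;
  let from = 0;
  for (;;) {
    const i = text.indexOf(needle, from);
    if (i === -1) return count;
    count += 1;
    from = i + needle.length;
  }
}

// app = { manifest: contents of AndroidManifest.xml, js: concatenated app JavaScript }
function extractFeatures(app) {
  const permissions = PERMISSIONS.map((p) => (app.manifest.includes(p) ? 1 : 0));
  const frameworkCalls = PHONEGAP_FUNCS.map((f) => countOccurrences(app.js, f));
  const unsafeCalls = UNSAFE_APIS.map((a) => countOccurrences(app.js, a));
  return {
    names: [
      ...PERMISSIONS.map((p) => "perm:" + p.split(".").pop()),
      ...PHONEGAP_FUNCS.map((f) => "pg:" + f),
      ...UNSAFE_APIS.map((a) => "sink:" + a),
    ],
    vector: [...permissions, ...frameworkCalls, ...unsafeCalls],
  };
}

// Stand-in for the trained classifier (not reproduced here): flag an app when it
// both pulls device data through the framework and pushes strings into a
// code/markup sink. A real model learns such weights from the labelled apps.
function flagByRule(app) {
  const { vector } = extractFeatures(app);
  const pgStart = PERMISSIONS.length;
  const sinkStart = pgStart + PHONEGAP_FUNCS.length;
  const readsDeviceData = vector.slice(pgStart, sinkStart).some((n) => n > 0);
  const usesSink = vector.slice(sinkStart).some((n) => n > 0);
  return readsDeviceData && usesSink;
}

// Constructed sample apps: the same manifest excerpt, one JS file each.
const MANIFEST = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>`;

const vulnerableApp = {
  manifest: MANIFEST,
  js: `navigator.contacts.find(['displayName'], function (contacts) {
  var markup = '';
  for (var i = 0; i < contacts.length; i++) markup += '<li>' + contacts[i].displayName + '</li>';
  document.getElementById('list').innerHTML = markup;   // data becomes markup
}, onError, { multiple: true });`,
};

const benignApp = {
  manifest: MANIFEST,
  js: `navigator.contacts.find(['displayName'], function (contacts) {
  var list = document.getElementById('list');
  contacts.forEach(function (c) {
    var li = document.createElement('li');
    li.textContent = c.displayName;                     // data stays text
    list.appendChild(li);
  });
}, onError, { multiple: true });`,
};

console.log(extractFeatures(vulnerableApp).vector, flagByRule(vulnerableApp));
console.log(extractFeatures(benignApp).vector, flagByRule(benignApp));
```

Both sample apps request the same permissions and call the same framework function; only the sink features separate them, which is why a classifier over all three families can distinguish an app that renders device data as markup from one that renders it as text without executing either.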