Recently, a focus on software security has been turned to network attacks in a client terminal from network attacks in a server terminal. Cross site scripting (XSS) attacks are regarded as the main threat for the security of networking programs. The cross site scripting attacks usually happen by using security loopholes of a program and other network vulnerabilities to cause devastating results. Sometimes the cross site scripting attacks may be turned into a virus or a network worm that can be self-propagated, therefore causing more serious damage. For example, the website “Myspace” was attacked by a cross site scripting attack to cause an enormous number of clients to receive a degree of a million requests, and thereafter the website was forced to shut down in 2005. In 2009, the website “Twitter” was attacked by two cross site scripting attacks that caused a huge amount of client terminals to post praise articles for a worm. In 2010, the website “Apache Foundation” was attacked by a reflective cross site scripting attack through the website's program for question tracking purposes. In addition, on 28 Jun. 2011, a large scale of cross site scripting attack occurred on the website “Sina Weibo” that caused severe damage to its account security.
Since cross site scripting attacks were identified, people have started to study how to detect and further defend against them. The tools for detecting cross site scripting attacks are mainly classified as a centralized detecting tool and a client terminal detecting tool.
The centralized detecting tools generally are designed to attack a visiting link by sending a structured attacking string to a website, inserting the attaching string into the transferring parameters of a program, monitoring the related response, and determining whether the website has a security risk of a cross site scripting attack. If the attack strings appears in its original form in a response, it is confirmed that the program is vulnerable to cross site scripting attacks. However, there are a limited number of attacking strings that can be defined; so the method thereof cannot cover all kinds of attacking situations. Therefore, this method cannot fully detect all situations, and therefore has a low protecting efficiency. This method is used as a basic checking tool.
On the other hand, a client detecting tool is required to be installed in the client terminal by a user. This tool detects whether a risky function of an operating system is performed in interfaces of the user's operating system, and determines whether the client terminal is attacked by analyzing the calling of functions of the operating system. However, analyzing the calling of the functions of the operating system requires obtaining a relative permission, and this tool has to be installed on the client terminal. This results in high costs. Moreover, the tool focuses more on protection for a client terminal; so the protection in relation to the website is not enough. In addition, this tool cannot automatically notify the service providers who are vulnerable to solve or prevent the vulnerability.
Furthermore, the conventional tools for detecting cross site scripting attacks cannot monitor the clients' behaviors; so it is difficult to effectively obtain the attack sources. Therefore, the conventional tools cannot warn and notify users to trigger an automatic defense while the attacks are occurring.