Cross Site Scripting (XSS) is currently the most common attack type on the Internet. An attacker may attack a WEB site through XSS to obtain sensitive information (for example, user names and passwords) of a WEB site user, forge a user identity, etc. Thus, XSS is one of the attack types that most threaten the security of the WEB.
Currently, defense against an XSS attack is generally implemented in the following two manners:
1) Vulnerabilities on an access page are detected by a vulnerability scanning system: WEB crawlers set in the system collect all URLs on a WEB site, and the system constructs a special URL with an XSS attack attribute, initiates a detection request to each of the URLs on the WEB site in turn, and examines characters in the results returned by the WEB server to determine whether a vulnerability exists on the page. A WEB site administrator fixes the vulnerabilities on the WEB site according to the scanning results. However, in this manner a vulnerability detection request can only be constructed after the crawlers have analyzed URL character strings in a page text. In the era of WEB 2.0, a large number of scripts (JavaScript) are used on a WEB site to achieve dynamic effects. Together with the dynamic generation of URLs, this makes it very difficult for the crawlers to collect URLs, resulting in false negatives for uncollected URLs. The detection principle of vulnerability scanning is to perform attack detection by constructing an attack request and checking the response text. This type of static text detection method can only discover some relatively simple vulnerabilities. The vulnerability scanning system is a general-purpose scanning system, which discovers typical vulnerabilities in many web pages using preset rules. However, the vulnerability discovery methods used by attackers generally target specific services on a website and mine them in depth. Some unknown means may also be used in this process, which is beyond the reach of the vulnerability scanning system.
2) A Web Application Firewall (WAF) technology is adopted to detect vulnerabilities in a page access request. A technical person deploys one or more sets of WAF software and hardware systems in front of a WEB site. A page access request sent by a browser to a server needs to pass through the WAF systems first. The WAF systems detect characters in the request from the browser according to specific rules and determine whether an attack feature exists in the request. The WAF blocks a malicious request and allows a normal request to pass through. Disadvantages of this type of method include the following. A WAF is deployed in front of a WEB site to receive and forward all requests that are sent to the WEB site. Due to performance limits, a WAF is only able to check static text in requests sent to a WEB server according to rules; it is effective against attack types such as SQL injection and cross-site request forgery (CSRF), but ineffective against elaborately constructed XSS attack requests. The WAF can only detect characters in a page access request. If a website has been under a stored XSS attack before a WAF is deployed, damages resulting from the attack cannot be detected or defended against even if the WAF is deployed subsequently.
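The last limitation in 2) can be reproduced with a small model. The following is an added example, not part of the original text: the rule, the CommentSite class, the request lines and the marker string are all hypothetical and constructed for illustration. It shows a request-only character check blocking a new submission while content stored before deployment still reaches the browser, and, as an added point, that encoding the output at the site removes the stored script from the page.

```python
import html
import re
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Hypothetical request-side rule: a script tag in the decoded request text.
REQUEST_RULE = re.compile(r"<\s*script\b", re.IGNORECASE)

def waf_allows(request_line, body=""):
    """Character check on the request only, as the WAF in the text does."""
    return REQUEST_RULE.search(unquote_plus(request_line + "\n" + body)) is None

class CommentSite:
    """Toy site: stores comments; echoes them raw unless escape_output is set."""
    def __init__(self, escape_output=False):
        self.comments = []
        self.escape_output = escape_output

    def handle(self, request_line, body=""):
        if request_line.startswith("POST /comment"):
            self.comments.append(parse_qs(body)["text"][0])
            return "stored"
        items = (html.escape(c) if self.escape_output else c for c in self.comments)
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"

def serve(site, request_line, body="", waf_deployed=True):
    """Return the site's response, or None when the WAF blocks the request."""
    if waf_deployed and not waf_allows(request_line, body):
        return None
    return site.handle(request_line, body)

MARKER = "<script>/* constructed marker */</script>"  # constructed sample input
POST = ("POST /comment HTTP/1.1", "text=" + quote_plus(MARKER))

def run_scenario(escape_output=False):
    """Return (new submission blocked, stored marker present in served page)."""
    site = CommentSite(escape_output)
    serve(site, *POST, waf_deployed=False)        # stored before the WAF exists
    blocked_now = serve(site, *POST) is None      # same request after deployment
    page = serve(site, "GET /comments HTTP/1.1")  # ordinary view: nothing to match
    return blocked_now, page is not None and MARKER in page

if __name__ == "__main__":
    print("raw output:    ", run_scenario())                    # (True, True)
    print("escaped output:", run_scenario(escape_output=True))  # (True, False)
```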