Cross site scripting(XSS)is one of the most popular Web application attacks. Django as the relatively hot Web application development framework has no effective defense XSS function for Web application. In this paper,we use a variety of technologies such as middleware,black and white list, SBT,character entropy and N-gram to design a XSS defense component for Django. The components were tested for functionality and performance.The false negative rate and false alarm rate are less than 3%. The average response delay of 5%.It can effectively solve the original Django in XSS protection relies on the template variables and adapt to the rich text application scene.The system is safe and reliable.%跨站脚本攻击(XSS)是当前最流行的Web应用攻击方式之一,而Django作为目前比较火热的Web应用开发框架,并没有为其开发的Web应用提供有效的XSS防御功能.本文针对此问题,采用中间件,黑白名单,SBT,字符熵以及N-gram等多种技术,为Django设计了一个XSS防御组件.基于该组件分别进行了功能及性能测试,其中漏报率和误报率都低于3%,平均响应延迟5%,并能有效解决原生Django在XSS防护时过分依赖模板变量且不能适应富文本应用场景等问题,系统安全可靠.
展开▼