As network applications continue to flourish, the number of network attacks has also increased significantly. According to the OWASP Top 10 report released in 2021, injection attacks are among the top three most common vulnerabilities found in software projects. Akamai Technologies operates one of the largest distributed computing platforms in the world, carrying 15-30% of the world's Internet traffic. According to Akamai's report, SQL injection attacks accounted for 65.1% of web attacks between November 2019 and March 2021. The report also shows that other types of web attacks, such as cross-site scripting (XSS), local file inclusion (LFI), and PHP injection, have been increasing in number, but none of them is growing as fast as SQL injection. In this environment, the difficulty and workload of software testing keep rising. To support rapid development processes, such as the newer software development method of agile development, we envision a software testing tool: when a tester submits a version of the software under test along with its information, the tool determines a tailor-made set of defense functions for that particular software, thereby improving the efficiency of the testing process. After the test completes, the tool feeds the results back to adjust the defense strength vector for later tests. The testing method in this paper is designed around this core concept of using the results of the previous test to improve the efficiency of the next one.