
Automatic Generation of Penetration Test Cases for Web Applications (original title: 網頁應用程式滲透測試案例之自動化產生)

Advisor: 蔡益坤

Abstract (translated from the Chinese)


As Web applications flourish, their security becomes increasingly important. Many analysis tools can help programmers find security vulnerabilities in their programs, but each has strengths and weaknesses that depend on the analysis method it uses. Analysis methods fall roughly into two categories: static analysis, which examines the source code directly to find potential weaknesses, and dynamic analysis, which analyzes the program in its execution environment. To evaluate all possible states of a program, static analysis must represent them with abstraction techniques, which unavoidably introduces false positives into the results. The problem with dynamic analysis is that, when analyzing a running program, it is very hard to cover every path the program could execute, so its results are prone to false negatives. In general, a rigorous code review process requires experts to inspect the tool's results and rule out the false positives; this is very time-consuming, and the correctness of the judgment also depends on the expert's knowledge. The contribution of this thesis is to combine static analysis with dynamic testing to generate penetration test cases, and to confirm vulnerabilities by executing the generated test cases automatically, thereby reducing the number of reported vulnerabilities that experts must review. The main method is a breadth-first algorithm that, for each vulnerability, uses backward data-flow analysis to find every source from which the location of the vulnerability can be reached, collects the constraints along each path from a source to that location, appends an attack string appropriate to the vulnerability type, and finally uses a constraint solver to determine whether each path admits a feasible solution satisfying the collected constraints. If a feasible solution exists, an attacker can exploit the vulnerability along that path, and we generate a penetration test case from the solver's result. The test case is then executed by automated testing to confirm that a real attack scenario exists for the vulnerability the tool found. Overall, by integrating static analysis with dynamic testing to generate test cases, and by automatically demonstrating the attack scenario within the Web site's architecture to confirm the vulnerability, our approach gives auditors a more accurate detection result.

Abstract (English)


As our daily life increasingly relies on the Web, the security of Web applications has become more and more important. Quite a few analysis tools can help programmers find vulnerabilities in Web applications, but there is still much room for improvement. These tools can be roughly divided into two groups by their analysis approach: one uses static analysis, the other dynamic analysis. The biggest difference between the two is that static analysis does not execute the Web application when performing an analysis, whereas dynamic analysis does. Moreover, static analysis must rely on over-approximation techniques to evaluate the possible states of the program, which may introduce false positives into the analysis results. Dynamic analysis, on the other hand, has difficulty generating enough test cases at run time to cover all paths in the program, so its results usually contain false negatives because of the lower path coverage. In general, a rigorous code review process requires human experts to manually inspect the results produced by analysis tools, an essential but time-consuming and error-prone task. In this thesis, we propose an approach that combines static analysis and dynamic testing to confirm true vulnerabilities and hence reduce the number of vulnerabilities that human experts have to examine. We apply backward data-flow analysis to explore all executable paths leading to each reported vulnerability in the target program. While exploring the possible paths with a breadth-first search algorithm, our approach simultaneously collects constraint information along each path. Afterward, we append an attack pattern to the sink variable and generate test cases by using constraint solvers to solve the collected constraints. Furthermore, given a generated test case, we provide a Web-based testing facility that automatically executes the test case and confirms the existence of the vulnerability. On the whole, our approach integrates static analysis and dynamic testing to provide test case generation and Web-based test case execution, producing high-confidence results.
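The backward path exploration and constraint solving that both abstracts describe, as an added Python example that is not the thesis's own code: it walks a constructed toy control-flow graph (one input source, two guarded branches, one sink) breadth-first from the sink back to the source, collects the guards on each path, appends a placeholder attack pattern to the sink value, and uses an enumerating stand-in for the constraint solver to decide which paths admit a concrete test input.

```python
from collections import deque
from itertools import product

# Constructed toy control-flow graph (not the thesis's own data structures):
# each node has predecessors and an optional guard on the tainted input x.
# "src" reads user input; "sink" passes x to a sensitive call via two branches.
CFG = {
    "src":   {"preds": [],               "guard": None},
    "len":   {"preds": ["src"],          "guard": lambda x: len(x) <= 8},
    "digit": {"preds": ["src"],          "guard": lambda x: x.isdigit()},
    "join":  {"preds": ["len", "digit"], "guard": None},
    "sink":  {"preds": ["join"],         "guard": None},
}
SOURCES = {"src"}
ATTACK_PATTERN = "<inj>"  # placeholder for a vulnerability-type-specific pattern

def backward_paths(cfg, sink, sources):
    """Breadth-first backward walk from the sink to every source, returning
    (path, constraints) pairs where constraints are the guards met on the path."""
    results = []
    queue = deque([(sink, [sink], [])])
    while queue:
        node, path, cons = queue.popleft()
        guard = cfg[node]["guard"]
        if guard:
            cons = cons + [guard]
        if node in sources:
            results.append((list(reversed(path)), cons))
            continue
        for pred in cfg[node]["preds"]:
            if pred not in path:  # do not re-enter a node already on this path
                queue.append((pred, path + [pred], cons))
    return results

def solve(constraints, pattern, affixes=("", "1", "12")):
    """Toy stand-in for the constraint solver: the sink value must contain the
    attack pattern and every guard must hold. It enumerates a few prefix/suffix
    combinations; a real solver reasons over the constraints symbolically."""
    for pre, suf in product(affixes, repeat=2):
        candidate = pre + pattern + suf
        if all(c(candidate) for c in constraints):
            return candidate
    return None  # no input satisfies the path: a likely false positive

def generate_test_cases(cfg=CFG, sink="sink", sources=SOURCES):
    """Map each source-to-sink path to a concrete test input, or None when the
    collected constraints make the path infeasible."""
    return {" -> ".join(path): solve(cons, ATTACK_PATTERN)
            for path, cons in backward_paths(cfg, sink, sources)}
```

Calling `generate_test_cases()` yields a concrete input for the length-checked path and None for the numeric-only path, which is exactly the kind of reported-but-unreachable finding the solver step is meant to rule out before an expert sees it.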
