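With the spread of the Internet and the growth of web applications, web applications have become part of people's daily lives, and web security is therefore receiving more and more attention. In recent years, attacks targeting web applications have increased year by year. Many web applications lack input validation, which gives rise to many security vulnerabilities based on this weakness, known as injection attacks; well-known examples are SQL injection and cross-site scripting (XSS). Although most of these vulnerabilities can be avoided, developers lack web security awareness, so many web applications with injection vulnerabilities still exist on the Internet, and these web applications are vulnerable. This thesis implements an automated injection attack vulnerability scanner. To this end, we built a system that automatically scans for injection attack vulnerabilities; our system analyzes a web site and finds where its injection vulnerabilities exist. At the end of this thesis, we verify our system with 7 real-world web applications from the National Vulnerability Database [14].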
As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. Recent years have shown a significant increase in the number of web-based attacks. Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper implements an automated vulnerability scanner for injection attacks. To this end, we implemented a system that automatically scans for injection attack vulnerabilities. Our system automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. It was able to find many potentially vulnerable web sites. We picked 7 web sites with identified vulnerabilities from the National Vulnerability Database [14] to verify our system.