Author: 蔡忠宏
Author (English): Chung-Hung Tsai
Title: 一個Web應用程式的錯誤殖入測試平台設計
Title (English): The Design of a Software Testing Platform for Applying Fault Injection to Web Applications
Advisor: 黃世昆
Advisor (English): Shih-Kun Huang
Degree: Master's
Institution: 國立交通大學 (National Chiao Tung University)
Department: 資訊工程系 (Department of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2003
Academic year of graduation: 91 (ROC calendar, i.e. the 2002/2003 academic year)
Language: Chinese
Pages: 35
Keywords (Chinese, translated): Web application; software testing; fault injection; SQL injection (資料隱碼); security assessment
Keywords (English): Web Application; Software testing; Fault Injection; SQL Injection; Security assessment; Cross site scripting
Statistics:
  • Cited by: 3
  • Views: 192
  • Downloads: 33
  • Saved to "My Research Room" bibliography lists: 0
Abstract (Chinese, translated):
Design flaws in Web applications frequently cause system problems that take online services down, or give rise to network attacks such as SQL Injection and Cross-Site Scripting, causing losses for e-commerce companies and government agencies. To prevent such problems effectively, we propose a mechanism that automatically detects design flaws in Web applications, and we have implemented a testing platform for it.
The design of this testing platform is based on the method proposed in our WWW2003 paper "Web Application Security Assessment by Fault Injection and Behavior Monitoring", which applies Software Fault Injection, a software-engineering testing technique, to assess the security of Web applications and find potential security defects in a system. This master's thesis explores in greater depth the issues involved in applying Fault Injection to Web applications, chiefly the realization of automated testing and methods for improving testing efficiency, and we verify that these methods are indeed feasible and effective.

Abstract (English):
Web application flaws often cause system problems, such as SQL Injection and Cross-Site Scripting, and sometimes trouble e-business companies, governments and many end users. To prevent the trouble caused by Web application (WA) flaws, a feasible and effective flaw-detection mechanism is needed. In this thesis, we propose a novel automatic detection mechanism and discuss related issues in the design of an automatic testing platform.
The mechanism of the testing platform is based on our previous research presented at WWW2003, which applied a software-engineering technique, Software Fault Injection, to assessing Web application security. In this thesis, we discuss in depth the issues involved in applying Fault Injection to detect Web application flaws, including automatic Fault Injection and efficient Fault Injection. We also demonstrate that our method is feasible, effective and efficient.

Table of Contents
Abstract (Chinese) ... i
Abstract (English) ... ii
Acknowledgements ... iii
Table of Contents ... iv
List of Figures and Tables ... vi
Chapter 1 Introduction ... 1
1.1 Research Motivation ... 1
1.2 Background ... 1
Chapter 2 Related Work ... 4
2.1 Related Research on Web Application Testing ... 4
2.1.1 Automated Testing of Static Web Pages ... 4
2.1.2 Automated Testing of Dynamic Web Pages ... 4
2.1.3 Research Related to WA Security ... 4
Chapter 3 Fault Injection ... 6
3.1 Introduction to Fault Injection ... 6
3.1.1 Motivation for Fault Injection ... 6
3.2 Fault Injection in Computer Systems ... 6
3.2.1 Hardware Fault Injection ... 6
3.2.2 Software Fault Injection ... 7
Chapter 4 Design of the Mechanism ... 10
4.1 Introduction ... 10
4.2 Foundation of the Automated Testing Platform: the Crawler ... 11
4.3 Core of the Automated Testing Platform: IKM ... 11
4.4 Automatic Fault Injection ... 12
4.4.1 Parsing Mechanism for HTML Documents ... 12
4.4.2 Filling in Test Patterns ... 13
4.4.3 Difficulties of Description Extraction ... 15
4.4.4 Methods for Overcoming the Description Extraction Problem ... 16
4.4.5 Analysis of Injection Results ... 16
4.5 Efficient Fault Injection ... 17
4.5.1 Expanding Test Coverage ... 17
4.5.2 Form Complete ... 17
4.5.3 Smart Fault Injection ... 19
Chapter 5 Experiments ... 20
5.1 Experimental Goals ... 20
5.2 Execution of Fault Injection ... 20
5.3 Form Complete Capability ... 21
5.3.1 Effect of Semantic Rate on Form Complete ... 21
5.4 Test Coverage Expansion ... 22
5.5 Smart Fault Injection ... 24
Chapter 6 Conclusion ... 25
References ... 26

[1] C. Anley, "Advanced SQL Injection in SQL Server Applications", NGSSoftware Insight Security Research (NISR) Publication, 2002.
[2] Apache, "Cross Site Scripting Info", http://httpd.apache.org/info/css-security/
[3] M. Benedikt, J. Freire, P. Godefroid, "VeriWeb: Automatically Testing Dynamic Web Sites", In: Proceedings of the 11th International Conference on the World Wide Web, May 2002, Honolulu, Hawaii.
[4] H. Chen, D. Wagner, "MOPS: an Infrastructure for Examining Security Properties of Software", In: ACM Conference on Computer and Communications Security, Nov 2002, Washington, D.C.
[5] H. Madeira, D. Costa, M. Vieira, "On the Emulation of Software Faults by Software Fault Injection", In: International Conference on Dependable Systems and Networks (DSN 2000), 2000, New York, NY.
[6] J. Arlat, M. Aguera, L. Amat, Y. Crouzet, J.-C. Fabre, J.-C. Laprie, "Fault Injection for Dependability Validation: A Methodology and Some Applications", IEEE Transactions on Software Engineering, 16(2), pp. 166-182, 1990.
[7] J. Voas, "A Tutorial on Software Fault Injection", IEEE Spectrum, 2000.
[8] J. Voas, G. McGraw, L. Kassab, L. Voas, "Fault-Injection: A Crystal Ball for Software Quality", IEEE Computer, Vol. 30, No. 6, pp. 29-36, June 1997.
[9] J. Voas, G. McGraw, "Software Fault Injection: Inoculating Programs Against Errors", John Wiley & Sons, pp. 47-48, 1997.
[10] J. Voas, "Software Testability Measurement for Assertion Placement and Fault Localization", In: Proceedings of the 2nd International Workshop on Automated and Algorithmic Debugging (AADEBUG'95), St. Malo, France, May 1995.
[11] J. Voas, K. Miller, "Using Fault Injection to Assess Software Engineering Standards", In: Proceedings of the International Symposium on Software Engineering Standards, August 1995.
[12] U. Manber, M. Smith, B. Gopal, "WebGlimpse - Combining Browsing and Searching", In: Proceedings of the USENIX 1997 Annual Technical Conference, Jan 1997, Anaheim, California.
[13] M. K. Bergman, "DeepWeb White Paper", http://www.brightplanet.com/
[14] OWASP, "Open Web Application Security Project", http://www.owasp.org/
[15] S. Raghavan, H. Garcia-Molina, "Crawling the Hidden Web", In: Proceedings of the 27th VLDB Conference, Roma, Italy, Sep 2001, pp. 129-138.
[16] Rational, Inc., "UML", http://www.rational.com/uml/index.jsp
[17] F. Ricca, P. Tonella, "Analysis and Testing of Web Applications", In: Proceedings of the 23rd IEEE International Conference on Software Engineering, May 2001, Toronto, Canada.
[18] D. Scott, R. Sharp, "Abstracting Application-Level Web Security", In: The Eleventh International Conference on the World Wide Web, May 2002, Honolulu, Hawaii.
[19] Sebastien@ailleret.com, "Larbin - A Multi-Purpose Web Crawler".
[20] S. W. Liddle, D. W. Embley, D. T. Scott, S. H. Yau, "Extracting Data Behind Web Forms", In: Workshop on Conceptual Modeling Approaches for e-Business: A Web Service Perspective (eCOMO 2002).
[21] T. A. DeLong, A. K. Ghosh, B. W. Johnson, J. A., "Fault Injection for Logic Synthesis Design using VHDL", In: Mentor Users' Group Symposium, 12th Annual International Conference, October 23-27, 1995, Portland, OR.
[22] Tennyson Maxwell Information Systems, Inc., "Teleport Webspiders", http://www.tenmax.com/teleport/home.htm
[23] VeriSoft, http://www.bell-labs.com/projects/verisoft
[24] W3C, "DOM", http://www.w3.org/DOM/
[25] W3C, "LABEL", http://www.w3.org/TR/REC-html40/interact/Forms.html
[26] Y.-W. Huang, S.-K. Huang, T.-P. Lin, C.-H. Tsai, "Web Application Security Assessment by Fault Injection and Behavior Monitoring", In: The 13th International World Wide Web Conference, 2003, Budapest, Hungary.
