National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Author: 高志忠
Author (English): Chih-Chung Kao
Title: Design and Implementation of a Web Application Vulnerability Detection Platform (網站應用程式弱點檢測平台設計與實作)
Title (English): Design and implement for Web application vulnerabilities detection platform
Advisor: 李忠憲
Advisor (English): Jung-Shian Li
Degree: Master's
Institution: National Cheng Kung University (國立成功大學)
Department: Department of Electrical Engineering (special program)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2012
Academic year of graduation: 100
Language: Chinese
Pages: 95
Keywords (Chinese): web application vulnerabilities; web application vulnerability detection platform; information security
Keywords (English): Web Application Vulnerability; Web Application Vulnerabilities Detection Platform; Information Security
The vigorous growth of the Internet has brought many conveniences to daily life, but if program developers and website administrators neglect the security of their web applications, a site may be attacked through its vulnerabilities and suffer considerable losses. To improve website security, administrators mostly rely on vulnerability scanning tools, but unskilled operation of these tools can cause vulnerabilities to be misjudged, producing false positives. Most tool users are also unable to resolve these false positives, which creates problems in the subsequent remediation.

This thesis independently develops a web application vulnerability detection platform suited to large websites and improves on the architecture of existing detection tools: the platform's scale and performance can be adjusted to the resources available at deployment time, and the detection time can be greatly reduced. The thesis proposes six methods for determining web application vulnerabilities, which lower the false-positive rate of existing detection tools and reduce the remediation problems that false positives cause.

The Internet has developed so vigorously that it has brought a great deal of convenience to people's lives. However, if web application developers and website administrators do not pay attention to the security of their web applications, the website might be attacked through its vulnerabilities, bringing a series of losses. To enhance the security of a website, administrators can find its vulnerabilities with a vulnerability scanner. But the scanner may misjudge vulnerabilities when its users are not proficient in operating it. Most users are unable to resolve these misjudgments, which leads to subsequent remediation problems.

In this thesis we independently develop a web application vulnerability detection platform that is suited to large-scale websites and that also improves on the present scanner framework. It can change the scale and efficiency of the detection platform according to the available resources, and it greatly reduces scanning time. The thesis also proposes six common ways to judge web application vulnerabilities, which improve on the misjudgment rate of present scanners and reduce the remediation problems that result from vulnerability misjudgment.

Table of Contents
Chinese Abstract I
Abstract II
Acknowledgements III
Table of Contents IV
List of Tables VI
List of Figures VII
Chapter 1 Introduction 1
Section 1 Research Motivation 2
Section 2 Contributions of the Thesis 2
Section 3 Organization of the Thesis 3
Chapter 2 Literature Review 5
Section 1 Hypertext Transfer Protocol 5
Section 2 Web Application Vulnerabilities 13
Section 3 Research on Related Detection Tools 26
Chapter 3 Our Approach 37
Section 1 Multitasking and Scalable Detection Architecture 37
Section 2 Vulnerability Detection Process and Methods 41
Chapter 4 Detection Platform Development and Deployment 61
Section 1 Overview of the Detection Platform 61
Section 2 Development Architecture of the Detection Platform 62
Section 3 Deployment of the Detection Platform 78
Chapter 5 Experimental Results and Discussion 81
Section 1 Experiment Description 81
Section 2 Analysis of Detection Time 82
Section 3 Analysis of Detection Results 82
Section 4 Discussion of the Experiments 88
Chapter 6 Conclusions and Future Work 90
References 91
