National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Detailed record
Author: 曾信田
Author (English): Hsin-Tien Tseng
Title: 自動化網頁滲透測試系統之設計與實作
Title (English): Design and Implementation of Automatic Web-Pages Penetration Testing System
Advisor: 吳宗成
Advisor (English): Tzong-Chen Wu
Committee member: 吳宗成
Oral defense date: 2012-01-12
Degree: Master
Institution: National Taiwan University of Science and Technology (國立臺灣科技大學)
Department: Information Management (資訊管理系)
Discipline: Computer Science
Sub-discipline: General Computer Science
Document type: Academic thesis
Year of publication: 2012
Graduation academic year: 100
Language: Chinese
Pages: 71
Chinese keywords: 網頁弱點, 滲透測試, 黑箱測試, 自動化
English keywords: web vulnerability, penetration, black-box testing, automatic
Statistics:
  • Cited: 0
  • Views: 496
  • Rating: (none)
  • Downloads: 0
  • Bookmarked: 0
With the spread of the Internet, the online world has become an indispensable part of people's lives. As hacker techniques and network security incidents continue to grow, network security issues receive ever more attention, and techniques for ensuring and auditing the network security of individuals and companies are continually being published. Among the many network security and auditing techniques, penetration testing is a security testing technique commonly used to examine networked information systems. In penetration testing, a professional and trusted third-party information security team applies a variety of network attack techniques to the information systems designated by the client in order to find their security weaknesses, and thereby assesses the security risks hidden in those systems.
This study deploys an automated web penetration testing system within the network architecture in a distributed manner. As a result, penetration testers only need to operate a web browser to carry out web penetration testing tasks. Because the testing tasks are dispatched over the network to remote servers and executed by the web penetration testing system there, the tester's own computer is not overloaded during testing; when a penetration task finishes, the system automatically generates a penetration test report for the tester to read and analyze; and the number of networked information systems that can be tested at the same time grows as distributed resources are added.
The Internet has become part of everyday life for most people. A growing number of computer breach incidents have made people aware of information security. While hackers keep improving their attack techniques, protecting digital information and systems has become a critical issue for everyone.
To secure the network environment, computer security auditing is usually the baseline protection for many enterprises. From a technical perspective, penetration testing is the most effective approach among these auditing processes and methodologies. It is a highly technical approach to inspecting and assuring the security of a network environment. Penetration testing is usually performed by a third party's professional service: trusted security experts simulate attacks against target systems in order to discover potential vulnerabilities and evaluate the enterprise's security risks.
This thesis proposes a distributed architecture and methodology to improve the performance of penetration testing and to solve the overloading problem of the attacking system. Attack agents are deployed at different places in the network, and the system provides a web interface for penetration testers. When a tester issues a command from the UI, the system automatically dispatches attack commands to the distributed agents, and these agents perform attacks against different targets at the same time.
Based on this design, the processing load is shared, which also removes the performance bottleneck on the attack server. The design further supports large-scale penetration testing across the different areas and branches of a large enterprise; with agents deployed locally, network traffic can be minimized. After performing the attacks, the system collects logs and results from the agents and produces a well-formatted report.
Chinese Abstract
Abstract
Chapter 1 Introduction
Chapter 2 Literature Review
2.1 Terminology
2.2 International Penetration Testing Standards
2.3 Penetration Testing Tools
2.4 References on Automated Penetration Testing
Chapter 3 Proposed Method
3.1 System Roles
3.2 System Operation Flow
3.3 Module Architecture
3.4 Module Flow
3.5 Module Implementation
Chapter 4 Testing and Result Analysis
4.1 OWASP Top 10 2010 Tests
4.2 CVE Web Vulnerability Tests
Chapter 5 Conclusion and Future Work
References
Appendix A Chinese-English Glossary of Key Terms