National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Detailed record

Student: 陳俊杰
Student (English): Jiun-Jie Chen
Thesis title: 開放式網站應用程式安全分析研究
Thesis title (English): The Analysis of Open Web Application Security
Advisor: 林詠章
Advisor (English): Iuon-Chang Lin
Committee members: 曹世昌, 鄭辰仰
Committee members (English): Shyh-Chang Tsaur, Chen-Yang Cheng
Oral defense date: 2017-07-12
Degree: Master's
Institution: 國立中興大學 (National Chung Hsing University)
Department: 資訊管理學系所 (Department of Management Information Systems)
Discipline: Computer science
Sub-discipline: General computer science
Thesis type: Academic thesis
Year of publication: 2017
Graduation academic year: 105 (ROC calendar)
Language: Chinese
Number of pages: 34
Keywords (Chinese): 網站資訊安全, OWASP, 弱點攻擊態樣, 弱點防護
Keywords (English): Web Application Security, OWASP, vulnerability attack patterns, vulnerability protection
Usage statistics:
  • Cited: 0
  • Views: 346
  • Rating: (none)
  • Downloads: 0
  • Bookmarked: 0
Abstract:
With the continued growth of the Internet, web applications have become increasingly diverse and complex. New technologies created to meet a wide range of needs, together with rapid software development practices, make it hard for developers to acquire sufficient knowledge of the security of both front-end and back-end applications; administrators, meanwhile, are often overwhelmed by attacks that exploit the many known and unknown vulnerabilities in web applications. Web application security has therefore become a major information-security problem. This study takes the ten most critical web application vulnerabilities published in the OWASP (Open Web Application Security Project) Top 10 2013 as its subject. It analyzes the attack patterns of these ten vulnerabilities by collecting and organizing the literature and by running experiments against test websites with attack tools, and then analyzes protection methods for each of the ten vulnerabilities. The aim is to give web developers multiple sources of reference for secure program design and to give web administrators information about vulnerability protection, so as to effectively reduce the risk of attacks by malicious hackers.
Table of contents:
Acknowledgements i
Abstract (Chinese) ii
Abstract (English) iii
Contents iv
Chapter 1 Introduction 1
Section 1 Research motivation and background 1
Section 2 Research objectives and scope 2
Section 3 Research structure 2
Chapter 2 Literature review 3
Section 1 Definition of web applications 3
Section 2 OWASP 2013 Top 10 vulnerabilities 3
Section 3 Test environment and tools 6
Chapter 3 Research method 12
Section 1 Attack patterns 12
Section 2 Analysis of attack patterns 20
Chapter 4 Results and analysis 21
Section 1 Protection methods 21
Section 2 Analysis of protection methods 30
Chapter 5 Conclusion 31
Section 1 Research conclusions 31
References 32
Chinese-language references
[1] Cisco. Cisco 2017 Annual Cybersecurity Report (思科2017年網路安全報告). https://www.cisco.com/c/dam/assets/m/zh_tw/security/security_2017acrreport_whitepaper_tc.pdf, accessed 2017/05/10
[2] Tseng HC-Y, Chia B, Juang T-Y (2015) Web Forensic Evidence of SQL Injection Analysis (針對SQL Injection攻擊鑑識之分析). International Journal of Science and Engineering 5(1):157-162. doi:10.6159/ijse.2015.(5-1).22
[3] TWNIC. 2016 Taiwan Broadband Internet Usage Survey Report (2016年台灣頻寬網路使用調查報告). https://www.twnic.net.tw/download/200307/20160922e.pdf, accessed 2017/5/10
[4] T客邦 (Techbang) / ifanr. Google improves its CAPTCHA verification mechanism (Google改進CAPTCHA驗證機制). http://www.techbang.com/posts/21308-google-updated-the-captcha-verification-mechanism-in-more-intelligent-ways-to-prove-youre-human, accessed 2017/4/15
[5] 行政院國家資通安全會報技術服務中心 (Technical Service Center, National Information and Communication Security Taskforce, Executive Yuan) (2016) Common recent system vulnerabilities in government agencies and remediation recommendations (政府機關近期常見系統弱點與補強建議). https://goo.gl/asRoon, accessed 2017/3/11
[6] 翁銘宏 (2014) Test case generation for web applications (網頁應用程式之測試案例繁衍). 臺灣大學 (National Taiwan University)
[7] 許振銘, 許登凱 (2014) Exploring the OWASP Top 10 mobile application threats through Android experimental cases (以Android實驗案例探討OWASP行動裝置應用程式之十大威脅). 資訊安全通訊 (Communications of the CCISA) 20(2):77-96
[8] 陳照明 (2015) Kali Linux penetration testing tools, 2nd edition (Kali Linux滲透測試工具(第二版)). 碁峰出版社 (GOTOP)
[9] 黃明祥, 林詠章, 周永振 (2017/01/01) Information and network security in practice (資訊與網路安全實務). 高立圖書
[10] 楊欣哲, 林裕倫 (2014) An Approach to Assessment Model and Metric Tool of Information Security in Designing EIP (企業資訊網站設計之資訊安全的評估模式與評量工具之研究). 資訊管理學報 (Journal of Information Management) 21(2):107-137
[11] 詹益璋 (2012) A study of campus web application security: the case of Tamkang University (校園網頁應用程式安全之研究-以淡江大學為例). 淡江大學 (Tamkang University)
[12] Wikipedia (2016) Web application (網路應用程式). https://zh.wikipedia.org/wiki/%E7%BD%91%E7%BB%9C%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F, accessed 2017/03/02
[13] 網智數位 (NetQna). FCKeditor attack techniques and protection recommendations (FCKEditor攻擊手法說明與防護建議). http://www.netqna.com/2014/03/fckeditor.html, accessed 2017/4/16
[14] 劉作仁, 洪光鈞, 羅允廷, 陳培德 (2011) Analysis and discussion of common vulnerabilities in Taiwanese websites (台灣網站常見弱點之分析與探討). In: 21st conference (第21屆) of 中華民國資訊安全學會 (Chinese Cryptology and Information Security Association), pp 368-374
[15] 盧芊慧 (2014) A SQL injection attack generation system across web programming language platforms (跨網頁語言平台之SQL Injection攻擊產生系統). 交通大學 (National Chiao Tung University)
[16] 錢鉦津 (2014) Security Levels between 2009 and 2014 Edition on OWASP Application Security Verification Standard (OWASP ASVS應用軟體安全性驗證標準之新舊安全性等級劃分). 品質月刊 (Quality Monthly) 50(9):7-10
[17] 謝孟峰 (2014) Forensic analysis of SQL injection attacks (針對SQL Injection攻擊鑑識之分析). 臺北大學 (National Taipei University)
[18] 趨勢科技 (Trend Micro). TrendLabs 2016 Annual Information Security Review (TrendLabs 2016 年資訊安全總評). http://www.trendmicro.tw/cloud-content/tw/pdfs/security-intelligence/reports/trendlabs_2016_annual_information_security_review.pdf, accessed 2017/4/20
English-language references
[19] A. K TK, Liu H, Thomas JP, Mylavarapu G (2015) Identifying Sensitive Data Items within Hadoop. In: 2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems, 24-26 Aug. 2015, pp 1308-1313. doi:10.1109/HPCC-CSS-ICESS.2015.293
[20] Alqahtani SS, Eghan EE, Rilling J (2016) SV-AF — A Security Vulnerability Analysis Framework. In: 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE), 23-27 Oct. 2016, pp 219-229. doi:10.1109/ISSRE.2016.12
[21] Aziz NA, Shamsuddin SNZ, Hassan NA (2016) Inculcating Secure Coding for beginners. In: 2016 International Conference on Informatics and Computing (ICIC), 28-29 Oct. 2016, pp 164-168. doi:10.1109/IAC.2016.7905709
[22] DVWA. Damn Vulnerable Web Application. http://www.dvwa.co.uk/, accessed 2017/02/05
[23] Eshete B, Villafiorita A, Weldemariam K (2011) Early Detection of Security Misconfiguration Vulnerabilities in Web Applications. In: 2011 Sixth International Conference on Availability, Reliability and Security, 22-26 Aug. 2011, pp 169-174. doi:10.1109/ARES.2011.31
[24] CVE (Common Vulnerabilities and Exposures). Search this CVE Website. https://cve.mitre.org/find/
[25] Farah T, Shojol M, Hassan M, Alam D (2016) Assessment of vulnerabilities of web applications of Bangladesh: A case study of XSS & CSRF. In: 2016 Sixth International Conference on Digital Information and Communication Technology and its Applications (DICTAP), 21-23 July 2016, pp 74-78. doi:10.1109/DICTAP.2016.7544004
[26] Guamán D, Guamán F, Jaramillo D, Sucunuta M (2017) Implementation of techniques and OWASP security recommendations to avoid SQL and XSS attacks using J2EE and WS-Security. In: 2017 12th Iberian Conference on Information Systems and Technologies (CISTI), 21-24 June 2017, pp 1-7. doi:10.23919/CISTI.2017.7975981
[27] Huang HC, Zhang ZK, Cheng HW, Shieh SW (2017) Web Application Security: Threats, Countermeasures, and Pitfalls. Computer 50(6):81-85. doi:10.1109/MC.2017.183
[28] Jiménez RELd (2016) Pentesting on web applications using ethical hacking. In: 2016 IEEE 36th Central American and Panama Convention (CONCAPAN XXXVI), 9-11 Nov. 2016, pp 1-6. doi:10.1109/CONCAPAN.2016.7942364
[29] Lin X, Zavarsky P, Ruhl R, Lindskog D (2009) Threat Modeling for CSRF Attacks. In: 2009 International Conference on Computational Science and Engineering, 29-31 Aug. 2009, pp 486-491. doi:10.1109/CSE.2009.372
[30] OWASP. Home. https://www.owasp.org/index.php/Main_Page, accessed 2017/02/05
[31] OWASP. Mutillidae II. https://sourceforge.net/projects/mutillidae/, accessed 2017/02/05
[32] OWASP. OWASP Top 10 2013 document. https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf, accessed 2017/02/05
[33] Salas MIP, Geus PLD, Martins E (2015) Security Testing Methodology for Evaluation of Web Services Robustness - Case: XML Injection. In: 2015 IEEE World Congress on Services, June 27-July 2 2015, pp 303-310. doi:10.1109/SERVICES.2015.53
[34] SriNithi D, Elavarasi G, Raj TFM, Sivaprakasam P (2014) Improving Web Application Security Using Penetration Testing. Research Journal of Applied Sciences, Engineering and Technology 8(5):658-663
[35] Sudhodanan A, Carbone R, Compagna L, Dolgin N, Armando A, Morelli U (2017) Large-Scale Analysis & Detection of Authentication Cross-Site Request Forgeries. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 26-28 April 2017, pp 350-365. doi:10.1109/EuroSP.2017.45
[36] Suju DA, Gandhi GM (2015) An automaton based approach for forestalling cross site scripting attacks in web application. In: 2015 Seventh International Conference on Advanced Computing (ICoAC), 15-17 Dec. 2015, pp 1-6. doi:10.1109/ICoAC.2015.7562786
[37] Wang CH, Zhou YS (2016) A New Cross-Site Scripting Detection Mechanism Integrated with HTML5 and CORS Properties by Using Browser Extensions. In: 2016 International Computer Symposium (ICS), 15-17 Dec. 2016, pp 264-269. doi:10.1109/ICS.2016.0060
[38] Xiao L, Matsumoto S, Ishikawa T, Sakurai K (2016) SQL Injection Attack Detection Method Using Expectation Criterion. In: 2016 Fourth International Symposium on Computing and Networking (CANDAR), 22-25 Nov. 2016, pp 649-654. doi:10.1109/CANDAR.2016.0116
[39] Zalbina MR, Septian TW, Stiawan D, Idris MY, Heryanto A, Budiarto R (2017) Payload recognition and detection of Cross Site Scripting attack. In: 2017 2nd International Conference on Anti-Cyber Crimes (ICACC), 26-27 March 2017, pp 172-176. doi:10.1109/Anti-Cybercrime.2017.7905285