網路應用程式之繞穿安全檢測

Abstract

網路應用程式安全檢測中，輸入檢驗測試包含了許多網路應用程式的重大漏洞，如SQL隱碼攻擊 (SQL Injection)、跨網站指令碼 (Cross-site Scripting)等。為了避免因這些漏洞受到攻擊，網路應用程式需針對使用者所輸入的資料做檢驗與處理。現今已有若干自動化的掃描工具可供弱點掃描之用，如OWASP Zed Attack Proxy (ZAP)以及w3af。然而，當網路應用程式已經擁有過濾函式或部署網路應用程式防火牆時，這些掃描工具發現漏洞的機會將隨之大幅減低。目前雖已有研究發現，利用各式繞過技巧來進行檢測能更有機會繞過這些保護機制並找到漏洞，且組合這些繞過技巧亦可能產生新的攻擊。但實際上在結合這些繞過技巧時，若是窮舉其至少以N^2成長的可能攻擊組合，將造成嚴重的效率低落，不但耗費系統資源，亦浪費大量寶貴的網路頻寬。同時，前述的工具亦未考慮繞過技巧在各系統間的差異，以及依據系統差異所衍生的其他繞過技巧。在本研究中，我們說明了這些繞過技巧之間具有衝突關係以及使用順序上的相互關係，因此基於繞過技巧分類以及目標資訊收集等方法，本研究在組合繞過技巧時可引入上述二種相互關係，此舉可大量減少無效的排列組合。例如彼此互相衝突的技巧不會被搭配使用，也可避免因使用順序錯誤造成無效的嘗試，同時本研究亦考慮了僅針對特定系統生效的特殊繞過技巧。最後關於實驗的部分，我們的測試工具已用來檢測過許多實際上線服務，和已具備保護機制的網路應用程式。相較於其他開源的自動化掃描工具，在合理的網路與系統資源消耗之下，本研究能比前述的系統找到更多的漏洞。

Input validation testing includes major vulnerabilities in web applications such as SQL injection, Cross-site scripting. In order to prevent attacks targeting these vulnerabilities, web applications should validate and sanitize user’s inputs before using them. Nowadays, several security scanners, such as OWASP Zed Attack Proxy (ZAP) and w3af, were proposed for vulnerability assessment. However, it is hard to find remained vulnerabilities by using these kinds of scanner when a website has been protected by WAFs (web application firewalls) or filters. Previous work found that it has more chance to circumvent the WAF with evasion techniques, and also the combinations of these evasion techniques can generate new attacks. When we generate these possible combinations exhaustively in growth rate of N2, it is inefficient and cost a lot of system and network resource usages. Also they didn’t consider the difference in evasion techniques between different systems, and the evasion techniques which is works on specific system. In this research, the conflict-relation and order-relation are clarified between evasion techniques. Based on the classification of evasion techniques and information gathering, we use them when we combined the evasion techniques and this makes efficient pruning of unnecessary combination possible. For example, the conflict techniques will not be used together and we don’t need to test the combination with wrong order. Also we considered the difference between evasion techniques in different systems. Finally, our framework has been used to evaluate various web applications, which are actually on-line in the real Internet. Compared with other open-source scanners, more vulnerabilities are located without unreasonably increase of system and network resource usages.