互動式 Web 程式測試與攻擊生成環境

Abstract

近年來，由於網頁程式的應用普及，服務越來越多樣化，架構越趨龐大、複雜，卻因開發人員的疏忽，造成服務系統缺失，如 Facebook 與 LINE 等大型服務都曾發生駭客入侵事件，在此威脅情況下，必須發展自動化找尋潛在攻擊威脅的工具。

本論文改善先前發展的網頁攻擊生成平台(簡稱 CRAXWeb)，簡化原本複雜且不易使用的流程，並重新設計架構，不單只能逐一測試，而能夠同時大量測試、完全自動化的測試平台，稱之為 CRAXWeb 2.0。本系統基於 Docker 環境，改良 S2E 符號執行環境，透過具有模擬 Javascript 程式的爬蟲程式，取得目標網頁的所有路徑、安插符號變數，經符號資料偵測系統，以偵測可能的弱點與進行攻擊生成。經改善測試流程後，原先半小時以上的環境建立，縮短五分鐘以內。探索的路徑與組合測試的效能改善，顯著減少測試次數。

Due to the popularity of Web applications in recent years, with the diverse service types, the architecture is getting complicated. However, due to the ignorance of developers, the services were developed with flaws. Some well-known services such as Facebook and LINE have security incidences due to the flawed services. Under this circumstance, the need for automatically finding potential vulnerabilities is critical.

This paper improves web exploit generation tool called CRAXWeb to CRAXWeb 2.0, by simplifying the complicated process of the original design and we refactor the system to test the applications concurrently with fully automation. Based on the Docker environment, we improve the S2E symbolic execution environment, by the web crawler with the capability of emulating the JavaScript to retrieve all the web pages and injection of symbolic variables. Afterwards, the paths are sent to a server which has symbolic data detector to identify potential vulnerabilities for exploit generation. We improve the testing process from halt an hour to less than five minutes. The testing time has been significantly reduced due to the new path exploration method and the use of combinatorial testing.