多樣化 Web 程式攻擊生成方法

Abstract

隨著萬物互聯與多元化線上服務的發展趨勢，網頁應用程式的需求也與日俱增。然而，大多數的軟體都存在可能影響安全性的嚴重漏洞。軟體弱點的揭發常常引起使用者與開發者的恐慌。軟體的漏洞檢測不易，開發者經常是透過使用者回報錯誤訊息或是透過第三方漏洞揭露才能得知問題。在本篇論文中，延續符號化執行（Symbolic Execution）網頁攻擊框架 – CRAXWeb，提出利用追蹤網頁應用程式執行位址與檢測符號化變數的方式，達到更多種網頁攻擊型態偵測的目標。使用者可透過撰寫 Python 腳本選擇偵測的攻擊型態，動態控制系統的偵測目標。相較於先前的系統和其他同為採用符號化執行的網頁檢測系統，更增進了攻擊型態多樣化與系統使用彈性。此框架以數種開源的大型網頁應用程式及CTF（Capture The Flag）比賽題目為測試目標，已能偵測多種型態的攻擊。

With the thriving of The Internet of Everything (IoE) and diversified online services, there is an increasing demand for web applications. However, most web applications have critical bugs affecting their security. The exposure of software vulnerabilities always causes damage to not only the web programmers but also the users. It is not easy for the programmers to figure out the potential vulnerabilities in their applications before release. They often notice the hidden defect by the feedback from users or the risk exposure from third parties. In this paper, we implement a detection method for multiple vulnerability types of detection for web applications, by extending the former web attack generation framework called CRAXWeb. Based on the technique of symbolic execution, our work tracks the address of program instruction and checks the arguments of dangerous functions to discover different types of web vulnerabilities. Compared to the former framework and the other analysis tools that also use symbolic execution, our work supports more types of web attacks and improve the system flexibility for users. We have evaluated our solution by applying this detecting process to several known vulnerabilities on open-source web applications and problems of CTF (Capture The Flag), and detected various types of web attacks successfully.