標題: CRAXweb: Automatic Web Application Testing and Attack Generation
作者: Huang, Shih-Kun
Lu, Han-Lin
Leong, Wai-Meng
Liu, Huan
資訊技術服務中心
Information Technology Services Center
關鍵字: Web security;Symbolic execution;Automatic exploit generation
公開日期: 2013
摘要: This paper proposes to test web applications and generate the feasible exploits automatically, including cross-site scripting and SQL injection attacks. We test the web applications with initial random inputs by detecting symbolic queries to SQL servers or symbolic responses to HTTP servers. After symbolic outputs detected, we are able to generate attack strings and reproduce the results, emulating the manual attack behavior. In contrast with other traditional detection and prevention methods, we can determine the presence of vulnerabilities and prove the feasibility of attacks. This automatic generation process is based on a dynamic software testing method-symbolic execution by (SE)-E-2. We have applied this automatic process to several known vulnerabilities on large-scale open source web applications, and generated the attack strings successfully. Our method is web platform independent, covering PHP, JSP, Rails, and Django due to the supports of the whole system environment of (SE)-E-2.
URI: http://hdl.handle.net/11536/23083
http://dx.doi.org/10.1109/SERE.2013.26
ISBN: 978-0-7695-5021-3
DOI: 10.1109/SERE.2013.26
期刊: 2013 IEEE 7TH INTERNATIONAL CONFERENCE ON SOFTWARE SECURITY AND RELIABILITY (SERE)
起始頁: 208
結束頁: 217
顯示於類別:會議論文


文件中的檔案:

  1. 000327102200027.pdf

若為 zip 檔案,請下載檔案解壓縮後,用瀏覽器開啟資料夾中的 index.html 瀏覽全文。