自動化網頁測試與攻擊產生

Abstract

在資訊科技發達的年代，人們透過網頁方便的瀏覽或取得豐富的網路資源，但在急促的開發腳步下，開發者在開發過程中往往容易忽略安全的考量，導致駭客們能透過開發者的粗心，非法地存取或破壞資源。為了減少與彌補這類的安全問題，在網頁安全的領域上，已有各種不同的方法嘗試去防止或找出這類問題。本論文嘗試扮演攻擊者的角色，以自動產生攻擊字串為目標，達到駭客手動攻擊的相同效果。相較於其他傳統的檢測方法，更能確定漏洞的存在與證明攻擊的可行性。這樣的自動產生過程主要是基於一種動態的軟體測試方法－符號執行(symbolic execution)。最後以此自動化過程，測試幾個開源的大型網頁應用程式，針對已知的漏洞進行實驗，能成功產生相對應的攻擊字串。

In the well-developed information age, people are easy to get the rich internet resource through web pages. However, in the rapid development process, developers often tend to ignore the security concern carelessly. This leads to access or destroy the resource illegally by hackers. In order to reduce and fix these types of security issues, various methods have been proposed and attempted to locate or prevent them in the field of web security. This thesis attempts to act as an attacker and exploit web applications directly. Our target is to automatically generate the attack string and reproduce the results, emulating the manual attack behavior. In contrast with other traditional detection and prevention methods, this thesis can certainly determine the presence of vulnerabilities and prove the feasibility of attacks. This automatic generation process is mainly based on a dynamic software testing method－symbolic execution. Finally, we have applied this automatic process to several known vulnerabilities on large-scale open source web applications, and generated the attack strings successfully.