一個Web 應用程式的錯誤殖入測試平台設計

Abstract

Web Application的設計缺失經常能引起系統問題，致使線上服務停擺，或是產生SQL Injection、Cross-Site Scripting..等網路攻擊的安全問題，而造成電子商務公司、政府機構的損失。為了能夠有效地預防這些問題的產生，因此我們提出了一個能自動化檢測Web Application設計缺失的機制並且實作了其測試平台。 而這個測試平台的設計理念則是基於我們於WWW2003會議所發表的論文” Web Application Security Assessment by Fault Injection and Behavior Monitoring”中所提出的方法，其利用了Software Fault Injection這種軟體工程的檢測技術來對於Web Application做安全評估，以找出系統中可能的安全缺陷。這篇碩士論文則將更深入的探討Web Application在套用 Fault Injection的相關議題，主要包括自動化測試的實現，以及提高測試效能的方法，同時我們將驗證這些方法確實是可行且有效的。

Since Web Application flaw always causes system problems, such as SQL Injection and Cross-Site Scripting, and sometimes perplex e-business companies, government and many end users. In order to prevent the trouble caused by WA flaw, we require feasible and effective flaw detecting mechanism. In this thesis, we propose a novel automatic detecting mechanism and discuss related issues on the design of automatic testing platform. The mechanism of testing platform is based on our previous research in WWW2003 that applied a software engineering technique- Software Fault Injection for assessing Web application security. In this thesis, we’ll intensively discuss the related issues on applying Fault Injection to detect Web application flaw, including automatic Fault Injection and efficient Fault Injection. And we also demonstrate our method is feasible, effective and efficient.