基於流量分析的自動化黑箱檢測網路應用程式跨站請求偽造漏洞方法

Abstract

跨站請求偽造，亦稱CSRF，即為一種網路攻擊類型，係指攻擊者欺騙受害者的網路瀏覽器，使其對含有漏洞之網路應用程式發送一個具有鑒權的HTTP請求，進而在未經受害者同意之情況下執行一項狀態改變的操作。自2000年代初期以來，CSRF漏洞長期被視為十大網路應用程式安全風險與二十五大軟體安全弱點之一。因近年CSRF漏洞的通報數據呈現上升趨勢，故網路應用程式CSRF漏洞之檢測方法越來越受到人們的關注。惟現存方法於檢測採用synchronizer token pattern技術、cookie-to-header技術與/或double submit cookie技術作為令牌式CSRF保護之網路應用程式潛在CSRF漏洞時，其等效能方面尚有提升空間，爰本論文對此提出方法透過流量分析既被動也語言獨立實現自動化黑箱檢測網路應用程式潛在CSRF漏洞予以改進，並且進行實驗加以佐證。

Cross-site request forgery, also known as CSRF, is a type of attack that occurs when an attacker tricks the victim's web browser into sending an authenticated HTTP request to a vulnerable web application, thereby executing a state-changing operation without the victim's consent. It has been regarded as one of the top 10 web application security risks and the top 25 software security weaknesses for a long period of time since its discovery in the early part of the 2000s. In recent years, the detection of CSRF vulnerabilities in web applications has gained increasing attention due to the upward trend in the number of CSRF vulnerabilities. Since existing approaches still have room for improvement in terms of their performance of the detection of potential CSRF vulnerabilities in web applications adopting the synchronizer token pattern technique, the cookie-to-header token technique, and/or the double submit cookie technique as token-based CSRF protection, we proposed a traffic-analysis approach being simultaneously automatic, black-box, passive, and language-independent to improve them that is proven with the experimental evidence.