Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/84733

Full metadata record

| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 王凡 | zh_TW |
| dc.contributor.advisor | Farn Wang | en |
| dc.contributor.author | 劉俊强 | zh_TW |
| dc.contributor.author | Chun-Chiang Liu | en |
| dc.date.accessioned | 2023-03-19T22:22:50Z | - |
| dc.date.available | 2023-11-10 | - |
| dc.date.copyright | 2022-09-12 | - |
| dc.date.issued | 2022 | - |
| dc.date.submitted | 2002-01-01 | - |
| dc.identifier.citation | [1] W. Du. (2019). Computer & Internet Security: A Hands-on Approach. Createspace Independent Pub. ISBN 978-1-7330-0393-3. [2] A. Hoffman. (2020). Web Application Security: Exploitation and Countermeasures for Modern Web Applications. O'Reilly Media. ISBN 978-1-4920-5311-8. [3] J. Andress. (2019). Foundations of Information Security: A Straightforward Introduction. ISBN 978-1-7185-0004-4. [4] OWASP. (2016). OWASP Top Ten. OWASP. https://owasp.org/www-project-top-ten/ [5] MITRE. (2022). CWE Top 25. MITRE. https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html [6] A. Barth, C. Jackson, and J. C. Mitchell. (2008). Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 75-88. ACM. ISBN 978-1-5959-3810-7. [7] R. D. Kombade and B. B. Meshram. (2012). CSRF vulnerabilities and defensive techniques. International Journal of Computer Network and Information Security, 4(1), 31-37. ISSN 2074-9090. [8] P. Yadav and C. D. Parekha. (2017). A Report on CSRF Security Challenges & Prevention Techniques. In 2017 International Conference on Innovations in Information, Embedded and Communication Systems, pages 1-4. IEEE. ISBN 978-1-5090-3295-2. [9] P. Kour. (2020). A Study on Cross-Site Request Forgery Attack and its Prevention Measures. International Journal of Advanced Networking and Applications, 12(2), 4561-4566. ISSN 0975-0290. [10] X. Likaj, S. Khodayari, and G. Pellegrino. (2021). Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. In 24th International Symposium on Research in Attacks, Intrusions and Defenses, pages 370-385. ACM. ISBN 978-1-4503-9058-3. [11] OWASP. (2022). Cross-Site Request Forgery Prevention Cheat Sheet. OWASP. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html [12] B. Myers. (2021). What is Cross-Site Request Forgery (CSRF)?. StackHawk. https://www.stackhawk.com/blog/what-is-cross-site-request-forgery-csrf/ [13] D. Wilson. (2021). Express.js Documentation: CSRF Protection. Express.js Community. http://expressjs.com/en/resources/middleware/csurf.html [14] R. Keith-Magee. (2022). Django Documentation: CSRF Protection. Django Community. https://docs.djangoproject.com/en/4.0/ref/csrf/ [15] R. Winch. (2021). Spring Documentation: CSRF Protection. VMware. https://docs.spring.io/spring-security/reference/features/exploits/csrf.html [16] T. Otwell. (2022). Laravel Documentation: CSRF Protection. Laravel Community. https://laravel.com/docs/9.x/csrf [17] F. Hasan, R. Anderson, and S. Smith. (2022). ASP.NET Core Documentation: CSRF Protection. Microsoft. https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-6.0 [18] M. Rocchetto, M. Ochoa, and M. T. Dashti. (2014). Model-based Detection of CSRF. IFIP Advances in Information and Communication Technology, 428, 30-43. ISSN 1868-4238. [19] S. Calzavara, M. Conti, R. Focardi, A. Rabitti, and G. Tolomei. (2019). Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities. In 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pages 528-543. IEEE. ISBN 978-1-7281-1149-0. [20] G. Pellegrino, M. Johns, S. Koch, M. Backes, and C. Rossow. (2017). Deemon: Detecting CSRF with dynamic analysis and property graphs. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1757-1771. ACM. ISBN 978-1-4503-4946-8. [21] S. Sadeghi and M. A. Hadavi. (2021). Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications. Journal of Computing and Security, 8(1), 19-32. ISSN 2322-4460. [22] M. Meucci and A. Muller. (2014). OWASP Testing Guide v4. OWASP. [23] OWASP. (2022). OWASP ZAP Documentation. OWASP. https://www.zaproxy.org/docs/ [24] S. Rahalkar. (2020). A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities. Apress. ISBN 978-1-4842-6401-0. [25] PortSwigger. (2022). PortSwigger Burp Suite Documentation. PortSwigger. https://portswigger.net/burp/documentation [26] G. R. Chaudhari and M. V. Vaidya. (2014). A Survey on Security and Vulnerabilities of Web Application. International Journal of Computer Science and Information Technologies, 5(2), 1856-1860. ISSN 0975-9646. [27] S. Rafique, M. Humayun, B. Hamid, A. Abbas, M. Akhtar, and K. Iqbal. (2015). Web application security vulnerabilities detection approaches: A systematic mapping study. In 2015 IEEE/ACIS 16th International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, pages 469-474. IEEE. ISBN 978-1-4799-8676-7. | - |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/84733 | - |
| dc.description.abstract | Cross-site request forgery, also known as CSRF, is a type of web attack in which an attacker deceives the victim's web browser into sending an authenticated HTTP request to a vulnerable web application, thereby performing a state-changing operation without the victim's consent. Since the early 2000s, CSRF vulnerabilities have long been regarded as one of the top ten web application security risks and one of the top twenty-five software security weaknesses. Because reported CSRF vulnerabilities have trended upward in recent years, methods for detecting CSRF vulnerabilities in web applications have attracted growing attention. However, existing methods still have room to improve their performance when detecting potential CSRF vulnerabilities in web applications that adopt the synchronizer token pattern technique, the cookie-to-header token technique, and/or the double submit cookie technique as token-based CSRF protection. This thesis therefore proposes a method that improves on them: an automated black-box detection of potential CSRF vulnerabilities in web applications through traffic analysis that is both passive and language-independent, supported by experiments. | zh_TW |
| dc.description.abstract | Cross-site request forgery, also known as CSRF, is a type of attack that occurs when an attacker tricks the victim's web browser into sending an authenticated HTTP request to a vulnerable web application, thereby executing a state-changing operation without the victim's consent. It has been regarded as one of the top 10 web application security risks and one of the top 25 software security weaknesses for a long time since its discovery in the early 2000s. In recent years, the detection of CSRF vulnerabilities in web applications has gained increasing attention due to the upward trend in the number of CSRF vulnerabilities. Since existing approaches still have room for improvement in their performance when detecting potential CSRF vulnerabilities in web applications that adopt the synchronizer token pattern technique, the cookie-to-header token technique, and/or the double submit cookie technique as token-based CSRF protection, we propose a traffic-analysis approach that is simultaneously automatic, black-box, passive, and language-independent to improve on them, and support it with experimental evidence. | en |
| dc.description.provenance | Made available in DSpace on 2023-03-19T22:22:50Z (GMT). No. of bitstreams: 1 U0001-0609202214280300.pdf: 2791067 bytes, checksum: a4aecb87422fefb56e39b548224fc4cb (MD5) Previous issue date: 2022 | en |
| dc.description.provenance | Item reinstated by admin ntu (admin@lib.ntu.edu.tw) on 2023-06-20T03:31:50Z Item was in collections: 電機工程學系 (ID: 1c1c5c41-70be-41d2-9d08-6256e0538c45) No. of bitstreams: 1 ntu-110-2.pdf: 2791285 bytes, checksum: 76cdf9fd4c39eafc72462500546f7857 (MD5) | en |
| dc.description.tableofcontents | Oral Examination Committee Approval i Acknowledgements ii Chinese Abstract iii ABSTRACT iv CONTENTS v LIST OF FIGURES viii LIST OF TABLES x Chapter 1 Introduction 1 1.1 Background 1 1.2 Motivation 4 1.3 Contributions 6 1.4 Organization 6 Chapter 2 Related Work 8 2.1 Industrial Innovations 8 2.1.1 OWASP ZAP 8 2.1.2 PortSwigger Burp Suite 9 2.2 Academic Research 10 Chapter 3 Preliminaries 12 3.1 Web Application Security 12 3.2 Web Application Vulnerability 12 3.3 CSRF 12 3.4 Token-Based Defenses against CSRF Attacks 13 3.4.1 Synchronizer Token Pattern Technique 13 3.4.2 Cookie-to-Header Token Technique 13 3.4.3 Double Submit Cookie Technique 14 3.5 Non-Token-Based Defenses against CSRF Attacks 14 Chapter 4 Methodology 15 4.1 Detect Potential CSRF Vulnerabilities 15 4.2 Identify Cookie-to-Header Token 18 4.3 Apply Primary Rule 20 4.4 Identify Double Submit Cookie 22 4.5 Apply Separation Rule 24 4.6 Apply Request-Level Precision Rule, Apply Session-Level Precision Rule, and Apply Comprehensive Precision Rule 26 4.7 Apply Request-Level Confidence Rule and Apply Session-Level Confidence Rule 32 4.8 Identify Synchronizer Token Pattern 35 Chapter 5 Implementations and Evaluations 37 5.1 Programming Language and Environment Setup 37 5.2 Standard Libraries and Third-Party Libraries 39 5.3 Ad hoc Data Structures 39 5.4 Web Applications for Evaluative Processes 41 5.5 Results of the Detection of Potential CSRF Vulnerabilities in Web Applications 43 5.5.1 Web Applications Adopting the Synchronizer Token Pattern Technique as Token-Based CSRF Protection 43 5.5.2 Web Applications Adopting the Cookie-to-Header Token Technique as Token-Based CSRF Protection 46 5.5.3 Web Applications Adopting the Double Submit Cookie Technique as Token-Based CSRF Protection 50 Chapter 6 Conclusion and Future Work 53 REFERENCES 54 | - |
| dc.language.iso | en | - |
| dc.subject | Black-Box Testing | zh_TW |
| dc.subject | Web Application Security | zh_TW |
| dc.subject | Cross-Site Request Forgery | zh_TW |
| dc.subject | Test Automation | zh_TW |
| dc.subject | Black-Box Testing | en |
| dc.subject | Web Application Security | en |
| dc.subject | Cross-Site Request Forgery | en |
| dc.subject | Test Automation | en |
| dc.title | A Traffic-Analysis-Based Method for the Automatic Black-Box Detection of Cross-Site Request Forgery Vulnerabilities in Web Applications | zh_TW |
| dc.title | A Traffic-Analysis Approach to the Automatic Black-Box Detection of CSRF Vulnerabilities in Web Applications | en |
| dc.type | Thesis | - |
| dc.date.schoolyear | 110-2 | - |
| dc.description.degree | Master | - |
| dc.contributor.oralexamcommittee | 黃世昆;雷欽隆;林宗男;田謹維 | zh_TW |
| dc.contributor.oralexamcommittee | Shih-Kun Huang;Chin-Laung Lei;Tsung-Nan Lin;Chin-Wei Tien | en |
| dc.subject.keyword | Web Application Security, Cross-Site Request Forgery, Test Automation, Black-Box Testing | zh_TW |
| dc.subject.keyword | Web Application Security, Cross-Site Request Forgery, Test Automation, Black-Box Testing | en |
| dc.relation.page | 57 | - |
| dc.identifier.doi | 10.6342/NTU202203194 | - |
| dc.rights.note | Authorized for release (restricted to on-campus access) | - |
| dc.date.accepted | 2022-09-06 | - |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | - |
| dc.contributor.author-dept | Department of Electrical Engineering | - |
| dc.date.embargo-lift | 2022-09-12 | - |
| Appears in Collections: | Department of Electrical Engineering | |

Files in this item:

| File | Size | Format |
|---|---|---|
| ntu-110-2.pdf (access restricted to NTU campus IP addresses; off-campus users should connect through the VPN service) | 2.73 MB | Adobe PDF |

Unless otherwise indicated by their own copyright terms, all items in this system are protected by copyright, with all rights reserved.
