Skip navigation

DSpace JSPUI

DSpace preserves and enables easy and open access to all types of digital content including text, images, moving images, mpegs and data sets

Learn More
DSpace logo
English
中文
  • Browse
    • Communities
      & Collections
    • Publication Year
    • Author
    • Title
    • Subject
    • Advisor
  • Search TDR
  • Rights Q&A
    • My Page
    • Receive email
      updates
    • Edit Profile
  1. NTU Theses and Dissertations Repository
  2. 電機資訊學院
  3. 資訊工程學系
Please use this identifier to cite or link to this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/87280
Full metadata record
???org.dspace.app.webui.jsptag.ItemTag.dcfield???ValueLanguage
dc.contributor.advisor王凡zh_TW
dc.contributor.advisorFarn Wangen
dc.contributor.author古祐宗zh_TW
dc.contributor.authorYou-Zong Guen
dc.date.accessioned2023-05-18T16:48:30Z-
dc.date.available2023-11-09-
dc.date.copyright2023-05-11-
dc.date.issued2023-
dc.date.submitted2023-02-15-
dc.identifier.citation[1] G. A. Marin, “Network security basics” in IEEE Security & Privacy, vol. 3, no. 6, pp. 68-72, Nov.-Dec. 2005, doi: 10.1109/MSP.2005.153.
[2] A. Khalid and M. M. Yousif, “Dynamic analysis tool for detecting sql injection” International Journal of Computer Science and Information Security (IJCSIS), vol.14, no. 2, 2016.
[3] Elshazly, K. , Fouad, Y. , Saleh, M. and Sewisy, A. (2014) A Survey of SQL Injection Attack Detection and Prevention. Journal of Computer and Communications, 2, 1-9. doi: 10.4236/jcc.2014.28001.
[4] P. Sharma, R. Johari, and S. Sarma, "Integrated approach to prevent SQL injection attack and reflected cross site scripting attack," International Journal of System Assurance Engineering and Management, vol. 3, pp. 343-351, 2012.
[5] Limei Ma, Yijun Gao, Dongmei Zhao, and Chen Zhao. 2019. Research on SQL Injection Attack and Prevention Technology Based on Web. In Proceedings of the 2019 International Conference on Computer Network, Electronic and Automation (ICCNEA). IEEE, Xi’an, China, 176–179.
[6] Aliero, M.S., Ghani, I., Qureshi, K.N. et al. An algorithm for detecting SQL injection vulnerability using black-box testing. J Ambient Intell Human Comput 11, 249–266 (2020).
[7] Geogiana Buja, Kumarularifin Bin Abd Jalil, “Detection model for SQL injection attack: An approach for preventing a web application from the SQL injection attack”, April 2014
[8] Yaohui Wang, Wenbing Zhoa, Yuan Liu, “Detecting SQL Vulnerability Attack based on the Dynamic and Static Analysis Technology”, 2015 IEEE 39th Annual Computer Software and Applications Conference
[9] M. S. Roobini, S. R. Srividhya, Sugnaya, K. Vennela and G. Nikhila, "Detection of SQL Injection Attack Using Adaptive Deep Forest," 2022 International Conference on Communication, Computing and Internet of Things (IC3IoT), 2022, pp. 1-6, doi: 10.1109/IC3IOT53935.2022.9767878.
[10] Kharche, Swapnil, Kanchan Gohad, and Bharti Ambetkar (2015). "Preventing SQL Injection attack using pattern matching algorithm." arXiv preprint arXiv:1504.06920.
[11] Bojken Shehu, Aleksander Xhuvani, “A literature review and comparative analyses on SQL injection : vulnerabilities, attcks and their preventation and detection techniques”, IJCSI International Journal of Computer Science Issues, vol 11, issue 4, no. 1, July 2014
[12] ” Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach “, ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis July 2014 Pages 259–269
[13] A. Kieyzun, P. J. Guo, K. Jayaraman, and M. D. Ernst, “Automatic creation of SQL injection and cross-site scripting attacks,” in 2009 IEEE 31st International Conference on Software Engineering, pp. 199–209, May 2009.
[14] W. Tian, J.-F. Yang, J. Xu, and G.-N. Si, “Attack model based penetration test for sql injection vulnerability,” in Proceedings of the 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops, 2012
[15] Halfond, A. Orso, and P. Manolios, “Wasp: Protecting web applications using positive tainting and syntax-aware evaluation,” IEEE Transactions on Software Engineering, vol. 34, pp. 65–81, Jan 2008.
[16] L. Yu, Y. Lei, R. Kacker, and D. Kuhn, “ACTS: A combinatorial test generation tool,” in Software Testing, Verification and Validation (ICST), 2013 IEEE Sixth International Conference on, pp. 370–375, 2013.
[17] N. Antunes and M. Vieira, “Detecting SQL injection vulnerabilities in web services,” in Proc. 4th Latin-Am. Symp. Dependable Comput., 2009, pp. 17–24.
[18] D. Appelt, C. D. Nguyen, L. C. Briand, and N. Alshahwan, “Automated testing for SQL injection vulnerabilities: An input mutation approach,” in Proc. Int. Symp. Softw. Testing Anal., 2014, pp. 259–269.
[19] L. Zhang, D. Zhang, C. Wang, J. Zhao and Z. Zhang, "ART4SQLi: The ART of SQL Injection Vulnerability Discovery," in IEEE Transactions on Reliability, vol. 68, no. 4, pp. 1470-1489, Dec. 2019, doi: 10.1109/TR.2019.2910285.
[20] X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, “A static analysis framework for detecting SQL injection vulnerabilities,” in Proc. 31st Annu. Int. Comput. Softw. Appl. Conf., 2007, pp. 87–96.
[21] H. Shahriar and M. Zulkernine, “Music: Mutation-based SQL injection vulnerability checking,” in Proc. 8th Int. Conf. Quality Softw., 2008, pp. 77–86.
[22] A. Liu, Y. Yuan, D. Wijesekera, and A. Stavrou, “Sqlprob: a proxy-based architecture towards preventing SQL injection attacks,” pp. 2054–2061, 01 2009
[23] S. W. Boyd and A. D. Keromytis, “Sqlrand: Preventing sql injection attacks,” in Applied Cryptography and Network Security (M. Jakobsson, M. Yung, and J. Zhou, eds.), (Berlin, Heidelberg), pp. 292–302, Springer Berlin Heidelberg, 2004.
[24] D. E. Simos, J. Zivanovic and M. Leithner, "Automated Combinatorial Testing for Detecting SQL Vulnerabilities in Web Applications," 2019 IEEE/ACM 14th International Workshop on Automation of Software Test (AST), 2019, pp. 55-61, doi: 10.1109/AST.2019.00014.
[25] O. Ojagbule, H. Wimmer and R. J. Haddad, "Vulnerability Analysis of Content Management Systems to SQL Injection Using SQLMAP," SoutheastCon 2018, 2018, pp. 1-7, doi: 10.1109/SECON.2018.8479130.
[26] B. Zukran and M. M. Siraj, "Performance Comparison on SQL Injection and XSS Detection using Open Source Vulnerability Scanners," 2021 International Conference on Data Science and Its Applications (ICoDSA), 2021, pp. 61-65, doi: 10.1109/ICoDSA53588.2021.9617484.
[27] B. Hailpern and P. Santhanam, ‘‘Software debugging, testing, and verification,’’ IBM Syst. J., vol. 41, no. 1, pp. 4–12, 2002.
[28] A. Bajaj and O. P. Sangwan, "A Systematic Literature Review of Test Case Prioritization Using Genetic Algorithms," in IEEE Access, vol. 7, pp. 126355-126375, 2019, doi: 10.1109/ACCESS.2019.2938260.
[29] S. Yoo and M. Harman, ‘‘Regression testing minimization, selection and prioritization: A survey,’’ Softw. Testing, Verification Rel., vol. 22, no. 2, pp. 67–120, 2012.
[30] Spillner, A., Linz, T., Schaefer, H.: Software testing foundations: a study guide for the certified tester exam: foundation level, ISTQB compliant. Rocky Nook Inc, Santa Barbara (2014)
[31] P. Erik Strandberg, W. Afzal, T. J. Ostrand, E. J. Weyuker and D. Sundmark, "Automated System-Level Regression Test Prioritization in a Nutshell," in IEEE Software, vol. 34, no. 4, pp. 30-37, 2017, doi: 10.1109/MS.2017.92.
[32] P. E. Strandberg, D. Sundmark, W. Afzal, T. J. Ostrand and E. J. Weyuker, "Experience Report: Automated System Level Regression Test Prioritization Using Multiple Factors," 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE), Ottawa, ON, Canada, 2016, pp. 12-23, doi: 10.1109/ISSRE.2016.23.
[33] S. Elbaum et al., “Techniques for Improving Regression Testing in Continuous Integration Development Environments,” Proc. 22nd Int’l Symp. Foundations of Software Eng. (FSE 14), 2014, pp. 235–245.		-
dc.identifier.urihttp://tdr.lib.ntu.edu.tw/jspui/handle/123456789/87280-
dc.description.abstract隨著網路應用發展日益蓬勃,網路攻擊的數量也是明顯增加,近年來,根據OWASP 10大項目2021年發布的報告,注入攻擊是在軟體專案中發現的前三大常見漏洞。阿卡邁科技是世界上最大的分散式計算平台之一,承擔了全球15-30%的網路流量,在阿卡邁科技的報告中所述,在 2019 年 11 月至 2021 年 3 月期間,SQL注入攻擊佔網絡攻擊的 65.1%。它還表明,不同類型的網路攻擊(例如 跨網站指令碼攻擊、本地文件包含漏洞攻擊 和 PHP注入攻擊)的數量一直有所增加,但它們的增長速度都沒有 SQL 注入攻擊快。在這種大環境底下,軟體測試的難度以及工作量不斷提升,為了支援快速的程式開發流程,像是新型態軟體開發方法-敏捷開發,我們試想有一套軟體測試工具,當測試人員送出一個待測軟體的版本與資訊之後,經過這個軟體測試工具,能針對不同的待測軟體,決定出一套量身打造的防禦函數,進而提升測試流程的效率,測試完之後呢,會回過來調整防禦強度向量以利之後的測試。本篇論文就是以基於前一次測試的結果,來提升下一次測試的效率這樣的核心概念來設計這個測試的方法。zh_TW
dc.description.abstractWith the increasingly vigorous development of network applications, the number of network attacks has also increased significantly. In recent years, according to the report released by OWASP Top 10 Projects in 2021, injection attacks are the top three common vulnerabilities found in software projects. Akamai technology is one of the largest decentralized computing platforms in the world, responsible for 15-30% of the world's Internet traffic. As described in Akamai technology's report, between November 2019 and March 2021 , SQL injection attacks accounted for 65.1% of network attacks. It also shows that the number of different types of web attacks such as XSS, LFI, and PHP injection has been increasing, but none of them are growing as fast as SQL injection attacks. Under such an environment, the difficulty and workload of software testing continue to increase. In order to support the rapid program development process, such as the new type of software development method - agile development. We imagine a set of software testing tools. When the tester sends a version and information of the software to be tested, through this software testing tool, a set of tailor-made defense functions can be determined for different software to be tested, thereby improving the efficiency of the testing process. After the test, it will go back and adjust defense strength vector for later testing. This paper is based on the core concept of improving the efficiency of the next test based on the results of the previous test to design this test method.en
dc.description.provenanceSubmitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-05-18T16:48:30Z
No. of bitstreams: 0		en
dc.description.provenanceMade available in DSpace on 2023-05-18T16:48:30Z (GMT). No. of bitstreams: 0en
dc.description.tableofcontents誌謝 i
中文摘要 ii
ABSTRACT iii
CONTENTS iv
LIST OF FIGURES vi
LIST OF TABLES viii
Chapter 1 Introduction 1
1.1 Background 1
1.2 Motivation 3
1.3 Contributions 7
1.4 Organization 7
Chapter 2 Preliminaries 8
2.1 Network Security 8
2.2 Software Testing 9
2.3 Penetration Testing 9
2.4 SQL Injection 10
2.5 Test Prioritization 11
Chapter 3 Related Work 12
3.1 Sqlmap 12
3.2 OWASP ZAP 12
3.3 ART4SQLi 13
Chapter 4 Framework and Algorithm 15
4.1 Framework of Penetration Testing 15
4.2 Test Prioritization Algorithm Pseudocode 16
4.3 Test Prioritization Algorithm Unit 18
4.4 Profiling Defense Update Function 19
Chapter 5 Implementation 20
5.1 Parameter Testing Panel 20
5.2 Test Prioritization Panel 21
5.3 Exploit Panel 22
5.4 Report Panel 27
Chapter 6 Experiment 28
6.1 Environment of Experiment 28
6.2 Vulnerabilities Modules 28
6.2.1 DVWA 28
6.2.2 Open source software 28
6.3 Methodology of collecting time data of various techniques 29
6.4 Comparing with sqlmap 36
6.5 Security testing of same target 40
6.6 Different order of payload according to column 45
6.7 Different order of payload according to DBMS 47
Chapter 7 Conclusion 50
REFERENCE 51		-
dc.language.isoen-
dc.subject優先度測試zh_TW
dc.subjectSQL注入攻擊zh_TW
dc.subject資訊安全zh_TW
dc.subject自動化測試zh_TW
dc.subject滲透測試zh_TW
dc.subject軟體測試zh_TW
dc.subjectInformation Securityen
dc.subjectTesting Priorityen
dc.subjectAutomatic Testingen
dc.subjectPenetration Testingen
dc.subjectSQL Injectionen
dc.subjectSoftware Testingen
dc.title網路應用SQL弱點注入之測試優先度zh_TW
dc.titleTest Prioritization of SQL-Injection Vulnerability in Web Applicationen
dc.typeThesis-
dc.date.schoolyear111-1-
dc.description.degree碩士-
dc.contributor.oralexamcommittee林宗男;黃世昆;田謹維zh_TW
dc.contributor.oralexamcommitteeTsung-Nan Lin;Shih-Kun Huang;Chin-Wei Tienen
dc.subject.keyword軟體測試,滲透測試,自動化測試,資訊安全,SQL注入攻擊,優先度測試,zh_TW
dc.subject.keywordSoftware Testing,Penetration Testing,Automatic Testing,Information Security,SQL Injection,Testing Priority,en
dc.relation.page55-
dc.identifier.doi10.6342/NTU202300252-
dc.rights.note同意授權(限校園內公開)-
dc.date.accepted2023-02-16-
dc.contributor.author-college電機資訊學院-
dc.contributor.author-dept資訊工程學系-
dc.date.embargo-lift2028-02-12-
Appears in Collections:資訊工程學系

Files in This Item:
File SizeFormat 
ntu-111-1.pdf
  Restricted Access 		3.08 MBAdobe PDFView/Open
Show simple item record


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.

社群連結
聯絡資訊
10617臺北市大安區羅斯福路四段1號
No.1 Sec.4, Roosevelt Rd., Taipei, Taiwan, R.O.C. 106
Tel: (02)33662353
Email: ntuetds@ntu.edu.tw
意見箱
相關連結
館藏目錄
國內圖書館整合查詢 MetaCat
臺大學術典藏 NTU Scholars
臺大圖書館數位典藏館
本站聲明
© NTU Library All Rights Reserved