Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/50434

Full metadata record

| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 雷欽隆(Chin-Laung Lei) | |
| dc.contributor.author | Han-Chi Wang | en |
| dc.contributor.author | 王漢祺 | zh_TW |
| dc.date.accessioned | 2021-06-15T12:40:36Z | - |
| dc.date.available | 2016-08-24 | |
| dc.date.copyright | 2016-08-24 | |
| dc.date.issued | 2016 | |
| dc.date.submitted | 2016-07-27 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/50434 | - |
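| dc.description.abstract | In recent years, the rapid development and widespread use of the Internet and websites have made website security an important issue that both developers and users have begun to pay attention to. HTML5 and HTTP/2 are the latest versions of HTML and HTTP, and are increasingly being used to build modern websites. However, there are currently not enough tools for effectively testing the latent security weaknesses of websites that use HTML5 and HTTP/2. In view of this, we implemented a framework that applies fuzz testing to examine websites. In this framework, we find all accessible web pages, analyze each page, and identify entry points through which attacks can be sent to the web server. To generate test data, we implemented two algorithms: one varies inputs according to the constraints specified by HTML5, and the other treats finite state machines as graphs, extracts various paths from the graph, and uses those paths to generate test data. For HTTP/2, we adopt the same process and architecture; for test data, our fuzzing framework modifies the HEADERS packets in HTTP/2 communication to check whether the server correctly validates and responds to our attack packets. For both kinds of test, we designed an algorithm that collects and organizes the test results so that testers can review them afterwards. According to our implementation results, our framework can test a website before its official release and identify problematic pages. | zh_TW |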
| dc.description.abstract | Web security has become a significant issue for web service providers and users due to the rapid development of web technologies. Recently, HTML5 and HTTP/2 have been widely used in establishing modern websites; however, there are still few applications or tools for detecting potential vulnerabilities of these websites. In this paper, we design a fuzzing framework to investigate possible vulnerabilities in newly defined input types in HTML5. Our framework traverses all accessible web pages in a website and analyzes each page to find entry points for injecting our attack test cases. We design a finite-state-machine-based algorithm to generate test cases for fuzzing. We treat the finite state machines as graphs and extract paths from them to generate test patterns. This method can be used not only on HTML5 but on any input data that can be represented as regular expressions. Additionally, we propose a fuzzing tool for the HTTP/2 protocol which tests the target server by modifying the HEADERS packet in HTTP/2 communication. For both fuzzers, we present a result aggregation algorithm to offload the effort of examining results. From our implementation, we are able to test the architecture of a website and scan for its vulnerabilities before its official operation. | en |
| dc.description.provenance | Made available in DSpace on 2021-06-15T12:40:36Z (GMT). No. of bitstreams: 1 ntu-105-R03921042-1.pdf: 2707254 bytes, checksum: 9ac0d790ef35f5e4dc84434f8428dc7f (MD5) Previous issue date: 2016 | en |
| dc.description.tableofcontents | Oral Examination Committee Certification; Acknowledgements; Chinese Abstract; ABSTRACT; CONTENTS; LIST OF FIGURES; LIST OF TABLES; Chapter 1 Introduction; Chapter 2 Related work; Chapter 3 Background; 3.1 HTML5; 3.1.1 Difference from HTML4; 3.1.2 New input types in HTML5; 3.2 HTTP/2; 3.2.1 Difference from HTTP/1.1; Chapter 4 Fuzzing framework; 4.1 HTML fuzzer; 4.1.1 Web Traversal; 4.1.2 Webpage analyzer; 4.1.3 Test input generator; 4.1.4 Intelligent injector; 4.1.5 Result examining modules; 4.2 HTTP/2 fuzzer; 4.2.1 Session-definition module; 4.2.2 Generation module; 4.2.3 Transmission module; 4.2.4 Examining module; Chapter 5 Finite State Machine based Pattern Generator; 5.1 Overview; 5.2 Sink state; 5.3 Path Selection; 5.3.1 Path Selection on SCC; 5.3.2 Path Selection on DAG; 5.4 Test Pattern Generator; Chapter 6 Evaluation; 6.1 Abnormal websites; 6.2 Results; 6.3 Effect on SCC; 6.4 Effect on DAG; 6.5 Discussion; Chapter 7 Conclusion; Bibliography | |
| dc.language.iso | en | |
| dc.subject | web testing | zh_TW |
| dc.subject | fuzz testing | zh_TW |
| dc.subject | HTML5 | zh_TW |
| dc.subject | HTTP/2 | zh_TW |
| dc.subject | finite state machine | zh_TW |
| dc.subject | test data generation | zh_TW |
| dc.subject | finite state machine | en |
| dc.subject | fuzz testing | en |
| dc.subject | test case generation | en |
| dc.subject | HTTP/2 | en |
| dc.subject | HTML5 | en |
| dc.subject | web testing | en |
| dc.title | A Framework for Website Fuzz Testing Using a Finite-State-Machine-Based Pattern Generator | zh_TW |
| dc.title | A Framework for Fuzzing Website using Finite State Machine Based Pattern Generator | en |
| dc.type | Thesis | |
| dc.date.schoolyear | 104-2 | |
| dc.description.degree | Master's | |
| dc.contributor.oralexamcommittee | 黃秋煌(Chua-Huang Huang),莊文勝(Wen-Shenq Juang),郭斯彥(Sy-Yen Kuo),顏嗣鈞(Hsu-Chun Yen) | |
| dc.subject.keyword | fuzz testing,web testing,HTML5,HTTP/2,finite state machine,test data generation, | zh_TW |
| dc.subject.keyword | fuzz testing,web testing,HTML5,HTTP/2,finite state machine,test case generation, | en |
| dc.relation.page | 44 | |
| dc.identifier.doi | 10.6342/NTU201601391 | |
| dc.rights.note | Paid license | |
| dc.date.accepted | 2016-07-28 | |
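| dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Electrical Engineering | zh_TW |
| Appears in department: | Department of Electrical Engineering | |

Files in this item:

| File | Size | Format | |
|---|---|---|---|
| ntu-105-1.pdf (not authorized for public access) | 2.64 MB | Adobe PDF |

Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.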
