漏洞掃描自動化與利用開發者社群診斷建議之測試報告加值技術

Abstract

現代網站技術多元,網頁前端與後端伺服器、資料庫都會針對使用者需求設計與部屬對應服務,而網站應用程式對外提供的服務任何人都存取,因此攻擊事件層 出不窮且逐年攀升,甚至有像是 Shodan 等搜尋引擎專門探索與揭露世界各地的網路設備,這些防護能力不足的網站,往往是駭客攻擊的主要對象。 然而並非所有開發商都有足夠能力與資本來完善其產品在資安方面的需求, 產生漏洞並被駭客利用,達成惡意癱瘓、竊取個人資料等目的,造成企業與使用者的損失。本篇論文開發的一套自動化測試程序,在網站開發後期階段進行滲透測試,對受測的 IP 位址進行資料蒐集,取得開啟的端口運作狀況,並從資料庫中比對其 服務與作業系統版本及類型是否存在已知弱點,評估與歸納漏洞並結合量化的指標、開發者社群建議,產生一份報告供開發者作為改善服務品質的依據。 我們在自行建立的實驗環境中對多個目標進行測試,並用自動化程式以及安全漏洞資料庫,對受測服務進行全面掃描後自動上傳至追蹤系統,幫助開發者發掘並管理可能的安全漏洞。

We are using web application every day. The services of application are designed and deployed as a web application based on a different purpose. These websites are available to everyone in the world and attract a lot of cyberattacks if the developer didn't protect their web application properly. However, some developers do not have enough knowledge and funds to meet the requirements of cybersecurity. A vulnerable web service reveals sensitive information to hackers for illegal behaviors such as stealing user information and destroy a specified target. In this thesis, we focus on penetration testing on the deployment stage of web development. Initially, we collect information from the target's IP or hostname list the activate ports. Use the information to leverage the advanced detection and analysis based on the services. Furthermore, we try to extract from the vulnerability database which includes known vulnerabilities in the past years. It will finally be evaluated and summarize as a test report with ecosystem suggestions. To provide a guideline that web developers can follow up. We propose a non-intrusive method to scan the targets and extract risk information from the vulnerability database to help users improve their products. The method reduces the disruptive impact and reveals the possible vulnerabilities without causing instability of services. We have tested on many websites as targets with the automatic process, scanning tools, and vulnerability database to discover any potential risks. The experiments have been proved that can help the developer to improve the security of their products.