外文翻译
- 格式:pdf
- 大小:644.59 KB
- 文档页数:23
AtestingframeworkforWebapplicationsecurityassessmentq
Yao-WenHuanga,b,*,Chung-HungTsaib,Tsung-PoLinb,Shih-KunHuanga,c,D.T.Leea,b,c,Sy-YenKuoa,b
aDepartmentofElectricalEngineering,NationalTaiwanUniversity,Taipei106,TaiwanbInstituteofInformationScience,AcademiaSinica,Taipei115,TaiwancDepartmentofComputerScienceandInformationEngineering,NationalChiao-TungUniversity,Hsinchu300,TaiwanAvailableonline12February2005
AbstractTherapiddevelopmentphasesandextremelyshortturnaroundtimeofWebapplicationsmakeitdifficulttoelim-inatetheirvulnerabilities.HerewestudyhowsoftwaretestingtechniquessuchasfaultinjectionandruntimemonitoringcanbeappliedtoWebapplications.WeimplementedourproposedmechanismsintheWebApplicationVulnerabilityandErrorScanner(WAVES)—ablack-boxtestingframeworkforautomatedWebapplicationsecurityassessment.Real-worldsituationsareusedtotestWAVESandtocompareitwithothertools.OurresultsshowthatWAVESisafeasibleplatformforassessingWebapplicationsecurity.Ó2005ElsevierB.V.Allrightsreserved.Keywords:Webapplicationtesting;Securityassessment;Faultinjection;Black-boxtesting;Completecrawling
1.Introduction
OnFeb2,2000,CERTissuedanadvisory[16]on‘‘cross-sitescripting’’(XSS)attacksonWebapplications.Thishard-to-eliminatethreatsoondrewtheattentionandspawnedactivediscussionsamongsecurityresearchers[40].DespitetheeffortsofresearchersintheprivatesectorandacademiatopromotedeveloperawarenessandtodeveloptoolstoeliminateXSSattacks,hackersarestillusingthemtoexploitWebapplications.Astudy
1389-1286/$-seefrontmatterÓ2005ElsevierB.V.Allrightsreserved.
doi:10.1016/j.comnet.2005.01.003qSupportedbytheNCERTproject(No.910444)ofInstituteforInformationIndustry,sponsoredbyMinistryofEconomicAffairs,andbytheNationalScienceCouncilunderthegrantsNo.NSC92-2422-H-001-004,NSC-93-2213-E-002-122,NSC-93-2213-E-001-013,NSC-93-2422-H-001-0001,andNSC-93-2752-E-002-005-PAE.*Correspondingauthor.Address:DepartmentofElectricalEngineering,NationalTaiwanUniversity,Taipei106,Taiwan.E-mailaddresses:ywhuang@openwaves.net(Y.-W.Huang),chtsai@openwaves.net(C.-H.Tsai),lancelot@iis.sinica.edu.tw(T.-P.Lin),skhuang@iis.sinica.edu.tw(S.-K.Huang),dtlee@iis.sinica.edu.tw(D.T.Lee),sykuo@cc.ee.ntu.edu.tw(S.-Y.
Kuo).ComputerNetworks48(2005)
739–761www.elsevier.com/locate/comnetbyOhmaki[43]foundthatalmost80%ofalle-commercesitesinJapanwerestillvulnerabletoXSS.AsearchonGoogleNewsforXSSadvisoriesonnewlydiscoveredXSSvulnerabilitieswithinthemonthofMarch2004aloneyielded24reports,amongthesewereconfirmedvulnerabilitiesinMicrosoftHotmail[70]andYahoo!Mail[32],bothofwhicharepopularweb-basedemailservices.ScottandSharp[58,59]haveassertedthatWebapplicationvulnerabilitiesare(a)inherentinWebapplicationcodes;and(b)independentofthetech-nologyinwhichtheapplicationinquestionisimplemented,thesecurityoftheWebserver,andtheback-enddatabase.Currenttechnologiessuchasanti-virussoftwareprogramsandnetworkfire-wallsoffercomparativelysecureprotectionatthehostandnetworklevels,butnotattheapplicationlevel[18].However,whennetworkandhost-levelentrypointsarerelativelysecure,thepublicinter-facesofWebapplicationsbecomethefocusofattacks[18].Recently,effortsonautomatedsecurityverifica-tionofCprogramshaveyieldedpromisingresults.InourprojectWebSSARIv.1(WebapplicationSecurityAnalysisandRuntimeInspection)[24],weadoptedatypestate-basedalgorithmforidenti-fyingvulnerabilitiesinPHPcode.InWebSSARIv.2[25],weshowedhowthisstrategycanbeim-provedusingboundedmodelchecking.Thoughourresultsshowthatsuchwhite-boxverificationcanbesuccessfullyusedforautomatedWebappli-cationsecurityassessment,theyhaveseveraldraw-backs.Onemajordrawbackistheirneedforsourcecodewhichinmanycasesmaynotbeeasilyavailable.Anotheristhattheyverifyagainstsimu-latedruntimebehaviorsbasedonprogramabstraction,whilewhetherornottheabstractioncorrectlyreflectstheactualprogramisleftinques-tion.Therefore,whilethesetechniquesfailtoade-quatelyconsidertheruntimebehaviorofWebapplications,itisgenerallyagreedthatthemassivenumberofruntimeinteractionsbetweenvariouscomponentsiswhatmakesWebapplicationsecu-ritysuchachallengingtask[28,58].Inthispaper,wedescribeourblack-boxtestingframeworkforWebapplicationsecurityassess-ment.ThemaindifficultyindesigningaWebapplicationtestingframeworkliesinprovidingefficientinterfacemechanisms.SinceWebapplica-tionsinteractwithusersbehindbrowsersandactaccordingtouserinput,suchinterfacesmusthavetheabilitytomimicboththebrowserandtheuser.Inotherwords,theinterfacemustprocesscontentthatismeanttoberenderedbybrowsersandlaterinterpretedbyhumans.Ourinterfacetakestheformofacrawler,whichallowsforablack-box,dynamicanalysisofWebapplications.Usingacompletecrawlingmechanism,areverseengineer-ingofaWebapplicationisperformedtoidentifyalldataentrypoints.Then,withthehelpofaself-learninginjectionknowledgebase,faultinjec-tiontechniquesareappliedtodetectSQLinjectionvulnerabilities.UsingourproposedTopicModel,theknowledgebaseselectsthebestinjectionpat-ternsaccordingtoexperienceslearnedthroughpreviousinjectionfeedback,andthenexpandstheknowledgebaseasmorepagesarecrawled.Bothpreviousexperiencesandknowledgeexpan-sioncontributetothegenerationofbetterinjec-tionpatterns.Wealsoproposeanovelreplyanalysisalgorithminordertohelpthecrawlerinterpretinjectionreplies.Byimprovingtheobservability[72]oftheWebapplicationbeingtested,thealgorithmhelpsfacilitateadeepinjec-tionmechanismthateliminatesfalsenegatives.Toimitatereal-worldinteractionswithWebapplications,ourcrawlerisequippedwiththesamecapabilitiesasafull-fledgedbrowser,thusmakingitvulnerabletomaliciousscriptsthatmayhavebeeninsertedintoaWebapplicationviacross-sitescripting.Sinceamaliciousscriptthatiscapableofattackinganinteractingbrowserisalsocapableofattackingthecrawler,asecureexecutionenvironment(SEE)thatenforcesananomalydetectionmodelwasbuiltaroundthecrawler.Duringthereverseengineeringphase,allpagesofaWebapplicationareloadedintothecrawlerandexecuted.Inputstimuli(i.e.,simulateduserevents)aregeneratedbythecrawlertotestthebehaviorofthepageÕsdynamiccomponents.AnyabnormalbehaviorwillcausetheSEEtoimmedi-atelyhaltthecrawlerandaudittheinformation.Thus,whileofferingself-protection,thislayeralsodetectsmaliciousscriptshiddeninsideWebapplications.740Y.-W.Huangetal./ComputerNetworks48(2005)739–761