Please use this identifier to cite or link to this item: https://ah.nccu.edu.tw/handle/140.119/120905


Title: A Study of Constructing the Semi-automatic Website Security Assessment System (半自動化網站安全檢測系統建置之研究)
Authors: Shen, Ya-Ting (沈雅婷)
Contributors: Tso, Ray-Lin (左瑞麟); Shen, Ya-Ting (沈雅婷)
Keywords: website security assessment; vulnerability scanning; penetration testing; automation; vulnerability assessment; VA; PT
Date: 2017
Issue Date: 2018-11-09 15:55:48 (UTC+8)
Abstract (translated from Chinese):

Taiwan's economy is made up mostly of small and medium enterprises (SMEs). Unlike large enterprises, they lack the resources for a dedicated information security research team or security staff to assess the security of their websites, equipment and internal information systems, and they cannot afford commercial security testing such as vulnerability scanning or penetration testing. The study of constructing a semi-automatic website security assessment system (hereafter "this study") starts from this observation and builds a semi-automatic, easy-to-operate and intelligent website security assessment system designed specifically for SMEs.

This study focuses on how SMEs should respond to the impact that information security weaknesses can have on an organization, with "website security assessment" as its main theme. A single web host may combine an operating system, a web or application server, website configuration and web applications, so the "semi-automatic website security assessment system" is implemented on two levels, host system vulnerabilities and web application vulnerabilities, using readily available and credible testing tools. For host system vulnerability scanning the study uses Nessus Home Feed; for web application vulnerability scanning it uses the free tool arachni, combined with sqlmap for automated verification of SQL Injection vulnerabilities. The two sets of scan results are then subjected to expert analysis and automated verification to identify the "immediate risks" the enterprise currently faces: the system vulnerabilities for which an exploit has already been released, with links to those exploits; the ports affected by immediate-risk vulnerabilities; and, for every SQL Injection vulnerability that automated verification confirmed, the vulnerable URL, parameter, verification payload and detailed verification results.

Using the expert report, SME website and system administrators can see which immediate risks their website faces, and using the accompanying "remediation recommendation report" they can fix the weaknesses, for example by updating the system, closing immediate-risk ports or restricting the source IP addresses allowed to reach them, correcting misconfigurations of the web server and website, and fixing coding errors in the applications. This strengthens website security and, in turn, the enterprise's overall information security.
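The host-layer part of the expert-analysis step described above, filtering scan findings down to those with a released exploit and turning the affected ports into the "close the port or restrict source IPs" remediation, as an added Python example that is not the thesis's own code. The script embeds a constructed Nessus .nessus v2 export: the element names (ReportHost, ReportItem, exploit_available, risk_factor, cve, xref) follow the .nessus v2 export format, while the host address, plugin IDs, CVE and EDB-ID values are placeholders rather than real identifiers. The exploit-db link format, the nftables table and chain names, and the trusted source network 203.0.113.0/24 are assumptions of the example.

```python
"""Host-layer "immediate risk" triage: read a Nessus (.nessus v2) export,
keep only findings Nessus flags as having a public exploit, and derive the
port-restriction remediation for them.

SAMPLE_NESSUS is a constructed document.  Element names follow the .nessus v2
export format; the host, plugin IDs, CVE and EDB-ID values are placeholders
(CVE-0000-0001 and EDB-ID:000001 are not real identifiers).
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="sme-web-host">
  <ReportHost name="192.0.2.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="900001" pluginName="Constructed: SMB service remote code execution">
    <risk_factor>Critical</risk_factor>
    <exploit_available>true</exploit_available>
    <exploited_by_metasploit>true</exploited_by_metasploit>
    <cve>CVE-0000-0001</cve>
    <xref>EDB-ID:000001</xref>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
               pluginID="900002" pluginName="Constructed: unsupported operating system">
    <risk_factor>High</risk_factor>
    <exploit_available>true</exploit_available>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="900003" pluginName="Constructed: web server version disclosure">
    <risk_factor>Medium</risk_factor>
    <exploit_available>false</exploit_available>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="900004" pluginName="Constructed: SSH server detection">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass
class ImmediateRisk:
    host: str
    port: int
    protocol: str
    plugin: str
    risk_factor: str
    cves: list
    exploit_links: list


def parse_immediate_risks(nessus_xml: str) -> list:
    """Return the findings whose <exploit_available> is true, i.e. the
    'immediate risks'.  Findings without the element (info-level items) and
    findings with exploit_available=false are dropped."""
    root = ET.fromstring(nessus_xml)
    risks = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            flag = (item.findtext("exploit_available") or "").strip().lower()
            if flag != "true":
                continue
            links = []
            for xref in item.findall("xref"):
                ident = (xref.text or "").strip()
                if ident.startswith("EDB-ID:"):  # assumed link format for the report
                    links.append("https://www.exploit-db.com/exploits/" + ident.split(":", 1)[1])
            risks.append(ImmediateRisk(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", "tcp"),
                plugin=item.get("pluginName", ""),
                risk_factor=item.findtext("risk_factor", "Unknown"),
                cves=[c.text.strip() for c in item.findall("cve") if c.text],
                exploit_links=links,
            ))
    return risks


def firewall_rules(risks, allowed_src="203.0.113.0/24"):
    """nftables rules that admit one trusted source network to each
    immediate-risk port and drop everyone else (the 'restrict source IPs'
    remediation).  Port 0 is Nessus's host-level pseudo-port with no listener
    to filter, so those findings are left for patching.  Assumes the
    'inet filter' table and its 'input' chain already exist."""
    net = ipaddress.ip_network(allowed_src)
    rules = []
    for port, proto in sorted({(r.port, r.protocol) for r in risks if r.port > 0}):
        rules.append(f"add rule inet filter input {proto} dport {port} ip saddr {net} accept")
        rules.append(f"add rule inet filter input {proto} dport {port} drop")
    return rules


if __name__ == "__main__":
    found = parse_immediate_risks(SAMPLE_NESSUS)
    for r in found:
        print(f"{r.host}:{r.port}/{r.protocol} [{r.risk_factor}] {r.plugin} "
              f"CVEs={r.cves} exploits={r.exploit_links}")
    print("\n".join(firewall_rules(found)))
```

The host-level finding (port 0) still appears in the immediate-risk list but produces no firewall rule; an unsupported operating system can only be fixed by upgrading, which is why the thesis pairs the port restriction with "update the system" rather than treating it as a substitute.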
Abstract (English):

According to official statistics from the Small and Medium Enterprise Administration, Ministry of Economic Affairs, over 97% of the enterprises in Taiwan's economy are small and medium enterprises (SMEs). At current market rates, the cost of hiring an information security research team, or dedicated experts to examine the security status of a company's website or internal information systems, is more than most SMEs can afford, let alone the cost of security testing such as vulnerability assessment (VA) and penetration testing (PT).

The main purpose of this study is therefore to construct a semi-automatic website security assessment system that helps SME administrators review the security status of their websites and systems.

This study focuses on helping SMEs detect and repair vulnerabilities in their websites and internal information systems, and on reducing the impact of the resulting damage. A website can carry vulnerabilities in several different layers: the operating system (OS), the application server and the web applications. For this reason the implementation of the "semi-automatic website security assessment system" is divided into two directions: detecting vulnerabilities in the operating system, and detecting weaknesses in the web application.

The Semi-automatic Website Security Assessment System contains five modules: a user input module, an information collection and analysis module, an OS and web vulnerability assessment module, an automatic verification module, and an expert report module. SME system administrators can improve the security status of their websites and internal information systems by applying the assessment methodology and the system developed in this study.
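The automatic verification module named above, for the web-layer case the thesis implements with sqlmap (a suspected SQL Injection reported by the web scanner as URL plus parameter is re-tested non-interactively, and the confirmed URL, parameter, technique and payload are lifted into the expert report), as an added Python example that is not the thesis's own code. It assumes sqlmap is on PATH and uses only its -u, -p, --batch, --output-dir and --data options. SAMPLE_SQLMAP_OUTPUT is a constructed transcript in the layout sqlmap prints for its injection-point summary (Parameter / Type / Title / Payload blocks between "---" lines); the target host, URL and payload values are made up.

```python
"""Web-layer automatic verification: build the unattended sqlmap run for one
suspected parameter, then extract the confirmed injection points from
sqlmap's output.

SAMPLE_SQLMAP_OUTPUT is a constructed transcript.  It follows the layout of
sqlmap's injection-point summary; the host, URL and payloads are made up.
"""
import re
from dataclasses import dataclass

TARGET_URL = "http://shop.example.test/item.php?id=1"  # made-up target

SAMPLE_SQLMAP_OUTPUT = """\
[12:00:01] [INFO] testing connection to the target URL
[12:00:09] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4421=4421

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2613 UNION ALL SELECT NULL,CONCAT(0x716a7a78,0x4b7a,0x7178627a),NULL-- -

Parameter: user (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: user=admin' AND 6171=6171 AND 'Qkzp'='Qkzp&pass=x
---
[12:00:10] [INFO] the back-end DBMS is MySQL
"""


def sqlmap_command(url, parameter, post_data=None, output_dir="sqlmap-out"):
    """argv for an unattended sqlmap run against one suspected parameter.
    --batch takes the default answer at every prompt, which is what makes the
    verification automatic; --output-dir keeps the per-target log.  Pass the
    request body as post_data when the scanner found the parameter in a
    POST form.  Assumes sqlmap is installed and on PATH."""
    argv = ["sqlmap", "-u", url, "-p", parameter, "--batch", "--output-dir", output_dir]
    if post_data is not None:
        argv += ["--data", post_data]
    return argv


@dataclass
class ConfirmedInjection:
    url: str
    parameter: str
    place: str       # GET, POST, Cookie, URI, ...
    technique: str   # sqlmap's "Type" line
    title: str
    payload: str     # the verification payload to reproduce the finding


PARAM_RE = re.compile(r"^Parameter:\s+(?P<name>\S+)\s+\((?P<place>[^)]+)\)\s*$")


def parse_sqlmap_output(url, text):
    """Walk the '---'-delimited injection summary and return one record per
    (parameter, technique) pair.  Progress lines outside the summary are
    ignored, and a run that found nothing injectable yields []."""
    results = []
    in_summary = False
    param = place = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---":
            in_summary = not in_summary
            continue
        if not in_summary or not line:
            continue
        m = PARAM_RE.match(line)
        if m:
            param, place = m.group("name"), m.group("place")
            fields = {}
            continue
        key, sep, value = line.partition(":")
        if not sep or key not in ("Type", "Title", "Payload"):
            continue
        fields[key] = value.strip()
        if key == "Payload":  # Payload closes each technique block
            results.append(ConfirmedInjection(url, param, place,
                                              fields.get("Type", ""),
                                              fields.get("Title", ""),
                                              fields["Payload"]))
            fields = {}
    return results


if __name__ == "__main__":
    print(" ".join(sqlmap_command(TARGET_URL, "id")))
    # In a live run: out = subprocess.run(argv, capture_output=True, text=True).stdout
    for inj in parse_sqlmap_output(TARGET_URL, SAMPLE_SQLMAP_OUTPUT):
        print(f"{inj.url} {inj.parameter} ({inj.place}) {inj.technique}: {inj.payload}")
```

Only parameters that appear in the summary are reported as confirmed; a scanner finding that sqlmap could not reproduce simply does not show up, which is the "verification" the semi-automatic design relies on to keep unconfirmed scanner output out of the immediate-risk list.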
Reference:
1. Small and Medium Enterprise Administration, Ministry of Economic Affairs (2017). 2017 Key Statistics on Small and Medium Enterprises (Number of SMEs by Industry). Retrieved from https://www.moeasmea.gov.tw/dl.asp?filename=871616175071.pdf
2. Justin Clarke (2012). SQL Injection Attacks and Defense. Syngress.
3. Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie (2007). XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress.
4. Patrick Engebretson, David Kennedy (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing. Syngress.
5. Karen Scarfone, Paul Hoffman (2009). Guidelines on Firewalls and Firewall Policy (NIST SP 800-41 Revision 1). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
6. Eric Cole (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Syngress.
7. Nishant Shrestha (2012). Security Assessment via Penetration Testing: A Network and System Administrator's Approach. Oslo University College.
8. Open Web Application Security Project (2017). OWASP Top 10 2017. Retrieved from https://www.owasp.org/index.php/Top_10-2017_Top_10
9. ISECOM (Institute for Security and Open Methodologies) (2015). OSSTMM: Open Source Security Testing Methodology Manual. Retrieved from http://www.isecom.org/research/osstmm.html
10. Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh (2008). SP 800-115: Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
11. 楊中皇, 柯鈞凱 (2010). Design and Implementation of an Automated Web Security Assessment System Combining Vulnerability Scanning and Penetration Testing (結合弱點掃描和滲透測試之自動化 Web 安全檢測系統設計與實現). Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Kaohsiung.
12. Johnny Long, Bill Gardner, Justin Brown (2008). Google Hacking for Penetration Testers, Volume 2. Syngress.
13. David Maynor (2007). Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Syngress.
14. Robert Shimonski (2013). The Wireshark Field Guide: Analyzing and Troubleshooting Network Traffic. Syngress.
15. David A. Shelly (2010). Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners. Virginia Polytechnic Institute and State University.
16. San-Tsai Sun, Ting Han Wei, Stephen Liu, Sheung Lau (2007). Classification of SQL Injection Attacks. Electrical and Computer Engineering, University of British Columbia.
Description: Master's thesis
National Chengchi University
Master's Program in Computer Science for Working Professionals (資訊科學系碩士在職專班)
103971013
Source URI: http://thesis.lib.nccu.edu.tw/record/#G0103971013
Data Type: thesis
Appears in Collections: [Master's Program in Computer Science for Working Professionals (資訊科學系碩士在職專班)] Theses

Files in This Item: 101301.pdf (13481 Kb, Adobe PDF)


All items in the NCCU Academic Hub (學術集成) are protected by copyright, with all rights reserved.