
Title: 半自動化網站安全檢測系統建置之研究
A study of constructing the semi-automatic website security assessment system
Author: 沈雅婷
Shen, Ya-Ting
Contributors: 左瑞麟 (advisor)
Tso, Ray-Lin
沈雅婷
Shen, Ya-Ting
Keywords: Website security assessment
Vulnerability scanning
Penetration testing
Automation
Vulnerability assessment
VA
Penetration testing
PT
Website security assessment
Date: 2017
Upload time: 9-Nov-2018 15:55:48 (UTC+8)
Abstract (translated from the Chinese original)

Given that Taiwan's economic structure consists mostly of small and medium enterprises (SMEs), which cannot match large enterprises in resources, these companies lack a professional information security research team or dedicated staff to perform security assessments of their websites, equipment, or internal information systems, and they cannot afford expensive security assessment services either (such as vulnerability scanning or penetration testing). The study of constructing a semi-automatic website security assessment system (hereafter "this study") takes this as its starting point, designing and building a semi-automatic, easy-to-operate, and intelligent website security assessment system tailored to SMEs.

This study focuses on how SMEs should respond to the impact that information security weaknesses may have on their organizations, taking "website security assessment" as the main axis of research. A single web host may involve several aspects at once: the operating system, the web/application server, website configuration, and web applications. The implementation of the "semi-automatic website security assessment system" is therefore divided into two layers, host system vulnerabilities and web application vulnerabilities, using readily available and reputable assessment tools. For host system vulnerability scanning this study uses Nessus Home Feed; for web application vulnerability scanning it uses the free tool arachni, supplemented by sqlmap for automated verification of SQL injection vulnerabilities. The two sets of scan results are subjected to expert analysis and automated verification to identify the "immediate risks" the enterprise currently faces, reporting the immediate-risk vulnerabilities for which exploit code has already been publicly released together with links to that code, the ports associated with immediate-risk vulnerabilities, and, for SQL injection vulnerabilities that were successfully verified automatically, the affected URL, parameter, verification syntax, and detailed verification content.

Website administrators and system administrators of SMEs can use the expert report to understand the immediate risks their website faces and use the "remediation recommendation report" to fix the vulnerabilities, for example by updating the system, closing ports with immediate-risk vulnerabilities or restricting the source IPs allowed to access them, updating or correcting misconfigurations of the web server and website, and fixing coding oversights in applications, thereby strengthening website security and improving the enterprise's overall information security.
Abstract

According to official statistics from the Small and Medium Enterprise Administration, Ministry of Economic Affairs, over 97% of Taiwan's economic structure is composed of small and medium enterprises (SMEs). In the current market, the cost of hiring a team of professional information security researchers, or dedicated experts to examine the information security status of a company's website or internal information systems, is higher than most SMEs can afford, not to mention the cost of information security testing such as vulnerability assessment (VA) and penetration testing (PT).

Therefore, the main purpose of this study is to construct a semi-automatic website security assessment system that helps the administrators of these SMEs review the information security status of their websites and systems.

This study focuses on helping these SMEs detect and repair vulnerabilities in their websites and internal information systems, and on reducing the impact of any resulting damage. A website may have many vulnerabilities in different parts, such as the operating system (OS), the application server, and the web applications. For this reason, this study implements the "semi-automatic website security assessment system" along two directions: one detects vulnerabilities in the operating system, the other detects weaknesses in the web application.

The Semi-automatic Website Security Assessment System contains five modules: a user input module, an information collection and analysis module, an OS and web vulnerability assessment module, an automatic verification module, and an expert report module. The system administrators of SMEs can improve the information security status of their websites and internal information systems by using the assessment methodology and the semi-automatic website security assessment system of this study.
References:
1. Small and Medium Enterprise Administration, Ministry of Economic Affairs, (2017). 2017 Key Statistics on Small and Medium Enterprises (Number of SMEs by Industry), retrieved from: https://www.moeasmea.gov.tw/dl.asp?filename=871616175071.pdf

2. Justin Clarke, (2012). SQL Injection Attacks and Defense, Syngress.

3. Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie, (2007). XSS Attacks: Cross Site Scripting Exploits and Defense, Syngress.

4. Patrick Engebretson, David Kennedy, (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing, Syngress.

5. Karen Scarfone, Paul Hoffman, (2009). Guidelines on Firewalls and Firewall Policy (NIST SP 800-41 Revision 1), National Institute of Standards and Technology, retrieved from: http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

6. Eric Cole, (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Syngress.

7. Nishant Shrestha, (2012). Security Assessment via Penetration Testing: A Network and System Administrator's Approach, Oslo University College.

8. Open Web Application Security Project, (2017). OWASP Top 10 2017, retrieved from: https://www.owasp.org/index.php/Top_10-2017_Top_10

9. ISECOM (Institute for Security and Open Methodologies), (2015). OSSTMM - Open Source Security Testing Methodology Manual, retrieved from: http://www.isecom.org/research/osstmm.html

10. Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh, (2008). SP 800-115 - Technical Guide to Information Security Testing and Assessment, National Institute of Standards and Technology, retrieved from: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

11. 楊中皇、柯鈞凱, (2010). Design and Implementation of an Automated Web Security Assessment System Combining Vulnerability Scanning and Penetration Testing, Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Kaohsiung.

12. Johnny Long, Bill Gardner, Justin Brown, (2008). Google Hacking for Penetration Testers, Volume 2, Syngress.

13. David Maynor, (2007). Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress.

14. Robert Shimonski, (2013). The Wireshark Field Guide: Analyzing and Troubleshooting Network Traffic, Syngress.

15. David A. Shelly, (2010). Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners, Virginia Polytechnic Institute and State University.

16. San-Tsai Sun, Ting Han Wei, Stephen Liu, Sheung Lau, (2007). Classification of SQL Injection Attacks, University of British Columbia, Electrical and Computer Engineering.
Description: Master's thesis
National Chengchi University
Department of Computer Science, In-service Master's Program
103971013
Source: http://thesis.lib.nccu.edu.tw/record/#G0103971013
Type: thesis
Identifier: G0103971013
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/120905
Table of contents:
1. Introduction 1
1.1 Research background and motivation 1
1.2 Research objectives and structure 2
2. Introduction to security assessment 3
2.1 Common security assessment methods, their differences, and international standards 3
2.2 Differences between vulnerability scanning and penetration testing 13
2.3 International standards for security assessment 14
3. Literature review of website security assessment and security assessment methodology 18
3.1 Literature review of website security assessment 18
3.2 Security assessment methodology 19
4. Overview of security assessment tools 28
4.1 Information gathering and enumeration 28
4.2 Vulnerability scanning and confirmation 31
4.3 Vulnerability analysis and verification 37
4.4 Penetration testing and privilege escalation 39
4.5 Comparison of commercial and free vulnerability scanners 42
5. Semi-automatic website security assessment system 52
5.1 System concept 52
5.2 System architecture and environment configuration 52
6. Assessment process and results 70
6.1 Creating basic data 70
6.2 Host system vulnerability scanning (including host information gathering and analysis) 71
6.3 Web vulnerability scanning (including website and web page information gathering and analysis) 85
7. Conclusions and future research 100
7.1 Conclusions and contributions 100
7.2 Future research directions 101
8. References 102
9. Appendix 104
9.1 Nessus 104
9.2 arachni 125
9.3 sqlmap 132
Format: 13804709 bytes, application/pdf
DOI: 10.6814/THE.NCCU.EMCS.013.2018.B02