计算机科学 ›› 2017, Vol. 44 ›› Issue (5): 141-145.doi: 10.11896/j.issn.1002-137X.2017.05.025
涂玲,马跃,程诚,周彦晖
TU Ling, MA Yue, CHENG Cheng and ZHOU Yan-hui
摘要: 在Web应用安全模糊测试中,存在测试用例覆盖率低、测试效用无法得到有效验证及漏洞检测结果无法得到有效评估等问题。提出了协议变形和动态特征并行混合的测试用例生成方法,建立了按典型漏洞分类的输入特征组合规则和协议变形规则,并形成了基于污染传播策略漏洞响应数据分析和有效性验证的方法。实验表明所提方法增大了测试用例的多样性以及提高了覆盖率,降低了在网站过滤环境复杂情况下的漏洞检测的漏报率和误报率。
[1] LUO Y X.Static Code Analysis and Defense for Software Secu-rity Defects [D].Bejing:Institute of Software,Chinese Academy of Sciences,2007.(in Chinese) 罗宇翔.面向软件安全缺陷的静态代码分析及防御[D].北京:中国科学院软件研究所,2007. [2] KULENOVIC M,DONKO D.A survey of static code analysis methods for security vulnerabilities detection[C]∥International Convention on Information and Communication Technology,Electronics and Microelectronics.2014:1381-1386. [3] WASSERMANN G,SU Z.Static detection of cross-site scripting vulnerabilities[C]∥ACM/IEEE 30th International Conference on Software Engineering,2008(ICSE’08).IEEE,2008:171-180. [4] BALZAROTTI D,COVA M,FELMETSGER V,et al.Saner:Composing static and dynamic analysis to validate sanitization in web applications[C]∥IEEE Symposium on Security and Privacy,2008(SP 2008).IEEE,2008:387-401. [5] PIETRASZEK T,BERGHE C V.Defending against injection attacks through context-sensitive string evaluation[C]∥Recent Advances in Intrusion Detection.Springer Berlin Heidelberg,2005:124-145. [6] HALFOND W G J,ORSO A,MANOLIOS P.WASP:Protecting Web applications using positive tainting and syntax-aware eva-luation[J].IEEE Transactions on Software Engineering,2008,34(1):65-81. [7] BALZAROTTI D,COVA M,FELMETSGER V,et al.Saner:Composing static and dynamic analysis to validate sanitization in web applications[C]∥IEEE Symposium on Security and Privacy,2008(SP 2008).IEEE,2008:387-401. [8] PAN G B,ZHOU Y H.Finding XSS Vulnerabilities Based on Static Analysis and Dynamic Testing [J].Computer Science,2012,9(B06):51-53.(in Chinese) 潘古兵,周彦晖.基于静态分析和动态检测的XSS漏洞发现[J].计算机科学,2012,39(B06):51-53. [9] WIN W,HTUN H H.A simple and efficient framework for detection of sql injection attack[J].IJCCER,2013,1(2):26-30. [10] WANG J,PHAN R C W,WHITELY J N,et al.Augmented attack tree modeling of SQL injection attacks[C]∥2010 The 2nd IEEE International Conference on Information Management and Engineering (ICIME).IEEE,2010:182-186. [11] WEI C T.Research on Key Technology of SQL Injection and XSS Attack Automated Detection[D].Beijing:Beijing University of Posts and Telecommunications,2015.(in Chinese) 韦存堂.SQL注入与XSS攻击自动化检测关键技术研究[D].北京:北京邮电大学,2015. [12] LI Z,XU X,LIAO L J,et al.Using Templates Combination to Generate Testing Vectors Dynamically in Detecting Web Applications Vulnerabilities[J].Application Research of Computers,2015,2(10):3004-3008.(in Chinese) 李政,许欣,廖乐健,等.使用模板组合动态生成测试用例的Web应用漏洞发掘方法[J].计算机应用研究,2015,32(10):3004-3008. [13] JIANG H,XU Z Y,WANG X.XSS Attack Defense Method Based on Behavior [J].Computer Engineering and Design,2014,5(6):1911-1914.(in Chinese) 蒋华,徐中原,王鑫.基于行为的XSS攻击防范方法[J].计算机工程与设计,2014,35(6):1911-1914. [14] DUCHENE F,RAWAT S,RICHIER J L,et al.LigRE:Rever-se-engineering of control and data flow models for black-box XSS detection[C]∥2013 20th Working Conference on Reverse Engineering (WCRE).IEEE,2013:252-261. [15] DUCHENE F,GROZ R,RAWAT S,et al.XSS vulnerability detection using model inference assisted evolutionary fuzzing[C]∥SECTEST 2012-3rd International Workshop on Security Testing (affiliated with ICST).IEEE Computer Society,2012:815-817. [16] CAO L B,CAO T J.Research on Cross-site Scripting Vulnerability Detection Method Based on Dynamic Testing [J].Computer Application and Software,2015,2(8):272-275.(in Chinese) 曹黎波,曹天杰.基于动态测试的XSS漏洞检测方法研究[J].计算机应用与软件,2015,32(8):272-275. [17] WANG Q,BAI M.Research about Using Tool of SqlMap GET injection and Principle Analyzing on Linux Platform [J].Computer Security,2013(6):74-76.(in Chinese) 王琦,白淼.渗透工具SqlMap GET注入使用及原理分析[J].计算机安全,2013(6):73-76. [18] LV Z Y,HUANG S,HUI Z W.Improvement of Defect Detection Mode for Function Return Value Based on FindBugs[J].Journal of PLA University of Science and Technology (Nature Science Edition),2015,16(6):518-523.(in Chinese) 吕增援,黄松,惠战伟.基于FindBugs的函数返回值缺陷检测模式的改进[J].解放军理工大学学报(自然科学版),2015,16(6):518-523. [19] CHENG C,ZHOU Y H.Finding XSS Vulnerabilities Based on Fuzzing Test and Genetic Algorithm [J].Computer Science, 2016,3(6A):328-333.(in Chinese) 程诚,周彦晖.基于模糊测试和遗传算法的XSS漏洞挖掘[J].计算机科学,2016,3(6A):328-333. [20] TANG H P,HUANG S G,ZHANG L.Detection Algorithm for Leak Detection in Pollution Propagation Analysis [J].Journal of Chinese Computer System,2010(11):2227-2230.(in Chinese) 唐和平,黄曙光,张亮.污染传播分析的漏洞利用检测算法[J].小型微型计算机系统,2010(11):2227-2230. [21] LIU L C,FAN W J.From the Viewpoint of Software Software Process to Approach the Reusable Requirement Analysis-Pas-singly Review Analysis Between CMM and ISO9000[J].Journal of Chongqing University of Technology(Natural Science),2012,6(1):53-60.(in Chinese) 刘兆存,范玮佳.软件过程中可复用需求分析[J].重庆理工大学学报(自然科学版),2012,6(1):53-60. |
No related articles found! |
|