Computer Science ›› 2017, Vol. 44 ›› Issue (5): 141-145. doi: 10.11896/j.issn.1002-137X.2017.05.025

• Information Security •

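Hybrid Protocol Deformation Based Web Security Fuzzy Testing and Utility Evaluation Approach

TU Ling, MA Yue, CHENG Cheng and ZHOU Yan-hui

  1. College of Computer and Information Science, Southwest University, Chongqing 400715; School of Software, Chongqing University, Chongqing 401331; Hainan Medical University, Haikou 571199; College of Computer and Information Science, Southwest University, Chongqing 400715
  • Online: 2018-11-13 Published: 2018-11-13
  • Supported by:
    This work was supported by the National Science and Technology Support Program of China (project/topic 2015BAK41B00/2015BAK41B01).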

Abstract: In Web application security fuzz testing, there are problems such as low test-case coverage, ineffective verification of test-case utility, and a lack of quantitative evaluation of vulnerability detection results. This paper proposes a test-case generation method that combines protocol deformation with dynamic features in parallel for typical Web security vulnerabilities. Input feature combination rules and protocol deformation rules, classified by typical vulnerability, are devised, and a method for analysing vulnerability response data and validating effectiveness based on a pollution propagation (taint propagation) strategy is established. Experiments show that the proposed method increases the diversity and coverage of test cases and reduces the false negative rate and false positive rate of vulnerability detection when the website filtering environment is complex.

Key words: Security testing, Protocol deformation, Pollution propagation strategy, Testing effectiveness

