    Please use this identifier to cite or link to this item: http://tkuir.lib.tku.edu.tw:8080/dspace/handle/987654321/52140


    Title: 網頁應用程式原始碼弱點分析之研究 : 以淡江大學為例 (A Study of Source Code Vulnerability Analysis of Web Applications: A Case Study of Tamkang University)
    Other Titles: Source code vulnerability analysis study of web application: a case study of Tamkang University
    Authors: 蔡震天; Tsai, Chen-tien
    Contributors: Master's Program, Department of Information Management, Tamkang University (淡江大學資訊管理學系碩士班)
    黃明達
    Keywords: Web Application Security; Source Code Analysis; Web Vulnerability
    Date: 2010
    Issue Date: 2010-09-23 16:54:38 (UTC+8)
    Abstract: According to the IBM Internet Security Systems 2009 X-Force Mid-Year Trend and Risk Report, X-Force analysed and recorded 3,240 vulnerabilities in the first half of 2009, of which 50.4% were web application vulnerabilities. From 2006 to 2009 more than 6,000 new vulnerabilities were disclosed every year, yet as of the first half of 2009, 49% of the known vulnerabilities had still not been patched. Two techniques are currently used to detect web application vulnerabilities: source code analysis and vulnerability assessment (vulnerability scanning). Vulnerability scanning tests the running system from an attacker's perspective, but it has a high false-negative rate and low accuracy, it cannot pinpoint the cause of a finding, and its simulated attacks may directly affect the database and disrupt operation. Source code analysis is the most basic way of auditing a web application; it is the kind of test that finds the most web vulnerabilities, and it points directly to the vulnerable location in the source code, which makes remediation easy.
    This study collected the web application source code of the websites of some colleges and departments at Tamkang University, ran source code analysis tools over it to detect vulnerabilities, and then used vulnerability scanning tools to verify the improvement after the source code had been patched. The results are as follows. The proportions of source code vulnerability classes in the departmental web applications on campus are: cross-site scripting (15.04%), cross-site request forgery (14.75%), injection flaws (3.7%), information leakage and improper error handling (3.67%), insecure cryptographic storage (2.82%), and other vulnerabilities that cannot be classified under the OWASP categories (60.04%). For the source code analysis software adopted by the Tamkang University Information Center, this study drew up, through hands-on use, a vulnerability detection and remediation process that integrates the operation of the campus information security service team; the process can serve as a reference for future source code vulnerability testing of other web applications on campus. In addition, for the more serious categories and some of the categories with the most findings, this study compiled 13 repair examples in 6 categories, which will help the maintainers of departmental websites and other related web applications to remediate each vulnerability class.
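    As an added illustration of the source-code analysis approach the abstract favours over black-box scanning (this is example code written for this page, not the thesis's tooling and not code from any Tamkang site; the PHP-style inputs are constructed samples, and the thesis does not say which languages the department sites used), the check below walks source line by line, flags the three most-reported OWASP categories (injection, XSS, CSRF), and, unlike a scanner, names the exact file and line to fix. The remediation hints are this example's own, not the thesis's 13 repair examples.

```python
"""Minimal line-level source code analysis for PHP-style web code.

Added example, not code from the thesis or any Tamkang department site.
Real source code analysis tools use inter-procedural taint tracking; this
regex-based pass only illustrates why the approach can point at the
offending line, which a black-box scanner cannot do.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Request-derived input in PHP: the taint sources.
SOURCE = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["

# A SQL statement literal with request input concatenated into it.
SQLI = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.*" + SOURCE, re.I)
PREPARED = re.compile(r"\bprepare\s*\(", re.I)  # parameterised: not flagged
# Request input reaching an HTML output sink in the same statement.
XSS = re.compile(r"\b(?:echo|print)\b[^;]*" + SOURCE)
ENCODED = re.compile(r"\b(?:htmlspecialchars|htmlentities)\s*\(")
# A state-changing (POST) form that closes without an anti-CSRF token field.
FORM_OPEN = re.compile(r"<form\b[^>]*\bmethod\s*=\s*[\"']?post\b", re.I)
FORM_CLOSE = re.compile(r"</form\s*>", re.I)
TOKEN_FIELD = re.compile(
    r"\bname\s*=\s*[\"']?(?:csrf_token|_token|authenticity_token)\b", re.I)

# Remediation hints belonging to this example (assumed, not the thesis's).
REMEDY = {
    "Injection": "bind the value with a prepared statement instead of concatenating it",
    "Cross-Site Scripting": "encode with htmlspecialchars($v, ENT_QUOTES, 'UTF-8') before output",
    "Cross-Site Request Forgery": "add a per-session random token as a hidden field and verify it server-side",
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str  # OWASP-style category label
    evidence: str  # the offending source line


def analyze(file_name, source):
    """Return findings for one file, ordered by line number."""
    lines = source.splitlines()
    findings = []
    form_line, form_has_token = None, False
    for n, line in enumerate(lines, start=1):
        if SQLI.search(line) and not PREPARED.search(line):
            findings.append(Finding(file_name, n, "Injection", line.strip()))
        if XSS.search(line) and not ENCODED.search(line):
            findings.append(Finding(file_name, n, "Cross-Site Scripting", line.strip()))
        if FORM_OPEN.search(line):
            form_line, form_has_token = n, False
        if form_line is not None and TOKEN_FIELD.search(line):
            form_has_token = True
        if form_line is not None and FORM_CLOSE.search(line):
            if not form_has_token:  # report at the <form> line, where the fix goes
                findings.append(Finding(file_name, form_line, "Cross-Site Request Forgery",
                                        lines[form_line - 1].strip()))
            form_line = None
    return sorted(findings, key=lambda f: f.line)


def analyze_all(files):
    """Run the check over {file_name: source} and return every finding."""
    findings = []
    for name, src in files.items():
        findings.extend(analyze(name, src))
    return findings


def distribution(findings):
    """Percentage of findings per category, the breakdown the abstract reports."""
    counts = Counter(f.category for f in findings)
    total = sum(counts.values()) or 1
    return {cat: round(100.0 * c / total, 2) for cat, c in counts.items()}


# Constructed sample input; not code from any real site.
SAMPLE = {
    "news.php": """<?php
// constructed sample, not code from any Tamkang department site
$id = $_GET['id'];
$sql = "SELECT title, body FROM news WHERE id = " . $_GET['id'];
$result = mysql_query($sql);
echo "<h1>" . $_GET['title'] . "</h1>";
echo "<p>" . htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8') . "</p>";
?>
<form method="post" action="delete.php">
  <input type="hidden" name="id" value="1">
  <input type="submit" value="Delete">
</form>
""",
    "search.php": """<?php
$stmt = $db->prepare("SELECT * FROM docs WHERE title LIKE ?");
$stmt->execute(array('%' . $_POST['q'] . '%'));
?>
<form method="post" action="search.php">
  <input type="hidden" name="csrf_token" value="<?php echo $token; ?>">
  <input type="text" name="q">
</form>
""",
}

if __name__ == "__main__":
    found = analyze_all(SAMPLE)
    for f in found:
        print(f"{f.file}:{f.line} [{f.category}] {f.evidence}")
        print(f"    fix: {REMEDY[f.category]}")
    print(distribution(found))
```

Run stand-alone it prints each finding as `file:line [category]` with its hint, then the percentage breakdown. Only news.php is reported: the parameterised query and token-bearing form in search.php pass, which is the distinction a maintainer needs when deciding what to patch. The same-line heuristics miss a query built on one line and executed on another, which is exactly the gap that real taint-tracking tools close.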
    Appears in Collections: [Department and Graduate Institute of Information Management] Theses and Dissertations

    Files in This Item: index.html (HTML, 0 KB)
