因此本研究針對淡江大學網頁應用程式,透過弱點掃瞄工具偵測應用程式潛在之弱點後,以駭客角度進行入侵滲透測試,驗證弱點是否確實存在或存在其它潛在弱點,最後彙總出11種攻擊手法,以供網頁應用程式維護者檢測參考之用。瞭解網頁應用程式安全現況,以事前洞悉網頁應用程式潛在之弱點。研究發現,淡江大學之網頁應用程式弱點分佈為:資訊揭露與不適當的錯誤處置,佔23.26%;不安全的物件參考,佔15.95%;疏於限制URL存取,佔14.95%及其他,佔45.84%,而入侵滲透測試結果,實際造成瀏覽者、後端資料庫、管理者等密碼遭竊取與網頁資料遭修改之嚴重威脅,佔21.05%,共取得3個網頁應用程式之相關重要帳號、密碼;修改5個網頁應用程式內容。期望透過網頁應用程式弱點分析及11種攻擊手法,供網頁應用程式維護者及未來開發者較駭客早一步發現問題。 Cenzic "Web Application Security Trends Report Q1-Q2, 2009" pointed out that 90 percent of Web Applications were invaded by data leakage, cross-site attacks. During the first half of 2009, Cenzic discovered that the total number of reported vulnerabilities were up to 3100 incidents, and the percentage of Web vulnerabilities continued account for 78 percent, compared with the weaknesses found in the second half of 2008 increased by 10%. According to the present status of Web Application security, once the malicious attacks occur, often cause serious damage. While the post-processing often leads to inevitably affects on information leaks. For the reason above, we take Tamkang University Web Application vulnerability as an experiment with an view to observe the outcome through scanning tools and detect the application potential of weakness. The summary contains 11 methods of attack for the cyber administrator to test web applications as a defend reference. As for Web Application security condition, in order to advance insight into the potential of Web Application vulnerabilities.The distribution of Tamkang University Web Applications vulnerabilities is consisted as below: Information leakage and improper error handling 23.26%; Insecure direct object reference 15.95%; Failure to restrict URL access 14.95% and other 45.84%. While the invasion of penetration test results, the actual cause viewers, back-end database administrator password was stolen and other information with the page was to edit a serious threat 21.05%, a total of three important Web Applications related account password; modify the content of 5 web applications. We hoped that through the Web Application vulnerability analysis, and 11 methods of attack for the defenders and future web applications developers could find problems earlier than the hackers do.
