現今網頁應用程式應用相較於過去更加複雜,因此產生漏洞可能性也越大,本研究透過IBM的網頁應用程式弱點掃描軟體AppScan,針對淡江大學學術單位一、二級與一級行政單位,進行網頁應用程式的弱點掃描,研究目的有二,其一,透過弱點掃描之報告經過歸納整理後,找出學校內網頁應用程式最主要的弱點。其二,針對校內各單位目前之網頁應用程式弱點,提出網頁應用程式之弱點改善建議。 本研究採用OWASP 2010十大弱點分類,與AppScan的弱點分類對照,針對校內的網頁應用程式弱點進行歸納整理,並利用AppScan的掃描報告,將AppScan所提出的弱點改善建議提供給各單位,讓各單位了解本身的網頁應用程式弱點概況,也在改善網頁應用程式弱點時能有依據。 本研究發現目前淡江大學校內網頁應用程式弱點,以OWASP 2010十大弱點分類排名前四名依序為注入弱點風險(Injection)、遭破壞的鑑別與連線管理(Broken Authentication and Session Management)、跨站請求偽造(Cross Site Request Forgery)與跨腳本攻擊(Cross Site Scripting(XSS)),此四種弱點佔了校內網頁應用程式弱點超過89%。因此若針對此四種網頁應用程式弱點改善,將能有效改善校內網頁應用程式的安全。 The web applications today use more complex, resulting the safety problem in a greater danger. In this study, by IBM’s web application vulnerability detection software AppScan, we aim at the Tamkang University primary and secondary academic unit and primary administrative unit to do our web application scanning. There are two purposes in this study. First, by the report of the vulnerability detection, we can identify the major weakness of web applications in Tamkang University. Second, improve the existing weakness of web applications in Tamkang University. In this study, we contrast the OWASP 2010 Top Ten weakness with AppScan''s vulnerability classification. Found Tamkang University campus to the current the OWASP rank the top four in order to inject, Broken authentication and session management, Cross site request forgery and Cross site scripting four weaknesses.For this four weaknesses to improve, we can effectively improve the safety of the campus web applications.
