A generic web application testing and attack data generation method

Hsiao Yu Shih, Han Lin Lu, Chao Chun Yeh, Hsu Chun Hsiao, Shih-Kun Huang*

*Corresponding author for this work

Research output: Conference contribution, peer-reviewed

1 citation (Scopus)

Abstract

With the advances of diversified online services, there is an increasing demand for web applications. However, most web applications contain critical bugs affecting their security, allowing unauthorized access and remote code execution. It is challenging for programmers to identify potential vulnerabilities in their applications before releasing the service due to the lack of resources and security knowledge, and thus such hidden defects may remain unnoticed for a long time until they are reported by users or exposed by a third party. In this paper, we develop an automated detection method to support timely and flexible discovery of a wide variety of vulnerability types in web applications. The key insight of our work is adding a lightweight detecting sensor that differentiates attack types before performing symbolic execution. Based on the technique of symbolic execution, our work generates testing and attack data by tracking the addresses of program instructions and checking the arguments of dangerous functions. Compared to prior analysis tools that also use symbolic execution, our work flexibly supports the detection of more types of web attacks and improves system flexibility for users thanks to the detecting sensor. We have evaluated our solution by applying this detecting process to several known vulnerabilities in open-source web applications and CTF (Capture The Flag) problems, and detected various types of web attacks successfully.

Original language: English
Title of host publication: Security with Intelligent Computing and Big-data Services
Editors: Shiuh-Jeng Wang, Sheng-Lung Peng, Valentina Emilia Balas, Ming Zhao
Publisher: Springer Verlag
Pages: 232-247
Number of pages: 16
ISBN (Print): 9783319764504
DOIs:
Publication status: Published - 1 Jan 2018
Event: International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017 - Hualien City, Taiwan
Duration: 15 Dec 2017 to 17 Dec 2017

Publication series

Name: Advances in Intelligent Systems and Computing
Volume: 733
ISSN (Print): 2194-5357

Conference

Conference: International Conference on Security with Intelligent Computing and Big-data Services, SICBS 2017
Country: Taiwan
City: Hualien City
Period: 15/12/17 to 17/12/17
