    Please use this identifier to cite or link to this item: http://nccur.lib.nccu.edu.tw/handle/140.119/120905


    Title: A study of constructing the semi-automatic website security assessment system (original Chinese title: 半自動化網站安全檢測系統建置之研究)
    Authors: 沈雅婷 (Shen, Ya-Ting)
    Contributors: 左瑞麟 (Tso, Ray-Lin); 沈雅婷 (Shen, Ya-Ting)
    Keywords: Website security assessment; Vulnerability scanning; Penetration testing; Automation; Vulnerability assessment; VA; PT
    Date: 2017
    Issue Date: 2018-11-09 15:55:48 (UTC+8)
    Abstract (Chinese, translated):

    Given that Taiwan's economy is made up largely of small and medium enterprises (SMEs), which cannot match large enterprises in resources, such companies lack a dedicated information security research team or specialist staff to carry out security assessments of their websites, equipment or internal information systems, and cannot afford expensive security testing services (e.g. vulnerability scanning or penetration testing). Taking this as its starting point, the study of constructing a semi-automatic website security assessment system (hereafter "this study") designs and builds a semi-automatic, easy-to-operate and intelligent website security assessment system tailored to SMEs.

    This study focuses on how SMEs should respond to the impact that information security weaknesses can have on an organization, with "website security assessment" as its main theme. A single web host may involve several aspects at once: the operating system, the web/application server, the website configuration and the web applications. The "semi-automatic website security assessment system" is therefore implemented on two levels, host system vulnerabilities and web application vulnerabilities, using readily available and credible assessment tools. For host system vulnerability scanning this study adopts Nessus Home Feed; for web application vulnerability scanning it uses the free tool arachni, supplemented by sqlmap for automated verification of SQL injection vulnerabilities. The two sets of scan results are subjected to expert analysis and automated verification to identify the "immediate risks" the enterprise currently faces: the immediate-risk vulnerabilities for which exploit code has already been publicly released, together with links to that code; the ports affected by immediate-risk vulnerabilities; and, for SQL injection vulnerabilities that were verified automatically, the risky URL, the parameter, the verification syntax and the detailed verification content.

    Website and system administrators of SMEs can use the expert report to understand which immediate risks their website faces, and use the "remediation recommendation report" to fix the vulnerabilities, for example by updating the system, closing immediate-risk ports or restricting the source IPs allowed to reach them, updating or correcting misconfigurations of the web server and website, and fixing coding mistakes in the application, thereby strengthening website security and improving the enterprise's overall information security.
    Abstract (English)

    According to official statistics from the Small and Medium Enterprise Administration, Ministry of Economic Affairs, over 97% of Taiwan's economic structure is composed of small and medium enterprises (SMEs). At current market rates, the cost of hiring a team of information security professionals, or dedicated experts, to examine the information security status of a company's website or internal information systems is higher than most SMEs can afford, not to mention the cost of information security testing such as vulnerability assessment (VA) and penetration testing (PT).

    The main purpose of this study is therefore to construct a semi-automatic website security assessment system that helps the administrators of these SMEs review the information security status of their websites and systems.

    This study focuses on helping these SMEs detect and repair the vulnerabilities of their websites and internal information systems, and on reducing the impact of the resulting damage. A website may have many vulnerabilities in different parts, such as the operating system (OS), the application server and the web applications. For this reason, the implementation of the "semi-automatic website security assessment system" is divided into two directions: one detects vulnerabilities in the operating system, the other detects weaknesses in the web application.

    The Semi-automatic Website Security Assessment System contains five modules: a user input module, an information collection and analysis module, an OS and web vulnerability assessment module, an automatic verification module and an expert report module. SME system administrators can improve the information security status of their websites and internal information systems by applying the assessment methodology and the semi-automatic website security assessment system of this study.
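    The "immediate risk" triage that the abstract describes (host findings with publicly released exploit code, plus the ports they affect) as an added example that is not the thesis's own code: it assumes the Nessus v2 .nessus XML layout, and the sample report, host address and CVE ids are constructed placeholders.

```python
"""Triage host-scan findings into the report's "immediate risk" list.

Added example, not code from the thesis or from Nessus. It assumes the
Nessus v2 (.nessus) XML layout as I know it: one <ReportItem> per finding
under <ReportHost>, with port/protocol/severity attributes and an
<exploit_available> child that is "true" when a public exploit exists.
"""
import xml.etree.ElementTree as ET

# Constructed sample report; host address and CVE ids are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="sme-web">
<ReportHost name="192.0.2.10">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="100001"
   pluginName="Placeholder SMB remote code execution">
  <cve>CVE-YYYY-0001</cve><exploit_available>true</exploit_available>
 </ReportItem>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="100002"
   pluginName="Placeholder weak TLS cipher suites">
  <exploit_available>false</exploit_available>
 </ReportItem>
 <ReportItem port="22" protocol="tcp" severity="3" pluginID="100003"
   pluginName="Placeholder outdated SSH daemon">
  <cve>CVE-YYYY-0002</cve><cve>CVE-YYYY-0003</cve>
  <exploit_available>true</exploit_available>
 </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def immediate_risks(nessus_xml: str) -> list:
    """Findings with a public exploit, most severe first (severity 4 = critical)."""
    root = ET.fromstring(nessus_xml)
    risks = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # Only findings with released exploit code count as immediate risk.
            if item.findtext("exploit_available", "false").lower() != "true":
                continue
            risks.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "severity": int(item.get("severity", "0")),
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
            })
    return sorted(risks, key=lambda r: r["severity"], reverse=True)


def ports_to_restrict(risks: list) -> set:
    """Ports the remediation report tells the admin to close or IP-restrict."""
    return {r["port"] for r in risks}
```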
    Reference: 1. Small and Medium Enterprise Administration, Ministry of Economic Affairs, (2017). Key SME statistics for 2017 (number of SMEs by industry). Retrieved from https://www.moeasmea.gov.tw/dl.asp?filename=871616175071.pdf

    2. Justin Clarke, (2012). SQL Injection Attacks and Defense, Syngress.

    3. Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager, Seth Fogie, (2007). XSS Attacks: Cross Site Scripting Exploits and Defense, Syngress.

    4. Patrick Engebretson, David Kennedy, (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing, Syngress.

    5. Karen Scarfone, Paul Hoffman, (2009). Guidelines on Firewalls and Firewall Policy (NIST SP 800-41 Revision 1), National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

    6. Eric Cole, (2013). Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Syngress.

    7. Nishant Shrestha, (2012). Security Assessment via Penetration Testing: A Network and System Administrator's Approach, Oslo University College.

    8. Open Web Application Security Project, (2017). OWASP Top 10 2017. Retrieved from https://www.owasp.org/index.php/Top_10-2017_Top_10

    9. ISECOM (Institute for Security and Open Methodologies), (2015). OSSTMM - Open Source Security Testing Methodology Manual. Retrieved from http://www.isecom.org/research/osstmm.html

    10. Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh, (2008). SP 800-115 - Technical Guide to Information Security Testing and Assessment, National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

    11. 楊中皇, 柯鈞凱, (2010). Design and Implementation of an Automated Web Security Assessment System Combining Vulnerability Scanning and Penetration Testing, Graduate Institute of Information and Computer Education, National Kaohsiung Normal University, Kaohsiung.

    12. Johnny Long, Bill Gardner, Justin Brown, (2008). Google Hacking for Penetration Testers, Volume 2, Syngress.

    13. David Maynor, (2007). Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, Syngress.

    14. Robert Shimonski, (2013). The Wireshark Field Guide: Analyzing and Troubleshooting Network Traffic, Syngress.

    15. David A. Shelly, (2010). Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners, Virginia Polytechnic Institute and State University.

    16. San-Tsai Sun, Ting Han Wei, Stephen Liu, Sheung Lau, (2007). Classification of SQL Injection Attacks, University of British Columbia, Electrical and Computer Engineering.
    Description: Master's thesis
    National Chengchi University
    Executive Master's Program in Computer Science
    Student ID: 103971013
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0103971013
    Data Type: thesis
    DOI: 10.6814/THE.NCCU.EMCS.013.2018.B02
    Appears in Collections: [Executive Master's Program in Computer Science] Theses

    Files in This Item:

    File: 101301.pdf | Size: 13481 Kb | Format: Adobe PDF

