OALib Journal
ISSN: 2333-9721
2018

Fuzzing-Based Detection of Cloud Data Leakage Vulnerabilities

Keywords: Web application security, information leakage, fuzzing testing, business logic vulnerabilities

Abstract:

Three kinds of logic vulnerabilities currently exist in Web applications: interface enumeration, unauthorized (privilege-violating) access, and return of sensitive information. Under the SaaS service model, attackers can exploit these vulnerabilities to illegally obtain cloud data, causing losses to vendors and users. Mainstream detection schemes are not automated: they rely on penetration testing that depends on the tester's experience and cannot fully cover the complex business logic of Web applications. This paper analyzes the business logic of cloud data service Web applications, builds a threat model that abstracts the three logic vulnerabilities, designs a fuzzing-based vulnerability detection algorithm and system framework, and implements a prototype system. Experimental results show that the proposed scheme can detect the three logic vulnerabilities that cause cloud data leakage and, combined with human experience, achieves automated penetration testing. Testing real Web applications revealed unpatched instances of the three logic vulnerabilities, which have been confirmed by the vendors, improving the coverage of vulnerability discovery.

