An Effective Web Fingerprinting Method (2016)
Abstract: Accurately identifying the type and version of a Web server, and of the applications it hosts, is important for security testing of a Web site. Because a Web server's Banner is easily modified, this paper proposes analysing mainstream Web servers with black-box testing and selecting Web server fingerprints that effectively resist Banner spoofing; because the keywords of a Web application are easily removed, it proposes analysing mainstream open-source Web applications by source-code audit and selecting Web application fingerprints tied to their functionality, from which a Web fingerprint library is built. On this basis, a Web fingerprint identification tool, WebEye, is designed and implemented. Experimental results show that, compared with mainstream tools, WebEye identifies Web servers and applications faster and more accurately, and has good extensibility.
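The abstract's central point for servers is that a fingerprint built from protocol behaviour survives a rewritten Server banner, whereas a banner-only match does not. The following is an added example written for this page, not WebEye's code: it matches three constructed HTTP responses against a small constructed signature library first by banner and then by behaviour (header order plus the status codes returned to two malformed requests). The server names and every response and signature value are hypothetical and describe no real product; a defender can use the same comparison to check whether removing a banner actually hides a server's identity.

```python
"""Banner-based versus behaviour-based Web server fingerprint matching.

Added example for the method summarised in the abstract; it is not the
paper's WebEye code. Every signature and every sample response below is
constructed for illustration and does not describe any real server."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServerSignature:
    name: str
    header_order: tuple          # header order on a plain GET /
    bad_version_status: int      # status for a request with an unsupported HTTP version
    missing_host_status: int     # status for an HTTP/1.1 request that omits Host


# Constructed signature library (hypothetical servers, hypothetical behaviour).
SERVER_SIGNATURES = (
    ServerSignature("ServerA", ("Date", "Server", "Content-Type", "Content-Length"), 505, 400),
    ServerSignature("ServerB", ("Server", "Date", "Content-Type", "Content-Length"), 400, 400),
    ServerSignature("ServerC", ("Date", "Content-Type", "Server", "Content-Length"), 200, 200),
)


def parse_response(raw: bytes) -> tuple:
    """Return (status code, header names in wire order, header dict) of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    names, values = [], {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        names.append(name.strip())
        values[name.strip()] = value.strip()
    return status, tuple(names), values


def banner_match(normal: bytes) -> Optional[str]:
    """Trust the Server header: defeated by simply editing the banner."""
    _, _, headers = parse_response(normal)
    return headers.get("Server")


def behaviour_match(normal: bytes, bad_version: bytes, no_host: bytes) -> list:
    """Score each signature by behaviour the banner cannot change.

    Header order is worth 2 points, each status-code probe 1 point; the
    result is a list of (name, score / 4) sorted from best to worst."""
    _, order, _ = parse_response(normal)
    bad_version_status, _, _ = parse_response(bad_version)
    no_host_status, _, _ = parse_response(no_host)
    scored = []
    for sig in SERVER_SIGNATURES:
        score = 0
        if order == sig.header_order:
            score += 2
        if bad_version_status == sig.bad_version_status:
            score += 1
        if no_host_status == sig.missing_host_status:
            score += 1
        scored.append((sig.name, score / 4))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed responses from a "ServerA" instance whose banner was edited to read "ServerC".
NORMAL = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2016 00:00:00 GMT\r\nServer: ServerC\r\n"
          b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
BAD_VERSION = (b"HTTP/1.1 505 HTTP Version Not Supported\r\nDate: Mon, 01 Jan 2016 00:00:00 GMT\r\n"
               b"Server: ServerC\r\nContent-Length: 0\r\n\r\n")
NO_HOST = (b"HTTP/1.1 400 Bad Request\r\nDate: Mon, 01 Jan 2016 00:00:00 GMT\r\n"
           b"Server: ServerC\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("banner says:   ", banner_match(NORMAL))
    print("behaviour says:", behaviour_match(NORMAL, BAD_VERSION, NO_HOST))
```

The banner match returns the edited string "ServerC", while the behaviour match ranks "ServerA" first with a full score, which is the effect the abstract attributes to choosing fingerprints that resist Banner spoofing. The same scoring shape applies to the application half of the method: a signature built from resources an application needs in order to function is harder to strip than a "Powered by" keyword.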