The Study of Integrated Website White-box Security Detection Mechanisms

Master's === National Kaohsiung First University of Science and Technology === Master's Program, Department of Information Management === 106 === The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focusing on improving the security of software. The risk ranking of web security vulnerabilities is based on OWASP Top 10. Top 10 Important Security Risk...


Bibliographic Details
Main Authors: LIN,WU-ZHEN, 林武震
Other Authors: JUANG,WEN-SHENG
Format: Others
Language: zh-TW
Published: 2018
Online Access: http://ndltd.ncl.edu.tw/handle/x66353
id ndltd-TW-106NKIT0396013
record_format oai_dc
spelling ndltd-TW-106NKIT0396013 2019-05-16T00:30:18Z http://ndltd.ncl.edu.tw/handle/x66353 The Study of Integrated Website White-box Security Detection Mechanisms 整合式網站白箱安全檢測機制之研究 LIN,WU-ZHEN 林武震 Master's, National Kaohsiung First University of Science and Technology, Master's Program, Department of Information Management, 106 JUANG,WEN-SHENG 莊文勝 2018 thesis 40 zh-TW
collection NDLTD
language zh-TW
format Others
sources NDLTD
description Master's === National Kaohsiung First University of Science and Technology === Master's Program, Department of Information Management === 106 === The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focusing on improving the security of software. The risk ranking of web security vulnerabilities is based on the OWASP Top 10. The Top 10 important web security risks in 2017 are (1) Injection, (2) Broken Authentication, (3) Sensitive Data Exposure, (4) XML External Entities (XXE), (5) Broken Access Control, (6) Security Misconfiguration, (7) Cross-Site Scripting (XSS), (8) Insecure Deserialization, (9) Using Components with Known Vulnerabilities, and (10) Insufficient Logging & Monitoring; the list is also used as an important indicator when a company reviews its website security. The main reason for web vulnerabilities is that users' inputs are trusted too much when the website is developed. There are some tools and services for static analysis of website source code on the Internet, such as RIPS, Pixy, and Fortify. Through the white-box security detection method, the source code is directly associated with the data flow between user parameters and vulnerability functions to analyze whether it is possible to trigger a vulnerability. In the past, all of the above tools used static methods to parse the source code. They lacked the necessary input to create a logic problem of the judgment type and the user-controlled input variables and dangerous functions. At present, the main languages of well-known services such as Facebook and Yahoo are all based on PHP. In addition, many famous website frameworks such as Laravel, WordPress, CodeIgniter and Joomla are also developed in PHP. PHP is the most popular development language nowadays, and it is also the language that causes the most development compatibility problems. Therefore, PHP is used as the website language for security detection. We use integrated static and dynamic analysis to improve on the above shortcomings. Static analysis is used to find website security vulnerabilities. The input variables and vulnerability triggering process are then imported into the dynamic analysis, which detects the status and logic of the program in the judgmental time variable, and interprets and analyzes the result. The inputted values are interpreted and analyzed to generate a condition that triggers a vulnerability.