
Survey on Web security testing technologies (Web安全性测试技术综述)
Cited by: 12
Abstract: Thorough and effective testing of Web applications is an important means of finding security vulnerabilities early and improving the security quality of Web applications. This paper first introduces a classification of Web application security threats and summarizes common Web application security vulnerabilities. It then gives a comprehensive overview of current research on Web security testing technologies, comparing the respective strengths and weaknesses of static and dynamic techniques, and introduces and summarizes in detail fuzzing, which has emerged as a new technique in Web security testing. Finally, it points out open problems in Web security testing and directions for future research.
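To make the static/dynamic distinction drawn in the abstract concrete, here is an added example written for this page (not code from the paper or its authors). It runs a toy static taint check over the AST of a request handler's source, then fuzzes the same handler dynamically against an in-memory SQLite database. The two handlers, the payload list and the table contents are constructed for the illustration, and the check logic is deliberately minimal; it demonstrates the trade-off, not a production scanner.

```python
"""Toy static (AST taint) and dynamic (fuzzing) SQL-injection checks for a
small Web-style handler. Constructed example for illustration only."""
import ast
import sqlite3

# Constructed sample handlers: one concatenates the request parameter into
# the SQL text (vulnerable), the other binds it as a parameter (hardened).
VULNERABLE_SRC = '''
def lookup_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
    return [row[0] for row in cur.fetchall()]
'''

HARDENED_SRC = '''
def lookup_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [row[0] for row in cur.fetchall()]
'''


def _names_in(node):
    """All variable names referenced anywhere inside an AST node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def static_sqli_findings(src):
    """Static check: without running anything, flag every .execute() call
    whose query expression is *built* (by +, %, or an f-string) from one of
    the enclosing function's parameters, i.e. from an untrusted source.
    Returns [(function_name, line_number), ...]."""
    findings = []
    for func in ast.walk(ast.parse(src)):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for call in ast.walk(func):
            if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "execute" and call.args):
                query = call.args[0]
                built = isinstance(query, (ast.BinOp, ast.JoinedStr))
                if built and _names_in(query) & params:
                    findings.append((func.name, call.lineno))
    return findings


def dynamic_sqli_findings(handler):
    """Dynamic check: call the handler with boundary-breaking inputs against
    a fresh database. A SQL error, or a result set larger than any single
    user could produce, shows the input altered the query's structure.
    Returns [(payload, observation), ...]."""
    payloads = ["alice", "'", "' OR '1'='1", "\" OR 1=1 --"]
    findings = []
    for payload in payloads:
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [(1, "alice"), (2, "bob")])  # constructed rows
        try:
            rows = handler(conn, payload)
            if len(rows) > 1:  # names are unique, so >1 row means injection
                findings.append((payload, "structure-changed"))
        except sqlite3.Error as exc:
            findings.append((payload, type(exc).__name__))
        finally:
            conn.close()
    return findings


def load_handler(src):
    """Compile one of the sample sources and return its lookup_user()."""
    namespace = {}
    exec(src, namespace)
    return namespace["lookup_user"]


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, "static: ", static_sqli_findings(src))
        print(label, "dynamic:", dynamic_sqli_findings(load_handler(src)))
```

The run shows the complementary weaknesses the paper's comparison is about: the static check reports the concatenation at line 4 of the vulnerable source without executing it, but only because that code matches a pattern it knows about, and it would miss, say, a query assembled in a helper it does not follow. The dynamic check observes real misbehaviour (a syntax error for `'`, both rows returned for `' OR '1'='1`) but only for the inputs it happens to try; the `" OR 1=1 --` payload does not break out of the single-quoted literal and so produces no signal at all, which is exactly the coverage problem fuzzing strategies exist to address. On the hardened handler both checks come back empty.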
Source: Application Research of Computers (计算机应用研究), indexed in CSCD and the Peking University Core Journals list, 2012, No. 11, pp. 4001-4005 (5 pages).
Funding: Second Artillery Research Institute (二炮研究院) Youth Innovation Fund project (2011619); National Natural Science Foundation of China project (90718018).
Keywords: Web application security vulnerabilities; static analysis; dynamic analysis; fuzzing

References (32)

  • [1] CNNIC. Statistical report on Internet development in China (January 2012) [R/OL]. (2012-01-16). http://www.cnnic.net.cn/hlfzyj/hlwxzbg/201201/P020120709345264469680.pdf.
  • [2] Symantec Corporation. Symantec Internet security threat report: trends for January-June 07, Volume XII [R]. 2007.
  • [3] TIPTON H F, KRAUSE M. Information security management handbook [M]. 6th ed. New York: Auerbach Publications, 2006.
  • [4] Open Web Application Security Project. OWASP Top 10 - 2010: the ten most critical Web application security risks [R]. 2010.
  • [5] IEEE Std 610.12-1990. IEEE standard glossary of software engineering terminology [S]. New York: IEEE, 1990.
  • [6] HUANG Yao-wen, HUANG S K, LIN T P, et al. Web application security assessment by fault injection and behavior monitoring [C]// Proc of the 12th International World Wide Web Conference. New York: ACM Press, 2003: 148-159.
  • [7] SHIREY R. RFC 2828, Internet security glossary [S]. 2000.
  • [8] ZHANG Jin, DIMITROFF A. The impact of metadata implementation on Webpage visibility in search engine results (part II) [J]. Information Processing and Management, 2005, 41(3): 691-715.
  • [9] CHESS B, WEST J. Secure programming with static analysis (Chinese edition: 安全编程:代码静态分析) [M]. 董启雄, 韩年, trans. Beijing: China Machine Press (机械工业出版社), 2008.
  • [10] JOVANOVIC N, KRUEGEL C, KIRDA E. Pixy: a static analysis tool for detecting Web application vulnerabilities (short paper) [C]// Proc of IEEE Symposium on Security and Privacy. Washington DC: IEEE Computer Society, 2006: 258-263.

Secondary references (49)

  • [1] 邵林, 张小松, 苏恩标. A new approach to vulnerability discovery based on fuzzing (一种基于fuzzing技术的漏洞发掘新思路) [J]. Application Research of Computers (计算机应用研究), 2009, 26(3): 1086-1088. Cited by: 17.
  • [2] MILLER B P, FREDRIKSEN L, SO B. An empirical study of the reliability of UNIX utilities [J]. Communications of the ACM, 1990, 33(12): 32-44.
  • [3] AITEL D. The advantages of block-based protocol analysis for security testing [R]. New York: Immunity Inc, 2002.
  • [4] SPIKE [EB/OL]. (2009-06). http://www.immunitysec.com/resources-freesoftware.shtml.
  • [5] GODEFROID P, LEVIN M Y, MOLNAR D. Active property checking [C]// Proc of the 8th ACM International Conference on Embedded Software. 2008: 19-24.
  • [6] GODEFROID P, LEVIN M Y, MOLNAR D. Automated whitebox fuzz testing [C]// Proc of the Network and Distributed System Security Symposium. 2008.
  • [7] MILLER B P, KOSKI D, LEE C P, et al. Fuzz revisited: a re-examination of the reliability of UNIX utilities and services [R]. Madison: University of Wisconsin-Madison, 1995.
  • [8] SUTTON M, GREENE A, AMINI P. Fuzzing: brute force vulnerability discovery [M]. [S.l.]: Pearson Education Inc, 2007: 16.
  • [9] LANZI A, MARTIGNONI L, MONGA M, et al. A smart fuzzer for x86 executables [C]// Proc of the 3rd International Workshop on Software Engineering for Secure Systems. [S.l.]: IEEE Computer Society, 2007: 7.
  • [10] OEHLERT P. Violating assumptions with fuzzing [J]. IEEE Security and Privacy, 2005, 3(2): 58-62.

Co-citing articles: 32

Co-cited references (69)

  • [1] 黄景文. A new defence strategy against SQL injection attacks (SQL注入攻击的一个新的防范策略) [J]. Microcomputer Information (微计算机信息), 2008, 24(6): 74-75. Cited by: 11.
  • [2] 张慧琳, 诸葛建伟, 宋程昱, 韩心慧, 邹维. A Web-page trojan detection method based on dynamic page views (基于网页动态视图的网页木马检测方法) [J]. Journal of Tsinghua University (Science and Technology) (清华大学学报(自然科学版)), 2009 (S2): 2126-2132. Cited by: 8.
  • [3] 马琳, 罗铁坚, 宋进亮, 叶世伟. Web performance testing and prediction (Web性能测试与预测) [J]. Journal of the Graduate School of the Chinese Academy of Sciences (中国科学院研究生院学报), 2005, 22(4): 472-479. Cited by: 8.
  • [4] 杨银辉. Research on the reform of the course "E-commerce Website Construction and Management" (《电子商务网站组建与管理》课程改革研究) [J]. Vocational Education Research (职业教育研究), 2007 (5): 92-93. Cited by: 9.
  • [5] CNNIC. Statistical report on Internet development in China [R/OL]. (2011-01-19) [2011-05-15]. http://www.cnnic.net.cn/dtygg/dtgg/201101/P020110119328960192287.pdf.
  • [6] STOUT G A. Testing a website: best practices [EB/OL]. [2013-10-10]. http://www.heromotocorp.com/sp-pe/uploads/Annual_Reports/pdf/20130315113443-pdf-68.pdf.
  • [7] CNNIC. Statistical report on Internet development in China (January 2011) [R/OL]. [2012-01-16]. http://www.cnnic.net.cn/hlfzyj/hlwxzbg/201201/P020120709345264469680.pdf.
  • [8] RICCA F, TONELLA P. Analysis and testing of Web applications [C]// ICSE 2001: Proc of the 23rd International Conference on Software Engineering. Piscataway: IEEE Press, 2001: 25-34.
  • [9] TORSEL A M. A testing tool for Web applications using a domain-specific modelling language and the NuSMV model checker [C]// Proc of the 2013 IEEE 6th International Conference on Software Testing, Verification and Validation. Piscataway: IEEE Press, 2013: 383-390.
  • [10] IEEE Std 610.12-1990. IEEE standard glossary of software engineering terminology [S]. New York: IEEE, 1990.

Citing articles: 12

Secondary citing articles: 24
