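Author: 陳柏宇
Author (English): Chen, Po-Yu
Thesis title (Chinese): 互動式 Web 程式測試與攻擊生成環境
Thesis title (English): Interactive Web Testing and Attack Generation Environment
Advisor: 黃世昆
Advisor (English): Huang, Shih-Kun
Committee members: 孔崇旭; 宋定懿
Committee members (English): Koong, Chorng-Shiuh; Sung, Ting-Yi
Degree: Master's
Institution: National Chiao Tung University
Department: Institute of Computer Science and Engineering
Student ID: 0456087
Year of publication (ROC calendar): 106
Academic year of graduation: 105
Language: Chinese
Number of pages: 44
Chinese keywords: 自動化測試; 網頁安全; 符號執行; 自動化攻擊碼產生
English keywords: automatic testing; web security; symbolic execution; automatic exploit generation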
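In recent years, as web applications have become widespread, services have grown more diverse and their architectures larger and more complex, yet developer oversights have left flaws in these systems. Large services such as Facebook and LINE have both suffered intrusions by attackers. Under this threat, tools that automatically find potential attack threats must be developed.

This thesis improves the previously developed web attack generation platform (CRAXWeb for short), simplifying its originally complicated and hard-to-use workflow and redesigning its architecture so that, rather than testing targets only one at a time, it becomes a fully automated platform able to run many tests simultaneously, called CRAXWeb 2.0. The system is based on a Docker environment and improves the S2E symbolic execution environment. A crawler capable of emulating JavaScript obtains all paths of the target web pages and inserts symbolic variables, and a symbolic data detection system then detects possible vulnerabilities and performs attack generation. With the improved testing workflow, environment setup that originally took more than half an hour is shortened to under five minutes. Improvements to path exploration and combinatorial testing significantly reduce the number of tests.
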
As Web applications have grown popular in recent years, their service types have diversified and their architectures have become more complicated. However, because of developer oversights, services have been deployed with flaws. Well-known services such as Facebook and LINE have had security incidents caused by such flaws. Under these circumstances, the need to find potential vulnerabilities automatically is critical.

This thesis improves the web exploit generation tool CRAXWeb into CRAXWeb 2.0 by simplifying the complicated process of the original design and refactoring the system so that it tests applications concurrently and with full automation. Based on the Docker environment, we improve the S2E symbolic execution environment and use a web crawler capable of emulating JavaScript to retrieve all the web pages and inject symbolic variables. The paths are then sent to a server whose symbolic data detector identifies potential vulnerabilities for exploit generation. We improve the testing process from half an hour to less than five minutes. The testing time is significantly reduced by the new path exploration method and the use of combinatorial testing.

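Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1-1 Motivation
1-2 Research Objectives
1-3 Thesis Outline
Chapter 2 Background
2-1 Software Quality Testing
2-1-1 Symbolic Execution
2-1-2 Concolic Execution
2-1-3 Single-Path Concolic Execution
2-1-4 S2E-Based Symbolic Environment
2-2 Web Application Security
2-2-1 Injection Attacks
2-2-2 Cross-Site Scripting
2-3 Existing CRAXWeb Architecture
2-4 Testing Workflow of the Existing Architecture
2-5 Existing Problems
Chapter 3 Related Work and Technologies
3-1 Virtualization Approaches
3-1-1 Virtual Machines
3-1-2 Docker
3-2 End-to-End Testing
3-3 Combinatorial Testing
3-4 Systems for Automatic Web Application Attack Generation
Chapter 4 Methodology
4-1 Docker-Based CRAXWeb 2.0 Architecture
4-2 Modern Web Crawling
4-3 Application of Combinatorial Testing
4-4 Improved Testing Workflow
Chapter 5 System Implementation
5-1 Implementation of Communication Between Interfaces
5-2 Proxy Server Implementation
5-3 Emulated Browser and Combinatorial Testing Implementation
Chapter 6 Experimental Results and Analysis
6-1 CRAXWeb 2.0 User Interface and Workflow
6-2 Preliminary Screening of Web Applications
6-3 Web Path Exploration
Chapter 7 Conclusion and Future Work
7-1 Conclusion
7-2 Future Work
References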

(The full text is restricted to internal viewing.)