JP5618861B2 - Information processing apparatus, information processing method, and program - Google Patents

Description

  The present invention relates to a technique for inspecting vulnerability to a Web page tampering attack.

Usually, in the development of a Web application, as in the case of development of a general application, a developer performs a test based on a development specification and confirms that the Web application operates according to the development specification before being released.
In recent years, the damage caused by attacks targeting web application vulnerabilities has increased, and for web applications, it is necessary to conduct not only functional operation tests based on development specifications but also web application security tests. It came out.
Generally, in this case, after completing the function test of the Web application and before publishing the Web application to the Internet, the Web application diagnostic service provided by the security service vendor is used to develop security vulnerabilities in the developed Web application. Make sure there is no.
This is because the web application security test requires specialized knowledge regarding the vulnerability of the web application, and the web application developer cannot perform a sufficient test.
However, since the security test of the Web application is performed after the Web application is completed, if a vulnerability is found in the Web application, a work period for correcting the vulnerability is separately required. Was an issue.

In order to solve the above problems, a system as a conventional technique for enabling a security test to be carried out even by a developer who does not have specialized knowledge about web application vulnerabilities in a web application development test. By setting the item attributes (data length, character data type, data range, etc.) related to the input items on the browser screen described in the specifications and design documents as specification information in advance, normal or abnormal evaluation data There is a technique that enables generation and testing to be performed automatically (for example, Patent Document 1).
Similarly, information on system specifications and design documents is set in advance, and based on the set specification information, whether or not the value included in the response message of the Web application matches the specification definition is automatically determined. An inspection method has also been proposed (for example, Patent Document 2 and Patent Document 3).

JP 2006-113993 A JP 2008-112300 A JP 2008-242738 A

In the security test of the conventional Web application, even if the parameter value included in the Web page output from the Web application is successfully altered, the meaning and security importance of the parameter value are unknown. However, it is a problem that it cannot be detected until it causes a security defect in later processing.
In other words, it is necessary to conduct a vulnerability check against tampering attacks with respect to important parameters that cause security problems. However, in the conventional technology, even important parameters are leaked from the vulnerability check against tampering attacks. There is a problem of end.

  The main object of the present invention is to solve the above-mentioned problems, and it is possible to surely check for vulnerabilities against tampering attacks on important parameters that could not be implemented by conventional Web application security tests. The main purpose is to improve the accuracy of Web application security testing.

An information processing apparatus according to the present invention includes:
A selection criterion information storage unit for storing selection criterion information in which selection criteria for selecting a Web page that is a target of a pseudo-tampering attack that is implemented as a vulnerability check against a tampering attack is defined;
A parameter information storage unit that stores parameter information in which a parameter that is a target of a pseudo-tampering attack is defined as a pseudo-attack target parameter;
A web page sorting unit that sorts out a pseudo-attack target web page that is a target of a pseudo-tampering attack from a plurality of candidate web pages that are candidates for a target of a pseudo-tampering attack based on the sorting criteria of the screening standard information;
The parameter corresponding to the pseudo attack target parameter defined in the parameter information is extracted from the parameters included in the pseudo attack target web page selected by the web page selection unit, and the parameter value of the extracted parameter is And a pseudo-tampering attack execution unit that performs a pseudo-tampering attack with a predetermined tampering value.

In the present invention, a pseudo attack target Web page is selected based on selection criteria information in which a selection criterion of a Web page to be attacked by a pseudo falsification attack is defined, and a parameter to be a target of a pseudo tamper attack is defined. Based on the parameter information, a parameter that is the target of the pseudo-tampering attack is extracted from the parameters included in the Web page targeted for the pseudo-attack, and the pseudo-tampering attack is performed using the parameter value of the extracted parameter as the tampering value.
For this reason, important Web pages that cause security problems are defined in the selection criteria information, and important parameters that cause security problems are defined in the parameter information. It is possible to inspect vulnerabilities against tampering attacks.

FIG. 3 is a diagram illustrating a configuration example of a Web application automatic test apparatus according to the first embodiment. FIG. 4 is a diagram illustrating an example of data stored in a test target page information DB according to the first embodiment. The figure which shows the example of the data memorize | stored in Web page screen transition information DB which concerns on Embodiment 1. FIG. FIG. 4 is a diagram showing an example of data stored in a Web page feature information DB according to the first embodiment. FIG. 4 shows an example of data stored in a Web page component DB according to the first embodiment. FIG. 4 is a flowchart showing an operation example of a Web page type identification unit according to the first embodiment. FIG. 4 is a flowchart showing an operation example of a Web page type identification unit according to the first embodiment. The figure which shows the example of the data memorize | stored in transaction flow pattern DB which concerns on Embodiment 1. FIG. FIG. 6 is a flowchart showing an operation example of a Web page importance degree determination unit according to the first embodiment. The figure which shows the example of the data memorize | stored in parameter attribute DB which concerns on Embodiment 1. FIG. FIG. 4 is a flowchart showing an operation example of an important parameter specifying unit according to the first embodiment. FIG. 4 is a flowchart showing an operation example of an important parameter specifying unit according to the first embodiment. The figure which shows the example of the data memorize | stored in Web page important parameter DB which concerns on Embodiment 1. FIG. FIG. 4 is a diagram illustrating a configuration example of a Web application automatic test apparatus according to a second embodiment. The figure which shows the example of the data memorize | stored in the specification DB which concerns on Embodiment 2. FIG. FIG. 9 is a flowchart showing an operation example of an evaluation item determination unit according to the second embodiment. FIG. 9 is a flowchart showing an operation example of an evaluation item determination unit according to the second embodiment. The figure which shows the example of the data memorize | stored in the vulnerability test data DB which concerns on Embodiment 1. FIG. FIG. 3 is a diagram showing a hardware configuration example of a Web application automatic test apparatus according to Embodiments 1 and 2.

Embodiment 1 FIG.
In the present embodiment, a configuration that realizes an improvement in accuracy of a security test for a Web application by enabling detection of a successful tampering attack on a parameter having an important meaning, which has not been understood in a security test for a conventional Web application. explain.

  FIG. 1 is a diagram showing an outline of the configuration of the Web application automatic test apparatus according to the first embodiment.

In FIG. 1, reference numeral 101 denotes a Web application automatic test apparatus, and reference numeral 102 denotes a Web server apparatus (hereinafter also simply referred to as a Web server) on which a Web application 131 to be tested operates.
The Web application automatic test apparatus 101 is an example of an information processing apparatus.

In FIG. 1, a test target page information DB 111 is a database that stores information on Web pages provided by a Web application to be tested.
The evaluation data generation unit 112 includes test target page information DB 111, vulnerability inspection data DB 113 storing vulnerability inspection data for inspecting security vulnerabilities of Web applications, and general evaluation items to be performed in Web application security tests. Evaluation data for testing the Web application is generated from the defined security evaluation item list 118.
Examples of general evaluation items defined in the security evaluation item list 118 include SQL injection, OS command injection / stealth command, path name and parameter unchecked / directory traversal, inadequate session management / forced browsing / secure mode Non-cookies, cross-site scripting, cross-site request forgery, HTTP header injection, third-party mail relay, missing access control and authorization control, hidden field manipulation, parameter tampering, backdoor and debugging options, cookie abuse And disclosure of unnecessary information.

The generated evaluation data is transmitted from the evaluation data transmitting unit 114 to the Web application 131 running on the Web server 102, and the response message is received by the response receiving unit 115.
The response message is sent to the evaluation result determination unit 116 where the presence / absence of vulnerability is determined and the determination result is displayed on the evaluation result display unit 117.

  Further, the web page type identification unit 122 uses the web page screen transition information DB 120, the web page feature information DB 121, and the web page component DB 123 to determine the web page category (product page, purchase form, confirmation) of the test target page. Page, payment completion page, user registration page, user information display / edit page, password change page, information list page, etc.).

  The Web page importance level determination unit 125 stores a transaction that stores the Web page category of the test target page specified by the Web page type specification unit 122, the Web page screen transition information DB 120, and the pattern of each transaction flow provided by the Web application. Based on the flow pattern DB 124, an important page in a series of transaction flows to be tested is specified.

  The important parameter specifying unit 127 is an important parameter (amount of money in the product purchase flow, which may cause a security defect in the subsequent processing due to a successful falsification attack among parameters passed between Web pages. User information, credit card number, etc.) are determined with reference to information in the parameter attribute DB 126 storing parameter strings that are important for each transaction flow.

  Information on important pages and important parameters included in important pages in the transaction flow (product purchase flow, user registration flow, user password change flow, etc.) specified by the Web page importance level determination unit 125 and the important parameter specification unit 127 Is stored in the Web page important parameter DB 128 and used in the subsequent determination of the success or failure of the important parameter falsification attack in the evaluation result determination unit 116.

  Here, before describing the operation of the Web application automatic test apparatus 101 in detail, an outline of the operation of the Web application automatic test apparatus 101 will be described.

The Web application automatic test apparatus 101 according to the present embodiment selects important Web pages (hereinafter also referred to as pseudo attack target Web pages) that are targets of a pseudo-tampering attack that is performed as a vulnerability check against tampering attacks. .
That is, the Web application automatic test apparatus 101 according to the present embodiment selects a pseudo attack target Web page from a plurality of test target pages (hereinafter also referred to as candidate Web pages) that are candidates for a pseudo tamper attack attack target. Then, a parameter that is a target of a pseudo-falsification attack (hereinafter, also referred to as a pseudo-attack target parameter) is extracted from the parameters in the selected Web page of the pseudo-attack attack, and the parameter value of the extracted parameter is changed to a predetermined falsification value to simulate Implement a tampering attack.
The pseudo-tampering attack is a test that simulates a tampering attack that is performed as a test item of a Web application test, and is a transmission of a Web page (evaluation data) with a parameter value set to a tampering value to the Web server 102. .
The vulnerability to the falsification attack of the pseudo attack target Web page can be evaluated by the pseudo falsification attack.
The pseudo attack target web page is, for example, a web page that is estimated to have a greater damage in the case of a falsification attack than other web pages.
In addition, the parameter that is the target of the pseudo-tampering attack is also a parameter that is estimated to have a greater damage compared to the other parameters when there is a tampering attack, for example.

In the Web page characteristic information DB 121, the Web page component DB 123, and the transaction flow pattern DB 124, selection criteria for selecting the pseudo attack target Web page are defined.
More specifically, the Web page feature information DB 121 shows a plurality of Web page categories (product page, purchase form, confirmation page, etc.), and for each category, the characteristics of the page configuration of the Web page belonging to each category and Data indicating characteristics of links to other Web pages is stored.
The Web page component DB 123 stores data indicating a character string that may appear in the link destination URL (Uniform Resource Locator) of the Web page.
Further, the transaction flow pattern DB 124 shows a plurality of transaction flows (product purchase flow, user registration flow, user password change flow, etc.) provided by the Web application, and is used in each transaction flow for each transaction flow. Web page categories are shown, and for each transaction flow, data indicating the categories of important pages, that is, the categories to be attacked by the pseudo-tampering attack, is stored.
Although details will be described later, for example, the data shown in FIG. 4 is stored in the Web page feature information DB 121, and the data shown in FIG. 5 is stored in the Web page component DB 123, for example. For example, data shown in FIG. 8 is stored in the DB 124.
Note that the data stored in the Web page feature information DB 121, the Web page component DB 123, and the transaction flow pattern DB 124 define a selection criterion for selecting a pseudo attack target Web page. Equivalent to.
Further, the Web page feature information DB 121, the Web page component DB 123, and the transaction flow pattern DB 124 correspond to an example of a selection criterion information storage unit.

The web page type identification unit 122 assigns each candidate web page from a plurality of categories based on the features in the page configuration for each category shown in the web page feature information DB 121 and the features in the link with other web pages. Classify into one of the categories.
That is, each candidate Web page is classified into a corresponding category such that Web page A is a product page, Web page B is a purchase form, and Web page C is a confirmation page.
In addition, the web page importance level determination unit 125 includes a plurality of candidate web pages out of a plurality of transaction flows based on the transaction flow pattern in the transaction flow pattern DB 124 and the classification result of the candidate web page category by the web page type identification unit 122. Which transaction flow is supported is determined.
Further, the web page importance level determination unit 125 selects an important page (that is, a pseudo attack target web page) in the determined transaction flow based on the transaction flow pattern of the transaction flow pattern DB 124.
As described above, the transaction flow pattern indicates the category of the important page, that is, the category to be attacked by the pseudo-tampering attack.
For this reason, the Web page importance level determination unit 125 refers to the transaction flow pattern, and selects, as the Web page targeted for the pseudo attack, the Web page classified into the category targeted for the pseudo-tampering attack for the determined transaction flow. .
The web page type identification unit 122 and the web page importance determination unit 125 are examples of a web page selection unit.
Also, the important page sorting process by the web page type specifying unit 122 and the web page importance level judging unit 125 corresponds to a web page sorting step.
In addition, the process of reading the information of the Web page feature information DB 120 and the information of the Web page component DB 123 by the Web page type identification unit 122 and the process of reading the information of the transaction flow pattern DB 124 by the Web page importance level determination unit 125 This corresponds to the reading step.

The parameter attribute DB 126 stores important parameters, that is, data defining parameters to be subjected to a pseudo-tampering attack.
Data stored in the parameter attribute DB 126 is an example of parameter information, and the parameter attribute DB 126 corresponds to an example of a parameter information storage unit.

The important parameter specifying unit 127 extracts a parameter corresponding to the important parameter defined in the parameter attribute DB 126 from the parameters included in the pseudo attack target web page selected by the web page importance level judging unit 125.
The parameters extracted as corresponding to the important parameters correspond to examples of pseudo attack target parameters.
In addition, the evaluation data generation unit 112 and the evaluation data transmission unit 114 perform a pseudo-tampering attack.
Specifically, the evaluation data generation unit 112 generates a Web page (evaluation data) in which the parameter value of the parameter extracted by the important parameter specifying unit 127 is a predetermined falsification value, and the evaluation data transmission unit 114 Data is transmitted to the Web server 102.
The important parameter identification unit 127, the evaluation data generation unit 112, and the evaluation data transmission unit 114 correspond to an example of a pseudo-tamper attack execution unit.
Note that the important parameter extraction processing and the pseudo tampering attack execution processing performed by the important parameter specifying unit 127, the evaluation data generating unit 112, and the evaluation data transmitting unit 114 correspond to a pseudo tampering attack execution step.
Also, the process of reading information from the parameter attribute DB 126 by the important parameter specifying unit 127 corresponds to a parameter information reading step.

  Next, the operation of the Web application automatic test apparatus 101 according to the present embodiment will be described in detail with reference to the drawings.

First, as a preparation, acquisition of a list of Web pages provided by the Web application and generation of screen transition information thereof are performed.
In addition, the web page list provided by the web application 131 may be collected by the tester manually accessing the web application, or using a technology for automatically collecting the web page list (web crawling technology). May be collected.
As for the screen transition information of Web pages, by extracting the link relations of pages described in HTML (Hyper Text Markup Language) of the collected Web pages, it is a directed graph with each page as a vertex and the link relation as an edge. Generate.
The screen transition information of the extracted web page is stored in the web page screen transition information DB 120.

FIG. 2 shows the structure (200) of the test target page information DB 111 that stores a list of Web pages provided by the Web application 131.
In FIG. 2, the URL of the test target page, the transmission message to the Web application 131, and the response message (Web page) from the Web application 131 to the transmission message are stored in association with each other.

FIG. 3 shows the structure (300) of the Web page screen transition information DB 120.
In FIG. 3, the link source URL and the link destination URL for the test target page URL are stored.
With respect to the URL of the test target page linked from a plurality of link source URLs, a plurality of rows having different link source URLs are stored.
The same applies to the test target page URL having a plurality of link destination URLs.
Based on the information in the Web page screen transition information DB 120, the link relation of the URL of the test target page can be extracted as a directed graph.

  Next, the important page (pseudo attack target Web page) and the important page stored in the Web page important parameter DB 128 used for determining whether the falsification attack of the important parameter (pseudo attack target parameter) is successful in the evaluation result determination unit 116. A method for determining important parameters included in a page will be described.

The web page type identification unit 122 identifies the feature information for identifying the type of the web page stored in the web page feature information DB 121 and the component of the web page stored in the web page component element DB 123. The type (category) of the read Web page (candidate Web page) is specified based on the component specifying character string.
Examples of the types of Web pages include a product information display page, a purchase form input page for purchase, a confirmation page for a value entered in the purchase form input, a purchase settlement completion page, and the like for a product transaction.
Each page has a feature that indicates its type.

FIG. 4 shows the structure (400) of the Web page feature information DB 121.
In FIG. 4, for the sake of simplicity, the features for each Web page type are described in text, but in actuality, they are described by conditional expressions and numerical values so that they can be easily processed by a computer.
As a feature indicating the type of Web page, for example, in the case of a purchase settlement completion page, the link path from the top page tends to be long.
In addition, the purchase settlement completion page may have components such as, for example, a print button displayed, an email address input for transmitting the result, and a link to a post-purchase questionnaire input screen.
A score is assigned to each of these components, and the scores of the components constituting the page are added, and when the obtained score exceeds a predetermined threshold, the purchase settlement completion page is specified. .
Note that the threshold value used in the determination may be set for each page type, or may be the same threshold value between page types.

FIG. 5 shows the structure (500) of the Web page component DB 123.
As shown in FIG. 5, when a component specific character string is defined for each component, and there is a character string that matches the component specific character string in the link destination URL (component) of the test target page. The component name can be specified.
With respect to the URL, there is a high possibility that a character string related to the main content appears in the URL.
For example, in the case of a URL to a print page, the content that performs page shaping optimal for printing is the main content. Therefore, a character string of a character string related to printing (for example, print, output, etc.) is included in the URL. There is a high possibility.
The constituent elements of the test target page are specified using the character string related to the main content appearing in the URL as a clue.
In addition, as shown in FIG. 5, you may define a component specific character string using a regular expression.
By using regular expressions, a plurality of similar component element specifying character strings can be defined together, so that the amount of data stored in the Web page component element DB 123 can be reduced.

Next, details of the operation of the Web page type identification unit 122 will be described.
6 and 7 show flowcharts of processing of the Web page type specifying unit 122. FIG.

The web page type identification unit 122 first reads one response message (web page) from the web application 131 stored in the test target page information DB 111 (S601).
Next, based on the URL of the test target page (candidate Web page), the Web page type specifying unit 122 refers to the Web page screen transition information DB 120 and calculates the length of the link from the TOP page (S602). .
At this time, a redundant path or loop may occur in a Web application having a complicated screen transition structure.
With regard to these, existing techniques for searching for the shortest route can be applied.
For example, the Dijkstra method is famous.
Next, the web page type specifying unit 122 reads information in the web page feature information DB 121 based on the obtained link length from the TOP page, and searches for a web page type whose link length matches the condition. (S603).
If a Web page type that applies to the link length feature is extracted by the search, the score of the Web page type that applies the feature is added (S604, S605).
Next, the Web page type specifying unit 122 extracts the link destination URL of the test target page from the Web page screen transition information DB 120 (S606), selects one link destination (S607), and extracts the characters of the extracted link destination URL. The Web page component DB 123 is searched based on the column, the corresponding information is read, and the component of the test target page is specified (S608).
Next, the Web page type specifying unit 122 specifies components for all link destination URLs extracted from the Web page screen transition information DB 120 (S609).

Next, the Web page type specifying unit 122 selects one of the specified components (S610), and as a result of searching the Web page feature information DB 121 (S611), there is a Web page type to which the feature of the component applies. If so, the score is added to the Web page type to which the feature applies (S612, S613).
After searching the Web page feature information DB 121 for all the components of the test target page specified in S609 and completing the addition of the Web page type score (S614), there is one Web page type to which the score is added. If it does not exist, the Web page type specifying unit 122 determines that the Web page type related to the test target page read in S601 is unknown (S615, S616).
When there is even one web page type to which the score is added, the web page type specifying unit 122 determines whether the score exceeds a threshold value (S617).
When there is only one web page type whose score exceeds the threshold, it is determined that the test target page is the web page type (S618, S622).
When there are a plurality of Web page types that exceed the threshold value and there are no Web page types that exceed the threshold value, the Web page type is determined from the size of the score.
If a plurality of Web page types having the highest score have the same score, it is determined that the test target page has characteristics of a plurality of Web page types (S619, S620, S622).
If there is only one web page type having the highest score, it is determined as the web page type of the test target page (S619, S621, S622).
Finally, the process ends when the web page type can be specified for all the test target pages included in the test target page information DB 111 (S623).

For example, if a purchase settlement completion page is specified, a page linked to the purchase settlement completion page is linked to the confirmation page, and a page linked to the confirmation page is linked to the purchase form entry page or purchase form entry page. It is possible to specify the type of each Web page by going back to the page, such as a product information display page.
In addition, each page type has characteristics such as the title of the page, and the confirmation page includes parameters with random numbers for CSRF (Cross Site Request Forgeries) countermeasures. By using this information together, the accuracy of specifying the type of Web page is improved.

Next, the operation of the Web page importance level determination unit 125 will be described.
The web page importance level determination unit 125 identifies an important page in a series of transaction flows to be tested based on the transaction flow pattern DB 124 that stores patterns of each transaction flow provided by the web application.

FIG. 8 shows the structure (700) of the transaction flow pattern DB 124.
As shown in FIG. 8, an important flag for an important page in the page link pattern and the transaction flow pattern is defined for each transaction flow pattern, with information on the link source and link destination of the Web page.

In the transaction flow pattern DB 124, an important flag is set for an important page in the transaction flow (confirmation page in FIG. 8).
For example, in a product purchase flow, a confirmation page that finally transitions to a purchase settlement completion page is important.
Because the parameter sent from the confirmation page to the purchase settlement completion page may be used for the purchase settlement process as it is, if the parameter sent from the confirmation page to the purchase settlement completion page is tampered with, Otherwise, there is a risk that the payment process will be performed with the altered value.
Therefore, the web page importance level determination unit 125 identifies the test target page that means the confirmation page as the important page (pseudo attack target web page) based on the information of the important flag in each transaction flow.

FIG. 9 is a flowchart showing important page specifying processing in the Web page importance level determination unit 125.
The processing of the Web page importance level determination unit 125 will be described with reference to FIG.

First, the Web page importance level determination unit 125 selects the URL of the test target page and the Web page type from the Web page type specification result of the test target page, which is the output of the Web page type specifying unit 122 (S801). .
Next, the web page importance level determination unit 125 searches the web page screen transition information DB 120 based on the URL of the test target page, and acquires the link source URL and link destination URL of the test target page (S802).
Next, the web page importance determination unit 125 identifies the web page type of the link source URL and the link destination URL from the output of the web page type identification unit 122, and based on these and the web page type of the test target page. Then, the information of the transaction flow pattern DB 124 is searched to acquire (read out) the transaction flow pattern and the important flag (S803).
When the transaction pattern is specified (S804), the Web page importance level determination unit 125 stores the test target page, the transaction flow pattern, and the importance flag as the transaction flow specification result (S805).
When the specific process of the transaction flow pattern is completed for all the test target pages, the web page importance level determination unit 125 selects the test target page whose importance flag is 1 on the transaction flow from the specific result of the transaction flow pattern. Extract as important pages, output the transaction flow pattern and important page (s) as important page identification results, and end the process (S806, S807, S808).

  In the Web page importance level determination unit 125, for example, a transaction flow pattern in which a product information display page, a purchase form input page, a confirmation page, and a purchase settlement completion page are sequentially linked is specified as a product purchase flow.

Next, the operation of the important parameter specifying unit 127 will be described.
The important parameter specifying unit 127 refers to the parameter attribute DB 126 from the transaction flow pattern and the important page included in the important page specifying result, which is the output of the web page importance determining unit 125, and sets the important parameter (pseudo attack target parameter). Is identified.

The important parameter (pseudo attack target parameter) refers to a variable in a form tag of HTML (HyperText Markup Language) in which a value that may cause a security defect in subsequent processing is set.
Therefore, at least one form tag exists in the test target page where the important parameter exists.
The variable in the form tag is sent to the Web application and processed when the screen transitions to the next screen.

FIG. 10 shows the configuration (900) of the parameter attribute DB 126.
As shown in FIG. 10, an important parameter character string is defined for each transaction flow.
As shown in FIG. 10, the important parameter character string may be defined using a regular expression.
By using regular expressions, a plurality of similar parameter names can be defined together, so that the amount of data stored in the parameter attribute DB 126 can be reduced.

  The important parameter specifying unit 127 first searches the parameter attribute DB 126 based on the transaction flow specified by the Web page importance determining unit 125, and acquires an important parameter character string.

FIG. 11 and FIG. 12 are flowcharts showing the important parameter specifying process in the important parameter specifying unit 127.
The process of the important parameter specifying unit 127 will be described with reference to FIGS. 11 and 12.

The important parameter specifying unit 127 first determines whether there are a plurality of form tags on the important page specified by the Web page importance level determining unit 125 (S1001).
If the important page includes a plurality of form tags, one form tag is selected from them (S1002).
Next, the important parameter specifying unit 127 refers to the Web page screen transition information DB 120 based on the value of the action (link destination page) in the selected form tag, and displays all pages linked to the link destination page. Extract (S1003). That is, it is determined whether or not there is another Web page that uses the link destination page as the link destination.
If there are multiple pages linked to the linked page as a result of the extraction (if there are other web pages that link to the linked page), the linked page can be an advertisement page or a search page, The link is determined to be unrelated to the transaction flow, and the next form tag is selected (S1004).
The important parameter specifying unit 127 repeats the processing from S1002 to S1004, and forms tag to the page linked from only the important page (that is, form tag in which there is no other web page linked to the linked web page) ).
Note that since there is always one page that changes only from the form tag including the important parameter, the loop from S1002 to S1004 always ends.
If there is only one form tag in the important page, and if a form having a link to a page linked only from this page is identified in the important page by the processing from S1002 to S1004, the process proceeds to S1005. .
In S1005, the important parameter specifying unit 127 searches the parameter attribute DB 126 based on the transaction flow pattern specified by the Web page importance level determining unit 125, and extracts (reads out) an important parameter character string.

Next, the important parameter specifying unit 127 selects one parameter included in the form of the important page (S1006), and compares the parameter name in the selected form tag with the important parameter character string (S1007).
As a result of the comparison, if a parameter name that matches the important parameter character string exists in the form tag, the parameter is stored as an important parameter (S1008).
The important parameter specifying unit 127 compares all the parameter names existing in the form tag (S1009), and then outputs the important parameter (s) obtained as a result of the comparison (S1010).
The output URL of the important page, the action value of the form tag including the important parameter, and the important parameter are stored in the Web page important parameter DB 128 (S1011).

FIG. 13 shows the structure (1100) of the Web page important parameter DB 128.
In the Web page important parameter DB 128, the URL of the important page, the action value (link destination page) set in the form tag including the important parameter, and the parameter name of the important parameter are stored in association with each parameter name of the important parameter.
These pieces of information are referred to later in the evaluation result determination unit 116, and are used in the determination of the success or failure of the falsification attack related to the important parameter.

For all important pages included in the test target page, after the important parameters are specified in the Web page important parameter DB 128, the Web application automatic test apparatus 101 starts testing the Web application 131 operating on the Web server 102. To do.
In the test, all the tests described in the security evaluation item list 118 are performed on the test target page in the evaluation data generation unit 112 based on the information of the test target page information DB 111 and the vulnerability inspection data DB 113. It starts from the generation of the evaluation data necessary to do this.

FIG. 18 shows the structure (1500) of the vulnerability check data DB 113.
As shown in FIG. 18, in the vulnerability inspection data DB 113, test items and vulnerability inspection data used for inspecting the test items are stored in association with each other.
The evaluation data generation unit 112 generates an evaluation page by changing the important parameter value of the important page to a falsification value based on the test items and vulnerability check data defined in the vulnerability check data DB 113.
For example, for the product ID included in the important parameter name of FIG. 13, the evaluation data generation unit 112 generates a Web page in which a product name that does not actually exist is set as evaluation data.
After the creation of the evaluation data is completed, the evaluation data transmission unit 114 transmits the created evaluation data to the Web application 131 that is the test target page provider for each test target page.
The response reception unit 115 receives a response message from the Web application for the transmitted evaluation data.

  The evaluation result determination unit 116 compares the response message received by the response reception unit 115 with the response message from the Web application 131 when the Web application 131 stored in the test target page information DB 111 is normally accessed, It is determined whether or not a change is found in the response message of the Web application 131 based on the transmitted evaluation data.

  The above-described evaluation data creation process in the evaluation data generation unit 112, the process of the evaluation data transmission unit 114 that transmits the created evaluation data to the Web application 131, and the response reception unit 115 that receives a response from the Web application 131. In the process other than the critical parameter falsification attack success determination process in the evaluation result determination unit 116 for determining the response message from the Web application 131 received by the response reception unit 115, various methods are disclosed as existing technologies. In this embodiment, it is assumed that the same implementation as the existing technology is performed.

The evaluation result determination unit 116 compares the response message of the Web application 131 when the evaluation data with the altered parameter is transmitted with the transition information of the Web application 131 stored in the Web page screen transition information DB 120, resulting in an error. If the page does not transition to a page different from the normal page, such as a page, the pseudo-tampering attack may have succeeded.
In this case, the evaluation result determination unit 116 refers to the Web page important parameter DB 128 and determines whether the parameter that succeeded in the pseudo-tampering attack is an important parameter.
In other words, if the response from the Web application 131 to the evaluation data in which the important parameter has been altered is not a response indicating that an abnormality has been detected in the Web application 131 such as an error page, the pseudo-falsification attack in which the important parameter has been altered is successful. It is determined that
If the parameter that succeeded in the pseudo-tampering attack is an important parameter, it is detected as a successful alteration attack of the parameter important for security.
Other than that, it means that the Web application 131 has detected a parameter with a low security risk even if it has been tampered with or has been tampered with, and is not regarded as a successful tampering attack.
Finally, the result determined by the evaluation result determination unit 116 is displayed on the evaluation result display unit 117 and notified to the user.

As described above, in this embodiment, the type of the test target page is specified based on the feature information of the Web page, and based on the transaction flow pattern information from the context of the specified Web page, Specify the type, specify a Web page that is important for security for the specified transaction flow, and specify important parameters that may cause security problems in subsequent processing if a tampering attack occurs in the parameter value. Keep specific.
For this reason, it is possible to detect the success or failure of a falsification attack of an important parameter that has been difficult until now.
In addition, when specifying an important parameter, it is possible to accurately specify an important parameter even when there are a plurality of form tags on the important page.
This improves the security test accuracy in the Web application test.

As described above, in the present embodiment,
A means for specifying the type of the test target page based on the characteristic information of the Web page and a means for specifying the type of the Web transaction flow based on the transaction flow pattern information from the context of the specified Web page A means to identify Web pages that are important to security for the transaction flow, a means to identify important parameters that may cause security problems in subsequent processing when a parameter value tampering attack occurs, and important A Web application automatic test apparatus having a means for checking the success or failure of a parameter alteration attack has been described.

Embodiment 2. FIG.
In the first embodiment described above, the success or failure of the falsification attack of the important parameter is determined by specifying the important page in the Web page output by the Web application to be tested and specifying the important parameter included in the important page. Next, a mode in which the test is efficiently performed will be described.

FIG. 14 is a diagram illustrating a configuration outline of the Web application automatic test apparatus 101 according to the second embodiment.
In FIG. 14, a specification DB 1201 is a database that stores Web application specification information input by the user.
The evaluation item determination unit 1202 determines the evaluation items to be executed in the test based on the information in the test target page information DB, the specification DB 1201, and the security evaluation item list 118 that defines general evaluation items to be performed in the Web application security test. Determine automatically.
More specifically, the evaluation item determination unit 1202 inputs a security evaluation item list 118 (example of test item information) in which a plurality of evaluation items (test items) for the Web page are shown, and refers to the specification information. Thus, for each test target page, it is determined whether or not the target attribute targeted by the evaluation item (test item) shown in the security evaluation item list 118 is included.
Then, if the test target page does not include the target attribute, the evaluation item corresponding to the target attribute is excluded from the test item (test test item) for the test target page, and is performed for each test target page. Determine the item.
The evaluation item determination unit 1202 is an example of a test execution item determination unit.
Reference numerals 111 to 131 are the same as those in FIG.

Next, the operation will be described.
First, it is assumed that a series of processes up to output of information to the Web page important parameter DB 128 described in Embodiment 1 (S1011 in FIG. 12) has already been completed.
When starting a Web application test, the user inputs specification information of the Web application from the user interface.
The input specification information of the Web application is stored in the specification DB 1201.

FIG. 15 shows an example of the specification DB structure and Web application specification information input by the user (1300).
As shown in FIG. 15, the specification information indicates attributes set in the test target page for each test target page.
Note that the test target page described as DB in the setting item has an attribute of performing DB access.
Further, the test target page in which “PARAM” is described in the setting item and “hidden” is described in the type has an attribute that the hidden parameter exists.
Moreover, the test target page described as SSL in the setting item has an attribute of performing SSL communication.
Further, the test target page described as “COOKIE” in the setting item has an attribute of using Cookie.
Further, the test target page described as MAIL in the setting item has an attribute of performing e-mail transmission.

  Next, the evaluation item determination unit 1202 automatically determines items to be tested for each page from the security evaluation item list 118 based on the information in the specification DB 1201 and the test target page information DB 111.

16 and 17 show flowcharts of the operation in the evaluation item determination unit 1202.
The operation in the evaluation item determination unit 1202 will be described with reference to FIGS. 16 and 17.

The evaluation item determination unit 1202 first refers to the test target page information DB 111 and acquires a list of test target pages (S1401).
Next, the evaluation item determination unit 1202 selects one test target page from the list of acquired test target pages (S1402).
Next, the evaluation item determination unit 1202 acquires specification information from the specification DB 1201 regarding the selected test target page (S1403).
Next, the evaluation item determination unit 1202 reads the security evaluation item list 118, and sets to execute all items described in the security evaluation item list 118 as an initial setting (S1404).
Next, the evaluation item determination unit 1202 sets unnecessary evaluation items to be ineffective based on the specification information acquired from the specification document DB 1201 (S1405 to S1416).
In step S1405, the evaluation item determination unit 1202 determines whether or not the test target page performs DB access based on the specification information. If the DB access is not performed, the evaluation item determination unit 1202 sets the SQL injection item to non-execution (S1406).
In step S1407, the evaluation item determination unit 1202 determines whether the test target page includes a hidden parameter. If there is no hidden parameter, the evaluation item determination unit 1202 sets the operation item in the hidden field to be ineffective (S1408).
In step S1409, the evaluation item determination unit 1202 determines whether there is a parameter on the test target page. If there is no parameter, the evaluation item determination unit 1202 sets the parameter alteration item and the cross-site scripting item to be ineffective (S1410).
In step S1411, the evaluation item determination unit 1202 determines whether the cookie is used on the diagnosis target page. If the cookie is not used, the evaluation item determination unit 1202 sets the cookie abuse item to be not implemented (S1412).
In step S1413, the evaluation item determination unit 1202 determines whether the test target page performs SSL communication. If not, the evaluation item determination unit 1202 sets the cookie item that is not in the secure mode to non-execution (S1414).
In step S1415, the evaluation item determination unit 1202 determines whether to send an email on the diagnosis target page. If the email is not sent, the evaluation item determination unit 1202 sets the third-party relay item of the email to ineffective (S1416). ).
When the process reaches S1417, it is determined whether or not the test items have been determined for all the test target pages described in the list of test target pages acquired in S1401, and if there are remaining items, the processing from S1402 is performed again.
Finally, if it is determined in S1417 that the test items have been determined for all the test target pages, the evaluation items for each test target page are output and the operation is terminated (S1418).

In the evaluation item determination unit 1202, after the test execution items for all the test target pages are determined, the evaluation data generation unit 112 performs the test execution items determined for each page by the evaluation item determination unit, the specification DB 1201, and Evaluation data for each page is created based on the information in the vulnerability inspection data DB 113.
The data set in the evaluation data is based on the range (minimum value, maximum value) that can be taken by the parameter value set in the parameter DB 1201 in the specification document DB 1201 (item whose setting item is PARAM in FIG. 15). It is determined.
The created evaluation data is transmitted to the Web application 131 via the evaluation data transmission unit 114.
The subsequent processing from the reception of the response message from the Web application 131 until the evaluation result is displayed on the evaluation result display unit 117 is the same as in the first embodiment.

  As described above, in the present embodiment, in addition to the first embodiment, the security evaluation items to be tested for each page are determined based on the Web application specification information input by the user. By creating evaluation data, tests that are not required in the specifications are not performed on the Web application, so the efficiency of the entire Web application test can be improved and the test execution time can be shortened. it can.

As described above, in the present embodiment,
A web application automatic test apparatus comprising means for inputting specification information of a web application, means for automatically determining a test item based on the inputted web application specification information and security evaluation item list information explained.

Finally, a hardware configuration example of the Web application automatic test apparatus 101 shown in the first and second embodiments will be described.
FIG. 19 is a diagram illustrating an example of hardware resources of the Web application automatic test apparatus 101 described in the first and second embodiments.
The configuration in FIG. 19 is merely an example of the hardware configuration of the Web application automatic test apparatus 101. The hardware configuration of the Web application automatic test apparatus 101 is not limited to the configuration illustrated in FIG. It may be a configuration.

19, the Web application automatic test apparatus 101 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
The “˜DB” described in the first and second embodiments is realized by the RAM 914 and the magnetic disk device 920.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

The communication board 915 is connected to the network.
For example, the communication board 915 is connected to a LAN (local area network), the Internet, a WAN (wide area network), a SAN (storage area network), and the like.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the Web application automatic test apparatus 101 is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores programs that execute the functions described as “˜unit” and “˜means” in the description of the first and second embodiments. The program is read and executed by the CPU 911.

In the description of the first and second embodiments, the file group 924 includes “determination of”, “calculation of”, “addition of”, “comparison of”, “selection of”, and “specification of”. ”,“ Extraction of ”,“ evaluation of ”,“ search for ”,“ update of ”,“ setting of ”,“ registration of ”,“ generation of ”, etc. Information, data, signal values, variable values, and parameters indicating the results are stored as items of “˜file” and “˜database”.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, operation, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowcharts described in the first and second embodiments mainly indicate input / output of data and signals, and the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, DVDs, and the like. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

Further, in the description of the first and second embodiments, what is described as “to part” and “to means” may be “to circuit”, “to device”, and “to device”. It may be “˜step”, “˜procedure”, “˜processing”.
That is, the information processing method according to the present invention can be realized by the steps, procedures, and processes shown in the flowcharts described in the first and second embodiments.
In addition, what is described as “˜unit” and “˜means” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “˜unit” and “˜means” of the first and second embodiments. Alternatively, the procedures and methods of “to part” and “to means” of the first and second embodiments are executed by a computer.

  As described above, the Web application automatic test apparatus 101 shown in the first and second embodiments includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, and a display device as an output device. The computer includes a communication board and the like, and implements the functions indicated as “˜unit” and “˜means” using the processing device, the storage device, the input device, and the output device as described above.

  DESCRIPTION OF SYMBOLS 101 Web application automatic test apparatus, 102 Web server, 111 Test object page information DB, 112 Evaluation data generation part, 113 Vulnerability inspection data DB, 114 Evaluation data transmission part, 115 Response reception part, 116 Evaluation result determination part, 117 Evaluation Result display section, 118 Security evaluation item list, 120 Web page screen transition information DB, 121 Web page feature information DB, 122 Web page type specifying section, 123 Web page component DB, 124 Transaction flow pattern DB, 125 Web page importance Determination unit, 126 Parameter attribute DB, 127 Important parameter specifying unit, 128 Web page important parameter DB, 131 Web application, 1201 Specification DB, 1202 Evaluation item determination unit.

Claims (12)

A selection criterion information storage unit for storing selection criterion information in which selection criteria for selecting a Web page that is a target of a pseudo-tampering attack that is implemented as a vulnerability check against a tampering attack is defined;
A parameter information storage unit for storing parameter information in which parameters to be subjected to a pseudo-tampering attack are defined;
A web page sorting unit that sorts out a pseudo-attack target web page that is a target of a pseudo-tampering attack from a plurality of candidate web pages that are candidates for a target of a pseudo-tampering attack based on the sorting criteria of the screening standard information;
A parameter corresponding to the parameter defined in the parameter information is extracted as a pseudo attack target parameter from the parameters included in the Web page selected by the web page selection unit, and the extracted pseudo attack target An information processing apparatus comprising: a pseudo-tampering attack execution unit that performs a pseudo-tampering attack by setting a parameter value of a parameter to a predetermined tampering value. The selection criteria information storage unit
Multiple categories of web pages are shown, and for each category, the features of the web page within each web page and the features of links to other web pages are shown as features of web pages belonging to each category. Multiple transaction flows to be displayed, and for each transaction flow, the category of the Web page used in each transaction flow is indicated, and for each transaction flow, the category to be attacked by the pseudo-tampering attack is indicated Memorize the reference information,
The web page sorting unit
Based on the characteristics of the link between the feature and other Web pages in the page configuration of each category are shown in the selection based reference information, classifies each candidate Web page to one of the categories of a plurality of categories, Based on the classification result of the category of the candidate Web page, it is determined which of the plurality of transaction flows corresponds to the plurality of candidate Web pages, and a pseudo-tampering attack in the determined transaction flow The information processing apparatus according to claim 1, wherein a Web page classified into a target category is selected as a pseudo attack target Web page. The selection criteria information storage unit
For each transaction flow, the category of the Web page used in each transaction flow and the link relationship between the categories are shown, and the selection criteria information that indicates the category that is the target of the pseudo-tampering attack for each transaction flow Remember
The web page sorting unit
After classifying each candidate web page into one of a plurality of categories, the link relationship between the plurality of candidate web pages is analyzed, and the plurality of candidate web pages are included in the plurality of transaction flows. The information processing apparatus according to claim 2, wherein the transaction flow is determined. The parameter information storage unit
Stores parameter information that defines parameters subject to pseudo-tampering attacks for each transaction flow,
The pseudo-tamper attack execution unit
The parameter corresponding to the transaction flow determined by the Web page selection unit is acquired from the parameter information, and the parameter acquired from the parameters included in the pseudo attack target Web page selected by the Web page selection unit The information processing apparatus according to claim 2, wherein a parameter corresponding to is extracted as a pseudo attack target parameter. The pseudo-tamper attack execution unit
A parameter corresponding to a parameter defined in the parameter information is extracted from parameters included in a form tag in a Web page targeted by a pseudo attack selected by the Web page selecting unit. The information processing apparatus according to claim 1. The pseudo-tamper attack execution unit
For each form tag in the Web page targeted by the pseudo attack selected by the Web page selection unit, it is determined whether or not there is another Web page that has the link destination Web page specified by the action value as a link destination,
A parameter corresponding to the parameter defined in the parameter information is extracted as a pseudo attack target parameter from the parameters included in the form tag in which there is no other Web page linked to the linked Web page. The information processing apparatus according to claim 5. The pseudo-tamper attack execution unit
A pseudo-attack attack is performed by transmitting a pseudo-attack target web page in which the parameter value of the pseudo-attack target parameter is set to a predetermined falsification value to the web server device that provides the pseudo-attack target web page. The information processing apparatus according to claim 1. The selection criteria information storage unit
It stores selection criteria information that defines the selection criteria for selecting a Web page that is assumed to have a greater damage in the case of a tampering attack than other Web pages as an attack target for a pseudo-tampering attack,
The parameter information storage unit
The information according to any one of claims 1 to 7, characterized by storing parameter information in which parameters that are assumed to be greater damage than other parameters are defined when there is a falsification attack. Processing equipment. The information processing apparatus further includes:
Enter test item information that shows multiple test items for a web page,
When it is determined whether or not the target attribute targeted by the test item indicated in the test item information is included for each Web page to be tested, and the target attribute is not included in the Web page 2. A test execution item determination unit that determines a test execution item for each Web page by excluding a test item corresponding to the target attribute from a test execution item in a test for the Web page. Information processing apparatus in any one of -8. The test execution item determination unit
The information processing apparatus according to claim 9, wherein it is determined whether or not a target attribute is included in the Web page with reference to specification information of the Web page to be tested. Selection criteria information read by a computer that reads selection criteria information in which selection criteria for selecting a Web page that is the target of a pseudo-tampering attack that is implemented as a vulnerability check against alteration attacks is read from a predetermined storage area Steps,
A parameter information reading step in which the computer reads parameter information in which parameters to be subjected to a pseudo-tampering attack are defined from a predetermined storage area; and
A Web page for selecting, from the plurality of candidate Web pages that are candidates for an attack target of the pseudo-tampering attack, the computer from which the pseudo-attack attack target Web page is targeted by the computer based on the selection criteria of the selection criteria information A sorting step;
The computer extracts, as a pseudo attack target parameter, a parameter corresponding to the parameter defined in the parameter information from the parameters included in the pseudo attack target Web page selected by the Web page selection step. And a pseudo-falsification attack execution step of performing a pseudo-falsification attack with the parameter value of the target parameter for the pseudo-attack as a predetermined falsification value. A selection criterion information reading step for reading out selection criterion information defining a selection criterion for selecting a Web page to be attacked by a pseudo-tampering attack performed as a vulnerability check against a tampering attack, from a predetermined storage area;
A parameter information reading step for reading out parameter information in which a parameter subject to a pseudo-tampering attack is defined from a predetermined storage area;
A Web page selection step of selecting a pseudo-attack target Web page that is an attack target of the pseudo-tampering attack from a plurality of candidate Web pages that are candidates for an attack target of the pseudo-tampering attack based on the selection criteria of the selection standard information;
A parameter corresponding to the parameter defined in the parameter information is extracted as a pseudo attack target parameter from the parameters included in the Web page selected by the web page selection step, and the extracted pseudo attack target A program that causes a computer to execute a pseudo-falsification attack execution step for performing a pseudo-falsification attack by setting a parameter value of a parameter to a predetermined falsification value.

Images