Chapter 5: Conclusion and Future Research Directions

5.2 Future Research Directions

On the platform implementation side, there are still parts that could be strengthened and improved. Because the system is open, it will accept functional units developed with whatever habits and techniques their developers bring. For a functional unit to be deployed smoothly and run correctly, control over the versions of the source code inside each functional unit and over its namespaces is essential; at present this control is achieved by imposing rules on users. The problem could instead be addressed by other means, for example by having the system modify the functional unit's source code directly.

On the platform's value-added applications: PL-SWAP is an independent application with complete functionality, but if we look at it from the perspective of application integration, it could perhaps be integrated with an examination system. With PL-SWAP taking the role of question bank and question-setting system, combined with a front-end examination system, the result would be an examination system for learning Web application security.
Appendix 1: PL-SWAP Database Entity Details

Entity: sys_challengeExam

Entity details:
  Description                  Different exam papers assigned to different members
  Primary key constraint name  PK_sys_challengeExam

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   ce_id           INTEGER    Yes
  FK   ce_gid          INTEGER    Yes
  FK   ce_exid         INTEGER    Yes
       ce_roleid       INTEGER    Yes
  FK   ce_userid       NVARCHAR   Yes
       ce_ok           CHAR       Yes

Relationships:
  Relationship name                     Type             Parent              Child              Cardinality
  sys_checkPointInfo_sys_challengeExam  Non Identifying  sys_checkPointInfo  sys_challengeExam  Zero Or More
  sys_examCreate_sys_challengeExam      Non Identifying  sys_examCreate      sys_challengeExam  Zero Or More
  sys_userInfo_sys_challengeExam        Non Identifying  sys_userInfo        sys_challengeExam  Zero Or More

Constraints:
  Constraint name                       Type               Level        Constraint
                                        Column Constraint  Not Null     ce_roleid
                                        Column Constraint  Not Null     ce_userid
  PK_sys_challengeExam                  Table Constraint   Primary Key  PRIMARY KEY (ce_id)
  sys_checkPointInfo_sys_challengeExam  Table Constraint   Foreign Key  FOREIGN KEY (ce_gid) REFERENCES sys_checkPointInfo(g_id)
  sys_examCreate_sys_challengeExam      Table Constraint   Foreign Key  FOREIGN KEY (ce_exid) REFERENCES sys_examCreate(ex_id)
  sys_userInfo_sys_challengeExam        Table Constraint   Foreign Key  FOREIGN KEY (ce_userid) REFERENCES sys_userInfo(userid)

Entity: sys_challengeKey
Entity details:
  Description                  The Secret Key of each checkpoint
  Primary key constraint name  PK_sys_challengeKey

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   c_id            INTEGER    Yes
  FK   c_gid           INTEGER    Yes       The checkpoint this Secret Key belongs to
       c_secretKey     VARCHAR    Yes       The system automatically generates one Secret Key for each checkpoint

Relationships:
  Relationship name                    Type             Parent              Child             Cardinality
  sys_checkPointInfo_sys_challengeKey  Non Identifying  sys_checkPointInfo  sys_challengeKey  Zero Or One

Constraints:
  Constraint name                      Type               Level        Constraint
                                       Column Constraint  Not Null     c_secretKey
  PK_sys_challengeKey                  Table Constraint   Primary Key  PRIMARY KEY (c_id)
  sys_checkPointInfo_sys_challengeKey  Table Constraint   Foreign Key  FOREIGN KEY (c_gid) REFERENCES sys_checkPointInfo(g_id)
Entity: sys_checkPointHint

Entity details:
  Description                  Hints for each checkpoint
  Primary key constraint name  PK_sys_checkPointHint

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   h_id            INTEGER    Yes
  FK   h_gid           INTEGER    Yes       The checkpoint this hint belongs to
       h_filename      NVARCHAR   Yes       File name of this hint
       h_count         BIGINT     Yes

Relationships:
  Relationship name                      Type             Parent              Child               Cardinality
  sys_checkPointInfo_sys_checkPointHint  Non Identifying  sys_checkPointInfo  sys_checkPointHint  Zero Or More

Constraints:
  Constraint name                        Type               Level        Constraint
                                         Column Constraint  Not Null     h_filename
  PK_sys_checkPointHint                  Table Constraint   Primary Key  PRIMARY KEY (h_id)
  sys_checkPointInfo_sys_checkPointHint  Table Constraint   Foreign Key  FOREIGN KEY (h_gid) REFERENCES sys_checkPointInfo(g_id)

Entity: sys_checkPointInfo
Entity details:
  Description                  Details of a functional unit
  Primary key constraint name  PK_sys_checkPointInfo

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   g_id            INTEGER    Yes
       g_type          INTEGER    Yes       The OWASP Top 10 category the functional unit belongs to
       g_description   NVARCHAR   Yes
       g_createdate    DATETIME   Yes

Relationships:
  Relationship name                          Type             Parent              Child                   Cardinality
  sys_checkPointInfo_sys_challengeExam       Non Identifying  sys_checkPointInfo  sys_challengeExam       Zero Or More
  sys_checkPointInfo_sys_challengeKey        Non Identifying  sys_checkPointInfo  sys_challengeKey        Zero Or One
  sys_checkPointInfo_sys_checkPointHint      Non Identifying  sys_checkPointInfo  sys_checkPointHint      Zero Or More
  sys_checkPointInfo_sys_checkPointSolution  Non Identifying  sys_checkPointInfo  sys_checkPointSolution  Zero Or More

Constraints:
  Constraint name        Type               Level        Constraint
                         Column Constraint  Not Null     g_createdate
                         Column Constraint  Not Null     g_id
                         Column Constraint  Not Null     g_type
                         Column Constraint  Not Null     g_class
                         Column Constraint  Not Null     g_status
                         Column Constraint  Not Null     g_author
                         Column Constraint  Not Null     g_url
                         Column Constraint  Not Null     g_description
  PK_sys_checkPointInfo  Table Constraint   Primary Key  PRIMARY KEY (g_id)

Entity: sys_checkPointSolution
Entity details:
  Description                  Solution for the problem of each functional unit
  Primary key constraint name  PK_sys_checkPointSolution

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   gs_id           INTEGER    Yes
  FK   gs_gid          INTEGER    Yes       The problem this solution (functional unit) corresponds to
       gs_author       VARCHAR    Yes       Author of this solution (functional unit)
       gs_url          VARCHAR    Yes       URL of this solution (functional unit)
       gs_description  NVARCHAR   Yes
       gs_createdate   DATETIME   Yes

Relationships:
  Relationship name                          Type             Parent              Child                   Cardinality
  sys_checkPointInfo_sys_checkPointSolution  Non Identifying  sys_checkPointInfo  sys_checkPointSolution  Zero Or More

Constraints:
  Constraint name                            Type               Level        Constraint
                                             Column Constraint  Not Null     gs_createdate
                                             Column Constraint  Not Null     gs_id
                                             Column Constraint  Not Null     gs_gid
                                             Column Constraint  Not Null     gs_author
                                             Column Constraint  Not Null     gs_url
                                             Column Constraint  Not Null     gs_description
  PK_sys_checkPointSolution                  Table Constraint   Primary Key  PRIMARY KEY (gs_id)
  sys_checkPointInfo_sys_checkPointSolution  Table Constraint   Foreign Key  FOREIGN KEY (gs_gid) REFERENCES sys_checkPointInfo(g_id)

Entity: sys_examCreate
Entity details:
  Description                  Details of an exam paper
  Primary key constraint name  PK_sys_examCreate

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   ex_id           INTEGER    Yes
       ex_name         NVARCHAR   Yes       Name of this exam paper
       ex_createdate   DATETIME   Yes

Relationships:
  Relationship name                 Type             Parent          Child              Cardinality
  sys_examCreate_sys_challengeExam  Non Identifying  sys_examCreate  sys_challengeExam  Zero Or More

Constraints:
  Constraint name    Type               Level        Constraint
                     Column Constraint  Not Null     ex_createdate
                     Column Constraint  Not Null     ex_id
                     Column Constraint  Not Null     ex_name
  PK_sys_examCreate  Table Constraint   Primary Key  PRIMARY KEY (ex_id)

Entity: sys_userInfo
Entity details:
  Description                  Member data of the platform
  Primary key constraint name  PK_sys_userInfo

Attributes:
  Key  Attribute name  Data type  Not null  Description
  PK   userid          NVARCHAR   Yes       Member account
       passwd          NVARCHAR   Yes       Member password
       username        NVARCHAR   Yes       Member name
       roleid          INTEGER    Yes       Role the member belongs to
       createdate      DATETIME   Yes

Relationships:
  Relationship name               Type             Parent        Child              Cardinality
  sys_userInfo_sys_challengeExam  Non Identifying  sys_userInfo  sys_challengeExam  Zero Or More

Constraints:
  Constraint name  Type               Level        Constraint
                   Column Constraint  Not Null     createdate
                   Column Constraint  Not Null     userid
                   Column Constraint  Not Null     passwd
                   Column Constraint  Not Null     username
                   Column Constraint  Not Null     roleid
  PK_sys_userInfo  Table Constraint   Primary Key  PRIMARY KEY (userid)
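As an added example (not part of the thesis and not the PL-SWAP project's own code), the entity details in this appendix are rebuilt as SQL DDL and loaded into an in-memory SQLite database, so that the listed primary-key, foreign-key and Not Null constraints can be exercised against constructed sample rows. Table, column and constraint names are taken from the appendix; the data types of g_class, g_status, g_author and g_url are assumptions, because the appendix lists only their Not Null constraints; all sample rows and the password placeholder are constructed.

```python
import sqlite3
# Added example, not part of the thesis: the appendix entity details rebuilt as
# DDL in an in-memory SQLite database so the documented PRIMARY KEY, FOREIGN KEY
# and Not Null constraints can be exercised. Names follow the appendix; the data
# types of g_class, g_status, g_author and g_url are assumptions (the appendix
# lists only their Not Null constraints).
SCHEMA = """
CREATE TABLE sys_userInfo (
    userid NVARCHAR NOT NULL, passwd NVARCHAR NOT NULL, username NVARCHAR NOT NULL,
    roleid INTEGER NOT NULL, createdate DATETIME NOT NULL,
    CONSTRAINT PK_sys_userInfo PRIMARY KEY (userid));
CREATE TABLE sys_examCreate (
    ex_id INTEGER NOT NULL, ex_name NVARCHAR NOT NULL, ex_createdate DATETIME NOT NULL,
    CONSTRAINT PK_sys_examCreate PRIMARY KEY (ex_id));
CREATE TABLE sys_checkPointInfo (
    g_id INTEGER NOT NULL, g_type INTEGER NOT NULL,
    g_class INTEGER NOT NULL, g_status INTEGER NOT NULL,  -- data types assumed
    g_author VARCHAR NOT NULL, g_url VARCHAR NOT NULL,    -- data types assumed
    g_description NVARCHAR NOT NULL, g_createdate DATETIME NOT NULL,
    CONSTRAINT PK_sys_checkPointInfo PRIMARY KEY (g_id));
CREATE TABLE sys_challengeKey (
    c_id INTEGER NOT NULL, c_gid INTEGER NOT NULL, c_secretKey VARCHAR NOT NULL,
    CONSTRAINT PK_sys_challengeKey PRIMARY KEY (c_id),
    CONSTRAINT sys_checkPointInfo_sys_challengeKey FOREIGN KEY (c_gid) REFERENCES sys_checkPointInfo(g_id));
CREATE TABLE sys_checkPointHint (
    h_id INTEGER NOT NULL, h_gid INTEGER NOT NULL, h_filename NVARCHAR NOT NULL, h_count BIGINT NOT NULL,
    CONSTRAINT PK_sys_checkPointHint PRIMARY KEY (h_id),
    CONSTRAINT sys_checkPointInfo_sys_checkPointHint FOREIGN KEY (h_gid) REFERENCES sys_checkPointInfo(g_id));
CREATE TABLE sys_checkPointSolution (
    gs_id INTEGER NOT NULL, gs_gid INTEGER NOT NULL, gs_author VARCHAR NOT NULL, gs_url VARCHAR NOT NULL,
    gs_description NVARCHAR NOT NULL, gs_createdate DATETIME NOT NULL,
    CONSTRAINT PK_sys_checkPointSolution PRIMARY KEY (gs_id),
    CONSTRAINT sys_checkPointInfo_sys_checkPointSolution FOREIGN KEY (gs_gid) REFERENCES sys_checkPointInfo(g_id));
CREATE TABLE sys_challengeExam (
    ce_id INTEGER NOT NULL, ce_gid INTEGER NOT NULL, ce_exid INTEGER NOT NULL,
    ce_roleid INTEGER NOT NULL, ce_userid NVARCHAR NOT NULL, ce_ok CHAR NOT NULL,
    CONSTRAINT PK_sys_challengeExam PRIMARY KEY (ce_id),
    CONSTRAINT sys_checkPointInfo_sys_challengeExam FOREIGN KEY (ce_gid) REFERENCES sys_checkPointInfo(g_id),
    CONSTRAINT sys_examCreate_sys_challengeExam FOREIGN KEY (ce_exid) REFERENCES sys_examCreate(ex_id),
    CONSTRAINT sys_userInfo_sys_challengeExam FOREIGN KEY (ce_userid) REFERENCES sys_userInfo(userid));
"""

SEED = [  # constructed sample rows, not real platform data
    ("INSERT INTO sys_userInfo VALUES (?,?,?,?,?)",
     ("alice", "<password-hash-placeholder>", "Alice", 2, "2008-08-01")),
    ("INSERT INTO sys_examCreate VALUES (?,?,?)", (1, "XSS exam", "2008-08-01")),
    ("INSERT INTO sys_checkPointInfo VALUES (?,?,?,?,?,?,?,?)",
     (10, 1, 1, 1, "author", "/unit/10", "reflected XSS unit", "2008-08-01")),
    ("INSERT INTO sys_challengeKey VALUES (?,?,?)", (1, 10, "constructed-key")),
    ("INSERT INTO sys_checkPointHint VALUES (?,?,?,?)", (1, 10, "hint1.txt", 0)),
    ("INSERT INTO sys_checkPointSolution VALUES (?,?,?,?,?,?)",
     (1, 10, "author", "/solution/1", "escape output", "2008-08-01")),
    ("INSERT INTO sys_challengeExam VALUES (?,?,?,?,?,?)", (1, 10, 1, 2, "alice", "N")),
]

def create_db():
    """Open an in-memory database, turn on FK enforcement, load schema and seed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    for sql, params in SEED:
        conn.execute(sql, params)
    conn.commit()
    return conn

def is_rejected(conn, sql, params):
    """True if the statement is refused by one of the declared constraints."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True

def check_constraints():
    """Exercise the constraints listed in the appendix; returns name -> outcome."""
    conn = create_db()
    exam = "INSERT INTO sys_challengeExam VALUES (?,?,?,?,?,?)"
    key = "INSERT INTO sys_challengeKey VALUES (?,?,?)"
    results = {
        # sys_examCreate_sys_challengeExam: ce_exid must name an existing exam
        "dangling_exam_rejected": is_rejected(conn, exam, (2, 10, 999, 2, "alice", "N")),
        # sys_userInfo_sys_challengeExam: ce_userid must name an existing member
        "unknown_user_rejected": is_rejected(conn, exam, (3, 10, 1, 2, "mallory", "N")),
        # PK_sys_challengeKey: c_id 1 is already used
        "duplicate_key_id_rejected": is_rejected(conn, key, (1, 10, "other")),
        # Not Null column constraint on c_secretKey
        "null_secret_rejected": is_rejected(conn, key, (2, 10, None)),
        # a checkpoint still referenced by keys, hints, solutions or exams stays
        "delete_referenced_checkpoint_rejected": is_rejected(
            conn, "DELETE FROM sys_checkPointInfo WHERE g_id = ?", (10,)),
        # "Zero Or One" is a documented cardinality, not a declared constraint
        "second_key_for_same_checkpoint_accepted": not is_rejected(conn, key, (3, 10, "second")),
    }
    results["challengeExam_rows"] = conn.execute(
        "SELECT COUNT(*) FROM sys_challengeExam").fetchone()[0]
    conn.close()
    return results
```

Two points worth noting when reading the results. SQLite only enforces FOREIGN KEY clauses after `PRAGMA foreign_keys = ON`, so the pragma is part of the check, not decoration. The Zero Or One cardinality between sys_checkPointInfo and sys_challengeKey appears in the appendix only as a relationship, not as a constraint, which is why a second Secret Key for the same checkpoint is accepted; enforcing one key per checkpoint would take a UNIQUE constraint on c_gid that the appendix does not declare.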