Abstract
Internet of things (IoT) devices are numerous and their web login pages are complex and varied, which makes automated weak-password detection difficult. To address this problem, an automated weak-password detection framework for the web application systems of IoT devices is designed. By combining HTML features with the proposed rules, it solves the problems of automatically locating controls and judging results during password detection. Based on this framework, an automated weak-password detection system was developed and used to probe the web interfaces of IoT devices on the public network in Beijing, Shandong Province and Zhejiang Province. A total of 12 179 devices with weak web passwords were found, accounting for 7.58% of all discovered IoT devices, which verifies the effectiveness of the proposed framework.