ComputerEngineeringandApplications2009,45(25)1Web。Web。Web。2070RISOSResearchinSecuredOperatingSystemsPAProtectionAnalysisProject。。1994landwher、、[1]。1998COASTKrsul[2]。MITRE“”CommonVulnerabilityEnumerationCVE[3]。、。Wen-liangDuEAIEnvironmental-ApplicationInterac-tionfaultmodel[4]。EAI。。Web。Webhttp、。WebEAI。WebWebAHPWeb。2。Web1WebWebDUJing-nongLUYan-sheng430074CollegeofComputerScienceandTechnologyatHuazhongUniversityofScienceandTechnologyWuhan430074ChinaE-maildujl@sohu.comDUJing-nongLUYan-sheng.TaxonomyofWeb-basedapplicationvulnerabilities.ComputerEngineeringandApplica-tions2009452510-14.AbstractThispaperstudieshowtheenvironmentalfaultandstatesfaultcausethesecurityproblemsofWebapplicationanddescribesataxonomymodelusinganalytichierarchyprocessforclassifyingsecurityflawsofWebapplication.Thendesignanexperimenttoapplythetaxonomymodeltoclassify152securityflawsfromtheCVEsecurityflawdatabaseandcomparetheclassificationresultswiththatofusingEAImodeltoclassifysecurityflaws.TheresultsoftheexperimentrevealsthatthetaxonomymodeliseffectiveandapplicabletothesecuritytestinganddefendingofWeb-basedapplication.KeywordsWeb-basedapplicationsecurityflawtaxonomymodelWebWeb。CVEWebEAI。Web。WebDOI10.3778/j.issn.1002-8331.2009.25.0041002-8331200925-0010-05ATP393.08。1972-、1949-、、。2009-05-052009-06-18102009,45(25)Web������������������������������������������������������������!��#$�12������������������������������������������������������������!��#$�WebE22E11SQLE12E13E21DNSE31E32S11S12URLS21S22S31S32URLE1E2E3S1S2S3SEVWeb………………3Web2Web。WebWeb、Web。1。、cookies、sessionID。2。2.1Web。Web。Web。、。2.2Web。。httpWeb。。。WebJavascriptVBScript。JavaApplet。。。Web。Web。Web。2.3Web。。AHPTheAnalyticHierarchyProcess。WEB。3Web。2.4。。4。4。。Web11ComputerEngineeringandApplications2009,45(25)0000000000000000000000000001000100000000100101001001ESVE1E2E3S1S2S3E11E12E31E21S11S21S31S32………………………………4Web。V。E0E30010S2110010000。2。。3。3.1Web、。、。。OWASP。3.1.1SQLSQLSQLSQL[5]。stringquery=SELECT*FROMitemsWHEREowner=’+userName+’ANDitemname=’+ItemName.Text+’ItemName.Textname’OR’a’=’a。SQLSELECT*FROMitemsWHEREowner=’wiley’ANDitemname=’name’OR’a’=’a’。。3.1.2XSSXSS[6]。“scriptalert’attack!’/script”。。3.1.3。CGI、exedllWeb。3.1.4。finger“namels-al”“name\r\nls-al”。ls-al。3.1.5XpathXpathXpathXpath。FindUserXPath=//Employee[UserName/text=’+RequestUsername+’AndPassword/text=’+RequestPassword+’]“blah’or1=1or’a’=’a”“blah”//Employee[UserName/text=’blah’or1=1or’a’=’a’AndPassword/text=’blah’]。3.1.6。“”“”。html“�cscript�e”%“%253cscript%253e”。。Web、、、。DNSWeb。http。3.2Web、。。122009,45(25)3.2.1Web。。1。inputtype=”hidden”name=”number”value=3。。Value。2CookieCookie。Cookie、、。。3URLURL。CGIGETURL。WebURL。http//site.com/getfile.asp?file=a.rar。getfile.asp?file=../../../etc/password.txt。。3.2.2。1html、、Web。2javascriptvbscript。3AppletApplet。、、applet。3.2.3Web。1URLURL。Web“—————————”。URL。2。。。4RISOSPA2090purdueCOASTALandwehr、KrsulBishop。。leuvenuniversityFrankPiessens2002[7]。、、、。19。、。Piessens。。“”“”“”“”。2004MarylandKantaJiwnaniLandwehr、[8]。、、8。。、、6。、、9。Jiwnani。。“”“”“”“”、“”。JiwnaniWeber2005Landwehr[9]。2007BazazArthur[10]。。3、I/O36“”“”I/O“”“”“”“”。。Bazaz。。WebSQLXSS。purdueCOASTAwenliangdu2000EAI。。WebEAI。WebWeb13ComputerEngineeringandApplications2009,45(25)1PiessensJiwnaniBazazEAIWebWeb210669.7%4328.3%32%3EAI8555.9%2113.8%4630.3%4EAI14910634698%69.7%。WebWeb。EAI。EAIWeb。EAIWeb。EAIWebWeb。CVEWeb。。。。、。。“、、、”。1。、。。、Web。、。。Bishop[11]。。Web、sessionC/S。.netJ2EEWeb。、。Web。WebWeb。5Web、。CVE152Web2。3。61.8%。EAI3。EAI30.3%Web。EAI。4。98%EAI69.7%。Web。6WebWeb。CVE152Web2014ComputerEngineeringandApplications2009,45(25)a∈I[0]I=I。a≈I0uv∈Ia-u=0-vv=0u-a=0u=a。a∈Ia-a=0-0a0∈Ia≈I0。4RDP1DSEAERDPDSEA。IEEa≈Ibef∈Ea-e=b-f。DvuvecenskijandPulmannova2000section3.1.2≈I1a茌b∈Ea1茌b1∈Ea≈Ia1b≈Ib1圯a茌b≈Ia1茌b12a≈Ib圯a′≈Ib′3a茌b∈Ec≈Ia圯d∈Eb≈Idd茌c∈E4a茌ba1茌b1∈Ea1≈Iaa1茌b1≈Ia茌b圯b1≈Ib。a/I=[a]=[a]I={b∈Eb≈Ia}E/I={[a]Ia∈E}[a]茌[b]=[c]a1∈[a]b1∈[b]c1∈[c]a1茌b1=c1。[0][1]E/I。[a]≤[b]a1∈[a]a1≤b。4.1IRDPDSEAE茌莓01。a1≈Ia2b1≈Ib2a1莓b1≈Ia2莓b2。[a]I莓[b]I=[a莓b]I[a]I茌[b]I=[a茌b]Iab∈E。E/IDSEA。fE→E/Ifa=[a]Ia∈E。[7]。4.2{Ei}i∈I仪i∈IEi。RDP仪i∈IEiRDP。。E{Ei}i∈IfE→仪i∈IEij∈Iπj莓fEEj。πj仪i∈IEiEjj。DSEAfEπj莓fDSEA。4.3RDP1DSEAE茚莓01RDPDSEA。、。[8]RDP{E/PPEP≠E}RDP。fE→仪PE/Pfa=[a]Pa∈E。4.1E/PDSEA。f、πP莓fEE/P。[1]GudderSGreechieR.Sequentialproductsoneffectalgebras[J].Re-portonMathematicalPhysics200249187-111.[2]GudderSGreechieR.Uniquenessandorderinsequentialeffectalgebras[J].InternationalJournalofTheoreticalPhysics2005447755-770.[3]JencaGPulmannovaS.Idealsandquotientsinlatticeorderedef-fectalgebras[J].SoftComputer20015376-380.[4]HabilED.Tensorproductofdistributivesequentialeffectalgebraandproducteffectalgebras[J].InternationalJournalofTheoreticalPhysics2008471280-290.[5]GudderSNagyG.Sequentialquantummeasurements[J].JMathPhys2001425212-5222.[6]DvurecenskijAPulmannovaS.Newtrendsinquantumstructures[M].DordrechtTheNetherlandsKluwer2000.[7]DvurecenskijA.Producteffectalgebras[J].InternationalJournalofTheoreticalPhysics200241101827-1839.[8]DvurecenskijA.Perfecteffectalgebrasarecategoricallyequivalentwithabelianinterpolationpo-groups[J].JournaloftheAustralianMathema
