Acunetix Web Vulnerability Scanner - Review
A REAL WORLD REVIEW
MSI::Labs
May 2006
What is the Acunetix Web Vulnerability Scanner?
The Acunetix Web Vulnerability Scanner is a tool built to find security holes in web applications, holes that an attacker could abuse to gain unauthorized access to systems and data. It detects multiple classes of vulnerabilities, including SQL injection, Cross Site Scripting and password weaknesses.
The product can be used to run web and application vulnerability scans, and to run penetration tests against the issues it identifies. The mitigation suggestions provided for each vulnerability can be used to improve the security of the scanned web server or application.
For this review, MicroSolved, Inc. used Acunetix in real-world testing: it was evaluated on what it found during actual vulnerability assessments and penetration tests. The testing was carried out by a panel of experts with extensive penetration-testing experience and broad knowledge of commercial and open-source web/application scanning tools. Multiple web sites were evaluated during the testing. The findings from these web sites and from our penetration tests serve as the input for this review. Each feature of the Acunetix Web Vulnerability Scanner is rated on a scale of 1 to 5, with 5 being the best score.
Installation and Update Mechanism
Installation is straightforward. A typical Windows installer is provided as an executable, and the only input required during installation is the issued license. The program ships with a built-in update mechanism, and Acunetix can apply updates without restarting the program. Acunetix has an option to check for updates at startup, or to check only when the update function is run manually.
Description of the Scanner Tools
The scanner's interface divides the work by function. While data can be shared, copied and pasted between the tools, the interface provides a logical and effective way of handling the tasks involved in running a web application assessment. Each distinct tool and function is described below.
Web Scanner:
Rating: 4.5
Target Finder:
The Target Finder is a simple port scanner designed to locate web sites within a given address range. The address range is not limited, and the ports to probe can be specified so that web sites running on non-standard ports can be discovered. It also attempts to identify the type of web server in use.
Rating: 4
HTTP Fuzzer:
Rating: 4
Authentication Tester:
Rating: 4
Reporting Capabilities
Reporting is adequate. The reports are well organized, easy to read, and do not assign inappropriate severity ratings to minor vulnerabilities. Overall, vulnerabilities are presented in a way that, unlike many other scanners, does not encourage unreasonable alarm or action. However, reports can only be saved as HTML documents. Acunetix has no direct way to export to another format such as XML, and no way to pass its data to other, more extensive reporting tools. By default, Acunetix can store all of its data in an MS Access database; if Microsoft Access is available, the data can be exported from there to many other formats. The reports are concise, but the lack of a direct export to non-HTML data may be a problem for users whose requirements are dictated by the reports they need to produce.
Overall Product Rating
For its substantial functionality, ease of use and fast performance, we gave Acunetix an overall rating of 4 stars.
Pros:
+ Fast scanning
+ Specific handling of custom error pages
+ Many tools combined into one application
+ High vulnerability detection rate
+ Appropriate threat classification of minor vulnerabilities
Cons:
- Limited reporting options
- The Target Finder appears to have bugs
- The interface could use some tweaks
Summary
Acunetix set out to build a single application containing a complete set of tools for thoroughly finding the vulnerabilities of a web site. Overall, Acunetix has achieved this goal, but some extra polish on the product's minor features would have added the shine that makes a complete package sparkle like a diamond.
Suggestions for Future Improvement
Acunetix is already a strong tool and product, but a few minor additional features could make an already excellent tool even better. During this review we found a few small things that should be added or changed. Although the user interface is user-friendly and convenient, it needs some minor work, particularly in the fuzzer. With the Authentication Tester, it was not possible to specify only a password, with no user name, while HTML brute forcing. We tried it against a few "administrator" web pages that require only a password, but could not find a way to brute force those pages. In addition, a way to change the timeout period and the number of concurrent threads would be a welcome addition; this would increase scan speed. In the crawler, the ability to limit the depth of crawled links would be useful. This would provide a remedy for the problems caused by the crawler getting stuck in an infinite loop.
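The crawler issue raised above, as an added illustration that is not part of the original review or of the Acunetix product: a breadth-first crawler over a constructed link graph with a visited set, a configurable maximum link depth and a hard page cap, so a cyclic site can no longer trap it. `fetch_links` is a hypothetical stand-in for the HTTP fetch and link extraction a real crawler would perform.

```python
from collections import deque

# Constructed sample site: path -> links found on that page.
# The /a -> /b -> /c -> /a cycle and the self-linking /loop page are the
# kind of structure that keeps an unbounded crawler running forever.
SAMPLE_SITE = {
    "/": ["/a", "/about"],
    "/a": ["/b"],
    "/b": ["/c"],
    "/c": ["/a", "/deep1"],
    "/deep1": ["/deep2"],
    "/deep2": ["/deep3"],
    "/deep3": [],
    "/about": ["/", "/loop"],
    "/loop": ["/loop"],
}


def fetch_links(site, path):
    """Hypothetical stand-in for HTTP fetch + HTML link extraction."""
    return site.get(path, [])


def crawl(site, start="/", max_depth=None, max_pages=10_000):
    """Breadth-first crawl from `start`.

    Returns a dict of path -> depth at which the page was first reached.
    max_depth=None means unbounded depth; max_pages is a hard safety cap so
    the crawl terminates even on an unexpectedly large or cyclic site.
    """
    seen = {start: 0}          # visited set: every page is fetched at most once
    queue = deque([start])
    while queue and len(seen) < max_pages:
        path = queue.popleft()
        depth = seen[path]
        if max_depth is not None and depth >= max_depth:
            continue           # pages at the limit are recorded but not expanded
        for link in fetch_links(site, path):
            if link not in seen:   # breaks the /a -> /b -> /c -> /a cycle
                seen[link] = depth + 1
                queue.append(link)
    return seen


if __name__ == "__main__":
    print(crawl(SAMPLE_SITE, max_depth=2))
    print(len(crawl(SAMPLE_SITE)), "pages reached with no depth limit")
```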
About Acunetix (from www.acunetix.com)
Securing a company's web applications is today's most overlooked aspect of securing the enterprise. Web application hacking is on the rise with as many as 75% of cyber attacks done at web application level or via the web. Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are vulnerable to attack. Web applications, which often have a direct line into the company's most valuable data assets, are online 24/7, completely unprotected by a firewall and therefore easy prey for attackers.
Acunetix was founded with this threat in mind. They realized the only way to combat web site hacking was to develop an automated tool that could help companies scan their web applications for vulnerabilities. In July 2005, Acunetix Web Vulnerability Scanner was released - a tool that crawls the website for vulnerabilities to SQL injection, cross-site scripting and other web attacks before hackers do.
The Acunetix development team consists of highly experienced security developers who have each spent years developing network security scanning software prior to starting development on Acunetix WVS. The management team is backed by years of experience in marketing and selling security software.
Acunetix is a privately held company with its offices in the
MicroSolved, Inc.
MicroSolved, Inc. was founded in 1992 by L. Brent Huston. MSI was
created to provide solutions that empower organizations to mitigate risks and
create privacy while maintaining the practice of doing business in the online
world. The projects MSI engages in range from managed security services to
unique solutions crafted to answer complex security problems. Our work includes
protecting the largest government and commercial networks in the world.
MSI's public work includes engagements on the Federal, State, and local level. Our work with the federal government includes protecting some of our nation's most sensitive networks, working to secure some of the largest HIPAA networking concerns, and working with federal auditing agencies to help them implement an auditing process that effects real world security. MSI has received accolades for its work for the
MSI's work in the commercial sector includes a wide variety of vertical markets. MSI enjoys long-term relationships with some of the world's largest financial and telecom providers. Our work with various regulations including GLBA and HIPAA has made us an obvious choice for financial and healthcare organizations of all sizes. In the commercial sector our work ranges from the Fortune 50 to working within the budget needs of small businesses.
What we're most proud of, however, is our work for the community. MSI has sponsored and contributed to various open source initiatives. We've contributed intellectual capital pro bono to various working groups and security organizations.
Our goal with each engagement is to preach security philosophy, transfer knowledge to client stakeholders, and to build a long-term relationship steeped in trust, understanding, and open communication.