Haxonomy: A Taxonomy for Web Hacking
KTH, School of Electrical Engineering and Computer Science (EECS).
2019 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

This study aims to show that the information present in public vulnerability reports from bug bounty programs can be utilized to provide aid for individual security researchers when performing their research. This is done here by creating a taxonomy based on the attack surfaces on a website that were used by the author of a report when discovering a vulnerability. Reports are then indexed according to this taxonomy together with the discovered vulnerability, to provide statistics on which vulnerabilities are most commonly found on what attack surfaces. The taxonomy and the indexed reports, referred to as the Haxonomy, are then also used as the basis for a machine learning algorithm which is trained to provide guidance to bug bounty hunters. It is concluded that this proof-of-concept, if developed fully, can be used to improve the success rate of individual security researchers operating on bug bounty platforms.

Abstract [sv]

The purpose of this study is to show that the information found in public vulnerability reports from so-called bug bounty programs can be used to help individuals carry out better vulnerability testing. This is done here by creating a taxonomy based on which attack surfaces on a website the author of such a report used to discover the vulnerability. Vulnerability reports are then indexed according to this taxonomy so that, together with the vulnerabilities discovered, statistics can be produced on which vulnerabilities are most likely to be found via which attack surfaces. The taxonomy and the indexed reports, together referred to as the Haxonomy, are then also used as material for training an algorithm by means of machine learning, which can be of help in vulnerability testing. It is concluded that this proof of concept can be developed and used to help vulnerability testers find more vulnerabilities in the future.

Place, publisher, year, edition, pages
2019, p. 32
Series
TRITA-EECS-EX ; 2019:260
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-254639
OAI: oai:DiVA.org:kth-254639
DiVA id: diva2:1334313
Available from: 2019-07-02. Created: 2019-07-02. Last updated: 2019-07-02. Bibliographically approved.

Open Access in DiVA

fulltext (891 kB)
File information
File name: FULLTEXT01.pdf
File size: 891 kB
Checksum SHA-512: de864e4c3f681f6745221f0bca6526170adb7e8ac7fc88c1d1c807db70dcf758a787e898dc683ba0188499ef8cf02506dcbf33eefedce93b34dd57539e3712d6
Type: fulltext
Mimetype: application/pdf

By organisation
School of Electrical Engineering and Computer Science (EECS)
Computer and Information Sciences
