
Student: 曾信田 (Hsin-Tien Tseng)
Thesis title: Design and Implementation of Automatic Web-Pages Penetration Testing System (自動化網頁滲透測試系統之設計與實作)
Advisor: 吳宗成 (Tzong-Chen Wu)
Committee members: 查士朝 (Shi-Cho Cha), 羅乃維 (Nai-Wei Lo)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2012
Academic year of graduation: 100 (ROC calendar)
Language: Chinese
Pages: 71
Keywords (Chinese): web vulnerability, penetration testing, black-box testing, automation
Keywords (English): web vulnerability, penetration, black-box testing, automatic
Hits: 218, Downloads: 1

With the spread of the Internet, the online world has become an indispensable part of people's lives. However, because hacker techniques and network security incidents keep growing, network security issues are receiving ever more attention, and techniques for ensuring the network security of individuals and companies, together with auditing techniques, are continually being published. Among the many network security and auditing techniques, penetration testing is a security testing technique commonly used to examine networked information systems. In penetration testing, a professional and trusted third-party information security team is engaged to examine an information system designated by the client: it uses various network attack techniques to find the security weaknesses of that system and thereby assesses the security risks the system carries.
This study deploys an automated web penetration testing system in a distributed manner across the network. As a result, penetration testers need only operate a web browser to carry out web penetration testing tasks. Because tasks are dispatched over the network to remote servers and executed there by the web penetration testing system, the tester's own computer does not become overloaded during testing; once a task completes, the system automatically produces a penetration test result report for the tester to read and analyze; and the number of networked information systems that can be tested concurrently grows as distributed resources are added.


The Internet has become part of daily life for most people. A growing number of computer breach incidents have made people aware of information security. While hackers keep improving their attack techniques, protecting digital information and systems has become a critical issue for everyone.
To secure a network environment, computer security auditing is usually the baseline protection for many enterprises. From a technical perspective, penetration testing is the most effective approach among these auditing processes and methodologies. Penetration testing is a highly technical approach to inspecting and guaranteeing the security of a network environment. Usually, penetration testing is performed as a third-party professional service: trusted security experts simulate attacks against target systems in order to discover potential vulnerabilities and evaluate enterprise security risks.
This paper proposes a distributed architecture and methodology to improve the performance of penetration testing and to solve the overloading problem of the attacking system. We deploy attack agents at different places in the network. The system provides a web interface for penetration testers. When a command is issued from the UI, the system automatically dispatches attack commands to the distributed agents, and these agents perform attacks against different targets at the same time.
Based on this design, the processing load can be shared, which also removes the performance bottleneck on the attack server. The design also supports large-scale penetration testing across the different areas or branches of large enterprises; with agents deployed locally, network traffic can be minimized. After performing the attacks, the system collects logs and results from the agents and produces a well-formatted report.

Table of contents:
Chinese Abstract II
Abstract IV
Chapter 1 Introduction 1
Chapter 2 Literature Review 5
2.1 Terminology 5
2.2 International Penetration Testing Standards 6
2.3 Penetration Testing Tools 13
2.4 Related Work on Automated Penetration Testing 25
Chapter 3 Proposed Method 27
3.1 System Roles 28
3.2 System Operation Flow 29
3.3 Module Architecture 31
3.4 Module Flow 34
3.5 Module Implementation 36
Chapter 4 Testing and Result Analysis 55
4.1 OWASP Top 10 2010 Tests 55
4.2 CVE Web Vulnerability Tests 58
Chapter 5 Conclusion and Future Work 62
References 64
Appendix A Chinese-English Glossary of Key Terms 70


Full-text release date: 2017/01/18 (campus network)
Full-text release date: not authorized for public release (off-campus network)
Full-text release date: not authorized for public release (National Central Library: Taiwan Theses and Dissertations System)