Research And Implementation Of Web Application Vulnerabilities Detecting Technology

With the development of Web technology,the site bring better experience to people.Especially Web 2.0,goodbye to a heavy request-return mode,using the lighter partial refresh mode,which improves the users’ experience. Wherein,Ajax technology dominated in Web 2.0.However,Ajax technology will be part of the logical processing from server to the client,it exposes more interfaces,increasing the number of security threats to Web applications,where the highest severity is SQL injection attacks and Cross-Site Scripting attacks. OWASP announced the top ten most serious Web application security vulnerabilities chart,in this chart,we can see that SQL Injection and Cross-Site Scripting attack have been in the top three. These vulnerabilities can be attacked without the knowledge of users.For now, preventive measures are passive behavior,such as the firewall and so on.This is so overlooked application-level serurity issues obviously,which absence of high-level and effective precautionary approach. Therefore,based on the cause and detection of Cross-Site Scripting attack and SQL Injection,design and implement of automatic detection system of Web application’s security vulnerabilities as a supplementary tool for detecting of application-level issues early and be avoided.The main work of this article is as follows:(1)Analyzes the workflow of Web application and a variety of security vulnerabilities.Reviewed the classification principles of Cross-Site Scripting attack and SQL Injection attack,and give the research status of vulnerability detection,as well as compared the predecessors’studies.(2)Analysis the problems of different types of Web crawler process,design an efficient and appropriate Web Crawler’s System,and then innovative proposed attack vectors split function and random combinations and variation rules to improve the accuracy of detection system through the SQL Injection’s and XSS attack’s research.(3)Present a detection algorithm of based on page code behavior and based on the XMLHttpRequest of JavaScript.Based on Web crawler to extract the input entry point, inject erroneous data, use of dynamic detection technology to testing the XSS vulnerabilities and SQL injection vulnerabilities which Web application exist.(4)Design the System,using C# to implement the vulnerability detection tool SXFINDER And describe of the system design process and various functional sub-modules in detail.(5)Put this System in real projects, carried out a detailed functional module testing and performance testing, and compare with the other security vulnerability detection software to verify the proposed algorithm that is feasible, the software is reliability.Innovation of this article is mainly reflected in the following aspects:(1)Improve the Web carwler,mainly in three aspects:①suitable crawler search strategy; ②correct URL legality requirements;③high efficiency removal of duplicate URL.(2)Present a way to generate attack vector of spliting combinations and making up randomly,then put it in various rules to change.The main idea is to split attack vectors according the different types of function to different template library,andrandom combination through the template library and added rules to generate a lot of, various attack vectors.(3)Present a method that bases on page code behavior for Web application, proved to have lower rate of false positive and time-saving.(4)Present a method that based on the XMLHttpRequest of JavaScript, to achieve a more comprehensive testing for Ajax Web application.(5)Using C# Programming to design and implement a prototype system SXFINDER for detecting XSS and SQL Injection vulnerabilities.