
Research And Implementation Of Web Application Vulnerability Scanning System Based-on Network

Posted on: 2006-12-13
Degree: Master
Type: Thesis
Country: China
Candidate: L Xu
GTID: 2178360185963743
Subject: Computer Science and Technology

Abstract/Summary:
More and more attacks now target web applications with vulnerabilities. With a network-based web application vulnerability scanner, administrators or developers can find the flaws and take measures to prevent the attacks. This kind of scanner has three strengths. First, it is easy to use and flexible to upgrade. Second, no software needs to be installed on the target system. Third, its detection method is similar to what hackers do. Current scanners and attack tools are imperfect at detecting unknown vulnerabilities and at traversing the target system completely. Studying this kind of scanning system is therefore significant.

In this paper, a network-based web application vulnerability detection system is designed and its prototype is implemented. After research into the Cross-Site Scripting vulnerability, two groups of detection parameters are presented. Finally, a test is carried out to validate the feasibility of the design and the rationality of the detection parameters.

The paper makes four innovations:

Firstly, a way to detect web application vulnerabilities based on a detection parameter database is presented, and an improved system is implemented that can probe for unknown vulnerabilities. In the system, detection parameters are not designed for any one web application but can be used to detect all web applications with the same kind of vulnerability. The parameters are also not bound to the programs, which makes upgrading easy and flexible.

Secondly, the new system can find all the web applications that need to be inspected. In the system, an authorization table is used by the parsing engine to assemble correct requests, so that the scanner can discover all the interactive elements behind or in the active pages by analyzing the responses from the target server.

Thirdly, blind tests are avoided. Interactive elements are extracted in the traversing stage, which exposes the web applications. Therefore every detection request made by the analysing engine is aimed at a specific web application.

Fourthly, the method of designing parameters for detecting Cross-Site Scripting...
Keywords/Search Tags:Web Application, Security, Vulnerability, Scan