
Research On Web Application Security

Posted on: 2008-02-29
Degree: Master
Type: Thesis
Country: China
Candidate: N Ding
Full Text: PDF
GTID: 2178360215963763
Subject: Systems analysis and integration

Abstract/Summary:
Web application security has become an increasingly prominent issue because of the openness and ease of use of websites and the simplicity of Web application development. It is necessary to test and evaluate Web application security in a scientific, efficient and accurate way, which is a key problem that all Web applications face. Comprehensive research on testing and detection technologies for Web application security is therefore of great theoretical significance and practical value.

A model of a host-based Web application security detecting system is proposed, based on in-depth research into the characteristics of Web application vulnerabilities and the key technologies of Web application security detection. After investigating CVE and AVDL, which provide methods for describing vulnerabilities, a new XML-based model of Web application vulnerabilities, WAML, is designed and discussed in detail. The structure and main modules of the Web application security detecting system are designed and implemented following a study of the structure and functions of existing vulnerability detectors.

The technologies related to the implementation of each module are studied according to the system's functional requirements, such as how to obtain the website's topology in the traversal phase, information extraction from Web pages and the design of the HTML tag parser, the working mode of the HTTP protocol and the method for parsing XML files, and the security accounting technology based on IIS log files. These research results form a solid foundation for the vulnerability detection and analysis operations. The HTML parser, the simulated HTTP client and the XML editor and parser are built by reusing and extending the open source packages HTML Parser and HttpClient and the standard development kit Sun JDK 1.6, which offer good operating interfaces for information collection, content and function extension, optimization of the rules in the Web application vulnerability library, and communication between client and server in the Web application.

A prototype of the Web application security detection system is preliminarily implemented. It runs on the server as an ordinary application and provides information detection and analysis services. Based on users' requirements, a variety of Web application vulnerabilities can be probed, and a complete and detailed security report containing the necessary information is produced to help developers optimize their code, show website administrators a secure management policy, and give security experts evidence for analysis and assessment.
Keywords/Search Tags: Web application security, vulnerability, WAML, Web Application Security Detecting System