
The Research And Implement Of Automated Security Test Tool Based On .NET Websites

Posted on: 2008-10-04
Degree: Master
Type: Thesis
Country: China
Candidate: F H Zhong
Full Text: PDF
GTID: 2178360215985020
Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet and related technologies, website security has become an increasingly serious issue. For website security testing, finding and fixing potential security bugs before a website is released is undoubtedly the most favorable form of security precaution. Security test tools have therefore become a research field attracting more and more attention from researchers. The security test tools in common use at present adopt only black box testing and suffer from weaknesses such as inaccurate bug analysis and an inability to repair bugs.

This paper analyzes the deficiencies of the security test tools in common use at present and targets these weak points directly. Building on the relevant theories and key technologies, it investigates bug positioning and bug repair techniques in depth and puts forward a combined white and black box test module that brings together the time savings of black box testing and the comprehensive analysis of white box testing. Relying on this module, this paper implements STTC (short for Security Test Tool in C#), which is applied specifically to .NET websites. STTC mainly consists of two sub-modules: the black box test module and the white box test module. The black box test module tests the web pages of a website and records the program and type of each bug, while the white box test module extracts and analyzes the program containing the bug, then positions and repairs the bug tentatively. An attack database is built into the black box test sub-module to imitate manual attacks. An attack pattern matching database for each type of bug is built into the white box sub-module to prevent attacks efficiently, to position the bug accurately through program tracking, and to repair the bug automatically through program instrumentation. Finally, a specific test report is sent back to the user as a Word file, and a comprehensive and secure solution plan is also provided.

This paper reviews the design strategies and implementation of the main modules and examines the test and repair ability of STTC through experiments. STTC is then compared with the commercial test tool Acunetix Web Vulnerability Scanner to analyze its performance. Finally, the paper draws conclusions and states the research work to be done in the future.
Keywords/Search Tags:software test, security test, test tool development, atomization test