Research And Implementation Of The Web Vulnerability Detection System For Web Security

Posted on: 2012-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Jiang
GTID: 2218330368478662
Subject: Software engineering

Abstract/Summary:
With the rapid development of computer and Internet technology, the Web and related techniques are now widely used, and Web security therefore deserves special attention. Web vulnerability detection is an active defense technology oriented toward Web security; it is very important and hence frequently applied in existing network environments. Research on Web vulnerability detection has developed tremendously, but problems remain: incomplete scanning functions, complex and confusing user configuration, and a lack of thorough risk analysis. Furthermore, source-code-based vulnerability detection can easily leak Web site information, triggering new security problems such as privacy disclosure.

To solve these problems, we apply the black-box testing idea and fuzz testing technology to design a high-efficiency, low-cost Web vulnerability detection system. First, the functions of the system are analyzed, and the requirements for its detection functions are given. We then give the overall design of the system, including the architecture design and the function design. The function design covers the SQL injection vulnerability detection module, the cross-site scripting vulnerability detection module, the content-guessing vulnerability detection module, the directory traversal vulnerability detection module, and others. These modules are transparent to users: the control module chooses which detection module to use on the user's behalf and sends the detection results to the user interface.

First, we construct specific HTTP requests carrying fuzz testing scan parameters, according to the target URL and the vulnerability scan type submitted by the user. Second, the system sends the requests to the target Web server and determines whether vulnerabilities exist by analyzing the server's return value or error code; it can also indicate the types of the vulnerabilities and the related links.

Based on these ideas, we design and implement a fuzz-testing-based Web vulnerability detection system. The system consists of a web page analysis module, a web crawler module, a vulnerability detection module, a detection control module, a user interface module, an exponential-function-based risk analysis module, and a risk report module. It implements Web vulnerability detection functions including SQL injection vulnerability detection, cross-site scripting vulnerability detection, content-guessing vulnerability detection, and directory traversal vulnerability detection. In addition, it provides a thorough risk analysis report of the detection results by using the exponential-function-based risk analysis algorithm.

The system is implemented on Linux. We use a modular design and develop it with PyQt to make updating easier. Because the system scans for vulnerabilities using black-box testing and fuzz testing, the source code of the target Web site is never visible to users, which also satisfies the site's privacy requirement. To validate the availability and the vulnerability detection function, we compare the system with other systems in terms of efficiency and function and conclude that the proposed system has advantages.
Keywords/Search Tags: Web Security, Vulnerability detection, Penetration testing, Fuzzing test, Risk analysis