
Design And Implementation Of Website Vulnerability Scanning Software WEBSCAN

Posted on: 2013-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: C Y Li
GTID: 2248330371478413
Subject: Software engineering
Abstract/Summary:
With the rapid development of network technology, Web applications are widely used in various fields. Along with this trend, however, attacks on Web applications have become frequent. Large-scale attacks against Web applications not only cause huge economic losses but also severely damage the reputation of companies, directly harming the vital interests of users. Traditional network security devices can protect Web application systems only at the network level; they cannot solve security issues caused by the inherent vulnerabilities of the Web application systems themselves.
This paper describes a simple and effective Web application security vulnerability scanner, WEBSCAN, which simulates the way hackers attack websites: it sends HTTP requests with specific characteristics to servers and then, according to the characteristics of the responses, analyzes and assesses the security vulnerabilities of the Web application. First, the paper introduces the severe situation that Web applications face and the development status of Web application vulnerability detection techniques. Second, it describes the key techniques of Web crawlers and compares different detection methods. It then designs the architecture and system processes for WEBSCAN and details the design and implementation of all sub-modules in the system. Additionally, the paper analyzes integration testing methods and the testing results. Finally, it concludes the project work and introduces future work.
During the design and implementation phase, the interface module and the HTTP session processing module were completed cooperatively, while the rest was completed independently by myself, including the Web crawler with attack module, the database management module, the historical data processing module and the test report module.
The testing results show that WEBSCAN is not only able to attack the website with crawler and injection quickly and comprehensively, but also meets the requirement for detecting the common types of vulnerability, such as SQL injection, XSS, integer overflow and URL redirection. To date, WEBSCAN has been integrated into the TOPIDP_V5 version, which works stably and has high performance.
Keywords/Search Tags:Vulnerability scanning, Vulnerability detection, Web application security