
Research On Web Application Vulnerability Discovery Based On Fuzzing Technology

Posted on: 2013-07-27
Degree: Master
Type: Thesis
Country: China
Candidate: J F Chen
GTID: 2248330371994400
Subject: Signal and Information Processing

Abstract/Summary:
With the rapid development of the Internet and Web 2.0 technologies, Web application vulnerabilities have become one of the most serious security risks on the Internet. To ensure the security of Web applications, it is necessary to discover their vulnerabilities as early as possible. Malicious attacks can be reduced or avoided by discovering and patching vulnerabilities early.

Based on an analysis of the principles of Web application vulnerabilities and of common vulnerability discovery techniques, this paper analyzes in depth the use of fuzzing to discover Web application vulnerabilities, including SQL injection, reflected XSS and stored XSS. The main work of this paper is as follows:

1) The types, principles and characteristics of Web application vulnerabilities were analyzed.
2) Common Web application vulnerability discovery techniques and fuzzing technology were analyzed.
3) The principles and detection methods of fuzzing in Web applications were analyzed in depth.
4) For SQL injection and reflected XSS, which are the most common Web application vulnerabilities, this paper designed and implemented a tool that automatically discovers SQL injection and reflected XSS vulnerabilities based on fuzzing technology. The system includes a Web crawler module and a vulnerability testing and detection module.
5) For stored XSS vulnerabilities, this paper designed a tool that automatically generates stored XSS attack vectors. WebFuzz, an open-source fuzzer, was also improved in this paper. By combining the two tools, automated discovery of stored XSS vulnerabilities was achieved.
6) The vulnerability discovery systems were tested on some Web applications, and a large number of vulnerabilities were found.
Keywords/Search Tags: Web application vulnerability, Fuzzing technology, Vulnerability discovery