
Research And Implementation Of Web Application Security Scanner

Posted on: 2013-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: C T Huang
Full Text: PDF
GTID: 2248330374987606
Subject: Computer Science and Technology
Abstract/Summary:
As Web applications become more widely used, attention to their security has risen steadily, and how to protect Web applications has become an important research topic. Many protection systems are currently used to defend against Web application attacks. These systems enhance the security of Web applications to some extent, but at a considerable cost in performance and maintenance. Detecting and eliminating vulnerabilities early is therefore an effective preventive measure: it strengthens the security of the Web application itself, greatly reduces later software maintenance costs, and enhances the credibility of the software product. Web application vulnerability scanning software is an important tool in this detection process; it effectively supports the work of testers and greatly reduces the detection workload. Research on it is therefore very necessary.

First, this paper studies the causes of Web application vulnerabilities and the corresponding detection methods, and proposes a practical framework for Web application vulnerability scanning software based on the characteristics of Web applications. Second, it studies two important technologies in depth: the acquisition of vulnerability scanning information and the Web application vulnerability detection mechanism. Third, it gives a design and implementation of these technologies.

For the acquisition of Web vulnerability scanning information, this paper studies its goals in depth, and selects and designs a process for obtaining scanning information. On the basis of the scan information, it proposes the design and implementation of a Web content extraction module based on regular expressions. Next, it studies the crawling of interactive form content in depth, and designs and implements an automatic form-filling module with simple semantic recognition capability. Then, so that the information obtained during the scanning phase can be applied in the Web vulnerability detection phase and the report generation phase, a scanning information model is proposed.

For Web application vulnerability detection, because detection techniques are constantly updated and changing in nature, this paper compares and analyzes a variety of extensible vulnerability detection mechanisms. Taking advantage of the characteristics of Web application vulnerability detection methods, it designs and implements a vulnerability detection mechanism based on rule-based extensions and plug-in extensions. It then studies the working principle and process of a vulnerability analyzer in depth and, building on this detection mechanism, designs and implements a vulnerability analyzer. Next, to compensate for the shortcomings of purely automated scanning tools, a series of assisted detection tools is researched and designed to improve the efficiency of Web application vulnerability testing.

Testing showed that the Web application vulnerability scanning software described in this paper can detect SQL injection vulnerabilities, blind SQL injection vulnerabilities, and XSS vulnerabilities, as well as backup files, etc.
Keywords/Search Tags: Web application security, vulnerability detection, Webpage crawling, vulnerability analysis