
Design And Implementation Of Web Application Security Penetration Testing Tool

Posted on: 2013-07-14
Degree: Master
Type: Thesis
Country: China
Candidate: B B Yan
GTID: 2268330392970640
Subject: Software engineering

Abstract/Summary:
With the rapid development of network technology, web applications have become an indispensable part of people's daily lives. However, web applications have also gradually become the main target of hackers and malicious users. Ensuring the security of web applications has therefore become a major challenge faced by governments, enterprises, and even banks and the rest of the financial industry. Web application security penetration testing should be conducted in order to improve the security of web applications; that is, vulnerabilities should be detected and fixed before malicious users attack the web application.

In this paper, we study the causes of, and the corresponding defenses against, common web application vulnerabilities such as Injection, Cross-Site Scripting, Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery, and Security Misconfiguration. We then introduce the penetration testing techniques by which vulnerabilities can be detected. Based on this research, we have designed and implemented a web application security penetration testing tool. The major contributions of this paper are as follows:

(1) We have designed and implemented a web crawler module. The crawler uses a breadth-first crawling strategy and a multi-threaded crawling strategy, and obtains all the URLs of the target site by parsing pages, formatting URLs, and filtering URLs.

(2) We have designed and implemented the security penetration injection module. We analyzed the principle of penetration injection, then analyzed the injection points and injection parameters, and finally constructed malicious URLs and sent them to the web server automatically.

(3) We have designed and implemented the analysis module. We studied and summarized a vulnerability decision rule table. The type of a web application vulnerability is recognized by comparing the expected output in the rule table with the web server's response. Finally, vulnerabilities are presented in HTML format.

This tool has the following three advantages: high efficiency, as it can discover web application vulnerabilities comprehensively; high accuracy, as it can produce a detailed vulnerability detection report; and high scalability, as new vulnerability detection plugins can be added easily without changing the original control logic.
Keywords/Search Tags: Web application security, Safety penetration test, Penetration injection, Vulnerability detection