
Research On Web Application Penetration Testing

Posted on: 2015-12-26
Degree: Master
Type: Thesis
Country: China
Candidate: L J Zhao
Full Text: PDF
GTID: 2298330434454220
Subject: Computer Science and Technology
Abstract: With the rapid development of the Internet, web applications are used more and more in various aspects of social life. While they provide people with great convenience, they also bring unprecedented security risks. Because of the complexity of web applications and their running environments, web application security issues have become more and more complex. As an important method of web application security testing, penetration testing can find vulnerabilities that exist in a web application and help avert the threats they pose in a timely manner. In actual work, however, the result of web application penetration testing often depends on the tester's experience and skill. To keep test results from relying on individual skill and to improve the efficiency of penetration testing, a more scientific and effective method is needed.

This article takes the subject's research background as its starting point and first studies the related theories and technologies, based on an analysis of the domestic and international research status of penetration testing. It then puts forward a penetration testing method for web applications that optimizes the design of the penetration testing process and content. The method divides the process into six stages: making the penetration testing plan, collecting and analyzing relevant information, making a detailed work plan, implementing the penetration testing work, assessing the risk level of vulnerabilities, and producing the penetration testing report. It also divides the vulnerability testing scope into seven categories: authentication, data validation, information leakage, session, application logic, web service, and third-party components. In addition, it summarizes the testing methods and tools for SQL Injection and XSS.

Lastly, drawing on an actual project, the article gives a complete case of web application penetration testing, which verifies the effectiveness and practicality of the proposed method.
Keywords/Search Tags: Web Application, Penetration Testing, SQL Injection, XSS