Web Application Penetration Technology Research And Security Defense Design

Posted on: 2015-08-25
Degree: Master
Type: Thesis
Country: China
Candidate: W H Fan
Full Text: PDF
GTID: 2298330467963347
Subject: Information security
Abstract/Summary:
With the rapid development of web applications based on the B/S architecture, the security threats to them are growing, which deeply affects people's lives. Frequent web security incidents in recent years have drawn people's attention to information security. Based on in-depth research and a comprehensive analysis of current web application vulnerabilities, including the reasons they occur, triggering scenarios, exploit methods, the attack scenarios and the harm they may bring, this paper attempts to build a web security threat model and an attack model. A series of tests in a real environment then confirms the web attack model. This paper also analyzes the present state of web application security and the harm the vulnerabilities may cause, and puts forward some defense suggestions. Finally, a security defense solution is proposed, which covers secure design, secure development, secure testing, secure operations and security emergency response. The specific work is as follows:
(1) In the secure design aspect, it builds the web security architecture.
(2) In the secure development aspect, it sets out the security threats that should be considered during development and effective secure coding standards based on practical experience, which can effectively avoid most vulnerabilities, so that most security problems are avoided during the development phase.
(3) In the secure operation aspect, it develops the secure operational strategy and proposes a web application layer intrusion detection method based on malicious behavior, which improves on the traditional security detection method based on feature matching, so that more complex attack methods can be detected.
(4) In the security response aspect, it stresses the importance of emergency response and examines the current security response strategy.
By studying this paper, readers will gain a systematic understanding of web security attacks and be able to identify most of them.
The web security defense system proposed in this paper is a full-range security defense solution, which prevents security incidents both by avoiding vulnerabilities and by defending against attacks. The improvement ideas for defense at the different stages are worth referencing and researching further.
Keywords/Search Tags: Web Security, Web Vulnerability, Threat Model, Security Defense Framework