Web applications have become part of the daily life of Internet users, offering convenient use and rich functionality. The emergence of Web 2.0 promoted the development of the Internet and was revolutionary. With the development of Web 2.0, Web application security vulnerabilities have gradually shifted from traditional technical vulnerabilities toward business logic vulnerabilities. A Web application is a system with complex business logic, and overlooking security details in that logic often leads to serious security problems, which not only affect users' normal use of the Web application but can even damage their personal interests.

Existing commercial and open source Web application security scanning tools are able to perform security assessment and vulnerability detection for Web application systems, and can help penetration testers and system maintenance personnel significantly reduce the security risk of a Web application system. However, these scanning tools detect only the traditional security vulnerabilities of Web applications well, and they do not cover business logic vulnerabilities well. For the business logic vulnerabilities of Web applications, manual penetration testing is currently used, which is not only inefficient but also difficult to put into practical use.

In this paper, in-depth research was done on Web application vulnerability detection technology, in the direction of penetration testing.
This work tries to combine the advantages of automatic scanning tools and manual penetration testing, and proposes a solution for detecting Web application business logic vulnerabilities that can both discover business logic vulnerabilities and do so efficiently.

Around this research subject, the paper carried out the following work: researched the latest Web application implementation technologies and their potential security hazards, and surveyed in detail the state of Web security research at home and abroad; carried out a large number of actual penetration tests on the business logic functions of Web applications, summarized the causes of and detection methods for business logic vulnerabilities, and improved those detection methods; studied the implementation of Web crawlers carefully, and developed a Web crawler for Web application vulnerability detection to better support the vulnerability detection research; on the basis of the above study, developed vulnerability detection tools in scripting languages according to the various detection methods for Web application business logic vulnerabilities; and, for the convenience of users, after studying development techniques based on Web application frameworks, integrated the developed vulnerability detection tools, in the form of plug-ins, into a Web application vulnerability detection system.

The main innovation of this paper lies in combining the advantages of Web application vulnerability scanning and manual penetration testing, applying automated vulnerability detection and Web application function analysis to the detection of Web application business logic vulnerabilities.
At the same time, the Web crawler used for vulnerability detection was improved: on top of crawling the links of the Web application, it adds matching-based analysis of page content, and this analysis is used to further discover starting points for vulnerability detection.

To test the usability of the detection system, the final part of this paper carried out actual tests of the vulnerability detection system and analyzed the test results. Based on the analysis of the test results, the usability and efficiency of the system were affirmed.