
Automated Detection Technology Research On SQL Injection And XSS Attacks

Posted on: 2016-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: C T Wei
Full Text: PDF
GTID: 2298330467992980
Subject: Computer Science and Technology
Abstract/Summary:
Web applications are the most popular target for hackers, and in response to the threat of attack, more and more companies are beginning to focus on Web application security testing. For Web systems, penetration testing is the more timely and effective of the automated detection techniques. Penetration testing simulates the behavior of normal security attacks, analyzes the resulting responses, and then determines whether there is a security breach; it is a black-box testing method. Many security researchers have put a lot of effort into the study of penetration testing and have achieved many results. However, there is not yet a mature theoretical model for optimizing the penetration testing process, nor an appropriate theoretical method to guide the generation and optimization of the test suite. As a result, penetration testing is largely blind, and the efficiency and accuracy of testing are not ideal.

In this paper, we focus on two of the more popular and more harmful security vulnerabilities: SQL Injection and Cross Site Script. Based on research into the effective generation and optimization of test cases for these two vulnerabilities and into vulnerability analysis methods, this paper proposes a new testing model for SQL Injection test case generation and a new test case generation model, based on the attack location, for cross-site attacks. These models are used to guide and optimize the test case generation process and ultimately to generate an optimal set of test cases.

In addition, this paper proposes an agent-based penetration testing model to optimize the penetration testing process. Using this model, we can collect as much test data as possible, avoid missing test input points, and improve testing efficiency and accuracy.

Through this research, on the one hand, a new set of optimized test cases was generated using the test case model, and the effectiveness of the test cases was tested. On the other hand, by using the new test cases in combination with the agent-based penetration model, the validity of the model was verified and a good result was achieved.
Keywords/Search Tags: Penetration Testing, SQL Injection, Cross Site Script, Test case