
The Research On Generation And Detection Rules Of Common Web Application Vulnerabilities

Posted on: 2016-07-06
Degree: Master
Type: Thesis
Country: China
Candidate: J F Zhang
GTID: 2308330479489172
Subject: Electronic and communication engineering

Abstract/Summary:
With the development of the Internet and the arrival of Web 2.0, web application sites have been widely built in many industries; meanwhile, those web applications are constantly under attack in many ways. The security of web applications has already become an urgent problem, and traditional security protection measures can only provide limited protection from attack. Network firewalls must let HTTP requests on port 80 through, and most servers do not carefully check the legitimacy of HTTP requests; these issues make the application an exposed target on the Internet. For this reason, increased research in Internet security has recently generated a great deal of interest in the root causes and detection technologies of web application vulnerabilities, which shows its fundamental practical value.

Aiming at emerging web security vulnerabilities, this paper studied the key root causes and detection rules of common vulnerabilities such as SQL injection, XSS (reflected, DOM-based and stored) and CSRF. Furthermore, we studied a textual organization form for the rules that is suitable for a scanning system during rule storage and release. We also implemented a crawler that can parse JavaScript.

In tests on a locally built environment, the proposed test cases were able to detect most of the common vulnerabilities; however, there is no automated solution for stored XSS vulnerabilities. The proposed test cases also found some vulnerabilities in real sites, showing that the studied rules can be useful in practical applications. The crawler we studied can extract not only the URL links of static pages but also links that require JavaScript parsing. The proposed XML text organization form for rules can be extended to accommodate other rules, which makes rule analysis and the further development of the scanner more convenient.
Keywords/Search Tags:Web security, Vulnerability detection, SQL injection, XSS, CSRF, Crawler