Research On Web Application Vulnerability Mining Based On Genetic Algorithm And Fuzzing Technology

With the development of Internet,Web application system based on B/S architect ure is gradually replacing traditional application system based on C/S architecture.A l ot of privacy information of Internet uses transfers and gets processed on Web applic ation.All of these make Web application become the hardest hit area of cyber attacks.Building a high effective and high accurate mechanism of Web application vulnerabili ties mining to find out security problems in target systems and reduce the possibility o f target systems being attacked maliciously has important theoretical significance and practical value.Firstly this paper analyzes and studies the basic principle,the basic testing proced ure and core technology of Fuzzing technology on the basis of comparing traditional white box,black box and grey box testing technology.Meanwhile,analyzing and introd ucing the basic principle of common Web application security vulnerabilities Accordi ng to the characteristics of Web application vulnerabilities mining.Secondly according to the blindness of Fuzzing technology,introduce the genetic algorithm to optimize the test data of Web application vulnerabilities mining,improve the quality of test data,decrease the randomness of Fuzzing and improve the efficienc y of vulnerabilities mining.The main research content is designing the fitness function based on vulnerability feature set,optimizing the traditional two-point crossover algor ithm and basic bit mutation algorithm according to the particularity of the test case of Web application vulnerabilities mining.At last design the Web Fuzzer Based on Genetic Algorithm.The Fuzzer mainly c ontains 5 modules:Input Vector Construction Module,Fuzzing Testing Data Generati on Module,Genetic Optimization Module,Testing Data Execution Module and Except ion Detection Module.Implement the main program of WFBGA based on WebFuzz a nd the Genetic Optimization Module of WFBGA based on Python.Input Vector Const ruction Module generates the input variables set of Fuzzing test.Design two types of t est data generation method which are exploratory method and heuristic method in Fuz zing Testing Data Generation Module.Genetic Optimization Module mainly optimize s the initial test data.Testing Data Execution Module mainly completes the encapsulati on and sending of test data.Exception Detection Module analyzes and records the resu lt returned by the server.The result of experiment shows that WFBGA has a better mining performance of than WebFuzz and SPIKE on injection vulnerabilities,XSS and CSRF.But the mining performance on security configuration error and unencrypted transportation needs im provement.