Research Of Web Applications Security Detection Based On Fuzzing Test

With the continuous development of the Internet, users' life has become more convenient and efficient. As the limit of the development resources and time, the complexity and uncontrollability of the user environment and some other reasons, there are still a large number of risks of security vulnerabilities in Web applications. In order to guarantee security of Web applications, imitating user input for possible loopholes is essential in safety testing before the deployment and using of Web applications. In related methods of security testing, fuzzing model has been widely used in security vulnerability testing of Web application. However, the existing Web application fuzzing mostly based on the process of "Get Data- Input Attack test- analyze vulnerability data", the test process has shown the problems such as it can't dynamically expand, the vulnerability respond can't effectively to be verified and the results of vulnerability test can't be evaluated quantitatively, which leads to false negative and false positive of more loopholes in the test results.As the coverage rate of test case is low, this paper proposes a test case generation method based on dynamically generation and protocol deformation. according to the filter rules after analyzing adopting the corresponding deformation methods to guide test case generation, this method extracts features to generate a feature library for typical XSS and SQL injection, and then dynamically generates a large number of test cases through combining rules; meanwhile, analyzes the website's filtering mechanism, Experiments show that our method has a low false negative rate compared with dynamic generation method and random enumeration generation method under the complex website's filter circumstance.As vulnerability results are still difficult to be effectively verified, this paper proposes a vulnerability data analysis method based on pollution spread strategy. The method obtained SQL injection and XSS injection point data after fuzzing as data sources, on the base of pollution spread rules to track data dynamically and finally through pollution detection analysis to verify whether there are loopholes. Experiments show that this method has a low false alarm rate compared with the current testing tools' vulnerability response analysis methods.As it is difficult to quantify and assess Vulnerability detection results, this paper proposes a quantification and assessment method. The method, according to the number of vulnerabilities of high-risk sites, medium risk and low-risk, quantifies and computes Web security test results, so that Web security evaluation practitioners have a more intuitive understanding of Web applications security conditions, the experimental results show that this method can represent Web application loopholes situation intuitively.