As Web applications become ever more deeply embedded in people's work and lives, their security problems grow more and more severe. The main trend in Web application security is that adversaries find vulnerabilities not only at the system level but also at the business logic level. However, existing Web application vulnerability detection tools can only deal with system-level vulnerabilities; logic-level vulnerabilities are still left to manual work. Although manual detection of logic vulnerabilities is highly accurate, its efficiency is not as good as expected. To address this problem, in this paper we study business logic vulnerabilities of Web applications, including password recovery vulnerabilities, online shopping payment vulnerabilities, and business interface invoking vulnerabilities. In particular, we develop a detection system for business logic vulnerabilities of Web applications in Python that combines the advantages of automatic detection and manual detection. The main work of this paper is as follows:
(1) We analyze the grim situation of Web application security and give an overview of present research, including the shift in Web application security from traditional Web application vulnerabilities to business logic vulnerabilities.
(2) We discuss the main penetration testing techniques used in current Web application vulnerability detection and introduce the mainstream penetration testing tools, including packet sniffers, encoding converters and many other auxiliary tools. We also introduce the development language and environment, and the system architecture.
(3) For password recovery vulnerabilities, online shopping payment vulnerabilities, business interface invoking vulnerabilities and many other business logic vulnerabilities of Web applications, we carry out penetration tests. We analyze the exploit principles of these vulnerabilities and summarize a generalized method for detecting such logic vulnerabilities.
(4) We solve two major problems of the Web crawler: URL extraction and selection of the core algorithm. We realize automatic detection of password recovery vulnerabilities, online shopping payment vulnerabilities, and business interface invoking vulnerabilities.
(5) Based on system requirement analysis and design, we develop a detection system for business logic vulnerabilities of Web applications with good extensibility, and give detailed explanations of the design and implementation of its key modules. We then choose some popular Web applications and evaluate the system's function modules and performance. Finally, we verify the feasibility and efficiency of the system by analyzing the evaluation results.
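The online shopping payment vulnerability named above is the kind of flaw that no system-level scanner reports: the server accepts a price or quantity the client was allowed to edit. The block below is an added example, not code from the thesis or its detection system, showing how such a check can be automated in Python by replaying a captured checkout request with tampered fields and comparing what the server charges against the legitimate total. The `CATALOG` price list, the `vulnerable_checkout` and `hardened_checkout` handlers, and the captured `BASE_REQUEST` are all constructed stand-ins for a real shop so the probe runs offline; against a live target `send` would be a function that submits the form and parses the response.

```python
"""Differential probe for client-side price/quantity tampering.

Added example (hypothetical): replay a captured checkout request with the
client-controlled fields mutated and flag any variant the server accepts
while charging less than the legitimate total.
"""
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]
Response = Dict[str, str]
SendFn = Callable[[Request], Response]

# Constructed price list standing in for the shop's product database.
CATALOG = {"sku-1001": Decimal("49.99")}


def mutations(base: Request) -> List[Tuple[str, Request]]:
    """Tampered variants of a captured checkout request, mirroring what a
    tester would try by hand on the client-controlled fields."""
    cases: List[Tuple[str, Request]] = []
    if "price" in base:
        cases.append(("price_near_zero", {**base, "price": "0.01"}))
        cases.append(("price_negative", {**base, "price": "-" + base["price"]}))
    if "quantity" in base:
        cases.append(("quantity_zero", {**base, "quantity": "0"}))
        cases.append(("quantity_negative", {**base, "quantity": "-1"}))
    return cases


def probe(base: Request, send: SendFn, expected_total: Decimal) -> List[str]:
    """Replay each mutation and return the names of those the server accepted
    while charging less than the legitimate total (a probable logic flaw)."""
    findings: List[str] = []
    for name, req in mutations(base):
        resp = send(req)
        if resp.get("status") != "ok":
            continue  # rejected: the server validated the field
        try:
            charged = Decimal(resp["charged"])
        except (KeyError, InvalidOperation):
            continue  # unparseable reply, nothing to conclude
        if charged < expected_total:
            findings.append(name)
    return findings


def vulnerable_checkout(req: Request) -> Response:
    """Constructed target that trusts the client-supplied price and quantity."""
    try:
        total = Decimal(req["price"]) * int(req["quantity"])
    except (KeyError, ValueError, InvalidOperation):
        return {"status": "error"}
    return {"status": "ok", "charged": str(total)}


def hardened_checkout(req: Request) -> Response:
    """Constructed target that ignores the client price, looks the unit price
    up server-side and rejects non-positive quantities."""
    try:
        unit = CATALOG[req["sku"]]
        qty = int(req["quantity"])
    except (KeyError, ValueError):
        return {"status": "error"}
    if qty <= 0:
        return {"status": "error"}
    return {"status": "ok", "charged": str(unit * qty)}


# Constructed capture of a legitimate checkout submission (2 x 49.99).
BASE_REQUEST = {"sku": "sku-1001", "quantity": "2", "price": "49.99"}
EXPECTED_TOTAL = Decimal("99.98")

if __name__ == "__main__":
    print("vulnerable:", probe(BASE_REQUEST, vulnerable_checkout, EXPECTED_TOTAL))
    print("hardened:  ", probe(BASE_REQUEST, hardened_checkout, EXPECTED_TOTAL))
```

The probe judges only by the amount the server reports charging, so it needs the legitimate total as an oracle; in a real engagement that value comes from the product page or the unmodified capture, and each accepted mutation should be confirmed by hand before it is reported, which is exactly the automatic-plus-manual division of labour the abstract argues for.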