
Design And Implementation Of Security Information Collection Platform For Web System

Posted on: 2018-09-28
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
GTID: 2348330518495332
Subject: Computer technology

Abstract/Summary:
With the completion in 2015 of the "12th Five-Year" plan, which began in 2011, the network has become more and more popular in China. There are 688 million people connected to the Internet who have become Internet users. The Internet has been integrated into people's lives, but Internet security problems are becoming more and more serious, and information security is drawing more and more attention. China has begun to vigorously promote the legalization of cyberspace. Although the level of network security has improved, a variety of network security incidents against web systems are still happening. Precise network fraud and extortion incidents caused by information leakage have occurred. How to improve the security of the web system is still worth discussing.

Network technologies are many and varied, and so are the attacks against web systems. Traditional web system security tools mainly focus on vulnerability scanning and enhance security by repairing vulnerabilities, but they do not have a global view of web security. Many vulnerability scanners are based on a C/S architecture, which is not easy to deploy and use under normal circumstances, and new vulnerability scanning capabilities cannot be updated in a timely manner. Although some commercial scanners have good technical support, they are so expensive that they are not suitable for many small enterprises to protect their websites.

Aiming at the above problems, this paper studies and analyzes the basic security information collection and vulnerability information collection of the web system, and the key technologies for doing the collection. I designed and implemented a high-availability security information collection platform for web systems. This platform can collect the basic security information of the web system and help the administrator evaluate the security risk. The main work is as follows:

1. Completed the research on security information collection for web systems. Based on web system security, analyzed the basic security information of the web system, and completed the feasibility analysis and requirements analysis of the security information collection platform for web systems.

2. Analyzed the main vulnerabilities of web systems. Analyzed the different characteristics of web system vulnerabilities and vulnerability scanning technology, and analyzed SQL injection and cross-site scripting vulnerabilities in depth, covering theory, exploitation, harm and defense methods.

3. Studied the filtering mechanism of the web server and analyzed the set of anti-filter rules. Applied these rules to the XSS vulnerability scanner to expand and optimize the test case library, and enhanced the XSS vulnerability scanning coverage.

4. Finally, completed the logical design of the security information collection platform, and then designed and implemented the different modules of the platform in detail. Completed testing of the information collection, vulnerability scanning and other aspects of the platform, and verified the availability and effectiveness of the platform. Used this platform on a large number of websites for basic security information collection, and completed the corresponding statistics and analysis.
Keywords/Search Tags: information gathering, filtering and anti-filtering, vulnerability scanning, SQL injection, cross site script