| With the development of network technology,the security issue has become an increasingly important topic.As an independent mechanism for the detection of network strategies,Penetration testing had become an extremely important Web application security testing technology.But in practice,the differences of technical ability and experience among penetration test engineers would directly affect the penetration test results.For complex vulnerability scan results,it is difficult to determine the threat level of these vulnerabilities and potential attack paths.In order to avoid penetration testing depending too much on the tester's personal ability,but also to improve the efficiency of penetration testing,it is necessary to research a set of scientific and effective penetration testing method.Based on B/S framework,this thesis designed and implemented a penetration testing platform,studied the vulnerability threat assessments deeply,proposed an evaluation mechanism of the complex vulnerabilities.Details are as follows:1.According to lack of assessment of vulnerability correlation problem in CVSS,this thesis designed vulnerability chain scoring standard based of common vulnerability scoring system.Through the definition of vulnerability chain,the standard calculated the relative threat value of the path of vulnerability,and drawn the threat of a vulnerability in the attack path by vulnerability correlation,the vulnerability of its own attributes and other objective factors.By testing experiments with real experimental environment,compared with the original CVSS single vulnerability assessment program,it is successful and effective to assess the threat level of attack paths finally.2.After analysis of the current needs of the multiple-vulnerability platform,combined with cross-platform and universality,this thesis designed the penetration testing platform based on Web.The user module of the platform used a variety of security policies to ensure its own security and reliability,the crawler module greatly improved the work efficiency of the crawler by multithread crawling,the vulnerability module drawn a suspicious vulnerability through matching the vulnerability database features.The system implemented the vulnerability assessment scheme proposed in this thesis;generated high readability analysis report;promoted users to guard against hacker attacks more effective so as to meet the needs of users for security better.Finally,the thesis verifies the availability and effectiveness of the platform by testing. |
PDF Full Text Request