
Research On Web Application Vulnerability Analysis And Detection

Posted on: 2017-08-06
Degree: Master
Type: Thesis
Country: China
Candidate: X F Sun
Full Text: PDF
GTID: 2348330518993468
Subject: Electronics and Communications Engineering
Abstract/Summary:
With the popularization of computers and the development of network technology, especially since the birth of the Web in 1990, Web applications have developed rapidly. Web technology is widely used in business systems and academic fields. However, Web application systems face serious security risks. Security experts have developed security systems to protect Web applications from attack, such as intrusion detection systems, security gateways and firewall devices, but most of these systems are deployed on the server side, which not only causes additional performance loss but also makes system deployment and maintenance more difficult. Finding and repairing vulnerabilities before they are exposed can eliminate safety hazards at an early stage and greatly reduce the cost of software maintenance. Therefore, scholars and engineers in academic research and commercial fields have spent a lot of energy and resources developing Web application security scanning tools.

Web security penetration testing is an active defense technology for Web applications. Before the Web application is put into use, the target system is probed the way an attacker would probe it, helping enterprises find vulnerabilities in advance and avoid unnecessary losses. Some Internet companies have developed mature commercial vulnerability scanning systems that are powerful and efficient, but the software is expensive and many small and medium-sized companies cannot afford it. A low-cost, efficient, easy-to-use Web application vulnerability scanning system is therefore needed.

This paper studies some dangerous Web application vulnerabilities of recent years, such as injection vulnerabilities, cross-site scripting attacks, and authentication and session failures. It analyses the causes of these vulnerabilities and studies detection methods. After comparing different schemes, the paper adopts a breadth-first crawling strategy and an extension mechanism based on plugins and a configuration file. The Web vulnerability scanning software is developed on the basis of existing vulnerability scanning software and adds a strategy for dealing with anti-crawler measures as well as fuzzing test technology, and it uses a dichotomy (binary) search method to speed up exploitation of the vulnerability. The software is developed in Python. The addition of the configuration file mechanism and DNS optimization speeds up vulnerability scanning. To facilitate testing, we built a simple Web application containing some vulnerabilities on a local computer. The final test results show that the software can detect most SQL injection vulnerabilities, but not other vulnerabilities. At the end of the paper, drawing on practical development experience, we give three kinds of defense suggestions.
Keywords/Search Tags: Web application, vulnerability scanning, Python, vulnerability analysis