
Research And Implementation Of PHP WEB Application Code Defect Detection

Posted on: 2017-02-25
Degree: Master
Type: Thesis
Country: China
Candidate: R L Gong
Full Text: PDF
GTID: 2348330518995810
Subject: Computer Science and Technology

Abstract/Summary:
Web applications are now one of the mainstream uses of the Internet. They provide a wide variety of convenient services to users, and more and more business is moving onto them. For the same reason, Web systems have been a favourite target of attackers since they first appeared. As Web development technology has matured, the PHP scripting language has become increasingly attractive to, and accepted by, developers and users, and is now a mainstream programming language. PHP has flexible syntax, a rich feature set and a fast release cycle, but the skill of the programmers using it varies widely, so PHP code has accumulated a large number of bugs and PHP Web applications are, in practice, easy for attackers to compromise. As the state and society place increasing emphasis on information security, Web application security is receiving more attention, and PHP Web applications, as one of the high-risk areas of Web security, are receiving particular attention.

There are two ways to raise the security of PHP Web applications: improve the quality of the application developers, or audit the finished PHP Web application before it is deployed. The former costs a great deal of time and resources and its effect cannot be guaranteed, so the latter has become the most widely accepted approach. At the top level, the code audit methods used for PHP applications today fall into two categories: static testing and dynamic testing. The two rest on different ideas and produce different results, and each has serious shortcomings when used for code audit on its own, so the results are rarely satisfactory. This thesis analyses the principles and characteristics of static and dynamic testing, the inherent weaknesses of each detection technique, and the objective difficulties that the newer development models of PHP Web applications create for both. On that basis we propose a new code audit approach that combines HHVM-based static code security detection with dynamic fuzz testing based on restructuring URL parameters:

1. Static detection is built on HHVM, Facebook's open source project for compiling PHP code. While HHVM traverses the program's syntax structure during compilation, our analysis tracks tainted data, records how it propagates at the syntactic and semantic level, and finally decides whether a security defect is present.

2. The dynamic fuzz technique based on rearranging and recombining URL parameters is our own contribution. It distinguishes URL parameter types, rearranges and recombines parameters of different types to construct new URL-based links, and fuzzes those links with a dynamic black-box fuzzer alongside conventional fuzzing techniques.

3. Combining the two is the central point of the thesis. Dynamic test results help to streamline the static detection process, and static analysis results are fed back to the dynamic test as input so that it generates new, more logically constructed parameter permutations and reaches higher dynamic detection coverage. By assisting each other, the two techniques overcome the inherent defects that neither can resolve alone and achieve the best overall detection results.
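The following is an added illustration, not code from the thesis and not its HHVM-based tool: a deliberately small, line-based taint tracker for a PHP subset (standing in for the syntax-tree traversal of point 1), a URL-parameter type classifier and permutation-based fuzz-case generator (point 2), and an audit function that seeds the fuzz generation with the static findings (point 3). The PHP snippet, the example.test URL, the sanitizer and sink lists and the payloads are all constructed for the example.

```python
"""Added toy example of static taint tracking feeding URL-parameter fuzzing.
Not the thesis's implementation; the PHP sample and URL below are constructed."""
import re
from itertools import permutations
from urllib.parse import parse_qsl, urlencode, urlparse

# Assumed lists: sanitizers clear taint when they wrap a whole expression,
# sinks are where tainted data becomes a defect.
SANITIZERS = {"intval", "htmlspecialchars", "mysqli_real_escape_string", "escapeshellarg"}
SINKS = {"mysql_query": "SQL injection", "mysqli_query": "SQL injection",
         "echo": "XSS", "system": "command injection", "include": "file inclusion"}

VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[['\"](\w+)['\"]\]")
CALL_RE = re.compile(r"(\w+)\s*\((.*)\)")
KEYWORD_RE = re.compile(r"(echo|include)\s+(.+)")
ASSIGN_RE = re.compile(r"(\$\w+)\s*(\.?)=\s*(.+)")


def taint_of(expr, env):
    """Request-parameter names whose data reaches `expr`; `env` maps variables
    to the parameter names already tainting them."""
    m = CALL_RE.fullmatch(expr.strip())
    if m and m.group(1) in SANITIZERS:
        return set()                          # wholly sanitized expression
    params = set(SOURCE_RE.findall(expr))     # direct $_GET['x'] reads
    for var in VAR_RE.findall(expr):
        params |= env.get(var, set())         # propagation through variables
    return params


def split_call(stmt):
    """(callee, argument text) for `f(args)` or `echo expr`, else None."""
    m = CALL_RE.fullmatch(stmt) or KEYWORD_RE.fullmatch(stmt)
    return (m.group(1), m.group(2)) if m else None


def analyze_php(src):
    """One-statement-per-line taint analysis over the PHP subset above."""
    env, findings = {}, []
    for lineno, raw in enumerate(src.splitlines(), 1):
        stmt = raw.strip().rstrip(";").strip()
        if not stmt or stmt.startswith(("<?php", "?>", "//")):
            continue
        expr = stmt
        m = ASSIGN_RE.fullmatch(stmt)
        if m:                                 # `$v = e` or `$v .= e`
            var, concat, expr = m.groups()
            taint = taint_of(expr, env)
            env[var] = (env.get(var, set()) | taint) if concat else taint
        call = split_call(expr)
        if call and call[0] in SINKS:
            params = taint_of(call[1], env)
            if params:
                findings.append({"line": lineno, "sink": call[0],
                                 "kind": SINKS[call[0]], "params": sorted(params)})
    return findings


PAYLOADS = {                                  # constructed, per parameter type
    "int": ["-1", "0", "2147483648", "1 OR 1=1"],
    "path": ["../../../../etc/passwd", "php://filter/convert.base64-encode/resource=index"],
    "str": ["<script>alert(1)</script>", "' OR '1'='1"],
}


def classify(value):
    """Crude parameter typing from the value observed in a crawled link."""
    if re.fullmatch(r"-?\d+", value):
        return "int"
    if "/" in value or value.endswith((".php", ".html", ".txt")):
        return "path"
    return "str"


def fuzz_urls(url, findings, max_orders=3):
    """Fuzz cases: parameters flagged by the static pass are mutated first, and
    the parameter order is permuted so order-sensitive handling is exercised."""
    parts = urlparse(url)
    params = parse_qsl(parts.query)           # ordered (name, value) pairs
    types = {k: classify(v) for k, v in params}
    hot = {p for f in findings for p in f["params"]}
    ranked = sorted(params, key=lambda kv: kv[0] not in hot)   # flagged first
    urls = []
    for order in list(permutations(ranked))[:max_orders]:
        for target, _ in order:
            for payload in PAYLOADS[types[target]]:
                mutated = [(k, payload if k == target else v) for k, v in order]
                urls.append(parts._replace(query=urlencode(mutated)).geturl())
    return urls


def audit(src, url):
    """Static pass first, then dynamic cases seeded with its findings."""
    findings = analyze_php(src)
    return findings, fuzz_urls(url, findings)


SAMPLE_PHP = """<?php
$id    = $_GET['id'];
$limit = intval($_GET['limit']);
$page  = $_GET['page'];
$name  = $_GET['name'];
$sql   = "SELECT * FROM posts WHERE id = " . $id;
$sql  .= " LIMIT " . $limit;
$res   = mysql_query($sql);
echo htmlspecialchars($name);
include "pages/" . $page . ".php";
"""
SAMPLE_URL = "http://example.test/index.php?id=7&page=about.php&name=bob&limit=10"

if __name__ == "__main__":
    found, cases = audit(SAMPLE_PHP, SAMPLE_URL)
    for f in found:
        print(f"line {f['line']}: {f['kind']} via {f['sink']}({', '.join(f['params'])})")
    print(f"{len(cases)} fuzz URLs, first: {cases[0]}")
```

On the sample, the static pass reports the unsanitized `id` reaching `mysql_query` and `page` reaching `include`, while `limit` (wrapped in `intval`) and `name` (wrapped in `htmlspecialchars`) produce no finding; the fuzz generator then mutates `id` and `page` before the other parameters and emits every case for each of the first three parameter orderings. A real implementation needs a proper parser and interprocedural, path-sensitive tracking; the point here is only the data flow between the two halves.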
Keywords/Search Tags: PHP Code Audit, MVC, Web Fuzz, HHVM, Audit