Research And Implementation Of XSS Vulnerability Detection Tool Based On Fuzzing Test And WEB Crawler

Before the Web1.0 era,users only got the information provided by the Web server through the browser,so cross-site scripting vulnerabilities were not common in that era.In the Web 2.0 era,Web servers pay more attention to user interaction,dynamic web technologies and AJAX technologies,making the XSS vulnerability blowout.XSS(Cross-site scripting)is consistently top-three in OWASP's list of top ten Web vulnerabilities and XSS vulnerabilities require a scripted environment because of their simpler running environment than traditional buffer overflow vulnerabilities,So the damage is even greater.The Web stores a large number of user information,so this also caused serious harm to the information security of network users.Vulnerability scanning technology is a technical means to examine the security of Web applications from the standpoint of an attacker.It can detect potential security leaks in web applications and become one of the important technologies for securing your network.Therefore,the research of vulnerability scanning technology is extremely important.The existing XSS vulnerability detection techniques have the disadvantages of high false alarm rate,low utilization efficiency of the detection library and low success rate of the vulnerability matching.Therefore,in this paper,the principle of XSS vulnerability detection,the detection principle,the fuzziness testing used in the detection,Crawler technology conducted in-depth study,completed the main work is as follows:1.This paper studies the formation mechanism of Web application security vulnerabilities and the related fuzzing test techniques,and analyzes the formation,attack and utilization of XSS vulnerabilities in detail.2.The theory involved in the fuzzing test is studied,the current mainstream fuzzing test scheme is introduced,and some defects of the existing test flow are introduced.The techniques used by current web crawlers are introduced and the disadvantages of crawlers in tools are analyzed.3.Through the use of fuzzing test and web crawler technology,we design a new XSS vulnerability detection scheme and innovate in the generation of attack payload in the testing process and fuzzing test.4.For the actual existence of vulnerability but can not match the problem,this article also through the same system interactive data packets and the system returned HTML page analysis,designed a new vulnerability matching program to improve the vulnerability of the matching success rate.Finally,an initial version of the XSS vulnerability detection tool based on fuzzy testing and web crawler is implemented.The experiment proves that this tool achieves better performance than the common one by comparing the vulnerability testing process,the method of generating attack payload and the matching of vulnerabilities.Vulnerability testing tools higher attack payload utilization,while reducing the false negative rate,verify the feasibility and effectiveness of the program.