
Penetration Testing Based Logical Vulnerability Detection Technology

Posted on: 2019-04-26
Degree: Master
Type: Thesis
Country: China
Candidate: N F Xue
GTID: 2348330563453923
Subject: Information security

Abstract/Summary:
Web logic vulnerabilities are a new type of vulnerability that has emerged in recent years, and they differ from traditional vulnerabilities such as SQL injection, cross-site scripting, and file inclusion. A logic vulnerability is an error in the designer's reasoning. Exploitation generally works by tampering with business processes and HTTP/HTTPS requests. Once the key points have been found, the attack can often be completed without constructing a malicious request, so it easily bypasses various security protection measures. Moreover, there is no fixed pattern to the attack methods for logic vulnerabilities, so they are difficult to detect with conventional vulnerability detection tools.

Password recovery, transaction tampering, and unauthorized access (ultra vires) flaws are the most common types of logic vulnerability. Attackers can use them to bypass identity authentication mechanisms, modify transaction amounts, and steal other users' information, causing great harm to businesses and individuals. Although logic vulnerabilities have been exploited many times, their detection still relies on manual testing, which has a high accuracy rate but extremely low efficiency. Because the flaw lies in the logical design, the problem is in the service flow itself. This type of vulnerability is not limited to the network layer, system layer, or code layer, and it can also escape the protection devices deployed at the network and application layers. Targeted automated inspection tools are lacking.

To alleviate these problems, this thesis presents an extensible solution for automated logic vulnerability detection. Its main content is as follows:

(1) Research on key technologies and issues. Traditional manual detection methods are studied, summarized, and improved to make them suitable for automatic detection; rule bases for web filtering are designed; finally, a solution is designed to automatically detect three kinds of logic vulnerability: password recovery, transaction tampering, and unauthorized access flaws.

(2) System design. The solution designed above is applied to a practical setting to complete an automated logic vulnerability detection system. The proposed system is mainly divided into a user interface, a management control module, a webpage acquisition module, a vulnerability detection module, and a detection report module.

(3) Test and analysis. Multiple web applications are selected for testing, and test reports are generated. Compared with the manual penetration testing method, the efficiency of logic vulnerability detection is improved.
Keywords/Search Tags: Logic Vulnerability, Penetration Test, Web Application Security