
Design And Implementation Of XSS And SQL Injection Vulnerability Detector

Posted on: 2018-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Huang
GTID: 2428330518955128
Subject: Computer technology
Abstract/Summary:
Web applications are open and universal, and as a result more than 70% of the world's network security issues stem from Web security attacks. XSS (Cross Site Scripting) has overtaken traditional buffer overflow attacks to become the top type of security threat, while SQL (Structured Query Language) code injection is also a mainstream type of attack on Web applications. XSS and SQL security vulnerabilities have been found on major well-known sites, so the detection of such vulnerabilities has been a hot topic in Web application security research. This thesis studies XSS vulnerabilities and SQL injection vulnerabilities, and designs and implements a vulnerability detector, XST (XSS&SQL Tool).

Starting from the research background and current state of Web vulnerability detectors, the thesis focuses on XSS and SQL injection, analyzing the causes of the vulnerabilities, the principle of attack, the attack methods and the attack process. It introduces two commonly used detection methods, source code audit and fuzz testing. Finally, it describes the design of the vulnerability detector XST and implements it in Python. DVWA (Damn Vulnerable Web Application), a platform that contains a variety of vulnerabilities, is used to test the detector.

For XSS vulnerabilities, the detector XST sends a randomly generated attack string to the DVWA server. The server receives the detector's request and returns a response, and the detector matches the response against a regular expression. If the response returned by the server matches the corresponding XSS attack string, an XSS vulnerability exists; otherwise, there is no vulnerability. For SQL injection vulnerabilities, the detector XST sends a specially constructed SQL test string to the DVWA server; the server receives the request and returns a response, and the detector makes a further determination based on that response.

The detector's work process is: 1. send attack statements to the server; 2. obtain the server-side response; 3. analyze the response and perform vulnerability detection; 4. determine from the test results whether vulnerabilities exist. Testing shows that the XST vulnerability detector can successfully detect the XSS vulnerabilities and SQL injection vulnerabilities in the DVWA vulnerability platform and on operating sites such as Zhu Ming Art Museum and Duo Wan. The testing process also revealed that some areas of the detector's design need to be improved.
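
The XSS check described in the abstract, sketched as an added example (not code from the thesis; XST's source is not shown on this page). The two handlers are constructed stand-ins for a server, and the function names and the inert `<xst>` marker are assumptions; the sketch also separates an encoded reflection from an unencoded one, which a plain substring match would not.

```python
import html
import re
import secrets

# Constructed stand-ins for a target page (assumptions, not DVWA code).
def echo_raw(value):
    """Reflects the parameter into HTML without output encoding."""
    return "<html><body><p>Hello " + value + "</p></body></html>"

def echo_encoded(value):
    """Reflects the parameter after HTML-encoding it."""
    return "<html><body><p>Hello " + html.escape(value) + "</p></body></html>"

def make_probe():
    """Step 1: build a random, inert marker wrapped in markup characters.

    A fresh random token per request keeps the match from firing on
    static page content or on a value cached from an earlier test.
    """
    token = secrets.token_hex(6)
    return token, '<xst id="' + token + '">'

def classify(body, token, probe):
    """Step 3: regex-match the response for the probe.

    'unencoded' - markup characters came back intact (a finding)
    'encoded'   - marker reflected, but neutralised by output encoding
    'absent'    - marker not reflected at all
    """
    if re.search(re.escape(probe), body):
        return "unencoded"
    if re.search(re.escape(token), body):
        return "encoded"
    return "absent"

def check_reflection(handler):
    """Steps 1-4, run against a local handler instead of an HTTP request."""
    token, probe = make_probe()
    body = handler(probe)                     # step 2: obtain the response
    verdict = classify(body, token, probe)
    return {"vulnerable": verdict == "unencoded", "verdict": verdict}

if __name__ == "__main__":
    for name, handler in (("raw", echo_raw), ("encoded", echo_encoded)):
        print(name, check_reflection(handler))
```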
Keywords/Search Tags: Web security, vulnerability detection, XSS vulnerability, SQL vulnerability