Design And Implementation Of High Performance Web Application Vulnerability Scanning System

Posted on: 2020-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: J J Chen
GTID: 2428330572472232
Subject: Computer technology
Abstract/Summary:
With the rapid development of the Internet, information transmission and sharing depend more and more on the network. As a key part of the Internet's development, web applications bring both convenience and serious security threats to people's lives. If attackers exploit vulnerabilities in web applications, enterprises and users can suffer serious losses. To ensure the security of web applications, research on scanning for and repairing web application vulnerabilities has become extremely important. The essence of web application vulnerability scanning is to imitate the operations of an attacker: starting from the URLs collected by a web crawler, the scanner sends pre-constructed data packets to the web application server and analyzes the server's responses to determine whether a vulnerability exists and to discover potential security risks in the web application. The specific work of this paper is as follows:

(1) This paper analyzes and summarizes the research status of web security. It gives a detailed description of the web crawler technology, URL de-duplication algorithms and vulnerability scanning technology used in web application vulnerability scanning. It also analyzes and explains the principles and scanning methods of XSS vulnerabilities and sensitive path leakage vulnerabilities.

(2) This paper analyzes the functional requirements of the high performance web application vulnerability scanning system and designs the overall architecture of the system. It describes in detail the design and implementation of the parameter configuration module, web crawler module, vulnerability scanning module, report generation module and system management module. Since the URLs crawled by the web crawler module are the input of the vulnerability scanning module, the efficiency of the crawler module directly affects the efficiency of the system. In the web crawler module, the system chooses a breadth-first traversal crawling strategy so as to capture as many web application URLs as possible, which improves the crawl rate. The system also improves the Bloom filter algorithm and proposes a double Bloom filter algorithm, which reduces the error rate of the Bloom filter in URL de-duplication and improves the quality of the crawler. These two measures improve the efficiency of the crawler and, with it, the performance of the system. In the vulnerability scanning module, the system designs two vulnerability scanning modes, auditing and sniffing, which target two general classes of vulnerability: payload-injection vulnerabilities and information leakage vulnerabilities. This improves the scanning rate, because the system can use a specific scanning mode when scanning for a specific type of vulnerability. For the non-generic vulnerabilities in the vulnerability library, the system also designs and writes POCs as vulnerability scanning plug-ins, which improves the accuracy of vulnerability scanning. These two measures optimize and improve the performance of the system in the vulnerability scanning module. This paper focuses on the design and implementation of three plug-ins in the vulnerability scanning module: the XSS scanning plug-in (a payload-injection vulnerability), the sensitive path leakage scanning plug-in (an information leakage vulnerability), and the scanning plug-in for the CNNVD-201811-248 PHP CMS code injection vulnerability.

(3) This paper tests the high performance web application vulnerability scanning system. By comparing the scanning time, false alarm rate and missing rate of this system with those of other common vulnerability scanning tools, this paper proves that the scanning speed and accuracy of this system are both high, making it a high performance system.
Keywords/Search Tags:Web security, vulnerability scanning, Web crawler, bloom filter, XSS, sensitive path
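
The abstract does not describe how the double Bloom filter is built, so the following is an added example and not the thesis's code. It assumes one plausible design: two independently salted filters, with a URL treated as already crawled only when both report it, used as the visited set of a breadth-first crawl. In a scanner's crawler a false positive means a URL is silently skipped and never scanned, which is why the de-duplication error rate matters. All class names, function names and URLs are constructed for illustration.

```python
import hashlib
from collections import deque

class BloomFilter:
    def __init__(self, m_bits, k_hashes, salt):
        self.m, self.k, self.salt = m_bits, k_hashes, salt
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # k bit positions derived from one salted SHA-256 digest (double hashing).
        d = hashlib.sha256(self.salt + item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

class DoubleBloomFilter:
    # Assumed design: two independently salted filters; duplicate only if BOTH match.
    def __init__(self, m_bits, k_hashes):
        self.a = BloomFilter(m_bits, k_hashes, b"a:")
        self.b = BloomFilter(m_bits, k_hashes, b"b:")

    def seen_or_add(self, url):
        dup = url in self.a and url in self.b
        self.a.add(url)
        self.b.add(url)
        return dup

def crawl_bfs(start, links, seen):
    # Breadth-first traversal of a link graph, skipping URLs the filter reports as seen.
    order, queue = [], deque([start])
    seen.seen_or_add(start)
    while queue:
        url = queue.popleft()
        order.append(url)
        for nxt in links.get(url, []):
            if not seen.seen_or_add(nxt):
                queue.append(nxt)
    return order

def compare_false_positives(m_bits, k_hashes, n_urls, n_probes):
    # Returns (single_filter_fp, double_filter_fp) for never-inserted constructed URLs.
    dbl = DoubleBloomFilter(m_bits, k_hashes)
    for i in range(n_urls):
        dbl.seen_or_add(f"http://example.test/page/{i}")
    probes = [f"http://example.test/other/{i}" for i in range(n_probes)]
    single = sum(u in dbl.a for u in probes)
    double = sum(u in dbl.a and u in dbl.b for u in probes)
    return single, double
```

The comparison is against one filter of the same size, so the double filter here spends twice the memory to get its lower false-positive count.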