| With the development and application of the Internet,more and more people are aware of the common web application security.The structure of network itself is exposed to various risks,especially those files which can be read and written by others.Users may make wiser choices to deal with such risks by learning and analyzing the web application attack methods.Nowadays,most enterprises get the security benefit from firewall and data encryption mechanisms.This can help resolve most of the web application security issues.Actually,it could avoid some vulnerabilities,but it's not that comprehensive.It is hard to predict the web application security scope as both security technologies and hacker skills are continually developing.This paper is to identify system's own security vulnerabilities,the resolution of them,and to increase the awareness in the security testing and prevent the possible hacker attacks.This paper includes the general principles of web application security,and discussions on the importance of web application security testing.Having a review at Top 10 security vulnerabilities,which provided by OWASP(Open Web Application Security Project),on both 2010 and 2013 versions,it is concluded that SQL injection and Cross-site scripting(XSS)are the most common security vulnerabilities.Taking advantage of different features for the web application security testing tools,it can improve the system or the existing components for security purpose.It helps us identify and verify vulnerabilities based on SQL injection and cross-site scripting(XSS)attacks.If there are loopholes,it gives a reasonable solution in order to improve the software security in code side.The main contribution of this paper can be summarized as followed:(1)This paper compares the differences among the Web application security test tools.It concludes that security testing tools can be divided into two types,one for a specific vulnerability,and the other for comprehensive scan.Users can choose the appropriate test tool for different projects.(2)According to the analysis of the security test steps,content and strategy,users canmake the security test plan,execute the SQL injection and the XSS vulnerability testing by manually or automatically with tools Sqlmap and Fiddler.(3)This paper proposes a method of security testing based on data mining.According to the experience of development and testing,users could create corresponding search rules and test points,and then classify and locate the vulnerabilities by analyzing the results and find out the correlation among them.Through data mining,it reduces the testing scope and improves the testing efficiency,which provides a new way for security testing.(4)Based on the security test of the OWASP vulnerabilities,this paper generates a priority of security test list,which resolves the problem of low efficiency and less scope in the security test.According to the twenty-eighty law,it can improve the efficiency and coverage of the security test.(5)Through setting up a local laboratory management system,this paper carries out the experiments and researches on the security test,proves SQL injection and XSS vulnerabilities in the system.This paper generates an issue report for the testing website with the tool Burp Suite.In the report,it represents the new issues besides SQL injection and XSS vulnerabilities.With the vulnerabilities fixed,author enhances the security and reduces the risk for the lab system.Particularly,author acknowledges the vulnerabilities can be avoided by both coder and framework.(6)In this paper,the manual security test and the automatic security test are carried out for the local experimental environment.The combination of the two methods increases the coverage and reduces the leakage test rate of the security test.Manual security testing can be served as a complement to automated testing,as well as the reproduce of steps and the removal of false alarms,thereby further improving the accuracy of test results. |
PDF Full Text Request