
Design And Implementation Of Web Application Vulnerability Scanning System Based On Plug-in

Posted on: 2020-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y D Wang
Full Text: PDF
GTID: 2428330611954873
Subject: Software engineering

Abstract/Summary:
With the rapid development of Internet technology, web applications are becoming more and more popular. In the process of enterprise information construction, various applications are set up on the web platform. The rapid development of web services has also attracted the strong attention of hackers, followed by the increasingly serious problem of web application security. Hackers can easily gain control of web servers by exploiting vulnerabilities in web applications, such as file upload and SQL injection. Through these means, hackers can obtain control privileges on web servers to tamper with page contents easily, and it is also possible for them to steal important internal data. What is even worse, users are attacked when they access web pages injected with hackers' malicious code. As a key technology, web application vulnerability scanning can discover and solve most security problems of web applications in advance, and it is also widely used in penetration testing, security reinforcement of information systems, classified protection and other work, which is of great significance and value.

In this thesis, a plug-in based web application vulnerability scanning system is designed after in-depth research of mainstream web application vulnerability scanning technology and rigorous analysis of the key features of some popular web application vulnerability scanning products. The system is developed mainly in Python, using multi-threading and object-oriented technology. It can scan for common vulnerabilities such as SQL injection and XSS, and is characterized by strong extensibility and a plug-in architecture. When serious security vulnerabilities appear, customized web application vulnerability scanning plug-ins can be written for the system to scan, analyze, verify and count the affected web application assets in cyberspace instantly, and then analyze and report the potential harm caused by vulnerable web application assets in cyberspace.

This thesis takes vulnerability detection of web applications as its research object and mainly does the following work:

(1) Because traditional crawlers rely on static analysis, they cannot accurately capture AJAX requests and dynamically updated content in a page. This thesis combines traditional web application crawlers with dynamic crawlers by researching and implementing crawlers based on dynamic parsing, which greatly improves the URL-grabbing ability of the scanning system.

(2) Traditional web application vulnerability scanning systems generally traverse all vulnerability rules in the vulnerability database when scanning a target for vulnerabilities, and efficiency is extremely low when scanning large application systems. This thesis studies and implements web application fingerprint recognition technology: by identifying the web application's fingerprint information and using only the relevant vulnerability scanning plug-ins, the performance and scanning speed of the system can be greatly improved.

(3) Traditional web application vulnerability scanning systems mostly send HTTP requests and match keywords in the HTTP response characteristics for identification. This direct way of detecting leads to omissions in some special circumstances. This thesis studies and implements a kind of indirect vulnerability detection method based on DNS log technology that can greatly improve the coverage of vulnerability scanning.
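The fingerprint-driven plug-in selection described in item (2) can be illustrated with the following Python sketch. It is an added example, not code from the thesis: the fingerprint rules, the plug-in names in the registry and the sample HTTP response are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample HTTP response (headers plus body) standing in for a crawled page.
SAMPLE_RESPONSE = {
    "headers": {
        "Server": "Apache/2.4.41 (Ubuntu)",
        "X-Powered-By": "PHP/7.4.3",
    },
    "body": '<html><head><meta name="generator" content="WordPress 5.4"></head></html>',
}

# Fingerprint rules: (fingerprint name, "header" or "body", header name, regex).
FINGERPRINT_RULES = [
    ("php", "header", "X-Powered-By", re.compile(r"\bPHP/", re.I)),
    ("aspnet", "header", "X-Powered-By", re.compile(r"ASP\.NET", re.I)),
    ("apache", "header", "Server", re.compile(r"\bApache\b", re.I)),
    ("wordpress", "body", None, re.compile(r'content="WordPress', re.I)),
]

def identify_fingerprints(response):
    """Return the set of fingerprint names whose rule matches the response."""
    found = set()
    for name, where, header, pattern in FINGERPRINT_RULES:
        value = response["headers"].get(header, "") if where == "header" else response["body"]
        if pattern.search(value):
            found.add(name)
    return found

@dataclass(frozen=True)
class ScanPlugin:
    name: str
    applies_to: frozenset  # fingerprints the plug-in targets; empty means run on every target

# Hypothetical plug-in registry; the names are illustrative, not the thesis's own plug-ins.
PLUGIN_REGISTRY = [
    ScanPlugin("sqli_error_based", frozenset()),          # generic check
    ScanPlugin("reflected_xss", frozenset()),             # generic check
    ScanPlugin("php_file_upload", frozenset({"php"})),
    ScanPlugin("wp_plugin_version", frozenset({"wordpress"})),
    ScanPlugin("aspnet_viewstate", frozenset({"aspnet"})),
]

def select_plugins(fingerprints, registry=PLUGIN_REGISTRY):
    """Keep generic plug-ins plus those whose applies_to overlaps the detected fingerprints."""
    return [p for p in registry if not p.applies_to or p.applies_to & fingerprints]

if __name__ == "__main__":
    fps = identify_fingerprints(SAMPLE_RESPONSE)
    print("fingerprints:", sorted(fps))
    print("selected plug-ins:", [p.name for p in select_plugins(fps)])
```

Without the fingerprint step every plug-in in the registry would run against every target; with it, the aspnet_viewstate plug-in is skipped for a PHP/WordPress host, which is the efficiency gain the abstract describes.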
Keywords/Search Tags: Web Application Security, Vulnerability Scanning, Dynamic crawler, Indirect Detection, Plugins