Research And Implementation Of Web Security Audit System Based On Graph Traversal

With the rapid development of the Internet,the scale of Internet users in China is expanding day by day,and the total number of websites is also on the rise,which makes all kinds of practical requirements in real life put forward higher level requirements for the development of websites.Websites have also changed from the most original static HTML pages to comprehensive sites written in various dynamic languages that provide various complex services.Because of the simplicity and flexibility of PHP language,PHP has always occupied a very high proportion in website development.However,because web servers often need to store high-value information such as personal information and business data of users,web servers have gradually become the primary target of hackers' attacks.At the same time,the lack of security awareness of developers leads to the uneven quality of website security and frequent vulnerabilities.Therefore,how to design an accurate and reliable web application security audit system is a hot topic in the field of web security.In this paper,after a deep study of grammar,data flow and fuzzing and hook technologies in static analysis and dynamic analysis,a web application security audit system based on graph traversal algorithm is proposed in combination with the actual scene and the experience of exploiting web application vulnerabilities.In the process of static analysis,the graph building technology is introduced,the source code of web application is transformed into the form of graph,and the global code property graph is constructed.The method of locating the danger function in the graph and traversing algorithm is used to trace the taint variable and accurately output the data flow graph of taint variable.At the same time,by establishing the library of attack payload,constructing the constraint conditions based on the data flow of the taint variable and using constraint solution,the available attack payloads can be automatically generated.In the process of dynamic analysis,the crawler technology is introduced to build the access relationship between web sites through the crawler mechanism,and then build the access path graph of Web sites.At the same time,after comparing the traditional shortest path algorithm,exhaustive depth first traversal algorithm is chosen to find the access path to exploit the vulnerability.Then,two kinds of vulnerability verification rules are defined,starting from the results and data flow of vulnerability verification.They complement each other and work together to improve the success rate and accuracy rate of vulnerability verification.At last,through the experiment,the function test and performance test are carried out to verify the feasibility of the system in vulnerability detection and verification.The experimental results show that the web application security audit system based on graph traversal implemented in this paper can effectively detect the tainted vulnerabilities of the web application and apply the static results to the dynamic analysis.The combination of these two analysis methods can effectively improve the speed and accuracy of vulnerability verification,and performs well in the false alarm rate and accruacy rate.