Design And Implementation Of WAF Security Testing System Based On Machine Learning

Posted on: 2022-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Zhou
Full Text: PDF
GTID: 2518306338485284
Subject: Computer technology
Abstract/Summary:
Web Application Firewall (WAF) is the key defense mechanism at the application level of web application software systems. With the rapid development of web application attacks, the defense methods of web application firewalls are constantly updated. Testing whether a web application firewall can resist the current mainstream web attacks has also been put on the agenda. However, there is no complete and effective mechanism to test the security of web application firewalls. This paper focuses on three common web application attacks: SQL injection, XSS, and command execution, but the method is not limited to these three attacks. This paper presents a security test system based on a machine learning model to test the security of web application firewalls. First, an initial set of random attack payloads for the corresponding attack is generated from a predefined syntax library and submitted to the web application system protected by the WAF for testing and labeling. The machine learning model then learns the bypass patterns and slice information related to bypassing the WAF from the initial random payload set. Next, the payload mutation module uses a piecewise replacement mutation algorithm to change payloads into ones that are more likely to bypass the WAF. Through repeated payload generation, payload learning and payload mutation, a large number of attack payloads that effectively bypass the WAF can be generated. The method is implemented as a tool, and bypass testing is evaluated on three main WAFs (ModSecurity, the NSFOCUS web application firewall, and the YunSuo web application firewall). For each web attack, the system is compared with web attack testing tools of the same kind. The experimental results show that the system can successfully generate attack payloads for the three different attacks against the different WAFs. Compared with other similar tools, the payloads generated by this system are more effective at bypassing the WAF.
Keywords/Search Tags: web attack, bypass testing, machine learning, web application firewall