Vulnerability reports record the process of triggering a vulnerability, which helps testers reproduce the vulnerability and then analyze and fix it to improve the security of Web applications. However, existing work on reproducing Web application vulnerabilities from vulnerability reports relies mainly on manual effort, so reproduction is slow, and as Web application functionality grows more complex, the cost of manual reproduction rises further. How to effectively extract the key information in a vulnerability report and automatically reproduce the vulnerability it describes, so as to improve the efficiency of software testing, is therefore a pressing problem.

In this paper we design a method that automatically understands the vulnerability trigger information in a Web application vulnerability report and constructs the event sequence that reproduces the vulnerability. For the vulnerability report, we propose an automatic understanding strategy based on the descriptive characteristics of the operations that trigger the vulnerability, which formalizes the trigger-related information into a sequence of vulnerability triggering steps. For the Web application, we study a visual-features-based GUI event identification algorithm that analyzes the GUI event information on a page from its visual appearance, which better fits the way such information is described in reports and improves the success rate of vulnerability reproduction. Finally, we design a dynamic-exploration-based method for constructing the vulnerability reproduction event sequence: guided by the sequence of vulnerability triggering steps, the corresponding GUI event triggers are selected to dynamically explore the Web application, the reproduction event sequence is built automatically, and a visual script is generated during exploration, so that the Web application vulnerability is reproduced automatically.

We design and conduct a series of experiments to verify the effectiveness of the method. First, 26 vulnerability reports are collected for the automatic report understanding experiment; the understanding strategy correctly identifies 77% of the vulnerability trigger operations. Second, a GUI event identification experiment using visual features is run on 10 types of Web applications; the event recognition strategy achieves an average recall of 76% for the main events on Web pages. Finally, an automatic vulnerability reproduction experiment uses dynamic exploration to construct reproduction event sequences for the reports whose GUI event operation types were correctly identified; the reproduction success rate is 55%, which is 19.6% higher than existing DOM-structure-based vulnerability reproduction methods. These results show that the method can effectively extract the key information from vulnerability reports, build a vulnerability reproduction event sequence, and generate a visual script that is more robust than a DOM script, which reduces manual work and improves the efficiency of vulnerability reproduction.
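As an added illustration of the pipeline the abstract describes (example code written for this page, not the paper's implementation): a hypothetical report-understanding step turns numbered "steps to reproduce" sentences into trigger steps, and a resolver maps those steps onto GUI events by visible label rather than by DOM selector. The report text, the phrase patterns, the element model and the two page versions are all constructed assumptions; the paper's actual understanding strategy and identification algorithm are not on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed "steps to reproduce" text in the style the abstract describes
# (made up for this example, not from a real report).
SAMPLE_REPORT = """\
Steps to reproduce:
1. Log in as a normal user.
2. Click the "Profile" link.
3. Enter <script>alert(1)</script> into the "Display name" field.
4. Click the "Save" button.
5. Observe that the payload executes on the profile page.
"""


@dataclass
class TriggerStep:
    action: str             # click / type / login / observe / unknown
    target: Optional[str]   # visible label the report names, if any
    value: Optional[str] = None


# Hypothetical phrase patterns for operation descriptions (an assumption; the
# paper's own understanding strategy is not reproduced here).
STEP_PATTERNS = [
    ("click", re.compile(r'^click (?:on )?(?:the )?"(?P<target>[^"]+)"', re.I)),
    ("type", re.compile(r'^(?:type|enter|input|paste) (?P<value>.+?) '
                        r'(?:in|into) (?:the )?"(?P<target>[^"]+)"', re.I)),
    ("login", re.compile(r"^log ?in\b", re.I)),
    ("observe", re.compile(r"^(?:observe|notice|note|see)\b", re.I)),
]


def parse_report(text: str) -> list[TriggerStep]:
    """Formalise numbered report sentences into a trigger-step sequence."""
    steps = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+[.)]\s*(.*?)\.?\s*$", line)
        if not m:
            continue                      # not a numbered step
        sentence = m.group(1)
        for action, pattern in STEP_PATTERNS:
            hit = pattern.match(sentence)
            if hit:
                g = hit.groupdict()
                steps.append(TriggerStep(action, g.get("target"), g.get("value")))
                break
        else:
            # Keep unrecognised sentences visible rather than dropping them.
            steps.append(TriggerStep("unknown", None, sentence))
    return steps


@dataclass(frozen=True)
class GuiElement:
    """A GUI event trigger as a visual identifier would see it: visible label
    and widget role. dom_id is kept only for the DOM-script contrast below."""
    label: str
    role: str      # button / link / textbox
    dom_id: str


ROLES_FOR_ACTION = {"click": {"button", "link"}, "type": {"textbox"}}


def resolve_steps(steps, elements):
    """Select, for each GUI step, the element whose visible label matches.
    Returns (reproduction event sequence, steps with no matching element)."""
    events, unresolved = [], []
    for step in steps:
        if step.action not in ROLES_FOR_ACTION:      # precondition / check
            events.append({"event": step.action, "element": None, "value": step.value})
            continue
        hit = next((e for e in elements
                    if e.role in ROLES_FOR_ACTION[step.action]
                    and e.label.casefold() == (step.target or "").casefold()), None)
        if hit is None:
            unresolved.append(step)
        else:
            events.append({"event": step.action, "element": hit, "value": step.value})
    return events, unresolved


def label_sequence(events):
    """Visible labels of the GUI events, i.e. what a visual script targets."""
    return [(ev["event"], ev["element"].label) for ev in events if ev["element"]]


def dom_script_from_events(events):
    """The selector list a DOM-based recorder would store instead."""
    return [ev["element"].dom_id for ev in events if ev["element"]]


def dom_script_is_valid(script, elements):
    """True only if every recorded DOM selector still exists on the page."""
    present = {e.dom_id for e in elements}
    return all(sel in present for sel in script)


# Two constructed versions of one page: same visible labels, but the second
# release renamed the DOM ids (a common reason DOM scripts stop replaying).
PAGE_V1 = [GuiElement("Profile", "link", "nav-profile"),
           GuiElement("Display name", "textbox", "displayName"),
           GuiElement("Save", "button", "btnSave")]
PAGE_V2 = [GuiElement("Profile", "link", "nav_item_2"),
           GuiElement("Display name", "textbox", "field-7c1"),
           GuiElement("Save", "button", "submit-7c1")]

if __name__ == "__main__":
    steps = parse_report(SAMPLE_REPORT)
    events_v1, missing = resolve_steps(steps, PAGE_V1)
    script = dom_script_from_events(events_v1)
    print("trigger steps:", steps)
    print("visual sequence on v1:", label_sequence(events_v1), "unresolved:", missing)
    print("visual sequence on v2:", label_sequence(resolve_steps(steps, PAGE_V2)[0]))
    print("DOM script valid on v1:", dom_script_is_valid(script, PAGE_V1),
          "on v2:", dom_script_is_valid(script, PAGE_V2))
```

The resolver keys on what the report author saw (the label "Save", the role "button"), which is why the same trigger-step sequence replays on both page versions while the recorded DOM selectors from the first version no longer exist on the second. Steps that name an element the page does not expose are returned as unresolved rather than silently skipped, so a failed reproduction points at the exact step that needs manual attention.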