Research On Web Application Vulnerability Detection Technology

In recent years,with the emergence of a large number of Web applications,it has brought convenience to people’s life and work.However,it is difficult to avoid various vulnerabilities in Web applications,which may cause privacy data leakage or abnormal network services.Therefore,it is necessary to conduct in-depth research on Web application vulnerability detection.This paper mainly focuses on the research on Web vulnerability detection technology.The main work and results are as follows:1.Analyze the typical Web application vulnerabilities.Firstly,the principle,causes and harm of six kinds of Web vulnerabilities are analyzed;At the same time,through the data statistics of Web vulnerabilities included in CNVD,this paper quantitatively analyzes the number and harm degree of six typical Web vulnerabilities,so as to provide target guidance for the later Web vulnerability detection research.2.Aiming at the public Web vulnerability detection,a Web application vulnerability scanning method based on fingerprint is proposed.Aiming at the disadvantages of high false positive rate and low accuracy of static matching vulnerability scanning method based on vulnerability library and the disadvantages of low efficiency,long time-consuming and unsuitable for batch verification of dynamic vulnerability verification method based on Po C,this paper proposes a Web vulnerability scanning method combining static matching and dynamic verification.Firstly,static vulnerability matching is carried out on the target based on vulnerability fingerprint,and then vulnerability dynamic verification is carried out on the suspicious target generated by static scanning,while improving the efficiency of vulnerability scanning,it reduces the false positive rate.66 vulnerabilities such as SQL injection,cross site script attack and unauthorized access are deeply studied,and the corresponding vulnerability fingerprint and Po C plugins are designed according to the vulnerability fingerprint specification and Po C plugins specification.The real network application and comparative experimental results show that the vulnerability fingerprint and its actuator designed in this paper run stably and well,and the accuracy of vulnerability verification is high;strong vulnerability scanning ability and high vulnerability scanning efficiency.3.For undisclosed Web vulnerability detection,a Web application vulnerability mining method based on fuzzy test is proposed.In order to solve the shortcomings of limited fuzzy test cases and low efficiency in the execution process of traditional Web applications,some scholars have tried to introduce genetic algorithm into the fuzzy test process to detect Web application vulnerabilities,but the detection effect is poor.This method is based on genetic algorithm,and a Web application fuzzy test script is designed,which can automatically detect the state change of Web application;A new fitness function is constructed,which can judge whether the test case is aggressive more accurately;an improved population mutation method is proposed,which can quickly evolve more aggressive test cases.The experimental results show that compared with X-ray,burp suite and other Web application fuzzy testing tools,the method proposed in this paper can mine more Web vulnerabilities,and the vulnerability detection effect is better.