
Research on Vulnerability Detection Technology for Web Application Systems under Security Protection

Published: 2018-03-24 02:15

Thesis topic: Web security. Focus: penetration testing. Source: Beijing University of Posts and Telecommunications, master's thesis, 2017.


【Abstract】: With the rapid development of Internet technology, Web applications provide people with increasingly rich network services, but the security problems brought by technical change keep emerging as well; they not only disrupt the normal use of websites but also threaten users' personal interests. As attention to network security has grown, vulnerability detection and security defense for Web application systems have become the two most important directions in current Web security research. In system vulnerability detection, black-box vulnerability detection schemes have long been favored for their advantages. However, once security protection measures such as application firewalls are introduced, conventional black-box detection schemes suffer from low efficiency and poor targeting, which makes efficient black-box vulnerability detection under security protection an urgent need. Through an in-depth analysis of application firewall filtering rules, this thesis studies and designs corresponding bypass rules and, building on those rules, proposes an automated XSS vulnerability detection scheme for Web application systems protected by an application firewall.

Around this research topic, the thesis carries out work in the following areas: it surveys the current development of Web application technology and its security risks, with a detailed review of the state of security research at home and abroad; it analyzes and summarizes the technology related to XSS vulnerabilities and discusses common Web attacks and protection strategies, with emphasis on the technology of application firewalls; it analyzes in depth the filtering-rule module of application firewall technology, reclassifies the filtering rules by combining XSS detection techniques with manual penetration testing, constructs targeted bypass rules, proposes a discriminant matrix to automatically judge which rules are effective, and then generates concrete test cases with an attack-position-based XSS detection method, which provides the core support for the design of the detection scheme; on the basis of this analysis, it combines Web crawler technology with automated vulnerability detection and uses a scripting language to design and develop a modular XSS vulnerability detection system.

The main innovation of this thesis is a new detection approach for the specific need of efficiently detecting vulnerabilities in Web application systems that have security protection. Input control based on application firewall filtering rules is the mainstream protection solution today. Traditional detection schemes generate test cases as comprehensively as possible, and a large share of those test cases are rendered ineffective by the application firewall; this passive approach is the root cause of the low detection efficiency. This thesis replaces passive test-case generation with active probing of the filtering rules followed by targeted test-case generation, which greatly improves detection efficiency; the same approach can also be applied to the detection of other vulnerabilities under the same conditions. Finally, to verify that a detection system built on the proposed scheme meets its goals, a dedicated test environment was set up; a longitudinal comparison of vulnerability detection across Web application systems behind different application firewalls, together with a horizontal comparison against other vulnerability detection tools, confirms the feasibility and efficiency of the scheme.
【Degree-granting institution】: Beijing University of Posts and Telecommunications
【Degree level】: Master's
【Year awarded】: 2017
【Classification number】: TP393.08


Article link: http://sikaile.net/guanlilunwen/ydhl/1656254.html