Research and Implementation of a Fuzzing-Based SQL Injection Vulnerability Detection System
Published: 2018-04-05 08:00
Topic: Fuzzing; Focus: vulnerability detection; Source: Dalian Maritime University, 2017 master's thesis
【Abstract】: With the rapid development of network technology, Web technology has been applied widely in many fields, such as online shopping, bill payment and top-up, online banking and various social networking sites. These Web applications bring convenience, but they also carry security risks. Because the programmers who build these systems differ in skill level, the Web applications they develop inevitably contain vulnerabilities, and SQL injection is one of the most common. Attackers frequently exploit such vulnerabilities to extract user information through SQL injection and steal sensitive data for large profits, so research on detecting SQL injection vulnerabilities has great practical significance. This thesis first describes the serious security situation faced by Web applications, studies the advantages and analyzes the shortcomings of the methods used at home and abroad to detect SQL injection vulnerabilities in Web applications, and reviews the causes of SQL injection vulnerabilities, the principle of SQL injection attacks and the commonly used detection methods. To address the high false negative and false positive rates of existing SQL injection detection systems, the thesis adopts a multi-threaded crawler, uses the MD5 algorithm to filter and deduplicate the crawled links, and proposes a test case generation method based on Fuzzing. First, different feature templates are built according to the differing features of test cases. Then these feature templates are combined randomly to generate many test cases dynamically. Finally, mutation rules derived from the Web application's filtering rules are applied to transform the test cases, so that the test cases can pass the application's filtering mechanism and the accuracy of vulnerability detection improves. A page comparison algorithm based on matching DOM tree sequence values is used to decide whether a vulnerability exists, and a quantitative vulnerability assessment method evaluates the security state of the Web application and determines its security grade. On this basis, a Fuzzing-based SQL injection vulnerability detection system is designed and implemented. The system is compared experimentally with other detection tools on three evaluation metrics: number of vulnerabilities detected, false negative rate and false positive rate. The experimental results show that the system implemented in this thesis detects vulnerabilities fairly accurately and effectively reduces both the false negative rate and the false positive rate.
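The DOM-sequence page comparison named in the abstract, as an added example in Python that is not the thesis's own code: a baseline response and the response to a test case are each reduced to their pre-order tag sequence and compared with difflib, so that text-only changes are ignored and structural changes are flagged. The similarity threshold and the sample pages are constructed assumptions.

```python
# Added example: compare two HTTP responses by DOM tag sequence rather than raw text.
# Pages whose markup has the same shape but different text (counters, timestamps)
# score 1.0; a page whose results table was replaced by an error block scores low.
from difflib import SequenceMatcher
from html.parser import HTMLParser


class DomSequence(HTMLParser):
    # Serialises an HTML document into its pre-order tag sequence (DOM tree order).
    def __init__(self):
        super().__init__()
        self.seq = []  # e.g. ['html', 'body', 'table', 'tr', 'td', '/td', ...]

    def handle_starttag(self, tag, attrs):
        self.seq.append(tag)

    def handle_endtag(self, tag):
        self.seq.append("/" + tag)


def dom_sequence(html: str) -> list:
    parser = DomSequence()
    parser.feed(html)
    parser.close()
    return parser.seq


def dom_similarity(base_html: str, test_html: str) -> float:
    """Similarity in [0, 1] of the two pages' tag sequences (1.0 = identical structure)."""
    return SequenceMatcher(None, dom_sequence(base_html), dom_sequence(test_html)).ratio()


def structure_changed(base_html: str, test_html: str, threshold: float = 0.9) -> bool:
    """True when the test response's DOM diverges from the baseline beyond the threshold.
    The default threshold is an assumed tuning value, not one taken from the thesis."""
    return dom_similarity(base_html, test_html) < threshold


# Constructed sample responses (not captured from any real site).
BASELINE = ("<html><body><h1>Items</h1><table><tr><td>1</td><td>Book</td></tr>"
            "<tr><td>2</td><td>Pen</td></tr></table><p>2 results</p></body></html>")
SAME_SHAPE = ("<html><body><h1>Items</h1><table><tr><td>3</td><td>Lamp</td></tr>"
              "<tr><td>4</td><td>Cup</td></tr></table><p>2 results</p></body></html>")
ERROR_PAGE = ("<html><body><h1>Items</h1><div class='error'><pre>query failed</pre>"
              "</div></body></html>")

if __name__ == "__main__":
    print(structure_changed(BASELINE, SAME_SHAPE))  # False: only the text differs
    print(structure_changed(BASELINE, ERROR_PAGE))  # True: the results table is gone
```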
【Degree-granting institution】: Dalian Maritime University
【Degree level】: Master
【Year conferred】: 2017
【Classification number】: TP393.08
Article number: 1713874
Link: http://sikaile.net/guanlilunwen/ydhl/1713874.html