Web Page Vulnerability Mining System
Published: 2018-05-06 09:27
Topic: Web vulnerability mining + crawler; Reference: Tianjin University, 2014 master's thesis
[Abstract]: In the Web 2.0 era the Internet is developing rapidly, the barrier to website development keeps falling, and the number of websites grows by the day. Most websites contain numerous Web application vulnerabilities; according to statistics, 75% of damaging activity occurs at the Web client. Examples include site intrusion and the modification or loss of important data caused by web page Trojans and SQL injection. The increasingly popular HTML5 development language harbors a large number of potential Web application vulnerabilities because corresponding vulnerability mining tools are lacking.

Given the current state of Web application development under this low barrier to entry, this thesis designs a multi-type web page vulnerability mining system oriented to HTML5, to meet the detection needs of Web developers. The system uses web crawling, multi-threaded task scheduling and related techniques, and implements key technologies including SQL injection vulnerability detection, malicious link detection, XSS cross-site detection and web page Trojan detection, making vulnerability detection more accurate and efficient.

The main work completed in the system is as follows:
(1) Recursive domain name queries are used to enumerate the subdomains of the target website. On this basis, breadth-first traversal and a Bloom filter algorithm are used to implement an efficient web crawling algorithm, which provides the basis for subsequent web page vulnerability detection.
(2) For malicious links and malicious script code, reverse domain name lookup and an information entropy algorithm are proposed to achieve effective detection and identification.
(3) The system combines fuzz (random) testing with injection testing to analyze the various attributes of web pages effectively, covering both static and dynamic pages. Injection testing is based mainly on the analysis of existing security vulnerabilities and uses penetration testing methods to detect vulnerabilities. Fuzz testing follows the structure of the HTTP protocol and constructs random test combinations for different fields to detect and discover vulnerabilities.

Finally, each detection module and the integrated system were tested. The system meets the need for detecting the various kinds of known vulnerabilities and has a significant effect on raising the security level of the target site.
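The crawl step in item (1), breadth-first traversal with a Bloom filter for URL de-duplication, sketched as an added example; it is not code from the thesis. The filter size, the SHA-256-derived bit positions, the `fetch_links` callback and the sample site are assumptions made for illustration.

```python
import hashlib
from collections import deque
from urllib.parse import urldefrag, urljoin, urlsplit

class BloomFilter:
    """Fixed-size Bloom filter: no false negatives, rare false positives."""
    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, item):
        digest = hashlib.sha256(item.encode("utf-8")).digest()  # 4 bytes per position
        for i in range(self.hashes):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.bits

    def add(self, item):
        for p in self._positions(item):
            self.array[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def crawl(start, fetch_links, allowed_hosts, max_pages=1000):
    """Breadth-first crawl restricted to allowed_hosts; returns URLs in visit order."""
    seen, queue, order = BloomFilter(), deque([start]), []
    seen.add(start)
    while queue and len(order) < max_pages:
        url = queue.popleft()
        order.append(url)
        for href in fetch_links(url):
            link = urldefrag(urljoin(url, href)).url  # absolute URL, #fragment dropped
            if urlsplit(link).hostname not in allowed_hosts:
                continue  # stay inside the site being assessed
            if link not in seen:  # a false positive skips a page, it never loops
                seen.add(link)
                queue.append(link)
    return order

# Constructed sample site (not from the thesis): page -> hrefs found on that page.
SAMPLE_SITE = {
    "http://example.test/": ["/a", "/b", "http://other.test/x"],
    "http://example.test/a": ["/b", "/c#top", "/"],
    "http://example.test/b": ["/c", "http://sub.example.test/"],
    "http://example.test/c": ["/a"],
    "http://sub.example.test/": ["http://example.test/"],
}

def demo():
    hosts = {"example.test", "sub.example.test"}
    return crawl("http://example.test/", lambda u: SAMPLE_SITE.get(u, []), hosts)
```

The Bloom filter trades a small chance of skipping an unvisited page for constant memory per URL, which is why the crawl can never revisit a page or loop on cyclic links.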
[Degree-granting institution]: Tianjin University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08; TP393.092
Article No.: 1851780
Article link: http://sikaile.net/guanlilunwen/ydhl/1851780.html