Research on Web Application Penetration Techniques and Design of a Security Defense Scheme
Published: 2018-06-26 01:14
Topic: Web security + Web vulnerabilities; Source: Beijing University of Posts and Telecommunications (北京郵電大學(xué)), 2014 master's thesis
[Abstract]: With the rapid development of Web applications built on the B/S (browser/server) architecture, the security threats they bring grow by the day and deeply affect people's lives. The frequent Web security incidents of recent years have drawn public attention to information security. Through a deep and comprehensive analysis of current Web application vulnerabilities, this thesis studies the causes, triggering scenarios, exploitation methods, attack scenarios and potential harm of the various Web security vulnerabilities, and constructs a Web security threat model and an attack model. Testing in real environments then confirms the above Web attack model, and the test results are used to analyze the current state of Web security, the harm caused, and defensive recommendations. Finally, a systematic security defense framework is proposed covering security design, secure development, testing, operations and maintenance, and security emergency response. Its specific contents are:
(1) Security design: a Web security architecture is constructed.
(2) Secure development: the security threats that secure development must take into account are identified, and an effective secure coding standard distilled from practical experience is provided; it can prevent many kinds of vulnerabilities from arising and thus eliminates potential security problems at the development stage.
(3) Secure operations and maintenance: a security operations and maintenance policy is formulated, and an approach to Web application-layer intrusion detection based on malicious behavior is proposed, improving on the traditional signature-matching detection method so that more complex attack techniques can be detected.
(4) Security response: the important role of emergency response is emphasized, and the better response strategies currently available are studied.
The research in this thesis yields a fairly systematic understanding of Web security attacks, allowing most of them to be recognized. The systematic Web security defense framework proposed here is a comprehensive defense solution that can stop Web security incidents on two fronts: preventing vulnerabilities from arising and resisting the various Web attacks. The improvements proposed for the different defense stages can serve as a reference and a basis for further research.
[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京郵電大學(xué))
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08
Article ID: 2068381
Link: http://sikaile.net/guanlilunwen/ydhl/2068381.html