發(fā)布時間：2018-08-15 17:44

【摘要】：伴隨著計算機網(wǎng)絡技術的快速發(fā)展，Web及其相關技術得到廣泛的應用，網(wǎng)站設計的需求越來越大，但同時其安全問題也日益突出，對它的安全性也越來越受關注，保障Web應用的安全性成為一個重要的課題。目前有許多用于防御Web應用攻擊的防護系統(tǒng)，但是會產(chǎn)生不小的性能損耗以及維護成本。因此盡早發(fā)現(xiàn)WEB漏洞并將其修復可以極大的降低后續(xù)軟件維護開銷，，避免不必要的損失。Web漏洞掃描是基于Web安全的一種應用非常廣泛的主動防御技術，它已經(jīng)在當前的網(wǎng)絡環(huán)境中得到普遍的應用，能有效的幫助檢測Web存在的漏洞，使漏洞檢測更加準確和高效[1]。 本文主要的工作重點在于對Web應用程序漏洞中的關鍵技術進行研究，在此基礎上針對Web應用程序漏洞的XSS和SQL注入的漏洞特征，基于網(wǎng)絡爬蟲設計的一個具有針對性和實用性的掃描系統(tǒng)。 本文以Web應用程序中的XSS和SQL注入漏洞為研究對象，主要有以下幾方面工作： 1.研究各種不同的Web應用程序漏洞的特性。詳細剖析了XSS及SQL注入等漏洞。主要包括原因、分類、危害和防御方法。 2.針對XSS和SQL注入漏洞的特性，設計實現(xiàn)了基于主題的網(wǎng)絡爬蟲模塊，主要解析含有參數(shù)的URL,手機可能存在XSS和SQL注入的頁面，同時設置爬蟲深度，直至爬蟲結束。 3.設計實現(xiàn)了基于注入惡意代碼進而進行靜態(tài)掃描代碼的方式XSS檢測模塊。 4.設計及實現(xiàn)了基于繞過用戶驗證的方式和基于注入錯誤代碼查看返回信息的方式SQL注入檢測模塊。 5.對結果以生成報告的形式進行展示。 6.對該系統(tǒng)進行黑盒測試。
[Abstract]:With the rapid development of computer network technology, Web and its related technologies have been widely used, the demand for website design is increasing, but at the same time, its security problems are becoming increasingly prominent, and its security has been paid more and more attention. Ensuring the security of Web applications has become an important issue. At present, there are many protection systems against Web application attack, but it will cause high performance loss and maintenance cost. Therefore, discovering WEB vulnerabilities as soon as possible and fixing them can greatly reduce the maintenance cost of subsequent software and avoid unnecessary loss .web vulnerability scanning is a very widely used active defense technology based on Web security. It has been widely used in the current network environment, can effectively help detect vulnerabilities in Web, make vulnerability detection more accurate and efficient [1]. The main work of this paper is to study the key technologies in Web application vulnerability, and then to analyze the vulnerability characteristics of XSS and SQL injection in Web application vulnerability. A specific and practical scanning system based on web crawler is designed. This paper focuses on the XSS and SQL injection vulnerabilities in Web applications. The main works are as follows: 1. Study the characteristics of vulnerabilities in various Web applications. The vulnerabilities such as XSS and SQL injection are analyzed in detail. Mainly include causes, classification, hazards and defense methods. 2. Aiming at the characteristics of XSS and SQL injection vulnerabilities, a theme-based web crawler module is designed and implemented, which mainly parses URLs with parameters. The mobile phone may have pages injected by XSS and SQL and set the crawler depth until the end of crawler. 3. 3. Design and implementation of XSS detection module based on injection of malicious code and then static scanning code. 4. Design and implementation of SQL injection detection module based on the way of bypassing user authentication and viewing return information based on injection error code. 5. The results are presented in the form of a report. 6. The system is tested in black box.
【學位授予單位】：中國海洋大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP393.08

【參考文獻】

相關期刊論文 前7條

1 吳貴山;;SQL注入攻擊防御策略的研究[J];計算機與網(wǎng)絡;2012年09期

2 王偉軍;孫晶;;Web2.0的研究與應用綜述[J];情報科學;2007年12期

3 顧韻華;王興;丁妮;;Web應用安全掃描系統(tǒng)及關鍵技術研究[J];計算機工程與設計;2008年18期

4 陳金陽 ,蔣建中 ,郭軍利 ,張良勝;網(wǎng)絡攻擊技術研究與發(fā)展趨勢探討[J];信息安全與通信保密;2004年12期

5 余志高;周國祥;;Web應用中SQL注入攻擊研究[J];信息安全與通信保密;2010年04期

6 張博;;SQL注入攻擊與檢測技術研究[J];信息安全與通信保密;2010年05期

7 孫丹;胡勇;;淺析XSS漏洞檢測、利用及防范[J];信息安全與通信保密;2013年03期

本文編號：2184945