Research and Design of a Web Application Vulnerability Detection System
Published: 2018-09-17 18:46
[Abstract]: In recent years, Web applications have become more and more widely used because of their short development cycle, low maintenance cost and strong portability, and they are now a popular and common interactive medium in our daily lives. While Web applications bring people great convenience, they also attract strong attention from attackers, and vulnerabilities that endanger users' personal data are frequently discovered. Web application penetration techniques developed against the background of the rapid rise of Web applications in recent years. Penetration testing allows vulnerabilities to be found and eliminated early, preventing problems before they occur and improving the reputation of software products; moreover, the earlier in the software development life cycle a vulnerability is found, the lower the cost of fixing and maintenance. Web application vulnerability scanning software is an important class of tools in the Web application penetration testing process. Through automation, or a combination of manual and automated work, it effectively assists testers and reduces their workload, and is therefore well worth studying. Automated Web vulnerability scanners are often used by Web application developers and system administrators to test for Web application vulnerabilities. This thesis analyzes Web application vulnerabilities and their causes, vulnerability detection methods, and key detection technologies. To address the shortcomings of existing Web vulnerability detection tools, it proposes an efficient Web application vulnerability detection mechanism based on an optimized crawler and feature recognition. Based on this mechanism, detection methods are designed for the typical Web vulnerabilities XSS and SQL injection, and the SQL injection detection method is implemented. The results show that this detection method can detect SQL injection attacks effectively, and they also verify the effectiveness and feasibility of the Web application vulnerability detection mechanism proposed in the thesis.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 2246787
Article link: http://sikaile.net/guanlilunwen/ydhl/2246787.html