【摘要】：摘要：隨著Internet的不斷發(fā)展,Web應(yīng)用程序越來越多地深入到社會生活的各個方面,給人們的生活提供了極大便利,同時也帶來了前所未有的安全風(fēng)險。但是,由于Web應(yīng)用程序本身及運行環(huán)境的復(fù)雜性,其安全問題日益復(fù)雜。滲透測試作為一種極其重要的Web應(yīng)用程序安全測試技術(shù),可以發(fā)現(xiàn)Web應(yīng)用程序中存在的漏洞,以便于及時消除相應(yīng)的威脅。但在實際工作中,滲透測試的結(jié)果往往與測試人員的經(jīng)驗、技巧直接相關(guān)。為了避免Web應(yīng)用程序滲透測試的結(jié)果太過于依賴測試人員的個人能力,也為了提高滲透測試效率,現(xiàn)在亟需一套科學(xué)有效的Web應(yīng)用程序滲透測試方法。 針對上述問題,論文從課題的研究背景出發(fā),首先分析滲透測試在國內(nèi)外的研究現(xiàn)狀及發(fā)展動態(tài),并對相關(guān)理論和技術(shù)進行研究；然后,提出一套Web應(yīng)用程序滲透測試方法,對Web應(yīng)用程序滲透測試的流程和內(nèi)容進行優(yōu)化設(shè)計,將測試流程分為6個階段,包括制定滲透測試方案、收集分析相關(guān)信息、制定詳細(xì)工作計劃、實施滲透測試工作、評估漏洞風(fēng)險等級和編制滲透測試報告,將漏洞測試范圍劃分成身份認(rèn)證類、數(shù)據(jù)驗證類、信息泄露類、Session類、應(yīng)用邏輯類、Web Service類和第三方組件類等7大類,并對SQL注入和XSS攻擊這兩種常見漏洞的測試方法及常用測試工具進行總結(jié)與分析；最后,論文結(jié)合實際項目,給出一個完整的Web應(yīng)用程序滲透測試方法應(yīng)用案例,驗證該方法的有效性和實用性。圖14幅,表14個,參考文獻(xiàn)51篇。
[Abstract]:Abstract: with the continuous development of Internet, more and more Web applications go deep into all aspects of social life, which provides great convenience to people's lives, and also brings unprecedented security risks. However, due to the complexity of the Web application itself and the running environment, its security problems are becoming more and more complex. As a very important security testing technology for Web applications, penetration testing can find vulnerabilities in Web applications, so that the corresponding threats can be eliminated in time. However, in practical work, the results of penetration testing are often directly related to the experience and skills of the tester. In order to avoid that the results of Web application penetration testing are too dependent on the individual ability of testers, and to improve the efficiency of penetration testing, a scientific and effective method for Web application penetration testing is urgently needed. In view of the above problems, this paper starts from the research background of the subject. Firstly, it analyzes the research status and development trend of penetration testing at home and abroad, and studies the related theory and technology. Then, a set of Web application penetration test method is proposed, which optimizes the process and content of Web application penetration test. The test process is divided into six stages, including establishing penetration test scheme, collecting and analyzing relevant information. Draw up detailed work plan, carry out penetration test work, evaluate vulnerability risk level and compile penetration test report, divide vulnerability test scope into authentication class, data verification class, information disclosure class, Session class, application logic class, etc. The Web Service class and the third party component class and so on 7 big classes, and to SQL injection and the XSS attack these two common loopholes test method and the commonly used test tool to carry on the summary and the analysis; Finally, combined with the actual project, a complete application case of Web application penetration test method is given, and the validity and practicability of the method are verified. Fig. 14, Table 14, 51 refs.
【學(xué)位授予單位】：中南大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2014
【分類號】：TP393.08

【參考文獻(xiàn)】

相關(guān)期刊論文 前4條

1 邢斌;高嶺;孫騫;楊威;;一種自動化的滲透測試系統(tǒng)的設(shè)計與實現(xiàn)[J];計算機應(yīng)用研究;2010年04期

2 王曉聰;張冉;黃峧東;;滲透測試技術(shù)淺析[J];計算機科學(xué);2012年S1期

3 路曉麗;董云衛(wèi);趙宏斌;;一種面向?qū)ο蟮腤eb Application測試模型[J];計算機科學(xué);2010年07期

4 王宜陽;宋苑;;淺談滲透測試在Web系統(tǒng)防護中的應(yīng)用[J];信息網(wǎng)絡(luò)安全;2010年09期

，

本文編號：2452962