[1] CHEN Chun-ling, ZHANG Fan, YU Han. Design of Vulnerability Detection System for Web Application Program[J]. Computer Technology and Development, 2017, 27(09): 101-105.

Design of Vulnerability Detection System for Web Application Program

Computer Technology and Development [ISSN: 1006-6977 / CN: 61-1281/TN]

Volume: 27
Issue: 2017, No. 09
Pages: 101-105
Column: Security and Protection
Publication date: 2017-09-10

Article Information

Title: Design of Vulnerability Detection System for Web Application Program
Article ID: 1673-629X(2017)09-0101-05
Author(s): CHEN Chun-ling, ZHANG Fan, YU Han
Affiliation: School of Computer Science, Nanjing University of Posts and Telecommunications
Keywords: cross-site scripting vulnerability; Web application; vulnerability detection; Web crawler
Classification number: TP302
Document code: A
Abstract:
 With the spread of Web technology, Web vulnerabilities pose a growing threat to network security. Because many sites do not strictly filter user input and output, cross-site scripting (XSS) vulnerabilities are widespread across major Web sites, while existing Web vulnerability detection schemes and tools suffer from low efficiency, a high missed-detection rate and a high false alarm rate. To address these problems, a detection system for cross-site scripting vulnerabilities in Web applications is designed and implemented. Building on existing Web vulnerability detection tools, the system adds simulated user login and verification code recognition, which solves the problem that data can be submitted to the server during detection only after a verification code has been entered or the user has logged in. To address the shortcomings of existing Web vulnerability detection tools, the system's Web crawler and vulnerability detection modules are improved, and, based on the filtering rules of XSS Filter, more test cases capable of bypassing XSS Filter are constructed. Experimental results show that the system has a low missed-detection rate, a low false alarm rate and relatively high efficiency.


Last Update: 2017-10-20