安全防护下的WEB应用系统脆弱性检测技术研究

发布时间：2018-03-24 02:15

本文选题：Web安全　切入点：渗透测试　出处：《北京邮电大学》2017年硕士论文

【摘要】：随着互联网技术的快速发展,Web应用为人们提供着越来越丰富的网络服务,而技术革新导致的安全问题也是层出不穷,这不仅会影响网站的正常使用,更会威胁到用户的个人利益。随着对网络安全的重视,Web应用系统的脆弱性检测和安全防御变成了目前Web安全研究中最重要的两个方向。在系统脆弱性检测的过程中,黑盒漏洞检测方案因其优点一直备受青睐。但是随着应用防火墙等安全防护手段的介入,常规的黑盒漏洞检测方案存在效率低下、针对性不足等问题,这就使如何高效的在安全防护下进行黑盒漏洞检测成为了目前的迫切需求。本文通过对应用防火墙过滤规则的深入分析,研究并设计了对应的绕过规则,并且基于绕过规则提出了对存在应用防火墙的Web应用系统的XSS漏洞自动化检测方案。围绕着上述研究主题,本文主要在以下几个方面展开了相关工作:调研了目前Web应用技术的发展形势及其安全隐患,尤其是对国内外的安全研究现状做了详尽了解;对XSS漏洞的相关技术进行了分析和总结,并对常见的Web安全攻击和防护策略进行了探讨,其中着重对应用防火墙的相关技术进行了分析;深入分析应用防火墙技术中过滤规则模块,结合XSS漏洞检测技术和手工渗透测试技术对过滤规则重新分类,针对性地构建绕过规则,提出使用判别矩阵来实现有效规则的自动化判断,而后结合基于攻击位置的XSS漏洞检测方法生成具体的测试用例,为本文检测方案的设计提供核心支持;基于上述的分析和研究,结合网络爬虫技术和漏洞自动化检测等技术,利用脚本语言,模块化设计并且开发了 XSS漏洞检测系统。本文主要的创新之处在于为如何高效地对存在安全防护的Web应用系统进行脆弱性检测这一具体的需求提供了一个全新的检测思路。基于应用防火墙过滤规则的输入控制是目前安全防护中主流的解决方案,传统漏洞检测方案是尽可能全面的生成测试用例进行相关检测,其中大量的测试用例因为应用防火墙的存在都是无效的,这种被动式的检测思路是造成检测效率过低的最根本原因,本文将被动式生成测试用例改为主动式探测过滤规则并且针对性生成测试用例,从而大幅度提高了检测效率,这种检测思路也可以作用在相同条件下其他漏洞的检测上。为了验证根据本文检测方案设计的检测系统可以达到预期目标,本文最后针对性的搭建测试环境,通过对存在不同应用防火墙的Web应用系统进行漏洞检测的纵向对比和与其他漏洞检测工具的横向对比,确定了该检测方案的可行性和高效性。
[Abstract]:With the rapid development of Internet technology, Web applications provide more and more network services for people, and the security problems caused by technological innovation are endless, which will not only affect the normal use of websites. With the emphasis on network security, vulnerability detection and security defense of web applications have become the two most important directions in the research of Web security. Black box vulnerability detection scheme has been favored for its advantages. But with the application of firewall and other security measures involved, the conventional black box vulnerability detection scheme has some problems such as low efficiency, insufficient pertinence and so on. This makes it an urgent need to detect black box vulnerabilities efficiently under security protection. Through the in-depth analysis of the application of firewall filtering rules, the corresponding bypass rules are studied and designed. And based on the rules of bypass, an automatic detection scheme for XSS vulnerabilities in Web application systems with application firewall is proposed. This paper mainly in the following aspects of the relevant work: the current development of Web application technology and its security risks, especially on the domestic and foreign security research status of a detailed understanding; The related technology of XSS vulnerability is analyzed and summarized, and the common security attack and protection strategy of Web are discussed, especially the related technology of applying firewall is analyzed. The filtering rules module in firewall technology is deeply analyzed, combined with XSS vulnerability detection technology and manual penetration testing technology, the filtering rules are reclassified, and the bypass rules are constructed. This paper proposes to use discriminant matrix to realize the automatic judgment of effective rules, and then combines the XSS vulnerability detection method based on attack location to generate specific test cases, which provides the core support for the design of the detection scheme. Based on the above analysis and research, combined with network crawler technology and vulnerability automatic detection technology, the use of scripting language, Modularized design and development of XSS vulnerability detection system. The main innovation of this paper is to provide a new requirement for how to efficiently detect vulnerability of Web application system with security protection. Input control based on the application of firewall filtering rules is the mainstream solution in security protection at present. The traditional vulnerability detection scheme is to generate test cases as comprehensively as possible for correlation detection, in which a large number of test cases are invalid because of the existence of application firewalls. This passive detection idea is the most fundamental reason for the low detection efficiency. In this paper, the passive generation test case is changed into the active detection filter rule and the test case is generated, which greatly improves the detection efficiency. In order to verify that the detection system designed according to the detection scheme of this paper can achieve the expected goal, this paper finally builds the test environment. The feasibility and high efficiency of the detection scheme are determined by comparing the Web application system with different application firewalls and other vulnerability detection tools.
【学位授予单位】：北京邮电大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP393.08

【相似文献】