Research on Web Application Penetration Techniques and Design of a Security Defence Scheme
Published: 2018-06-26 01:14
Topic: Web security + Web vulnerabilities; Source: Beijing University of Posts and Telecommunications, 2014 master's thesis
[Abstract]: With the rapid development of Web applications built on the B/S (browser/server) architecture, the security threats they bring have grown in step and now deeply affect people's lives. The Web security incidents of recent years have drawn public attention to information security. This thesis analyses current Web application vulnerabilities in depth, studying for each class of vulnerability its root cause, triggering conditions, exploitation method, attack scenarios and the damage it can cause, and from this builds a Web security threat model and an attack model. The attack model is then verified by testing in a real environment; from the test results, the current state of Web security, the damage that can be caused and defensive recommendations are analysed. Finally, a systematic security defence framework is proposed that covers secure design, secure development, testing, operations and maintenance, and security incident response. Its specific content includes:
(1) Secure design: a Web security architecture is constructed.
(2) Secure development: the security threats that should be considered during development and an effective secure-coding standard distilled from practical experience are provided; these avoid many classes of vulnerability and so eliminate potential security problems at the development stage.
(3) Secure operations: a security operations policy is formulated and a malicious-behaviour-based approach to Web application-layer intrusion detection is proposed, improving on the traditional detection method based on signature matching so that more complex attack techniques can be detected.
(4) Security response: the important role of incident response is emphasised and the better current response strategies are studied.
The research in this thesis gives a fairly systematic understanding of Web attacks and makes it possible to recognise most of them. The systematic Web security defence framework proposed here is an all-round defensive solution that can prevent Web security incidents in two ways: by avoiding the creation of vulnerabilities and by withstanding the various Web attacks. The improvements suggested for the different stages of defence are offered for reference and further research.
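The contrast drawn in item (3), between signature matching on the raw request and detection based on a source's behaviour, is easiest to see on a handful of log records. The following is an added illustration written for this page, not code from the thesis: the access-log records are constructed, the three signatures, the behaviour features (server-error ratio, number of distinct values tried for one parameter, metacharacter density) and the thresholds are assumptions chosen for the example, not the thesis's detection rules.

```python
import re
from collections import defaultdict

# Constructed sample access-log records (not from the thesis):
# (source IP, path, query string, HTTP status)
SAMPLE_LOG = [
    ("10.0.0.5",     "/login",   "user=alice&pw=hunter2",              200),
    ("10.0.0.5",     "/account", "id=42",                              200),
    ("203.0.113.9",  "/search",  "q=shoes",                            200),
    ("203.0.113.9",  "/search",  "q=1' OR '1'='1",                     200),
    ("198.51.100.7", "/search",  "q=1'/**/UNION/**/SELECT/**/1,2",     500),
    ("198.51.100.7", "/search",  "q=1'/**/UNION/**/SELECT/**/1,2,3",   500),
    ("198.51.100.7", "/search",  "q=1'/**/UNION/**/SELECT/**/1,2,3,4", 200),
    ("198.51.100.7", "/search",  "q=1'/**/AND/**/1=2",                 500),
    ("198.51.100.7", "/search",  "q=1'/**/AND/**/1=1",                 200),
    ("198.51.100.7", "/search",  "q=1'/**/AND/**/SLEEP(5)",            500),
]

# Traditional signature matching: fixed patterns over the raw query string.
# The patterns are assumed for this example; they need whitespace between
# keywords, so SQL comment padding (/**/) slips past them.
SIGNATURES = [
    re.compile(r"'\s+or\s+'", re.I),      # classic tautology
    re.compile(r"union\s+select", re.I),  # UNION-based extraction
    re.compile(r"<script", re.I),         # reflected XSS probe
]

META_CHARS = re.compile(r"""['"();<>/*=]""")  # SQL/script metacharacters


def signature_hits(log):
    """Source IPs with at least one request matching a signature."""
    return {ip for ip, _, query, _ in log
            if any(sig.search(query) for sig in SIGNATURES)}


def behavior_scores(log):
    """Score each source on how it behaves rather than on payload text.

    Three assumed indicators, one point each:
      - at least half of its requests produced a 5xx (blind probing)
      - it tried 4+ distinct values for the same path+parameter
      - at least 20% of its query bytes are metacharacters
    """
    per_ip = defaultdict(list)
    for ip, path, query, status in log:
        per_ip[ip].append((path, query, status))

    scores = {}
    for ip, reqs in per_ip.items():
        err_ratio = sum(1 for _, _, st in reqs if st >= 500) / len(reqs)

        variants = defaultdict(set)  # (path, param) -> distinct values seen
        for path, query, _ in reqs:
            for kv in query.split("&"):
                key, _, value = kv.partition("=")
                variants[(path, key)].add(value)
        max_variants = max(len(v) for v in variants.values())

        meta = sum(len(META_CHARS.findall(q)) for _, q, _ in reqs)
        total = sum(len(q) for _, q, _ in reqs) or 1
        meta_density = meta / total

        score = 0
        if err_ratio >= 0.5:
            score += 1
        if max_variants >= 4:
            score += 1
        if meta_density >= 0.2:
            score += 1
        scores[ip] = score
    return scores


def behavior_hits(log, threshold=2):
    """Source IPs whose behaviour score reaches the threshold."""
    return {ip for ip, s in behavior_scores(log).items() if s >= threshold}


def detect(log):
    """Union of both detectors: each catches what the other misses here."""
    return signature_hits(log) | behavior_hits(log)


if __name__ == "__main__":
    print("signature:", sorted(signature_hits(SAMPLE_LOG)))
    print("behaviour:", sorted(behavior_hits(SAMPLE_LOG)))
    print("combined: ", sorted(detect(SAMPLE_LOG)))
```

On the constructed records the signature matcher flags only 203.0.113.9 (the plain tautology), while the comment-padded UNION and blind-injection requests from 198.51.100.7 evade every pattern but are caught by their behaviour: a 4/6 server-error ratio, six distinct values for the same parameter and a high metacharacter density. The single tautology from 203.0.113.9 scores only one behaviour point, which is the caveat the thesis implies: behaviour-based detection complements signatures rather than replacing them.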
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08
Article ID: 2068381
Link: https://www.wllwen.com/guanlilunwen/ydhl/2068381.html