
Research on Penetration Testing Methods for Web Applications

Published: 2019-04-03 05:56
[Abstract]: With the continued development of the Internet, Web applications have become ever more deeply embedded in all aspects of social life. They bring great convenience to people's lives, and they also bring unprecedented security risks. Because of the complexity of Web applications themselves and of their runtime environments, their security problems are growing increasingly complex. Penetration testing, an extremely important security testing technique for Web applications, can discover the vulnerabilities present in a Web application so that the corresponding threats can be eliminated promptly. In practice, however, the results of a penetration test are often directly tied to the experience and skill of the tester. To keep the results of Web application penetration testing from depending too heavily on the individual ability of testers, and to improve the efficiency of penetration testing, a scientific and effective Web application penetration testing method is urgently needed. To address these problems, the thesis starts from the research background of the topic. It first analyzes the state of research and the development trends of penetration testing in China and abroad, and studies the related theory and techniques. It then proposes a Web application penetration testing method that optimizes the design of the testing process and the testing content. The testing process is divided into 6 phases: formulating the penetration test scheme, collecting and analyzing relevant information, drawing up a detailed work plan, carrying out the penetration test, assessing vulnerability risk levels, and compiling the penetration test report. The vulnerability testing scope is divided into 7 categories: authentication, data validation, information disclosure, session, application logic, Web Service, and third-party components. The testing methods and commonly used testing tools for two common vulnerabilities, SQL injection and XSS attacks, are summarized and analyzed. Finally, drawing on a real project, the thesis presents a complete application case of the Web application penetration testing method, verifying the effectiveness and practicality of the method. 14 figures, 14 tables, 51 references.
[Degree-granting institution]: Central South University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08




Article ID: 2452962


Article link: https://www.wllwen.com/guanlilunwen/ydhl/2452962.html

