Research and Implementation of a Crawler-Based Penetration Testing System
Published: 2018-06-10 16:34
Topics: Bloom filter + web crawler; Reference: Northeastern University, master's thesis, 2012
【Abstract】: With the growth of network applications, Web applications have been adopted across every sector of society, and attacks against them have risen accordingly. When a Web application contains an exploitable vulnerability, an attacker can use it to steal information, plant viruses and Trojans, set up spoofed phishing sites, insert malicious advertisements and carry out other illegal operations, and ordinary users browsing such pages can easily have their computers infected or suffer financial loss. If developers lack sound secure-programming awareness and habits, or if site administrators have weak security awareness while deploying the site, the Web application is likely to end up with security weaknesses that leave an opening for malicious attackers; security testing of Web applications is therefore essential.
This thesis first presents the research background and the purpose and significance of a penetration testing system, analyzes the main security threats to Web applications and the detection methods for each kind of vulnerability, and, to address the excessive storage cost of earlier crawler designs, proposes a web crawler algorithm based on a Bloom filter, which effectively reduces the system memory consumed while the crawler traverses pages. On this basis, a crawler-based penetration testing system is designed and implemented. Its detection modes are divided into automatic and manual detection; it can detect SQL injection vulnerabilities, XSS script vulnerabilities, sensitive directories and third-party editor vulnerabilities, and can further retrieve database information on the basis of a SQL injection vulnerability. During detection it dynamically reports progress to the tester and displays the results when detection completes. By simulating the attack behavior of hackers, the system performs penetration testing of a site's Web application, discovers vulnerabilities present while the site is running, and provides reliable, effective weakness information for site administrators or penetration testing staff. System testing shows that the system runs well, can effectively detect security vulnerabilities in Web applications, and provides users with an effective security detection system and technical safeguard.
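The Bloom-filter URL deduplication the abstract describes, as an added example that is not the thesis's own code: a crawl frontier that records visited URLs in a fixed-size bit array instead of storing every URL string. The class and function names, the parameters (100,000 expected URLs, 1% false-positive rate) and the sample links are assumptions for illustration.

```python
import hashlib
import math
from urllib.parse import urlsplit, urlunsplit

class BloomFilter:
    """Fixed-size set of seen URLs: may report false positives, never false negatives."""
    def __init__(self, expected_items: int, fp_rate: float):
        # Optimal bit-array size m and hash count k for the target false-positive rate.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: k indices from two 64-bit halves of one SHA-256 digest.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd, so the stride is never 0
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def normalize_url(url: str) -> str:
    # Drop the fragment and lowercase scheme/host so one page hashes to one key.
    s = urlsplit(url)
    return urlunsplit((s.scheme.lower(), s.netloc.lower(), s.path or "/", s.query, ""))

def crawl_frontier_dedup(links, expected_items=100_000, fp_rate=0.01):
    """Return (urls to fetch, filter): each distinct URL is fetched at most once."""
    seen = BloomFilter(expected_items, fp_rate)
    to_fetch = []
    for link in links:
        u = normalize_url(link)
        if u in seen:
            continue  # already crawled, or a false positive (page skipped, never re-fetched)
        seen.add(u)
        to_fetch.append(u)
    return to_fetch, seen

# Constructed sample of links a crawler might extract (not from the thesis).
SAMPLE_LINKS = [
    "http://Example.com/index.php?id=1",
    "http://example.com/index.php?id=1#top",
    "http://example.com/admin/",
    "http://EXAMPLE.com/admin/",
]
```

At these parameters the filter occupies about 117 KB regardless of how long the URLs are, where a plain set would hold every URL string; the price is that a false positive silently skips a page, which for a scanner means an unvisited and therefore untested page.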
【Degree-granting institution】: Northeastern University
【Degree level】: Master's
【Year of degree】: 2012
【Classification number】: TP393.092
Article ID: 2003874
Article link: https://www.wllwen.com/wenyilunwen/guanggaoshejilunwen/2003874.html