
Research and Implementation of Web Vulnerability Detection Technology Based on Rule Base and Web Crawler

Cited by: 11
Abstract: Web applications are programs that provide services over HTTP or HTTPS, and they have become one of the mainstream forms of software development; at the same time, the security vulnerabilities they contain, such as SQL injection and XSS, are increasingly being exposed and cause large economic losses. To address web site security, this paper studies common web vulnerabilities such as SQL injection and XSS and proposes a new detection method: a technique that detects SQL injection and XSS with a web crawler driven by a vulnerability rule base. The crawler traverses the site over HTTP and collects its URLs; for each discovered link it reads the rules from the rule base one by one, builds the link into a form that can reveal the vulnerability, and automatically issues GET and POST requests with it. This repeats until every rule in the rule base has been read and its test link constructed; the crawler and regular expressions are then used again to collect further page information, and the whole process repeats, which achieves the detection of SQL injection and XSS vulnerabilities. The method enriches the means of web vulnerability detection, increases the number of pages tested, and covers both HTTP GET and HTTP POST requests. Finally, experiments verify that the technique is feasible for security testing of web sites and can accurately detect whether a site contains SQL injection and XSS vulnerabilities.
Authors: 杜雷 (Du Lei), 辛阳 (Xin Yang)
Source: Netinfo Security (《信息网络安全》), 2014, No. 10, pp. 38-43 (6 pages)
Funding: National Natural Science Foundation of China [61121061, 61161140320]; Fundamental Research Funds for the Central Universities [2012RC0215, 2012RC0216]
Keywords: web crawler; SQL injection; XSS vulnerability; rule base