CSA  >> Vol. 6 No. 6 (June 2016)

    基于爬虫技术的Web应用程序漏洞检测方法
    A Web Application Vulnerability Detection Method Based on Web Crawler Technology

  • 全文下载: PDF(523KB) HTML   XML   PP.340-346   DOI: 10.12677/CSA.2016.66042  
  • 下载量: 1,215  浏览量: 7,406   国家自然科学基金支持

作者:  

王全民,雷佳伟,张程,赵小桐:北京工业大学计算机学院,北京

关键词:
XSSWeb应用Scrapy爬虫攻击向量XSS Web Application Scrapy Attack Vectors

摘要:

随着Web应用不断的发展,随之而产生的包括XSS在内的各种安全漏洞也越来越多。今天,XSS传统防御技术的缺陷已经越来越多地显现,例如防御种类单一、防御强度低、防御手段落后等,这就迫切需要不断提高和完善防御的方法和手段。针对此问题,提出了一种基于Scrapy的爬虫框架的Web应用程序漏洞检测方法。通过框架提供的便利条件对页面进行提取分析,根据不同的攻击方式生成特有的攻击向量,最后使页面注入点与攻击向量组合达到测试是否具有漏洞的目的。实验结果表明,这种漏洞检测方法在爬取页面以及漏洞检测的效率上都有了很大的提高。

With the continuous development of Web applications, a variety of security vulnerabilities, in-cluding XSS, also generate more and more. Today, the defects of the traditional XSS defense tech-nology have been more and more appear, such as a single type of defense, defense strength low, defense means backward. There is an urgent need to continuously improve and perfect the me-thods and means of defense. Aiming at this problem, this paper proposes a Web application vul-nerability detection method based on Scrapy. Through the framework to provide convenient con-ditions to the page for extraction and analysis, specific attack vector is generated according to the different ways of attacks. Finally, we make the combination of page injection points and attack vector to achieve the objective to test whether it is vulnerable. Experimental results show that this vulnerability detection method has a great improvement in the efficiency of crawling pages and vulnerability detection.

文章引用:
王全民, 雷佳伟, 张程, 赵小桐. 基于爬虫技术的Web应用程序漏洞检测方法[J]. 计算机科学与应用, 2016, 6(6): 340-346. http://dx.doi.org/10.12677/CSA.2016.66042

参考文献

[1] Wichers, D. (2013) The Top 10 Most Critical Web Application Secutity Rishk. OWASP.
[2] 吴耀斌, 王科, 龙岳红. 基于跨站脚本的网络漏洞攻击与防范[J]. 计算机系统应用, 2008(1): 38.
[3] 维基百科. 跨站点脚本[EB-OL]. http://zh.wikipedia.org.wiki/XSS
[4] 酷壳-CoolShell.cn. 新浪的XSS攻击[EB/OL]. http://coolshell.cn/articles/4914.html
[5] 陈嘉讯. 论跨站脚本攻击(XSS)的危害、成因及防范[J]. 网络与信息, 2008, 22(9):80-80.
[6] Schafer, J.B. Frankowski, D. Herlocker, J. and Sen. S. (2007) Collaborative Filtering Re-commender Systems. In: The Adaptive Web, Volume 4321 of the Series Lecture Notes in Computer Science, 291-324.
http://dx.doi.org/10.1007/978-3-540-72079-9_9
[7] 张宗之. 基于爬虫技术的web应用漏洞挖掘的研究[D]: [硕士学位论文]. 北京邮电大学, 2013.
[8] 肖征. 基于网络爬虫的网络漏洞扫描检测系统的设计与实现[D]: [硕士学位论文]. 长春: 吉林大学, 2014.
[9] Maedche, A. (2006) Ontology Learning for the Semantic Web. Kluwer Academic Publishers.
[10] Bradshaw. S. (2004) Reference Directed Indexing: Redeeming Relevance for Subject Search in Citation Indexes. In: ECDL, 499-510.
[11] 凌妍妍, 孟小峰, 刘伟. 基于属性相关的Web数据库大小估算方法[J]. 软件学报, 2008, 19(2): 224-236.
[12] Friedl, J.E.F. (2006) Mastering Regular Expressions. 3rd Edition, O’reilly Media Inc., 12(18): 4140-4143.
[13] Bates, D. (2010) Regular Expressions Considered Harmful in Client-Side XSS Filters. ACM.WWW 2010. USE:ACM, 91-100.
[14] Klein, A. Dom Based Cross Site Scripting or XSS of the Third Kind. http://www.Webappsec.org/projects/articles/071105.html
[15] 王津涛. HTML, CSS, Javascript整合详解. 北京: 机械工业出版社出版, 2008.
[16] 风信子, 施威铭研究室. Javascript最新网页制作. 北京: 人民邮电出版社, 2001.