Web Vulnerability Detection Analyzer Based on Python

Dawei Xu (Changchun University, China), Tianxin Chen (Changchun University, China), Zhonghua Tan (Hainan Normal University, China), Fudong Wu (Changchun University, China), Jiaqi Gao (Changchun University, China) and Yunfan Yang (Changchun University, China)
Copyright: © 2022 |Pages: 17
DOI: 10.4018/IJDCF.302875


In the information age, hackers use Web vulnerabilities to infiltrate websites, resulting in many security incidents. To address this problem, security-conscious enterprises and individuals conduct penetration tests to test and analyze the security of websites, but penetration tests often take a lot of time. Therefore, building on the traditional Web vulnerability scanner, the Web vulnerability detection analyzer designed in this article uses vulnerability detection technologies such as sub-domain scanning, application fingerprint recognition, and web crawling to penetrate the website. It records the vulnerability scanning process in logs and HTML output, which helps users discover the website's vulnerability information in a short time and patch the website promptly, reducing the security risks caused by website vulnerabilities.

1. Introduction

With the continuous emergence of advanced Web application technologies in the Internet era, related Web vulnerabilities are also emerging. Web vulnerabilities may arise when website developers give too little consideration to web security during development, leaving security vulnerabilities in applications. Common web security vulnerabilities include SQL injection, cross-site scripting, and cross-site request forgery vulnerabilities (Yang Guofeng, 2019). Hackers can conduct penetration tests on target websites and use Web vulnerabilities to escalate privileges on website servers in order to invade websites. Given these security threats, there is some value in using vulnerability scanners to detect vulnerabilities on websites.

A traditional scanner generally obtains the URLs of the website through a crawler, sends a request with attack parameters to the website to obtain the payload, and outputs the corresponding vulnerability report if the payload is successfully verified; if the verification fails, it continues with the next request. Due to the high concurrency between modules, the next task can only be started after the completion of the previous task. The Web vulnerability detection analyzer designed in this paper can collect website information in batches to achieve high concurrency between modules, and crawlers and plug-ins can process tasks at the same time, improving the efficiency of scanning websites. The system's vulnerability scripts are scalable, which is conducive to improving and upgrading the system. The vulnerability detection analyzer adopts a callable plug-in framework, which can automate the scanning process, actively send a request with parameters to the target website, and detect website vulnerabilities according to the response obtained.

Contributions made in this paper include:

  1. According to the process analysis of website vulnerability scanning, the overall architecture of the web vulnerability detection analyzer and the functional requirements of the four modules are designed.

  2. According to the cross-platform operation requirements of vulnerability scanning, the system is written in the Python language.

  3. According to the requirements of vulnerability verification, this paper uses a custom PoC plug-in to verify website vulnerabilities, uses a multi-process concurrent engine operation mode, uses logs to record the response information returned by website requests, and provides targets for vulnerability verification.

  4. For the completed system, vulnerability scanning tests are carried out on websites to check whether the system's functions are complete and how efficiently it scans for website vulnerabilities. This paper conducts vulnerability scanning tests on hundreds of websites, divides these websites into three different scales, and measures the total scan time and the accuracy of the vulnerability results.
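An added example (not the authors' code) of the pipeline described above: a crawler feeds pages through a queue to callable plug-ins so both run at the same time, every check is logged, and findings are rendered as HTML. It assumes a constructed in-memory site, passive header checks as the plug-ins, and threads in place of the paper's multi-process engine; all names are hypothetical.

```python
import html, logging, queue
from concurrent.futures import ThreadPoolExecutor
logging.basicConfig(level=logging.INFO, format="%(threadName)s %(message)s")

SITE = {  # constructed in-memory site (no network): URL -> (links, response headers)
    "/": (["/login", "/about"], {"Content-Security-Policy": "default-src 'self'"}),
    "/login": (["/"], {"Set-Cookie": "sid=abc123; Path=/"}),
    "/about": (["/", "/login"], {"Set-Cookie": "theme=dark; HttpOnly"}),
}

def missing_csp(url, headers):
    return None if "Content-Security-Policy" in headers else "missing Content-Security-Policy"

def cookie_without_httponly(url, headers):
    cookie = headers.get("Set-Cookie", "").lower()
    return "cookie set without HttpOnly" if cookie and "httponly" not in cookie else None

PLUGINS = [missing_csp, cookie_without_httponly]  # callable plug-ins; add checks here

def crawl(start, tasks, workers):
    seen, frontier = {start}, [start]
    while frontier:
        url = frontier.pop(0)
        links, headers = SITE[url]
        tasks.put((url, headers))  # hand off at once; plug-ins run while crawling continues
        for link in links:
            if link in SITE and link not in seen:
                seen.add(link)
                frontier.append(link)
    for _ in range(workers):
        tasks.put(None)  # one stop marker per worker

def worker(tasks, findings):
    for url, headers in iter(tasks.get, None):  # blocks until the crawler queues a page
        for check in PLUGINS:
            result = check(url, headers)
            logging.info("%s %s -> %s", url, check.__name__, result or "ok")
            if result:
                findings.append((url, check.__name__, result))  # list.append is thread-safe in CPython

def scan(start="/", workers=2):
    tasks, findings = queue.Queue(), []
    with ThreadPoolExecutor(workers) as pool:
        for _ in range(workers):
            pool.submit(worker, tasks, findings)
        crawl(start, tasks, workers)  # crawler runs here while the pool drains the queue
    return sorted(findings)

def to_html(findings):  # HTML report; values are escaped before rendering
    rows = ("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in row) + "</tr>" for row in findings)
    return "<table>" + "".join(rows) + "</table>"
```

Calling `to_html(scan())` produces the report table, while the log shows which worker thread ran each plug-in against each page.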


2. Background

The essence of Web application security problems stems from the quality of software. Compared with traditional software, web applications are usually considered to be enterprise-specific applications, and their functions need to be changed frequently to maintain normal business, which leads to a longer development cycle for web applications. Because the communication process between the client and the server is cumbersome, it is not easy for many development technicians to sort out the communication logic, which leads to problems in the security of Web applications.
