Article Preview
Top1. Introduction
With the continuous emergence of advanced Web application technologies in the Internet era, related Web vulnerabilities are also emerging. Web vulnerabilities may be due to lack of consideration of web security by website developers when developing websites, resulting in related security vulnerabilities in applications. Common web security vulnerabilities include SQL injection vulnerabilities, cross-site scripting vulnerabilities, and cross-site request forgery vulnerabilities. etc. (Yang Guofeng. 2019). Hackers can conduct penetration tests on target websites and use Web vulnerabilities to escalate privileges on website servers to achieve the purpose of invading websites. Based on these security threats, there is some value in using vulnerability scanners to detect vulnerabilities on websites.
The scanning process of traditional scanners is generally to obtain the URL of the website through a crawler, send a request with attack parameters to the website to obtain the payload, and output the corresponding vulnerability report if the payload is successfully verified. If the verification fails, continue to send the next request. Due to the high concurrency between modules, the next task can only be started after the completion of the previous task. The Web vulnerability detection analyzer designed in this paper can collect website information in batches to achieve high concurrency between modules, and tasks can be processed between crawlers and plug-ins at the same time, improving the efficiency of scanning websites, and the vulnerability script of the system has Scalability is conducive to the improvement and upgrade of the system. The vulnerability detection analyzer adopts a callable plug-in framework, which can automate the scanning process, actively send a request with parameters to the target website, and detect website vulnerabilities according to the obtained response.
Contributions made in this paper include:
- 1.
According to the process analysis of website vulnerability scanning, the overall architecture of the web vulnerability detection analyzer and the functional requirements of the four modules are designed.
- 2.
According to the cross-platform operation requirements of vulnerability scanning, the system is written in Python language.
- 3.
According to the requirements of vulnerability verification, this paper uses a custom PoC plug-in to verify website vulnerabilities, uses multi-process concurrent engine operation mode, uses logs to record the response information returned by website requests, and provides targets for vulnerability verification.
- 4.
For the completed system, the vulnerability scanning test of the website is carried out to test whether the function of the system is complete and the efficiency of scanning website vulnerabilities. This paper conducts vulnerability scanning tests on hundreds of websites, and divides these websites into three different scales. Test the total scan time of the website and the accuracy of website vulnerability results.
Top2. Background
The essence of Web application security problems stems from the quality of software. Compared with traditional software, web applications are usually considered to be enterprise-specific applications, and functions in them need to be changed frequently to maintain normal business, which leads to a longer development cycle for web applications; due to the communication between the client and the server. The process is cumbersome, and it is not easy for many development technicians to sort out the communication logic, which leads to problems in the security of Web applications.