Research and Implementation of Web Vulnerability Detection Technology Based on Rule Base and Web Crawler

doi:10.3969/j.issn.1671-1122.2014.10.007

Abstract

Abstract:

Web technology is the application using HTTP or HTTPS protocols to provide services. Web applications are becoming one of the main software development trends, but a variety of security vulnerabilities in Web applications are gradually exposed, such as SQL injection, XSS vulnerabilities. It brings a lot of economic loss. To solve the problem of Web site security, based on Web research for common vulnerabilities such as SQL injection and XSS, this paper presents a novel method for vulnerability detection which can detect Web vulnerabilities using Web Crawler constructing using URLs combined with vulnerability rule base. Web Crawler uses the HTTP protocol and URL links to traverse the acquisition Web page information through web links, and gradually read the rules in the rule library that configured to detect vulnerabilities link form, then initiate a GET request and a post request automatically. This process doesn’t repeats until all the rule library is read completed. And then using the Web Crawler and regular expressions to obtain Web page information, this will achieve the detection of SQL injection and XSS vulnerabilities purpose through repeating the process. This method is a means to enrich Web vulnerability detection, increasing the number of tested Web pages. At the same time, the HTTP GET and HTTP POST have done safety detection. Finally, the experiment can prove that the use of this technology on the Web site can be safety testing and detect whether the site has a SQL injection and XSS vulnerabilities.

Key words: Web Crawler, SQL injection, XSS vulnerabilities, rule base

CLC Number:

TP309

DU Lei, XIN Yang. Research and Implementation of Web Vulnerability Detection Technology Based on Rule Base and Web Crawler[J]. Netinfo Security, 2014, 14(10): 38-43.

Figures/Tables 8

References 14

[1]	付堂欢,白中英. 基于网络的Web漏洞扫描系统的分析与设计[D]. 北京:北京邮电大学,2012.
[2]	Symantec Corporation.Symatec Internet Security Threat Report, Trends for January-June 07[R]. Volume XII, 2007.
[3]	彭赓,范明钰. 基于改进网络爬虫技术的SQL注入漏洞检测[J]. 计算机应用研究,2010,27(7):2605-2607.
[4]	周大. 云环境下Web应用扫描中的网络爬虫技术探究[J]. 信息网络安全,2012,(5):20-23.
[5]	丁允超,范小花. SQL注入攻击原理及其防范措施[J]. 重庆科技学院学报(自然科学版),2012,14(5):136-137.
[6]	颜浩,蒋巍,蒋天发. SQLI和XSS漏洞检测与防御技术研究[J]. 信息网络安全,2011,(12):51-53.
[7]	潘发益,郭颖,崔宝江. 基于动态数据生成缺陷的XSS漏洞挖掘技术[J]. 信息网络安全,2012,(11):44-47.
[8]	沈寿忠,张玉清. 基于爬虫的XSS漏洞检测工具设计与实现[J]. 计算机工程,2009,35(21):151-154.
[9]	练坤梅,许静,田伟,等. SQL注入漏洞多等级检测方法研究[J]. 计算机科学与探索,2011,5(5):475-479.
[10]	黄超,李毅,麻荣宽. 网页漏洞挖掘系统设计[J]. 信息网络安全,2012,(9):76-80.
[11]	吴子敬,张宪忠,管磊,等. 基于反过滤规则集和自动爬虫的XSS漏洞深度挖掘技术[J]. 北京理工大学学报,2012,32(4):396.
[12]	徐有福,文伟平,万正苏. 基于漏洞模型检测的安全漏洞挖掘方法研究[J]. 信息网络安全,2011,(8):72-75.
[13]	刘金红,陆余良. 主题网络爬虫研究综述[J]. 计算机应用研究,2007,24(10):26.
[14]	文凯,何小东. 一种基于网络爬虫的跨站脚本漏洞检测方法[J]. 电脑编程技巧与维护,2012,(24):121.

[1]	HUANG Kaijie, WANG Jian, CHEN Jiongyi. A Large Language Model Based SQL Injection Attack Detection Method [J]. Netinfo Security, 2023, 23(11): 84-93.
[2]	GUO Chun, CAI Wenyan, SHEN Guowei, ZHOU Xuemei. Research on SQL Injection Attacks Detection Method Based on the Truncated Key Payload [J]. Netinfo Security, 2021, 21(7): 43-53.
[3]	WU Chi, SHUAI Junlan, LONG Tao, YU Junqing. Research on Detection Method of User Abnormal Operation Based on Linux Shell Commands [J]. Netinfo Security, 2021, 21(5): 31-38.
[4]	Jianwei HU, Wei ZHAO, Zheng YAN, Rui ZHANG. Analysis and Implementation of SQL Injection Vulnerability Mining Technology Based on Machine Learning [J]. Netinfo Security, 2019, 19(11): 36-42.
[5]	Lianqun YANG, Kui MENG, Bin WANG, Yong HAN. A New Detection Technique of SQL Injection Based on Hidden Markov Mode [J]. Netinfo Security, 2017, 17(9): 115-118.
[6]	Limin XUE, Qi WU, Jun LI. Research on User Customized Topic Web Crawler for Specialized Information Acquiration Technology [J]. Netinfo Security, 2017, 17(2): 12-21.
[7]	Hongling LI, Jianxin ZOU. Research of SQL Injection Detection Based on SVM and Text Feature Extraction [J]. Netinfo Security, 2017, 17(12): 40-46.
[8]	Xin LI, Weiwei ZHANG, Zichang SUI, Lixin ZHENG. Research and Analysis on the Novel SQL Injection and Defense Technique [J]. Netinfo Security, 2016, 16(2): 66-73.
[9]	Wen-sheng LIU, De-guang LE, Wei LIU. Research on SQL Injection Attack and Defense Technology [J]. Netinfo Security, 2015, 15(9): 129-134.
[10]	TIAN Yu-jie, ZHAO Ze-mao, WANG Li-jun, LIAN Ke. Research on Double Layer Defense Model for SQL Injection Attack Based on Classification [J]. Netinfo Security, 2015, 15(6): 1-6.
[11]	DI Hong-bo, YU Shao-hui, SU Ji-cheng. The Analysis and Comparison of Website Security Scanning Products [J]. 信息网络安全, 2014, 14(9): 180-183.
[12]	. The Design and Implementation for the Detection System of the SQL Injection Attack based on the Windows Environment [J]. , 2014, 14(7): 16-.
[13]	. The Design and Implementation of Suspicious Sample Collection System based on Windows Kernel Driver [J]. , 2014, 14(2): 41-.
[14]	. Common Source Code Vulnerability Analysis and Research [J]. , 2014, 14(2): 48-.
[15]	. Research and Realization of Crawling System for QVOD Resources [J]. , 2014, 14(2): 81-.