基于改进模糊测试的Web应用漏洞挖掘方法

doi:10.3969/j.issn.1006-2475.2016.08.021

计算机与现代化

基于改进模糊测试的Web应用漏洞挖掘方法

(中国航天科工集团第二研究院706所，北京 100854)

收稿日期:2016-02-23 出版日期:2016-08-18 发布日期:2016-08-11
作者简介:达小文(1989-)，男，湖南邵阳人，中国航天科工集团第二研究院706所硕士研究生，研究方向：计算机网络安全; 王晓程(1973-)，男，天津人，研究员，硕士生导师，硕士，研究方向：计算机网络安全; 陈志浩(1982-)，男，福建宁德人，高级工程师，硕士，研究方向：信息安全。

Web Application Vulnerabilities Mining Method Based on Improved Fuzzing

(Institute 706, Second Research Academy of CASIC, Beijing 100854, China)

Received:2016-02-23 Online:2016-08-18 Published:2016-08-11

摘要/Abstract

摘要： 为解决Web模糊测试挖掘漏洞速度较慢、发现漏洞数较少的问题，提出一种改进的Web模糊测试向量生成方法。在通用的Web应用模糊测试结构（Web Fuzzing）基础上，分析现有测试向量生成方法，引入遗传算法来改进Web模糊测试向量生成方法。基于该方法实现XSS模糊测试工具，使用该工具对2个Web应用系统进行测试，将结果与现有模糊测试工具测试结果对比，验证了使用该方法挖掘Web漏洞速度快，发现漏洞数更多，提高了漏洞挖掘效率。

关键词: Web安全, Web漏洞, 模糊测试, 遗传算法, 测试向量

Abstract: To solve the problems that slower speed and fewer number of vulnerabilities found of Web fuzzing for mining vulnerabilities, a method to improve the generation of vectors of Web fuzzing is proposed. On the basis of the structure of commonly-used fuzzing for Web application (Web fuzzing) and the analyses of the current methods of testing vectors generation, the genetic algorithm to improve testing vector generation of Web fuzzing is applied. Based on this method, a XSS fuzzing tool is implemented. The testing results of multiple Web applications with XSS fuzzing tool and that with current fuzzing tool are compared, which indicates that the efficiency of mining vulnerability is increased with the method.

Key words: Web security, Web vulnerability, fuzzing, genetic algorithm, test vector

中图分类号:

TP393.08

达小文，王晓程，陈志浩. 基于改进模糊测试的Web应用漏洞挖掘方法[J]. 计算机与现代化, doi: 10.3969/j.issn.1006-2475.2016.08.021.

DA Xiao-wen, WANG Xiao-cheng, CHEN Zhi-hao. Web Application Vulnerabilities Mining Method Based on Improved Fuzzing[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2016.08.021.

参考文献

[1] 陈衍铃,王正. 模糊测试研究进展[J]. 计算机应用与软件, 2011,28(7):291-293.

[2] 中国信息安全测评中心. 信息安全漏洞周报[DB/OL]. http://www.cnnvd.org.cn/news/vulreport#, 2015-12-04.

[3] Miller B P, Fredriksen L, So B. An empirical study of the reliability of Unix utilities[J]. Communications of the ACM, 1990,33(12):32-44.

[4] 彭越. Web脆弱性检测关键技术的研究与系统实现[D]. 北京:北京邮电大学, 2014.

[5] Hammersland R, Snekkenes E. Fuzz Testing of Web Applications[DB/OL]. http://www.aqualab.cs.northwestern.edu/conferences/HotWeb08/papers/Hammersland-FTW.pdf, 2012-12-20.

[6] Bozic J, Garn B, Kapsalis I, et al. Attack pattern-based combinatorial testing with constraints for Web security testing[C]// Proceedings of the 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS). 2015:207-212.

[7] Garn B, Kapsalis I, Simos D E, et al. On the applicability of combinatorial testing to Web application security testing: A case study[C]// Proceedings of the 2014 Workshop on Joining AcadeMiA and Industry Contributions to Test Automation and Model-based Testing. 2014:16-21.

[8] Duchene F, Groz R, Rawat S, et al. XSS vulnerability detection using model inference assisted evolutionary fuzzing[C]// Proceedings of the IEEE 5th International Conference on Software Testing, Verification and Validation. 2012:815-817.

[9] 李彤,黄轩,刘海燕,等. 基于Fuzzing的软件漏洞发掘技术[J]. 价值工程, 2014,33(3):197-199.

[[1]0] Hydara I, Sultan A B M, Zulzalil H, et al. An approach for cross-site scripting detection and removal based on genetic algorithms[C]// Proceedings of the 9th International Conference on Software Engineering Advances. 2014:227-232.

[[1]1] 边霞,米良. 遗传算法理论及其应用研究进展[J]. 计算机应用研究, 2010,27(7):2425-2429.

[[1]2] Srivastava P R, Kim T. Application of genetic algorithm in software testing[J]. International Journal of Software Engineering and Its Applications, 2009,3(4):87-96.

[[1]3] Banković Z, Stepanović D, Bojanić S, et al. Improving network security using genetic algorithm approach[J]. Computers & Electrical Engineering, 2007,33(5-6):438-451.

[[1]4] Islam A B M, Azad A, Alarm K, et al. Security attack detection using genetic algorithm (GA) in policy based network[C]// Proceedings of the 2007 International Conference on Information and Communication Technology. 2007:341-347.

[[1]5] DeMott J D, Enbody R J, Punch W F. Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing[DB/OL]. https://www.blackhat.com/presentations/bh-usa-07/DeMott_Enbody_and_Punch/Whitepaper/bh-usa-07-demott_enbody_and_punch-WP.pdf, 2007-12-20.

[[1]6] Del Grosso C, Antoniol G, Merlo E, et al. Detecting buffer overflow via automatic test input data generation[J]. Computers & Operations Research, 2008,35(10):3125-3143.

[1]	林启钊, 彭志平, 郭棉, 崔得龙. 基于双向多步预测的炉管温度场重构方法[J]. 计算机与现代化, 2024, 0(01): 53-58.
[2]	刘显茁, 邓韦斯, 谢恩彦. 考虑分布式发电并网的配电网自适应保护系统[J]. 计算机与现代化, 2023, 0(09): 120-126.
[3]	张志霞, 谢宝强. 基于FCGA-LSTM与迁移学习的天然气负荷预测[J]. 计算机与现代化, 2023, 0(07): 7-12.
[4]	汪敏, 徐英豪, 朱习军. 基于改进遗传算法优化BP神经网络的糖尿病并发症预测模型#br#[J]. 计算机与现代化, 2022, 0(11): 69-74.
[5]	王扬, 陈梅, 李晖. FOCoR:一种基于特征选择优化的课程推荐技术[J]. 计算机与现代化, 2022, 0(10): 1-7.
[6]	冉昊杰, 王宏智. 基于改进模拟退火算法的生鲜农产品配送中心选址[J]. 计算机与现代化, 2022, 0(10): 36-40.
[7]	战俊伟, 庄毅. 基于能耗与延迟优化的移动边缘计算任务卸载模型及算法[J]. 计算机与现代化, 2022, 0(08): 86-93.
[8]	吴代漾, 赵洁, 梁家铭, 董振宁, 梁周扬. C2C在线短租跨平台房东匹配算法[J]. 计算机与现代化, 2022, 0(06): 43-48.
[9]	徐胜超, 熊茂华. 基于遗传算法的容器云资源配置优化[J]. 计算机与现代化, 2022, 0(01): 108-112.
[10]	徐明, 张剑铭, 陈松航, 陈豪. 柔性作业车间调度问题的多目标优化算法[J]. 计算机与现代化, 2021, 0(12): 1-6.
[11]	张林鹏, 汪西原, 李强. 基于双池化特征加权结构CNN的图像分类[J]. 计算机与现代化, 2021, 0(11): 67-71.
[12]	陈春燕, 刘梦赤. 基于粒子群遗传算法的智能组卷策略[J]. 计算机与现代化, 2021, 0(08): 16-23.
[13]	杨晓东. 基于遗传算法的会计资源共享管理风险评估模型[J]. 计算机与现代化, 2021, 0(06): 24-28.
[14]	刘军, 彭慧娴, 黄斌, 托尼·谢伊. 基于BP-GamysBoost的乳腺癌诊断模型[J]. 计算机与现代化, 2021, 0(04): 8-14.
[15]	徐胜超. 利用遗传算法完成虚拟机放置策略的优化[J]. 计算机与现代化, 2020, 0(12): 25-31.

基于改进模糊测试的Web应用漏洞挖掘方法

Web Application Vulnerabilities Mining Method Based on Improved Fuzzing

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价