Research and design on Web application vulnerability scanning service

2014 IEEE 5th International Conference on Software Engineering and Service Science Pub Date : 2014-06-27 DOI:10.1109/ICSESS.2014.6933657

Wu Qianqian, L. Xiangjun

{"title":"Research and design on Web application vulnerability scanning service","authors":"Wu Qianqian, L. Xiangjun","doi":"10.1109/ICSESS.2014.6933657","DOIUrl":null,"url":null,"abstract":"Web application has got a remarkable change in the past few years, many new technologies are reshaping the pattern of Web applications. Since many manufacturers' promotion on HTML5 technology, more and more websites are using HTML5 gradually. The new technology provides users with a variety of Internet applications, but introduces new security problems at the same time. Currently, most Web application scanners can not detect the security problems with HTML5 features, which make HTML5 security issues become blind spots in security vulnerability scanning process. The paper focuses on a research among the existing Web application scanners firstly. Then we selected W3af(Web Application Attack and Audit Framework) as a basic platform for transformation, and by customizing scanning modules and scripts, we designed a Web application security scanning service. The practical scan results show that it can not only detect the Clickjacking vulnerabilities brought by HTML5, but also provide efficient Web application security scanning and evaluation services for the websites.","PeriodicalId":6473,"journal":{"name":"2014 IEEE 5th International Conference on Software Engineering and Service Science","volume":"134 1","pages":"671-674"},"PeriodicalIF":0.0000,"publicationDate":"2014-06-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE 5th International Conference on Software Engineering and Service Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSESS.2014.6933657","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 15

Abstract

Web application has got a remarkable change in the past few years, many new technologies are reshaping the pattern of Web applications. Since many manufacturers' promotion on HTML5 technology, more and more websites are using HTML5 gradually. The new technology provides users with a variety of Internet applications, but introduces new security problems at the same time. Currently, most Web application scanners can not detect the security problems with HTML5 features, which make HTML5 security issues become blind spots in security vulnerability scanning process. The paper focuses on a research among the existing Web application scanners firstly. Then we selected W3af(Web Application Attack and Audit Framework) as a basic platform for transformation, and by customizing scanning modules and scripts, we designed a Web application security scanning service. The practical scan results show that it can not only detect the Clickjacking vulnerabilities brought by HTML5, but also provide efficient Web application security scanning and evaluation services for the websites.

查看原文本刊更多论文

Web应用漏洞扫描服务的研究与设计

Web应用程序在过去的几年中发生了显著的变化，许多新技术正在重塑Web应用程序的模式。由于许多厂商对HTML5技术的推广，越来越多的网站逐渐开始使用HTML5。新技术为用户提供了多种互联网应用，但同时也带来了新的安全问题。目前，大多数Web应用程序扫描器无法检测到HTML5特性的安全问题，这使得HTML5安全问题成为安全漏洞扫描过程中的盲点。本文首先对现有的Web应用程序扫描器进行了研究。然后选择W3af(Web Application Attack and Audit Framework)作为基本的转换平台，通过定制扫描模块和脚本，设计了一个Web应用安全扫描服务。实际扫描结果表明，该方法不仅可以检测出HTML5带来的点击劫持漏洞，还可以为网站提供高效的Web应用安全扫描和评估服务。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 IEEE 5th International Conference on Software Engineering and Service Science

自引率

0.00%

发文量