Research on Fuzz Testing Technology Based on HTTP Proxy

Journal: 《网络与信息安全学报》

Abstract

Most Web application security testing tools suffer from poorly optimized testing functions, limited configurability of test strategies, and a lack of intelligent analysis of test results, so they cannot support Web application testing well. A fuzz testing method for Web application security based on an HTTP proxy is proposed, and a corresponding testing tool is designed. Asynchronous listening provides high-performance communication between the HTTP proxy, the server and the browser. A configurable test case generation strategy based on pseudo code enables flexible, automated testing. Parsing the packets along multiple dimensions gives intelligent analysis of the test results. Experiments show that the tool supports detection of mainstream Web application vulnerabilities and configuration of test strategies, and that it can detect vulnerabilities such as directory traversal, SQL injection and cross-site scripting.
