In the Web application security fuzzy testing,there are some problems such as low coverage of test cases,ineffective verification of test cases utilities and lack of quantitative evaluation of vulnerability detection results.In this paper,we proposed a method of generating dynamic features combination and protocol deformation test cases for typical Web security vulnerabilities.The rules of input feature combination and protocol deformation rules are devised,and the algorithm based on pollution propagation strategy and effectiveness validation method are established.Experiments show that the proposed method enhances the diversity and coverage of test cases,and reduces the false negative rate and false positive rate of vulnerability detection in the complex situation of web filtering environment.%在Web应用安全模糊测试中,存在测试用例覆盖率低、测试效用无法得到有效验证及漏洞检测结果无法得到有效评估等问题.提出了协议变形和动态特征并行混合的测试用例生成方法,建立了按典型漏洞分类的输入特征组合规则和协议变形规则,并形成了基于污染传播策略漏洞响应数据分析和有效性验证的方法.实验表明所提方法增大了测试用例的多样性以及提高了覆盖率,降低了在网站过滤环境复杂情况下的漏洞检测的漏报率和误报率.
展开▼