WEB vulnerability scanning method and vulnerability scanner based on fingerprint recognition technology

Abstract

The invention provides a WEB vulnerability scanning method and a vulnerability scanner based on fingerprint recognition technology. Since a feature library based security scanning scheme is used to replace a common site security vulnerability scanning scheme based on fully crawling, the scanner is improved in terms of accuracy of vulnerability scanning, flexibility of further processing after detecting vulnerabilities, efficiency of discovering vulnerabilities, and the like, and accordingly a new scheme is provided for the system security scanning and the network vulnerability scanning. The scanner comprises a user side, a browser, a scanning host and a WEB server. According to the abstract appended drawing, the scanning host comprises a control module, a scan parameter setting module, a scan engine module, a WEB fingerprint library module and a WEB vulnerability library module. The user sets scanning parameters in the scan parameter setting module through the control module, the scanning engine is firstly used for fingerprint recognition on the basis of sent parameters, and finally, the vulnerability library is used for testing site vulnerabilities and sending a test report. The scanner is capable of accurately and rapidly helping users to test and analyze vulnerability of the target website, and directly perform corresponding operations on the browser with no need of installation of client side software.

Description

technical field [0001] The invention relates to a WEB loophole scanning method and a loophole scanner based on fingerprint identification technology, belonging to computer network technology. Background technique [0002] With the continuous development of the network, the number of websites has increased rapidly year by year. According to the CNNIC report, as of June 2012, there were 2.5 million websites in China alone. Correspondingly, the issue of website security has become more and more prominent, especially since the large-scale password leakage incidents of websites such as CSDN, website security has attracted more and more attention. [0003] With a large number of beautiful and practical open source or paid various types of website building program templates on the Internet, website builders mostly use ready-made website building template programs to build them based on cost and convenience considerations. For example, blog websites generally use WordPress to build,...

AI Technical Summary

Problems solved by technology

[0005] The above-mentioned website vulnerability detection method does not perform fingerprint identification on the target website, does not distinguish between different website programs, but only performs fool-like vulnerability scanning according to the strategy, and adopts the exact same vulnerability scanning process for all websites, so it cannot be used according to different websites. Adapt to vulnerability scanning, which leads to low efficiency and poor accuracy of vulnerability scanning

[0006] At the same time, due to the great differences between different website building systems, the above-mentioned vulnerability detection methods cannot perform fingerprint identification, so the existing website vulnerability scanning systems generally only detect some general vulnerabilities such as injection vulnerabilities and cross-site scripting vulnerabilities. etc., while ignoring the unique vulnerabilities of each website building system template, resulting in insufficient vulnerability scanning results

[0007] Existing website vulnerability scanning systems are generally released in the form of a single software, and the vulnerability library is integrated into the system. Users cannot customize and add the latest vulnerability information. They can only wait for the vulnerability scanning system to be upgraded to update the latest vulnerabilities. information, resulting in poor scalability of the scanning system

[0008] Therefore, there are many defects in the existing website vulnerability scanning system, which cannot fully meet the user's website vulnerability scanning needs.

Images