Hacking attacks have shifted from the application layer to the network layer in recent years. Because more and more attacks succeed by taking advantage of software vulnerabilities, traditional security systems can no longer provide protection as effective as they once did. As network construction and the information industry have boomed in recent years, the integration of important national information systems with the Internet business model has brought both economic benefit and security challenges. One of the functions of my department is to analyze vulnerabilities and discover hidden dangers in important national information systems.

According to a Gartner survey, 75% of attacks aim not at the network layer but at the Web application layer. Data shows that 2/3 of Web sites are quite fragile and vulnerable. Penetration testing is one of the best methods for finding hidden security dangers. Information-developed countries, represented by the United States, have already begun researching penetration testing, which influences almost the whole field of risk assessment. The complexity of Web system structures and the variety of integrated software in our country now make penetration testing all-important for meeting Web system security penetration testing requirements and establishing a credible information work system.

This thesis starts from Web security risk. It presents the OWASP top ten list of security risks and analyzes common high-risk vulnerabilities in depth on the basis of actual project experience. The whole penetration testing process is designed, and its main content is explained. The thesis also studies risk avoidance in penetration testing and emergency measures. At the end of the article, I sort penetration testing tools into several levels.

1. Based on OWASP's list of high risks and actual project experience, we analyzed in depth the principles, hazards and preventive measures of common high-risk Web system vulnerabilities, including SQL injection, cross-site scripting attacks, file upload vulnerabilities and security configuration errors.

2. The design and content of the penetration testing process are divided into five phases: the preparation stage, the information gathering stage, the penetration testing phase (the use of high-risk vulnerabilities and general weaknesses), the risk analysis stage and the report writing stage. The thesis discusses the content that must be completed in each stage and the execution sequence. Finally, a complete example of applying the testing method is given.

3. The penetration testing process itself carries risks that must be avoided. In particular, important data must be backed up; otherwise the consequences are disastrous.

4. To improve the efficiency of penetration testing, we need the help of automated penetration testing tools. At the end of the thesis, we therefore summarize the tools under the headings of predefined tools, free tools and commercial editions, and list their main features.

We also stress that not every hidden security danger can be found through a single penetration test, because of time, technology and other factors. In addition, so as not to damage the test targets, some attack methods are not recommended because of their potential negative impact.