
Research On Security Assessment Method Of Web Applications

Posted on: 2017-02-25
Degree: Master
Type: Thesis
Country: China
Candidate: R C Wei
GTID: 2348330503472499
Subject: Computer technology
Abstract/Summary:
With the rapid development of Internet technology, Web applications are used in every area of people's production and daily life. However, Web applications face serious security threats, so detecting vulnerabilities in Web applications and assessing their security has become particularly important. The Web application security assessment method can be divided into two parts: on one hand, it scans the Web application for vulnerabilities by penetration testing; on the other hand, it gives a security assessment based on the vulnerability report.

In the penetration test stage, the system mainly gathers and analyses information and performs attack tests. First, a web crawler crawls the destination website to obtain URL information. Meanwhile, the system collects the destination website's CMS information and the server's network port and operating system information. It then matches this information against the attack pattern base and the vulnerability base to obtain the attack scripts used to generate test cases for the attack test. It then judges whether the Web application has a vulnerability according to the state information returned by the server, and generates the vulnerability report at the same time.

The security assessment stage draws fully on the idea of CVSS, evaluating single vulnerabilities and the overall set of vulnerabilities separately. The indexes of the CVSS base index group are rather sweeping, and they are not concrete or refined enough for describing a vulnerability. Thus, we divide the base indexes into two groups, which represent the base impact and the probability that the vulnerability is utilized, and then obtain more concrete CVSS base index values for evaluating a single vulnerability by permuting and combining the two groups. All vulnerabilities are divided into three grades: low-risk, medium-risk and high-risk. Each grade is given a different weight factor, and the system's assessment score is obtained by a weighted calculation over the average value of each grade. Experimental results show that the system is efficient and has a low false negative rate in detecting vulnerabilities. Meanwhile, the new assessment method is more objective and comprehensive.
Keywords/Search Tags: Web application procedure, Penetration test, Attack pattern, Security assessment