
Analysis And Design Of Web Application Security Architecture In Internet Environment

Posted on: 2020-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Hao
Full Text: PDF
GTID: 2428330590456747
Subject: Software engineering
Abstract/Summary:

With the development of the Internet and the spread of computers, Web applications have gradually entered thousands of households, and people now depend on them for acquiring information and shopping online. At the same time, security incidents caused by malicious use of Web applications can be found everywhere. If a Web application has a vulnerability and an attacker exploits it, users are affected, and large amounts of private data belonging to users and the company are put under serious threat. This paper studies the security threats faced by Web applications and builds an attack graph evaluation model, which is evaluated using the theory of Markov chains as discrete stochastic processes. Based on an analysis of the attack states and attack behaviors in the attack graph model, a secure Web framework is built and an attack graph model of the secure Web architecture is generated. That model is evaluated and compared with the model before protection. In a car-hailing service platform project, vulnerabilities were scanned and compared before and after protection, and the conclusion was drawn. The research content and main results are as follows:

(1) The security risks related to Web applications are studied and analyzed, and the principles and hazards of XSS, CSRF, SQL injection, replay, DDoS, extra-large payload, HTTP hijacking and network sniffing attacks are described in detail. This lays the foundation for building the architecture.

(2) Based on the existing security threats, an attack graph model of the Web application architecture is established, and the model is optimized for the Web application architecture to solve the problem of attack path and state space explosion. Combining the mathematical principles of Markov chains, formulas for the attack probability index and the attack realization index of the attack graph model are given.

(3) According to the generated attack graph model, the attack states and attack paths are studied. According to the principle of each security threat, a Web application security architecture is constructed. The architecture is divided into four layers: single data verification at the browser end; integrated data verification and distributed cluster deployment on the server side; the HTTPS encrypted transmission protocol for the transmission channel; and, on the database side, connecting to the database with low privileges.

(4) In combination with a car-hailing platform project, the application was tested for XSS, CSRF and SQL injection vulnerabilities before and after security protection, using vulnerability scanning and evaluation techniques. The test results show that the Web application security architecture can effectively defend against the above attacks in practical applications.
Keywords/Search Tags: Web security threat, attack graph model, quantitative assessment, security architecture