Journal of Information Security Research ›› 2024, Vol. 10 ›› Issue (9): 824-.

A Web Vulnerability Detection Solution Integrating LSTM for Directory Acquisition

Huang Changjiang1, Feng Jingyu1, Wang Kan2, An Yuhang1, Zhai Tianxu1, and Su Hengtao1

  1. School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an 710121
  2. Teaching and Research Support Center, Air Force Engineering University, Xi’an 710051
  • Online: 2024-09-25 Published: 2024-09-29

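A Web Vulnerability Detection Scheme Integrating LSTM Directory Acquisition

Huang Changjiang (黄长江)1, Feng Jingyu (冯景瑜)1, Wang Kan (王侃)2, An Yuhang (安宇航)1, Zhai Tianxu (翟天旭)1, Su Hengtao (苏恒涛)1

  1. School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an 710121
  2. Teaching and Research Support Center, Air Force Engineering University, Xi’an 710051
  • Corresponding author: Huang Changjiang, master's student. Main research interests: Web vulnerability discovery and access control. 970039157@qq.com
  • About the authors:
    Huang Changjiang, master's student. Main research interests: Web vulnerability discovery and access control. 970039157@qq.com
    Feng Jingyu, Ph.D., professor. Main research interests: industrial Internet security, zero-trust intranet security, and vulnerability discovery. fengjy@xupt.edu.cn
    Wang Kan, master's degree, engineer. Main research interest: network security. 124543383@qq.com
    An Yuhang, master's student. Main research interests: industrial Internet security and Web vulnerability discovery. 867112452@qq.com
    Zhai Tianxu, master's student. Main research interests: zero-trust intranet security and industrial Internet security. 2456348544@qq.com
    Su Hengtao. Main research interests: Web vulnerability discovery and network security. 358099831@qq.com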

Abstract: To address the limitations of current vulnerability detection methods in directory acquisition capability and detection coverage, this paper proposes a Web vulnerability detection scheme that integrates LSTM (Long Short-Term Memory) for directory acquisition. The scheme integrates Arjun parameter brute-forcing to efficiently obtain basic directory paths and introduces an LSTM-based approach that generates fuzzy directory paths, building a comprehensive directory path pool that penetrates hidden directories and quickly acquires a larger number of valid directory paths. To overcome the difficulty of detecting atypical Web vulnerabilities, the scheme is implemented as an automated, universal vulnerability detection and verification tool. The tool is suitable for both typical and atypical vulnerabilities and provides directory acquisition, vulnerability detection, and techniques for bypassing cookie and IP blocking. Experimental results show that the solution acquires more valid directory paths than typical directory brute-forcing tools, demonstrating excellent directory acquisition capability, and that it detects and covers a wider range of Web vulnerabilities with high efficiency and a low false positive rate.

Key words: Web security, vulnerability detection, LSTM, black box testing, automated tools

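Abstract (from the Chinese original): To address the shortcomings of current vulnerability detection schemes in directory acquisition capability and vulnerability detection scope, a Web vulnerability detection scheme integrating long short-term memory (LSTM) directory acquisition is proposed. It integrates Arjun parameter brute-forcing to efficiently obtain basic directory paths, and proposes an LSTM-integrated directory acquisition scheme that generates fuzzy directory paths, constructs an overall directory path pool, and penetrates hidden directories, so as to acquire more valid directory paths in a short time. To solve the problem that current vulnerability detection schemes struggle to cover atypical Web vulnerabilities, the proposed scheme is implemented as an automated general-purpose vulnerability detection and verification tool that applies to both typical and atypical vulnerabilities and provides directory acquisition, vulnerability detection, and bypassing of Cookie and IP blocking. Experimental simulation results show that the scheme acquires more valid directory paths than typical directory brute-forcing tools, has excellent directory acquisition capability, and can detect and cover more types of Web vulnerabilities with high efficiency and a low false positive rate.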

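Key words (from the Chinese original): Web security, vulnerability detection, long short-term memory network, black box testing, automated tools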
