CN104392170A - Cookie security testing method - Google Patents

Cookie security testing method Download PDF

Info

Publication number
CN104392170A
CN104392170A (application CN201410655769.7A)
Authority
CN
China
Prior art keywords
cookie
check
attribute
web
web system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410655769.7A
Other languages
Chinese (zh)
Inventor
何龙泉
徐震宇
孙傲冰
季统凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
G Cloud Technology Co Ltd
Original Assignee
G Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by G Cloud Technology Co Ltd
Priority to CN201410655769.7A
Publication of CN104392170A
Legal status: Pending

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to the field of web system security testing, and in particular to a cookie security testing method. The method first determines whether the web system uses cookies; the cookies are then blocked, selectively rejected and/or tampered with to test the reaction of the web system; and the encryption of the cookies and/or their security-relevant attributes are checked to determine whether they are secure and correctly set. The method reduces the potential risk to users of the web system and improves the security of the web system; it can be used for security testing of web systems.

Description

Cookie security testing method
Technical field
The present invention relates to the technical field of web system security testing, and in particular to a cookie security testing method.
Background technology
Cookies give a web application a way to store user-specific information, for example the time of the user's last visit. If a website did not store user behaviour in cookies, problems such as the following would arise: when a user who has selected several items proceeds to the checkout page, how does the system know which items the user ordered earlier? One role of cookies is to record the user's interaction with the system, and the system does not merely write cookies but also reads them back; cookies are therefore a two-way exchange between system and user, which is what is meant by state.
But while cookies bring this convenience to programming, they also bring security problems. The security issues of cookies are the same as those of any data obtained from the client: a cookie can be regarded as another form of user input, and such data is easily exploited by attackers. Because cookies are kept on the client, the data stored in them can be read directly there, and the data can be changed before the browser sends the cookie to the server. Testing of cookies, and especially security testing, is therefore extremely important and is a major aspect of testing web application systems.
Summary of the invention
The technical problem solved by the present invention is to provide a cookie security testing method that addresses the cookie security problems of web application systems.
The technical solution adopted by the present invention to solve the above technical problem is as follows:
The method first determines whether the web system uses cookies; it then blocks cookies, selectively rejects cookies and/or tampers with cookies to test the reaction of the web system; and it checks cookie encryption and/or the security-relevant cookie attributes to confirm whether they are secure and correctly set.
Determining whether the web system uses cookies comprises:
(1) locating the directory in which cookies are stored on the computer; for IE this is usually C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files;
(2) deleting all cookies; in IE, cookies are stored together with temporary files and the cache, so the "Delete Cookies" function of IE can be used to delete all cookies, or the directory holding the cookie files can be located and cleared directly;
(3) configuring IE to prompt automatically whenever a cookie is used.
Blocking cookies: first close all browser instances and delete all cookies on the test machine, then exercise all major functions of the web system; in many cases some functions will not run normally. If the user must enable cookies before the web system runs normally, it is necessary to check whether the web server correctly recognises the client's cookie settings: when the user blocks cookies, the web server should return a prompt page telling the user that cookies must be enabled before the system can be used.
Selectively rejecting cookies: first delete all cookies, then set IE's cookie option to prompt automatically; then run all web functions, accepting some cookies and rejecting others when the prompt appears; check the working state of the web system to see whether the web server can detect that some cookies have been rejected and displays correct information.
Tampering with cookies: tamper with or delete some stored cookies and observe what problems occur in the web system. During testing, look for business logic that depends on values stored in cookies; where such logic exists, try modifying the cookie value and see whether a function fails or the business logic goes wrong. Cookies can also be deleted selectively: after the web application has been running for a while, delete some of its cookie files and continue to use the web system, observing what happens, whether the system recovers, and whether data is lost or corrupted.
Cookie encryption: examine the contents of the stored cookie files to see whether sensitive information such as user names and passwords is stored without encryption. The cookie files can be opened and inspected manually, or inspected with a cookie editing tool.
Checking the security-relevant cookie attributes comprises:
(1) reasonableness of the expiry date: check whether the cookie's expiry date is set too far in the future;
(2) the HttpOnly attribute: setting a cookie's HttpOnly attribute to true helps mitigate cross-site scripting threats, because script can no longer read the cookie and steal it;
(3) the Secure attribute: setting a cookie's Secure attribute to true makes the browser send the cookie only over an SSL/TLS connection, so the data is not exposed or tampered with in transit.
A cookie editor can be used to check whether each of the above attributes is correctly set.
The IE browser can be configured to pop up a prompt window automatically whenever a cookie is used, so that during testing it is known exactly when, and by which function operation, cookies are used.
The present invention reduces the potential risk to users of the web system and improves the security of the web system.
Brief description of the drawings
The present invention is further described below with reference to the drawings:
Fig. 1 is a flow chart of the method of the present invention.
Embodiment
As shown in Fig. 1, the cookie security testing method of the present invention specifically comprises the following steps:
Step 1: first determine whether the web system uses cookies.
(1) Locate the directory in which cookies are stored on the computer. For IE this is usually C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files.
(2) Delete all cookies. In IE, cookies are stored together with temporary files and the cache. The "Delete Cookies" function in IE can be used to delete all cookies, or the directory holding the cookie files can be located and cleared directly.
(3) Configure IE to prompt automatically whenever a cookie is used. To know exactly where the web system under test uses cookies, the IE browser can be configured to pop up a prompt window whenever a cookie is used; during testing it is then clear which function operations use cookies.
Step 2: block cookies. This is the simplest cookie test: it checks what problems the web system shows when cookies are blocked. First close all browser instances and delete all cookies on the test machine, then exercise all major functions of the web system; in many cases some functions will not run normally. If the user must enable cookies before the web system runs normally, it must be checked whether the web server correctly recognises the client's cookie settings: when the user blocks cookies, the web server should return a prompt page telling the user that cookies must be enabled before the system can be used.
Step 3: selectively reject cookies. First delete all cookies, then set IE's cookie option to prompt automatically. Then run all web functions, accepting some cookies and rejecting others when the prompt appears. Check the working state of the web system to see whether the web server can detect that some cookies have been rejected and displays correct information. The web system may show errors, crashes, data corruption or other abnormal behaviour as a result.
Step 4: tamper with cookies. Tamper with or delete some stored cookies and observe what problems occur in the web system. During testing, look for business logic that depends on values stored in cookies; where such logic exists, try modifying the cookie value and see whether a function fails or the business logic goes wrong. Cookies can also be deleted selectively: after the web application has been running for a while, delete some of its cookie files and continue to use the web system, observing what happens, whether the system recovers, and whether data is lost or corrupted.
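Steps 2 to 4 (and the corresponding paragraphs of the summary) describe the server-side behaviour a tester looks for: a prompt page rather than a crash when the client sends no cookies, and business logic that does not silently trust a cookie value the client can edit. The following is an added example, not code from the patent or from G Cloud Technology: it models the request handling of a hypothetical web system in two variants, one that trusts a stored "role" cookie as-is and one that accepts it only with a valid HMAC-SHA256 tag, and replays the no-cookie and edited-cookie cases against both. The key, the cookie name "role", the handler functions and the prompt text are all assumptions made for the illustration.

```python
import hmac
import hashlib

# Assumed server-side signing key for this example only (hypothetical; a real
# system would load it from a secret store, never hard-code it).
SECRET_KEY = b"example-only-key-do-not-reuse"

# The prompt page Step 2 expects when the client has cookies blocked.
ENABLE_COOKIES_PAGE = "Please enable cookies to use this system"


def parse_cookie_header(header: str) -> dict:
    """Split a request Cookie header ('a=1; b=2') into a name -> value dict."""
    jar = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def sign(value: str) -> str:
    """Issue 'value|tag', where tag = HMAC-SHA256(SECRET_KEY, value) in hex."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify(signed: str):
    """Return the value if its tag verifies, else None (constant-time compare)."""
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def vulnerable_handler(cookie_header: str) -> tuple:
    """Business logic that trusts the stored 'role' cookie as-is (the flaw Step 4 hunts for)."""
    jar = parse_cookie_header(cookie_header)
    if "role" not in jar:
        return 403, ENABLE_COOKIES_PAGE
    return (200, "admin panel") if jar["role"] == "admin" else (200, "user home")


def hardened_handler(cookie_header: str) -> tuple:
    """Same logic, but the 'role' cookie must carry a valid HMAC tag."""
    jar = parse_cookie_header(cookie_header)
    if "role" not in jar:
        return 403, ENABLE_COOKIES_PAGE
    role = verify(jar["role"])
    if role is None:
        return 400, "invalid or tampered cookie"
    return (200, "admin panel") if role == "admin" else (200, "user home")


def tamper_test() -> dict:
    """Replay Steps 2 and 4 against both handlers: no cookie, valid cookie, edited cookie."""
    outcomes = {}
    # Step 2: cookies blocked -> both servers must answer with the prompt page, not an error.
    outcomes["vuln_no_cookie"] = vulnerable_handler("")
    outcomes["hard_no_cookie"] = hardened_handler("")
    # Step 4 against the vulnerable server: the tester edits role=user to role=admin on disk.
    outcomes["vuln_tampered"] = vulnerable_handler("role=admin")
    # Step 4 against the hardened server: same edit, old tag kept -> verification fails.
    issued = sign("user")
    forged = "admin|" + issued.split("|")[1]
    outcomes["hard_valid"] = hardened_handler("role=" + issued)
    outcomes["hard_tampered"] = hardened_handler("role=" + forged)
    return outcomes


if __name__ == "__main__":
    for case, (status, body) in tamper_test().items():
        print(f"{case:15} -> {status} {body}")
```

The signed variant only gives integrity: the role value is still readable on the client, so it does not replace the Step 5 check that no sensitive data sits in the cookie in the clear. Selective rejection (Step 3) is, from the server's point of view, the same missing-cookie case exercised by the "no_cookie" entries, one cookie at a time.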
Step 5: cookie encryption. Examine the contents of the stored cookie files to see whether sensitive information such as user names and passwords is stored without encryption. Some kinds of data must not be stored in cookies even when encrypted, for example credit card numbers. The test can be carried out by opening the cookie files manually, or with a cookie editing tool such as Cookie Editor.
Step 6: check the security-relevant cookie attributes:
(1) reasonableness of the expiry date: check whether the cookie's expiry date is set too far in the future;
(2) the HttpOnly attribute: setting a cookie's HttpOnly attribute to true helps mitigate cross-site scripting threats, because script can no longer read the cookie and steal it;
(3) the Secure attribute: setting a cookie's Secure attribute to true makes the browser send the cookie only over an SSL/TLS connection, so the data is not exposed or tampered with in transit.
A cookie editor can be used to check whether each of the above attributes is correctly set.
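Steps 5 and 6 (and the same checks in the summary) are manual inspections with a cookie editor. The following is an added example, not code from the patent or from G Cloud Technology, that performs the same checks on the Set-Cookie headers a response carries: missing HttpOnly, missing Secure, a lifetime beyond a policy threshold, a cookie name that suggests credentials in the clear, and a value that passes a Luhn check (the card-number case Step 5 says must never be in a cookie). The 30-day threshold, the sensitive-name prefixes, the fixed reference time and the sample headers are all constructed for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy threshold for "expiry date set too long" (hypothetical; tune per system).
MAX_LIFETIME = timedelta(days=30)
# Fixed reference time so the constructed sample below evaluates the same way every run.
NOW = datetime(2015, 3, 4, tzinfo=timezone.utc)
# Cookie-name prefixes that suggest credentials stored in the clear (assumption; extend as needed).
SENSITIVE_PREFIXES = ("user", "pass", "pwd", "card", "cc")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to spot card-number-like values that must never be in a cookie."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and a lower-cased attribute dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str, now: datetime = NOW) -> list:
    """Return the findings for one Set-Cookie header (empty list = passes the Step 5/6 checks)."""
    c = parse_set_cookie(header)
    a = c["attrs"]
    findings = []
    if "httponly" not in a:
        findings.append("missing HttpOnly")
    if "secure" not in a:
        findings.append("missing Secure")
    # Lifetime: Max-Age wins over Expires when both are present (RFC 6265 section 5.3).
    lifetime = None
    if a.get("max-age", "").lstrip("-").isdigit():
        lifetime = timedelta(seconds=int(a["max-age"]))
    elif "expires" in a:
        try:
            lifetime = parsedate_to_datetime(a["expires"]) - now
        except (TypeError, ValueError):
            findings.append("unparseable Expires")
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime.days} days exceeds policy")
    if c["name"].lower().startswith(SENSITIVE_PREFIXES):
        findings.append(f"sensitive-looking cookie '{c['name']}' stored in the clear")
    digits = re.sub(r"\D", "", c["value"])
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        findings.append("value looks like a card number (Luhn check passes)")
    return findings


# Constructed Set-Cookie headers for the demonstration (not captured from any real system).
SAMPLE_HEADERS = [
    "JSESSIONID=3F2A9C; Path=/; HttpOnly; Secure",
    "username=alice; Path=/; Expires=Wed, 04 Mar 2020 00:00:00 GMT",
    "password=hunter2; Path=/",
    "cc=4111111111111111; Path=/; Max-Age=31536000; Secure",
]


def audit_all(headers=SAMPLE_HEADERS, now: datetime = NOW) -> dict:
    """Audit every header and map cookie name -> findings."""
    return {parse_set_cookie(h)["name"]: audit_set_cookie(h, now) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Run against real traffic, feed it every Set-Cookie header from the proxy log rather than the sample list; the name-prefix heuristic and the Luhn test only flag candidates, and each hit still needs a look at what the application actually stores and whether it is encrypted.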

Claims (15)

1. a method for Cookie security test, is characterized in that: described method first judges whether Web system employs Cookie; Then, Cookie shielded, selectively refuse and/or distorts the reaction of test Web system; Safety or correct is confirmed whether to Cookie encryption and/or secure content inspection.
2. Cookie method for testing security according to claim 1, is characterized in that: described judges whether web system employs Cookie and be:
(1) find in computer the catalogue storing cookie, IE be generally placed on C: Documentsand Settings user Local Settings Temporary Internet Files;
(2) delete all Cookie, in IE, the temporary file of Cookie and buffer memory is stored together; Deletion Cookies file function in IE can be used to delete all Cookie, also can directly find the catalogue of stored cookie file to delete;
(3) IE is set, the automatic-prompting when using Cookie.
3. The cookie security testing method according to claim 1, characterised in that blocking cookies comprises: first closing all browser instances and deleting all cookies on the test machine, then exercising all major functions of the web system, where in many cases some functions will not run normally; if the user must enable cookies before the web system runs normally, checking whether the web server correctly recognises the client's cookie settings; when the user blocks cookies, the web server should return a prompt page telling the user that cookies must be enabled before the system can be used.
4. The cookie security testing method according to claim 2, characterised in that blocking cookies comprises: first closing all browser instances and deleting all cookies on the test machine, then exercising all major functions of the web system, where in many cases some functions will not run normally; if the user must enable cookies before the web system runs normally, checking whether the web server correctly recognises the client's cookie settings; when the user blocks cookies, the web server should return a prompt page telling the user that cookies must be enabled before the system can be used.
5. The cookie security testing method according to any one of claims 1 to 4, characterised in that selectively rejecting cookies comprises: first deleting all cookies, then setting IE's cookie option to prompt automatically; then running all web functions, accepting some cookies and rejecting others when the prompt appears; and checking the working state of the web system to see whether the web server can detect that some cookies have been rejected and displays correct information.
6. The cookie security testing method according to any one of claims 1 to 4, characterised in that tampering with cookies comprises: tampering with or deleting some stored cookies and observing what problems occur in the web system; looking during testing for business logic that depends on values stored in cookies and, where such logic exists, modifying the cookie value to see whether a function fails or the business logic goes wrong; and optionally deleting cookies selectively, by deleting some cookie files after the web application has been running for a while, continuing to use the web system and observing what happens, whether the system recovers, and whether data is lost or corrupted.
7. The cookie security testing method according to claim 5, characterised in that tampering with cookies comprises: tampering with or deleting some stored cookies and observing what problems occur in the web system; looking during testing for business logic that depends on values stored in cookies and, where such logic exists, modifying the cookie value to see whether a function fails or the business logic goes wrong; and optionally deleting cookies selectively, by deleting some cookie files after the web application has been running for a while, continuing to use the web system and observing what happens, whether the system recovers, and whether data is lost or corrupted.
8. The cookie security testing method according to any one of claims 1 to 4, characterised in that cookie encryption comprises: examining the contents of the stored cookie files to see whether sensitive information such as user names and passwords is stored without encryption; the cookie files can be opened and inspected manually, or inspected with a cookie editing tool.
9. The cookie security testing method according to claim 5, characterised in that cookie encryption comprises: examining the contents of the stored cookie files to see whether sensitive information such as user names and passwords is stored without encryption; the cookie files can be opened and inspected manually, or inspected with a cookie editing tool.
10. The cookie security testing method according to claim 6, characterised in that cookie encryption comprises: examining the contents of the stored cookie files to see whether sensitive information such as user names and passwords is stored without encryption; the cookie files can be opened and inspected manually, or inspected with a cookie editing tool.
11. The cookie security testing method according to any one of claims 1 to 4, characterised in that checking the security-relevant cookie attributes comprises:
(1) reasonableness of the expiry date: checking whether the cookie's expiry date is set too far in the future;
(2) the HttpOnly attribute: setting a cookie's HttpOnly attribute to true helps mitigate cross-site scripting threats, because script can no longer read the cookie and steal it;
(3) the Secure attribute: setting a cookie's Secure attribute to true makes the browser send the cookie only over an SSL/TLS connection, so the data is not exposed or tampered with in transit;
a cookie editor can be used to check whether each of the above attributes is correctly set.
12. The cookie security testing method according to claim 5, characterised in that checking the security-relevant cookie attributes comprises:
(1) reasonableness of the expiry date: checking whether the cookie's expiry date is set too far in the future;
(2) the HttpOnly attribute: setting a cookie's HttpOnly attribute to true helps mitigate cross-site scripting threats, because script can no longer read the cookie and steal it;
(3) the Secure attribute: setting a cookie's Secure attribute to true makes the browser send the cookie only over an SSL/TLS connection, so the data is not exposed or tampered with in transit;
a cookie editor can be used to check whether each of the above attributes is correctly set.
13. The cookie security testing method according to claim 6, characterised in that checking the security-relevant cookie attributes comprises:
(1) reasonableness of the expiry date: checking whether the cookie's expiry date is set too far in the future;
(2) the HttpOnly attribute: setting a cookie's HttpOnly attribute to true helps mitigate cross-site scripting threats, because script can no longer read the cookie and steal it;
(3) the Secure attribute: setting a cookie's Secure attribute to true makes the browser send the cookie only over an SSL/TLS connection, so the data is not exposed or tampered with in transit;
a cookie editor can be used to check whether each of the above attributes is correctly set.
14. The cookie security testing method according to claim 8, characterised in that checking the security-relevant cookie attributes comprises:
(1) reasonableness of the expiry date: checking whether the cookie's expiry date is set too far in the future;
(2) the HttpOnly attribute: setting a cookie's HttpOnly attribute to true helps mitigate cross-site scripting threats, because script can no longer read the cookie and steal it;
(3) the Secure attribute: setting a cookie's Secure attribute to true makes the browser send the cookie only over an SSL/TLS connection, so the data is not exposed or tampered with in transit;
a cookie editor can be used to check whether each of the above attributes is correctly set.
15. The cookie security testing method according to claim 2, characterised in that the IE browser can be configured to pop up a prompt window automatically whenever a cookie is used, so that during testing it is known exactly when, and by which function operation, cookies are used.
Application CN201410655769.7A, priority date 2014-11-17, filed 2014-11-17: Cookie security testing method (pending; published as CN104392170A)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410655769.7A CN104392170A (en) 2014-11-17 2014-11-17 Cookie security testing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410655769.7A CN104392170A (en) 2014-11-17 2014-11-17 Cookie security testing method

Publications (1)

Publication Number Publication Date
CN104392170A true CN104392170A (en) 2015-03-04

Family

ID=52610072

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410655769.7A Pending CN104392170A (en) 2014-11-17 2014-11-17 Cookie security testing method

Country Status (1)

Country Link
CN (1) CN104392170A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107852338A (en) * 2015-03-26 2018-03-27 微软技术授权有限责任公司 Detecting and alerting on performance degradation during feature ramp-up
CN107852338B (en) * 2015-03-26 2021-02-05 微软技术许可有限责任公司 Detecting and alerting on performance degradation during feature ramp-up

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040103200A1 (en) * 2002-11-23 2004-05-27 Microsoft Corporation Method and system for improved internet security via HTTP-only cookies
US20050154887A1 (en) * 2004-01-12 2005-07-14 International Business Machines Corporation System and method for secure network state management and single sign-on
CN103685494A (en) * 2013-12-05 2014-03-26 北京奇虎科技有限公司 Method and device for recognizing Cookies and method and device clearing Cookies

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈能技: ".NET Software Testing in Practice: Testing Fundamentals, Popular Tools, Typical Cases", 31 December 2008 *

Similar Documents

Publication Publication Date Title
US10789361B2 (en) Ransomware attack remediation
US9608881B2 (en) Service compliance enforcement using user activity monitoring and work request verification
US20130124861A1 (en) Shielding a sensitive file
US9027123B2 (en) Data dependence analyzer, information processor, data dependence analysis method and program
CN108429638B (en) Server operation and maintenance method, device and system and electronic equipment
US20160080383A1 (en) Recovery from rolling security token loss
KR101389459B1 (en) Method and apparatus for privacy information outflow prevention, and method and server apparatus for supprot privacy information protection in client apparatus
TW201530346A (en) Method, device, and system for client authentication using social relationship data
CN103473501B (en) A kind of Malware method for tracing based on cloud security
EP3501158B1 (en) Interrupt synchronization of content between client device and cloud-based storage service
CN105827574A (en) File access system, file access method and file access device
US10635839B2 (en) Fixed-location IoT device for protecting secure storage access information and method for protecting secure storage access information of fixed-location IoT device
KR20140071573A (en) System capable of Providing Specialized Function for Host Terminal based Unix and Linux
CN104361297B (en) A kind of file encryption-decryption method based on (SuSE) Linux OS
CN106612283B (en) Method and device for identifying source of downloaded file
CN108427889A (en) Document handling method and device
CN104392170A (en) Cookie security testing method
CN109871703B (en) Big data transaction management method, device, storage medium and server
US20120089849A1 (en) Cookie management system and method
CN106294017A (en) A kind of information security back-up method
CN111241547A (en) Detection method, device and system for unauthorized vulnerability
US20160210474A1 (en) Data processing apparatus, data processing method, and program
CN111695113B (en) Terminal software installation compliance detection method and device and computer equipment
US11856085B2 (en) Information management system and method for the same
JP6258189B2 (en) Specific apparatus, specific method, and specific program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150304
