CN108696481A - Vulnerability detection method and device - Google Patents

Publication number: CN108696481A
Authority: CN (China)
Application number: CN201710225292.2A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 祝旭晖, 邰智刚, 娄云萍, 雷桂良
Assignees: Beijing Jingdong Century Trading Co Ltd; Beijing Jingdong Shangke Information Technology Co Ltd
Prior art keywords: uniform resource locator, hypertext transfer protocol, script

Classifications

    • H04L63/1433 Vulnerability analysis (H04L63/14: network architectures or protocols for network security, for detecting or protecting against malicious traffic)
    • H04L63/30 Network architectures or protocols for network security, for supporting lawful interception, monitoring or retaining of communications
Abstract

This application discloses a vulnerability detection method and device. One implementation of the method includes: obtaining a first HTTP request, addressed to a target server, that contains a target URL and a URL parameter; modifying the value of the URL parameter according to a preset script and sending the modified first HTTP request to the target server, where the modified first HTTP request is used to carry out a cross-site (XSS) attack operation against the target server; sending to the target server a second HTTP request that contains the target URL; in response to receiving the target server's response message to the second HTTP request, detecting whether the response message matches the script; and, if it matches, determining that the target server has a vulnerability. The embodiment implements security vulnerability detection for URLs, effectively guarantees the accuracy and completeness of the detection process, and greatly improves detection efficiency.

Description

Vulnerability detection method and device
Technical field
This application relates to the field of computer technology, in particular to Internet technology, and more particularly to a vulnerability detection method and device.
Background technology
The WEB (World Wide Web) is the entrance to Internet application systems, so its security is extremely important: a secure WEB service effectively protects users' personal information such as property and privacy. XSS (Cross Site Scripting) vulnerabilities are among the most common security vulnerabilities and can be further divided into reflected XSS, stored (persistent) XSS and DOM-based XSS. Existing security scanning tools do not support stored XSS vulnerabilities.
Stored XSS vulnerabilities have to be tested and detected manually. Manual detection requires changing parameter values repeatedly; neither the accuracy nor the completeness of the test process can be guaranteed, and efficiency is low.
Summary of the invention
The purpose of this application is to propose an improved vulnerability detection method and device that solve the technical problems mentioned in the background section above.
In a first aspect, embodiments of this application provide a vulnerability detection method. The method includes: obtaining a first HTTP request, addressed to a target server, that contains a target URL and a URL parameter; modifying the value of the URL parameter according to a preset script and sending the modified first HTTP request to the target server, where the modified first HTTP request is used to carry out a cross-site attack operation against the target server; sending to the target server a second HTTP request that contains the target URL, and receiving the target server's response message to the second HTTP request; detecting whether the response message matches the script; and, if it matches, determining that the target server has a vulnerability.
In some embodiments, the method further includes: in response to determining that the target server has a vulnerability, pushing the target URL and the URL parameter to the terminal of a target user.
In some embodiments, the first HTTP request contains multiple URL parameters, and modifying the value of the URL parameter according to the preset script includes: parsing the multiple URL parameters out of the first HTTP request with a preset regular expression library; and modifying at least one URL parameter according to the preset script.
In some embodiments, each URL parameter carries a detection flag that identifies whether the parameter has already been detected; the preset script comprises multiple different scripts, and each cross-site attack operation uses one script. The method further includes: if the response does not match, replacing the script that has been used to modify a not-yet-detected URL parameter with a script that has not yet been used to modify that parameter, and performing the following detection steps: modifying the not-yet-detected URL parameter according to the replacement script; sending the modified first HTTP request to the target server; sending to the target server a second HTTP request containing the target URL, and receiving the target server's response message to the second HTTP request; detecting whether the response message matches the script; if it matches, determining that the target server has a vulnerability; if it does not match, continuing the above detection steps until every script has been tried, then setting the detection flag of the modified URL parameter to detected, restoring the value of the modified URL parameter to its value before modification, and continuing the above detection steps until every URL parameter has been detected.
In some embodiments, the script includes a preset character string, and detecting whether the response message matches the script includes: detecting whether the response message contains the preset character string; if it does, the response message matches the script; if it does not, the response message does not match the script.
In a second aspect, embodiments of this application provide a vulnerability detection device. The device includes: an acquiring unit for obtaining a first HTTP request, addressed to a target server, that contains a target URL and a URL parameter; a first sending unit for modifying the value of the URL parameter according to a preset script and sending the modified first HTTP request to the target server, where the modified first HTTP request is used to carry out a cross-site attack operation against the target server; a second sending unit for sending to the target server a second HTTP request containing the target URL and receiving the target server's response message to the second HTTP request; a detection unit for detecting whether the response message matches the script; and a determination unit for determining, if it matches, that the target server has a vulnerability.
In some embodiments, the device further includes a push unit for pushing, in response to determining whether the target server has a vulnerability, the vulnerability detection result for the target URL and URL parameter to the terminal of the target user; if the URL and URL parameter are vulnerable, the result further states the name of the vulnerable parameter and the preset script that was in use when the vulnerability was triggered.
In some embodiments, the first HTTP request contains multiple URL parameters, and the first sending unit is further configured to: parse the multiple URL parameters out of the first HTTP request with a preset regular expression library; and modify the value of at least one URL parameter according to the preset script.
In some embodiments, each URL parameter carries a detection flag that identifies whether the parameter has already been detected, and the device further includes: a setting unit for, when the response message does not match the script, setting the detection flag of the modified URL parameter to detected and restoring the value of the modified URL parameter to its value before modification; and a selecting unit for choosing, from the multiple URL parameters, a URL parameter whose detection flag is not detected, and modifying the value of the selected URL parameter according to the script.
In some embodiments, the script includes a preset character string, and the detection unit is further configured to: detect whether the response message contains the preset character string; if it does, the response message matches the script; if it does not, the response message does not match the script.
In a third aspect, embodiments of this application provide a device including one or more processors and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors implement any method of the first aspect.
In a fourth aspect, embodiments of this application provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements any method of the first aspect.
The vulnerability detection method and device provided by the embodiments of this application obtain a first HTTP (Hyper Text Transfer Protocol) request, addressed to the target server, that contains a target URL (Uniform Resource Locator) and URL parameters; modify the URL parameter value with an attack script and send the HTTP request to the target server to carry out a cross-site attack; then send a second HTTP request to verify the effect of the cross-site attack. If the response message received for the second HTTP request matches the expected attack result of the attack script, the target server is determined to have a vulnerability. In this way the security vulnerabilities of the target server are located quickly and accurately.
Brief description of the drawings
Other features, objects and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the attached drawings:
Fig. 1 is an exemplary system architecture diagram to which this application can be applied;
Fig. 2 is a flowchart of one embodiment of the vulnerability detection method of this application;
Fig. 3 is a schematic diagram of an application scenario of the vulnerability detection method of this application;
Fig. 4 is a flowchart of another embodiment of the vulnerability detection method of this application;
Fig. 5 is a structural schematic diagram of one embodiment of the vulnerability detection device of this application;
Fig. 6 is a structural schematic diagram of a computer system suitable for implementing the detection server of the embodiments of this application.
Detailed description
This application is described in further detail below with reference to the attached drawings and embodiments. It is understood that the specific embodiments described here are only used to explain the related invention, not to restrict it. It should also be noted that, for convenience of description, only the parts related to the invention are shown in the drawings.
It should be noted that, in the absence of conflict, the embodiments of this application and the features in the embodiments can be combined with each other. This application is described in detail below with reference to the drawings and in conjunction with the embodiments.
Fig. 1 shows an exemplary system architecture 100 in which embodiments of the vulnerability detection method or vulnerability detection device of this application can be applied.
As shown in Fig. 1, system architecture 100 may include terminal devices 101, 102, 103, a detection server 104 and a target server 105. The detection server 104 intercepts HTTP requests between the terminal devices 101, 102, 103 and the target server 105, then modifies the HTTP requests with an attack script to carry out a cross-site attack against the target server 105. The detection server 104 is connected to the terminal devices 101, 102, 103 and the target server 105 in various ways, which may include various connection types such as wired links, wireless communication links or fibre-optic cables.
The detection server 104 is equipped with tools such as Fiddler (an HTTP protocol debugging proxy tool that can record and inspect HTTP traffic between a computer and the Internet, set breakpoints, inspect all data "entering and leaving" Fiddler, and arbitrarily modify all data "entering and leaving" Fiddler) for intercepting the HTTP requests that users send to the target server 105 from terminal devices 101, 102, 103. Various communication client applications can be installed on terminal devices 101, 102, 103, such as web browser applications, shopping applications, search applications, instant messaging tools, mailbox clients and social platform software.
Terminal device 101,102,103 can be the various electronic equipments with display screen and supported web page browsing, packet Include but be not limited to smart mobile phone, tablet computer, E-book reader, MP3 player (Moving Picture Experts Group Audio Layer III, dynamic image expert's compression standard audio level 3), MP4 (Moving Picture Experts Group Audio Layer IV, dynamic image expert's compression standard audio level 4) it is player, on knee portable Computer and desktop computer etc..
The detection server 104 can be a server that provides various services, for example a server that detects vulnerabilities of the target server 105. The detection server 104 can modify data such as the received HTTP requests and send the modified HTTP requests (for example, HTTP requests containing the attack script) to the target server 105. It determines from the response message fed back by the target server 105 whether the target server 105 has a vulnerability and, if so, can push the vulnerability detection result to terminal devices 101, 102, 103.
It should be noted that the vulnerability detection method provided by the embodiments of this application is generally executed by the detection server 104; correspondingly, the vulnerability detection device is generally located in the detection server 104.
It should be understood that the numbers of terminal devices, detection servers and target servers in Fig. 1 are merely illustrative. There can be any number of terminal devices, detection servers and target servers according to implementation needs.
With continued reference to Fig. 2, the flow 200 of one embodiment of the vulnerability detection method according to this application is shown. The vulnerability detection method includes the following steps:
Step 201: obtain a first HTTP request, addressed to the target server, that contains the target URL and URL parameters.
In this embodiment, the electronic device on which the vulnerability detection method runs (such as the detection server shown in Fig. 1) can capture, with a tool such as Fiddler, the first HTTP request that is sent to the target server and that contains the target URL and URL parameters. The target server is the server to be tested for vulnerabilities, for example a website server. A URL (uniform resource locator) is the address of a network resource, for example the web address www.test.com. The target URL is the address to be tested on the server under test. URL parameters refer to the request body of the HTTP request. Usually, when a user accesses the target URL through the terminal's browser, the terminal initiates an HTTP request to the target server. The HTTP request whose destination address is the target URL can be captured by Fiddler and used as the first HTTP request. A filtering rule can be set in Fiddler that keeps the HTTP requests whose destination address is the target URL and discards the HTTP requests to other addresses. For example, suppose the terminal sent three HTTP requests containing URL1, URL2 and URL3 respectively. If the target URL is set to URL3, then once Fiddler's filtering rule is set, Fiddler discards the HTTP requests containing URL1 and URL2 when it receives the messages sent to the target server, and keeps only the HTTP request containing URL3. Two or more HTTP requests are generally involved in the detection process: the HTTP request that first writes data, which may carry the vulnerability, is denoted the first HTTP request, and the HTTP request that reads the data and triggers the vulnerability is denoted the second HTTP request. A list of target URLs to be scanned is prepared in advance; each record in the list contains the original complete data of the first HTTP request and the second HTTP request used for detecting one target URL. The first and second HTTP requests consist of a status line, request headers and a request body. The status line contains the request path, the request method and the protocol version. The request headers contain the other data of the first and second HTTP requests, such as Referer (tells the server which page the link came from), Cookie (data stored on the user's local terminal) and Host (indicates the origin server or gateway location of the requested URL). In the case of the POST request method (generally used to send an update request to the target server, with a request body), the data in the request body serves as the URL parameters.
Step 202: modify the value of the URL parameter according to the preset script, and send the modified first HTTP request to the target server.
In this embodiment, since the preset script is a cross-site attack script, the modified first HTTP request is used to carry out a cross-site attack operation against the target server. A cross-site attack is one in which the attacker exploits a website's insufficient filtering of user input, so that the input may be displayed on the page as HTML code that affects other users, in order to steal user data, perform certain actions under the user's identity, or infect visitors with a virus. A script is a text application that runs on the web server, such as ASP, PHP, CGI, JSP or ISAPI; a script attack exploits mistakes or omissions made when these files were configured or written, and an attacker can use them to achieve the attack purpose. For example, a certain website's request for setting the user name is as follows:
http://www.test.com/setname?Userid=100&Username=abc, and the following parameter values can be modified in turn:
Userid=<script>alert(1)</script>&Username=abc, to verify whether the userid parameter is vulnerable; Userid=100&Username=<script>alert(1)</script>, to verify whether the username parameter is vulnerable.
Step 203: send to the target server a second HTTP request containing the target URL, and receive the target server's response message to the second HTTP request.
In this embodiment, the second HTTP request can be sent, and the response message received, through Fiddler. The second HTTP request is used to verify the attack result of the first HTTP request. The content of the response message to the second HTTP request differs depending on whether the attack on the target server succeeded or failed: if the attack succeeded, the content of the returned response message to the second HTTP request is changed.
Step 204: detect whether the response message matches the script.
In this embodiment, the preset script is the script that replaces the original URL parameter value in the first HTTP request to complete the attack. After the preset script succeeds, the normal content of the response message to the second HTTP request is tampered with. An expected response message corresponding to the script can be set in advance according to the script. In the expected response message, the response header and/or the response body may be tampered with. For example, after execution the script may tamper with the Location information in the response header so that, whatever the URL of the second HTTP request is, the client is redirected straight to a predetermined page. After the response message to the second HTTP request is received, the received response message is matched against the content of the expected response message; if the response header of the received response message contains the Location information of the predetermined page, the response message matches the script.
In some optional implementations of this embodiment, the expected response message may contain a preset character string in the response body. When detecting whether the response message matches the preset script, it is necessary to detect whether the response message contains the preset character string; if it does, the response message matches the preset script; if it does not, the response message does not match the preset script. After the response message to the second HTTP request is received, the received response message is matched against the content of the expected response message. The preset character string is matched against the response message as a regular expression; a match means the attack succeeded, and no match means the attack failed. The preset script has multiple different entries, and each entry consists of two parts (the two parts may differ). For example, one entry is as follows:
{'<script>alert(000)</script>','<script>alert(000)</script>'}
The part before the comma is used during the attack: a parameter value of the first HTTP request is modified to <script>alert(000)</script>, and the attack is launched. The part after the comma is used during detection: it is checked whether the data returned for the second HTTP request contains (matches) <script>alert(000)</script>.
The reason for this design is that, in an attack script, several special characters produce the attack effect, the most common being < / >. The target server may filter out some of these special characters, so the data it returns is not necessarily the complete attack script. The preset script above is therefore divided into two parts: one part is used to modify the URL parameter for the attack, and the other is used to detect whether the response message to the second HTTP request contains the preset character string, that is, whether it matches.
Step 205: if it matches, determine that the target server has a vulnerability.
In this embodiment, if the response message of the target server matches the expected response message corresponding to the script, the current attack is considered effective, that is, the target server has a stored XSS security vulnerability.
In some optional implementations of this embodiment, in response to determining that the target server has a vulnerability, the target URL and URL parameter are pushed to the terminal of the target user, for example by mail, instant messaging tools or similar, so that the user can locate the problem accurately and promptly.
With continued reference to Fig. 3, Fig. 3 is a schematic diagram of an application scenario of the vulnerability detection method of this embodiment. In the application scenario of Fig. 3, the user first executes step 301: initiate the first HTTP request. The request is sent to the target server but is intercepted by the detection server, which executes step 302: modify the URL parameter according to the preset script, that is, write the attack script into the first HTTP request. The detection server then executes step 303: send the modified first HTTP request. The target server executes step 304: receive the modified first HTTP request and be attacked by the script. The detection server executes step 305: send the second HTTP request. After receiving the second HTTP request, the target server executes step 306: send the response message to the second HTTP request. After receiving the response message to the second HTTP request, the detection server executes step 307 according to the response message and the script: detect whether a vulnerability exists.
The method provided by the above embodiment of this application first sends the target server a first HTTP request carrying the attack script, then sends a second HTTP request to detect whether the attack succeeded. It can locate vulnerabilities quickly and accurately and improves detection efficiency.
With further reference to Fig. 4, the flow 400 of another embodiment of the vulnerability detection method is shown. The flow 400 of the vulnerability detection method includes the following steps:
Step 401: obtain a first HTTP request, addressed to the target server, that contains the target URL and URL parameters.
Step 402: modify the value of the URL parameter according to the preset script, and send the modified first HTTP request to the target server.
Step 403: send to the target server a second HTTP request containing the target URL, and receive the target server's response message to the second HTTP request.
Step 404: detect whether the response message matches the script.
Steps 401-404 are essentially the same as steps 201-204 and are not repeated here.
Step 405: determine whether every URL parameter has been traversed.
In this embodiment, there can be multiple pairs of first HTTP request and second HTTP request, for example:
{http://www.test.com/setname?Userid=100&Username=abc, http://www.test.com/getname?Userid=100}, {http://www.test.com/setaddress?Userid=100&Address=abc, http://www.test.com/getaddress?Userid=100}. Each time, one pair consisting of a first HTTP request and a second HTTP request is taken and detected. If every URL parameter has been traversed and the attack has still not succeeded, the detection flags of all URL parameters are reset to not detected and another pair of first HTTP request and second HTTP request is chosen for detection, until every pair of first HTTP request and second HTTP request has been traversed.
Step 406: determine whether every script has been tried.
In this embodiment, the preset script comprises multiple different scripts, and each cross-site attack operation uses one script. If the attack does not succeed after the value of the URL parameter has been modified with one script, step 407 is executed to continue the attack.
Step 407: replace the script.
In this embodiment, the script that has been used to modify the not-yet-detected URL parameter is replaced by a script that has not yet been used to modify that parameter, and steps 402-404 are executed with the replacement script.
Step 408: set the detection flag of the modified URL parameter to detected, and restore the modified URL parameter value to its value before modification.
In this embodiment, the first HTTP request contains multiple URL parameters, and modifying the value of the URL parameter according to the preset script includes: parsing the multiple URL parameters out of the first HTTP request with a preset regular expression library, and modifying at least one URL parameter according to the preset script. Only one URL parameter is modified at a time; the modified URL parameter is marked so that it is not modified again next time, and before the next detection the previously modified URL parameter is restored, so that each time an HTTP request is sent for an attack, only one URL parameter in it has been modified. In this way, when a vulnerability is detected, the vulnerable URL parameter can be located precisely, which helps staff repair the vulnerability accurately. Each time, a URL parameter that has never been detected is chosen for detection, which avoids repeated modification. Steps 402-408 are executed in a loop until the target server is determined to have a vulnerability or every URL parameter has been detected.
Step 409, if matching, it is determined that going out destination server, there are loopholes.
Step 409 is essentially identical with step 205, therefore repeats no more.
Steps 401-408 are executed in a loop until the target server is determined to have a vulnerability or every pair of first and second hypertext transfer protocol requests has been detected.
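The loop of steps 402-408, as an added example in Python that is not part of the patent: it probes one URL parameter with one preset script per attack, fetches the target URL with a second request, checks that response for the script, then restores the parameter and flags it as detected. The in-process guestbook target, its URLs, the probe scripts and the parameter regex are all constructed here for illustration.

```python
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed preset scripts. Each carries its own marker string, so a hit in the
# response tells which script (and hence which parameter) was stored unescaped.
PRESET_SCRIPTS: List[str] = [
    "<script>xssprobe('a1')</script>",
    "<script>xssprobe('b2')</script>",
]

# Stand-in for the patent's "preset regular expression library": name=value pairs.
PARAM_RE = re.compile(r"([^&=#]+)=([^&#]*)")


@dataclass
class Finding:
    target_url: str   # target uniform resource locator (what the push unit reports)
    parameter: str    # URL parameter that carried the script
    script: str       # preset script found in the response


def parse_first_request(url: str) -> Tuple[str, Dict[str, str]]:
    """Split the first HTTP request into its target URL and URL parameters."""
    parts = urlsplit(url)
    target = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    params = {m.group(1): m.group(2) for m in PARAM_RE.finditer(parts.query)}
    return target, params


def build_request(target: str, params: Dict[str, str]) -> str:
    """Rebuild the first request with the (possibly modified) parameter values."""
    parts = urlsplit(target)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def detect(first_request_url: str, display_url: str,
           send: Callable[[str], str]) -> Optional[Finding]:
    """Steps 402-409: change exactly one parameter with one script per attack, fetch
    the display page (second request), look for the script, then restore and flag."""
    post_target, params = parse_first_request(first_request_url)
    detected = {name: False for name in params}          # detection flags
    for name in params:
        original = params[name]
        try:
            for script in PRESET_SCRIPTS:                # step 407: next script
                params[name] = script                    # step 402: one param only
                send(build_request(post_target, params)) # step 403: first request
                response = send(display_url)             # step 404: second request
                if script in response:                   # steps 405/409: match
                    return Finding(display_url, name, script)
        finally:
            params[name] = original                      # step 408: restore value
            detected[name] = True                        # step 408: flag detected
    return None


class SimulatedGuestbook:
    """Constructed stand-in for the target server: /guestbook/post stores the
    request's parameters, /guestbook renders them. With escape_comment=False the
    'comment' field is rendered verbatim, i.e. it has a stored XSS defect."""

    def __init__(self, escape_comment: bool) -> None:
        self.escape_comment = escape_comment
        self.stored = {"name": "", "comment": ""}
        self.requests = 0                                # for checking the loop

    def send(self, url: str) -> str:
        self.requests += 1
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        if parts.path == "/guestbook/post":
            self.stored["name"] = html.escape(params.get("name", ""))
            comment = params.get("comment", "")
            self.stored["comment"] = html.escape(comment) if self.escape_comment else comment
            return "<p>saved</p>"
        if parts.path == "/guestbook":
            return "<h1>Guestbook</h1><b>%s</b><p>%s</p>" % (
                self.stored["name"], self.stored["comment"])
        return "<p>not found</p>"


FIRST_REQUEST = "http://guestbook.example/guestbook/post?name=alice&comment=hello"
DISPLAY_URL = "http://guestbook.example/guestbook"     # target URL of request two


def scan(escape_comment: bool) -> Tuple[Optional[Finding], int]:
    """Run the detector against one simulated target; return finding and request count."""
    target = SimulatedGuestbook(escape_comment)
    return detect(FIRST_REQUEST, DISPLAY_URL, target.send), target.requests
```

`scan(False)` reports the `comment` parameter after six requests (two per script for `name`, which is escaped, then one pair for `comment`), while `scan(True)` tries every parameter with every script (eight requests) and reports nothing.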
As can be seen from Fig. 4, compared with the embodiment corresponding to Fig. 2, the flow 400 of the leak detection method in this embodiment highlights the step of detecting a single URL parameter. The scheme described in this embodiment can thus improve the accuracy of vulnerability detection and achieve more comprehensive and more effective vulnerability detection.
With further reference to Fig. 5, as an implementation of the methods shown in the figures above, the present application provides an embodiment of a vulnerability detection device. This device embodiment corresponds to the method embodiment shown in Fig. 2, and the device can be applied to various kinds of electronic equipment.
As shown in Fig. 5, the vulnerability detection device 500 of this embodiment includes an acquiring unit 501, a first transmission unit 502, a second transmission unit 503, a detection unit 504 and a determination unit 505. The acquiring unit 501 obtains a first hypertext transfer protocol request, sent to the target server, that includes the target uniform resource locator and a uniform resource locator parameter. The first transmission unit 502 changes the value of the uniform resource locator parameter according to a preset script and sends the modified first hypertext transfer protocol request to the target server, where the modified first hypertext transfer protocol request is used to perform a cross-site attack operation on the target server. The second transmission unit 503 sends to the target server a second hypertext transfer protocol request that includes the target uniform resource locator, and receives the response message returned by the target server for the second hypertext transfer protocol request. The detection unit 504 detects whether the response message matches the script. If it matches, the determination unit 505 determines that the target server has a vulnerability.
In this embodiment, the specific processing of the vulnerability detection device 500 may refer to step 201, step 202, step 203 and step 204 of the embodiment corresponding to Fig. 2.
In some optional implementations of this embodiment, the device 500 further includes a push unit (not shown) which, in response to determining that the target server has a vulnerability, pushes the target uniform resource locator and the uniform resource locator parameter to the terminal of the target user.
In some optional implementations of this embodiment, the first hypertext transfer protocol request includes multiple uniform resource locator parameters, and the first transmission unit 502 is further used to parse the multiple uniform resource locator parameters out of the first hypertext transfer protocol request with a preset regular expression library, and to change the value of at least one uniform resource locator parameter according to the preset script.
In some optional implementations of this embodiment, the uniform resource locator parameter has a detection flag that identifies whether the uniform resource locator parameter has been detected, and the device 500 further includes: a setting unit (not shown) which, when the response message does not match the script, sets the detection flag of the changed uniform resource locator parameter to "detected" and restores the changed uniform resource locator parameter to the uniform resource locator parameter before modification; and a selecting unit (not shown) which chooses, from the multiple scripts, a script that has not yet been used to modify a uniform resource locator parameter whose detection flag is "not detected".
In some optional implementations of this embodiment, the script includes a preset character string, and the detection unit is further used to detect whether the response message includes the preset character string: if it does, the response message matches the script; if it does not, the response message does not match the script.
Referring now to Fig. 6, it shows a structural schematic diagram of a computer system 600 suitable for implementing the detection server of the embodiments of the present application. The detection server shown in Fig. 6 is only an example and places no limitation on the function or scope of use of the embodiments of the present application.
As shown in Fig. 6, the computer system 600 includes a central processing unit (CPU) 601, which can perform various appropriate actions and processing according to a program stored in read-only memory (ROM) 602 or a program loaded from the storage section 608 into random access memory (RAM) 603. RAM 603 also stores the various programs and data required for the operation of the system 600. The CPU 601, ROM 602 and RAM 603 are connected to each other by a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input section 606 including a keyboard, a mouse and the like; an output section 607 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, and a loudspeaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem and the like. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like, is mounted on the drive 610 as needed, so that a computer program read from it can be installed into the storage section 608 as needed.
In particular, according to embodiments of the present disclosure, the process described above with reference to the flowchart may be implemented as a computer software program. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. When the computer program is executed by the central processing unit (CPU) 601, the above functions defined in the method of the present application are performed. It should be noted that the computer-readable medium described herein may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above.
More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In this application, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in connection with, an instruction execution system, apparatus or device. In this application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted using any suitable medium, including but not limited to wireless, wire, optical cable, RF and the like, or any suitable combination of the above.
The flowcharts and block diagrams in the drawings illustrate the architecture, functions and operations that may be implemented by the systems, methods and computer program products according to the various embodiments of the application. In this regard, each box in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in an order different from that shown in the drawings. For example, two boxes shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of boxes in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented in software or in hardware. The described units may also be arranged in a processor; for example, it may be described as: a processor comprising an acquiring unit, a first transmission unit, a second transmission unit, a detection unit and a determination unit. The names of these units do not in any case limit the units themselves; for example, the acquiring unit may also be described as "a unit for obtaining a first hypertext transfer protocol request, sent to a target server, that includes a target uniform resource locator and a uniform resource locator parameter".
As another aspect, the present application also provides a computer-readable medium, which may be included in the device described in the above embodiments or may exist separately without being assembled into the device. The computer-readable medium carries one or more programs which, when executed by the device, cause the device to: obtain a first hypertext transfer protocol request, sent to a target server, that includes a target uniform resource locator and a uniform resource locator parameter; change the value of the uniform resource locator parameter according to a preset script and send the modified first hypertext transfer protocol request to the target server, wherein the modified first hypertext transfer protocol request is used to perform a cross-site attack operation on the target server; send to the target server a second hypertext transfer protocol request that includes the target uniform resource locator; in response to receiving the response message returned by the target server for the second hypertext transfer protocol request, detect whether the response message matches the script; and if it matches, determine that the target server has a vulnerability.
The above description is only a preferred embodiment of the application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the application is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the inventive concept, for example technical solutions formed by replacing the above features with technical features of similar function disclosed herein (but not limited thereto).

Claims (10)

1. A leak detection method, characterized in that the method comprises:
obtaining a first hypertext transfer protocol request, sent to a target server, that includes a target uniform resource locator and a uniform resource locator parameter;
changing the value of the uniform resource locator parameter according to a preset script, and sending the modified first hypertext transfer protocol request to the target server, wherein the modified first hypertext transfer protocol request is used to perform a cross-site attack operation on the target server;
sending to the target server a second hypertext transfer protocol request that includes the target uniform resource locator, and receiving the response message returned by the target server for the second hypertext transfer protocol request;
detecting whether the response message matches the script;
if it matches, determining that the target server has a vulnerability.
2. The method according to claim 1, characterized in that the method further comprises:
in response to determining that the target server has a vulnerability, pushing the target uniform resource locator and the uniform resource locator parameter to a terminal of a target user.
3. The method according to claim 1, characterized in that the first hypertext transfer protocol request includes multiple said uniform resource locator parameters; and
changing the value of the uniform resource locator parameter according to a preset script comprises:
parsing the multiple uniform resource locator parameters out of the first hypertext transfer protocol request with a preset regular expression library;
changing at least one uniform resource locator parameter according to the preset script.
4. The method according to claim 3, characterized in that the uniform resource locator parameter has a detection flag for identifying whether the uniform resource locator parameter has been detected, the preset script comprises multiple different scripts, and one script is used in each cross-site attack operation; and
the method further comprises:
if there is no match, replacing the script that has been used to modify the value of a uniform resource locator parameter whose detection flag is "not detected" with a script that has not been used to modify the value of a uniform resource locator parameter whose detection flag is "not detected", and executing the following detection steps: modifying, according to the replacement script, a uniform resource locator parameter whose detection flag is "not detected"; sending the modified first hypertext transfer protocol request to the target server; sending to the target server a second hypertext transfer protocol request that includes the target uniform resource locator, and receiving the response message returned by the target server for the second hypertext transfer protocol request; detecting whether the response message matches the script; if it matches, determining that the target server has a vulnerability;
if there is no match, continuing to execute the above detection steps until every script has been replaced, then setting the detection flag of the changed uniform resource locator parameter to "detected", restoring the changed uniform resource locator parameter to the uniform resource locator parameter before modification, and continuing to execute the above detection steps until every uniform resource locator parameter has been detected.
5. The method according to claim 1, characterized in that the script includes a preset character string; and
detecting whether the response message matches the script comprises:
detecting whether the response message includes the preset character string;
if it does, the response message matches the script;
if it does not, the response message does not match the script.
6. A vulnerability detection device, characterized in that the device comprises:
an acquiring unit, for obtaining a first hypertext transfer protocol request, sent to a target server, that includes a target uniform resource locator and a uniform resource locator parameter;
a first transmission unit, for changing the value of the uniform resource locator parameter according to a preset script and sending the modified first hypertext transfer protocol request to the target server, wherein the modified first hypertext transfer protocol request is used to perform a cross-site attack operation on the target server;
a second transmission unit, for sending to the target server a second hypertext transfer protocol request that includes the target uniform resource locator, and receiving the response message returned by the target server for the second hypertext transfer protocol request;
a detection unit, for detecting whether the response message matches the script;
a determination unit, for determining, if it matches, that the target server has a vulnerability.
7. The device according to claim 6, characterized in that the device further comprises:
a push unit, for pushing, in response to determining whether the target server has a vulnerability, the vulnerability detection result for the target uniform resource locator and the uniform resource locator parameter to a terminal of a target user; if the uniform resource locator and the uniform resource locator parameter have a vulnerability, the result further indicates the specific parameter name that has the vulnerability and the preset script used when the vulnerability was triggered.
8. The device according to claim 6, characterized in that the first hypertext transfer protocol request includes multiple said uniform resource locator parameters; and
the first transmission unit is further used for:
parsing the multiple uniform resource locator parameters out of the first hypertext transfer protocol request with a preset regular expression library;
changing at least one uniform resource locator parameter according to the preset script.
9. An apparatus, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method according to any one of claims 1-5.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method according to any one of claims 1-5.
CN201710225292.2A 2017-04-07 2017-04-07 leak detection method and device Pending CN108696481A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710225292.2A CN108696481A (en) 2017-04-07 2017-04-07 leak detection method and device

Publications (1)

Publication Number Publication Date
CN108696481A true CN108696481A (en) 2018-10-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20181023