CN109040128B - WAF reverse proxy detection method based on offline pcap flow packet - Google Patents
- Publication number: CN109040128B (application CN201811088088.1A)
- Authority
- CN
- China
- Prior art keywords
- request
- waf
- test server
- response
- test
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H04L63/0281: Proxies (under H04L63/02, network architectures or protocols for network security that separate internal from external traffic, e.g. firewalls)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
- H04L69/22: Parsing or analysis of headers (under H04L69/00, network arrangements, protocols or services independent of the application payload)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a WAF reverse proxy detection method based on an offline pcap traffic packet, which comprises the following steps: step S100: configuring a test server at the site of the WAF system; step S200: the service server captures the service traffic and stores it as a packet capture file; step S300: the test server reads and parses the packet capture file and sends the parsed requests and responses to the WAF system for security detection; if the WAF system detects an attack, it returns an exception to the test server; otherwise, the test server is notified to process the response corresponding to the request, and the test server analyzes the data returned by the WAF system and tests the functions of the WAF system. The invention tests the functions of the WAF system in an offline mode, which improves test efficiency; it uses real user traffic and real service responses for the test, so hidden problems can be found to the greatest extent; and it neither occupies resources of the service server nor affects the service server.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a WAF reverse proxy detection method based on an offline pcap traffic packet.
Background
As web applications become more and more abundant, web servers, with their strong computing power, processing performance and high implied value, are becoming the main target of attacks. SQL injection, web page tampering, web page trojan implantation and other security events occur frequently. In 2007, the total number of tampered websites in mainland China monitored by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) was 61228, 1.5 times the 2006 figure, and the number of tampered mainland Chinese government websites reached 4234 per month. Users such as enterprises generally adopt firewalls as the first line of defense of their security systems. In practice, however, firewalls have a problem, and this gave rise to the WAF (Web application protection system). Web application protection systems (WAF) are a new class of information security technology intended to solve the web application security problem that traditional devices such as firewalls cannot handle. Unlike a traditional firewall, the WAF works at the application layer and therefore has inherent technical advantages for web application protection. Based on a deep understanding of the web application's services and logic, the WAF inspects and verifies the content of the various requests coming from web application clients, ensures that the requests are safe and legitimate, and blocks illegal requests in real time, thereby effectively protecting websites. With the development of the information age, a large number of WAF products have flooded the market. Before a WAF product goes live, its stability and reliability need to be tested, but at present there is no method for efficiently testing WAF functions.
Disclosure of Invention
The invention aims to provide a WAF reverse proxy detection method based on an offline pcap traffic packet, in order to solve the problem that the prior art lacks a method for functionally testing a WAF product without affecting the service system.
The invention solves the problems through the following technical scheme:
a WAF reverse proxy detection method based on an offline pcap traffic packet comprises the following steps:
step S100: configuring a test server at the site of the WAF system;
step S200: the service server captures the service traffic and stores it as a packet capture file;
step S300: the test server reads and parses the packet capture file and sends the parsed requests and responses to the WAF system for security detection; if the WAF system detects an attack, it returns an exception to the test server; otherwise, the test server is notified to process the response corresponding to the request, and the test server analyzes the data returned by the WAF system and tests the functions of the WAF system.
The working principle is as follows:
The user initiates a request to the service server through the load balancing service; the service server captures the traffic packets with the packet capture tool and stores them for traffic replay; the test server obtains the replay file and parses the packet capture file with a test program installed on the test server to obtain the requests and responses. The parsed request is sent to the WAF system, which performs security detection on it: if an attack is detected, an exception is returned to the test server; if not, the request is returned to the test server. The test server then sends the data corresponding to the returned request to the WAF system, which performs security detection on the received request result: if an attack is detected, an exception is returned to the test server; if not, the request result is returned to the test server. The test server compares the sent requests with the returned requests, and the data corresponding to the sent requests with the request results returned by the WAF system, checking respectively whether the number of requests is consistent and whether the responses corresponding to the requests are consistent, and thereby tests the WAF function.
Further, step S300 specifically includes:
step S310: the test server reads and parses the packet capture file to obtain requests and responses;
step S320: the test server preprocesses the parsed requests and responses;
step S330: the test server sends a preprocessed request to the WAF system, the WAF system performs security detection on the received request, and if an attack is detected, an exception is returned to the test server; otherwise, the WAF system forwards the request to the test server;
step S340: the test server finds the response corresponding to the request by its request ID and returns the data corresponding to the request forwarded by the WAF system to the WAF system;
step S350: the WAF system performs security detection on the received data, and if an attack is detected, an exception is returned to the test server; otherwise, the WAF system forwards the response to the test server;
step S360: the test server compares and analyzes the sent requests and responses with the requests and responses returned by the WAF system to obtain a detection result.
The test server parses the packet capture file to obtain the requests and responses and preprocesses them: it assembles the data of one request that is spread over different data packets, assembles the response to one request that is spread over different data packets, and marks each request with its real source and a unique identifier. First, the test server sends a preprocessed request to the WAF system, and the WAF system performs security detection on the request: if the request contains an attack, an exception is returned to the test server; if not, the request is returned to the test server. The test server records the result and judges whether the sent request is consistent with the returned request, then sends the response corresponding to the returned request to the WAF system, which performs security detection on the received response: if an attack is detected, an exception is returned to the test server; if not, the response is returned to the test server. The test server records and checks whether the response returned by the WAF system corresponds to the sent request, and so analyzes and judges the function of the WAF system. A test program is installed on the test server and implements two functions: (1) reading and parsing the packet capture file, sending the requests to the WAF system, and sending to the WAF system the response corresponding to the request ID returned by the WAF system; (2) statistically analyzing the response results returned by the WAF system and outputting a test report, in which the results fall into three classes: error (abnormal) response, attack response and normal response.
Further, in step S330 the test server sends the preprocessed requests to the WAF system in the order of the packet capture file; and step S360 further includes determining whether all the requests have been sent, and if so, ending the process; otherwise, returning to step S330.
The test server obtains the packet capture file of the service server, parses it offline, and tests the WAF system after preprocessing, sending the requests in the order of the packet capture file; this completely simulates the real traffic of the service server, and because an offline pcap traffic packet is used, no resources of the service server are occupied and the service server is not affected.
Further, preprocessing the request in step S320 includes assembling the TCP packets of the same request, adding an xff (X-Forwarded-For) header to the HTTP header of the request to identify the real source client of the request, and adding a request-test-id header to the HTTP header of the request to uniquely identify the request; preprocessing the response in step S320 includes assembling the response content of the TCP data packets of the same request and segmenting it according to the response encoding format.
Because the request packets are segmented, that is, one data packet may contain several requests or one request may be spread over several data packets, the same request must be reassembled from the different data packets, and an xff header and a request-test-id header added to the HTTP header of the request to identify the real source client and the unique identifier, so that the source of the request can be traced. Since the responses corresponding to the same request may likewise be stored in several data packets, preprocessing the responses requires reassembling the responses corresponding to the same request.
Further, the packet capture in step S200 uses the tcpdump/pcap tool.
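The reassembly and tagging that step S320 describes, as an added Python example that is not part of the patent (the patent names no implementation). It joins the TCP segments of one connection direction, splits the byte stream into complete HTTP messages by Content-Length or chunked framing (so both "several requests in one packet" and "one request across several packets" are handled), inserts the X-Forwarded-For (xff) and request-test-id headers, and pairs each request with its response by position. The segment byte strings and the client address 203.0.113.7 are constructed sample input, and all function names are the example's own.

```python
HEADER_END = b"\r\n\r\n"


def parse_headers(head: bytes):
    """Yield (lower-case name, value) pairs from an HTTP head, skipping the start line."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        yield name.strip().decode("latin-1").lower(), value.strip().decode("latin-1")


def chunked_body_length(data: bytes):
    """Byte length of a complete chunked body (trailers ignored), or None if incomplete."""
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return None
        size = int(data[pos:nl].split(b";")[0], 16)      # chunk-size; extensions dropped
        pos = nl + 2 + size + 2                           # size line, data, trailing CRLF
        if len(data) < pos:
            return None
        if size == 0:
            return pos


def split_messages(stream: bytes):
    """Split one direction of a TCP byte stream into complete HTTP messages.

    Returns (messages, leftover): leftover is an incomplete tail that is still
    waiting for more segments. Several messages packed into one segment and one
    message spread over several segments both fall out of the same loop because
    the caller joins the segments in sequence order before calling this.
    """
    messages = []
    while True:
        end = stream.find(HEADER_END)
        if end < 0:
            return messages, stream
        body_start = end + len(HEADER_END)
        headers = dict(parse_headers(stream[:end]))
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body_len = chunked_body_length(stream[body_start:])   # split by encoding format
        else:
            body_len = int(headers.get("content-length", "0"))
        if body_len is None or len(stream) < body_start + body_len:
            return messages, stream                       # rest of this message not here yet
        messages.append(stream[:body_start + body_len])
        stream = stream[body_start + body_len:]


def tag_request(raw: bytes, client_ip: str, req_id: int) -> bytes:
    """Insert the X-Forwarded-For and request-test-id headers before the blank line."""
    end = raw.find(HEADER_END)
    extra = f"\r\nX-Forwarded-For: {client_ip}\r\nrequest-test-id: {req_id}".encode()
    return raw[:end] + extra + raw[end:]


def preprocess_flow(request_segments, response_segments, client_ip, first_id=1):
    """Reassemble one connection and pair each request with its response by position.

    client_ip is the source address taken from the captured packets. Pairing by
    position relies on HTTP/1.1 responses arriving in request order on a single
    connection; a request whose response was not captured is paired with None.
    """
    requests, _ = split_messages(b"".join(request_segments))
    responses, _ = split_messages(b"".join(response_segments))
    pairs = []
    for offset, req in enumerate(requests):
        req_id = first_id + offset
        resp = responses[offset] if offset < len(responses) else None
        pairs.append({"id": req_id, "request": tag_request(req, client_ip, req_id), "response": resp})
    return pairs


# Constructed segments: request 1 is split over two segments; segment 2 also holds
# the start of request 2, whose body finishes in segment 3 together with request 3.
REQ_SEGMENTS = [
    b"GET /a HTTP/1.1\r\nHost: shop.example\r\n",
    b"\r\nPOST /b HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n\r\nhe",
    b"lloGET /c HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]
# Constructed responses: Content-Length, chunked, and empty bodies, again split unevenly.
RESP_SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabcHTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"4\r\nwiki\r\n0\r\n\r\nHTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for pair in preprocess_flow(REQ_SEGMENTS, RESP_SEGMENTS, "203.0.113.7"):
        print(pair["id"], pair["request"].split(b"\r\n")[0], pair["response"] and pair["response"][:15])
```

Parsing by Content-Length and chunk framing rather than by packet boundary is the whole point: a reassembler that trusts segment edges would misattribute the body of one request to the next and the WAF would then be tested against requests the service server never saw.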
Compared with the prior art, the invention has the following advantages and beneficial effects:
the invention tests the functions of the WAF system in an offline mode, which improves test efficiency; it uses real user traffic and real service responses for the test, so hidden problems can be found to the greatest extent; and it neither occupies resources of the service server nor affects the service server.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
Referring to fig. 1, a method for detecting a WAF reverse proxy based on an offline pcap traffic packet includes:
step S100: configuring a test server at the site of the WAF system;
step S200: the service server uses tcpdump/pcap to capture the service traffic and stores it as a packet capture file;
step S300: the test server reads and parses the packet capture file and sends the parsed requests and responses to the WAF system for security detection; if the WAF system detects an attack, it returns an exception to the test server; otherwise, the test server is notified to process the response corresponding to the request, and the test server analyzes the data returned by the WAF system and tests the functions of the WAF system:
step S310: the test server reads and parses the packet capture file to obtain requests and responses;
step S320: the test server preprocesses the parsed requests and responses: it assembles the same request from different data packets, adds an xff header to the HTTP header of the request to identify the real source client of the request, and adds a request-test-id header to the HTTP header of the request to uniquely identify the request; preprocessing the response in step S320 includes assembling the responses of the same request from different data packets;
step S330: the test server sends the preprocessed requests to the WAF system in the order of the packet capture file, the WAF system performs security detection on each received request, and if an attack is detected, an exception is returned to the test server; otherwise, the WAF system forwards the request to the test server;
step S340: the test server finds the response corresponding to the request by its request ID and returns the data corresponding to the request forwarded by the WAF system to the WAF system;
step S350: the WAF system performs security detection on the received data, and if an attack is detected, an exception is returned to the test server; otherwise, the WAF system forwards the response to the test server;
step S360: the test server compares and analyzes the sent requests and responses with the requests and responses returned by the WAF system to obtain a detection result; it then determines whether all the requests have been sent, and if so, ends the process; otherwise, it returns to step S330.
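Steps S200 and S310 assume a pcap file written by tcpdump and a parser on the test server that pulls the requests and responses out of it. The following added Python example, which is not code from the patent, reads a classic-format pcap (Ethernet/IPv4/TCP) with only the standard library and groups the TCP payloads of each connection direction, sorted by sequence number, so that a reassembly step can join them. Instead of reading a file from disk it builds a small capture in memory from constructed packets (addresses 10.0.0.5 and 10.0.0.80), so it runs offline; all function names are the example's own.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic when the file is little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same four bytes read from a big-endian file


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_pcap(packets) -> bytes:
    """Serialize (src, dst, sport, dport, seq, payload) tuples as a classic pcap.

    Only used to construct the sample capture below; a real run would read the
    file that tcpdump wrote on the service server.
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for ts, (src, dst, sport, dport, seq, payload) in enumerate(packets, 1):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload          # Ethernet, type IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data: bytes):
    """Yield the captured frame of each pcap record, honouring the file's byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payloads(data: bytes):
    """Group TCP payloads by (src_ip, sport, dst_ip, dport), sorted by sequence number.

    Each key is one direction of one connection: the client->server key carries the
    requests (its source address is what X-Forwarded-For is set to during
    preprocessing) and the reverse key carries the responses.
    """
    flows = defaultdict(list)
    for frame in iter_records(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":       # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                                             # not TCP
            continue
        src, dst = bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:                                                # skip handshake / pure ACKs
            flows[(src, sport, dst, dport)].append((seq, payload))
    return {key: sorted(segs) for key, segs in flows.items()}


# Constructed sample capture: one request split over two segments (recorded out of
# order, as a retransmission might be) and the server's response.
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", "10.0.0.80", 40000, 80, 1046, b"\r\n"),
    ("10.0.0.5", "10.0.0.80", 40000, 80, 1000, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"),
    ("10.0.0.80", "10.0.0.5", 80, 40000, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
])

if __name__ == "__main__":
    for key, segs in tcp_payloads(SAMPLE_PCAP).items():
        print(key, b"".join(p for _, p in segs))
```

Sorting by sequence number rather than capture order is what makes the later reassembly safe; a replay that concatenated segments in arrival order would hand the WAF a request the service server never received.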
The working principle is as follows:
The user initiates a request to the service server through the load balancing service; the service server captures the traffic packets with the packet capture tool and stores them for traffic replay; the test server obtains the replay file and parses the packet capture file with a test program installed on the test server to obtain the requests and responses, that is, an offline pcap traffic packet is used to test the WAF system. Because the request packets are segmented, that is, one data packet may contain several requests or one request may be spread over several data packets, the same request must be reassembled from the different data packets, and an xff header and a request-test-id header added to the HTTP header of the request to identify the real source client and the unique identifier, so that the source of the request can be traced. Because the responses corresponding to one request may likewise be stored in several data packets, preprocessing the responses requires reassembling the responses corresponding to the same request; this completes the preprocessing of the requests and responses.
The test server sends the preprocessed request to the WAF system, and the WAF system performs security detection on it: if the request contains an attack, an exception is returned to the test server; if not, the request is returned to the test server. The test server records the result and judges whether the sent request is consistent with the returned request, then sends the response corresponding to the returned request to the WAF system, which performs security detection on the received response: if an attack is detected, an exception is returned to the test server; if not, the response is returned to the test server. A test program installed on the test server compares the sent requests with the returned requests, and the data corresponding to the sent requests with the request results returned by the WAF system, checking respectively whether the number of requests is consistent and whether the response corresponding to each request is consistent; this realizes the test of the WAF function, so that unknown functional defects can be found before the WAF system goes live. Because the test server obtains the service requests and service responses offline from the packet capture of the service server and sends the requests in the order of the packet capture file, the real traffic of the service server can be completely simulated, and because an offline pcap traffic packet is used, no resources of the service server are occupied and the service server is not affected.
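The replay and comparison loop of steps S330 to S360, together with the three result classes the test report distinguishes (error/abnormal, attack, normal), as an added Python example that is not from the patent. The WAF is replaced by a hypothetical in-memory stub (StubWaf) whose only rule flags a constructed placeholder token, BLOCKED-MARKER, standing in for the real WAF's rule set; the stub can also drop the request-test-id header, which shows how a proxy that strips unknown headers surfaces in the report as an inconsistent request count. The request/response records are constructed and all names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Tuple[str, Optional[bytes]]   # ("forwarded", message) or ("exception", None)


class StubWaf:
    """Hypothetical stand-in for the WAF reverse proxy under test (not a real WAF).

    is_attack is whatever rule set the real WAF applies. strip_header simulates a
    proxy that drops a header it does not recognise, one way a deployment can break
    the request-test-id pairing the test relies on.
    """

    def __init__(self, is_attack: Callable[[bytes], bool], strip_header: Optional[bytes] = None):
        self.is_attack = is_attack
        self.strip_header = strip_header

    def _inspect(self, raw: bytes) -> Verdict:
        if self.is_attack(raw):
            return ("exception", None)
        if self.strip_header:
            raw = re.sub(rb"(?im)^" + re.escape(self.strip_header) + rb":[^\r\n]*\r\n", b"", raw)
        return ("forwarded", raw)

    def inspect_request(self, raw: bytes) -> Verdict:
        return self._inspect(raw)

    def inspect_response(self, raw: bytes) -> Verdict:
        return self._inspect(raw)


def extract_test_id(raw: bytes) -> Optional[int]:
    """Read the request-test-id header that preprocessing added to the request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    m = re.search(rb"(?im)^request-test-id:[ \t]*(\d+)[ \t]*\r?$", head)
    return int(m.group(1)) if m else None


@dataclass
class Report:
    sent: int = 0
    returned: int = 0                        # requests the WAF forwarded back unchanged
    attack_requests: List[int] = field(default_factory=list)
    attack_responses: List[int] = field(default_factory=list)
    normal: List[int] = field(default_factory=list)
    error: List[Tuple[int, str, str]] = field(default_factory=list)   # (id, stage, detail)

    def requests_consistent(self) -> bool:
        """Quantity check of S360: every sent request came back or raised an exception."""
        return self.sent == self.returned + len(self.attack_requests)

    def summary(self) -> Dict[str, int]:
        """The three result classes the test program reports."""
        return {"attack": len(self.attack_requests) + len(self.attack_responses),
                "normal": len(self.normal), "error": len(self.error)}


def run_replay(waf: StubWaf, pairs: List[dict]) -> Report:
    """Replay {id, request, response} records through the WAF in capture order."""
    by_id: Dict[int, bytes] = {p["id"]: p["response"] for p in pairs}
    report = Report()
    for p in pairs:
        report.sent += 1
        status, forwarded = waf.inspect_request(p["request"])            # S330
        if status == "exception":
            report.attack_requests.append(p["id"])
            continue
        if forwarded != p["request"]:                                    # returned request altered
            report.error.append((p["id"], "request", "forwarded request differs from sent"))
            continue
        report.returned += 1
        rid = extract_test_id(forwarded)                                 # S340: look up by id
        if rid is None or rid not in by_id:
            report.error.append((p["id"], "request", "no request-test-id, cannot pair response"))
            continue
        status, back = waf.inspect_response(by_id[rid])                  # S350
        if status == "exception":
            report.attack_responses.append(rid)
        elif back == by_id[rid]:                                         # S360: compare
            report.normal.append(rid)
        else:
            report.error.append((rid, "response", "forwarded response differs from sent"))
    return report


def marker_rule(raw: bytes) -> bool:
    """Placeholder for the WAF's own rules: flags only the constructed token."""
    return b"BLOCKED-MARKER" in raw


def _req(i: int, path: str) -> bytes:
    return (f"GET {path} HTTP/1.1\r\nHost: shop.example\r\nX-Forwarded-For: 203.0.113.7\r\n"
            f"request-test-id: {i}\r\nContent-Length: 0\r\n\r\n").encode()


def _resp(body: bytes) -> bytes:
    return f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body


# Constructed records: one clean exchange, one request the stub flags, one response it flags.
SAMPLE_PAIRS = [
    {"id": 1, "request": _req(1, "/index.html"), "response": _resp(b"<html>home</html>")},
    {"id": 2, "request": _req(2, "/search?q=BLOCKED-MARKER"), "response": _resp(b"no results")},
    {"id": 3, "request": _req(3, "/download"), "response": _resp(b"BLOCKED-MARKER in body")},
]

if __name__ == "__main__":
    print(run_replay(StubWaf(marker_rule), SAMPLE_PAIRS).summary())
```

The second configuration in the test, a stub that strips request-test-id, is the case worth watching for in a real deployment: the forwarded request no longer matches the sent one, so the count check fails and the affected requests land in the error class instead of being silently miscounted as normal.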
Although the present invention has been described herein with reference to the illustrated embodiments thereof, which are intended to be preferred embodiments of the present invention, it is to be understood that the invention is not limited thereto, and that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure.
Claims (4)
1. A WAF reverse proxy detection method based on an offline pcap traffic packet, characterized by comprising the following steps:
step S100: configuring a test server at the site of the WAF system;
step S200: the service server captures the service traffic and stores it as a packet capture file;
step S310: the test server reads and parses the packet capture file to obtain requests and responses;
step S320: the test server preprocesses the parsed requests and responses;
step S330: the test server sends a preprocessed request to the WAF system, the WAF system performs security detection on the received request, and if an attack is detected, an exception is returned to the test server; otherwise, the WAF system forwards the request to the test server;
step S340: the test server finds the response corresponding to the request by its request ID and returns the data corresponding to the request forwarded by the WAF system to the WAF system;
step S350: the WAF system performs security detection on the received data, and if an attack is detected, an exception is returned to the test server; otherwise, the WAF system forwards the response to the test server;
step S360: the test server compares and analyzes the sent requests and responses with the requests and responses returned by the WAF system, checking respectively whether the number of requests is consistent and whether the responses corresponding to the requests are consistent, to realize the test of the WAF system function.
2. The WAF reverse proxy detection method based on an offline pcap traffic packet according to claim 1, wherein in step S330 the test server sends the preprocessed requests to the WAF system in the order of the packet capture file; and step S360 further includes determining whether all the requests have been sent, and if so, ending the process; otherwise, returning to step S330.
3. The WAF reverse proxy detection method based on an offline pcap traffic packet according to claim 2, wherein preprocessing the request in step S320 includes assembling the TCP data packets of the same request, adding an xff header to the HTTP header of the request to identify the real source client of the request, and adding a request-test-id header to the HTTP header of the request to uniquely identify the request; and preprocessing the response in step S320 includes assembling the response content of the TCP data packets of the same request and segmenting it according to the response encoding format.
4. The WAF reverse proxy detection method based on an offline pcap traffic packet according to claim 1, wherein the packet capture in step S200 uses the tcpdump/pcap tool.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811088088.1A CN109040128B (en) | 2018-09-18 | 2018-09-18 | WAF reverse proxy detection method based on offline pcap flow packet |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040128A CN109040128A (en) | 2018-12-18 |
CN109040128B true CN109040128B (en) | 2020-09-22 |
Family
ID=64616710
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811088088.1A Active CN109040128B (en) | 2018-09-18 | 2018-09-18 | WAF reverse proxy detection method based on offline pcap flow packet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040128B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110868380B (en) * | 2018-12-19 | 2022-08-23 | 北京安天网络安全技术有限公司 | Network flow safety monitoring method and device, electronic equipment and storage medium |
CN109981408B (en) * | 2019-03-26 | 2021-08-03 | 网宿科技股份有限公司 | CDN server offline test method, device and system |
CN111209959B (en) * | 2020-01-05 | 2022-03-04 | 西安电子科技大学 | Encrypted webpage flow division point identification method based on data packet time sequence |
CN111464383A (en) * | 2020-03-30 | 2020-07-28 | 中国建设银行股份有限公司 | System capacity testing method and device based on production environment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105959179A (en) * | 2016-06-08 | 2016-09-21 | 微梦创科网络科技(中国)有限公司 | Reverse proxy nginx testing system and method |
CN106453299A (en) * | 2016-09-30 | 2017-02-22 | 北京奇虎科技有限公司 | Network security monitoring method and device, and cloud WEB application firewall |
CN106470214A (en) * | 2016-10-21 | 2017-03-01 | 杭州迪普科技股份有限公司 | Attack detection method and device |
CN107426206A (en) * | 2017-07-17 | 2017-12-01 | 北京上元信安技术有限公司 | A kind of protector and method to web server |
CN107454096A (en) * | 2017-08-24 | 2017-12-08 | 杭州安恒信息技术有限公司 | A kind of wrong report removing method based on daily record playback |
CN107634964A (en) * | 2017-10-13 | 2018-01-26 | 杭州迪普科技股份有限公司 | A kind of method of testing and device for WAF |
Non-Patent Citations (3)
Title |
---|
"Anomaly detection using negative security model in web application"; Auxilia, M., & Tamilselvan, D.; In 2010 International Conference on Computer Information Systems and Industrial Management Applications (CISIM); 2010-10-30; pp. 481-486 * |
"Using tcpcopy to import production traffic for functional and stress testing"; 送人玫瑰手留余香; CSDN, https://blog.csdn.net/h348592532/article/details/50547207; 2016-01-20; pp. 1-4 * |
Rabbit_Dale. "Dale's work and study notes: a summary of forward proxies and reverse proxies". 博客园 (cnblogs), https://www.cnblogs.com/Anker/p/6056540.htm; 2016 * |
Similar Documents
Publication | Title |
---|---|
CN109040128B (en) | WAF reverse proxy detection method based on offline pcap flow packet |
CN109829310B (en) | Similar attack defense method, device, system, storage medium and electronic device |
US10873594B2 (en) | Test system and method for identifying security vulnerabilities of a device under test |
CN109194680B (en) | Network attack identification method, device and equipment |
EP3058472B1 (en) | System and method for reporting on automated browser agents |
US9386028B2 (en) | System and method for malware detection using multidimensional feature clustering |
CN105049291A (en) | Method for detecting network traffic anomaly |
CN110365674B (en) | Method, server and system for predicting network attack surface |
CN111885007B (en) | Information tracing method, device, system and storage medium |
Kiani et al. | Evaluation of anomaly based character distribution models in the detection of SQL injection attacks |
CN112953971A (en) | Network security traffic intrusion detection method and system |
US20230283641A1 (en) | Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement |
CN104219221A (en) | Network security flow generating method and network security flow generating system |
US10701087B2 (en) | Analysis apparatus, analysis method, and analysis program |
US20240146753A1 (en) | Automated identification of false positives in dns tunneling detectors |
CN114244564A (en) | Attack defense method, device, equipment and readable storage medium |
CN112738095A (en) | Method, device, system, storage medium and equipment for detecting illegal external connection |
CN106713242B (en) | Data request processing method and processing device |
CN110381047B (en) | Network attack surface tracking method, server and system |
CN112217777A (en) | Attack backtracking method and equipment |
Yassin et al. | Packet header anomaly detection using statistical analysis |
CN117061257A (en) | Network security assessment system |
CN108650274B (en) | Network intrusion detection method and system |
CN101453454B (en) | Internal tracking method and network attack detection |
Yan et al. | Detect and identify DDoS attacks from flash crowd based on self-similarity and Renyi entropy |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |