CN110011955B - SSRF vulnerability or attack determination and processing method, device, equipment and medium - Google Patents


Info

Publication number
CN110011955B
Authority
CN (China)
Prior art keywords
network, network request, vulnerability, ssrf, address
Legal status
Active
Application number
CN201811484066.7A
Other languages
Chinese (zh)
Other versions
CN110011955A (en
Inventors
刘宇江
王宇
张园超
Current assignee
Ant Rongxin Chengdu Network Technology Co ltd
Original assignee
Ant Rongxin Chengdu Network Technology Co ltd

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the source of the received data
    • H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources


Abstract

The embodiment of the specification discloses a method, a device, equipment and a medium for determining and processing an SSRF vulnerability or attack, wherein the method for determining the SSRF vulnerability comprises the following steps: determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address; if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request; and if so, determining that the server has the SSRF vulnerability.

Description

SSRF vulnerability or attack determination and processing method, device, equipment and medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for determining and processing an SSRF vulnerability or attack.
Background
An SSRF (Server-Side Request Forgery) vulnerability is a security vulnerability in which an attacker constructs a request that is then initiated by the server. Typically, SSRF attacks target local area network IP addresses that are inaccessible from the public network. SSRF is a high-risk web attack: it is often used to penetrate network policy isolation and to attack, from the public network, internal network systems and facilities whose security is weak, and there is currently no good solution for SSRF vulnerabilities.
In view of this, there is a need for more efficient and more universally applicable SSRF coping schemes.
Disclosure of Invention
The embodiment of the specification provides an SSRF vulnerability or attack determination and processing method, device and medium, which are used for solving the technical problem of how to more efficiently and more universally deal with SSRF.
In order to solve the above technical problem, the embodiments of the present specification are implemented as follows:
an embodiment of the present specification provides a method for determining an SSRF vulnerability, including:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server has the SSRF vulnerability.
An embodiment of the present specification provides a method for determining an SSRF vulnerability attack, including:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
An embodiment of the present specification provides a method for processing an SSRF vulnerability, including:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
if yes, determining whether the server is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
An embodiment of the present specification provides an SSRF vulnerability determination apparatus, including:
the attention determining module is used for determining whether the network request meets attention conditions, wherein the attention conditions comprise that the network request is from a public network IP address;
the connection determining module is used for determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request if the network request meets the attention condition;
and the vulnerability determining module is used for determining that the SSRF vulnerability exists in the server if the server has a connection record of the local area network IP address.
An embodiment of the present specification provides an SSRF vulnerability attack determination apparatus, including:
the attention determining module is used for determining whether the network request meets attention conditions, wherein the attention conditions comprise that the network request is from a public network IP address;
the connection determining module is used for determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request if the network request meets the attention condition;
the vulnerability or attack determining module is used for determining that the server has an SSRF vulnerability if the server has a connection record of the IP address of the local area network; and if the server has the SSRF vulnerability, determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
An embodiment of the present specification provides an SSRF vulnerability processing apparatus, including:
the attention determining module is used for determining whether the network request meets attention conditions, wherein the attention conditions comprise that the network request is from a public network IP address;
the connection determining module is used for determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request if the network request meets the attention condition;
the vulnerability or attack determining module is used for determining that the server has an SSRF vulnerability if the server has a connection record of the IP address of the local area network; if the server has the SSRF vulnerability, determining whether the server is attacked by the SSRF vulnerability;
and the vulnerability or attack processing module is used for processing the SSRF vulnerability and/or the SSRF vulnerability attack.
An embodiment of the present specification provides an SSRF vulnerability determination device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server has the SSRF vulnerability.
An embodiment of the present specification provides an SSRF vulnerability attack determination device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
An embodiment of the present specification provides an SSRF vulnerability processing device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
if yes, determining whether the server is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
Embodiments of the present specification provide a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server has the SSRF vulnerability.
Embodiments of the present specification provide a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
Embodiments of the present specification provide a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
if yes, determining whether the server is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
The embodiment of the specification adopts at least one technical scheme which can achieve the following beneficial effects:
by analyzing and mining the intention of the network request and its connection condition with local area network IP addresses, the existence of an SSRF vulnerability and the related exploitation or attack behaviour can be confirmed in time, before or while the SSRF vulnerability becomes known to outsiders, so that processing measures can be taken; this effectively improves the efficiency of determining and processing SSRF vulnerabilities or attacks, and the method is universally applicable.
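The attack-determination step stated above (the network protocol of the request, and the number of local area network IP addresses the server connected to within a first and a second time period) can be expressed as a small classifier run over the server's connection records. The following Python is an added example, not code from the patent or its assignee; the window lengths, thresholds, allowed-protocol set, server names and connection records are all assumptions constructed for the illustration, and the rule is applied only to a server already determined to have an SSRF vulnerability.

```python
from datetime import datetime, timedelta

# Assumption: the protocols this endpoint legitimately needs to reach out with;
# a request naming any other protocol is treated as one attack indicator.
ALLOWED_PROTOCOLS = {"http", "https"}

# Constructed connection log: (backend server, LAN IP connected to, timestamp).
# app-03 reaches 4 distinct LAN hosts in the first minute and 12 within the hour;
# app-07 reaches a single LAN host.
T0 = datetime(2024, 1, 1, 12, 0, 0)
CONN_RECORDS = (
    [("app-03", f"10.0.5.{i}", T0 + timedelta(seconds=10 * i)) for i in range(1, 5)]
    + [("app-03", f"10.0.5.{i}", T0 + timedelta(minutes=5 * i)) for i in range(5, 13)]
    + [("app-07", "10.0.5.99", T0 + timedelta(seconds=5))]
)


def distinct_lan_ips(records, server, start, window):
    """Number of distinct LAN IPs `server` connected to in [start, start + window]."""
    end = start + window
    return len({ip for srv, ip, ts in records if srv == server and start <= ts <= end})


def classify_request(request, records=CONN_RECORDS,
                     first_window=timedelta(minutes=1), second_window=timedelta(hours=1),
                     first_threshold=3, second_threshold=10):
    """Return (is_attack, reasons) for a request handled by a vulnerable server.

    `request` is a dict with the backend that handled it ("server"), the protocol
    named in the request ("protocol") and its initiation time ("ts").
    Thresholds and windows are assumptions; the patent leaves them open.
    """
    reasons = []
    proto = request["protocol"].lower()
    if proto not in ALLOWED_PROTOCOLS:
        reasons.append(f"protocol {proto} not expected for this endpoint")
    n1 = distinct_lan_ips(records, request["server"], request["ts"], first_window)
    if n1 >= first_threshold:
        reasons.append(f"{n1} distinct LAN hosts within {first_window}")
    n2 = distinct_lan_ips(records, request["server"], request["ts"], second_window)
    if n2 >= second_threshold:
        reasons.append(f"{n2} distinct LAN hosts within {second_window}")
    return bool(reasons), reasons


# Constructed sample requests, each already known to have hit a vulnerable server.
SAMPLE_REQUESTS = {
    "sweep": {"server": "app-03", "protocol": "http", "ts": T0},     # many LAN hosts
    "single": {"server": "app-07", "protocol": "http", "ts": T0},    # one LAN host, normal protocol
    "odd_proto": {"server": "app-07", "protocol": "ftp", "ts": T0},  # unexpected protocol
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, classify_request(req))
```

The counting rule is what makes the two windows useful together: a burst of distinct LAN destinations inside the short window catches rapid probing, while the long window catches a slow sweep that never trips the short one.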
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present specification or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without inventive labor.
Fig. 1 is a schematic diagram illustrating the operation of the SSRF vulnerability determination system in the first embodiment of this specification.
Fig. 2 is a schematic flow chart of an SSRF vulnerability determination method in a second embodiment of the present disclosure.
Fig. 3 is a schematic diagram of an SSRF vulnerability determination process in a second embodiment of the present specification.
Fig. 4 is a schematic diagram of the operation of the SSRF vulnerability attack determination system in the third embodiment of this specification.
Fig. 5 is a schematic flow chart of a SSRF vulnerability attack determination method in the fourth embodiment of this specification.
Fig. 6 is a schematic diagram of an SSRF vulnerability attack determination process in the fourth embodiment of this specification.
Fig. 7 is a schematic diagram of the operation of the SSRF vulnerability processing system in the fifth embodiment of the present specification.
Fig. 8 is a schematic flow chart of an SSRF vulnerability handling method in a sixth embodiment of this specification.
Fig. 9 is a schematic view of a SSRF vulnerability handling process in a sixth embodiment of this specification.
Fig. 10 is a schematic structural diagram of an SSRF vulnerability determination apparatus in a seventh embodiment of this specification.
Fig. 11 is a schematic structural diagram of an SSRF vulnerability determination apparatus in the eighth embodiment of this specification.
Fig. 12 is a schematic structural diagram of an SSRF vulnerability processing apparatus in the ninth embodiment of this specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any inventive step based on the embodiments of the present disclosure, shall fall within the scope of protection of the present application.
As shown in fig. 1, a first embodiment of the present specification provides an SSRF vulnerability determination system. Specifically, the SSRF vulnerability determination system determines whether a network request meets the attention condition, where the attention condition includes that the network request originates from a public network IP address; if yes, the system determines whether the server processing the network request generates, according to the network request, a connection record for a local area network (LAN) IP address (IP: Internet Protocol; an IP address corresponds to a computer, a server or the like); if yes, the system determines that the SSRF vulnerability exists in the server.
In this embodiment, after a network request is generated, the request is analyzed to determine whether it warrants attention, and the connection condition between the server processing the request and LAN IP addresses is analyzed. At this point the purpose of the external network request may be only vulnerability detection, and it is not yet known from the outside whether the server processing the request has an SSRF vulnerability (from the outside, this can be determined only by waiting for the feedback of the network request).
From the program perspective, the execution subject of the above-mentioned process may be a computer or a server or a corresponding SSRF vulnerability determination system, etc. In addition, the execution subject may also be assisted by a third-party application client to execute the above-mentioned flow.
Fig. 2 is a schematic flow chart of an SSRF vulnerability determination method in the second embodiment of the present specification, and fig. 3 is a process of SSRF vulnerability determination in the second embodiment of the present specification. With reference to fig. 2 and fig. 3, in this embodiment, the SSRF vulnerability determining method includes:
S101: determining whether the network request meets the attention condition, where the attention condition includes that the network request originates from a public network IP address.
After a network request (web request) is generated, it is processed by the corresponding server (of the application system or service system). In this embodiment, after a certain network request is generated, it is determined whether the network request meets the following conditions: the network request originates from a public network IP address; and/or the network request comes from a public network IP address and carries an access request parameter for a local area network IP address; and/or the network request originates from a public network IP address and does not meet an ignoring condition; and/or the network request originates from a public network IP address, carries an access request parameter for a local area network IP address, and does not meet the ignoring condition. Specifically, public network requests may be determined or screened out through source IP address screening, data source screening (server, unified access, load balancing), and the like.
The network request meets the attention condition if: the network request comes from a public network IP address; and/or the network request comes from a public network IP address and does not meet the ignoring condition; and/or the network request comes from a public network IP address and carries an access request parameter for a local area network IP address; and/or the network request comes from a public network IP address, carries an access request parameter for a local area network IP address, and does not meet the ignoring condition. Specifically, a blacklist and a whitelist may be established; if the source IP address of the network request is not in the whitelist and/or is in the blacklist, the network request does not satisfy the ignoring condition.
For the case that the network request carries the access request parameter to the IP address of the local area network, the following descriptions are respectively provided for different types of network requests that may occur:
1.1 The network request includes a URL (Uniform Resource Locator)
For example, the network request http://www.xxx.com?a=1&b=www.yyy.com (network requests in this specification are merely examples) includes a URL, and the IP address corresponding to the URL can be obtained by DNS (Domain Name System) resolution. Since local area network IP addresses are generally inaccessible from the public network (the external network), if the network request includes an access request for a local area network IP address, the URL corresponding to the local area network IP address is generally placed in a network request parameter; in the above example, a=1&b=www.yyy.com is the network request parameter string and includes the URL address www.yyy.com. Of course, the network request parameter may take other forms.
After the network request is generated, the URL address may be extracted from the network request parameter, and the extracted URL address is associated with the DNS resolution record so as to determine the IP address corresponding to the URL address. If the determined IP address is a local area network IP address, it is determined that the network request carries an access request parameter for a local area network IP address (equivalently, the network request implies an access request or an access destination for the local area network IP address).
1.2 The network request includes an IP address
For example, the network request http://www.xxx.com?a=1.1.1.1:8888 includes an IP address. As above, since local area network IP addresses are generally inaccessible from the public network (the external network), if the network request includes an access request for a local area network IP address, the local area network IP address is generally placed in a network request parameter; in the above example, a=1.1.1.1:8888 is the network request parameter and includes the IP address 1.1.1.1 (assuming that 1.1.1.1 is a local area network IP address). Specifically, the network request parameter may further include port information; in the above example, port 8888 of 1.1.1.1 is included in a=1.1.1.1:8888. Of course, the network request parameter may take other forms.
After a network request is generated, if the network request contains an IP address, it is determined whether the contained IP address is a local area network IP address; if so, the network request is determined to carry an access request parameter for a local area network IP address (equivalently, the network request implies an access request or an access destination for the local area network IP address).
In this embodiment, it may be determined whether the network request parameter includes a URL or an IP address; then whether the IP address corresponding to the URL is a local area network IP address, or whether the IP address (directly) included in the parameter is a local area network IP address; and thus whether the network request implies an access request for a local area network IP address. The following description takes a URL or an IP address in the network request parameter as an example.
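As an added example (not code from the patent or its assignee), the following Python implements the attention-condition check of S101 for the two parameter forms described above: a URL or host name that is associated with a DNS resolution record (case 1.1), and a bare IP address with optional port (case 1.2), combined with the public-source check and the blacklist/whitelist ignoring condition. The DNS record table, the source addresses and the sample requests are constructed for the example; the patent's 1.1.1.1 placeholder is replaced by 10.0.5.x addresses so that the private-range check matches real LAN address ranges.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed DNS resolution records (host name -> resolved IP). These stand in
# for the DNS resolution records the patent associates with the request.
DNS_RECORDS = {
    "www.yyy.com": "10.0.5.20",          # constructed: resolves into the LAN
    "cdn.example.net": "93.184.216.34",  # constructed: resolves to a public address
}

# Optional scheme, then a host, then an optional :port.
_HOSTPORT = re.compile(r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?([^/:?#]+)(?::(\d{1,5}))?")


def is_lan_ip(ip: str) -> bool:
    """Private (RFC 1918), loopback and link-local ranges count as LAN addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def destination_of(value: str, dns=DNS_RECORDS):
    """(ip, port) implied by one parameter value, or None if it names no host.

    Case 1.2: the value is a bare IP address, optionally followed by :port.
    Case 1.1: the value is a URL or host name, resolved via the DNS records.
    """
    m = _HOSTPORT.match(value.strip())
    if not m:
        return None
    host, port = m.group(1), m.group(2)
    port = int(port) if port else None
    try:
        ipaddress.ip_address(host)   # raises ValueError for names such as "1" or "www.yyy.com"
        return host, port
    except ValueError:
        pass
    ip = dns.get(host.lower())
    return (ip, port) if ip else None


def lan_targets(request_url: str, dns=DNS_RECORDS):
    """(param, ip, port) for every request parameter whose destination is a LAN address."""
    found = []
    for name, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        dest = destination_of(value, dns)
        if dest and is_lan_ip(dest[0]):
            found.append((name, dest[0], dest[1]))
    return found


def meets_attention_condition(source_ip: str, request_url: str,
                              blacklist=(), whitelist=(), dns=DNS_RECORDS) -> bool:
    """S101: public source, ignoring condition not met, and a LAN destination carried."""
    if is_lan_ip(source_ip):
        return False  # not a public network request
    if source_ip in whitelist and source_ip not in blacklist:
        return False  # ignoring condition applies
    return bool(lan_targets(request_url, dns))


if __name__ == "__main__":
    # "93.184.215.14" is a constructed public source address.
    for url in ("http://www.xxx.com?a=1&b=www.yyy.com",
                "http://www.xxx.com?a=10.0.5.21:8888",
                "http://www.xxx.com?a=1&b=cdn.example.net"):
        print(url, "->", lan_targets(url), meets_attention_condition("93.184.215.14", url))
```

Note that the check is made on the request's own parameters plus the DNS association only; it says nothing yet about what the backend actually connected to, which is the S102 step.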
S102: if so (i.e., if the network request meets the attention condition), determining whether a server processing the network request generates a connection record for the local area network IP address according to the network request.
When a network request is generated, the real back-end server to which the network request is forwarded, i.e. the server that processes the network request, may be extracted from the load balancing facility. If a URL address is contained in the parameters of this network request, the URL address is associated with the DNS resolution record. The time of the associated DNS resolution record may be limited to be no earlier than the initiation time of this network request (or limited to a first time period after the initiation of this network request, where the first time period is determined or changed as needed), so as to avoid associating DNS resolution records from before the request was initiated and to reduce the association error rate (before this network request is initiated, there may be no DNS resolution record for the URL in its parameters).
It is then determined whether the server processing this network request has a connection record for the determined local area network IP address (that is, whether the server generates a connection record for the determined local area network IP address based on this network request). Similarly, the time of the connection record may be limited to be no earlier than the initiation time of this network request (or to the first time period after its initiation, determined or changed as needed), so as to avoid associating connection records from before the request was initiated and to reduce the error rate (before this network request is initiated, there may be no connection record for the local area network IP address in its parameters).
As before, the determined local area network IP address may carry port information; in that case it may be determined whether the server processing this network request generates, based on this network request, a connection record for the port contained in the local area network IP address (this is equivalent to a connection record for the local area network IP address, with the same time limit), thereby narrowing the range of connection records examined (from the local area network IP address to the contained port).
S103: if so (i.e. if the server processing the network request has a connection record to the local area network IP address), determining that the server has an SSRF vulnerability.
In this embodiment, if the server processing the network request has a connection record for the determined local area network IP address, it indicates that an IP address (public network IP address) outside the local area network can access the local area network IP address through the "server processing the network request" (and further attack the local area network IP address), so that it can be determined that the server processing the network request has an SSRF vulnerability.
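Steps S102 and S103, as an added example that is not the patent's own code: given a request that already met the attention condition, look up which backend the load balancer forwarded it to, then search that backend's connection records for a connection to the implied LAN IP address (narrowed to the port when one was carried) that is no earlier than the request and within the first time period. The forwarding table, the connection log, the request times and the 30-second window are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ConnRecord:
    """One outbound connection opened by a backend server (constructed log format)."""
    server: str
    dst_ip: str
    dst_port: int
    ts: datetime


# Constructed: which backend the load balancer forwarded each request to.
FORWARDED_TO = {"req-1": "app-03", "req-2": "app-03"}

# Constructed connection log for the backend servers. Only the first record can
# be attributed to req-1: the second predates the request, the third belongs to
# a backend that did not handle it.
T_REQUEST = datetime(2024, 1, 1, 12, 0, 0)
CONN_LOG = [
    ConnRecord("app-03", "10.0.5.21", 8888, T_REQUEST + timedelta(seconds=2)),
    ConnRecord("app-03", "10.0.5.21", 8888, T_REQUEST - timedelta(seconds=60)),
    ConnRecord("app-07", "10.0.5.21", 8888, T_REQUEST + timedelta(seconds=3)),
]


def matching_connections(request_id: str, requested_at: datetime, lan_ip: str,
                         lan_port: Optional[int] = None,
                         window: timedelta = timedelta(seconds=30),
                         forwarded=FORWARDED_TO, log=CONN_LOG) -> List[ConnRecord]:
    """S102: connection records of the request's backend to lan_ip (and lan_port,
    when given) that are no earlier than the request and inside the first time period."""
    server = forwarded.get(request_id)
    if server is None:
        return []   # the request cannot be attributed to a backend
    deadline = requested_at + window
    return [r for r in log
            if r.server == server
            and r.dst_ip == lan_ip
            and (lan_port is None or r.dst_port == lan_port)
            and requested_at <= r.ts <= deadline]


def has_ssrf_vulnerability(request_id: str, requested_at: datetime, lan_ip: str,
                           lan_port: Optional[int] = None, **kw) -> bool:
    """S103: the backend did connect to the implied LAN destination, so it is vulnerable."""
    return bool(matching_connections(request_id, requested_at, lan_ip, lan_port, **kw))


if __name__ == "__main__":
    print(has_ssrf_vulnerability("req-1", T_REQUEST, "10.0.5.21", 8888))
```

The lower time bound is the point the text stresses: without it, the record from a minute before the request would be attributed to it and produce a false positive; the upper bound keeps unrelated later connections from being attributed to an old request.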
For example, if the network request is http:// www.xxx.coma ═ 1.1.1:8888, where www.xxx.com is the domain name that the network request is to access and the domain name is publicly accessible, the parameters include IP address 1.1.1.1 (assuming local network IP address) and port 8888. It can be seen that although the network request is apparently to access www.xxx.com, the system server www.xxx.com (i.e., the server processing the network request) determines the IP address 1.1.1.1 and the port 8888 according to the parameters, so that the access request to the IP address 1.1.1.1 and the port 8888 can be implicit through controlling the parameters of the network request, except that the implicit network request is to be performed by the system server www.xxx.com. If the system server of www.xxx.com determines the IP address 1.1.1.1 and the port 8888, and initiates an access request to the port 8888 of the IP address (i.e., establishes a connection with the IP address), it is realized that the public network accesses the local network IP address 1.1.1.1 through the system server, so as to determine that the system server of www.xxx.com has an SSRF vulnerability.
For another example, if the network request is http://www.xxx.com?a=1&b=www.yyy.com, where www.xxx.com is the domain name to be accessed by the network request and is accessible from the public network, the system server of www.xxx.com (i.e., the server processing the network request) queries the data for the parameter value a=1 and sends the query result to b=www.yyy.com (assuming that the IP address corresponding to this URL is a local area network IP address). The system server of www.xxx.com thus parses the parameters, queries the data for a=1, initiates a request to www.yyy.com (i.e., to its corresponding IP address) carrying the query result, and after sending the query result to www.yyy.com returns the feedback result of www.yyy.com to the initiator of the network request http://www.xxx.com?a=1&b=www.yyy.com. In this process the system server of www.xxx.com is able to reach www.yyy.com, so the system server of www.xxx.com can be judged to have an SSRF vulnerability.
It can be seen that, if the network request implies an access request to the local area network IP address, the local area network IP address may also process that implicit access request, for example, receive the data sent by the system server of www.xxx.com and feed back a result. In this embodiment, the "server processing the network request" refers to the server processing the (originally initiated) "network request implying an access request to a local area network IP address", that is, the system server of www.xxx.com described above.
In fact, the purpose of the initiator of the network request may only be vulnerability detection, that is, to find out whether the server processing the network request has an SSRF vulnerability; this has to be judged from how the network request is answered, so the initiator may not yet know whether the server has the SSRF vulnerability. In this embodiment, after the network request is generated, it is analyzed whether the network request is of concern (including whether it originates from the public network and whether its access destination involves a local area network IP address), the connections made by the server processing the network request to local area network IP addresses are analyzed, and the two are combined. Whether the server has the SSRF vulnerability can therefore be judged without waiting for the feedback of the network request, so the SSRF vulnerability is discovered at the same step at which the initiator detects it, and processing measures can be taken in time to prevent an SSRF vulnerability attack that follows the detection (there is normally a time difference between the detection of an SSRF vulnerability from the outside and its exploitation). This effectively improves the efficiency of determining and processing the SSRF vulnerability and the effect of preventing SSRF vulnerability attacks, and is universal for various SSRF vulnerability detection behaviors and various subjects (such as various servers) in which an SSRF vulnerability may exist.
In this embodiment, if the server has an SSRF vulnerability, the (SSRF) vulnerability level of the server may be determined according to the network protocol of the network request. Specifically, a first type of network protocol may be determined, and if the server has an SSRF vulnerability, the vulnerability level of the server may be determined according to whether the network protocol of the network request belongs to the first type. For example, the first type of network protocol may include HTTP and HTTPS; correspondingly, other types (e.g., a second type) of network protocol may be determined, and these may be the protocols through which high-risk operations (reading files, executing commands, etc.) can be performed, such as gopher, rmi, file, ldap, dict and jdbc, so that the first type and the other types are determined according to the risk level of the operations the protocol can perform (or according to a risk level assigned or rated for it). Of course, the first type may be the low-risk protocols such as HTTP or HTTPS and the other types the high-risk ones, in which case a network request whose protocol belongs to the first type indicates a low vulnerability level; or the first type may be the high-risk protocols and the other types the low-risk ones, in which case a network request whose protocol belongs to the first type indicates a higher vulnerability level.
The above network requests are merely examples, and the network request or the network request parameter may include various forms in a practical context.
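To make S101 to S103 of the second embodiment concrete, the following is an added example written for this page; it is not code from the patent or its assignee. It correlates requests arriving from public addresses with the server's outbound connection log over a constructed sample. The domain names, the DNS table standing in for name resolution, the address ranges treated as the local area network, the five-second time limit and the log entries are all assumptions; in particular the page's placeholder 1.1.1.1 is replaced by 10.0.0.5, because 1.1.1.1 is not a private address. The protocol classes follow the page: HTTP and HTTPS are the low-risk type, and gopher, rmi, file, ldap, dict and jdbc the high-risk type.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for DNS (hypothetical names and addresses; nothing is looked up for real).
DNS = {"www.xxx.com": "198.51.100.10", "www.yyy.com": "10.0.0.7"}

# Protocol classes from the page: HTTP/HTTPS are the low-risk type, these the high-risk type.
HIGH_RISK_SCHEMES = {"gopher", "rmi", "file", "ldap", "dict", "jdbc"}

# Assumption: the ranges the deployment treats as local area network addresses.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Request:
    ts: datetime
    src_ip: str        # address the request arrived from
    url: str           # full URL received by the server processing the request

@dataclass(frozen=True)
class Connection:      # one entry of the server's outbound connection log
    ts: datetime
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Finding:
    dst_ip: str
    dst_port: Optional[int]
    scheme: str
    level: str         # "high" or "low", from the protocol class

def is_lan_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)

def extract_target(value: str):
    """Map one parameter value (bare ip[:port], bare host name, or URL) to (ip, port, scheme)."""
    if "://" not in value:
        value = "http://" + value      # the page's "a=1.1.1.1:8888" and "b=www.yyy.com" forms
    parsed = urlparse(value)
    host = parsed.hostname
    if not host:
        return None
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = DNS.get(host)             # a URL is resolved first, then its address is classified
        if ip is None:
            return None
    try:
        port = parsed.port
    except ValueError:                 # malformed port
        return None
    return ip, port, parsed.scheme.lower()

def target_of_concern(req: Request, whitelist=frozenset(), blacklist=frozenset()):
    """Attention condition (S101): public source, not ignored, and a parameter naming a LAN address."""
    if is_lan_ip(req.src_ip):
        return None
    if req.src_ip in whitelist and req.src_ip not in blacklist:
        return None                    # ignore condition: whitelisted (and not blacklisted) source
    for values in parse_qs(urlparse(req.url).query).values():
        for value in values:
            target = extract_target(value)
            if target is not None and is_lan_ip(target[0]):
                return target
    return None

def detect_ssrf(req: Request, connections, time_limit=timedelta(seconds=5),
                whitelist=frozenset(), blacklist=frozenset()) -> Optional[Finding]:
    """S102/S103: vulnerable if, within the time limit after the request, the server connected to
    the LAN address the request named (and to the named port, when the request gave one)."""
    target = target_of_concern(req, whitelist, blacklist)
    if target is None:
        return None
    ip, port, scheme = target
    for c in connections:
        if (c.dst_ip == ip and (port is None or c.dst_port == port)
                and req.ts <= c.ts <= req.ts + time_limit):
            return Finding(ip, port, scheme, "high" if scheme in HIGH_RISK_SCHEMES else "low")
    return None

# Constructed sample: requests seen at www.xxx.com and the server's outbound connection log.
T0 = datetime(2024, 1, 1, 12, 0, 0)
REQUESTS = [
    Request(T0, "198.51.100.23", "http://www.xxx.com/?a=10.0.0.5:8888"),
    Request(T0 + timedelta(seconds=2), "198.51.100.23", "http://www.xxx.com/?a=1&b=www.yyy.com"),
    Request(T0 + timedelta(seconds=4), "198.51.100.23", "http://www.xxx.com/?a=gopher://10.0.0.9:6379/_PING"),
    Request(T0 + timedelta(seconds=6), "10.1.1.1", "http://www.xxx.com/?a=10.0.0.5:8888"),        # LAN source
    Request(T0 + timedelta(seconds=8), "198.51.100.23", "http://www.xxx.com/?a=198.51.100.50"),    # public target
    Request(T0 + timedelta(seconds=10), "198.51.100.23", "http://www.xxx.com/?a=10.0.0.5:8888"),  # nothing follows it
]
CONNECTIONS = [
    Connection(T0 + timedelta(seconds=1), "10.0.0.5", 8888),
    Connection(T0 + timedelta(seconds=3), "10.0.0.7", 80),
    Connection(T0 + timedelta(seconds=5), "10.0.0.9", 6379),
    Connection(T0 + timedelta(seconds=7), "10.0.0.5", 8888),
]

def run_sample():
    return [detect_ssrf(r, CONNECTIONS) for r in REQUESTS]
```

Of the six constructed requests, the first three are found vulnerable (the third at the high level because its parameter uses gopher), the fourth is not of concern because it comes from a LAN source, the fifth because its parameter names a public address, and the sixth because no matching connection follows it within the time limit. When the parameter names a port, the match is narrowed to that port, as described above; a connection record must also be later than the request it is matched to, otherwise an earlier unrelated connection to the same address would be counted.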
As shown in fig. 4, a third embodiment of the present specification provides an SSRF vulnerability determination system. Specifically, the SSRF vulnerability determination system determines whether a network request meets a condition of interest, where the condition of interest includes that the network request originates from a public network IP address; if so, the system determines whether the server processing the network request generates a connection record for a local area network IP address according to the network request; if so, the system determines that the server has the SSRF vulnerability, and determines whether the server is under SSRF vulnerability attack according to the network protocol of the network request and/or the number of local area network IP addresses the server connects to within a first time and/or the number of times the server connects to local area network IP addresses within a second time.
In this embodiment, after a network request is generated, whether the network request is worth attention is analyzed, and the connections made by the server processing the network request to local area network IP addresses are analyzed. At this point the external network request may be used only for vulnerability detection, and the outside party does not yet know whether the server processing the network request has an SSRF vulnerability (it can learn this only by waiting for the feedback of the network request). The embodiment can therefore confirm the existence of the SSRF vulnerability, and any related exploitation or attack behavior, before or at the moment the outside party learns of the SSRF vulnerability, so that processing measures can be taken; this effectively improves the efficiency of determining and processing the SSRF vulnerability or attack and is universal.
From the program perspective, the execution subject of the above-mentioned flow may be a computer or a server or a corresponding SSRF vulnerability determination system, etc. In addition, the execution subject may also be assisted by a third-party application client to execute the above-mentioned flow.
Fig. 5 is a schematic flow chart of a method for determining an SSRF vulnerability attack in a fourth embodiment of this specification, and fig. 6 shows the process of determining an SSRF vulnerability attack in the fourth embodiment. With reference to fig. 5 and fig. 6, in this embodiment, the method for determining an SSRF vulnerability attack includes:
s201: determining whether the network request meets the concern condition, wherein the concern condition comprises that the network request is originated from a public network IP address.
As in S101.
S202: if so (i.e., if the network request meets the attention condition), determining whether a server processing the network request generates a connection record for the local area network IP address according to the network request.
The same as S102.
S203: if so (namely if the server processing the network request has a connection record of the local area network IP address), determining that the server has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the connection times of the server to the local area network IP address in the second time.
S203 may be divided into the following two parts:
s2031: if the server processing the network request has a connection record for the local area network IP address, it is determined that the server has an SSRF vulnerability, which is the same as S103.
S2032: if the server for processing the network request has the SSRF vulnerability, whether the server is attacked by the SSRF vulnerability is determined according to the network protocol of the network request and/or according to the number of the local area network IP addresses connected with the server in the first time and/or according to the number of times of connection of the server to the local area network IP addresses in the second time.
Generally, SSRF vulnerability detection or attack is performed for the following purposes:
2.1 traversing local area network IP addresses to probe the structure of the local area network;
2.2 traversing different ports of the same local area network IP address to learn which ports a given internal machine has open;
2.3 delivering a payload to the same machine or to several machines in the local area network.
Whether the server is under SSRF vulnerability attack may be determined as follows:
3.1 network protocol for network requests
As in the second embodiment, a second type of network protocol (the same as or different from the classification in the second embodiment) may be determined, and if the server has an SSRF vulnerability, whether the server is under SSRF vulnerability attack may be determined according to whether the network protocol of the network request belongs to the second type. If the protocol of the network request (whether the network request used to determine the SSRF vulnerability, or a later network request to a local area network IP address made through the server already determined to have the SSRF vulnerability) is of the high-risk level, the server with the SSRF vulnerability is determined to be under SSRF vulnerability attack.
3.2 number of local area network IP addresses (or ports) connected by server with SSRF vulnerability
For example, a first time (i.e., a first time period, which may be the same as or different from the "first time period" in the second embodiment, and may be determined or changed as needed) may be determined, and whether the server is under SSRF vulnerability attack may be determined according to the number of local area network IP addresses the server connects to within the first time, counted from the moment the server is determined to have the SSRF vulnerability. A first threshold (which may vary) may be set, and the server is determined to be under SSRF attack when the number of local area network IP addresses connected through the server reaches and/or exceeds the first threshold.
Here the local area network IP address may be replaced by the local area network IP address plus port, i.e., distinct IP address and port combinations are counted.
3.3 number of connections of server with SSRF loophole to local area network IP address (or port)
For example, a second time (i.e., a second time period, determined or changed as needed) may be determined, and whether the server is under SSRF vulnerability attack may be determined according to the number of times the server connects to local area network IP addresses (a single IP address or several) within the second time, counted from the moment the server is determined to have the SSRF vulnerability. A second threshold (which may vary) may be set, and the server is determined to be under SSRF attack when the number of connections made by the server to local area network IP addresses reaches and/or exceeds the second threshold.
Here too the local area network IP address may be replaced by the local area network IP address plus port, i.e., connections to each IP address and port combination are counted.
In this embodiment, if the network request includes a local area network IP address and that address includes port information, it can be determined from the connection record between the server processing the network request and that port whether the server has an SSRF vulnerability, and then, by the above method, whether the server is under SSRF attack, as in the second embodiment.
3.1 above may be used to determine whether the purpose of the SSRF vulnerability detection or attack is 2.3 above; in cases 2.1 and 2.2 a large number of local area network IP addresses or ports are usually connected, so the decision can be made by 3.2 and 3.3 above. 3.1, 3.2 and 3.3 may be applied in sequence, for example, the network protocol is judged first, and if the network protocol is not of the high-risk level, the number of connected local area network IP addresses or the number of connections is judged.
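An added example, written for this page and not taken from the patent, of applying 3.1, 3.2 and 3.3 in the order just described to a server already determined to have the SSRF vulnerability at time t0. The window lengths (60 seconds), thresholds (5 distinct addresses, 20 connections), timestamps and addresses are assumptions, and the connection logs are constructed. The port-scan log shows why the variant that counts IP address plus port is needed for purpose 2.2: ten ports on one host count as a single address otherwise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The page's high-risk protocol class; anything else (HTTP/HTTPS) is treated as low risk.
HIGH_RISK_SCHEMES = {"gopher", "rmi", "file", "ldap", "dict", "jdbc"}

@dataclass(frozen=True)
class Connection:          # one entry of the server's outbound connection log
    ts: datetime
    dst_ip: str
    dst_port: int

def classify_attack(scheme: str, lan_connections, t0: datetime, *,
                    window1=timedelta(seconds=60), threshold1=5,
                    window2=timedelta(seconds=60), threshold2=20,
                    by_port=False) -> Optional[str]:
    """Apply 3.1, then 3.2, then 3.3 to a server found vulnerable at time t0.

    lan_connections: the server's connections to LAN destinations (already filtered to LAN
    addresses by the vulnerability determination step).
    Returns "protocol", "sweep", "burst", or None when no rule fires.
    """
    if scheme.lower() in HIGH_RISK_SCHEMES:
        return "protocol"                        # 3.1: payload delivery (purpose 2.3)
    first = [c for c in lan_connections if t0 <= c.ts <= t0 + window1]
    distinct = {(c.dst_ip, c.dst_port) if by_port else c.dst_ip for c in first}
    if len(distinct) >= threshold1:
        return "sweep"                           # 3.2: LAN or port traversal (purposes 2.1/2.2)
    second = [c for c in lan_connections if t0 <= c.ts <= t0 + window2]
    if len(second) >= threshold2:
        return "burst"                           # 3.3: too many connections in the window
    return None

# Constructed connection logs (assumed timestamps and RFC 1918 addresses).
T0 = datetime(2024, 1, 1, 12, 0, 0)

def port_scan():
    """One internal host probed on ten ports, one second apart (purpose 2.2)."""
    ports = [21, 22, 23, 25, 80, 443, 3306, 6379, 8080, 8888]
    return [Connection(T0 + timedelta(seconds=i + 1), "10.0.0.5", p) for i, p in enumerate(ports)]

def host_sweep():
    """Eight internal hosts probed on port 80 (purpose 2.1)."""
    return [Connection(T0 + timedelta(seconds=i + 1), "10.0.0.%d" % (i + 1), 80) for i in range(8)]

def repeated_fetch():
    """The same internal service hit 25 times in 25 seconds."""
    return [Connection(T0 + timedelta(seconds=i), "10.0.0.7", 80) for i in range(25)]

def single_fetch():
    """One connection: the SSRF vulnerability is confirmed, but no attack pattern has appeared."""
    return [Connection(T0 + timedelta(seconds=1), "10.0.0.7", 80)]
```

With the assumed thresholds a gopher request is classified at once under 3.1, the host sweep under 3.2, and the repeated fetch under 3.3; the port scan is missed when counting by address and caught only when counting by address and port, which is the reason the page allows the port variant of 3.2.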
In this embodiment, it can be determined whether the server has the SSRF vulnerability, and it can also be determined whether the server is under SSRF vulnerability attack at the very beginning of the attack, so measures can be taken in time; this effectively improves the efficiency of determining and processing SSRF vulnerability attacks, and is universal for various SSRF vulnerability attack behaviors and various subjects (such as various servers) that may have an SSRF vulnerability or may be under SSRF vulnerability attack.
As shown in fig. 7, a fifth embodiment of the present specification provides an SSRF vulnerability processing system, and in particular, the SSRF vulnerability processing system determines whether a network request meets a condition of interest, where the condition of interest includes that the network request originates from a public network IP address; if so, the SSRF vulnerability processing system determines whether a server processing the network request generates a connection record of the local area network IP address according to the network request; if so, the SSRF vulnerability processing system determines that the SSRF vulnerability exists in the server and processes the SSRF vulnerability; and/or the SSRF vulnerability processing system determines whether the server is attacked by the SSRF vulnerability and processes the SSRF vulnerability attack.
In this embodiment, after a network request is generated, whether the network request is worth attention is analyzed, and the connections made by the server processing the network request to local area network IP addresses are analyzed; at this point the external network request may be used only for vulnerability detection, and the outside party does not yet know whether the server processing the network request has an SSRF vulnerability (it can learn this only by waiting for the feedback of the network request).
From the program perspective, the execution subject of the above flow may be a computer or a server or a corresponding SSRF vulnerability processing system, etc. In addition, the execution subject may also be assisted by a third-party application client to execute the above-mentioned flow.
Fig. 8 is a schematic flow chart of an SSRF vulnerability handling method in a sixth embodiment of this specification, and fig. 9 is an SSRF vulnerability handling process in the sixth embodiment of this specification. With reference to fig. 8 and fig. 9, in this embodiment, the SSRF vulnerability processing method includes:
s301: determining whether the network request meets the concern condition, wherein the concern condition comprises that the network request is originated from a public network IP address.
As in S101.
S302: if so (i.e., if the network request meets the attention condition), determining whether a server processing the network request generates a connection record for the local area network IP address according to the network request.
The same as S102.
S303: if yes, determining that the server has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
if yes, determining whether the server is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
S303 may be divided into the following two parts:
s3031: if the server for processing the network request has the connection record of the local area network IP address, determining that the server has the SSRF loophole (same as S103), and processing the SSRF loophole.
In this embodiment, if it is determined that the SSRF vulnerability exists, processing measures may be taken, for example, adding an interception rule to the server with the SSRF vulnerability and repairing it, such as restricting which URLs or IP addresses may be passed into a given parameter of that server; restricting access to the server with the SSRF vulnerability from certain source IP addresses; or taking the server with the SSRF vulnerability out of service.
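The interception rule described above, as an added example written for this page (not the patent's code): the page's second scenario, in which the server queries a and sends the result to whatever b names, is shown once without any check and once with the rule applied to parameter b. The DNS table, the allowed scheme and host lists, the LAN ranges and the http_send stand-in (which returns the destination instead of connecting) are all assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS (hypothetical names and addresses; nothing is looked up for real).
DNS = {"www.yyy.com": "10.0.0.7", "partner.example": "198.51.100.40"}

# Assumption: the ranges the deployment treats as local area network addresses.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# The interception rule for parameter b: only these schemes and destination hosts may be passed in.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"partner.example"}

def is_lan_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)

def resolve(host, dns=DNS):
    """Return the literal address, or the address the constructed DNS table gives for a name."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return dns.get(host)

def http_send(ip, port, path, body):
    """Stand-in for the HTTP client: reports the destination it would have connected to."""
    return (ip, port, path, body)

def forward_result_vulnerable(params, dns=DNS):
    """The page's second scenario with no check: query a, send the result wherever b points."""
    result = "record for a=" + params["a"]
    target = params["b"]
    if "://" not in target:
        target = "http://" + target       # accepts the bare "www.yyy.com" form
    u = urlparse(target)
    ip = resolve(u.hostname, dns)          # 10.0.0.7 for www.yyy.com: the server reaches into the LAN
    return http_send(ip, u.port or 80, u.path or "/", result)

def forward_result_hardened(params, dns=DNS):
    """Same function with the interception rule applied before any connection is attempted."""
    u = urlparse(params["b"])
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % u.scheme)     # also removes gopher, file, dict, ...
    if u.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not allowed: %r" % u.hostname)
    ip = resolve(u.hostname, dns)
    if ip is None or is_lan_ip(ip):
        raise ValueError("destination resolves to a LAN address")  # an allowed name repointed at the LAN
    result = "record for a=" + params["a"]
    # Connect to the address that was just checked, not to the name, so a second lookup cannot differ.
    return http_send(ip, u.port or 80, u.path or "/", result)
```

The hardened version rejects non-HTTP schemes (which removes the high-risk protocol class entirely), rejects hosts outside the allow list, and checks the address the name actually resolves to rather than the name itself, then connects to that checked address. The same check has to be applied again to any redirect the destination returns, since a redirect is a fresh destination chosen by the remote side.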
S3032: if the server processing the network request has the SSRF vulnerability, determining whether the server is under SSRF vulnerability attack, and processing the SSRF vulnerability attack.
The SSRF vulnerability attack determination may be the same as in the fourth embodiment, that is, whether the server is under SSRF vulnerability attack is determined according to the network protocol of the network request and/or according to the number of local area network IP addresses the server connects to within a third time and/or according to the number of times the server connects to local area network IP addresses within a fourth time. For the network protocol specifically: a third type of network protocol is determined, and if the server has an SSRF vulnerability, whether the server is under SSRF vulnerability attack is determined according to whether the network protocol of the network request belongs to the third type. The third time and the fourth time are determined in the same manner as in the fourth embodiment.
In this embodiment, if an SSRF vulnerability attack is determined, a processing measure may be taken. For example, as above, an interception rule is added, or an attack source or an attack destination is investigated (as in S2032), and a processing policy is customized for different attack sources or attack destinations. After the SSRF attack is processed, the SSRF vulnerability can be processed as above.
In this embodiment, if the network request includes a local area network IP address and that address includes port information, it can be determined whether the server has an SSRF vulnerability and/or is under SSRF attack from the connection record between the server and that port, as in the second and fourth embodiments.
In this embodiment, it can be determined whether the server has an SSRF vulnerability, and it can also be determined whether the server is under SSRF vulnerability attack at the very beginning of the attack, so that processing measures can be taken in time; this effectively improves the efficiency of determining and processing the SSRF vulnerability or attack, and is universal for various SSRF vulnerability attack behaviors and various subjects (such as various servers) that may have an SSRF vulnerability or may be under SSRF vulnerability attack.
As shown in fig. 10, a seventh embodiment of the present specification provides an SSRF vulnerability determining apparatus, including:
an attention determining module 401, configured to determine whether the network request meets an attention condition, where the attention condition includes that the network request originates from a public network IP address;
a connection determining module 402, configured to determine, if the network request meets the attention condition, whether a server that processes the network request generates a connection record for the local area network IP address according to the network request;
a vulnerability determining module 403, configured to determine that an SSRF vulnerability exists in the server if the server has a connection record for the local area network IP address.
Optionally, the attention condition further includes:
the network request is from a public network IP address and carries access request parameters for a local area network IP address;
and/or,
the network request is from a public network IP address and the network request does not conform to an ignoring condition;
and/or,
the network request is from a public network IP address and carries access request parameters for a local area network IP address, and the network request does not conform to an ignoring condition.
Optionally, the network request failing to comply with the ignore condition includes:
the source IP address of the network request is not present in a white list and/or the source IP address of the network request is present in a black list.
Optionally, the network request carrying access request parameters for the local area network IP address includes:
determining whether the network request contains a Uniform Resource Locator (URL) or an IP address;
if the network request contains a URL, determining whether the IP address obtained by resolving the URL is a local area network IP address;
if so, determining that the network request carries an access request parameter for the IP address of the local area network;
if the network request contains the IP address, determining whether the contained IP address is a local area network IP address, and if so, determining that the network request carries access request parameters for the local area network IP address.
Optionally, if the network request meets the attention condition, and the network request includes a local area network IP address, and the local area network IP address includes port information, the connection determining module 402 determines whether the server processing the network request generates a connection record for the port according to the network request;
if the server has a connection record for the port, the vulnerability determination module 403 determines that an SSRF vulnerability exists in the server.
Optionally, if the server has an SSRF vulnerability, the vulnerability determination module 403 determines the vulnerability level of the server according to the network protocol of the network request.
Optionally, the first type of network protocol is determined, and if the server has an SSRF vulnerability, the vulnerability determining module 403 determines the vulnerability level of the server according to whether the network protocol of the network request belongs to the first type of network protocol.
Optionally, determining whether the server processing the network request generates a connection record for the local area network IP address according to the network request includes:
after the network request is initiated, determining whether the server processing the network request generates a connection record for the local area network IP address according to the network request.
As shown in fig. 11, an eighth embodiment of the present specification provides an SSRF vulnerability determination apparatus, including:
an attention determining module 501, configured to determine whether a network request meets an attention condition, where the attention condition includes that the network request originates from a public network IP address;
a connection determining module 502, configured to determine, if a network request meets a concern condition, whether a server that processes the network request generates a connection record for an IP address of a local area network according to the network request;
a vulnerability or attack determining module 503, configured to determine that an SSRF vulnerability exists in the server if the server has a connection record for the local area network IP address; and, if the server has the SSRF vulnerability, to determine whether the server is under SSRF vulnerability attack according to the network protocol of the network request and/or the number of local area network IP addresses the server connects to within the first time and/or the number of times the server connects to local area network IP addresses within the second time.
Optionally, the attention condition further includes:
the network request is from a public network IP address and carries access request parameters for a local area network IP address;
and/or,
the network request is from a public network IP address and the network request does not conform to an ignoring condition;
and/or,
the network request is from a public network IP address and carries access request parameters for a local area network IP address, and the network request does not conform to an ignoring condition.
Optionally, if the network request meets the attention condition, and the network request includes a local area network IP address, and the local area network IP address includes port information, the connection determining module 502 determines whether the server processing the network request generates a connection record for the port according to the network request;
if yes, the vulnerability or attack determining module 503 determines that the server has an SSRF vulnerability, and determines whether the server is under SSRF vulnerability attack according to the network protocol of the network request and/or the number of local area network IP addresses the server connects to within the first time and/or the number of times the server connects to local area network IP addresses within the second time.
Optionally, a second type of network protocol is determined, and if the server has an SSRF vulnerability, the vulnerability or attack determination module 503 determines whether the server is attacked by the SSRF vulnerability according to whether the network protocol of the network request belongs to the second type of network protocol.
As shown in fig. 12, a ninth embodiment of the present specification provides an SSRF vulnerability processing apparatus, including:
an attention determining module 601, configured to determine whether a network request meets an attention condition, where the attention condition includes that the network request originates from a public network IP address;
a connection determining module 602, configured to determine, if a network request meets a concern condition, whether a server that processes the network request generates a connection record for an IP address of a local area network according to the network request;
a vulnerability or attack determining module 603, configured to determine that an SSRF vulnerability exists in the server if the server has a connection record for the local area network IP address; if the server has the SSRF vulnerability, determining whether the server is attacked by the SSRF vulnerability;
a vulnerability or attack processing module 604 for processing the SSRF vulnerability and/or SSRF vulnerability attack.
Optionally, the attention condition further includes:
the network request is from a public network IP address and carries access request parameters for a local area network IP address;
and/or,
the network request is from a public network IP address and the network request does not conform to an ignoring condition;
and/or,
the network request is from a public network IP address and carries access request parameters for a local area network IP address, and the network request does not conform to an ignoring condition.
Optionally, if the network request meets the attention condition, and the network request includes a local area network IP address, and the local area network IP address includes port information, the connection determining module 602 determines whether the server processing the network request generates a connection record for the port according to the network request;
if yes, the vulnerability or attack determining module 603 determines that an SSRF vulnerability exists in the server and, if the server has the SSRF vulnerability, determines whether the server is under SSRF vulnerability attack.
Optionally, determining whether the server is under SSRF vulnerability attack includes:
determining whether the server is under SSRF vulnerability attack according to the network protocol of the network request and/or the number of local area network IP addresses the server connects to within the third time and/or the number of times the server connects to local area network IP addresses within the fourth time.
Optionally, a third type of network protocol is determined, and if the server has an SSRF vulnerability, the vulnerability or attack determination module 603 determines whether the server is attacked by the SSRF vulnerability according to whether the network protocol of the network request belongs to the third type of network protocol.
A tenth embodiment of the present specification provides an SSRF vulnerability determination device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server has the SSRF vulnerability.
An eleventh embodiment of the present specification provides an SSRF vulnerability attack determination device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has the SSRF vulnerability, and determining whether the server is under SSRF vulnerability attack according to the network protocol of the network request and/or the number of local area network IP addresses the server connects to within the first time and/or the number of times the server connects to local area network IP addresses within the second time.
A twelfth embodiment of the present specification provides an SSRF vulnerability processing apparatus, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
if yes, determining whether the server is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
A thirteenth embodiment of the present specification provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, perform the steps of:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server has the SSRF vulnerability.
A fourteenth embodiment of the present specification provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, perform the steps of:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
A fifteenth embodiment of the present specification provides a computer-readable storage medium having stored thereon computer-executable instructions that, when executed by a processor, perform the steps of:
determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
if yes, determining whether the server is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
The above embodiments may be used in combination.
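The tenth through fifteenth embodiments above all share the same core steps: check that the request meets the attention condition, then check whether the server that processed it produced a connection record to a local area network IP address. The following is an added example of that correlation, written for this page and not taken from the patent; it applies the stricter attention condition of claims 2 to 4 (public source IP, not ignorable via an allowlist/denylist, and a request parameter that names or resolves to a LAN address) and the port matching of claim 5. The LAN ranges, the request and connection-record formats, the resolver mapping and every sample value are constructed assumptions.

```python
"""Added example (not the patent's own code): correlate a request from a public
IP with a server-side connection record to a LAN address, as the embodiments
describe. All names, sample requests, records and the resolver are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Union
from urllib.parse import parse_qs, urlsplit

# Address ranges treated as "local area network" for this example (assumption:
# the patent does not enumerate them). Loopback and link-local are included
# because a server-side connection to them is just as much an internal reach.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def parse_ip(value: str) -> Optional[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]:
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def is_lan_ip(value: str) -> bool:
    addr = parse_ip(value)
    return addr is not None and any(addr in net for net in LAN_NETWORKS)

def is_public_ip(value: str) -> bool:
    addr = parse_ip(value)
    return addr is not None and not any(addr in net for net in LAN_NETWORKS)

@dataclass(frozen=True)
class NetworkRequest:
    request_id: str
    source_ip: str   # client address as seen by the server
    url: str         # full request URL, query string included

@dataclass(frozen=True)
class ConnectionRecord:
    request_id: str  # inbound request on whose behalf the server connected out
    dst_ip: str
    dst_port: int

Resolver = Callable[[str], Optional[str]]  # hostname -> IP, None if unresolvable

def lan_targets(req: NetworkRequest, resolve: Resolver) -> list:
    """Claim-4 style parameter inspection: each query value that is a URL or a
    bare IP is reduced to (ip, port); only LAN-pointing targets are returned."""
    targets = []
    for values in parse_qs(urlsplit(req.url).query).values():
        for value in values:
            try:
                if "://" in value:
                    parts = urlsplit(value)
                    host, port = parts.hostname, parts.port
                else:
                    host, port = value, None
            except ValueError:          # malformed port etc.
                continue
            if not host:
                continue
            # Literal IPs are checked directly; hostnames go through the resolver
            ip = host if parse_ip(host) is not None else resolve(host)
            if ip is not None and is_lan_ip(ip):
                targets.append((ip, port))
    return targets

def meets_attention_condition(req: NetworkRequest, resolve: Resolver,
                              allowlist=frozenset(), denylist=frozenset()) -> bool:
    """Claims 1-3: public source IP, not ignorable, and a LAN-pointing parameter."""
    if not is_public_ip(req.source_ip):
        return False
    ignorable = req.source_ip in allowlist and req.source_ip not in denylist
    if ignorable:
        return False
    return bool(lan_targets(req, resolve))

def find_ssrf(req: NetworkRequest, records: Iterable[ConnectionRecord], resolve: Resolver,
              allowlist=frozenset(), denylist=frozenset()) -> Optional[ConnectionRecord]:
    """Returns the connection record that evidences the SSRF, or None.
    When the request named a port, the record must match it too (claim 5)."""
    if not meets_attention_condition(req, resolve, allowlist, denylist):
        return None
    wanted = lan_targets(req, resolve)
    for rec in records:
        if rec.request_id != req.request_id or not is_lan_ip(rec.dst_ip):
            continue
        for ip, port in wanted:
            if rec.dst_ip == ip and (port is None or rec.dst_port == port):
                return rec
    return None

# Constructed sample data: a resolver table standing in for DNS, four requests
# and the server's outbound connection log (documentation-range public IPs).
RESOLVER_TABLE = {"intranet-db.internal": "10.0.0.5", "cdn.example.com": "198.51.100.7"}
def sample_resolver(host: str) -> Optional[str]:
    return RESOLVER_TABLE.get(host)

REQ_INTERNAL_HOST = NetworkRequest("r1", "203.0.113.10",
    "https://app.example.test/fetch?url=http://intranet-db.internal:8080/status")
REQ_BARE_IP = NetworkRequest("r2", "203.0.113.11",
    "https://app.example.test/fetch?target=192.168.1.20")
REQ_EXTERNAL = NetworkRequest("r3", "203.0.113.12",
    "https://app.example.test/fetch?url=https://cdn.example.com/")
REQ_FROM_LAN = NetworkRequest("r4", "10.1.1.1",
    "https://app.example.test/fetch?url=http://intranet-db.internal:8080/status")

RECORDS = [
    ConnectionRecord("r1", "10.0.0.5", 8080),      # server reached the internal host: SSRF
    ConnectionRecord("r2", "192.168.1.20", 80),    # bare-IP parameter, no port named: SSRF
    ConnectionRecord("r3", "198.51.100.7", 443),   # ordinary outbound fetch
    ConnectionRecord("r4", "10.0.0.5", 8080),      # same target, but requester is on the LAN
]

if __name__ == "__main__":
    for req in (REQ_INTERNAL_HOST, REQ_BARE_IP, REQ_EXTERNAL, REQ_FROM_LAN):
        hit = find_ssrf(req, RECORDS, sample_resolver)
        print(req.request_id, "SSRF" if hit else "no finding", hit)
```

The correlation key is the request identifier, so the outbound connection log must carry it (a request-scoped id propagated into the HTTP client or a socket hook is the usual way); without it, the best a monitor can do is match on time and server, which is noisier. The resolver is injected so the check can run offline and so that a production deployment can resolve through the same DNS path the server itself uses.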
While certain embodiments of the present disclosure have been described above, other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily have to be in the particular order shown or in sequential order to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, device, and non-volatile computer-readable storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some portions of the description of the method embodiments.
The apparatus, the device, the nonvolatile computer readable storage medium, and the method provided in the embodiments of the present specification correspond to each other, and therefore, the apparatus, the device, and the nonvolatile computer storage medium also have similar advantageous technical effects to the corresponding method.
In the 1990s, improvements in a technology could be clearly distinguished as improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) or improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements can be regarded as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system on a PLD by programming it, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is often implemented by "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is also written in a specific programming language, called a Hardware Description Language (HDL). There is not one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. The memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. Means for performing the functions may even be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the various elements may be implemented in the same one or more software and/or hardware implementations of the present description.
As will be appreciated by one skilled in the art, the present specification embodiments may be provided as a method, system, or computer program product. Accordingly, embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (24)

1. A method for SSRF vulnerability determination,
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server for processing the network request has an SSRF vulnerability.
2. The method of claim 1, wherein the condition of interest further comprises:
the network request is from a public network IP address and carries access request parameters for the local network IP address;
and/or,
the network request is from a public network IP address and the network request does not conform to an ignoring condition;
and/or,
the network request is from a public network IP address and carries access request parameters for a local area network IP address, and the network request does not conform to an ignoring condition.
3. The method of claim 2, wherein the network request not complying with an ignore condition comprises:
the source IP address of the network request is not present in a white list and/or the source IP address of the network request is present in a black list.
4. The method of claim 2, wherein the network request carrying access request parameters for a local area network IP address comprises:
determining whether the network request contains a Uniform Resource Locator (URL) or an IP address;
if the network request contains a URL, determining whether an IP address obtained after the URL is analyzed is a local area network IP address;
if so, determining that the network request carries an access request parameter for the IP address of the local area network;
if the network request contains the IP address, determining whether the contained IP address is a local area network IP address, and if so, determining that the network request carries access request parameters for the local area network IP address.
5. The method of claim 4, wherein the method further comprises:
if the network request meets the attention condition, the network request comprises a local area network IP address, and the local area network IP address comprises port information, determining whether a server processing the network request generates a connection record of the port according to the network request;
and if so, determining that the server has the SSRF vulnerability.
6. The method of any of claims 1 to 5, further comprising:
and if the server has the SSRF vulnerability, determining the vulnerability level of the server according to the network protocol of the network request.
7. The method of claim 6,
and determining a first type of network protocol, and if the server has an SSRF vulnerability, determining the vulnerability level of the server according to whether the network protocol of the network request belongs to the first type of network protocol.
8. The method of any of claims 1 to 5, wherein determining whether a server processing the network request generates a connection record for a local area network IP address from the network request comprises:
and after the network request is initiated, whether a server processing the network request generates a connection record of the local area network IP address according to the network request is determined.
9. An SSRF vulnerability attack determination method, characterized in that,
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server processing the network request has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
10. The method of claim 9, wherein the condition of interest further comprises:
the network request is from a public network IP address and carries access request parameters for the local network IP address;
and/or,
the network request is from a public network IP address and the network request does not conform to an ignoring condition;
and/or,
the network request is from a public network IP address and carries access request parameters for a local area network IP address, and the network request does not conform to an ignoring condition.
11. The method of claim 9 or 10,
and determining a second type of network protocol, and if the server has an SSRF vulnerability, determining whether the server is attacked by the SSRF vulnerability according to whether the network protocol of the network request belongs to the second type of network protocol.
12. An SSRF vulnerability processing method, characterized in that,
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server processing the network request has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
and if so, determining whether the server processing the network request is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
13. The method of claim 12, wherein the condition of interest further comprises:
the network request is from a public network IP address and carries access request parameters for the local network IP address;
and/or,
the network request is from a public network IP address and the network request does not conform to an ignoring condition;
and/or,
the network request is from a public network IP address and carries access request parameters for a local area network IP address, and the network request does not conform to an ignoring condition.
14. The method of claim 12 or 13, wherein determining whether the server is subject to an SSRF vulnerability attack comprises:
and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the third time and/or the number of the local area network IP addresses connected with the server in the fourth time.
15. The method of claim 14,
and determining a third type of network protocol, and if the server has an SSRF vulnerability, determining whether the server is attacked by the SSRF vulnerability according to whether the network protocol of the network request belongs to the third type of network protocol.
16. An apparatus for SSRF vulnerability determination, comprising:
an attention determining module, configured to determine, after a network request is generated, whether the network request meets an attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
a connection determining module, configured to determine whether a server processing the network request generates a connection record for a local area network IP address according to the network request if the network request meets a concern condition;
and the vulnerability determining module is used for determining that the SSRF vulnerability exists in the server for processing the network request if the server has the connection record of the local area network IP address.
17. An apparatus for SSRF vulnerability determination, comprising:
an attention determining module, configured to determine, after a network request is generated, whether the network request meets an attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
a connection determining module, configured to determine whether a server processing the network request generates a connection record for a local area network IP address according to the network request if the network request meets a concern condition;
a vulnerability or attack determination module, configured to determine that an SSRF vulnerability exists in a server that processes the network request if the server has a connection record for the local area network IP address; and if the server for processing the network request has the SSRF vulnerability, determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or according to the number of the local area network IP addresses connected with the server in the first time and/or according to the number of times of connection of the server to the local area network IP addresses in the second time.
18. An SSRF vulnerability processing apparatus, comprising:
an attention determining module, configured to determine, after a network request is generated, whether the network request meets an attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
a connection determining module, configured to determine whether a server processing the network request generates a connection record for a local area network IP address according to the network request if the network request meets a concern condition;
a vulnerability or attack determination module, configured to determine that an SSRF vulnerability exists in a server that processes the network request if the server has a connection record for the local area network IP address; if the server processing the network request has an SSRF vulnerability, determining whether the server processing the network request is attacked by the SSRF vulnerability;
and the vulnerability or attack processing module is used for processing the SSRF vulnerability and/or the SSRF vulnerability attack.
19. An SSRF vulnerability determination device, comprising:
at least one processor;
and
a memory communicatively coupled to the at least one processor;
wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server for processing the network request has an SSRF vulnerability.
20. An SSRF vulnerability determination device, comprising:
at least one processor;
and
a memory communicatively coupled to the at least one processor;
wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server processing the network request has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
21. An SSRF vulnerability processing device, comprising:
at least one processor;
and
a memory communicatively coupled to the at least one processor;
wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server processing the network request has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
and if so, determining whether the server processing the network request is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
22. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, perform the steps of:
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
and if so, determining that the server for processing the network request has an SSRF vulnerability.
23. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, perform the steps of:
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server processing the network request has the SSRF vulnerability, and determining whether the server is attacked by the SSRF vulnerability according to the network protocol of the network request and/or the number of the local area network IP addresses connected with the server in the first time and/or the number of the local area network IP addresses connected with the server in the second time.
24. A computer-readable storage medium having computer-executable instructions stored thereon which, when executed by a processor, perform the steps of:
after a network request is generated, determining whether the network request meets the attention condition, wherein the attention condition comprises that the network request is from a public network IP address;
if yes, determining whether a server processing the network request generates a connection record of a local area network IP address according to the network request;
if yes, determining that the server processing the network request has an SSRF vulnerability and processing the SSRF vulnerability, and/or,
and if so, determining whether the server processing the network request is attacked by the SSRF vulnerability, and processing the SSRF vulnerability attack.
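Claims 6 to 7 grade the vulnerability by the protocol of the triggering request, and claims 9 to 15 decide whether the vulnerable server is actually under attack from the protocol, the number of distinct LAN addresses reached within one time window, and the number of LAN connections made within a second window. The following added example (written for this page, not the patent's own code) implements those three signals over a constructed connection log. The protocol classes, the window lengths, the thresholds and the sample events are assumptions; the patent leaves the "first/second type" protocol sets and the time values to the operator.

```python
"""Added example (not the patent's own code): attack determination for a server
already found to have an SSRF vulnerability, from the request protocol and from
connection counts over two time windows. Protocol classes, thresholds and the
event log are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Iterable, List

@dataclass(frozen=True)
class LanConnection:
    ts: float       # seconds since epoch when the server opened the connection
    server: str     # server that processed the inbound request
    dst_ip: str     # LAN address it connected to
    protocol: str   # URL scheme of the inbound request that caused it

@dataclass
class Verdict:
    level: str                  # vulnerability level from the protocol class (claims 6-7)
    attacked: bool              # SSRF attack in progress (claims 9-15)
    reasons: List[str] = field(default_factory=list)

# Assumed "first type" protocol set: schemes other than http/https are placed
# in the higher class, since a server fetching over them reaches internal
# services that plain web fetches would not.
HIGH_RISK_PROTOCOLS = frozenset({"gopher", "dict", "file", "ftp"})

def vulnerability_level(protocol: str) -> str:
    return "high" if protocol.lower() in HIGH_RISK_PROTOCOLS else "medium"

def judge(events: Iterable[LanConnection], server: str, request_protocol: str, now: float, *,
          scan_window: float = 60.0, max_distinct: int = 10,
          burst_window: float = 10.0, max_connections: int = 50) -> Verdict:
    """Signal 1: the triggering request's protocol is in the high-risk class.
    Signal 2: >= max_distinct distinct LAN addresses within scan_window seconds
    (a sweep of the internal range). Signal 3: >= max_connections LAN
    connections within burst_window seconds (hammering one internal service)."""
    own = [e for e in events if e.server == server]
    verdict = Verdict(level=vulnerability_level(request_protocol), attacked=False)
    if request_protocol.lower() in HIGH_RISK_PROTOCOLS:
        verdict.reasons.append(f"request used protocol {request_protocol}")
    distinct = {e.dst_ip for e in own if now - scan_window <= e.ts <= now}
    if len(distinct) >= max_distinct:
        verdict.reasons.append(f"{len(distinct)} distinct LAN addresses in {scan_window:g}s")
    total = sum(1 for e in own if now - burst_window <= e.ts <= now)
    if total >= max_connections:
        verdict.reasons.append(f"{total} LAN connections in {burst_window:g}s")
    verdict.attacked = bool(verdict.reasons)
    return verdict

# Constructed logs for server "web-1": a single internal fetch, a sweep across
# twelve LAN addresses in twelve seconds, and sixty hits on one address in six seconds.
def quiet_log() -> List[LanConnection]:
    return [LanConnection(1000.0, "web-1", "10.0.0.5", "http")]

def scan_log() -> List[LanConnection]:
    return [LanConnection(1000.0 + i, "web-1", f"10.0.0.{i + 1}", "http") for i in range(12)]

def burst_log() -> List[LanConnection]:
    return [LanConnection(1000.0 + i * 0.1, "web-1", "10.0.0.5", "http") for i in range(60)]

if __name__ == "__main__":
    print("quiet :", judge(quiet_log(), "web-1", "http", now=1000.0))
    print("scan  :", judge(scan_log(), "web-1", "http", now=1011.0))
    print("burst :", judge(burst_log(), "web-1", "http", now=1006.0))
    print("proto :", judge(quiet_log(), "web-1", "gopher", now=1000.0))
```

The two windows deliberately measure different things: the distinct-address count catches slow enumeration of the internal range, while the raw connection count catches repeated use of one already-found service; a single threshold would miss one or the other. The per-server filter matters too, because a fleet-wide count would let a noisy but benign server mask a quiet one that is being abused.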
CN201811484066.7A 2018-12-06 2018-12-06 SSRF vulnerability or attack determination and processing method, device, equipment and medium Active CN110011955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811484066.7A CN110011955B (en) 2018-12-06 2018-12-06 SSRF vulnerability or attack determination and processing method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN110011955A CN110011955A (en) 2019-07-12
CN110011955B (en) 2022-03-04

Family

ID=67165053

Country Status (1)

Country Link
CN (1) CN110011955B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371745B (en) * 2020-02-21 2022-06-28 北京百度网讯科技有限公司 Method and apparatus for determining SSRF vulnerability
CN114257391B (en) * 2020-09-24 2024-01-26 中国电信股份有限公司 Risk assessment method, apparatus and computer readable storage medium
CN114301673A (en) * 2021-12-28 2022-04-08 上海识装信息科技有限公司 Vulnerability detection method and device, electronic equipment and storage medium
CN115529160A (en) * 2022-08-22 2022-12-27 东北大学秦皇岛分校 Efficient and safe large-scale ISP network vulnerability assessment method

Citations (3)

Publication number Priority date Publication date Assignee Title
CN104967609A (en) * 2015-04-28 2015-10-07 腾讯科技(深圳)有限公司 Intranet development server access method, intranet development server access device and intranet development server access system
CN107347076A (en) * 2017-08-23 2017-11-14 杭州安恒信息技术有限公司 The detection method and device of SSRF leaks
CN108809890A (en) * 2017-04-26 2018-11-13 腾讯科技(深圳)有限公司 Leak detection method, test server and client

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8020193B2 (en) * 2008-10-20 2011-09-13 International Business Machines Corporation Systems and methods for protecting web based applications from cross site request forgery attacks

Similar Documents

Publication Publication Date Title
CN110011955B (en) SSRF vulnerability or attack determination and processing method, device, equipment and medium
US10530789B2 (en) Alerting and tagging using a malware analysis platform for threat intelligence made actionable
US10218790B2 (en) Providing access to a resource for a computer from within a restricted network
US10200389B2 (en) Malware analysis platform for threat intelligence made actionable
US10055580B2 (en) Technologies for multi-factor security analysis and runtime control
US20210036991A1 (en) System and method for implementing a web application firewall as a customized service
US20140245448A1 (en) Apparatus and method for analyzing permission of application for mobile devices and detecting risk
JP2018536351A (en) Method and apparatus for identifying network attacks
CN107145376B (en) Active defense method and device
US8572625B2 (en) Method and system for application migration using per-application persistent configuration dependency
CN110445769B (en) Access method and device of business system
EP2600588A2 (en) Method and device for mandatory access control
US8650640B2 (en) Using a declaration of security requirements to determine whether to permit application operations
EP3779692B1 (en) Blockchain data processing
US20190199751A1 (en) Shadow IT Discovery Using Traffic Signatures
CN109688153A (en) Use threat detection on the zero of host application/program to user agent mapping
US9965620B2 (en) Application program interface (API) monitoring bypass
US11528291B2 (en) Methods and apparatus for defending against exploitation of vulnerable software
CN116668535B (en) Service execution method, device and equipment based on enhanced service architecture
US10628591B2 (en) Method for fast and efficient discovery of data assets
US10542014B2 (en) Automatic categorization of IDPS signatures from multiple different IDPS systems
US20140283080A1 (en) Identifying stored vulnerabilities in a web service
US20230179568A1 (en) System and method for multi-layered rule learning in url filtering
US9384074B1 (en) Redirecting service calls using endpoint overrides
US11556649B2 (en) Methods and apparatus to facilitate malware detection using compressed data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201013
Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands
Applicant after: Innovative advanced technology Co.,Ltd.
Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands
Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20201013
Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands
Applicant after: Advanced innovation technology Co.,Ltd.
Address before: P.O. Box 847, Fourth Floor, Capital Building, Grand Cayman, British Cayman Islands
Applicant before: Alibaba Group Holding Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20220128
Address after: Room 204, Building 15, No. 1999, middle section of Yizhou Avenue, High-tech Zone, Chengdu, China (Sichuan) Pilot Free Trade Zone
Applicant after: Ant Rongxin (Chengdu) Network Technology Co.,Ltd.
Address before: 27 Hospital Road, George Town, Grand Cayman KY1-9008
Applicant before: Innovative advanced technology Co.,Ltd.

GR01 Patent grant