CN110084044A - Method and related device for automatically testing horizontal privilege escalation vulnerabilities - Google Patents

Method and related device for automatically testing horizontal privilege escalation vulnerabilities

Info

Publication number
CN110084044A
Application CN201910195290.2A
Authority
CN
China
Prior art keywords
account
test request
operation permission
privilege escalation
vulnerability
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910195290.2A
Other languages
Chinese (zh)
Inventor
唐新玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
OneConnect Smart Technology Co Ltd
Original Assignee
OneConnect Smart Technology Co Ltd
Application filed by OneConnect Smart Technology Co Ltd
Priority to CN201910195290.2A
Publication of CN110084044A
Priority to PCT/CN2019/122940 (WO2020181841A1)
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and related device for automatically testing horizontal privilege escalation vulnerabilities, in the field of comparative testing. The method comprises: creating a first account and a second account that have an identical account operation permission list, the list enumerating all account operation permissions that the corresponding account possesses; using the first account, issuing a reference test request for each account operation permission to obtain the corresponding reference test request URL; based on the reference test request URL, issuing a control test request for each account operation permission using the second account to obtain the corresponding control test request result; and determining, from the control test request results, whether a horizontal privilege escalation vulnerability exists. The method improves the efficiency of testing for horizontal privilege escalation vulnerabilities.

Description

Method and related device for automatically testing horizontal privilege escalation vulnerabilities
Technical field
The present invention relates to the field of comparative testing, and in particular to a method and related device for automatically testing horizontal privilege escalation vulnerabilities.
Background technique
A well-architected, properly secured system should, for every request it receives, first check the permissions of the user who sent the request and only then serve it. In practice, because of oversights by the engineers who built the system, a system may fail to check permissions for some operations and simply serve whoever sent the request. A user who lacks a permission can then still exercise it; this is privilege escalation. One kind of privilege escalation is horizontal privilege escalation: the attacker and the victim belong to the same permission group, and each should only be able to operate on the content of their own account, but the attacker changes the identity carried in the request sent to the system to the victim's identity and thereby succeeds in operating on the victim's content. For example, user A changes the identity in a request sent to the system to that of user B and thereby succeeds in changing user B's password; this is horizontal privilege escalation.
In the prior art, testing for horizontal privilege escalation vulnerabilities is performed manually by testers according to their own experience. Omissions and mistakes occur in this process, and efficiency is low.
Summary of the invention
Based on this, to solve the technical problem in the related art of how to test more efficiently and automatically for horizontal privilege escalation vulnerabilities at the technical level, the present invention provides a method and related device for automatically testing horizontal privilege escalation vulnerabilities.
In a first aspect, a method for automatically testing horizontal privilege escalation vulnerabilities is provided, comprising:
creating a first account and a second account that have an identical account operation permission list, the list enumerating all account operation permissions that the corresponding account possesses;
using the first account, issuing a reference test request for each account operation permission to obtain the corresponding reference test request URL;
based on the reference test request URL, issuing a control test request for each account operation permission using the second account to obtain the corresponding control test request result;
determining, from the corresponding control test request results, whether a horizontal privilege escalation vulnerability exists.
In an exemplary embodiment of the disclosure, creating the first account and the second account with an identical account operation permission list comprises:
creating the first account;
creating the second account;
assigning all account operation permissions enumerated in the account operation permission list to the first account and the second account.
In an exemplary embodiment of the disclosure, using the first account to issue a reference test request for each account operation permission to obtain the corresponding reference test request URL comprises:
for each account operation permission, sending the corresponding legitimate request URL using the first account, and taking that legitimate request URL as the corresponding reference test request URL.
In an exemplary embodiment of the disclosure, issuing, based on the reference test request URL, a control test request for each account operation permission using the second account to obtain the corresponding control test request result comprises:
from the reference test request URLs sent by the first account, determining each identification parameter in the reference test request URLs and the first account's value for each identification parameter;
for each account operation permission, determining the corresponding control test request URL based on the first account's identification parameter values;
for each account operation permission, sending the corresponding control test request URL using the second account, and taking the returned message as the corresponding control test request result.
In an exemplary embodiment of the disclosure, determining, for each account operation permission, the corresponding control test request URL based on the first account's identification parameter values comprises:
for each account operation permission, replacing the identification parameter values in the second account's legitimate request URL with the first account's identification parameter values to obtain the corresponding illegitimate request URL;
taking the illegitimate request URL as the corresponding control test request URL.
In an exemplary embodiment of the disclosure, determining from the corresponding control test request results whether a horizontal privilege escalation vulnerability exists comprises:
for each account operation permission, if the returned message in the corresponding control test request result shows that the control test request was accepted, determining that a horizontal privilege escalation vulnerability exists on that account operation permission.
In an exemplary embodiment of the disclosure, after determining from the corresponding control test request results whether a horizontal privilege escalation vulnerability exists, the method further comprises:
sending information on the account operation permissions on which a horizontal privilege escalation vulnerability exists to a management end.
According to a second aspect of the disclosure, a device for automatically testing horizontal privilege escalation vulnerabilities is provided, comprising:
a creation module for creating a first account and a second account with an identical account operation permission list, the list enumerating all account operation permissions that the corresponding account possesses;
a reference test request module for issuing, using the first account, a reference test request for each account operation permission to obtain the corresponding reference test request URL;
a control test request module for issuing, based on the reference test request URL and using the second account, a control test request for each account operation permission to obtain the corresponding control test request result;
a determining module for determining, from the corresponding control test request results, whether a horizontal privilege escalation vulnerability exists.
According to a third aspect of the disclosure, an electronic device for automatically testing horizontal privilege escalation vulnerabilities is provided, comprising:
a memory configured to store executable instructions;
a processor configured to execute the executable instructions stored in the memory so as to perform the method described above.
According to a fourth aspect of the disclosure, a computer-readable storage medium is provided, storing computer program instructions which, when executed by a computer, cause the computer to perform the method described above.
Compared with the traditional technique, in which testing for horizontal privilege escalation vulnerabilities is performed manually by testers, embodiments of the disclosure automatically create a first account and a second account and use the second account to test the account operation permissions, which improves the efficiency of testing for horizontal privilege escalation vulnerabilities.
Other features and advantages of the disclosure will become apparent from the following detailed description, or will in part be learned by practice of the disclosure.
It should be understood that the above general description and the following detailed description are merely exemplary and do not limit the disclosure.
Detailed description of the invention
Fig. 1 shows a flowchart of automatic testing for horizontal privilege escalation vulnerabilities according to an example embodiment of the disclosure.
Fig. 2 shows a block diagram of a device for automatically testing horizontal privilege escalation vulnerabilities according to an example embodiment of the disclosure.
Fig. 3 shows a detailed flowchart of creating a first account and a second account with an identical account operation permission list according to an example embodiment of the disclosure.
Fig. 4 shows a detailed flowchart of issuing, based on the reference test request URL, a control test request for each account operation permission using the second account to obtain the corresponding control test request result, according to an example embodiment of the disclosure.
Fig. 5 shows a detailed flowchart of determining, for each account operation permission, the corresponding control test request URL based on the first account's identification parameter values, according to an example embodiment of the disclosure.
Fig. 6 shows a system architecture diagram for automatic testing of horizontal privilege escalation vulnerabilities according to an example embodiment of the disclosure.
Fig. 7 shows a diagram of an electronic device for automatic testing of horizontal privilege escalation vulnerabilities according to an example embodiment of the disclosure.
Fig. 8 shows a diagram of a computer-readable storage medium for automatic testing of horizontal privilege escalation vulnerabilities according to an example embodiment of the disclosure.
Specific embodiment
Example embodiments are now described more fully with reference to the drawings. Example embodiments can, however, be implemented in many forms and should not be understood as limited to the examples set forth here; rather, these embodiments are provided so that the disclosure is thorough and complete and fully conveys the concept of the example embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. Many specific details are given in the following description to provide a full understanding of the embodiments of the disclosure. Those skilled in the art will recognise, however, that the technical solution of the disclosure may be practised without one or more of these specific details, or with other methods, components, devices, steps and so on. In other cases, well-known solutions are not shown or described in detail so as not to obscure aspects of the disclosure.
The drawings are merely schematic illustrations of the disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and their repeated description is omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The purpose of the disclosure is to test automatically for horizontal privilege escalation vulnerabilities at the technical level and to improve testing efficiency. A method for automatically testing horizontal privilege escalation vulnerabilities according to an embodiment of the disclosure comprises: creating a first account and a second account that have an identical account operation permission list, the list enumerating all account operation permissions that the corresponding account possesses; using the first account, issuing a reference test request for each account operation permission to obtain the corresponding reference test request URL; based on the reference test request URL, issuing a control test request for each account operation permission using the second account to obtain the corresponding control test request result; and determining, from the corresponding control test request results, whether a horizontal privilege escalation vulnerability exists. Compared with the traditional technique, in which testing for horizontal privilege escalation vulnerabilities is performed manually by testers, embodiments of the disclosure automatically create a first account and a second account and use the second account to test the account operation permissions, which improves the efficiency of testing for horizontal privilege escalation vulnerabilities.
Fig. 1 shows a flowchart of automatic testing for horizontal privilege escalation vulnerabilities according to an example embodiment of the disclosure:
Step S100: create a first account and a second account with an identical account operation permission list, the list enumerating all account operation permissions that the corresponding account possesses;
Step S110: using the first account, issue a reference test request for each account operation permission to obtain the corresponding reference test request URL;
Step S120: based on the reference test request URL, issue a control test request for each account operation permission using the second account to obtain the corresponding control test request result;
Step S130: determine, from the corresponding control test request results, whether a horizontal privilege escalation vulnerability exists.
The steps of the above method for automatically testing horizontal privilege escalation vulnerabilities in this example embodiment are now explained in detail with reference to the drawings.
In step S100, a first account and a second account with an identical account operation permission list are created, the list enumerating all account operation permissions that the corresponding account possesses.
In this way the first account and the second account stand on an equal footing with respect to every account operation permission, so that testing for horizontal privilege escalation vulnerabilities can proceed.
In one embodiment, as shown in Fig. 3, step S100 comprises:
Step S1001: create the first account;
Step S1002: create the second account;
Step S1003: assign all account operation permissions enumerated in the account operation permission list to the first account and the second account.
In one embodiment, the first account and the second account are created first. In order to test as many account operation permissions as possible for horizontal privilege escalation vulnerabilities, the enumerated account operation permissions are opened to both the first account and the second account, so that the server can detect horizontal privilege escalation vulnerabilities on every account operation permission in the enumerated list.
In step S110, using the first account, a reference test request is issued for each account operation permission to obtain the corresponding reference test request URL.
A reference test request URL is the request URL that the first account sends to the tested system for the account operation permission under test.
Issuing the reference test request with the first account gives the second account a reference test request URL to refer to, so that detection of horizontal privilege escalation vulnerabilities on the account operation permission can proceed.
In one embodiment, using the first account to issue a reference test request for each account operation permission comprises: for each account operation permission, sending the corresponding legitimate request URL using the first account, and taking that legitimate request URL as the corresponding reference test request URL.
A legitimate request URL is the request URL an account sends when, under its own identity, it requests an operation on its own content.
In step S120, based on the reference test request URL, a control test request is issued for each account operation permission using the second account to obtain the corresponding control test request result.
A control test request URL is the request URL that the second account sends to the tested system, taking the reference test request URL as its reference.
A control test request result is the response message the tested system returns in response to the control test request.
Issuing the control test request with the second account makes it possible to judge, from the content of the corresponding control test request result, whether a horizontal privilege escalation vulnerability exists on the corresponding account operation permission.
In one embodiment, as shown in Fig. 4, step S120 comprises:
Step S1201: from the reference test request URLs sent by the first account, determine each identification parameter in the reference test request URLs and the first account's value for each identification parameter;
Step S1202: for each account operation permission, determine the corresponding control test request URL based on the first account's identification parameter values;
Step S1203: for each account operation permission, send the corresponding control test request URL using the second account, and take the returned message as the corresponding control test request result.
An identification parameter is a parameter preset by the tested system that identifies, by a unique parameter value, the identity of each account or some attribute of it; for example, "userID" corresponds to the identity of the account's user and "addressID" corresponds to the address identifier of the account's user.
In this way the second account can use the first account's identification parameter values to pose as the first account and attempt to operate on the content covered by the first account's account operation permissions.
In one embodiment, as shown in Fig. 5, step S1202 comprises:
Step S12021: for each account operation permission, replace the identification parameter values in the second account's legitimate request URL with the first account's identification parameter values to obtain the corresponding illegitimate request URL;
Step S12022: take the illegitimate request URL as the corresponding control test request URL.
An illegitimate request URL is the request URL an account sends when it poses as another account and attempts to operate on that account's content.
Issuing the control test request with the second account lets the server judge, from the message the tested system returns for the control test request, whether the tested system recognised the control test request as illegitimate, and thus whether the tested system has a horizontal privilege escalation vulnerability in the configuration of the corresponding account operation permission.
In one embodiment, the first account sends a series of legitimate request URLs to the tested system; expressed here in natural language, for example: "my userID is 02, my password is xxx, I want to log in", "I want to delete the address information with addressID 34", "my userID is 02, I want to change my avatar", ... From these it can be determined that the first account's value for the identification parameter "userID" is "02" and its value for the identification parameter "addressID" is "34".
Meanwhile, the second account's value for the identification parameter "userID" is "03" and its value for the identification parameter "addressID" is "57". Then for the account operation permission "view personal information", the legitimate request URL the second account would send to the tested system is: "I want to view the personal information of the user whose userID is 03." To test whether this account operation permission has a horizontal privilege escalation vulnerability, the control test request the second account must issue is: "I want to view the personal information of the user whose userID is 02." Likewise, for the account operation permission "change shipping address", the legitimate request URL the second account would send to the tested system is "I want to change the address information with addressID 57", and the corresponding control test request is "I want to change the address information with addressID 34".
In step S130, it is determined from the corresponding control test request results whether a horizontal privilege escalation vulnerability exists.
By judging the content of the message the tested system returns for the control test request, the server can determine whether the tested system checked the permissions of the sender of the control test request, and thus whether a horizontal privilege escalation vulnerability exists on the corresponding account operation permission.
In one embodiment, determining from the corresponding control test request results whether a horizontal privilege escalation vulnerability exists comprises: for each account operation permission, if the returned message in the corresponding control test request result shows that the control test request was accepted, determining that a horizontal privilege escalation vulnerability exists on that account operation permission.
For example: the first account's value for the identification parameter "userID" is "02" and the second account's value is "03". For the account operation permission "view personal information", the control test request sent by the second account is: "I want to view the personal information of the user whose userID is 02." If the tested system's configuration of this account operation permission is sound, it will verify, against its session table or another reliable mechanism, whether the second account's userID really is "02"; on verification it will find that the second account has no permission to view the personal information of the account whose userID is "02", refuse the second account's control test request, and return a message indicating the refusal.
If instead the tested system has a horizontal privilege escalation vulnerability in its configuration of "view personal information", it will not verify whether the second account's userID really is "02", but will directly accept the second account's control test request and return the first account's personal information. Therefore, by inspecting the content of the control test request result, it can be determined whether the tested system has a horizontal privilege escalation vulnerability in the configuration of the corresponding account operation permission.
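The procedure of steps S100 to S130 can be exercised end to end against a stand-in for the tested system. The following is an added example written for this page, not code from the patent or its assignee: the application, its two handlers, the base URL, the session handling, the operation list and every parameter name other than "userID" and "addressID" are assumptions, and, as the text states, the identification parameter names are taken as preset by the system rather than discovered. The stand-in has a vulnerable variant that trusts the identifier in the request and a hardened variant that checks it against the session, so both outcomes of step S130 can be observed.

```python
# Added example (not from the patent): an offline, end-to-end run of steps
# S100-S130. The tested system, its handlers, the base URL and all parameter
# names other than userID and addressID are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

BASE = "https://app.example/api"      # assumed base URL of the system under test
ID_PARAMS = ("userID", "addressID")   # identification parameters preset by the system

# The account operation permission list shared by both accounts (step S1003).
# Each entry is the legitimate request template (path, query), filled in with
# the sending account's own identifier values.
OPERATIONS = {
    "view personal information": ("/profile", {"userID": "{userID}"}),
    "change shipping address": ("/address/update",
                                {"addressID": "{addressID}", "value": "1 New Rd"}),
}

@dataclass(frozen=True)
class Account:
    user_id: str
    address_id: str

    def ids(self):
        return {"userID": self.user_id, "addressID": self.address_id}

# ---- constructed stand-in for the tested system ----------------------------
USERS = {"02": {"name": "alice", "addressID": "34"},
         "03": {"name": "bob", "addressID": "57"}}

def system_under_test(session_user, url, vulnerable):
    """Return (status, body). `session_user` is the identity bound to the
    session; `vulnerable=True` selects the variant that trusts the identifier
    in the request instead of checking it against the session, which is the
    flaw the two-account test is meant to find."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.path.endswith("/profile"):
        uid = params.get("userID", "")
        if uid not in USERS:
            return 404, {"error": "no such user"}
        if not vulnerable and uid != session_user:
            return 403, {"error": "forbidden"}
        return 200, {"userID": uid, "name": USERS[uid]["name"]}
    if parts.path.endswith("/address/update"):
        aid = params.get("addressID", "")
        if not vulnerable and USERS[session_user]["addressID"] != aid:
            return 403, {"error": "forbidden"}
        return 200, {"addressID": aid, "value": params.get("value"), "updated": True}
    return 404, {"error": "not found"}

# ---- the test -------------------------------------------------------------
def legitimate_url(account, operation):
    """The URL an account sends under its own identity for its own content."""
    path, template = OPERATIONS[operation]
    query = {k: v.format(**account.ids()) for k, v in template.items()}
    return f"{BASE}{path}?{urlencode(query)}"

def identification_values(url):
    """Step S1201: read the sender's values of the identification parameters
    out of its reference test request URL."""
    return {k: v for k, v in parse_qsl(urlsplit(url).query) if k in ID_PARAMS}

def control_url(second, first_ids, operation):
    """Step S12021: the second account's own legitimate URL with every
    identification parameter replaced by the first account's value."""
    parts = urlsplit(legitimate_url(second, operation))
    query = [(k, first_ids.get(k, v)) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def run_test(first, second, send):
    """`send(account, url)` issues the request as that account and returns
    (status, body). Returns {operation: {"control_url", "status", "verdict"}}."""
    results = {}
    for op in OPERATIONS:
        ref_url = legitimate_url(first, op)                                 # S110
        ref_status, ref_body = send(first, ref_url)
        ctl_url = control_url(second, identification_values(ref_url), op)  # S1202
        ctl_status, ctl_body = send(second, ctl_url)                        # S1203
        # S130: the control request counts as accepted only when the second
        # account received the same successful outcome the first account got
        # for its own data. A 2xx with a different body (an error wrapped in a
        # 200, a redirect to login) is reported rather than silently passed.
        if ctl_status < 300 and (ctl_status, ctl_body) == (ref_status, ref_body):
            verdict = "VULNERABLE"
        elif ctl_status < 300:
            verdict = "INCONCLUSIVE"
        else:
            verdict = "OK"
        results[op] = {"control_url": ctl_url, "status": ctl_status, "verdict": verdict}
    return results

def audit(vulnerable):
    """Run the whole procedure against the stand-in and return the verdicts."""
    first, second = Account("02", "34"), Account("03", "57")               # S100
    send = lambda acct, url: system_under_test(acct.user_id, url, vulnerable)
    return {op: r["verdict"] for op, r in run_test(first, second, send).items()}

if __name__ == "__main__":
    print("vulnerable system:", audit(vulnerable=True))
    print("hardened system:  ", audit(vulnerable=False))
```

Two points a practitioner would add when running this against a real system rather than the stand-in: state-changing operations such as "change shipping address" modify the first account's data, so the reference and control requests should be replayed against disposable test accounts; and the identification parameters may travel in the request body, a header or a cookie rather than the query string, in which case the same substitution is applied there, but the verdict should still compare the returned message against the first account's reference response rather than trust the status code alone.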
In one embodiment, after determining from the corresponding control test request results whether a horizontal privilege escalation vulnerability exists, the method further comprises: sending information on the account operation permissions on which a horizontal privilege escalation vulnerability exists to a management end. That is, once it is determined that an account operation permission has a horizontal privilege escalation vulnerability, information that this account operation permission has a horizontal privilege escalation vulnerability is sent to the management end.
In one embodiment, as shown in Fig. 2, a device for automatically testing horizontal privilege escalation vulnerabilities is provided, which specifically comprises:
a creation module 210 for creating a first account and a second account with an identical account operation permission list, the list enumerating all account operation permissions that the corresponding account possesses;
a reference test request module 220 for issuing, using the first account, a reference test request for each account operation permission to obtain the corresponding reference test request URL;
a control test request module 230 for issuing, based on the reference test request URL and using the second account, a control test request for each account operation permission to obtain the corresponding control test request result;
a determining module 240 for determining, from the corresponding control test request results, whether a horizontal privilege escalation vulnerability exists.
The functions of the modules of the above device and how they are realised are detailed in the corresponding steps of the method for automatically testing horizontal privilege escalation vulnerabilities described above and are not repeated here.
Although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. According to embodiments of the disclosure, the features and functions of two or more modules or units described above may be embodied in a single module or unit; conversely, the features and functions of one module or unit described above may be further divided and embodied in multiple modules or units.
Although the steps of the method of the disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, several steps may be merged into one step, and/or one step may be split into several steps.
From the above description of the embodiments, those skilled in the art will readily appreciate that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. The technical solution of embodiments of the disclosure may therefore be embodied as a software product, which may be stored on a non-volatile storage medium (which may be a CD-ROM, USB flash drive, portable hard disk, etc.) or on a network, and which includes instructions that cause a computing device (which may be a personal computer, server, mobile terminal, network device, etc.) to perform the method according to embodiments of the disclosure.
Fig. 6 shows the composition of a system architecture for automatically testing horizontal over-permission vulnerabilities according to an example embodiment of the present disclosure. The system architecture includes: a system under test 310, a database 320, a first virtual client 330 and a second virtual client 340. The first virtual client 330 performs test operations using the first account, and the second virtual client 340 performs test operations using the second account.
In one embodiment, the first virtual client 330 sends reference test request URLs to the system under test 310; the database 320 sends the stored reference test request URLs to the second virtual client 340; the second virtual client 340 takes the received reference test request URLs as references, sends control test requests to the system under test 310, and receives the control test request results returned by the system under test 310.
From the above description of the system architecture, those skilled in the art will readily appreciate that the system architecture described herein can realize the functions of the modules of the device for automatically testing horizontal over-permission vulnerabilities shown in Fig. 2.
In an example embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will understand that various aspects of the present invention may be implemented as a system, a method or a program product. Therefore, various aspects of the present invention may be embodied in the following forms: a complete hardware embodiment, a complete software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be collectively referred to herein as a "circuit", "module" or "system".
An electronic device 400 according to this embodiment of the present invention is described below with reference to Fig. 7. The electronic device 400 shown in Fig. 7 is only an example and should not impose any limitation on the functions and scope of use of embodiments of the present invention.
As shown in Fig. 7, the electronic device 400 takes the form of a general-purpose computing device. The components of the electronic device 400 may include, but are not limited to: at least one processing unit 410, at least one storage unit 420, and a bus 430 connecting different system components (including the storage unit 420 and the processing unit 410).
The storage unit stores program code that can be executed by the processing unit 410, so that the processing unit 410 executes the steps of the various example embodiments of the present invention described in the "Example Methods" section of this specification. For example, the processing unit 410 may execute step S100 shown in Fig. 1: creating a first account and a second account having an identical account operating-permission list, the account operating-permission list showing all account operating permissions possessed by the corresponding account; step S110: using the first account, making a reference test request for each account operating permission to obtain the corresponding reference test request URL; step S120: based on the reference test request URL, using the second account to make a control test request for each account operating permission to obtain the corresponding control test request result; step S130: determining, based on the corresponding control test request result, whether a horizontal over-permission vulnerability exists.
The storage unit 420 may include a readable medium in the form of a volatile memory unit, such as a random access memory unit (RAM) 4201 and/or a cache memory unit 4202, and may further include a read-only memory unit (ROM) 4203.
The storage unit 420 may also include a program/utility 4204 having a set of (at least one) program modules 4205, such program modules 4205 including but not limited to: an operating system, one or more application programs, other program modules and program data, each of which, or some combination of which, may include an implementation of a network environment.
The bus 430 may represent one or more of several types of bus structures, including a memory unit bus or memory controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 400 may also communicate with one or more external devices 500 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 400, and/or with any device (such as a router, a modem, etc.) that enables the electronic device 400 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 450. Furthermore, the electronic device 400 may communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 460. As shown, the network adapter 460 communicates with the other modules of the electronic device 400 through the bus 430. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with the electronic device 400, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, etc.
From the above description of the embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in software combined with necessary hardware. Accordingly, the technical solution according to embodiments of the present disclosure may be embodied in the form of a software product, which may be stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and which includes instructions that cause a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) to execute the method according to embodiments of the present disclosure.
In an example embodiment of the present disclosure, a computer-readable storage medium is also provided, on which is stored a program product capable of implementing the above method of this specification. In some possible embodiments, various aspects of the present invention may also be implemented in the form of a program product including program code; when the program product runs on a terminal device, the program code causes the terminal device to execute the steps of the various example embodiments of the present invention described in the "Example Methods" section of this specification.
Referring to Fig. 8, a program product 600 for implementing the above method according to an embodiment of the present invention is described; it may employ a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. However, the program product of the present invention is not limited thereto; in this document, a readable storage medium may be any tangible medium that contains or stores a program, which program may be used by or in connection with an instruction execution system, apparatus or device.
The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
In addition, the above drawings are only schematic illustrations of the processing included in the method according to example embodiments of the present invention and are not intended to be limiting. It is readily understood that the processing shown in the above drawings does not indicate or limit the temporal order of that processing. It is also readily understood that the processing may be executed, for example, synchronously or asynchronously in multiple modules.
Those skilled in the art will readily conceive of other embodiments of the present disclosure after considering the specification and practising the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the present disclosure that follow the general principles of the present disclosure and include common knowledge or conventional technical means in the art not disclosed herein. The specification and examples are to be considered illustrative only, with the true scope and spirit of the present disclosure being indicated by the claims.

Claims (10)

1. A method for automatically testing horizontal over-permission vulnerabilities, characterized in that it comprises:
creating a first account and a second account having an identical account operating-permission list, the account operating-permission list showing all account operating permissions possessed by the corresponding account;
using the first account, making a reference test request for each account operating permission to obtain a corresponding reference test request URL;
based on the reference test request URL, using the second account to make a control test request for each account operating permission to obtain a corresponding control test request result;
determining, based on the corresponding control test request result, whether a horizontal over-permission vulnerability exists.
2. The method according to claim 1, characterized in that creating the first account and the second account having an identical account operating-permission list comprises:
creating the first account;
creating the second account;
assigning all account operating permissions summarized in the account operating-permission list to the first account and the second account.
3. The method according to claim 1, characterized in that using the first account to make a reference test request for each account operating permission to obtain a corresponding reference test request URL comprises:
for each account operating permission, sending the corresponding legitimate request URL using the first account, and determining that legitimate request URL as the corresponding reference test request URL.
4. The method according to claim 1, characterized in that, based on the reference test request URL, using the second account to make a control test request for each account operating permission to obtain a corresponding control test request result comprises:
from the reference test request URLs sent by the first account, determining the identification parameter in each reference test request URL as the identification parameter corresponding to the first account;
for each account operating permission, determining the corresponding control test request URL based on the identification parameter corresponding to the first account;
for each account operating permission, sending the corresponding control test request URL using the second account, and determining the corresponding returned message as the corresponding control test request result.
5. The method according to claim 4, characterized in that, for each account operating permission, determining the corresponding control test request URL based on the identification parameter corresponding to the first account comprises:
for each account operating permission, replacing the identification parameter in the legitimate request URL corresponding to the second account with the identification parameter corresponding to the first account, to obtain a corresponding illegitimate request URL;
determining the illegitimate request URL as the corresponding control test request URL.
6. The method according to claim 1, characterized in that determining, based on the corresponding control test request result, whether a horizontal over-permission vulnerability exists comprises:
for each account operating permission, if the corresponding returned message in the corresponding control test request result accepts the control test request, determining that a horizontal over-permission vulnerability exists on that account operating permission.
7. The method according to claim 1, characterized in that, after determining, based on the corresponding control test request result, whether a horizontal over-permission vulnerability exists, the method comprises:
sending information on the account operating permissions on which a horizontal over-permission vulnerability exists to a management terminal.
8. A device for automatically testing horizontal over-permission vulnerabilities, characterized in that it comprises:
a creation module, for creating a first account and a second account having an identical account operating-permission list, the account operating-permission list showing all account operating permissions possessed by the corresponding account;
a reference test request module, for using the first account to make a reference test request for each account operating permission, obtaining a corresponding reference test request URL;
a control test request module, for, based on the reference test request URL, using the second account to make a control test request for each account operating permission, obtaining a corresponding control test request result;
a determining module, for determining, based on the corresponding control test request result, whether a horizontal over-permission vulnerability exists.
9. An electronic device for automatically testing horizontal over-permission vulnerabilities, characterized in that it comprises:
a memory, configured to store executable instructions;
a processor, configured to execute the executable instructions stored in the memory, so as to implement the method according to any one of claims 1-7.
10. A computer-readable storage medium, characterized in that it stores computer program instructions which, when executed by a computer, cause the computer to execute the method according to any one of claims 1-7.
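The Fig. 6 architecture (two virtual clients, a system under test, a shared store of reference URLs) and claims 1 to 6 together describe one procedure: two accounts with identical permissions, a reference request per permission from the first account, an identification-parameter swap to build the second account's control request, and a verdict from whether that request is accepted. The following is an added example, not code from the patent or its applicant, that runs the whole procedure against a constructed in-memory system under test. The endpoints (`/orders`, `/profile`), the `user_id` identification parameter, the account ids, session tokens and permission names are all assumptions made for the example; the mock `/orders` handler omits the ownership check so the harness has something to find, while `/profile` shows the hardened form.

```python
"""Added example: simulation of the claimed test flow (steps S100-S130 /
claims 1-6) against a constructed in-memory system under test.  Nothing
here is the patent applicant's code; endpoints, ids and permission names
are constructed for illustration."""
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# --- constructed system under test --------------------------------------
# Each account owns some records; SESSIONS maps a session token to the
# account that authenticated with it.
RECORDS = {
    "orders":  {"1001": ["order-A1", "order-A2"], "1002": ["order-B1"]},
    "profile": {"1001": {"name": "alice"},       "1002": {"name": "bob"}},
}
SESSIONS = {"tok-first": "1001", "tok-second": "1002"}

def handle(session_token, url):
    """Minimal request dispatcher standing in for an HTTP server.
    /orders trusts the user_id in the query (the flaw the test should find);
    /profile enforces that the requested user_id matches the session owner."""
    caller = SESSIONS[session_token]
    parts = urlparse(url)
    requested = parse_qs(parts.query).get("user_id", [None])[0]
    if parts.path == "/orders":                   # missing ownership check
        return 200, RECORDS["orders"].get(requested, [])
    if parts.path == "/profile":                  # hardened: ownership check
        if requested != caller:
            return 403, {"error": "forbidden"}
        return 200, RECORDS["profile"][requested]
    return 404, {"error": "not found"}

# --- test harness following the claimed steps ---------------------------
# Account operating-permission list (claim 2): each permission maps to the
# legitimate request URL template; user_id is the identification parameter.
PERMISSION_URLS = {
    "view_orders":  "https://sut.example/orders?user_id={uid}",
    "view_profile": "https://sut.example/profile?user_id={uid}",
}
ID_PARAM = "user_id"

def create_accounts():
    """S100: two accounts holding exactly the same permission list."""
    first = {"id": "1001", "token": "tok-first", "perms": list(PERMISSION_URLS)}
    second = {"id": "1002", "token": "tok-second", "perms": list(PERMISSION_URLS)}
    return first, second

def reference_requests(first):
    """S110 / claim 3: the first account sends its own legitimate URL for
    each permission; that URL and its response form the reference."""
    refs = {}
    for perm in first["perms"]:
        url = PERMISSION_URLS[perm].format(uid=first["id"])
        refs[perm] = (url, handle(first["token"], url))
    return refs

def identification_parameter(reference_url):
    """Claim 4: recover the first account's identification parameter from
    the reference URL itself."""
    return parse_qs(urlparse(reference_url).query)[ID_PARAM][0]

def control_request_url(second_legit_url, first_id):
    """Claim 5: replace the id parameter in the second account's legitimate
    URL with the first account's id, giving the illegitimate control URL."""
    parts = urlparse(second_legit_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query[ID_PARAM] = first_id
    return urlunparse(parts._replace(query=urlencode(query)))

def find_horizontal_over_permission(first, second):
    """S120 + S130 / claim 6: send each control URL as the second account
    and flag the permission when the request is accepted.  As an extra check
    beyond the claim text, the body is compared with the reference body so
    an endpoint that answers 200 with empty data is not flagged."""
    refs = reference_requests(first)
    vulnerable = []
    for perm, (ref_url, (ref_status, ref_body)) in refs.items():
        first_id = identification_parameter(ref_url)
        second_legit = PERMISSION_URLS[perm].format(uid=second["id"])
        ctrl_url = control_request_url(second_legit, first_id)
        status, body = handle(second["token"], ctrl_url)
        if status == 200 and ref_status == 200 and body == ref_body:
            vulnerable.append(perm)
    return vulnerable

def run():
    """Whole flow; claim 7 would forward this list to the management terminal."""
    first, second = create_accounts()
    return find_horizontal_over_permission(first, second)

if __name__ == "__main__":
    print("permissions with horizontal over-permission:", run())
```

Running it reports `view_orders` and nothing else: the `/orders` handler returns the first account's records to the second account, while `/profile` rejects the substituted `user_id` with 403. The body comparison is the practitioner's addition to claim 6; a status code alone can misclassify endpoints that return 200 with an empty result or a generic error page.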
CN201910195290.2A 2019-03-14 2019-03-14 For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission Pending CN110084044A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910195290.2A CN110084044A (en) 2019-03-14 2019-03-14 For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission
PCT/CN2019/122940 WO2020181841A1 (en) 2019-03-14 2019-12-04 Method for automatically testing horizontal over-permission vulnerabilities and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910195290.2A CN110084044A (en) 2019-03-14 2019-03-14 For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission

Publications (1)

Publication Number Publication Date
CN110084044A true CN110084044A (en) 2019-08-02

Family

ID=67412442

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910195290.2A Pending CN110084044A (en) 2019-03-14 2019-03-14 For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission

Country Status (2)

Country Link
CN (1) CN110084044A (en)
WO (1) WO2020181841A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110674507A (en) * 2019-09-19 2020-01-10 深圳开源互联网安全技术有限公司 Method and system for detecting web application override
CN110688659A (en) * 2019-09-10 2020-01-14 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting horizontal override based on IAST test tool
CN111125713A (en) * 2019-12-18 2020-05-08 支付宝(杭州)信息技术有限公司 Method and device for detecting horizontal override vulnerability and electronic equipment
CN111416811A (en) * 2020-03-16 2020-07-14 携程旅游信息技术(上海)有限公司 Unauthorized vulnerability detection method, system, equipment and storage medium
WO2020181841A1 (en) * 2019-03-14 2020-09-17 深圳壹账通智能科技有限公司 Method for automatically testing horizontal over-permission vulnerabilities and related device
CN111767542A (en) * 2020-02-06 2020-10-13 北京沃东天骏信息技术有限公司 Unauthorized detection method and device
CN113242257A (en) * 2021-05-26 2021-08-10 中国银行股份有限公司 Unauthorized vulnerability detection method, device, equipment and storage medium
CN113949578A (en) * 2021-10-20 2022-01-18 重庆邮电大学 Automatic detection method and device for unauthorized vulnerability based on flow and computer equipment
CN116502202A (en) * 2023-06-25 2023-07-28 深圳开源互联网安全技术有限公司 Method and device for judging consistency of user permission model based on NLP technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060271491A1 (en) * 2005-05-26 2006-11-30 International Business Machines Corporation Apparatus and method for a software catalog having proxy entries
CN108696490A (en) * 2017-04-11 2018-10-23 腾讯科技(深圳)有限公司 The recognition methods of account permission and device
CN109302388A (en) * 2018-09-19 2019-02-01 平安科技(深圳)有限公司 Access authority filter method, system, computer equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902022A (en) * 2019-03-14 2019-06-18 深圳壹账通智能科技有限公司 The method and relevant device tested automatically for loophole of vertically going beyond one's commission
CN110084044A (en) * 2019-03-14 2019-08-02 深圳壹账通智能科技有限公司 For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020181841A1 (en) * 2019-03-14 2020-09-17 深圳壹账通智能科技有限公司 Method for automatically testing horizontal over-permission vulnerabilities and related device
CN110688659A (en) * 2019-09-10 2020-01-14 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting horizontal override based on IAST test tool
CN110674507A (en) * 2019-09-19 2020-01-10 深圳开源互联网安全技术有限公司 Method and system for detecting web application override
CN111125713A (en) * 2019-12-18 2020-05-08 支付宝(杭州)信息技术有限公司 Method and device for detecting horizontal override vulnerability and electronic equipment
CN111125713B (en) * 2019-12-18 2022-04-08 支付宝(杭州)信息技术有限公司 Method and device for detecting horizontal override vulnerability and electronic equipment
CN111767542A (en) * 2020-02-06 2020-10-13 北京沃东天骏信息技术有限公司 Unauthorized detection method and device
CN111416811A (en) * 2020-03-16 2020-07-14 携程旅游信息技术(上海)有限公司 Unauthorized vulnerability detection method, system, equipment and storage medium
CN111416811B (en) * 2020-03-16 2022-07-22 携程旅游信息技术(上海)有限公司 Unauthorized vulnerability detection method, system, equipment and storage medium
CN113242257A (en) * 2021-05-26 2021-08-10 中国银行股份有限公司 Unauthorized vulnerability detection method, device, equipment and storage medium
CN113949578A (en) * 2021-10-20 2022-01-18 重庆邮电大学 Automatic detection method and device for unauthorized vulnerability based on flow and computer equipment
CN113949578B (en) * 2021-10-20 2023-11-24 广州名控网络科技有限公司 Automatic detection method and device for unauthorized loopholes based on flow and computer equipment
CN116502202A (en) * 2023-06-25 2023-07-28 深圳开源互联网安全技术有限公司 Method and device for judging consistency of user permission model based on NLP technology

Also Published As

Publication number Publication date
WO2020181841A1 (en) 2020-09-17

Similar Documents

Publication Publication Date Title
CN110084044A (en) For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission
US10298591B2 (en) Secure integration of independent cloud foundry applications in a fiori launchpad
CN109194673A (en) Authentication method, system, equipment and storage medium based on authorized user message
US9864852B2 (en) Approaches for providing multi-factor authentication credentials
US9069976B2 (en) Risk adjusted, multifactor authentication
CN109598117A (en) Right management method, device, electronic equipment and storage medium
US9306954B2 (en) Apparatus, systems and method for virtual desktop access and management
US10362026B2 (en) Providing multi-factor authentication credentials via device notifications
US20160182487A1 (en) Permission architecture for remote management and capacity instances
KR20160006185A (en) Two factor authentication
CN109902022A (en) The method and relevant device tested automatically for loophole of vertically going beyond one's commission
CN103930896A (en) Indirect authentication
US10282537B2 (en) Single prompt multiple-response user authentication method
US10841297B2 (en) Providing multi-factor authentication credentials via device notifications
CN107040518A (en) A kind of private clound server log method and system
CN110162994A (en) Authority control method, system, electronic equipment and computer readable storage medium
CN110147664A (en) The method and relevant device of authentication based on centralization database
CN103975567B (en) Two-factor authentication method and virtual machine facility
CN110348237A (en) Data managing method and device, storage medium, electronic equipment based on block chain
CN106331003A (en) Method and device for accessing application portal system on cloud desktop
Ponticello et al. Exploring Authentication for {Security-Sensitive} Tasks on Smart Home Voice Assistants
CN107835162B (en) Software digital permit server gives the method and software digital permit server that permission is signed and issued in the license of software developer's software digital
CN105069366B (en) A kind of Account Logon and management method and device
CN110365634A (en) Abnormal data monitoring method, device, medium and electronic equipment
CN113158196A (en) Login verification method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: 201, room 518000, building A, No. 1, front Bay Road, Qianhai Shenzhen Guangdong Shenzhen Hong Kong cooperation zone (Qianhai business secretary)

Applicant after: Shenzhen one ledger Intelligent Technology Co., Ltd.

Address before: 518000 Guangdong city of Shenzhen province Qianhai Shenzhen Hong Kong cooperation zone before Bay Road No. 1 building 201 room A

Applicant before: Shenzhen one ledger Intelligent Technology Co., Ltd.

SE01 Entry into force of request for substantive examination