CN111767542A - Unauthorized detection method and device - Google Patents


Info

Publication number
CN111767542A
CN111767542A
Authority
CN
China
Prior art keywords
request
account
server
page
message
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010081689.0A
Other languages
Chinese (zh)
Inventor
李一伟
付勇勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd
Priority to CN202010081689.0A
Publication of CN111767542A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and device for detecting unauthorized access (越权: access beyond an account's authority, also rendered "override" below), and relates to the technical field of computers. One embodiment of the method comprises: accessing a preset resource location address (URL) in a preset linear table based on a first account, generating a first request and sending it to a server so as to receive a first response message fed back by the server; accessing the same resource location address based on a second account to generate a second request; acquiring the first cookie in the first request, replacing the second cookie in the second request with the first cookie, and sending the replaced second request to the server so as to receive a second response message fed back by the server; and if the first message is the same as the second message, determining that the second account has unauthorized access to the first account's data at that resource location address. The embodiment automatically checks for unauthorized access between accounts by swapping account cookies and comparing the response messages.

Description

Unauthorized detection method and device
Technical Field
The invention relates to the technical field of computers, in particular to a method and device for detecting unauthorized access.
Background
In the field of security testing, unauthorized-access vulnerabilities (越权, rendered both as "unauthorized" and "override" in this text) fall into two types: horizontal, where two users of equal privilege can see each other's sensitive data; and vertical, where a low-privileged user can see the data of a high-privileged user.
The existing vulnerability detection process relies mainly on manually analyzing the URL (Uniform Resource Locator) links of Web pages, analyzing the parameters carried in those URLs (such as order numbers and user names), and guessing whether unauthorized access might be possible.
In the course of implementing the invention, the inventors found that the prior art has at least the following problems:
because unauthorized access is guessed at and then verified manually, the set of URLs to be checked cannot be automatically enumerated and confirmed, and a crawler alone cannot obtain all URLs.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and apparatus for detecting unauthorized access, which at least address the problems in the prior art that not all URLs can be crawled and that it is difficult to verify whether a URL is subject to unauthorized access.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method for detecting unauthorized access, including:
accessing a preset resource location address in a preset linear table based on a first account, generating a first request and sending the first request to a server so as to receive a first message fed back by the server;
accessing the resource location address based on a second account to generate a second request, wherein the second account has permissions different from those of the first account;
acquiring the first cookie in the first request, replacing the second cookie in the second request with the first cookie, and sending the replaced second request to the server so as to receive a second message fed back by the server;
and if the first message is the same as the second message, determining that the second account has unauthorized access to the first account at the resource location address.
Optionally, before accessing the resource location address in the preset linear table based on the first account, the method further includes:
determining the operation items in an application page, and acquiring the page elements corresponding to the operation items;
and determining the resource location address from the hypertext reference (href) attribute of the page element, and then storing the resource location address in the linear table.
Optionally, storing the resource location address in the linear table further includes:
in response to a click operation on the resource location address, storing the resource location address in the linear table only if the page jump succeeds.
Optionally, the method further includes:
determining a first operation item in the page jumped to, and taking the element corresponding to the first operation item as a sub-element of the page element;
determining a first resource location address from the href attribute of the sub-element, and then storing the first resource location address in the linear table;
and repeating the page-jump and sub-element acquisition operations until the current page element has no sub-element.
To achieve the above object, according to another aspect of embodiments of the present invention, there is provided an apparatus for detecting unauthorized access, including:
an address access module, used to access a preset resource location address in a preset linear table based on a first account, generate a first request and send the first request to a server so as to receive a first message fed back by the server;
a request generating module, used to access the resource location address based on a second account and generate a second request, wherein the second account has permissions different from those of the first account;
an information replacement module, used to acquire the first cookie in the first request, replace the second cookie in the second request with the first cookie, and send the replaced second request to the server so as to receive a second message fed back by the server;
and an unauthorized-access determining module, used to determine that the second account has unauthorized access to the first account at the resource location address if the first message is the same as the second message.
Optionally, the apparatus further includes an address determining module, configured to:
determining operation items in an application page, and acquiring page elements corresponding to the operation items;
and determining the resource location address from the href attribute of the page element, and then storing the resource location address in the linear table.
Optionally, the address determining module is further configured to: in response to a click operation on the resource location address, store the resource location address in the linear table only if the page jump succeeds.
Optionally, the apparatus further includes an address extension module, configured to:
determining a first operation item in the page jumped to, and taking the element corresponding to the first operation item as a sub-element of the page element;
determining a first resource location address from the href attribute of the sub-element, and then storing the first resource location address in the linear table;
and repeating the page-jump and sub-element acquisition operations until the current page element has no sub-element.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided an electronic device for detecting unauthorized access.
The electronic device of the embodiment of the invention comprises: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement any of the above-described override detection methods.
To achieve the above object, according to a further aspect of the embodiments of the present invention, there is provided a computer readable medium having a computer program stored thereon, the program, when executed by a processor, implementing any of the above-mentioned unauthorized detection methods.
According to the scheme provided by the invention, one embodiment has the following advantages or beneficial effects: for a page, a number of jump pages are determined from the page's elements; within each jump page, further jump pages are determined from that page's elements, and so on, so that all page URLs associated with the page are obtained and a linear table of associated pages is built; the crawled URLs are then used as input to compare the HTTP request responses of different accounts and identify whether an account has unauthorized access at a URL.
Further effects of the optional features above are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting it.
FIG. 1 is a schematic flow chart of a method for unauthorized detection according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart diagram of an alternative method of unauthorized detection according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart diagram of an alternative override detection method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the main blocks of an unauthorized detection apparatus according to an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 6 is a schematic block diagram of a computer system suitable for use with a mobile device or server implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The terms used in this invention are interpreted as follows:
White-box testing, also called structural testing or logic-driven testing, checks by means of a structural test program whether the internal behaviour of a product proceeds normally according to its design specification, and whether each path in the program works correctly according to the preset requirements. The test object is regarded as an open box: the tester designs or selects test cases according to the internal logical structure of the program, tests all logical paths of the program, and determines whether the actual state matches the expected state by checking the state of the program at different points.
White-box testing is a test-case design method in which the "box" is the software under test and "white" means the box is transparent: one knows what is inside and how it works. The white-box method is used to understand the internal logical structure of the program thoroughly and to test all of its logical paths; it is an exhaustive path test. When using it, the tester must examine the internal structure of the program and derive test data from its logic. Note that the number of independent paths through a program can be astronomically large.
Referring to fig. 1, a main flowchart of an unauthorized detection method according to an embodiment of the present invention is shown, which includes the following steps:
S101: accessing a preset resource location address in a preset linear table based on a first account, generating a first request and sending the first request to a server so as to receive a first message fed back by the server;
S102: accessing the resource location address based on a second account to generate a second request, wherein the second account has permissions different from those of the first account;
S103: acquiring the first cookie in the first request, replacing the second cookie in the second request with the first cookie, and sending the replaced second request to the server so as to receive a second message fed back by the server;
S104: if the first message is the same as the second message, determining that the second account has unauthorized access to the first account at the resource location address.
In step S101 of the above embodiment, every URL is treated as potentially vulnerable to unauthorized access, i.e. every URL in the table is tested.
Two test accounts A and B are prepared for the same application; they may be unrelated accounts with different or the same permissions. Different permissions correspond to vertical unauthorized access and the same permissions to horizontal unauthorized access; even in the horizontal case, the feature data belonging to the two accounts differ, and these differences are referred to collectively here as different permissions.
Some websites require logging in with an account before browsing and some do not; if no login is required, the login step can be omitted. If login is required, Selenium WebDriver can be used to simulate operations in the browser, such as simulating click operations in place of manual clicks.
Taking account A as an example, account A is logged in to a Web browser under simulation so that the cookie corresponding to account A can be obtained from the browser's local storage. A cookie is data that a website stores on the user's local terminal for session tracking so as to identify the user; in practice it is usually an opaque or signed session identifier (sometimes encrypted) rather than the account data itself.
The URLs in the preset linear table (obtained as described below with reference to FIG. 2) are traversed and clicked one by one to generate an HTTP request for each single URL; the requests are then sent to the server one at a time, or assembled and sent together.
The server responds to each HTTP request with a response message, which is stored in the local browser for subsequent comparison. A message here is a unit of data exchanged and transmitted in the network, i.e. the block of data a station sends at one time; it contains the complete data to be sent, and messages vary in length, with no fixed limit.
Finally, the correspondence <account A, request parameters, first message> is obtained, where the request parameters are those of the first HTTP request.
For step S102, similarly for account B, Selenium WebDriver is used to simulate operations in the browser, for example logging in as account B and traversing the URLs in the linear table one by one to generate the second HTTP requests.
For step S103, all HTTP requests of account B are traversed; in each second HTTP request, the second cookie (that of account B) is replaced with the first cookie from the corresponding first HTTP request of account A (the cookie is one part of the HTTP request and only that part is replaced), the second HTTP request is re-sent to the server, and the second message fed back by the server is received.
It should be noted that, since the structure of the data in the message obtained for account B should be the same as that of the data obtained for account A, the correspondence <account B, request parameters, second message> is finally obtained, where the request parameters are those of the second HTTP request.
In step S104, the second message obtained for account B is compared with the first message of account A. If they are the same, account B has unauthorized access to account A's data at that URL; if they differ, analysis continues with the next request.
It should be noted that, for the same URL, even when account B does have unauthorized access to account A's data, the two messages may not be byte-for-byte identical (for example because of timestamps, request identifiers or tokens in the response); in that case key fields are extracted and compared instead of the whole message.
The method of this embodiment checks for unauthorized access between accounts automatically by swapping account cookies and comparing the response messages.
Referring to fig. 2, a schematic flow chart of an alternative unauthorized detection method according to an embodiment of the present invention is shown, which includes the following steps:
S201: determining the operation items in an application page, and acquiring the page elements corresponding to the operation items;
S202: determining the resource location address from the href attribute of the page element;
S203: in response to a click operation on the resource location address, storing the resource location address in the linear table if the page jump succeeds.
In the above embodiment, step S201 crawls all URLs in the application as input for the automatic unauthorized-access check.
A page of the application is logged in to through WebDriver, and all page elements (WebElement objects) of the page are obtained through the WebDriver API (Application Programming Interface). For example, a merchant home page contains many operation menus, such as primary and secondary menus; the home page need not be the starting point, and any single page can be chosen, since the pages are linked to one another.
For steps S202 and S203, the href (hypertext reference, which specifies the target address of a link) attribute of the <li> and <a> elements among the WebElements is obtained, giving the URL, which is saved in the linear table. href is an HTML attribute; its value can be the relative or absolute URL of any valid document, including a fragment identifier, or a JavaScript code fragment.
Furthermore, some URLs may be links without practical significance, such as blank pages; so before the URLs are added to the linear table, they can be traversed, each URL clicked in the simulated browser, and only those whose click succeeds saved to the linear table, yielding the preset linear table used for unauthorized-access detection.
The method of this embodiment obtains all URLs associated with the current page from the page's elements, which realizes the URL crawling operation and expands the range of URLs obtained.
Referring to fig. 3, a schematic flow chart of an alternative unauthorized detection method according to an embodiment of the present invention is shown, which includes the following steps:
S301: determining the operation items in an application page, and acquiring the page elements corresponding to the operation items;
S302: determining the resource location address from the href attribute of the page element;
S303: in response to a click operation on the resource location address, storing the resource location address in the linear table if the page jump succeeds;
S304: determining a first operation item in the page jumped to, and taking the element corresponding to the first operation item as a sub-element of the page element;
S305: determining a first resource location address from the href attribute of the sub-element, and then storing the first resource location address in the linear table;
S306: repeating the page-jump and sub-element acquisition operations until the current page element has no sub-element.
In the above embodiment, steps S301 to S303 correspond to steps S201 to S203 of FIG. 2 and are not repeated here.
In steps S304 to S306, to enlarge the range of URLs obtained, URLs are obtained not only from the page elements of the current page but also from their sub-elements.
Specifically, the sub-elements corresponding to a page element are obtained from the stored information of the page, and URLs are determined from the sub-elements and their href attributes.
For example, if the clickable page elements in the current page are <E1, E2, E3>, then after clicking element E1 the browser jumps to a new page whose clickable page elements are, say, <E1', E2', E3'>, and URLs are determined from the href attributes of the new page's elements.
Each sub-element's URL is traversed and checked to see whether it can be clicked; if so, the URL is stored in the linear table, so that every URL obtained ends up in the linear table.
This is repeated until a page element has no sub-elements, that is, the current element is a leaf node, at which point the recursion ends.
The method of this embodiment applies the algorithmic ideas of UI automation testing, looping and recursion: starting from the current page, new URLs are determined from the sub-elements of the page's elements, expanding the range of URLs obtained and achieving the automatic collection of all request URLs.
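The following is an added example of the URL collection described for FIG. 2 and FIG. 3 (href extraction, the "jump succeeded" filter, and recursion into each jumped-to page until a leaf is reached); it is not code from the patent. Where the patent drives a real browser through Selenium WebDriver, the example stands in a constructed dictionary of paths to HTML (SITE, ORIGIN and the fetch function are assumptions) and models "the jump succeeds" as "the target page exists". It also applies two filters a practitioner would add: anchors and javascript: hrefs are skipped, and only same-origin links are followed.

```python
"""Recursive URL collection for the linear table (FIG. 2 / FIG. 3).

Added illustration, not the patent's code. The page set, its HTML, ORIGIN and
fetch() are constructed stand-ins for a site driven through a browser.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed site: path -> HTML. '/a' links back to '/' (cycle), '/b/dead' is a
# dangling link (jump fails), '#' and 'javascript:' hrefs are non-navigable,
# and the link to other.example is off-origin.
SITE = {
    "/": '<ul><li><a href="/a">A</a></li><li><a href="/b">B</a></li>'
         '<li><a href="#">top</a></li><li><a href="javascript:void(0)">x</a></li></ul>',
    "/a": '<ul><li><a href="/a/1?id=7">one</a></li><li><a href="/">home</a></li></ul>',
    "/a/1?id=7": "<p>leaf: no links</p>",
    "/b": '<li><a href="/b/dead">dead</a></li><li><a href="https://other.example/">ext</a></li>',
}
ORIGIN = "https://app.example"


class HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> element (the hypertext reference)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def navigable(base, href):
    """Resolve href against base; return an absolute same-origin URL without its
    fragment, or None for anchors, javascript:/mailto: links and external hosts."""
    if href.startswith(("javascript:", "mailto:", "#")):
        return None
    url, _fragment = urldefrag(urljoin(base, href))
    if urlparse(url).netloc != urlparse(ORIGIN).netloc:
        return None
    return url


def fetch(url):
    """Stand-in for 'click the link and see whether the page jump succeeds':
    returns the page HTML, or None when there is no such page."""
    path = url[len(ORIGIN):] or "/"
    return SITE.get(path)


def crawl(start):
    """Depth-first: collect hrefs on the page, keep those whose jump succeeds,
    recurse into each newly reached page, and stop at pages with no links (leaves).
    Returns the linear table: an ordered list of reachable URLs without duplicates."""
    table = []
    seen = set()

    def visit(url):
        if url in seen:
            return
        seen.add(url)
        html = fetch(url)
        if html is None:
            return            # jump failed: not stored, not recursed into
        table.append(url)
        parser = HrefCollector()
        parser.feed(html)
        for href in parser.hrefs:       # sub-elements of the current page
            child = navigable(url, href)
            if child is not None:
                visit(child)

    visit(start)
    return table


if __name__ == "__main__":
    for entry in crawl(ORIGIN + "/"):
        print(entry)
```

The seen set is what makes the recursion terminate on a site whose pages link back to each other; without it the "repeat until no sub-element" loop never reaches a leaf. Query strings are kept because they carry the parameters (order numbers, user names) that the later cookie-swap check depends on.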
Referring to FIG. 4, a schematic diagram of the main modules of an apparatus 400 for detecting unauthorized access according to an embodiment of the present invention is shown, including:
an address access module 401, configured to access a preset resource location address in a preset linear table based on a first account, generate a first request, and send the first request to a server so as to receive a first message fed back by the server;
a request generating module 402, configured to access the resource location address based on a second account and generate a second request, wherein the second account has permissions different from those of the first account;
an information replacing module 403, configured to obtain the first cookie in the first request, replace the second cookie in the second request with the first cookie, and send the replaced second request to the server so as to receive a second message fed back by the server;
an unauthorized-access determining module 404, configured to determine that the second account has unauthorized access to the first account if the first message is the same as the second message.
The apparatus further includes an address determining module 405 (not shown) for:
determining operation items in an application page, and acquiring page elements corresponding to the operation items;
and determining the resource location address from the href attribute of the page element, and then storing the resource location address in the linear table.
In the apparatus of the present invention, the address determining module 405 is further configured to: in response to a click operation on the resource location address, store the resource location address in the linear table if the page jump succeeds.
The apparatus further includes an address extension module 406 (not shown) for:
determining a first operation item in the page jumped to, and taking the element corresponding to the first operation item as a sub-element of the page element;
determining a first resource location address from the href attribute of the sub-element, and then storing the first resource location address in the linear table;
and repeating the page-jump and sub-element acquisition operations until the current page element has no sub-element.
The detailed implementation of the apparatus has already been described in the method above and is not repeated here.
Fig. 5 illustrates an exemplary system architecture 500 to which embodiments of the invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505 (by way of example only). The network 504 serves to provide a medium for communication links between the terminal devices 501, 502, 503 and the server 505. Network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 501, 502, 503 to interact with a server 505 over a network 504 to receive or send messages or the like. Various communication client applications may be installed on the terminal devices 501, 502, 503.
The terminal devices 501, 502, 503 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server (for example only) providing support for shopping websites browsed by users using the terminal devices 501, 502, 503.
It should be noted that the method provided by the embodiment of the present invention is generally executed by the server 505, and accordingly, the apparatus is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks, and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, a block diagram of a computer system 600 suitable for use with a terminal device implementing an embodiment of the invention is shown. The terminal device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU)601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted in the storage section 608 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes an address access module, a request generation module, an information replacement module, and an override determination module. The names of these modules do not in all cases limit the module itself; for example, the override determination module may also be described as an "account override determination module".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise:
accessing a resource positioning address in a preset linear table based on a first account, generating a first request and sending the first request to a server so as to receive a first message fed back by the server;
accessing the resource positioning address based on a second account to generate a second request; wherein the second account has different permissions from the first account;
acquiring a first cookie in the first request, replacing a second cookie in the second request with the first cookie, and sending the replaced second request to the server to receive a second message fed back by the server;
and if the first message is the same as the second message, determining that the second account has an unauthorized behavior on the first account.
According to the technical scheme of the embodiment of the invention, for a given page, its jump pages are determined from the page elements of that page; for each jump page, its own jump pages are determined from its page elements in turn; and so on, until all page URLs related to the page are obtained, which constitutes the page association linear table. The crawled URLs are then taken as input to compare the HTTP responses received by different accounts, identifying whether an account has an unauthorized behavior on a URL.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. An unauthorized detection method, comprising:
accessing a resource positioning address in a preset linear table based on a first account, generating a first request and sending the first request to a server so as to receive a first message fed back by the server;
accessing the resource positioning address based on a second account to generate a second request; wherein the second account has different permissions from the first account;
acquiring a first cookie in the first request, replacing a second cookie in the second request with the first cookie, and sending the replaced second request to the server to receive a second message fed back by the server;
and if the first message is the same as the second message, determining that the second account has an unauthorized behavior on the first account in the resource positioning address.
2. The method according to claim 1, before accessing the resource location address in the preset linear table based on the first account, further comprising:
determining operation items in an application page, and acquiring page elements corresponding to the operation items;
and determining the resource positioning address according to the hypertext reference attribute in the page element, and then storing the resource positioning address into the linear table.
3. The method of claim 2, wherein storing the resource location address in the linear table further comprises:
responding to the click operation of the resource positioning address, and if the page jump is successful, storing the resource positioning address into the linear table.
4. The method of claim 3, further comprising:
determining a first operation item in a jump page, and taking an element corresponding to the first operation item as a sub-element of the page element;
determining a first resource location address according to the hypertext reference attribute of the sub-element, and then storing the first resource location address into the linear table;
and repeating the page skipping and the sub-element obtaining operation until the sub-element corresponding to the current page element does not exist.
5. An unauthorized detection device, comprising:
the address access module is used for accessing a resource positioning address in a preset linear table based on a first account, generating a first request and sending the first request to a server so as to receive a first message fed back by the server;
the request generating module is used for accessing the resource positioning address based on a second account and generating a second request; wherein the second account has different permissions from the first account;
the information replacement module is used for acquiring a first cookie in the first request, replacing a second cookie in the second request with the first cookie, and sending the replaced second request to the server to receive a second message fed back by the server;
and the override determining module is used for determining that the second account has an override behavior for the first account in the resource positioning address if the first message is the same as the second message.
6. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, implement the method of any of claims 1-4.
7. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-4.
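The crawl-then-compare procedure of the claims above, as an added example that is not the patent's or the applicants' code. The pages, the session cookies (`sid-alice`, `sid-bob`), the mock `server` handler and the `/orders/1001` endpoint that omits its ownership check are all constructed for the example. The crawler builds the linear table from `href` attributes, entering a URL only when the jump succeeds (HTTP 200) and following each page's links as sub-elements until none are new, as in claims 2 to 4; the detector then requests each URL under the first and the second account and reports URLs whose responses are identical, as in claim 1. Two points go beyond the page: the second probe is modelled as the same URL requested under the second account's own session rather than the literal cookie-replacement wording, and URLs that an anonymous request reproduces identically are treated as public and skipped, so that shared pages are not reported.

```python
"""Added example: crawl an application into a linear table of URLs, then replay
each URL under two accounts with different permissions and flag URLs whose
responses are identical. Everything below (sessions, pages, server) is a
constructed in-memory stand-in, not the patent's implementation."""
from collections import deque
from html.parser import HTMLParser

# Constructed session store: cookie value -> (user id, role).
SESSIONS = {
    "sid-alice": ("alice", "admin"),
    "sid-bob": ("bob", "user"),
}

# Constructed pages. The <a href> attributes are the page elements the crawler follows.
PAGES = {
    "/home": '<a href="/orders/1001">Order</a> <a href="/admin/users">Users</a> <a href="/profile">Me</a>',
    "/orders/1001": "order 1001: 3 items, owner alice",  # no ownership check: the defect to find
    "/profile": "profile of {user}",                   # per-session content
    "/admin/users": "alice, bob",                      # role check enforced in server()
}
PUBLIC = {"/home"}  # reachable without a session


def server(path, cookie):
    """Mock HTTP handler: returns (status, body) for `path` under session `cookie`."""
    user, role = SESSIONS.get(cookie, (None, None))
    if path not in PAGES:
        return 404, "not found"
    if path not in PUBLIC and user is None:
        return 401, "login required"
    if path == "/admin/users" and role != "admin":
        return 403, "forbidden"
    return 200, PAGES[path].format(user=user)


class HrefCollector(HTMLParser):
    """Collects the href of every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def build_linear_table(start, cookie):
    """Breadth-first crawl from `start` under one account's session.
    A URL enters the table only if the jump succeeds (HTTP 200); the links on
    that page become sub-elements to follow. Stops when no unseen link remains."""
    table, queue = [], deque([start])
    while queue:
        path = queue.popleft()
        if path in table:
            continue
        status, body = server(path, cookie)
        if status != 200:
            continue
        table.append(path)
        collector = HrefCollector()
        collector.feed(body)
        queue.extend(h for h in collector.hrefs if h not in table)
    return table


def detect_unauthorized(table, first_cookie, second_cookie, anon_cookie=""):
    """Request every URL under the first and the second account and return the
    URLs whose responses are identical: the second account reaches the first
    account's resource. URLs that an anonymous request also reproduces are
    treated as public and skipped (a refinement beyond the page's rule)."""
    findings = []
    for path in table:
        first = server(path, first_cookie)
        second = server(path, second_cookie)
        if first == second and first != server(path, anon_cookie):
            findings.append(path)
    return findings


if __name__ == "__main__":
    table = build_linear_table("/home", "sid-alice")
    print("linear table:", table)
    print("unauthorized URLs:", detect_unauthorized(table, "sid-alice", "sid-bob"))
```

Against a real test environment the `server` function would be replaced by an HTTP client, and the comparison should be made on response bodies with per-request values (timestamps, CSRF tokens, request ids) stripped first; otherwise two responses for the same resource compare unequal and the finding is missed.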
CN202010081689.0A 2020-02-06 2020-02-06 Unauthorized detection method and device Pending CN111767542A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010081689.0A CN111767542A (en) 2020-02-06 2020-02-06 Unauthorized detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010081689.0A CN111767542A (en) 2020-02-06 2020-02-06 Unauthorized detection method and device

Publications (1)

Publication Number Publication Date
CN111767542A true CN111767542A (en) 2020-10-13

Family

ID=72718665

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010081689.0A Pending CN111767542A (en) 2020-02-06 2020-02-06 Unauthorized detection method and device

Country Status (1)

Country Link
CN (1) CN111767542A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001817A (en) * 2011-09-16 2013-03-27 厦门市美亚柏科信息股份有限公司 Method and device for real-time detection of webpage cross-domain requests
CN104881608A (en) * 2015-05-21 2015-09-02 北京工业大学 XSS vulnerability detection method based on simulating browser behavior
CN107506649A (en) * 2017-08-25 2017-12-22 福建中金在线信息科技有限公司 A kind of leak detection method of html web page, device and electronic equipment
CN107770183A (en) * 2017-10-30 2018-03-06 新华三信息安全技术有限公司 A kind of data transmission method and device
CN108696481A (en) * 2017-04-07 2018-10-23 北京京东尚科信息技术有限公司 leak detection method and device
CN108833365A (en) * 2018-05-24 2018-11-16 杭州默安科技有限公司 A kind of service logic leak detection method and its system based on flow
CN109902022A (en) * 2019-03-14 2019-06-18 深圳壹账通智能科技有限公司 The method and relevant device tested automatically for loophole of vertically going beyond one's commission
CN110084044A (en) * 2019-03-14 2019-08-02 深圳壹账通智能科技有限公司 For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113032787A (en) * 2021-03-12 2021-06-25 北京安全共识科技有限公司 System vulnerability detection method and device
CN113032787B (en) * 2021-03-12 2024-05-07 北京基调网络股份有限公司 System vulnerability detection method and device
CN113411333A (en) * 2021-06-18 2021-09-17 杭州安恒信息技术股份有限公司 Unauthorized access vulnerability detection method, device, system and storage medium

Similar Documents

Publication Publication Date Title
CN105940654B (en) Franchise static web application in trust
CN106911693B (en) Method and device for detecting hijacking of webpage content and terminal equipment
US8533328B2 (en) Method and system of determining vulnerability of web application
CN107046544B (en) Method and device for identifying illegal access request to website
US9785778B2 (en) Directed execution of dynamic programs in isolated environments
US8621613B1 (en) Detecting malware in content items
CN111552854A (en) Webpage data capturing method and device, storage medium and equipment
CN111104675A (en) Method and device for detecting system security vulnerability
CN103647678A (en) Method and device for online verification of website vulnerabilities
CN107547524A (en) A kind of page detection method, device and equipment
CN111767542A (en) Unauthorized detection method and device
CN102946396B (en) User agent's device, host web server and user authentication method
US11062019B2 (en) System and method for webpages scripts validation
CN103647652A (en) Method, device and server for achieving data transmission
CN104375935A (en) Method and device for testing SQL injection attack
US9348977B1 (en) Detecting malware in content items
CN113569179A (en) Subsystem access method and device based on unified website
CN112749351B (en) Link address determination method, device, computer readable storage medium and equipment
US9398041B2 (en) Identifying stored vulnerabilities in a web service
CN113162937A (en) Application safety automatic detection method, system, electronic equipment and storage medium
CN107634942B (en) Method and device for identifying malicious request
CN113609516B (en) Information generation method and device based on abnormal user, electronic equipment and medium
CN102946397B (en) User authen method and system
CN111368231B (en) Method and device for testing heterogeneous redundancy architecture website
Cvitić et al. Defining Cross-Site Scripting Attack Resilience Guidelines Based on BeEF Framework Simulation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination