CN117370176A - Application security test method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN117370176A
Authority: CN (China)
Prior art keywords: test, target, page, application, end page
Legal status: Pending
Application number: CN202311330914.XA
Other languages: Chinese (zh)
Inventors: 张卉, 杨洋, 翁丛
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202311330914.XA; publication of CN117370176A; legal status pending.

Classifications

    • G06F11/3684 Test management for test design, e.g. generating new test cases (under G06F11/00 Error detection; Error correction; Monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/3668 Software testing > G06F11/3672 Test management)
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites (same parent group as above)
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking (under G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/95 Retrieval from the web)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (Y02D Climate change mitigation technologies in information and communication technologies)

Abstract

This application relates to an application security test method, apparatus, computer device, storage medium and computer program product in the field of information security. The method comprises: acquiring application information of a target application and, for each front-end page of the target application, the page control information that the page contains; determining, from the test items in a test item library, the target items to be tested for each front-end page, based on the application name of the target application, its URL (the "internet standard resource address" of the claims) and the page control information of each front-end page; and, for each front-end page, testing the page according to the test strategy corresponding to its target items, obtaining the test result for that page and building the security test result of the target application from the per-page results. The method improves both the efficiency and the accuracy of security testing.

Description

Application security test method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an application security test method, an apparatus, a computer device, a storage medium, and a computer program product.
Background
Application security testing techniques have emerged with the development of information security technology.
Current security testing falls into two main types, manual testing and scanner-based testing. In manual testing a tester intercepts and tampers with request messages and judges from the response message or the rendered page whether a security risk exists. In scanner-based testing the tool sends its preset attack vectors and analyses the response messages to decide whether the application is at risk.
Manual testing, however, consumes considerable human effort, and the attack vectors used by a scanner are the ones built into the tool. Because those built-in vectors must cover every kind of application, they produce many findings that require no change to the application under test, so the false-positive rate of the security test is high.
Disclosure of Invention
In view of the above technical problems, it is therefore necessary to provide an application security test method, apparatus, computer device, computer-readable storage medium and computer program product that can perform security testing of an application automatically and with higher accuracy.
In a first aspect, the present application provides an application security test method. The method comprises the following steps:
acquiring application information of a target application, wherein the application information comprises an application name and an Internet standard resource address;
respectively acquiring page control information contained in each front-end page aiming at each front-end page of the target application;
determining target items to be tested of each front-end page in the target application from each test item included in a test item library based on the application name of the target application, the internet standard resource address of the target application and page control information of each front-end page in the target application;
and aiming at each front-end page in the target application, carrying out test processing on the front-end page according to a test strategy corresponding to a target item to be tested of the front-end page to obtain a test result corresponding to the front-end page, and constructing a security test result of the target application according to the test result corresponding to each front-end page.
In one embodiment, the determining, based on the application name of the target application, the internet standard resource address of the target application, and page control information of each front-end page in the target application, from each test item included in a test item library, a target item to be tested of each front-end page in the target application includes:
Searching historical test information of the target application in a historical test record based on the application name of the target application and the Internet standard resource address of the target application;
and determining target test items corresponding to any front-end page from a test item library according to the history test information aiming at any front-end page under the condition that the history test information of the target application exists.
In one embodiment, the method further comprises:
searching a target front-end page matched with the front-end page from a history test record according to page control information of the front-end page aiming at any front-end page under the condition that history test information of the target application does not exist;
searching the historical test information corresponding to the target front-end page in the historical test record, and determining the target test item corresponding to the front-end page from a test item library according to the historical test information corresponding to the front-end page.
In one embodiment, the determining, according to the historical test information, the target test item corresponding to the front page from the test item library includes:
searching the historical test information for the test item identifiers whose recorded test state is the target test state, where the target test state indicates that the test item identified by that identifier failed (i.e., the earlier test found a problem);
and determining a target test item corresponding to the front page from a test item library according to the test item identifier.
In one embodiment, the page control information includes a page control category, and searching, according to a page control of the front-end page, a target front-end page matched with the front-end page from a history test record includes:
acquiring page control categories included in front-end pages which are tested completely from the history test record;
and determining a target front-end page matched with the front-end page from the front-end pages subjected to the test according to the page control types of the front-end pages in the target application and the page control types included in the front-end pages subjected to the test.
In one embodiment, the testing the front-end page according to the testing policy corresponding to the target item to be tested of the front-end page to obtain the testing result corresponding to the front-end page includes:
Executing request operation of the front-end page corresponding to each target item to be tested according to the front-end page, and acquiring a success request message and a success response message corresponding to each target item to be tested of the front-end page;
according to the test strategy corresponding to each target to-be-tested item and the successful request message of the front-end page for each target to-be-tested item, performing test processing to obtain a test response message corresponding to each target to-be-tested item;
and, for each target item to be tested, comparing the data length of the test response message for that item with the data length of the successful response message for that item to obtain a comparison result, and determining the test result of the front-end page from the comparison result.
In one embodiment, the method further comprises:
and under the condition that a target front-end page matched with the front-end page does not exist in the history test record, taking all items to be tested in the test item library as target items to be tested of the front-end pages in the target application.
In a second aspect, the present application also provides an application security test apparatus. The device comprises:
The first acquisition module is used for acquiring application information of a target application, wherein the application information comprises an application name and an Internet standard resource address;
the second acquisition module is used for respectively acquiring page control information contained in each front-end page aiming at each front-end page of the target application;
the first determining module is used for determining the target items to be tested of each front-end page in the target application from the test items included in a test item library, based on the application name of the target application, the internet standard resource address of the target application and the page control information of each front-end page in the target application;
the testing module is used for testing the front-end pages according to the testing strategies corresponding to the target items to be tested of the front-end pages aiming at each front-end page in the target application, obtaining testing results corresponding to the front-end pages, and constructing safety testing results of the target application according to the testing results corresponding to the front-end pages.
In one embodiment, the first determining module is specifically configured to:
searching historical test information of the target application in a historical test record based on the application name of the target application and the Internet standard resource address of the target application;
And determining target test items corresponding to any front-end page from a test item library according to the history test information aiming at any front-end page under the condition that the history test information of the target application exists.
In one embodiment, the first determining module is specifically configured to:
searching a target front-end page matched with the front-end page from a history test record according to page control information of the front-end page aiming at any front-end page under the condition that history test information of the target application does not exist;
searching the historical test information corresponding to the target front-end page in the historical test record, and determining the target test item corresponding to the front-end page from a test item library according to the historical test information corresponding to the front-end page.
In one embodiment, the first determining module is specifically configured to:
searching the historical test information for the test item identifiers whose recorded test state is the target test state, where the target test state indicates that the test item identified by that identifier failed;
and determining a target test item corresponding to the front page from a test item library according to the test item identifier.
In one embodiment, the first determining module is specifically configured to:
acquiring page control categories included in front-end pages which are tested completely from the history test record;
and determining a target front-end page matched with the front-end page from the front-end pages subjected to the test according to the page control types of the front-end pages in the target application and the page control types included in the front-end pages subjected to the test.
In one embodiment, the test module is specifically configured to:
executing request operation of the front-end page corresponding to each target item to be tested according to the front-end page, and acquiring a success request message and a success response message corresponding to each target item to be tested of the front-end page;
according to the test strategy corresponding to each target to-be-tested item and the successful request message of the front-end page for each target to-be-tested item, performing test processing to obtain a test response message corresponding to each target to-be-tested item;
and, for each target item to be tested, comparing the data length of the test response message for that item with the data length of the successful response message for that item to obtain a comparison result, and determining the test result of the front-end page from the comparison result.
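The test step described in the first and second aspects above (replay the page's successful request under each target item's test strategy, then compare the length of the test response with the length of the successful response) can be exercised end to end with the following added example. It is not code from the patent or from ICBC: the demo application, the two strategies (a tamper override check that increments a `uid` parameter, and an anti-replay check that resends the request unchanged), the `send` callback and the 20% length tolerance are all assumptions made for illustration. The patent specifies only that the two data lengths are compared.

```python
import json
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed demo application standing in for the target application's server
# (assumption): a profile lookup that never checks that the caller owns the
# uid, and a transfer endpoint that rejects a reused nonce.
USERS = {
    "1001": {"uid": "1001", "name": "alice", "balance": 120.5},
    "1002": {"uid": "1002", "name": "bob", "balance": 99.0},
}
_SEEN_NONCES = set()


def demo_app(url):
    """Return (status, body bytes) for a GET to url, as the target server would."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    if parts.path == "/profile":
        user = USERS.get(qs.get("uid", [""])[0])
        if user is not None:
            return 200, json.dumps(user).encode()
        return 404, b'{"error":"not found"}'
    if parts.path == "/transfer":
        nonce = qs.get("nonce", [""])[0]
        if nonce in _SEEN_NONCES:
            return 409, b'{"error":"replayed"}'
        _SEEN_NONCES.add(nonce)
        return 200, b'{"status":"ok","transfer_id":"t-1"}'
    return 404, b'{"error":"no such page"}'


def http_send(url):
    """Real sender for use against a live target; urllib honours the
    http_proxy/https_proxy environment variables, so the configured HTTP proxy
    sees every request."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Test strategies keyed by test item identifier. Each maps the page's
# successful request to the test request for that item (assumed strategies).
def tamper_override(url):
    """Change the owner identifier in the successful request and resend it
    (assumes a numeric uid query parameter)."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    if "uid" in qs:
        qs["uid"] = [str(int(qs["uid"][0]) + 1)]
    return parts._replace(query=urlencode(qs, doseq=True)).geturl()


def anti_replay(url):
    """Resend the successful request unchanged."""
    return url


STRATEGIES = {"tamper_override": tamper_override, "anti_replay": anti_replay}


def run_page_test(success_url, item_ids, send=demo_app, tolerance=0.2):
    """Issue the successful request once, then the test request for each target
    item, and decide each item's state from the response-length comparison."""
    _, success_body = send(success_url)
    results = []
    for item in item_ids:
        _, test_body = send(STRATEGIES[item](success_url))
        diff = abs(len(test_body) - len(success_body)) / max(len(success_body), 1)
        # A test response about as long as the successful one means the server
        # served the tampered or replayed request as if it were legitimate, so
        # the item failed (a finding). The tolerance is an assumption.
        results.append({"item_id": item,
                        "state": "failed" if diff <= tolerance else "passed",
                        "success_len": len(success_body),
                        "test_len": len(test_body)})
    return results


if __name__ == "__main__":
    for r in run_page_test("https://app.example/profile?uid=1001",
                           ["tamper_override", "anti_replay"]):
        print(r)
```

Running the block against the demo application flags the profile page for tamper override (another user's profile comes back at almost the same length) and also flags it for anti-replay, because an idempotent GET naturally returns the same body twice. That second result is the caveat a practitioner should keep in mind with a pure length heuristic: the anti-replay item only means something on state-changing requests such as the `/transfer` endpoint, where the replay is refused with a much shorter body.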
In one embodiment, the apparatus further comprises:
and under the condition that a target front-end page matched with the front-end page does not exist in the history test record, taking all items to be tested in the test item library as target items to be tested of the front-end pages in the target application.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the application security test method of the first aspect when the processor executes the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the application security test method of the first aspect described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the application security test method of the first aspect described above.
The application security test method, apparatus, computer device, storage medium and computer program product acquire the application information of a target application, comprising its application name and URL; acquire, for each front-end page of the target application, the page control information the page contains; determine the target items to be tested of each front-end page from the test items of a test item library, based on the application name, the URL and the page control information of each front-end page; and, for each front-end page, test the page according to the test strategy corresponding to its target items, obtain the test result for the page and build the security test result of the target application from the per-page results. Because the target items of each front-end page are chosen from the test item library on the basis of the application name, the URL and the page controls of each page, the user does not have to analyse each front-end page manually to decide which items to test, which improves the efficiency of the security test. Moreover, only the target items that suit each front-end page are selected from the library, which improves the accuracy of the security test.
Drawings
FIG. 1 is a diagram of an application environment in which a security test method is applied in one embodiment;
FIG. 2 is a flow chart of a security test method according to an embodiment;
FIG. 3 is a flowchart of determining a target test item corresponding to a front page according to an embodiment;
FIG. 4 is a flowchart illustrating a process of determining a target test item corresponding to a front page according to another embodiment;
FIG. 5 is a flowchart of determining a target test item corresponding to a front page from a test item library according to an embodiment;
FIG. 6 is a flow diagram of determining a target front page that matches the front page in one embodiment;
FIG. 7 is a flowchart of determining a test result of a front page according to a success request message and a success response message of the front page in another embodiment;
FIG. 8 is a block diagram of an application security test apparatus in one embodiment;
FIG. 9 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The application security testing method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the first server 104 and the second server 106 through a network. The data storage system may store data that needs to be processed by the first server 104 and the second server 106. The data storage system may be integrated on the first server 104 and the second server 106, respectively, or may be located on the cloud or other network server. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The first server 104 and the second server 106 may be implemented by using independent servers or a server cluster formed by a plurality of servers, where the first server 104 is a server corresponding to a target application, and the second server 106 is a server corresponding to a test system, and the test system includes a history test record and a test item library.
In one embodiment, as shown in fig. 2, an application security test method is provided, and the application of the method to the terminal in fig. 1 is taken as an example and illustrated, and the method includes the following steps:
step 202, obtaining application information of a target application.
The target application is the application to be security-tested; it may be, without limitation, a mobile application, a PC (personal computer) application, a web application and so on. The application information comprises the application name and the application's URL (Uniform Resource Locator, the "internet standard resource address" of the claims).
In this embodiment the terminal establishes a communication connection with the server of the target application through a pre-installed browser. Illustratively, the terminal obtains the HTTP (Hypertext Transfer Protocol) proxy, i.e., the proxy server, to be used for the target application, and configures the browser to use that proxy; specifically, the browser's HTTP proxy is configured from the IP (Internet Protocol) address and port number of the proxy server.
The terminal then obtains the application information of the target application through the browser via the configured HTTP proxy. Optionally, the terminal may instead obtain the application information directly from user input when the security test starts.
Any method that configures the browser's HTTP proxy from the proxy server's IP address and port number may be used for this; the embodiments of the present application do not limit it.
Step 204, for each front-end page of the target application, respectively acquiring page control information contained in each front-end page.
The page control information may include the page control category and the number of page controls. Page controls are the front-end input controls of various types in a front-end page, such as input boxes and buttons.
In this embodiment the terminal may retrieve each front-end page of the target application through the pre-installed browser via the HTTP proxy. Having obtained the pages, the terminal can reference the page controls of each front-end page in a low-code generation platform, select the controls by drag-and-drop or a similar gesture, generate a low-code front-end page corresponding to each front-end page, and determine the page control information of the front-end page from that low-code page.
Optionally, the terminal may instead identify the page controls of each front-end page by image recognition, or obtain the page control information by analysing the page's code; this embodiment does not limit the manner in which page control information is obtained.
For image recognition, any algorithm that can derive page control information from a front-end page may be used, for example a deep-learning-based UI (user interface) recognition algorithm; the embodiments of the present application do not limit this.
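The code-analysis route mentioned above (deriving page control categories and counts from the page's own markup rather than from a low-code platform or image recognition) is shown by the following added example, which is not part of the patent and not ICBC's code. It uses only the standard library `html.parser`. Treating `select` and `textarea` as controls, and splitting `input` by its `type` attribute, are this example's assumptions; the patent names only input and button controls. The sample login page is constructed.

```python
from collections import Counter
from html.parser import HTMLParser

# Tags treated as page controls (assumption: the patent only names input and
# button controls as examples; select and textarea are added here).
CONTROL_TAGS = {"input", "button", "select", "textarea"}


class ControlCollector(HTMLParser):
    """Counts front-end controls per category while parsing a page."""

    def __init__(self):
        super().__init__()
        self.counts = Counter()

    def handle_starttag(self, tag, attrs):
        # html.parser also routes self-closing tags such as <input ... /> here.
        if tag not in CONTROL_TAGS:
            return
        attr = dict(attrs)
        if tag == "input":
            # Distinguish input types: a password box or a hidden token field
            # calls for different test items than a plain text box.
            category = "input:" + (attr.get("type") or "text").lower()
        else:
            category = tag
        self.counts[category] += 1


def page_control_info(html):
    """Return {control category: count} for one front-end page."""
    collector = ControlCollector()
    collector.feed(html)
    collector.close()
    return dict(collector.counts)


def control_categories(info):
    """The category set later used to match a page against already tested pages."""
    return frozenset(info)


# Constructed sample page (not from the patent): a login form.
SAMPLE_LOGIN_PAGE = """
<html><body>
  <form action="/login" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="hidden" name="csrf_token" value="abc123">
    <button type="submit">Sign in</button>
  </form>
</body></html>
"""

if __name__ == "__main__":
    info = page_control_info(SAMPLE_LOGIN_PAGE)
    print(info)
    print(sorted(control_categories(info)))
```

The parser is deliberately tolerant: it counts whatever control tags are present in the served HTML, so pages whose forms are rendered client-side by JavaScript must be fetched after rendering (for example from the browser's DOM through the proxy) rather than from the raw first response, or the control information will be empty.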
Step 206, determining target items to be tested of each front-end page in the target application from each test item included in the test item library based on the application name of the target application, the internet standard resource address of the target application and the page control information of each front-end page in the target application.
The test item library is a database of test items, such as a weak-password test item, a tamper override access item and a bypass override access item (unauthorised access obtained by tampering with, or bypassing, request parameters), an anti-replay item, an XSS (cross-site scripting) test item, an SQL (Structured Query Language) injection test item, and so on. The test item library may be stored on the terminal or obtained by the terminal from a server that stores it.
In the embodiment of the application, the terminal matches target to-be-tested items of each front-end page in the target application from all the test items included in the test item library based on the application name of the target application and the internet standard resource address of the target application. The terminal can also determine target items to be tested of each front-end page in the target application from each test item included in the test item library according to page control information of each front-end page in the target application.
Step 208, for each front-end page in the target application, performing test processing on the front-end page according to a test strategy corresponding to a target item to be tested of the front-end page, obtaining a test result corresponding to the front-end page, and constructing a security test result of the target application according to the test result corresponding to each front-end page.
The test result comprises the page control information of each front-end page, the target test items of each page, and the test item identifier and test state of each target test item, where the test item identifier denotes the item name of the target test item and the test state indicates whether that target test item passed or failed on the page. The security test result of the target application comprises these per-page test results.
In the embodiment of the application, a terminal acquires a test strategy corresponding to a target to-be-tested item of each front-end page aiming at each front-end page in a target application, and tests the front-end page according to the test strategy corresponding to the target to-be-tested item of the front-end page to obtain a test result corresponding to the front-end page. And then, the terminal constructs a security test result of the target application according to the test results corresponding to the front-end pages.
The terminal can send the security test result of the target application to a server corresponding to the history test record, and update the history test record to obtain a history test record after the security test of the target application.
In the application security test method, the application information of the target application is obtained, comprising its application name and URL; the page control information of each front-end page of the target application is obtained; the target items to be tested of each front-end page are determined from the test items of the test item library, based on the application name, the URL and the page control information of each front-end page; and each front-end page is tested according to the test strategy corresponding to its target items, giving a test result per page from which the security test result of the target application is built. Because the target items of each front-end page are chosen from the test item library on the basis of the application name, the URL and the page controls of each page, the user does not have to analyse each front-end page manually to decide which items to test, which improves the efficiency of the security test. Moreover, only the target items that suit each front-end page are selected from the library, which improves the accuracy of the security test.
In one embodiment, as shown in FIG. 3, step 206 includes:
step 302, searching historical test information of the target application in the historical test record based on the application name of the target application and the Internet standard resource address of the target application.
The history test record contains the history test information of every application tested so far. Each entry of history test information contains the application name, the Internet standard resource address (URL) and the corresponding security test result of that application, and the history test record is stored on the server of the test system.
In the embodiment of the application, the terminal establishes a communication connection with the server holding the history test record and obtains the record. Based on the application name and the URL of the target application, the terminal then searches the record for history test information whose application name and URL both match those of the target application.
Optionally, the terminal may instead match on the application name together with the URL with its host field removed (i.e. the page path): it searches the history test record for history test information whose application name equals that of the target application and whose host-stripped URL equals the host-stripped URL of the target application.
The URL has the form <protocol>://<host domain name or IP address>:<port number>/<path>; the host field is the part of the URL consisting of the host domain name or IP address and the port number.
For example, the terminal searches the history test record for the target application named application A with URL https://ip address 1/search and finds an entry named application A with URL https://host domain name 1/search. Because the host-stripped parts of the two URLs (the path, search) are identical, that entry is taken as the history test information of the target application, i.e. history test information of the target application exists in the history test record.
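The host-stripped lookup of step 302, written out as an added Python example (this is not code from the patent or from ICBC). The history entries, the application names, the item names and the hosts 192.0.2.1 and host-domain-1 (standing in for "ip address 1" and "host domain name 1") are all constructed for the example:

```python
from urllib.parse import urlsplit

# Constructed history records (not from the patent): one entry per tested application.
HISTORY = [
    {"app_name": "Application A", "url": "https://host-domain-1/search",
     "items": {"weak_password": "failed", "xss": "passed"}},
    {"app_name": "Application B", "url": "https://203.0.113.10:8443/login",
     "items": {"sql_injection": "failed"}},
]


def page_path(url):
    """Return the URL with its host field removed: scheme, host and port are
    dropped and only the path remains (the comparison key of step 302).
    '/search' and '/search/' are treated as the same page."""
    path = urlsplit(url).path or "/"
    return path.rstrip("/") or "/"


def find_history(app_name, url, history=HISTORY):
    """Exact match on application name and full URL first; otherwise match on
    application name plus host-stripped path, so the same application reached
    through an IP address or a domain name is still recognised."""
    for rec in history:
        if rec["app_name"] == app_name and rec["url"] == url:
            return rec
    key = (app_name, page_path(url))
    for rec in history:
        if (rec["app_name"], page_path(rec["url"])) == key:
            return rec
    return None
```

The exact match is attempted before the host-stripped one. Matching on name and path alone can attach history from a different deployment that happens to use the same path, so a practitioner may also want to keep the host in the record and treat a path-only hit as a suggestion rather than a certainty.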
Step 304, determining, for any front-end page, a target test item corresponding to the front-end page from the test item library according to the history test information when the history test information of the target application exists.
The test item library includes a plurality of test items and test strategies corresponding to the test items, for example, test programs written by a programming language, test functions packaged by a test data packet and a message processing mode, and the like.
In the embodiment of the application, when the history test information of the target application exists in the history test record, the terminal determines, for any front-end page, a target test item corresponding to each front-end page from a test item library according to the test item corresponding to each front-end page of the target application in the history test information.
In this embodiment, the terminal searches the history test record for history test information consistent with the application name and the URL of the target application, and in this way determines whether the target application has already undergone a security test in the test system. Where it has, the target to-be-tested items of each front-end page can be obtained from the history test information of the target application, and the application security test is performed on that basis. Because the history test record of the target application is taken into account, after the target application has been tested once and the findings have been fixed, the relevant test items can be retested quickly: the user does not need to analyse each front-end page of the target application by hand and then decide which items to test, which improves the efficiency of the application security test.
In one embodiment, as shown in fig. 4, the method further includes:
step 402, searching a target front-end page matched with the front-end page from a history test record according to page control information of the front-end page for any front-end page under the condition that no history test information of the target application exists.
In the embodiment of the application, under the condition that the history test information of the target application does not exist in the history test record, the terminal performs matching processing on the page control information of the front page and the page control information corresponding to the front page of each application in the history test record for any front page, so as to obtain a matching result, and according to the matching result, the target front page matched with the page control information of the front page is determined in the history test record.
Step 404, searching the history test information corresponding to the target front-end page in the history test record, and determining the target test item corresponding to the front-end page from the test item library according to the history test information corresponding to the front-end page.
In the embodiment of the application, the terminal queries the historical test information corresponding to the target front-end page in the historical test record, and determines the target test item corresponding to the front-end page from the test item library according to the test item corresponding to the target front-end page in the historical test information.
In this embodiment, when no history test information of the target application exists, a target front-end page matching the front-end page can still be found in the history test record from the page control information of that front-end page, and the target test items are obtained from it. Thus even on the first test of the target application, a matching tested page is determined for each of its front-end pages from the page control information, and the target test items of each front-end page are derived from that matching page, so that the target to-be-tested items of the target application are determined quickly and the efficiency of the application security test is improved.
In one embodiment, as shown in FIG. 5, step 404 includes:
step 502, searching the test item identifier corresponding to the target test state from the historical test information.
The target test state represents that the test item denoted by the test item identifier failed. The test item identifier denotes the item name of the test item; a character identifier, a numeric identifier or the like can be used, and the data type of the identifier is not specifically limited in the embodiment of the application.
In the embodiment of the application, the terminal obtains, from the history test information corresponding to the matched target front-end page, the test item identifiers of the test items run against that page. The terminal then selects, from among them, the identifiers whose test state is "test failed", this state being the target test state.
Step 504, determining the target test item corresponding to the front-end page from the test item library according to the test item identifier.
In the embodiment of the application, the terminal obtains the test item denoted by each selected identifier, i.e. the item name of each test item whose state is "test failed", and takes the corresponding test item in the test item library as a target test item of the front-end page.
In this embodiment, the test state in the history test information shows whether each test item passed or failed; a state of "test failed" means the tested page had a security problem for that item, so the terminal takes that item as a target test item. The target test items are thus determined from the test item identifiers and their corresponding test states.
In one embodiment, as shown in FIG. 6, step 402 includes:
step 602, obtaining page control types included in each front-end page after completing the test from the history test record.
The page control category can comprise a text input control, a password input control, a radio selection control, a check control, a button control, a link control and a scroll bar control.
In the embodiment of the application, the terminal acquires the page control category included in each front-end page which has completed the test according to the history test record.
The terminal obtains three front-end pages of the application A of the history test record according to the history test record, wherein the three front-end pages are respectively a front-end page A1, a front-end page A2 and a front-end page A3, and page control types of the front-end page A1 are text input controls and submission controls; the page control types of the front page A2 are a text input control, a password input control and a submission control; the page control class of the front page A3 is a single-selection control and a submission control.
Step 604, determining a target front-end page matched with the front-end page from the front-end pages which have been tested according to the page control types of the front-end pages in the target application and the page control types included in the front-end pages which have been tested.
In the embodiment of the present application, for each front-end page the terminal determines, from the page control categories of that front-end page and the page control categories of each tested front-end page, whether there is a tested front-end page whose page control categories are the same as those of the front-end page.
If such a tested front-end page exists, the terminal takes it as the target front-end page. If several tested pages qualify, the terminal can further choose among them by the number of page controls.
Specifically, the terminal may select, among the candidate pages, the one whose number of page controls in each page control category is closest to the number of page controls of the front-end page in that category.
Optionally, the terminal may also select as the target front-end page a tested front-end page whose number of page controls equals that of the front-end page, according to the page control categories of the front-end page and the number of page controls in each tested front-end page.
In this embodiment, the terminal determines, from the page control categories of the front-end page and those of each tested front-end page, the target front-end page that best matches the front-end page of the target application, so that the target to-be-tested items of the front-end page can conveniently be obtained from the target front-end page.
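Steps 602-604 (matching a tested page by control categories, then by control counts), steps 502-504 (keeping only the items that previously failed) and the fallback of running the whole test item library when nothing matches, combined into one added Python example. It is not code from the patent or from ICBC; the tested pages A1-A3 follow the description above, page B7, the control category names, the per-item states and the item names in the library are constructed for the example:

```python
from collections import Counter

# Constructed history (not from the patent): front-end pages that have
# completed testing, their control categories (one entry per control) and the
# recorded state of each test item run against them.
HISTORY_PAGES = [
    {"page": "A1", "controls": ["text_input", "submit"],
     "items": {"xss": "failed", "sql_injection": "passed"}},
    {"page": "A2", "controls": ["text_input", "password_input", "submit"],
     "items": {"weak_password": "failed", "sql_injection": "failed", "xss": "passed"}},
    {"page": "A3", "controls": ["radio", "submit"],
     "items": {"bypass_access": "passed"}},
    {"page": "B7", "controls": ["text_input", "text_input", "password_input", "submit"],
     "items": {"weak_password": "passed", "sql_injection": "failed"}},
]

# Constructed test item library (item names are this example's own).
TEST_ITEM_LIBRARY = ["weak_password", "tamper_access", "bypass_access",
                     "anti_replay", "xss", "sql_injection"]


def match_page(target_controls, history_pages=HISTORY_PAGES):
    """Steps 602-604: candidates are tested pages with exactly the same set of
    control categories; among several, prefer the page whose per-category
    control counts are closest (sum of absolute differences)."""
    want = Counter(target_controls)
    candidates = [p for p in history_pages if set(p["controls"]) == set(want)]
    if not candidates:
        return None

    def distance(page):
        have = Counter(page["controls"])
        return sum(abs(want[c] - have[c]) for c in want)

    return min(candidates, key=distance)


def failed_items(history_page):
    """Steps 502-504: keep only the items whose recorded state is 'failed'."""
    return [item for item, state in history_page["items"].items() if state == "failed"]


def target_items(target_controls, history_pages=HISTORY_PAGES, library=TEST_ITEM_LIBRARY):
    """Items to run on a front-end page of an application with no history of
    its own. Falls back to the whole library when no tested page matches
    (the first-test case)."""
    page = match_page(target_controls, history_pages)
    if page is None:
        return list(library)
    return [item for item in failed_items(page) if item in library]
```

Note what the failed-only rule implies: an item that passed on the matching page is not run again on the new page, so a regression in that item would go unnoticed until the full library is used. A practitioner may prefer to treat the failed items as a priority list and still schedule the remaining items at lower priority.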
In one embodiment, as shown in FIG. 7, step 208 includes:
step 702, for the front-end page, executing the request operation corresponding to each target to-be-tested item by the front-end page, and obtaining the success request message and the success response message corresponding to each target to-be-tested item by the front-end page.
The successful request message is a request message sent by the terminal to a server where the target application is located through a browser; the successful response message is a response message sent to the terminal by the server where the target application is located.
In the embodiment of the application, aiming at a front-end page, a terminal acquires a success request message and a success response message corresponding to a target item to be tested according to each target item to be tested corresponding to the front-end page.
For the login page, when the target item to be tested is the weak password test item or the tampered unauthorized access item, the terminal executes a login request with the preset account and password and records the success request message and success response message produced by that login. For example, with the preset account AAA and preset password BBB, the terminal executes the login through the pre-installed browser, and a recording program captures the request and response messages of the successful login; these are the success request message and success response message for the weak password test item or the tampered unauthorized access item.
The weak password test item detects whether the target application accepts weak passwords for the accounts in its database; the tampered unauthorized access item detects whether, by tampering with the request message, a logged-in user can view pages that belong to other users.
In an exemplary embodiment, when the target item to be tested is the bypass access item, the terminal executes a submit or resource-transfer request, and the recording program records the success request message and success response message produced when the submission or transfer succeeds; these are the success request message and success response message for the bypass access item.
The bypass access item detects whether the interaction flow of the target application can be short-circuited, for example because a decision step of the target application has a flaw that allows it to be skipped.
In an exemplary embodiment, when the target item to be tested is the anti-replay item, the terminal likewise executes a submit or resource-transfer request and records, through the recording program, the success request message and success response message produced when it succeeds; these are the success request message and success response message for the anti-replay item.
The anti-replay item detects whether the target application has a replay problem, i.e. whether an operation that should succeed only once succeeds again when the same request is sent repeatedly.
In an exemplary embodiment, when the target item to be tested is the XSS test item, the terminal executes a text submission request and records, through the recording program, the success request message and success response message produced by it; these are the success request message and success response message for the XSS test item.
The XSS test item detects whether a front-end page of the target application can be made to execute injected script (cross-site scripting).
For the login page, when the target item to be tested is the SQL injection test item, the terminal executes the login request and records, through the recording program, the success request message and success response message produced when the login succeeds; these are the success request message and success response message for the SQL injection test item.
The SQL injection test item detects whether the target application has a vulnerability in the construction of its database statements.
The preset account and password are an account and password that can log in to the application successfully.
Step 704, performing test processing according to the test strategy corresponding to each target to-be-tested item and the successful request message of the front page for each target to-be-tested item, so as to obtain the test response message corresponding to each target to-be-tested item.
In the embodiment of the application, the terminal performs test processing on a successful request message of a front-end page for each target to-be-tested item according to a test strategy corresponding to each target to-be-tested item, so as to obtain a test request message corresponding to the successful request message. And then, the terminal sends a test request message to the target application according to the pre-installed browser to obtain test response messages corresponding to all target items to be tested.
The test request message is a request message sent by the terminal to a server where the target application is located through a browser; the test response message is a response message sent to the terminal by the server where the target application is located in response to the test request message.
For the login page, when the target item to be tested is the weak password test item or the tampered unauthorized access item, the terminal obtains the preset account attack vectors and password attack vectors for that item and tampers with the success request message.
Specifically, the terminal locates the account field and the password field in the success request message to obtain their positions, and then replaces the account and the password at those positions with the preset account and password attack vectors. Preferably, the terminal locates not only the plaintext account and password but also their transcoded forms in the success request message, and replaces each of them at its position with the corresponding attack vector in the same transcoding (plaintext account vector, plaintext password vector, transcoded account vector, transcoded password vector), thereby obtaining the test request messages corresponding to the success request message.
For example, with m account attack vectors and n password attack vectors, m×n different account and password combinations are attacked. Optionally, the attack vectors can instead be filled in sequentially: the m account vectors and the n password vectors are paired position by position into the first m accounts and the first n passwords, and when m ≠ n the missing entries of the shorter list are left blank.
As shown in Table 1, taking the account abc as an example, several transcodings of the account are obtained; any transcoding type may be used in the present application, and the type is not specifically limited in the embodiment of the application.
TABLE 1
Transcoding           Value
Plaintext             abc
Base64                YWJj
URL encoding          %61%62%63
HTML entity encoding  &#x61;&#x62;&#x63;
The terminal then sends the test request messages to the server of the target application through the pre-installed browser and obtains the test response messages for the weak password test item or the tampered unauthorized access item.
The preset account and password attack vectors can be set by a technician or taken from a pre-stored attack vector data pack, which is not limited in the embodiment of the application. Where the account, the password or one of their transcodings occurs at several positions in the success request message, all positions are located, and the substitution test is carried out over the permutations and combinations of those positions.
When the target item to be tested is the bypass access item, the terminal locates the decision statement in the success request message to obtain its position, and tampers with it at that position, for example changing flag=0 in the success request message to flag=1, or false to true, thereby obtaining the test request message corresponding to the success request message.
The terminal then sends the test request message to the server of the target application through the pre-installed browser and obtains the test response message for the bypass access item.
The tampering method for the bypass access item can also be set by a technician in practical application and is not specifically limited in the embodiment of the application.
In an exemplary embodiment, when the target item to be tested is an anti-replay item, the terminal sends the successful request message to the server corresponding to the target application for multiple times, and the multiple request messages are used as multiple test request messages. Then, the terminal obtains a test response message corresponding to the anti-replay item.
The number of times of sending the test request message of the anti-replay item may also be set in practical application according to a technician, and the embodiment of the application is not specifically limited.
In an exemplary embodiment, when the target item to be tested is the XSS test item, the terminal obtains preset XSS text content, executes a text submission request with it, and the recording program takes the request message produced by the submission as the test request message. The terminal then receives the test response message sent by the server of the target application and checks whether the XSS text content is present in it. For example, the terminal enters the XSS content <script>alert('TEST')</script> into the text input control and submits it to obtain the test response message, then searches the test response message for alert('TEST'). If the search succeeds, the terminal determines that the target application is vulnerable to injected script. Searching for the complete payload including its <script> tags, rather than for alert('TEST') alone, avoids reporting a reflection that the server has HTML-escaped (&lt;script&gt;...), which the browser would not execute.
The XSS text content of the XSS test item can also be set by a technician in practical application and is not specifically limited in the embodiment of the application.
For the login page, when the target item to be tested is the SQL injection test item, the terminal locates the characteristic information fields, such as the account and the password, in the success request message to obtain their positions, and tampers with a characteristic field at its position. For example, when the characteristic information is the account and the account is admin, the terminal changes admin in the success request message to admin and 2>1, i.e. the characteristic information followed by an always-true condition, to obtain the test request message corresponding to the success request message.
The specific tampering method of the SQL injection test item can also be set by a technician in practical application and is not specifically limited in the embodiment of the application.
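Step 704 for all of the items above (credential substitution with the transcodings of Table 1 and the m×n or sequential pairing, the flag=0 to flag=1 and false to true flip, the unchanged resend for the anti-replay item, the always-true condition and the XSS payload), gathered into one added Python example. This is not code from the patent or from ICBC: the recorded request body, the attack vectors, the item names and the choice of the account field as the target of the SQL injection and XSS payloads are all assumptions of the example. The substitution generalises the description by replacing the recorded value in every transcoding it appears in, so an account the browser sent twice (plain and Base64) is tampered consistently:

```python
import base64
from itertools import product
from urllib.parse import parse_qsl, urlencode

# Constructed sample (not from the patent): body of the recorded successful
# login request, sent with the preset account AAA and password BBB. The
# application is assumed to echo the account a second time in Base64.
SUCCESS_REQUEST = "user=AAA&pass=BBB&user_b64=QUFB&flag=0&remember=false"

# Preset attack vectors (assumed); a real run loads them from a stored vector pack.
ACCOUNT_VECTORS = ["admin", "root", "test"]
PASSWORD_VECTORS = ["123456", "password"]

# Decision-type values flipped by the bypass item (flag=0 -> 1, false -> true).
BYPASS_FLIPS = {"0": "1", "false": "true"}


def transcodings(value):
    """Forms of Table 1: plaintext, Base64, URL (%xx) and HTML entity (&#xhh;)."""
    raw = value.encode()
    return {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "url": "".join("%%%02x" % b for b in raw),
        "html": "".join("&#x%02x;" % b for b in raw),
    }


def substitute(message, old, new):
    """Locate every occurrence of `old` in the recorded message, in each of its
    transcoded forms, and replace it with `new` in the same form. Positions are
    taken from the recorded request, never guessed from field names. Caveat:
    very short recorded values can collide with unrelated text in the body."""
    new_forms = transcodings(new)
    for form, encoded_old in transcodings(old).items():
        if encoded_old:
            message = message.replace(encoded_old, new_forms[form])
    return message


def credential_tests(message, account, password, mode="cartesian"):
    """Weak-password and tampered-access items. 'cartesian' tries every account
    vector with every password vector (m*n requests); 'sequential' pairs the
    vectors position by position and leaves the shorter list's tail blank."""
    if mode == "cartesian":
        pairs = list(product(ACCOUNT_VECTORS, PASSWORD_VECTORS))
    else:
        width = max(len(ACCOUNT_VECTORS), len(PASSWORD_VECTORS))

        def pad(vectors):
            return vectors + [""] * (width - len(vectors))

        pairs = list(zip(pad(ACCOUNT_VECTORS), pad(PASSWORD_VECTORS)))
    return [substitute(substitute(message, account, a), password, p) for a, p in pairs]


def bypass_test(message):
    """Bypass item: flip the decision fields present in the recorded request."""
    fields = parse_qsl(message, keep_blank_values=True)
    return urlencode([(k, BYPASS_FLIPS.get(v.lower(), v)) for k, v in fields])


def build_test_requests(item, message=SUCCESS_REQUEST, account="AAA", password="BBB"):
    """Test strategy per target item: the list of test request bodies derived
    from the recorded success request (item names are this example's own)."""
    if item in ("weak_password", "tamper_access"):
        return credential_tests(message, account, password)
    if item == "bypass_access":
        return [bypass_test(message)]
    if item == "anti_replay":
        return [message] * 3  # resend the unchanged success request several times
    if item == "sql_injection":
        return [substitute(message, account, account + " and 2>1")]  # always-true condition
    if item == "xss":
        return [substitute(message, account, "<script>alert('TEST')</script>")]
    raise ValueError("unknown test item: " + item)
```

The bodies returned here are what the terminal would send, one request per entry, in place of the recorded success request; the replay list is three identical copies by construction, so the number of resends is a parameter rather than a rule of the method.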
Step 706, comparing the data length of the test response message corresponding to the target to-be-tested item with the data length of the successful response message of the target to-be-tested item to obtain a comparison result, and determining the test result of the front page according to the comparison result.
In the embodiment of the application, for each target to-be-tested item the terminal compares the test response message of that item with the success response message of the front-end page to obtain a comparison result, determines the test result of each target to-be-tested item from the comparison result, and obtains the test result of the front-end page from the test results of all its target to-be-tested items.
The comparison result represents the difference between the test response message of each target to-be-tested item and the success response message of the front-end page for that item.
Specifically, for any target to-be-tested item the terminal obtains the data length of the success response message and the data length of the test response message, and compares the two to obtain the comparison result.
A test response message whose length is close to that of the success response message is taken to be a success response to the tampered request, which indicates that the target application has a security problem for that target test item; a test response message whose length differs markedly (for example an error or rejection page) is taken to be a rejected attempt. Accordingly, when the length of the test response message lies outside the preset data length threshold band around the success response length, the terminal determines that the target to-be-tested item passed (the target application has no security problem for that item); when the length lies within the band, the terminal determines that the item failed (the target application has a security problem for that item).
For example, for the tampered unauthorized access item, when the success response message was obtained with account AAA and the test response message falls within the preset data length band, the terminal can additionally search the test response message or other front-end pages for information belonging to other accounts before reporting a finding; if, for example, information of account CCC is present, the terminal determines that the target application has a tampered unauthorized access problem.
The preset data length threshold band may be 95% to 105% of the data length of the success response message; for example, when the success response message is 1000 bytes long, the band is 950 to 1050 bytes.
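The judgement of step 706, together with the additional other-account check for the tampered unauthorized access item and the reflection search of the XSS item, as an added Python example (not code from the patent or from ICBC). The response bodies, the account names AAA and CCC, the item names and the payload are constructed for the example; lengths are counted in bytes of the encoded response, and the 95% to 105% band is the one given above:

```python
XSS_PAYLOAD = "<script>alert('TEST')</script>"

# Constructed sample responses (not from the patent): the recorded success
# response for the preset account AAA, and the page returned for a rejected login.
SUCCESS_RESPONSE = "<html><body>Welcome AAA. Balance: 1000</body></html>"
DENIED_RESPONSE = "<html><body>Login failed</body></html>"


def within_band(test_response, success_response, low=0.95, high=1.05):
    """Step 706: a test response whose byte length lies within 95%..105% of the
    success response length is treated as a success response to the tampered
    request; anything else is treated as a rejection."""
    n = len(success_response.encode())
    return low * n <= len(test_response.encode()) <= high * n


def judge(item, test_responses, success_response=SUCCESS_RESPONSE,
          other_accounts=("CCC",), payload=XSS_PAYLOAD):
    """Return 'failed' (security problem present) or 'passed' for one target
    item, given the test responses collected for that item."""
    successes = [r for r in test_responses if within_band(r, success_response)]
    if item == "xss":
        # Reflection check: the raw payload, tags included, must come back
        # unescaped. An HTML-escaped echo (&lt;script&gt;...) does not match.
        return "failed" if any(payload in r for r in test_responses) else "passed"
    if item == "tamper_access":
        # A same-sized response is not proof on its own; confirm that another
        # account's data is actually exposed before reporting.
        leaked = any(acc in r for r in successes for acc in other_accounts)
        return "failed" if leaked else "passed"
    # weak_password, bypass_access, sql_injection, anti_replay: any tampered or
    # replayed request answered like the original success is a finding.
    return "failed" if successes else "passed"


def page_result(item_responses, **kwargs):
    """Combine the per-item judgements into the test result of one front-end page."""
    return {item: judge(item, responses, **kwargs) for item, responses in item_responses.items()}
```

The length band is a cheap first filter, not a verdict: a rejection page that happens to be the same size as the success page would be counted as a success. The other-account check shown for the tampered access item is the kind of content-level confirmation worth applying to the other items too, for example looking for the post-login marker in a weak-password response.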
In one embodiment, the method further comprises:
and under the condition that a target front-end page matched with the front-end page does not exist in the history test record, taking all the items to be tested in the test item library as target items to be tested of all the front-end pages in the target application.
In the embodiment of the application, under the condition that a target front-end page matched with the front-end page does not exist in the history test record, the terminal acquires all the items to be tested in the test item library, and takes all the items to be tested in the test item library as target items to be tested of all the front-end pages in the target application. And then, the terminal tests all front-end pages of the target application based on all the items to be tested to obtain test results of all the front-end pages aiming at all the items to be tested.
In this embodiment, when no target front-end page matching the front-end page exists in the history test record, the target application is being tested in the test system for the first time and no history test record matches its front-end pages. By testing the target application against all items to be tested, the security test result of the target application is obtained; it is sent to the server of the test system to update the history test record, so that the next test of the target application, and the security tests of similar applications, can refer to it, which improves the robustness of the test system.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an application security testing device for realizing the application security testing method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitations in one or more embodiments of the application security test device provided below may be referred to above as limitations of the application security test method, and will not be described herein.
In one embodiment, as shown in FIG. 8, an application security test apparatus 800 is provided, comprising a first acquisition module 802, a second acquisition module 804, a first determination module 806, and a test module 808, wherein:
The first acquisition module 802 is configured to acquire application information of a target application, where the application information includes an application name and an Internet standard resource address.
The second acquisition module 804 is configured to acquire, for each front-end page of the target application, the page control information contained in that front-end page.
The first determination module 806 is configured to determine, from the test items included in the test item library, the target items to be tested of each front-end page in the target application based on the application name of the target application, the Internet standard resource address of the target application, and the page control information of each front-end page in the target application.
The test module 808 is configured to, for each front-end page in the target application, perform test processing on the front-end page according to the test policy corresponding to the target items to be tested of that front-end page, obtain the test result corresponding to the front-end page, and construct the security test result of the target application from the test results corresponding to all front-end pages.
With the application security test device provided by this embodiment of the disclosure, the target items to be tested of each target front-end page in the target application can be determined from the test item library based on the application name of the target application, the Internet standard resource address of the target application, and the page control information of each target front-end page in the target application. The user does not need to manually analyze each target front-end page of the target application to decide which items to test, so the efficiency of the security test of the target application is improved. Moreover, since the target items to be tested that suit each target front-end page in the target application are selected from the test item library, the accuracy of the security test is improved.
In one embodiment, the first determination module 806 is specifically configured to:
search the history test record for historical test information of the target application based on the application name of the target application and the Internet standard resource address of the target application;
and, when historical test information of the target application exists, determine for any front-end page the target test items corresponding to that front-end page from the test item library according to the historical test information.
In one embodiment, the first determination module 806 is specifically configured to:
when no historical test information of the target application exists, search the history test record, for any front-end page, for a target front-end page matching that front-end page according to the page control information of the front-end page;
and search the history test record for the historical test information corresponding to the target front-end page, and determine the target test items corresponding to the front-end page from the test item library according to that historical test information.
In one embodiment, the first determination module 806 is specifically configured to:
search the historical test information for the test item identifiers whose state is the target test state, where the target test state represents a failed test of the test item corresponding to the test item identifier;
and determine the target test items corresponding to the front-end page from the test item library according to those test item identifiers.
In one embodiment, the first determination module 806 is specifically configured to:
acquire, from the history test record, the page control categories included in the front-end pages that have already been tested;
and determine a target front-end page matching the front-end page from the already tested front-end pages according to the page control categories of the front-end pages in the target application and the page control categories included in the already tested front-end pages.
In one embodiment, the test module 808 is specifically configured to:
execute, for the front-end page, the request operation corresponding to each target item to be tested, and acquire the successful request message and successful response message corresponding to each target item to be tested of the front-end page;
perform test processing according to the test strategy corresponding to each target item to be tested and the successful request message of the front-end page for that item, obtaining a test response message corresponding to each target item to be tested;
and, for any target item to be tested, compare the data length of the test response message corresponding to that item with the data length of its successful response message to obtain a comparison result, and determine the test result of the front-end page according to the comparison result.
In one embodiment, the apparatus is further configured to:
when no target front-end page matching the front-end page exists in the history test record, take all items to be tested in the test item library as the target items to be tested of the front-end pages in the target application.
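The selection logic of the first determination module as described in the embodiments above, as an added example that is not the patent's own code: look up the application's own history by application name and URL, otherwise match an already tested page on its page control categories, and otherwise fall back to the whole test item library. The record layout, the item identifiers, the "failed" state label, the equality rule for matching control categories, and the sample history are constructed assumptions; the case where an application has history but none for the particular page is not described on the page, and this example treats it like the no-history case.

```python
"""Target test item selection (added example, not the patent's code).
Record layout, item identifiers and sample history are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

FAILED = "failed"  # assumed label for the target test state (test item failed)

# Constructed test item library: test item identifier -> description.
TEST_ITEM_LIBRARY: Dict[str, str] = {
    "T01": "session check on account page",
    "T02": "input length limit on search form",
    "T03": "anti-forgery token on transfer form",
    "T04": "error page information disclosure",
}


@dataclass(frozen=True)
class HistoryRecord:
    """One already tested front-end page in the history test record (assumed layout)."""
    app_name: str
    url: str                            # Internet standard resource address
    page_id: str
    control_categories: FrozenSet[str]  # page control categories seen on the page
    item_states: Dict[str, str]         # test item identifier -> test state


# Constructed sample history test record.
SAMPLE_HISTORY: List[HistoryRecord] = [
    HistoryRecord("PayApp", "https://pay.example.test", "account",
                  frozenset({"text_input", "button", "table"}),
                  {"T01": FAILED, "T02": "passed", "T04": FAILED}),
    HistoryRecord("OtherApp", "https://other.example.test", "search",
                  frozenset({"text_input", "button"}),
                  {"T02": FAILED, "T03": "passed"}),
]


def app_history(history: List[HistoryRecord], app_name: str, url: str) -> List[HistoryRecord]:
    """Historical test information of the application, keyed by name and URL."""
    return [r for r in history if r.app_name == app_name and r.url == url]


def failed_items(records: Iterable[HistoryRecord]) -> Set[str]:
    """Identifiers of library items whose recorded state is the target (failed) state."""
    ids: Set[str] = set()
    for r in records:
        ids.update(i for i, s in r.item_states.items()
                   if s == FAILED and i in TEST_ITEM_LIBRARY)
    return ids


def match_page_by_controls(history: List[HistoryRecord],
                           categories: FrozenSet[str]) -> List[HistoryRecord]:
    """Already tested pages whose control categories equal the new page's (assumed rule)."""
    return [r for r in history if r.control_categories == categories]


def target_items_for_page(history: List[HistoryRecord], app_name: str, url: str,
                          page_id: str, categories: Iterable[str]) -> Set[str]:
    """Target items to be tested for one front-end page of the target application."""
    own = [r for r in app_history(history, app_name, url) if r.page_id == page_id]
    if own:                                   # history of this very application and page
        return failed_items(own)
    similar = match_page_by_controls(history, frozenset(categories))
    if similar:                               # a matching page of some other tested application
        return failed_items(similar)
    return set(TEST_ITEM_LIBRARY)             # no match at all: test every library item


if __name__ == "__main__":
    print(target_items_for_page(SAMPLE_HISTORY, "PayApp", "https://pay.example.test",
                                "account", {"text_input", "button", "table"}))
    print(target_items_for_page(SAMPLE_HISTORY, "NewApp", "https://new.example.test",
                                "lookup", {"text_input", "button"}))
    print(target_items_for_page(SAMPLE_HISTORY, "NewApp", "https://new.example.test",
                                "upload", {"file_input"}))
```

Note that a page whose history shows every item passing yields an empty selection, which is what the described rule implies: only previously failed items are retested. A deployment that wants regression coverage for new items added to the library after the last run would need to widen that rule.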
The modules of the application security test device described above may be implemented in whole or in part by software, hardware, or a combination of both. The modules may be embedded in, or independent of, a processor in the computer device in hardware form, or stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a terminal whose internal structure may be as shown in FIG. 9. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The input/output interface of the computer device exchanges information between the processor and external devices. The communication interface of the computer device performs wired or wireless communication with an external terminal; the wireless mode may be realized through Wi-Fi, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements an application security test method. The display unit of the computer device forms a visual picture and may be a display screen, a projection device or a virtual reality imaging device. The display screen may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in FIG. 9 is merely a block diagram of the part of the structure related to the present application and does not limit the computer device to which the present application applies; a particular computer device may include more or fewer components than shown, combine some of the components, or arrange the components differently.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the method embodiments described above. In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to comply with the related laws and regulations and standards of the related countries and regions.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may carry out the steps of the method embodiments described above. Any reference to memory, a database, or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM may take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of relational and non-relational databases; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be, without limitation, general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, or quantum-computing-based data processing logic units.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (11)

1. An application security test method, the method comprising:
acquiring application information of a target application, wherein the application information comprises an application name and an Internet standard resource address;
respectively acquiring page control information contained in each front-end page aiming at each front-end page of the target application;
determining target items to be tested of each front-end page in the target application from each test item included in a test item library based on the application name of the target application, the internet standard resource address of the target application and page control information of each front-end page in the target application;
and, for each front-end page in the target application, performing test processing on the front-end page according to a test strategy corresponding to the target items to be tested of the front-end page to obtain a test result corresponding to the front-end page, and constructing a security test result of the target application according to the test results corresponding to the front-end pages.
2. The method according to claim 1, wherein the determining, from the test items included in the test item library, the target to-be-tested item of each front-end page in the target application based on the application name of the target application, the internet standard resource address of the target application, and the page control information of each front-end page in the target application includes:
searching historical test information of the target application in a historical test record based on the application name of the target application and the Internet standard resource address of the target application;
and, when the historical test information of the target application exists, determining for any front-end page the target test items corresponding to that front-end page from the test item library according to the historical test information.
3. The method according to claim 2, wherein the method further comprises:
when no historical test information of the target application exists, searching the history test record, for any front-end page, for a target front-end page matching the front-end page according to the page control information of the front-end page;
searching the history test record for the historical test information corresponding to the target front-end page, and determining the target test item corresponding to the front-end page from the test item library according to that historical test information.
4. The method according to claim 2, wherein determining the target test item corresponding to the front page from the test item library according to the historical test information comprises:
searching a test item identifier corresponding to a target test state from the historical test information, wherein the target test state is used for representing test item test failure corresponding to the test item identifier;
and determining a target test item corresponding to the front page from a test item library according to the test item identifier.
5. The method according to claim 3, wherein the page control information includes a page control category, and the searching for a target front-end page matching the front-end page from the history test record according to the page control of the front-end page includes:
acquiring, from the history test record, the page control categories included in the front-end pages that have already been tested;
and determining a target front-end page matching the front-end page from the already tested front-end pages according to the page control categories of the front-end pages in the target application and the page control categories included in the already tested front-end pages.
6. The method of claim 1, wherein the performing test processing on the front-end page according to the test policy corresponding to the target item to be tested of the front-end page to obtain the test result corresponding to the front-end page includes:
executing, for the front-end page, the request operation corresponding to each target item to be tested, and acquiring a successful request message and a successful response message corresponding to each target item to be tested of the front-end page;
performing test processing according to the test strategy corresponding to each target item to be tested and the successful request message of the front-end page for that item, to obtain a test response message corresponding to each target item to be tested;
and, for any target item to be tested, comparing the data length of the test response message corresponding to the target item with the data length of the successful response message of the target item to obtain a comparison result, and determining the test result of the front-end page according to the comparison result.
7. A method according to claim 3, characterized in that the method further comprises:
when no target front-end page matching the front-end page exists in the history test record, taking all items to be tested in the test item library as the target items to be tested of the front-end pages in the target application.
8. An application security test device, the device comprising:
a first acquisition module, configured to acquire application information of a target application, wherein the application information comprises an application name and an Internet standard resource address;
a second acquisition module, configured to acquire, for each front-end page of the target application, the page control information contained in that front-end page;
a first determination module, configured to determine the target items to be tested of each front-end page in the target application from the test items included in a test item library based on the application name of the target application, the Internet standard resource address of the target application and the page control information of each front-end page in the target application;
and a test module, configured to, for each front-end page in the target application, test the front-end page according to the test strategy corresponding to the target items to be tested of the front-end page, obtain the test result corresponding to the front-end page, and construct the security test result of the target application according to the test results corresponding to the front-end pages.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
11. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311330914.XA CN117370176A (en) 2023-10-13 2023-10-13 Application security test method, device, computer equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117370176A true CN117370176A (en) 2024-01-09

Family

ID=89403549


Country Status (1)

Country Link
CN (1) CN117370176A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination