JP4170243B2 - Web application inspection device - Google Patents

Description

  The present invention relates to a system for diagnosing the presence / absence of a security hole in a Web application. For example, the present invention relates to a web application inspection apparatus that inspects a web application.

  The web application is a service that operates on a web server and can be used by operating a form on a web page displayed on web browser software such as Microsoft Internet Explorer (registered trademark) of Microsoft Corporation. That is, the web application refers to software or a program that operates on a web server and provides a predetermined service. Data entered on the form is given a data name and transmitted to the Web application.

  FIG. 13 is a diagram showing the contents of information transmitted from a conventional inspection apparatus to a Web server. As shown in FIG. 13B showing the HTML source, the name of each input data is determined by the name attribute of the tag representing each form part. Data input from the form in this way is hereinafter referred to as “parameter” (input parameter).

  There are two main methods for transmitting parameters to a Web application. One is a method of transmitting as a part of a request URL (FIG. 13C), and the other is a method of transmitting as a body part of an HTTP request (FIG. 13D). Which method is used for transmission is specified by the HTML content of the page from which the parameter is input.

  In addition to the parameters, there are some data transmitted from the browser to the web application. A typical example is data called Cookie, but there are other Web applications that use a Referer header or User-Agent header in an HTTP request as an input.

  Vulnerability diagnosis of a Web application sends a request that includes pseudo attack data in the data input to the Web application, such as the above parameters and Cookie, and suggests the existence of a security hole in the response of the Web application to the request This is done by analyzing whether there are any traces. As a typical product, AppScan (registered trademark) of Sanctum, USA can be cited (for example, Non-Patent Document 1).

  FIG. 14 is a flowchart showing an outline of the operation of the conventional Web application diagnostic system. The operation of a conventional vulnerability diagnosis system for Web applications will be described with reference to FIG. The system first collects site configuration information (step 1802). This is a process of collecting information such as the structure of the site, correct parameters for moving to each page, and cookie. This processing is performed automatically or by monitoring the user's browser operation.

  Next, an inspection is performed based on the collected site configuration information (step 1803). At this time, the system modifies the correct request collected in step 1802, and generates and transmits a pseudo attack request. Since there are a plurality of patterns in the pseudo attack, generally, a plurality of pseudo attack requests are generated for one correct request. By analyzing the response from the Web application to the transmitted request, it is determined whether there is a vulnerability. Finally, the system outputs the test execution result and ends (step 1804).

As described above, in the conventional vulnerability diagnosis system for Web applications, an inspection request is generated based on the collected correct request. Therefore, the contents are always the same as those of the original correct request except for the part modified for inspection. For this reason, it is not possible to diagnose the page as described below.
First, there is a problem that it is not possible to inspect a page that does not accept data once used, such as user registration. This occurs because information such as the user name already used at the time of collecting the site configuration information is reused at the time of executing the inspection.

On the user registration page, a password or an e-mail address is often input twice in order to detect a user's typing error. Such constraints between input items cannot be determined from correct request information. For this reason, each item is individually inspected, and as a result, it is processed as an error input in the Web application, and a vulnerability that may exist in the course of normal registration processing cannot be inspected.
"SANCTUM AppScanTM 3.5 White Paper"

  The present invention makes it possible to describe as a macro a parameter for which a different value must be input each time at the time of inspection, and to specify a parameter group to which the same inspection character string must be input at the time of inspection. This is a Web application diagnosis system that can eliminate the point.

The web application inspection apparatus of the present invention is
In a web application inspection apparatus for inspecting a web application by transmitting inspection data for inspecting a web application operating on the web server to the web server,
Inspection means for generating inspection data including an input parameter used for input to a predetermined input item of the web application, and a macro indicating a replacement instruction to replace the input parameter with a predetermined value;
Macro execution means for replacing the input parameter with a predetermined value based on the macro included in the inspection data when the inspection data generated by the inspection means is transmitted to the web server;
Web access means for transmitting inspection data including an input parameter replaced with a predetermined value by the macro execution means to a web server.

  According to the present invention, it is possible to describe as a macro a parameter for which a different value must be input each time during vulnerability inspection, and avoid errors in inspection processing. In addition, when testing for vulnerabilities, a group of parameters that require the same test string to be entered can be specified as a group having the same value. For example, on the user registration page, the `` password entry item '' If the same password is not entered in the two items of "Re-enter password item for confirmation" and the case where an error occurs, the inspection can be performed.

  The embodiment will be described with reference to FIGS. FIG. 1 is a diagram showing a vulnerability diagnosis system 1000 according to the embodiment. The vulnerability diagnosis system 1000 has a configuration in which an inspection apparatus 101 (web application inspection apparatus) that diagnoses a vulnerability of a Web server is connected to an inspection target Web server 108 via a TCP / IP (Transmission Control Protocol / Internet Protocol) network. It is.

  The inspection apparatus 101 includes an inspection control unit 105 that controls each unit, a Web access unit 102, a macro execution unit 103, a session recovery unit 104 (acquisition unit), and inspection units 106a, 106b, and 106c. The session recovery unit 104 includes a storage unit 1041 that stores session management information described later.

  The inspection apparatus 101 uses the site configuration information 109, the inspection target page designation information 110, the macro definition information 111, and the equivalence parameter designation information 112 as input information. Such information will be described later. The inspection apparatus 101 inspects the vulnerability of a Web application (software or program) that runs on the inspection target Web server 108.

  FIG. 2 is a diagram showing an internal configuration of the inspection means 106a. The inspection units 106b and 106c have the same configuration. The inspection unit 106a includes an inspection request generation unit 1061 and a vulnerability determination unit 1062. The inspection request generation means 1061 receives the request information 1063 and outputs inspection request information 1064 (inspection data). The vulnerability determination unit 1062 receives the response 1065 from the Web server and outputs a vulnerability determination result 1066.

  As shown in FIG. 1, the inspection apparatus 101 includes a Web access unit 102, a macro execution unit 103, a session recovery unit 104 (acquisition unit), an inspection control unit 105, inspection units 106a, 106b, and 106c. The function of the component may be implemented in hardware. Moreover, it may be implemented by software. Alternatively, it may be implemented by both hardware and software. The inspection control unit 105 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), a magnetic magnetic storage device, and the like (not shown). The same applies to the other session recovery means 104 and the like. The web access unit 102 has a communication function. Further, the inspection apparatus 101 includes an input unit (not shown) for inputting the site configuration information 109 and the like. Further, an output unit (not shown) for outputting the inspection result is provided.

  Next, the site configuration information 109 will be described with reference to FIG. FIG. 3 is a diagram showing an example of the site configuration information 109 shown in FIG. The site configuration information 109 is information representing the configuration of the site to be inspected, and URL 1002 for accessing each page in the site and data (hereinafter referred to as “POST data 1003”) that must be given to the body part of the HTTP request. is described. The URL 1002 and the POST data 1003 are hereinafter collectively referred to as “link information 1004”. Each link information 1004 is assigned a unique ID in the site configuration information file called “link ID 1001”. Further, the link ID 1001 is generated by adding a hyphen (-) serial number to the ID of the page that is the link source to the page. For example, a link ID 1001 such as a link ID “1-1-1” or “1-1-2” is given to a page whose link ID is “1-1”. As shown in FIG. 3, the link ID 1001, URL 1002, and POST data 1003 are delimited by a pipe symbol (|) and described in one line.

  Next, the inspection target page designation information 110 will be described with reference to FIG. FIG. 4 is a diagram showing an example of the inspection target page designation information 110 shown in FIG. The inspection target page designation information 110 is a file for designating a target to be subjected to vulnerability inspection by the inspection apparatus 101 among the pages described in the site configuration information 109. The link IDs 1001 of the pages to be inspected are described side by side separated by commas or line breaks.

  Next, FIG. 5 is a diagram showing an example of the macro definition information 111 shown in FIG. FIG. 6 is a diagram illustrating an example of macro insertion site configuration information 1300 in which a macro is inserted into the site configuration information 109. In the figure, a portion surrounded by back quotes (図) is a macro insertion unit 1301 in which a macro is inserted. A “macro” is a program code written in an interpreted language. Macro expansion is performed by executing the macro part in the macro execution means 103 and replacing the macro part with the return value (character string). By defining the function used in the macro in advance in the macro definition information 111, the function can be called from the macro in the site configuration information.

  FIG. 7 is a diagram illustrating an example of the equivalency parameter specifying information 112 illustrated in FIG. The equivalence parameter designation information 112 includes a URL 1401 that does not include a parameter and an equivalence parameter designation 1402. The “equivalent parameter designation” is a group of two or more parameter groups that must be equivalent and separated by an equal sign (=). When a plurality of equivalence parameters are designated for the same URL 1401, each equivalence parameter designation is described by being connected with a pipe symbol (|) as shown in the figure.

  FIG. 8 is a flowchart showing the process of the inspection process. The operation of the inspection process of the inspection apparatus 101 will be described with reference to FIGS. Each step of the flowchart is referred to as step 601 or S601, for example. The inspection control unit 105 of the inspection apparatus 101 performs inspection by controlling the Web access unit 102, the macro execution unit 103, the session recovery unit 104, the inspection unit 106a, and the like.

  The inspection apparatus 101 receives as input the files called site configuration information 109, inspection target page designation information 110, macro definition information 111, and equivalence parameter designation information 112 at the time of activation. However, the inspection target page designation information 110, the macro definition information 111, and the equivalence parameter designation information 112 can be omitted. When the inspection target page designation information 110 is omitted, all pages described in the site configuration information 109 are regarded as inspection targets.

  The inspection control unit 105 extracts the link ID 1001 of the inspection target page in order from the site configuration information 109 (S601), and executes the inspection process shown in FIG.

  First, the inspection control unit 105 searches the site configuration information 109 from the link ID 1001 (variable id) of the inspection target page and takes out the corresponding link information 1004 (step 602). Next, the inspection control means 105 inspects this link using the inspection means 106a, 106b, etc. in order. In step 603, the inspection control unit 105 searches for an inspection unit that has not been executed for this link, and stores a reference to the inspection unit in the variable d. If d is a null value (step 604), all the inspections for the link have been completed, so the inspection process is terminated (step 616).

  If d is a reference to an effective inspection means (when there is an inspection means that has not been executed), the process proceeds to S605 and thereafter. Here, it is assumed that the inspection means 106a exists as an inspection means that has not been executed. In step S605, the inspection control unit 105 searches the “equivalent parameter specification information 112” and checks whether an equivalent parameter group is specified for the inspection target link (step 605). The “equivalent parameter group” means a group of parameters that are processed as an error unless the same value is always set according to the specifications of the Web site. For example, in the user registration page, an error occurs if the same password is not entered in the two items “password entry item” and “password re-entry item for confirmation”. When such a page is inspected, an error can be avoided by specifying in advance the parameter names corresponding to “password” and “confirmation password” as “equivalent parameter group”. For example, “register.asp = pass = pass2” shown in FIG. If the equivalence parameter group exists as a result of the check in step 605, the inspection control means 105 registers the equivalence parameter group in d (inspection means 106a) (step 606).

  Thereafter, steps 607 to 615 are looped until all the inspections performed by d (inspection means 106a) are completed. When the inspection of d (inspection means 106a) is completed, the inspection processing returns to step 603, and the same processing is performed for another inspection means (for example, inspection means 106b).

  Next, step 607 to step 615 will be described below. First, in step 607, the inspection control means 105 confirms whether all the inspections performed by the inspection means d (inspection means 106a) have been completed. If there is still an inspection to be performed by the inspection means 106a, the process proceeds to step 608, and session recovery is performed. “Session recovery” is a process of acquiring session management information such as Cookie by performing Web access according to the configuration of the site from the top page of the site to the inspection target page. Details of this processing will be described later (FIG. 9).

  In step 608, after session recovery is performed by the session recovery means 104, in step 609, request information for accessing the page indicated by link is generated, and in step 610, the request information is passed to d (inspection means 106a). It is. Based on the request information, d (inspection means 106a) generates an inspection request (inspection data) using the internal inspection request generation means 1061 (step 611). The inspection request generation means 1061 is different for each inspection means (for each inspection means 106a, 106b, 106c, etc.). As a result, various inspection items can be realized. Next, Web access is performed based on the inspection request generated by d (inspection means 106a) (step 612). The response (response) from the Web site is again delivered to d (inspection means 106a) and analyzed by vulnerability determination means 1062 inside d (inspection means 106a). If it is determined that there is a vulnerability as a result of the analysis (step 614), the vulnerability determination means 1062 outputs a vulnerability detection message (step 615). Thereafter, the process returns to step 607 again, and this loop continues until all the inspections by d (inspection means 106a) are completed.

  Next, session recovery processing will be described with reference to FIG. The session recovery process is performed by the session recovery unit 104 under the control of the inspection control unit 105. FIG. 9 is a flowchart showing the session recovery process in step 608. In the session recovery process, first, in step 501, the target link ID is received as a parameter (variable id). Next, in step 502, the session management information acquired in the previous session recovery is cleared. As described above, the link ID is generated by being derived from the link source between pages. For this reason, it is possible to easily check the link source ID of a given link ID. If the link ID does not include a hyphen (-), it means that the page is not linked from anywhere, that is, the top of the site. If the link ID indicates the top of the site (step 503), the session recovery process is not performed and the process ends immediately.

  If the link source is present in the link ID, the link source ID is extracted by the character string processing of the variable id and substituted into the variable parent_id (step 504). Next, session recovery processing is recursively called for parent_id (step 505). When the recursive call of the session recovery process is completed, the session recovery for the parent_id is completed.

  Next, by accessing the parent_id itself in steps 506 to 509, the session recovery for the id given first is completed. For this purpose, link information corresponding to parent_id is searched from the site configuration information in step 506 (variable link). Next, request information generation processing corresponding to the link is performed (step 507), and web access is performed via the web access means 102 based on the request information (session management information acquisition data) (step 508). Session management information storage processing is called in step 509 with the response and link from the website as input (S1501 in FIG. 10), and session management information such as Cookie is stored in the storage means 1041. This completes the session recovery process.

  Next, session management information storage processing will be described with reference to FIG. FIG. 10 is a flowchart showing a session management information saving process. The session management information storage called in step 509 is implemented as shown in FIG. This process is performed based on the “response information” returned from the website and the “link information” that is the source of the response. First, “Referer information” and “hidden parameter information” saved in the previous session management information saving process (saved in the saving unit 1041) are cleared (step 1502). Next, the URL included in the “link information” is stored in the storage unit 1041 as “Refer information” (step 1503). Next, information referred to by the header name “Set-Cookie” is extracted from the header information of “response information”, and is stored in the storage unit 1041 as “Cookie information” (steps 1504 to 1505). Next, the HTML included in the response is analyzed to find a hidden tag (<input type = hidden> tag), and the name attribute and value attribute are stored in the storage unit 1041 (steps 1506 to 1507). Thus, the session management information saving process ends.

  Next, the request information generation process will be described with reference to FIG. FIG. 11 is a flowchart showing the process of request information generation processing. The request information generation process is performed in step 609 in FIG. 8 (inspection process) and step 507 in FIG. 9 (session recovery process). In step 609, the inspection control means 105 generates. In step 507, the session recovery means 104 generates. The request information generation process (S609) in the inspection process is for generating an inspection request. The request information generation process (S507) of the session recovery process is for acquiring session management information.

  The request information generation process is called with link information as a parameter (variable link). Next, the referer information, the cookie information, and the hidden parameter group acquired when the session management information storing process is last performed are acquired (steps 1602 to 1604). Next, the link parameter is replaced using the acquired hidden parameter group (step 1605). For example, it is assumed that a parameter named “sessionid” exists in the link and its value is “1234abcd”. If a parameter named “sessionid” exists in the hidden parameter group and its value is “5678 wxyz”, the “sessionid parameter” of the link is replaced with “5678 wxyz”. As a result, Web access can be performed correctly even on a Web site that manages sessions using the hidden parameter. Finally, request information is generated based on the referer information, the cookie information, and the corrected link information, and returned to the caller (steps 1606 to 1607).

  Next, Web access processing will be described with reference to FIG. FIG. 12 is a flowchart showing Web access processing. The Web access process is performed by an inspection process (step 612 in FIG. 8) and a session recovery process (step 508 in FIG. 9). This is because in the case of the inspection process, an inspection request is transmitted to the inspection target Web server 108. This is because session management information is acquired in the session recovery process. The Web access process is called with request information as a parameter (step 301). Next, the link information of the request information is extracted (step 302), and the macro therein is expanded. That is, as described with reference to FIG. 11, the request information is generated based on the link information, and the link information is, for example, a portion after the link ID in FIG. Therefore, it contains a macro.

  By using a macro, it is possible to always set different values for a specific parameter. For example, it is possible to avoid a situation in which a user cannot be registered because a parameter such as a user name already used at the time of collecting site configuration information is reused at the time of inspection execution. In macro setting, different values are set for specific parameters in accordance with parameter input items (for example, user name input). By setting different values for the user name, it is possible to avoid duplication with past input and to perform inspection.

  A “macro” is a program code written in an interpreted language. As described above, the macro can be described in the site configuration information by surrounding it with back quotes (構成) like “macro insertion unit 1301” in FIG. Macro expansion is performed by executing the macro part on the macro execution means 103 and replacing the macro part with the return value (character string). Like the macro definition information 111 shown in FIG. 5, by defining a function to be used in the macro in advance, the function can be called from a macro in the macro insertion site configuration information 1300, for example. In the present embodiment, it is assumed that a Perl interpreter is used as the macro execution means 103, but other interpreter languages can also be used.

  After the macro expansion, in step 304, HTTP request data that is actually transmitted is generated from the link information, cookie information, referer information, and other header information. In step 305, the HTTP request data is transmitted to the Web site (inspection target Web server 108). . As a result, the HTTP response data received from the Web site is used as the return value of this process, and the process is terminated (steps 306 to 307).

  As described above, in the embodiment, the session recovery process (S608) is always performed before the inspection request generation (S611). However, this may be performed only once per inspection process. In that case, the inspection time can be shortened.

  Since the inspection apparatus 101 according to the present embodiment uses a macro, in the Web access of the session recovery process (S508) and the inspection process (S612), the user name used once, for example, as in the user registration page It is possible to inspect even a page that causes an error when using again.

  In addition, by making it possible to describe a macro in the link information in the site configuration information, it is possible to inspect Web sites having pages that do not allow duplication with past input.

  The session recovery process by the inspection apparatus 101 has an effect that it is possible to inspect even a Web site that performs session management. Further, since the link ID is used in the session recovery process, the session recovery process can be performed efficiently.

  Further, in the session recovery process by the inspection apparatus 101, since a macro is executed, it is possible to always use different values for specific parameters.

  The inspection apparatus 101 can also inspect a Web site having a page to which the same value must be input by making it possible to specify an equivalence parameter group.

It is a figure which shows a diagnostic system. It is a figure which shows the structure of a test | inspection means. It is a figure which shows the example of site structure information. It is a figure which shows the example of inspection object page designation information. It is a figure which shows the example of macro definition information. It is a figure which shows the example of the site structure information using a macro. It is a figure which shows the example of equivalence parameter designation | designated information. It is a figure which shows operation | movement of the test | inspection process of a diagnostic system. It is a figure which shows operation | movement of a session recovery process. It is a figure which shows operation | movement of the preservation | save process of session management information. It is a figure which shows operation | movement of the production | generation process of request information. It is a figure which shows operation | movement of a web access process. It is a figure which shows the content of the information transmitted to the conventional web server. It is a flowchart which shows the outline | summary of operation | movement of the conventional web application diagnostic system.

Explanation of symbols

  101 inspection apparatus, 102 Web access means, 103 macro execution means, 104 session recovery means, 105 inspection control means, 106 inspection means, 107 TCP / IP network, 108 inspection target Web server, 109 site configuration information, 110 inspection target page designation Information, 111 macro definition information, 112 equivalence parameter designation information, 201 inspection means, 202 inspection request generation function, 203 vulnerability determination function, 204 request template information, 205 inspection request information, 206 response, 207 determination result, 1000 vulnerability diagnosis System, 1001 link ID, 1002 URL, 1003 POST data, 1004 link information, 1041 storage means, 1001 link ID, 1061 inspection request generation means, 062 vulnerability determination unit 1063 requests information, 1064 inspection request information, 1065 response, 1066 judgment result, 1300 macro insertion site configuration information, 1301 macro insertion portion, 1401 URL, 1402 equivalent parameters specified.

Claims (6)

In a web application inspection apparatus for inspecting the web application by transmitting inspection data for inspecting a web application operating on the web server to the web server,
Site configuration information indicating the configuration of a site provided by the web application operating on the web server, and used as an input value to a URL (Uniform Resource Locator) of the site and a predetermined input item of the web application From the site configuration information including a macro that indicates a replacement instruction that replaces an input parameter that is once input to the input item and that is rejected to be input next time by the web application with a different value. Inspection control means that includes the URL and the macro and generates request information for accessing the web server;
Based on the request information generated by the inspection control unit, the inspection unit includes the URL and the macro and sequentially generates a plurality of inspection data for inspecting the web application;
Macro execution means for executing the macro included in the generated inspection data and replacing the input parameter with a different value each time the inspection data is sequentially generated by the inspection means;
Web access means for sequentially transmitting the inspection data, in which the macro has been executed by the macro execution means, to the web server;
A web application inspection apparatus comprising: The web application inspection device includes:
further,
Access to the web server by accessing the web server via the web access means when the inspection data is generated by the inspection means and before the inspection data is generated. Including an acquisition means for acquiring session management information including a history;
The inspection control means includes
Each time the session management information is acquired by the acquisition means, the request information is generated using the session management information,
The inspection means includes
The web application inspection apparatus according to claim 1, wherein the inspection data is created based on the request information generated using the session management information. The acquisition means includes
When acquiring the session management information, the data used to acquire the session management information is an input parameter used as an input value to a predetermined input item of a web application and is input once to the input item Then, the web application generates session management information acquisition data including a macro indicating a replacement command for replacing an input parameter for which input of the same value is rejected next time with a different value, and the generated session management information acquisition data is stored in the web Sent to the web server via access means,
The macro execution means is:
The web access means, when transmitting session management information acquisition data to the web server, executing the macro included in the session management information acquisition data to replace the input parameter with a different value. 2. The web application inspection device according to 2. The acquisition means includes
Obtaining the session management information including a hidden parameter as the access history;
The inspection control means includes
Generating the request information including the hidden parameter;
The inspection means includes
The web application inspection apparatus according to claim 2, wherein the inspection data including the hidden parameter is generated. The macro execution means is:
When executing the macro and replacing the input parameter with a different value, the function is used to call the function according to macro definition information in which a function that generates a different value is defined. The web application inspection apparatus according to claim 1, wherein an input parameter is replaced. The site configuration information is
The web application inspection apparatus according to claim 1, wherein the macro includes a replacement instruction for replacing a user name with a different value.

Images