CN101902470A - Form feature-based Web security vulnerability dynamic testing method - Google Patents
Form feature-based Web security vulnerability dynamic testing method
- Publication number: CN101902470A
- Application number: CN201010226471A
- Authority: CN (China)
- Prior art keywords: test, test case, form, value, web
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Landscapes
- Computer And Data Communications (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a form feature-based dynamic testing method for Web security vulnerabilities. The method comprises the following steps: 1) automatically extracting the features of the Web application page under test, of its forms and of their form fields, and collecting and storing these data; 2) taking the form as the unit of testing, assigning each form field a set of candidate test values, first generating the full-combination test case set, computing a weight for each test case, and then generating the test suite by a maximum-weight selection method; 3) executing the test suite; and 4) analysing the execution result of each test case for potential security vulnerabilities and summarising the results into a test report. By analysing the features of Web forms, the method uses domain knowledge to assign each form field security-vulnerability test values in a targeted way, interacts with the Web server to obtain its responses, and automatically tests for potential security vulnerabilities in the Web application according to those responses.
Description
Technical field
The present invention relates to automated testing techniques for detecting security vulnerabilities in Web applications through form input fields. In particular, since Web forms have become one of the main paths by which Web applications are attacked, it relates to analysing and exploiting the features of forms effectively, so as to assign each input field of a form targeted security test values and detect the security vulnerabilities of the Web application.
Background art
Dynamic testing methods for Web application security vulnerabilities are already applied in the security testing of Web applications. Security testing is an indispensable part of the Web application development process; its ultimate goal is to guarantee the security and reliability of the Web application. As Web application systems grow in scale and complexity and their influence on social life deepens, the demand for Web application security testing becomes ever more pronounced. Traditional vulnerability detection methods require Web application testers to draw on professional knowledge and experience, operate the system as a user and imitate hacker attacks in order to find security vulnerabilities. The results therefore depend heavily on the testers' ability, their state and how familiar they are with the Web application under test. Automated security testing, by contrast, requires that a large number of test cases be generated for Web application security vulnerabilities; compared with manual testing it saves test resources and cost while improving the effectiveness of the test. Automated security testing needs to make effective use of information about the code structure and functional specification of the Web application.
Existing security vulnerability detection methods can be roughly divided into dynamic testing techniques and static analysis techniques. Dynamic testing techniques collect Web session information to assist in generating test cases, but such techniques still find it difficult to detect the full range of vulnerabilities present in Web applications. Static analysis techniques analyse the source code of the Web application using control-flow graphs and data-flow graphs; they require access to the source code of the Web application under test and are tied to the specific programming language in which it is written.
Summary of the invention
The main purpose of the present invention is to address the limited application scenarios, poor extensibility and low performance of traditional Web application vulnerability detection methods by proposing a form feature-based dynamic testing method for Web application security vulnerabilities. It uses domain knowledge to generate targeted test values for form input fields, takes the form as the unit of testing, and detects potential security vulnerabilities in the Web application by dynamic testing.
To achieve this object, the present invention adopts the following steps:
1) Web form feature collection: the features of the Web application page under test, of its forms and of their form fields are extracted automatically, and the following data are collected and saved: the Web page features, comprising the Status-Line, the headers (including Cookie) and the HTML message body containing the forms; the form features, comprising the action, the method and the data format (enctype); and the form field features, comprising the type, the name and the initial value (initial_value);
2) Test suite generation: taking the form as the unit of testing, each form field of each form is assigned a set of specific security-vulnerability candidate test values, and the full combination of the form fields' candidate values tentatively yields the form's full-combination test case set; then, according to the harmfulness of the security vulnerabilities, each test case is given a weight representing its vulnerability detection ability, a larger weight meaning a stronger detection ability; finally, a test suite of a given size is generated by selecting test cases one by one with the maximum-weight selection method;
3) Test suite execution: for each form, a series of HTTP requests is generated from the test suite, each HTTP request corresponding to one test case and the value of each form field being supplied by that test case; the HTTP requests are submitted to the Web server one by one and the HTTP responses are collected as the execution results of the form under this test suite;
4) Potential security vulnerability detection: taking the form as the unit, the execution result of each test case is analysed for potential security vulnerabilities; the detection results of the individual forms are obtained first and then summarised into a security vulnerability test report for the Web application.
In step 2) above, the process of assigning each form field of each form a set of specific security-vulnerability candidate test values is as follows: first a Web application security vulnerability assignment rule base R_s is built, and the automatic assignment of each form field is completed through R_s. The rules in R_s have the following schema:
Rule ≡ <constraint, test_target, value>, where constraint is a constraint condition, expressed as a regular expression, that determines whether a form field may use this rule; test_target is the targeted security vulnerability or attack type; and value is the test value for vulnerabilities of type test_target that satisfies the constraint.
In step 2) above, the process of computing for each test case a weight representing its vulnerability detection ability is as follows: each vulnerability type (test_target) of the rules in R_s is given a weight w (0 < w ≤ 1) according to the degree to which it threatens the security of the Web application. The vulnerability types corresponding to test_target in R_s include the XSS, SQLI and NORMAL types, ordered by threat degree from high to low as SQLI > XSS > NORMAL; the more threatening vulnerability is given the larger weight. Based on the weight w of each security vulnerability type (test_target), a weight W(t_s) is then computed for each test case t_s of the candidate test case set, where t_s = <v_1, v_2, ..., v_n> and v_i is the value of the i-th form field f_i of test case t_s. W(t_s) is computed by formula (1) from the contributions D(v_i), where D(v_i) denotes the weight contributed to test case t_s when form field f_i takes the value v_i and is itself computed by formula (2).
In step 2) above, the process of generating the test suite with the maximum-weight selection method is as follows: given a form F = <f_1, f_2, ..., f_n> with n form fields, each form field f_i is assigned an assignment set containing k_i > 0 candidate test values. The full-combination method produces a candidate test case set containing one test case for every combination of the fields' candidate values; a greedy method then repeatedly chooses the test case with the largest weight until the test suite reaches the given size or no test case is left to choose, thereby constructing the test suite to be executed.
In step 3) above, the test suite execution process is as follows: for the form under test and the Web page containing it, an HTTP request Req is created and initialised for each test case, Req being initialised with the information of the page and form under test; it comprises the Request-Line, the headers (including Cookie), the CRLF and the message body. The content of Req is then filled in according to the test case: for test case t_s = <v_1, v_2, ..., v_n>, the name of each form field f_i and the value v_i are extracted to form name-value pairs, which are processed according to the request method (GET or POST):
1) if the HTTP request method is GET, all name-value pairs of t_s are appended to the URI of the Request-Line;
2) if the HTTP request method is POST, all name-value pairs of t_s are assigned as the POST parameters of the message body.
Req is then submitted to the Web server in the role of a client, and the server's response is awaited.
In step 4) above, the detailed process is: according to the response code of the Web server, the response result Result is extracted and analysed for potential security vulnerabilities of the form under test, and the results are then summarised into a security vulnerability test report for the Web application. Result is obtained from the server's response information as follows:
1) response code 1xx: the HTTP request has been received, and the server's further response must be awaited;
2) response code 2xx: the HTTP request succeeded; the HTML content of the response is collected and saved in Result;
3) response code 3xx: the requested resource is redirected, and the server's further processing must be awaited; if the redirect succeeds, the HTML content of the response is collected and saved in Result;
4) response code 4xx: the client sent an erroneous request that the server refused; it can be ignored;
5) response code 5xx: a server error; an attempt is made to collect the error message and save it in Result.
If the collection fails, an unknown error has occurred, indicating that a security vulnerability of unknown (UNKNOWN) type has been found.
In step 4) above, potential security vulnerabilities are detected according to a vulnerability detection rule base R_d, specifically: first a security vulnerability detection rule base R_d is built, whose rules have the format rule ≡ <vulnerability_type, regular_expression>, where vulnerability_type is the security vulnerability type and regular_expression is the regular expression used to match the response result.
During the potential security vulnerability analysis, for each value v_i of the executed test case (v_i corresponding to form field f_i), the detection rule r corresponding to v_i.test_target is retrieved from R_d, i.e. r.vulnerability_type == v_i.test_target; the regular expression regular_expression of the retrieved rule r is matched against the collected server response result Result, and a successful match indicates that a potential Web application security vulnerability of type r.vulnerability_type has been found. When the test_target of every value of the test case has been checked, the inspection of that test case's result is complete.
The method of the invention proposes a complete automated dynamic testing method for Web application security vulnerabilities based on the features of forms and their input fields. The whole flow, from Web form feature collection through test case generation and test case execution to potential security vulnerability detection, can be fully automated, which greatly saves testing time and labour cost and is particularly suitable for tedious Web application testing. On the other hand, because the invention builds and uses a Web application security vulnerability domain knowledge base, organised by form feature and attack type, both for form field assignment (requiring the security vulnerability assignment rule base R_s) and for security vulnerability detection (requiring the security vulnerability detection rule base R_d), it is readily extensible: to detect a new security vulnerability, one only needs to write the corresponding assignment rule and detection rule from that vulnerability's test values and detection method, add them to the assignment rule base R_s and the detection rule base R_d respectively, and run the method of the invention. We have completed a case study with the method of the invention; the results show that it can effectively detect potential security vulnerabilities in Web applications. The experiment detected more than 20 potential security vulnerabilities (including cross-site scripting and SQL injection attacks) in more than 50 forms, with an accuracy above 95% on manual verification.
The invention is described in detail below with reference to the accompanying drawings.
Description of drawings
Fig. 1 is the overall architecture diagram of the form feature-based dynamic testing method for Web application security vulnerabilities;
Fig. 2 is the workflow diagram of the dynamic testing method for Web application security vulnerabilities;
Fig. 3 is the flow chart of Web form feature extraction;
Fig. 4 is the flow chart of value assignment to each form field of a Web form;
Fig. 5 is the flow chart of the fixed-size test suite generation algorithm;
Fig. 6 is the flow chart of test case execution for a form;
Fig. 7 is the flow chart of the potential security vulnerability detection algorithm for a form.
Detailed description
As shown in Fig. 1, the form feature-based dynamic testing method for Web application security vulnerabilities is organised, following the data flow, into four modules: Web form feature collection, test suite generation, test suite execution and potential security vulnerability analysis. The Web form feature collection module gathers the Web page information and the form features the page contains, including each editable field of a form (such as input fields of type text and password, and textarea fields) and each non-editable field (such as input fields of type radio, checkbox, submit, reset and hidden, and select fields), collectively called form input fields (form fields for short). The test suite generation module takes the form as the unit and uses Web application security vulnerability domain knowledge to assign each input field of the form a set of candidate test values for particular vulnerabilities; it then generates the form's test suite, in which each test case specifies one test value for every form field. The test suite execution module generates a series of HTTP requests for a given form, one per test case, the value of each form field being determined by that test case; it submits them to the Web server one by one and collects the HTTP responses as the execution results of the form under this test suite. The potential security vulnerability detection module takes the form as the unit and, using Web application security vulnerability domain knowledge, analyses the execution result of each of the form's test cases for potential security vulnerabilities; the results are then summarised into a potential security vulnerability detection report for the whole Web application.
The workflow of the present invention is shown in Fig. 2.
The Web form feature collection module of step 1 is responsible for collecting the Web page, the forms it contains and the information of each form field. First, according to the URL of the Web page under test, an HTTP request for obtaining the page's form information is generated and submitted to the Web server, and the server's response is awaited (step 1.1). The response data of the Web server are then received and saved, comprising the Status-Line, the headers (including the Set-Cookie data), the CRLF and the message body (the HTML containing the forms) (step 1.2). Finally, the form features of the Web page are extracted (step 1.3).
The detailed flow of Web page form feature extraction is shown in Fig. 3. For each form F in the Web page, the following two steps are performed in turn:
1) extract the features of form F, namely its three attributes action, method and data format (enctype) (step 1.3.1);
2) extract the features of each form field f_i of form F, namely its three attributes type, name and initial value (initial_value) (step 1.3.2).
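The extraction of steps 1.3.1 and 1.3.2 can be done with the standard-library HTML parser. The following is an added example, not the patent's own implementation: the sample page SAMPLE_PAGE is constructed for it, it assumes well-formed HTML, skips fields without a name (a browser never submits them) and, beyond the three attributes the patent lists, keeps the optional maxlength attribute because the assignment-rule constraints of step 2.1 refer to it.

```python
from html.parser import HTMLParser

# Added example, not the patent's code: step 1.3 form feature extraction with the
# standard-library parser. Assumes well-formed HTML; fields without a name are
# skipped (a browser never submits them); the optional maxlength attribute is
# kept because the assignment-rule constraints of step 2.1 refer to it.


class FormFeatureExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []        # completed form records: action, method, enctype, fields
        self._form = None      # form currently being parsed
        self._textarea = None  # textarea field collecting its text content
        self._select = None    # select field whose options are being read
        self._options = []     # (value, selected) pairs of the current select
        self._option = None    # option currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                # browsers default to urlencoded when enctype is absent
                "enctype": a.get("enctype") or "application/x-www-form-urlencoded",
                "fields": [],
            }
        elif self._form is None:
            return
        elif tag == "input":
            field = {
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name"),
                "initial_value": a.get("value") or "",
            }
            if (a.get("maxlength") or "").isdigit():
                field["maxlength"] = int(a["maxlength"])
            self._add_field(field)
        elif tag == "textarea":
            self._textarea = {"type": "textarea", "name": a.get("name"), "initial_value": ""}
        elif tag == "select":
            self._select = {"type": "select", "name": a.get("name"), "initial_value": ""}
            self._options = []
        elif tag == "option" and self._select is not None:
            self._option = {"value": a.get("value"), "selected": "selected" in a, "text": ""}

    def handle_data(self, data):
        if self._textarea is not None:
            self._textarea["initial_value"] += data
        elif self._option is not None:
            self._option["text"] += data

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "textarea" and self._textarea is not None:
            self._add_field(self._textarea)
            self._textarea = None
        elif tag == "option" and self._option is not None:
            o, self._option = self._option, None
            # an option without a value attribute submits its text
            value = o["value"] if o["value"] is not None else o["text"].strip()
            self._options.append((value, o["selected"]))
        elif tag == "select" and self._select is not None:
            # initial value of a select: its selected option, else its first option
            selected = [v for v, s in self._options if s]
            if selected:
                self._select["initial_value"] = selected[0]
            elif self._options:
                self._select["initial_value"] = self._options[0][0]
            self._add_field(self._select)
            self._select = None

    def _add_field(self, field):
        if self._form is not None and field["name"]:
            self._form["fields"].append(field)


def extract_form_features(html):
    """Return, for every form in the page, its form features and form field features."""
    parser = FormFeatureExtractor()
    parser.feed(html)
    parser.close()
    return parser.forms


# Constructed sample page (not from the patent).
SAMPLE_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="username" value="" maxlength="32">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc123">
  <input type="checkbox" name="remember" value="on">
  <select name="role"><option value="user" selected>User</option><option value="admin">Admin</option></select>
  <textarea name="note">hello</textarea>
  <input type="submit" value="Log in">
</form>
<form action="search"><input name="q"><button type="submit">Go</button></form>
</body></html>"""

if __name__ == "__main__":
    for form in extract_form_features(SAMPLE_PAGE):
        print(form["method"].upper(), form["action"], form["enctype"])
        for field in form["fields"]:
            print("   ", field)
```

The defaults applied when an attribute is absent (method get, type text, enctype application/x-www-form-urlencoded) are the ones a browser applies, so the request built later in step 3 matches what the server expects to receive.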
The test suite generation module of step 2 generates the form's test suite from the form features extracted in step 1; this part is original to the present invention. First, in step 2.1, the candidate values of each form field of the form are computed; then, in step 2.2, all possible value combinations of all the form fields are generated by the full-combination method to constitute the full-combination test case set; finally, in step 2.3, weights are estimated according to the security vulnerabilities covered by each test case and its vulnerability detection ability, the test cases are sorted by weight in descending order, and the specified number is taken to form the test suite for execution.
The detailed flow of the Web form field assignment of step 2.1 is shown in Fig. 4; the core of the algorithm is marked 2.1.1 in the figure. The algorithm uses an assignment rule base R_s in which every rule has the form rule ≡ <constraint, test_target, value>. Here constraint is a constraint condition, expressed as a regular expression, that determines whether a form field may use the rule; for example "fieldtype: "text"" means that the rule applies to input fields of type text. test_target is the targeted security vulnerability or attack type, for example "XSS" (cross-site scripting), "SQLI" (SQL injection) or "NORMAL" (not a vulnerability; the normal type). value is the test value for vulnerabilities of type test_target that satisfies the constraint, for example "<div style="background:url(javascript:alert())">".
For a given form, the attributes of each form field f_i are matched against the constraint of every rule r in R_s.
1) If rule r matches, a candidate value v_i is added for f_i; its value is given by r.value and it targets security vulnerabilities of type r.test_target (marked by v_i.test_target). For example, given the following rule r_0:
r_0 ≡ <constraint: {fieldname: "/username?|usrname?|us|(usr\w*)/i", fieldtype: "text", maxlength: 100}, test_target: "XSS", value: '<div style="background:url(javascript:alert())">'>,
if the name of form field f_i conforms to the naming pattern of the fieldname entry of the constraint, its type is "text" and its maximum length does not exceed 100, then f_i receives a candidate value v_i whose type (test_target) is "XSS" (cross-site scripting) and whose value (value) is "<div style="background:url(javascript:alert())">".
2) If no matching rule is found in the rule base, f_i is given a default value: the vulnerability type field test_target is set to "NORMAL" (not targeting any vulnerability), and the test value field value may be set to the initial value (initial_value) of f_i.
After the assignment of form field f_i is completed by the above processing, f_i has a set of test values V_i containing k_i > 0 candidate test values, k_i being the number of candidate test values of f_i.
At present the vulnerability types corresponding to test_target in the rule base R_s are mainly the XSS, SQLI and NORMAL types. Vulnerability types can be added; the technique for constructing the rule base is outside the scope of the method of the invention. Each vulnerability type is given a weight w (0 < w ≤ 1) according to the degree to which it threatens the security of the Web application. The present invention orders these threat degrees from high to low as SQLI > XSS > NORMAL; the more threatening vulnerability is given the larger weight.
The full-combination test case set generation of step 2.2 enumerates every possible combination of the candidate values of the form's fields, which produces a large candidate test case set. For example, given a form F = <f_1, f_2, ..., f_n> with n form fields, where form field f_i has an assignment set containing k_i > 0 candidate test values, this step produces a test suite with one test case for every combination, each test case taking for field f_i its s_i-th candidate value, with 0 < s_i ≤ k_i.
The algorithm for generating a test suite of given size in step 2.3 is shown in Fig. 5. It generates the specified number of test cases for a given form and consists mainly of the following steps:
1) compute the weight of every test case in the form's full-combination test case set (step 2.3.1);
2) repeatedly apply a greedy method, each time choosing the test case with the largest weight from the candidate test case set, until the given size is reached or no test case remains to choose (step 2.3.2).
In step 2.3.1, for a form with n form fields, let the test case be t_s = <v_1, v_2, ..., v_n>, where v_i denotes the value of the i-th form field f_i in test case t_s. The weight of t_s is computed by formula (1), in which D(v_i) denotes the weight contributed to test case t_s when form field f_i takes the value v_i and is computed by formula (2). The value of D(v_i) depends on the position of v_i.test_target within test case t_s: if and only if v_i.test_target appears for the first time among the form field assignments of t_s does the test value v_i contribute a weight w to the test case, its size being determined by the harmfulness of the security vulnerability corresponding to v_i.test_target.
In step 2.3.2, the greedy method is used: each time the test case with the largest weight is chosen from the candidate full-combination test case set and placed in the result test case set, until the given size is reached or no test case remains to choose.
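Steps 2.1 to 2.3 together, as an added example in Python that is not the patent's own code and that also serves the summary of step 2) above. Assumed beyond what the text states: W(t_s) is the sum of the contributions D(v_i); the numeric weights are illustrative and chosen only to satisfy SQLI > XSS > NORMAL with 0 < w ≤ 1; the rule base RULES and the form LOGIN_FORM are constructed; the fieldname and fieldtype patterns are matched against the whole attribute value; and the maxlength constraint is read, as in the r_0 example, as an upper bound on the field's declared maxlength.

```python
import itertools
import re
from dataclasses import dataclass

# Added example, not the patent's code: step 2.1 rule-based assignment from an
# assignment rule base R_s, step 2.2 full combination, step 2.3.1 first-occurrence
# weighting and step 2.3.2 greedy maximum-weight selection.
# Assumptions: W(t_s) is the sum of the D(v_i); WEIGHTS are illustrative values
# ordered SQLI > XSS > NORMAL; RULES and LOGIN_FORM are constructed for this example.


@dataclass
class AssignRule:
    constraint: dict   # regexes for fieldname/fieldtype, upper bound for maxlength
    test_target: str   # "XSS", "SQLI" or "NORMAL"
    value: str


@dataclass(frozen=True)
class Candidate:
    test_target: str
    value: str


WEIGHTS = {"SQLI": 1.0, "XSS": 0.5, "NORMAL": 0.25}   # 0 < w <= 1, by threat degree

RULES = [
    AssignRule({"fieldname": r"username?|usrname?|us|usr\w*", "fieldtype": "text", "maxlength": 100},
               "XSS", '<div style="background:url(javascript:alert())">'),
    AssignRule({"fieldtype": "text|password"}, "SQLI", "' OR '1'='1"),
    AssignRule({"fieldtype": "text"}, "XSS", "<script>alert(1)</script>"),
]

LOGIN_FORM = [   # form field features (type, name, initial_value, optional maxlength) from step 1
    {"type": "text", "name": "username", "initial_value": "", "maxlength": 32},
    {"type": "password", "name": "password", "initial_value": ""},
    {"type": "text", "name": "q", "initial_value": ""},
    {"type": "checkbox", "name": "remember", "initial_value": "on"},
]


def rule_matches(rule, field):
    """Does the field satisfy the rule's constraint? Name and type patterns are
    matched in full, case-insensitively, so "us" does not match "user_email"."""
    c = rule.constraint
    if "fieldname" in c and not re.fullmatch(c["fieldname"], field["name"], re.I):
        return False
    if "fieldtype" in c and not re.fullmatch(c["fieldtype"], field["type"], re.I):
        return False
    if "maxlength" in c and field.get("maxlength", 0) > c["maxlength"]:
        return False
    return True


def assign_candidates(field, rules):
    """Step 2.1: one candidate per matching rule; NORMAL with the initial value if none matches."""
    found = [Candidate(r.test_target, r.value) for r in rules if rule_matches(r, field)]
    return found or [Candidate("NORMAL", field["initial_value"])]


def full_combination(form, rules):
    """Step 2.2: every combination of the fields' candidate values (product of the k_i)."""
    return list(itertools.product(*(assign_candidates(f, rules) for f in form)))


def case_weight(case):
    """Step 2.3.1: W(t_s) = sum of D(v_i), where D(v_i) = w(v_i.test_target) at the
    first position where that test_target occurs in t_s and 0 elsewhere."""
    seen, total = set(), 0.0
    for v in case:
        if v.test_target not in seen:
            seen.add(v.test_target)
            total += WEIGHTS[v.test_target]
    return total


def select_max_weight(cases, size):
    """Step 2.3.2: greedily take the remaining case of maximum weight until size is reached."""
    remaining, chosen = list(cases), []
    while remaining and len(chosen) < size:
        best = max(remaining, key=case_weight)
        remaining.remove(best)
        chosen.append(best)
    return chosen


def generate_test_suite(form, rules, size):
    return select_max_weight(full_combination(form, rules), size)


if __name__ == "__main__":
    for case in generate_test_suite(LOGIN_FORM, RULES, 3):
        print(case_weight(case), [(v.test_target, v.value) for v in case])
```

With the constructed form the full combination has 3 x 1 x 2 x 1 = 6 cases; the one that sends the SQLI value in every text field scores only 1.25 because the repeated SQLI contributes nothing after its first occurrence, while any case mixing XSS and SQLI scores 1.75 and is preferred by the greedy selection.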
The test case execution module of step 3 performs two main tasks: test case execution (step 3.1) and collection of the test execution results (step 3.2). The detailed flow of test case execution is shown in Fig. 6. First, in step 3.1.1, for the given form and the Web page containing it, an HTTP request Req is created and initialised for each test case, Req being initialised with the information of the page and form under test; it comprises the Request-Line, the headers (including Cookie), the CRLF and the message body. According to the submit method (method) set on the form, the HTTP request uses one of two request methods, GET or POST: under GET the form data are carried in the URI of the Request-Line, under POST they are carried in the POST parameters of the message body. Accordingly, in step 3.1.2, for each test case t_s = <v_1, v_2, ..., v_n> of the test suite, the name of each form field f_i and the value v_i are extracted to form name-value pairs, which are processed according to the request method:
1) if the HTTP request method is GET, all name-value pairs of t_s are appended to the URI of the Request-Line;
2) if the HTTP request method is POST, all name-value pairs of t_s are assigned as the POST parameters of the message body.
Finally, in step 3.1.3, Req is submitted to the Web server in the role of a client and the server's response is awaited.
The execution result collection of step 3.2 is responsible for receiving and storing the HTTP response data of the Web server for use by the subsequent potential security vulnerability analysis module.
The potential vulnerability analysis module of step 4 completes, mainly on the basis of the server response messages corresponding to the executed test cases, the potential vulnerability analysis of each form in the Web application (step 4.1), and summarises the results into a security vulnerability detection report (step 4.2).
The detailed flow of the potential security vulnerability analysis algorithm for a single form is shown in Fig. 7. The algorithm has two parts: extraction of the server response result (step 4.1.1) and potential security vulnerability analysis (step 4.1.2). During response result extraction, the algorithm inspects the HTTP response code of the Web server and proceeds as follows:
1) response code 1xx: the HTTP request has been received, and the server's further response must be awaited;
2) response code 2xx: the HTTP request succeeded; the HTML content of the response is collected and saved in Result;
3) response code 3xx: the requested resource is redirected, and the server's further processing must be awaited; if the redirect succeeds, the HTML content of the response is collected and saved in Result;
4) response code 4xx: the client sent an erroneous request that the server refused; it can be ignored;
5) response code 5xx: a server error; an attempt is made to collect the error message and save it in Result.
If the collection fails, an unknown error has occurred, indicating that a security vulnerability of unknown (UNKNOWN) type has been found.
In step 4.1.2, the extracted server response result Result is further analysed for potential Web application security vulnerabilities. This requires the security vulnerability detection rule base R_d, whose rules have the format rule ≡ <vulnerability_type, regular_expression>, where vulnerability_type is the security vulnerability type and regular_expression is the regular expression used to match the response result. During the security vulnerability analysis, for each value v_i of the executed test case (corresponding to form field f_i), the detection rule r corresponding to v_i.test_target is retrieved from R_d, i.e. r.vulnerability_type == v_i.test_target; the regular expression regular_expression of the retrieved rule r is matched against the collected server response result Result, and a successful match indicates that a potential Web application security vulnerability of type r.vulnerability_type has been found. When the test_target of every value of the test case has been checked, the inspection of that test case's result is complete.
In step 4.2, the test results of all test cases are summarised, for the form under test and the Web page containing it, into a potential security vulnerability report for that form, and these reports are then summarised into the test report for the whole Web application.
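Steps 3 and 4 together as an added example in Python that is not the patent's own code (it also covers the same steps in the summary above): it builds Req for one test case, classifies the response by status code class and matches the detection rule base R_d against Result. The rule base DETECT_RULES, the form, the test case and the server responses are all constructed, so nothing is sent to a server. It assumes forms of enctype application/x-www-form-urlencoded, which means the name-value pairs must be URL-encoded before they are appended to the URI or placed in the body (the patent's text does not mention encoding; multipart forms are not handled).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlencode, urljoin

# Added example, not the patent's code: step 3.1 request construction, step 4.1.1
# response result extraction and step 4.1.2 rule-based detection. DETECT_RULES,
# LOGIN_FORM, CASE and the response bodies are constructed; nothing is sent.
# Assumption: application/x-www-form-urlencoded forms, so name-value pairs are
# URL-encoded into the query string or body (multipart is not handled).


@dataclass(frozen=True)
class Candidate:
    test_target: str
    value: str


@dataclass(frozen=True)
class DetectRule:
    vulnerability_type: str
    regular_expression: str


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict
    body: str


# Constructed detection rule base R_d: XSS fires when the payload is reflected
# unescaped; SQLI fires on common database error messages in the response.
DETECT_RULES = [
    DetectRule("XSS", r'<div style="background:url\(javascript:alert\(\)\)">'),
    DetectRule("SQLI", r"You have an error in your SQL syntax|ORA-\d{5}|unclosed quotation mark|SQLSTATE\["),
]

LOGIN_FORM = {
    "action": "/login", "method": "post", "enctype": "application/x-www-form-urlencoded",
    "fields": [{"type": "text", "name": "username", "initial_value": ""},
               {"type": "password", "name": "password", "initial_value": ""}],
}
CASE = (Candidate("XSS", '<div style="background:url(javascript:alert())">'),
        Candidate("SQLI", "' OR '1'='1"))


def build_request(page_url, form, case, cookie=""):
    """Step 3.1: fill Req with the test case's name-value pairs according to the form's method."""
    pairs = [(f["name"], v.value) for f, v in zip(form["fields"], case)]
    action = urljoin(page_url, form["action"])
    headers = {"Cookie": cookie} if cookie else {}
    if form["method"].lower() == "get":
        return HttpRequest("GET", action + "?" + urlencode(pairs), headers, "")
    headers["Content-Type"] = form["enctype"]
    return HttpRequest("POST", action, headers, urlencode(pairs))


def extract_result(status, body, redirect_body=None):
    """Step 4.1.1: map the response to (Result, unknown_error) by status code class;
    redirect_body is the page obtained after a successful redirect (None if not followed)."""
    if 200 <= status < 300:
        return body, False
    if 300 <= status < 400:
        return redirect_body, False
    if 500 <= status < 600:
        return (body, False) if body else (None, True)   # no error text could be collected
    return None, False    # 1xx: keep waiting; 4xx: rejected request, ignored


def analyse_case(form, case, status, body, rules=DETECT_RULES, redirect_body=None):
    """Step 4.1.2: for each v_i, take the rule with vulnerability_type == v_i.test_target
    and match its regular expression against Result; returns (field name, type) findings."""
    result, unknown = extract_result(status, body, redirect_body)
    if unknown:
        return [("*", "UNKNOWN")]
    if result is None:
        return []
    findings = []
    for field, v in zip(form["fields"], case):
        for r in rules:
            if r.vulnerability_type == v.test_target and re.search(r.regular_expression, result):
                findings.append((field["name"], r.vulnerability_type))
    return findings


# Constructed server responses for the test case above.
REFLECTED_RAW = '<p>Unknown user <div style="background:url(javascript:alert())"></p>'
REFLECTED_ESCAPED = '<p>Unknown user &lt;div style=&quot;background:url(javascript:alert())&quot;&gt;</p>'
MYSQL_ERROR = "You have an error in your SQL syntax; check the manual near ''1'='1'' at line 1"

if __name__ == "__main__":
    req = build_request("https://example.test/account/", LOGIN_FORM, CASE, cookie="sid=abc")
    print(req.method, req.uri, req.body)
    for status, body in [(200, REFLECTED_RAW), (200, REFLECTED_ESCAPED), (500, MYSQL_ERROR), (500, "")]:
        print(status, analyse_case(LOGIN_FORM, CASE, status, body))
```

Two points worth noting about the patent's detection step as implemented here. The XSS rule only fires when the payload comes back byte for byte, so a server that HTML-escapes the reflection is correctly reported clean. And because detection is keyed on v_i.test_target rather than on which value provoked the response, a SQL error caused by the username payload is reported against the field whose candidate value targets SQLI; sending one non-NORMAL value per request, or matching the specific payload, removes that ambiguity.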
The characteristics of the form feature-based dynamic testing method for Web application security vulnerabilities are: the Web form is the basic unit of testing; a test assignment rule base is built for known attack techniques; each form field of the form is then assigned values; a test suite for security vulnerability detection is generated from the full combination by sorting and selecting according to weight; each test case is then converted into an HTTP request and executed; a vulnerability detection rule base is built for known attacks; and finally the test results are analysed and summarised into the potential security vulnerabilities of the Web application. We implemented the patented method and performed dynamic security vulnerability detection on 55 forms picked at random from several websites in the education network: 96786 full-combination test cases were generated in total, and the greedy method selected 3387 of them to form the 55 test suites actually executed. The final experimental results are shown in the following table:
Test cases that found an XSS vulnerability | 364 |
Forms in which an XSS vulnerability was found | 15 |
Test cases that found a SQLI vulnerability | 108 |
Forms in which a SQLI vulnerability was found | 8 |
Forms with an XSS vulnerability confirmed by manual verification | 15 |
Forms with a SQLI vulnerability confirmed by manual verification | 7 |
The experimental results show that the method of the invention detects the potential security vulnerabilities of Web applications accurately and effectively: more than 10% of the test cases found a security vulnerability, and of the 22 forms found to have security vulnerabilities only 1 proved to be a false positive, giving an accuracy above 95%.
Claims (7)
1. A form-feature-based dynamic testing method for Web application security vulnerabilities, characterized in that it comprises the following steps:
1) Web form feature collection: the features of the Web application's pages under test, their forms and their form fields are extracted automatically, and the following data are collected and saved: Web page features, namely the Status-Line, the headers (containing the Cookie) and the HTML message body containing the form; form features, comprising the action (action), method (method) and data format (enctype); and form field features, comprising the type (type), name (name) and initial value (initial_value);
2) test case set generation: with the form as the test unit, each form field of each form is given a group of specific security vulnerability test candidate values, and the full combination of the form fields' candidate values preliminarily generates the full-combination test case set of the form; then, according to the harmfulness of the security vulnerabilities, a weight representing its vulnerability detection ability is calculated for each test case, a larger weight meaning a stronger detection ability; finally, the maximum-weight selection method selects test cases one by one to generate a test case set of the given size;
3) test case set execution: a series of HTTP requests is generated for each form from its test case set, each HTTP request corresponding to one test case, the value of each form field of the form being supplied by the corresponding test case; the HTTP requests are submitted to the Web server one by one and the HTTP responses are collected as the execution result of the form under this test case set;
4) potential security vulnerability detection: with the form as the unit, the execution result of each test case is analysed for potential security vulnerabilities; the detection result of the single form is obtained first, and the results are then aggregated to generate the security vulnerability test report of the Web application.
2. The form-feature-based dynamic testing method for Web application security vulnerabilities according to claim 1, characterized in that the process in step 2) of giving each form field of each form a group of specific security vulnerability test candidate values is: first a Web application security vulnerability assignment rule base R_s is built, and the automatic assignment of each form field is completed through the rule base R_s; the rule schema in R_s is as follows:
Rule ≡ <constraint, test_target, value>, where constraint is a constraint condition, expressed as a regular expression, which determines whether a form field may use this rule; test_target is the security vulnerability or attack type targeted; and value is the test value, satisfying the constraint, for a vulnerability of type test_target.
3. The form-feature-based dynamic testing method for Web application security vulnerabilities according to claim 2, characterized in that the process in step 2) of calculating, for each test case, a weight representing its vulnerability detection ability is: each vulnerability type (test_target) of the rules in the rule base R_s is given a weight w (0 < w ≤ 1) according to the degree to which it threatens Web application security; the vulnerability types corresponding to test_target in R_s include the XSS, SQLI and NORMAL types, whose security threat degree is ordered from largest to smallest as SQLI > XSS > NORMAL, the more threatening vulnerability being given the larger weight; then, according to the weight of each security vulnerability type (test_target), a weight W(t_s) is calculated for each test case t_s in the candidate test case set, where t_s = <v_1, v_2, ..., v_n> and v_i denotes the value of the i-th form field f_i of test case t_s; the formula for calculating the test case weight is as follows:
where D(v_i) denotes the weight that form field f_i contributes to test case t_s when its value is v_i, calculated by the following formula:
4. The form-feature-based dynamic testing method for Web application security vulnerabilities according to claim 3, characterized in that the process in step 2) of generating the test case set by the maximum-weight selection method is: given a form F = <f_1, f_2, ..., f_n> with n form fields, each form field f_i is given an assignment set containing k_i > 0 candidate test values;
adopting the full combination method produces a candidate test case set of the following size:
further, the greedy method is adopted: the test case with the maximum weight is chosen each time, until the test case set reaches the given size or no test case remains to be chosen, which constructs the test case set used for execution.
5. The form-feature-based dynamic testing method for Web application security vulnerabilities according to claim 1, 2, 3 or 4, characterized in that the test case set execution process of step 3) is: for the form under test and the Web page on which it is located, an HTTP request Req is created and initialised for each test case, Req being initialised with the information of the Web page and form under test and specifically comprising: the request line (Request-Line), the headers (containing the Cookie), an empty line (CRLF) and the message body; the content of Req is then filled according to the test case: let the test case be t_s = <v_1, v_2, ..., v_n>; the name of each form field f_i and the value v_i are extracted to form a name-value pair (name-value), which is processed according to the request method, i.e. GET or POST, as follows:
1) if the HTTP request method is GET, all name-value pairs of t_s are appended to the URI of the request line;
2) if the HTTP request method is POST, all name-value pairs of t_s are assigned as the POST parameters of the message body; the request Req is then submitted to the Web server as a client and the server response is awaited.
6. The form-feature-based dynamic testing method for Web application security vulnerabilities according to claim 5, characterized in that the detailed process of step 4) is: according to the Web server response code, the response result Result is extracted and analysed for potential security vulnerabilities of the form under test, and the results are then aggregated to generate the Web application security vulnerability test report, where obtaining the response result Result from the Web server response information is handled in the following cases:
1) the response code is "1xx": the HTTP request has been received and the server's further response must be awaited;
2) the response code is "2xx": the HTTP request succeeded; the HTML content of the response is collected and saved in the result Result;
3) the response code is "3xx": the requested resource is redirected and further processing by the server must be awaited; if the redirection succeeds, the HTML content of the response is collected and saved in the result Result;
4) the response code is "4xx": the client sent an erroneous request that the server refused; this can be ignored;
5) the response code is "5xx": a server error; an attempt is made to collect the error message and save it in the result Result.
If the collection fails, indicating an unknown error, a security vulnerability of unknown (UNKNOWN) type is considered to have been found.
7. The form-feature-based dynamic testing method for Web application security vulnerabilities according to claim 6, characterized in that step 4) detects potential security vulnerabilities according to a vulnerability detection rule base R_d, specifically: first a security vulnerability detection rule base R_d is built, in which the rule format is as follows: rule ≡ <vulnerability_type, regular_expression>, where vulnerability_type is the security vulnerability type and regular_expression is the regular expression used to match the response result;
in the potential security vulnerability analysis process, for each value v_i of the executed test case, v_i corresponding to form field f_i, the security vulnerability detection rule r corresponding to v_i.test_target is retrieved from the rule base R_d, i.e. r.vulnerability_type == v_i.test_target; the regular expression regular_expression of the retrieved rule r is matched against the collected server response result Result, and a successful match indicates that a potential Web application security vulnerability of type r.vulnerability_type has been found; when the test_target of every value of the test case has been checked, the inspection of the test result of this test case is complete.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010226471.6A CN101902470B (en) | 2010-07-14 | 2010-07-14 | Form feature-based Web security vulnerability dynamic testing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101902470A true CN101902470A (en) | 2010-12-01 |
CN101902470B CN101902470B (en) | 2013-08-21 |
Family
ID=43227671
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010226471.6A Expired - Fee Related CN101902470B (en) | 2010-07-14 | 2010-07-14 | Form feature-based Web security vulnerability dynamic testing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101902470B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6260065B1 (en) * | 1999-01-13 | 2001-07-10 | International Business Machines Corporation | Test engine and method for verifying conformance for server applications |
CN1791037A (en) * | 2005-12-26 | 2006-06-21 | 北京航空航天大学 | Method for realizing Web service automatic test |
CN101267357A (en) * | 2007-03-13 | 2008-09-17 | 北京启明星辰信息技术有限公司 | A SQL injection attack detection method and system |
CN101425937A (en) * | 2007-11-02 | 2009-05-06 | 北京启明星辰信息技术有限公司 | SQL injection attack detection system suitable for high speed LAN environment |
- 2010-07-14: CN CN201010226471.6A, patent CN101902470B (en), not active, Expired - Fee Related
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130821; Termination date: 20190714 |