CN102855418A - Method for discovering Web intranet agent bugs - Google Patents


Publication number
CN102855418A
Authority
CN
China
Prior art keywords
url
intranet
page
web
leak
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2012102794548A
Other languages
Chinese (zh)
Inventor
周耕辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN2012102794548A priority Critical patent/CN102855418A/en
Publication of CN102855418A publication Critical patent/CN102855418A/en
Pending legal-status Critical Current

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for discovering Web intranet proxy vulnerabilities. Web crawler technology is used to fetch the site's pages and obtain the uniform resource locators (URLs) of all pages; two rounds of filtering, based on the URL specification and on the characteristics of parameter values, then screen out the URLs that may have an intranet proxy vulnerability; a feature page (signature page) containing a Message-Digest Algorithm 5 (MD5) string is constructed inside the Web intranet; and for each filtered URL, the parameter content that originally contained a URL is replaced with the URL of the feature page and the resulting URL is requested. If the response contains the MD5 string from the feature page, the page URL has an intranet proxy vulnerability; otherwise it does not. The programmatic intranet proxy detection method overcomes the shortcomings of the manual methods, discovers intranet proxy vulnerabilities in a Web service effectively and comprehensively, and improves Web security.

Description

Method for discovering Web intranet proxy vulnerabilities
Technical field
The present invention relates to a method for discovering vulnerabilities, and in particular to a method for discovering Web intranet proxy vulnerabilities.
Background art
In general, clients use the services provided by a proxy module indirectly, through a public Web service. If the developer places no restriction on how the proxy module is used, a client can access the proxy module directly and construct suitable parameters to reach arbitrary intranet resources, so that the network isolation policy is bypassed. If this is possible, the application logic of the website contains an intranet proxy vulnerability.
At present, intranet proxy vulnerabilities are detected mainly by two kinds of techniques: manual code audit and black-box discovery.
(1) Manual code audit. Problems that may occur in the code are analysed by hand in order to find potential intranet proxy problems. Manual code audit finds vulnerabilities with high precision, but because Web applications are complex and their code is large and intricate, its recall is low.
(2) Black-box discovery. Black-box discovery is not concerned with how the code is implemented. Starting from the Web service interface, it looks for intranet resources that cannot be reached from outside, and in this way finds potential intranet proxy problems from the Web interface. For example, the following URL may have a potential intranet proxy problem:
http://test.web.org/proxy.php?proxy=internal.web.org
The URL above contains a proxy parameter whose value is the URL of another Web address, so its form alone suggests that this URL may have an intranet proxy problem. To confirm the vulnerability, the tester needs to find an internal address that really exists and cannot be reached from outside, and show that this internal address can be reached through the URL. So although black-box discovery does not require understanding complex Web service code, the process still takes a large amount of manual testing time.
In the prior art, discovering intranet proxy vulnerabilities always requires human participation. Code review requires the reviewer to be proficient in the server-side programming language and in Web logic; black-box discovery requires the tester to be familiar with how the Web works and to have extensive penetration-testing experience. Both methods are technically demanding, and because of the human factor neither can reach a high recall.
Summary of the invention
The purpose of the invention is to provide a method for discovering Web intranet proxy vulnerabilities that reduces labour cost and improves Web security.
In the method for discovering Web intranet proxy vulnerabilities provided by the invention, a Web service is deployed on an internal server that cannot be accessed from outside, and a signature page containing a constructed signature is placed in that Web service. The steps of the method are:
Step 1: use Web crawler technology to obtain the URLs of all pages of the Web site and save them;
Step 2: examine each page URL from step 1; if the page URL contains a parameter whose value conforms to the URL specification, save this URL, otherwise discard the page;
Step 3: replace the parameter value in the URL that conforms to the URL specification so that it points to the signature page;
Step 4: access the URL after replacement;
Step 5: check whether the access result contains the constructed signature; if it does, the page is considered to have an intranet proxy vulnerability; if it does not, the page URL is considered not to have an intranet proxy vulnerability.
To improve the running speed of the program, the argument section of each URL obtained in step 2 is parsed according to the URL specification, and the URLs whose parameter values satisfy the URL specification are retained; then URLs that have the same parameters but different values for this parameter are filtered so that only one of them is kept, which yields the URLs that may have an intranet vulnerability, and these are saved.
The method provided by the invention identifies intranet proxy vulnerabilities automatically by programmatic means. It replaces manual code audit, automatically detects and judges whether an intranet proxy vulnerability exists, and helps website developers and administrators find and resolve intranet proxy vulnerabilities quickly. The programmatic detection method needs no human participation: the operator only has to start the detection process, which greatly reduces the difficulty of detection. It avoids the shortcomings of the manual methods, discovers the intranet proxy vulnerabilities present in a Web service effectively and comprehensively, and improves Web security.
Description of drawings
Fig. 1 is a schematic diagram of how an intranet proxy page is rendered.
Fig. 2 is a schematic diagram of how an intranet proxy page is judged.
Fig. 3 is a flow chart of a preferred embodiment of the invention.
Embodiments
The invention uses a program to discover and judge intranet proxy vulnerabilities. In use, the operator only needs to start the detection program.
The invention takes black-box testing as its starting point and reduces the black-box testing process to two parts: URL discovery and vulnerability verification.
URL discovery is used to extract all pages from the Web application. Taking variations of URL parameters into account, a typical Web application usually contains tens of thousands to hundreds of thousands of distinct URLs. Analysing each URL independently would take a great deal of time. A filtering policy is therefore applied to the extraction results to reduce the number of URLs to analyse, so that the analysis time becomes acceptable. If the URLs are not filtered, the search for Web intranet proxy vulnerabilities can still be carried out; the program simply takes more time to run.
In black-box testing, vulnerability verification requires the tester to find an intranet page that really exists. This demands considerable testing skill and is difficult. In practice, most tests for intranet proxy vulnerabilities take place when developers or administrators assess the security of their own websites, so the test itself has access to the intranet. Starting from this fact, the invention constructs a special intranet page and uses this specially constructed page to judge whether an intranet proxy vulnerability is real.
The implementation of the invention is divided into two stages: discovery and judgement.
(1) Discovery stage
First, the invention applies Web crawler technology to crawl all links in the content of the Web pages, and thereby finds all page URLs and URL parameters that the website contains.
Because analysing every page URL involves a large amount of computation, the results need to be filtered here to reduce the difficulty of subsequent processing. Filtering is divided into two stages. The first stage extracts the pages whose URL has a parameter value that is itself another URL. RFC 2396 and RFC 2732 define the format requirements for absolute and relative URLs, so a parameter value that satisfies these requirements is treated by the program as a valid URL. Because every page URL has to pass through this filter, the format specification is described with a regular expression to guarantee execution efficiency, and matching is performed with a deterministic finite automaton. For a string of length n, a deterministic finite automaton completes the match with time complexity O(n), so processing speed is linear. Every URL that passes the first stage contains a parameter whose value satisfies the URL format; call this parameter p. In the second stage, URLs whose other parameters are identical and which differ only in the value of p are filtered so that only one of them is kept. A page with intranet proxy functionality usually serves other pages as a common component, so during crawling one finds many other pages that reference the intranet proxy page. These cases all belong to the same back-end logic and need to be analysed only once.
After crawling and filtering are complete, the page URLs that may have an intranet proxy problem have been obtained. These URLs cannot be deduplicated any further and need to be checked and analysed one by one.
(2) Judgement stage
To judge whether a page can act as an access proxy for intranet resources, the invention does not look for an intranet resource that is unreachable from outside; instead it achieves the judgement by constructing, inside the intranet, a resource that is invisible to and unreachable from the outside. The main problem that programmatic judgement faces is false positives. Consider the content rendered by an intranet proxy page, as shown in Fig. 1. Part A contains the standard HTTP header information of the intranet proxy page; parts B and D contain other content related to the implementation of the intranet proxy page; and part C contains the intranet resource that the intranet proxy page accessed. Web pages are rendered using standard HTML. HTML uses tags to describe a tree structure, called the DOM tree. Depending on how the Web logic is implemented, part C may simply contain the HTML code inside the body tag of the intranet page, may wrap the intranet page content in a div tag, or may use some other approach. Traversing the DOM can locate the position of the intranet resource within the intranet proxy page, but because Web logic is so diverse, this process is extremely complex.
The invention simplifies the DOM search into a string search. As shown in Fig. 2, first, a Web service is deployed on an internal server that cannot be accessed from outside, and a special page x is placed in that Web service. Page x contains the MD5 string of a piece of text (see the italic text in Fig. 2). Second, for each page URL that needs to be checked for an intranet proxy, the parameter content that originally contained a URL is replaced with the URL of x (see the italic text in Fig. 2). Finally, the URL after replacement is requested; if the response contains the MD5 string from page x, the page URL is considered to have an intranet proxy vulnerability. The method relies on the hashing property of MD5: encountering the same MD5 string in the pages of the Web service under test is, in terms of probability, close to impossible. Therefore, checking whether the MD5 string is present is enough to judge whether the page can perform the function of an intranet proxy.
With reference to Fig. 3, the specific implementation steps of the invention are:
Step 1, crawl the target pages:
(1) obtain the HTML content of the home page of the target Web site;
(2) analyse the HTML content and extract the link information contained in the <a> tags;
(3) fetch the pages that the links point to according to the link information, and repeat step (2) until there are no new pages;
(4) save all page URLs obtained in the steps above; denote each URL as $u_i$ (where $i$ is a natural number and $i = 1, \dots, M$), the total number of URLs being $M$.
Step 2, filter the target pages:
(1) for each URL $u_i$ obtained in step 1, parse its argument section according to the URL specification; let $P_i$ be the parameter set of $u_i$, where each element $p$ of $P_i$ is the key (KEY) of a parameter, and let $\mathrm{value}(p)$ be the value corresponding to that parameter;
(2) for each element $p$ of $P_i$, if $\mathrm{value}(p)$ satisfies the URL specification, that is, it is a well-formed URL, then $u_i$ may be an intranet proxy page; put $u_i$ into the set $A$, and denote the number of elements in $A$ as $M_1$;
(3) for any two URLs $u_i$ and $u_j$ in $A$ (here $i$ and $j$ are natural numbers with $i = 1, \dots, M_1$, $j = 1, \dots, M_1$ and $i \neq j$), if $P_i = P_j$, then $u_i$ and $u_j$ are considered equal. Deduplicate the elements of $A$ according to this rule; denote the set after deduplication as $A'$ and its number of elements as $M_2$.
Step 3, judge the target pages:
(1) for each URL $u_i$ in the set $A'$ ($i$ is a natural number, here $i = 1, \dots, M_2$), let the parameter $p$ be an element of $P_i$ such that $\mathrm{value}(p)$ satisfies the URL specification;
(2) construct a feature page (the signature page) in the intranet; the feature page contains an MD5 string that uniquely identifies this page. Denote the URL of the feature page as $u_{sig}$;
(3) replace the value of parameter $p$ in $u_i$ with $u_{sig}$, that is, the new value of $\mathrm{value}(p)$ is $u_{sig}$; denote $u_i$ after replacement as $u_i'$;
(4) request the page that $u_i'$ points to, and check whether the HTML content returned contains the MD5 string of $u_{sig}$. If it does, $u_i$ has an intranet proxy vulnerability. If it does not, $u_i$ does not have an intranet proxy vulnerability.
A preferred implementation of the invention is described below with reference to an embodiment.
1. Web page acquisition
In the Web page acquisition step, obtaining all pages of the Web site completely is the key to the subsequent detection work.
In this embodiment, a Web crawler is used to acquire the Web pages. A Web crawler is a page-fetching technique: it accesses the target site by simulating HTTP requests, parses the returned HTML pages, finds the link relationships in them, and so recursively finds all pages of the Web site.
The acquisition process starts from the home page $u_i$ of the Web site. Define the set $U_{new}$ as the set of URLs not yet visited and $U_{visited}$ as the set of URLs already visited; initially $u_i \in U_{new}$. The acquisition process is:
(1) take an element $u_i$ out of $U_{new}$ and put $u_i$ into $U_{visited}$.
(2) construct the HTTP request packet for accessing $u_i$.
(3) access the page that $u_i$ points to and obtain the HTML content returned.
(4) analyse the <a> tags in the HTML content and take out the href attribute of each <a> tag. The href attribute is the URL of another page, denoted $u$. If $u$ does not belong to $U_{visited}$, put $u$ into $U_{new}$.
(5) if $U_{new}$ is not empty, go back to step (1).
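The acquisition loop above, written out as an added example (it is not code from the patent). The in-memory `SITE` pages, the `site_fetch` stand-in for the HTTP request, the same-host restriction and the `max_pages` bound are assumptions made so that the example runs offline.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collects the href attribute of every <a> tag, as in step (4)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_links(base_url, html):
    """Resolve each href against the page URL and keep only http(s) links."""
    parser = LinkExtractor()
    parser.feed(html)
    links = []
    for href in parser.hrefs:
        absolute, _fragment = urldefrag(urljoin(base_url, href))
        if urlsplit(absolute).scheme in ("http", "https"):
            links.append(absolute)
    return links


def crawl(home, fetch, max_pages=1000):
    """Worklist crawl: u_new holds unvisited URLs, u_visited the visited ones."""
    host = urlsplit(home).netloc
    u_new, u_visited = deque([home]), []
    # 'seen' covers both sets, so a URL that is already queued is not queued twice.
    seen = {home}
    while u_new and len(u_visited) < max_pages:   # step (5)
        u = u_new.popleft()                       # step (1)
        u_visited.append(u)
        html = fetch(u)                           # steps (2) and (3)
        for link in extract_links(u, html):       # step (4)
            # Assumption: only links on the home page's host belong to the site.
            if link not in seen and urlsplit(link).netloc == host:
                seen.add(link)
                u_new.append(link)
    return u_visited


# Constructed sample site (not real pages), keyed by URL.
HOME = "http://www.example.com/"
SITE = {
    HOME: '<a href="/test.php?id=1&amp;module=internal.com/login.php">in</a>'
          '<a href="about.html#top">about</a>',
    "http://www.example.com/about.html":
          '<a href="/">home</a><a href="http://other.example.net/">ext</a>'
          '<a href="mailto:admin@example.com">mail</a>'
          '<a href="/test.php?name=proxy">p</a>',
}


def site_fetch(url):
    """Offline stand-in for the HTTP request; unknown URLs return an empty page."""
    return SITE.get(url, "")


if __name__ == "__main__":
    for page_url in crawl(HOME, site_fetch):
        print(page_url)
```
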
2. URL page filtering
The URL specification stipulates that a URL consists of a protocol, host name, port number, path and parameters. The argument section is where a Web intranet proxy vulnerability may lie. In a URL, the argument section begins with "?", each parameter has the form "parameter=value", and multiple parameters are joined with "&". The number of parameters and their values are decided by the author of the Web application, so a Web site usually has a large number of page and parameter combinations.
We do not need to check every page of the Web site, only the URLs that satisfy the vulnerability condition. The defining feature of a Web intranet proxy is that Web intranet resources can be reached through a URL. Therefore, a URL that may have a Web intranet proxy vulnerability necessarily contains, in its argument section, a URL address that the user can control. For example, suppose we crawl the following three URLs from the Web site.
(1) http://www.example.com/test.php?id=1&module=internal.com/login.php
(2) http://www.example.com/test.php?id=2&module=internal.com/logout.php
(3) http://www.example.com/test.php?name=proxy
In URLs (1) and (2), the module parameter contains a URL that points to another address, so they may have an intranet proxy vulnerability. URLs (1) and (2) point to the same page and contain the same two parameters, id and module; only the parameter values differ: id=1 and id=2, module=internal.com/login and module=internal.com/logout. This shows that URLs (1) and (2) correspond to the same Web logic, so in practice we only need to take one of them for subsequent processing.
Denote the URL set obtained in step 1 as $U$. First, each $u$ in $U$ is put through the first filter, as follows.
(I) analyse $u$ with regular expressions and extract all parameters and their corresponding values.
(II) check whether the value corresponding to a parameter has the form of a URL. If no such parameter exists, discard $u$. If one exists, put $u$ into the set $U_{filtered}$.
Next, the second filter is applied to each element $u$ of $U_{filtered}$. First, $u$ is analysed with regular expressions to extract all parameters, and the page that $u$ points to together with all of its parameters is taken as the signature of $u$. If the signatures of two URLs are equal, only one of them is kept for subsequent analysis. The signatures of URLs (1) and (2) in the example above are:
The signature of http://www.example.com/test.php?id=1&module=internal.com/login.php is </test.php, id, module>.
The signature of http://www.example.com/test.php?id=2&module=internal.com/logout.php is </test.php, id, module>.
It follows that only one of the two URLs above needs to be kept for subsequent processing.
3. Vulnerable page judgement
First, a signature page is placed on a Web server in the internal network, with the following content:
<html><body>
6f5902ac237024bdd0c176cb93063dc4
</body></html>
The signature page must be placed so that users cannot reach it from outside, while it can be accessed normally from the internal network. Suppose the address of the signature page is as follows.
http://192.168.1.10/sig.html
Each URL that passed the filtering of step 2 can be written in the following form:
http://www.example.com/test.php?param1=value1&param=url&...
Here "param=url" denotes a parameter whose value is a URL pointing to another page. The content after the equals sign in "param=url" is replaced with the URL of the signature page; the form after replacement is as follows:
http://www.example.com/test.php?param1=value1&param=http://192.168.1.10/sig.html
Taking the URL after replacement as the target page, construct an HTTP request packet and access the URL above. Check the HTML content returned: if it contains the string "6f5902ac237024bdd0c176cb93063dc4", any intranet resource can be accessed through this URL, and the URL is therefore judged to have a Web intranet proxy vulnerability.
The embodiment above gives an example of a Web intranet proxy vulnerability. The following is an example of a URL that meets the Web intranet proxy vulnerability condition but does not contain an intranet proxy vulnerability.
Suppose the Web site contains the following PHP page, whose URL is:
http://www.example.com/safe.php?proxy=http://192.168.1.10/login.php
<?php
// Only the two allow-listed intranet pages may be fetched through the proxy parameter.
$proxy = $_GET['proxy'] ?? '';
if ($proxy === 'http://192.168.1.10/login.php')
    echo file_get_contents($proxy);
else if ($proxy === 'http://192.168.1.10/logout.php')
    echo file_get_contents($proxy);
?>
The code above accesses intranet resources, but it restricts which ones: only two pages may be accessed:
http://192.168.1.10/login.php and http://192.168.1.10/logout.php
Following the Web intranet proxy judgement steps, the program first crawls the page:
http://www.example.com/safe.php?proxy=http://192.168.1.10/login.php
Because the page URL contains the parameter proxy, and the value of proxy is a URL pointing to another link, it satisfies the condition for the subsequent judgement.
Replace http://www.example.com/safe.php?proxy=http://192.168.1.10/login.php with the following form.
http://www.example.com/test.php?proxy=http://192.168.1.10/sig.html
Access the page above and check the HTML page returned. Because the Web code restricts which intranet resources can be accessed, the request above returns an empty page. Since the signature string cannot be found in the returned page content, this page is judged not to contain an intranet proxy vulnerability.
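The two-stage filter of section 2 and the judgement of section 3, including the allow-listed counter-example, as one added example (not code from the patent). The `URL_VALUE` pattern is a simplified stand-in for the RFC grammar, the `fetch` callable and the in-memory `fake_fetch` site are assumptions so that it runs offline, and the signature key also includes the host, which the patent's signature does not.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Marker string and signature-page address are the ones quoted in the description.
MARKER = "6f5902ac237024bdd0c176cb93063dc4"
SIG_URL = "http://192.168.1.10/sig.html"

# Assumption: simplified URL test (optional http(s) scheme, dotted host or IPv4,
# optional port and path). Python's re backtracks rather than running a DFA, but
# this pattern is unambiguous and over-inclusive, which suits a candidate filter.
URL_VALUE = re.compile(
    r"(?:https?://)?"
    r"(?:(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::\d+)?(?:/\S*)?"
)


def query_pairs(url):
    """Parse the argument section into (parameter, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def signature(url):
    """Second-filter key: page plus parameter names, e.g. </test.php, id, module>."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in query_pairs(url)}))
    return (parts.netloc.lower(), parts.path, names)


def filter_candidates(urls):
    """First filter keeps URLs with a URL-valued parameter; second keeps one per signature."""
    kept = {}
    for u in urls:
        if any(URL_VALUE.fullmatch(v) for _, v in query_pairs(u)):
            kept.setdefault(signature(u), u)
    return list(kept.values())


def probe_urls(url, sig_url=SIG_URL):
    """Replace each URL-valued parameter in turn with the signature-page address."""
    parts, pairs, probes = urlsplit(url), query_pairs(url), []
    for i, (name, value) in enumerate(pairs):
        if URL_VALUE.fullmatch(value):
            swapped = pairs[:i] + [(name, sig_url)] + pairs[i + 1:]
            # safe=":/" keeps the probe in the same readable form the page shows.
            query = urlencode(swapped, safe=":/")
            probes.append(urlunsplit(parts._replace(query=query)))
    return probes


def scan(urls, fetch, marker=MARKER):
    """Map each candidate URL to True when a probe response contains the marker."""
    return {u: any(marker in fetch(p) for p in probe_urls(u))
            for u in filter_candidates(urls)}


# --- Constructed offline stand-ins for the site under test (not real services) ---
INTRANET = {SIG_URL: "<html><body>\n" + MARKER + "\n</body></html>",
            "http://192.168.1.10/login.php": "<html><body>login</body></html>"}
ALLOWED = {"http://192.168.1.10/login.php", "http://192.168.1.10/logout.php"}


def fake_fetch(url):
    """test.php forwards any target; safe.php forwards only allow-listed targets."""
    parts, params = urlsplit(url), dict(parse_qsl(urlsplit(url).query))
    if parts.path == "/test.php":
        return INTRANET.get(params.get("module", ""), "")
    if parts.path == "/safe.php":
        target = params.get("proxy", "")
        return INTRANET.get(target, "") if target in ALLOWED else ""
    return ""


CRAWLED = [  # the three URLs from section 2 plus the safe.php URL
    "http://www.example.com/test.php?id=1&module=internal.com/login.php",
    "http://www.example.com/test.php?id=2&module=internal.com/logout.php",
    "http://www.example.com/test.php?name=proxy",
    "http://www.example.com/safe.php?proxy=http://192.168.1.10/login.php",
]

if __name__ == "__main__":
    for page_url, vulnerable in scan(CRAWLED, fake_fetch).items():
        print("VULNERABLE" if vulnerable else "not vulnerable", page_url)
```

Because the marker is only reachable from inside the network, a hit shows that the server itself fetched the signature page; the allow-listed handler returns an empty body for the probe and is reported as not vulnerable.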
The above describes the basic method for programmatic detection of intranet proxy vulnerabilities. A software implementation that applies this method to intranet proxy vulnerability detection constitutes an automatic intranet proxy detection system. The system is deployed in the internal network and comprises a Web crawler module, a filtering module, a judgement module and a proxy resource module. The Web crawler module fetches Web content using crawler technology; the filtering module performs the two rounds of filtering based on URL features; the judgement module identifies whether an intranet proxy problem exists based on the MD5 feature; and the proxy resource module provides an intranet page that contains the MD5 feature and cannot be accessed from outside. Together, these four modules implement the complete programmatic intranet proxy detection function.

Claims (2)

1. A method for discovering Web intranet proxy vulnerabilities, characterized in that a Web service is deployed on an internal server that cannot be accessed from outside, and a signature page containing a constructed signature is placed in that Web service, the steps of the method comprising:
Step 1: use Web crawler technology to obtain the URLs of all pages of the Web site and save them;
Step 2: examine each page URL from step 1; if the page URL contains a parameter whose value conforms to the URL specification, save this URL, otherwise discard the page;
Step 3: replace the parameter value in the URL that conforms to the URL specification so that it points to the signature page;
Step 4: access the URL after replacement;
Step 5: check whether the access result contains the constructed signature; if it does, the page is considered to have an intranet proxy vulnerability; if it does not, the page URL is considered not to have an intranet proxy vulnerability.
2. The method for discovering Web intranet proxy vulnerabilities according to claim 1, characterized in that the argument section of each URL obtained in step 2 is parsed according to the URL specification, and the URLs whose parameter values satisfy the URL specification are retained; then URLs that have the same parameters but different values for this parameter are filtered so that only one of them is kept, which yields the URLs that may have an intranet vulnerability, and these are saved.
CN2012102794548A 2012-08-08 2012-08-08 Method for discovering Web intranet agent bugs Pending CN102855418A (en)


Publications (1)

Publication Number Publication Date
CN102855418A true CN102855418A (en) 2013-01-02

Family

ID=47402001


Country Status (1)

Country Link
CN (1) CN102855418A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130102