Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a website security detection system that overcomes, or at least partially addresses, the problems described above.
According to the present invention, a website security detection system is provided. It comprises a website security detection device, one or more website servers and a web crawler device, wherein:
the website security detection device is adapted to receive network addresses from the web crawler device, to construct detection network addresses associated with those network addresses, and to access the websites using the detection network addresses, thereby judging whether a vulnerability exists at each network address;
the one or more website servers are adapted to return results to the website security detection device in response to its access to the websites; and
the web crawler device is adapted to crawl website network addresses from the one or more website servers and to send those network addresses to the website security detection device.
Optionally, the website security detection device comprises a network interface adapted to receive network addresses, access websites using the received network addresses, and obtain the results returned by those websites.
The website security detection device also comprises a network address constructor adapted to obtain a website's network address from the network interface, construct from it a first detection network address associated with that website, construct a second detection network address corresponding to the first detection network address based on the first detection network address, and send the first and second detection network addresses to the network interface.
In addition, the website security detection device comprises a vulnerability detector adapted to receive from the network interface a first returned result corresponding to the first detection network address, detect whether the website has a vulnerability based on the first returned result, and, where the detection result indicates that the website has a vulnerability, obtain from the network interface a second returned result corresponding to the second detection network address and verify based on the second returned result whether the website actually has the vulnerability.
Optionally, the website security detection device according to an embodiment of the invention may also comprise a memory adapted to store a vulnerability database, in which are recorded the construction rules used by the network address constructor to construct the first detection network address and the predefined vulnerability judgment rules.
The invention provides the website security detection system described above. According to embodiments of the invention, whether a website has a vulnerability can be detected based on the result returned when the website is accessed with the first detection network address, and the authenticity of that vulnerability can then be verified based on the result returned when the website is accessed with the second detection network address corresponding to the first. In this way, the high false positive rate that is common in vulnerability detection is addressed: the false positive rate is greatly reduced, the quality and efficiency of vulnerability detection are improved, vulnerabilities are found earlier, and information security is maintained.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope can be conveyed completely to those skilled in the art.
Fig. 1 schematically illustrates a flow chart of a website security detection method 100 according to an embodiment of the invention. As shown in Fig. 1, the method 100 according to an embodiment of the invention starts at step S102, in which a first detection network address associated with a website is constructed from the network address of that website.
According to embodiments of the invention, the network address may for example be a URL (Uniform Resource Locator). A URL is used as the example below, but the network address is not limited to a URL and may be any way of identifying the address of a website.
According to an embodiment of the invention, step S101 may be performed before step S102: crawling network addresses from websites. Optionally, step S101 may be performed by a web crawler, that is, the web crawler crawls network addresses from the website server on which the website is hosted.
Next, in step S102, the first detection network address associated with the website is constructed from the crawled network address. According to embodiments of the invention, a character string determined by the vulnerability type to be tested or by a predefined vulnerability judgment rule can be added to the website's network address to construct the first detection network address. For instance, suppose the website URL crawled by the web crawler is http://xxx.com (where "x" may be any letter or digit); if the vulnerability type to be tested is a sensitive directory, the first detection network address may be constructed as http://xxx.com/admin/. Suppose the crawled website URL is http://webscan.xxx.com/app/; if the vulnerability type to be tested is a backup directory, the first detection network address may be constructed as http://webscan.xxx.com/app.bak. Suppose the web crawler crawled the file http://webscan.xxx.com/b.asp; if the vulnerability type to be tested is a backup file, the first detection network address may be constructed as http://webscan.xxx.com/b.asp.tar.gz. If the predefined vulnerability judgment rule is an XSS (Cross-Site Scripting) rule, the character string "<script>alert(42873)</script>" may be appended to the crawled URL; in this case, if the crawled URL is http://aaa.com/a.asp?a=1, the constructed first detection network address is http://aaa.com/a.asp?a=1<script>alert(42873)</script>. Those skilled in the art will readily understand that the above ways of constructing the first detection network address are only examples and that the scope of the invention is not limited to them; other ways of constructing the first detection network address may also be adopted, for example using an SQL (Structured Query Language) injection rule as the predefined vulnerability judgment rule to determine the character string to be added.
Then, in step S104, the website is accessed using the first detection network address, and whether the website has a vulnerability is detected based on the result returned by the website. According to embodiments of the invention, it can be judged whether the returned result of the website meets the predefined vulnerability judgment rule, and if it does, the website is indicated as having the vulnerability. The returned result may comprise one or more of the status code, the page content and the page header information. Continuing with the XSS rule as the example, suppose the website is accessed using the first detection network address http://aaa.com/a.asp?a=1<script>alert(42873)</script>; if the returned page content contains the character string "<script>alert(42873)</script>", the returned result is considered to meet the XSS rule and the website is indicated as having the vulnerability. Similarly, if an SQL injection rule is adopted as the predefined vulnerability judgment rule, it can be judged whether the returned result meets the SQL injection rule, and if it does, the website is indicated as having the vulnerability. As a further example, when the website is accessed using the first detection network address http://xxx.com/admin/ to detect a sensitive directory vulnerability, if the returned status code is 200 (OK) and the page content is longer than 10 characters, the website may be indicated as having the vulnerability.
Next, in step S106, where the detection result indicates that the website has a vulnerability, a second detection network address corresponding to the first detection network address is constructed based on the first detection network address. According to embodiments of the invention, a verification character string may be inserted into the first detection network address to construct the second detection network address. Optionally, the length of the verification character string is greater than one character.
Taking the first detection network addresses above, http://xxx.com/admin/, http://webscan.xxx.com/app.bak, http://webscan.xxx.com/b.asp.tar.gz and http://aaa.com/a.asp?a=1<script>alert(42873)</script>, as examples, the second detection network addresses constructed may be, respectively, http://xxx.com/adminXXXXX/, http://webscan.xxx.com/appXXXXXX.bak, http://webscan.xxx.com/bXXXX.asp.tar.gz and http://aaa.com/aXXXXXX.asp?a=1<script>alert(42873)</script>, where "X" may be any character.
Subsequently, in step S108, the website is accessed using the second detection network address, and whether the website actually has the vulnerability is verified based on the result returned by the website.
Fig. 2 schematically illustrates a flow chart of step S108 of the website security detection method according to an embodiment of the invention. As shown in Fig. 2, in this embodiment the step of verifying whether the website has the vulnerability may comprise sub-steps S108a, S108b and S108c.
First, in sub-step S108a, it is judged whether the returned result of the website meets the predefined vulnerability judgment rule. Taking the XSS rule and the second detection network address http://aaa.com/aXXXXXX.asp?a=1<script>alert(42873)</script> above as the example, the website is accessed using this second detection network address; if the returned page content contains the character string "<script>alert(42873)</script>", the returned result is considered to meet the XSS rule, and if the returned page content does not contain that string, the returned result is considered not to meet the XSS rule. In sub-step S108b, if the returned result does not meet the vulnerability judgment rule, it can be determined that the website has the vulnerability. In sub-step S108c, if the returned result meets the vulnerability judgment rule, it can be determined that the website does not have the vulnerability. That is, the server hosting the website should return different results for the access with the first detection network address and for the access with the second detection network address, into which an arbitrary string has been inserted; if the two results are the same, the detection may be a false positive.
In sub-steps S108b and S108c above, if the result returned when the website is accessed with the second detection network address is consistent with the result returned when it is accessed with the first detection network address, for example both meet the XSS rule, it can be determined that the website does not have the vulnerability: the vulnerability indicated by the earlier detection based on the result of accessing the website with the first detection network address is a false positive and need not be reported. If the result returned for the second detection network address is inconsistent with the result returned for the first, for example it does not meet the XSS rule, it can be determined that the website has the vulnerability, and the vulnerability is reported.
Fig. 3 schematically illustrates a flow chart of step S108 of the website security detection method according to another embodiment of the invention. As shown in Fig. 3, in this embodiment step S108 may comprise sub-steps S108a', S108b', S108c' and S108d'.
First, in sub-step S108a', the website is accessed repeatedly using the second detection network address, and a plurality of returned results are obtained. Next, in sub-step S108b', it is judged whether the plurality of returned results meet the predefined vulnerability judgment rule. Then, in sub-steps S108c' and S108d', if the proportion of the plurality of returned results that meet the vulnerability judgment rule is greater than or equal to a predefined threshold, it is determined that the website does not have the vulnerability, and if that proportion is less than the predefined threshold, it is determined that the website has the vulnerability. The predefined threshold may for example be 0.5, but is not limited to this value and may be chosen according to actual needs. With a threshold of 0.5, if the returned results that meet the vulnerability judgment rule are at least as many as those that do not, it is determined that the website does not have the vulnerability: the vulnerability indicated by the earlier detection based on the result of accessing the website with the first detection network address is a false positive and need not be reported. Otherwise, if the returned results that meet the vulnerability judgment rule are fewer than those that do not, it can be determined that the website has the vulnerability, and the vulnerability is reported.
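Steps S102 to S108 above, worked through in Python as an added example; this code is not part of the patent and is not the applicant's implementation. It assumes the first detection network addresses are built exactly as in the examples of step S102, applies the sensitive-directory rule (status code 200 and more than 10 characters of content) to the backup checks as well, which the specification does not state, and uses a fixed verification string "XXXXX" in place of random characters so the result is reproducible. Two constructed stand-in servers replace live websites: a catch-all server that answers every path with 200 and echoes the query string, which is exactly the false-positive case the second detection network address is designed to expose, and a strict server with one real /admin/ directory and one reflecting page. The scan function covers both Fig. 2 (a single verification access, repeat=1) and Fig. 3 (repeated accesses compared against a threshold).

```python
from urllib.parse import urlsplit, urlunsplit

# Probe string from the XSS rule described in the specification.
XSS_PROBE = "<script>alert(42873)</script>"


def build_first_detection_url(url, vuln_type):
    """Step S102: append the string chosen by the vulnerability type to the crawled URL."""
    if vuln_type == "sensitive_directory":
        return url.rstrip("/") + "/admin/"
    if vuln_type == "backup_directory":
        return url.rstrip("/") + ".bak"
    if vuln_type == "backup_file":
        return url + ".tar.gz"
    if vuln_type == "xss":
        return url + XSS_PROBE
    raise ValueError("unknown vulnerability type: " + vuln_type)


def matches_rule(result, vuln_type):
    """Step S104 rule check; result is a (status_code, page_content) pair.

    The XSS rule and the sensitive-directory rule are the ones in the specification.
    Applying the sensitive-directory rule to the backup checks is an assumption
    made for this example."""
    status, body = result
    if vuln_type == "xss":
        return XSS_PROBE in body
    return status == 200 and len(body) > 10


def build_second_detection_url(first_url, marker="XXXXX"):
    """Step S106: insert the verification string into the name of the last path
    segment, before its extension, so /admin/ becomes /adminXXXXX/ and
    b.asp.tar.gz becomes bXXXXX.asp.tar.gz. The specification allows any
    characters; a fixed marker is used here so the output is reproducible."""
    parts = urlsplit(first_url)
    trailing_slash = parts.path.endswith("/")
    stripped = parts.path.rstrip("/")
    if not stripped:
        raise ValueError("first detection URL has no path segment to modify")
    head, _, last = stripped.rpartition("/")
    name, dot, suffix = last.partition(".")
    new_path = head + "/" + name + marker + dot + suffix
    if trailing_slash:
        new_path += "/"
    return urlunsplit(parts._replace(path=new_path))


def scan(fetch, url, vuln_type, repeat=1, threshold=0.5, marker="XXXXX"):
    """Steps S102 to S108; fetch(url) returns (status_code, page_content).

    repeat=1 is the single-access verification of Fig. 2; repeat > 1 with a
    threshold is the proportion-based verification of Fig. 3."""
    first_url = build_first_detection_url(url, vuln_type)
    if not matches_rule(fetch(first_url), vuln_type):
        return "no_finding"
    second_url = build_second_detection_url(first_url, marker)
    hits = sum(matches_rule(fetch(second_url), vuln_type) for _ in range(repeat))
    if hits / repeat >= threshold:
        return "false_positive"  # verification address answered the same way: S108c / S108c'
    return "confirmed"           # verification address answered differently: S108b / S108d'


# Constructed stand-ins for website servers so the example runs offline.
def make_catch_all_site():
    """Answers 200 with a welcome page to every path and echoes the query string."""
    def fetch(url):
        parts = urlsplit(url)
        return (200, "<html>Welcome! You asked for " + parts.query + "</html>")
    return fetch


def make_strict_site():
    """Has a real /admin/ directory and one page that reflects its query string;
    every other path is 404."""
    def fetch(url):
        parts = urlsplit(url)
        if parts.path == "/admin/":
            return (200, "<html>Admin panel login form</html>")
        if parts.path == "/a.asp":
            return (200, "<html>value: " + parts.query + "</html>")
        return (404, "Not Found")
    return fetch


if __name__ == "__main__":
    for label, site in (("catch-all site", make_catch_all_site()),
                        ("strict site", make_strict_site())):
        print(label, "sensitive directory:", scan(site, "http://xxx.com", "sensitive_directory"))
        print(label, "XSS:", scan(site, "http://aaa.com/a.asp?a=1", "xss", repeat=5))
```

On the catch-all site both the first and the second detection network address produce a result that meets the rule, so the finding is classified as a false positive; on the strict site the modified address gets a 404 and the finding is confirmed. The same comparison is what makes the threshold variant of Fig. 3 robust against a server that answers inconsistently from one request to the next.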
The invention provides the website security detection method described above. According to embodiments of the invention, whether a website has a vulnerability can be detected based on the result returned when the website is accessed with the first detection network address, and the authenticity of that vulnerability can then be verified based on the result returned when the website is accessed with the second detection network address corresponding to the first. In this way, the high false positive rate that is common in vulnerability detection is addressed: the false positive rate is greatly reduced, the quality and efficiency of vulnerability detection are improved, vulnerabilities are found earlier, and information security is maintained.
Corresponding to the method 100 above, the invention also provides a website security detection device 200. Fig. 4 schematically illustrates a block diagram of the website security detection device according to an embodiment of the invention. Referring to Fig. 4, the website security detection device 200 mainly comprises a network interface 201, a network address constructor 203 and a vulnerability detector 205.
According to embodiments of the invention, the network interface 201 is adapted to receive network addresses, access websites using the received network addresses and obtain the results returned by the websites. The network address constructor 203 is adapted to obtain a website's network address from the network interface 201, construct from it a first detection network address associated with the website, construct a second detection network address corresponding to the first detection network address based on the first detection network address, and send the first and second detection network addresses to the network interface 201. The vulnerability detector 205 is adapted to receive from the network interface 201 a first returned result corresponding to the first detection network address, detect whether the website has a vulnerability based on the first returned result, and, where the detection result indicates that the website has a vulnerability, obtain from the network interface 201 a second returned result corresponding to the second detection network address and verify based on the second returned result whether the website has the vulnerability. According to embodiments of the invention, the first and second returned results obtained by accessing the website comprise one or more of the status code, the page content and the page header information. The network interface 201, the network address constructor 203 and the vulnerability detector 205 described above may be used to perform steps S102, S104, S106 and S108 of the method 100.
According to embodiments of the invention, the website security detection device 200 may also comprise a memory 207 adapted to store a vulnerability database, in which are recorded the construction rules used by the network address constructor to construct the first detection network address and the predefined vulnerability judgment rules (such as XSS and SQL injection rules).
According to embodiments of the invention, the network address constructor 203 may add to the website's network address a character string determined by the vulnerability type to be tested or by a predefined vulnerability judgment rule, to construct the first detection network address.
Continuing with the examples from the description of the method 100 above, the first detection network addresses corresponding to the websites http://xxx.com, http://webscan.xxx.com/app/, http://webscan.xxx.com/b.asp and http://aaa.com/a.asp?a=1 may be, respectively, http://xxx.com/admin/, http://webscan.xxx.com/app.bak, http://webscan.xxx.com/b.asp.tar.gz and http://aaa.com/a.asp?a=1<script>alert(42873)</script>.
As described above, the vulnerability detector 205 receives from the network interface 201 the first returned result corresponding to the first detection network address and detects whether the website has a vulnerability based on the first returned result. Specifically, the vulnerability detector 205 judges whether the first returned result of the website meets the predefined vulnerability judgment rule, and if it does, indicates that the website has the vulnerability.
Continuing with the XSS rule as the example, suppose the website is accessed using the first detection network address http://aaa.com/a.asp?a=1<script>alert(42873)</script>; if the returned page content contains the character string "<script>alert(42873)</script>", the first returned result is considered to meet the XSS rule and the website is indicated as having the vulnerability. As a further example, when the website is accessed using the first detection network address http://xxx.com/admin/ to detect a sensitive directory vulnerability, if the returned status code is 200 (OK) and the page content is longer than 10 characters, the website may be indicated as having the vulnerability.
According to embodiments of the invention, the network address constructor 203 may insert a verification character string into the first detection network address to construct the second detection network address. Taking the first detection network addresses above, http://xxx.com/admin/, http://webscan.xxx.com/app.bak, http://webscan.xxx.com/b.asp.tar.gz and http://aaa.com/a.asp?a=1<script>alert(42873)</script>, as examples, the second detection network addresses constructed may be, respectively, http://xxx.com/adminXXXXX/, http://webscan.xxx.com/appXXXXXX.bak, http://webscan.xxx.com/bXXXX.asp.tar.gz and http://aaa.com/aXXXXXX.asp?a=1<script>alert(42873)</script>, where "X" may be any character.
According to an embodiment of the invention, the vulnerability detector 205 judges whether the second returned result of the website meets the predefined vulnerability judgment rule; where the second returned result does not meet the predefined vulnerability judgment rule, it determines that the website has the vulnerability, and where the second returned result meets the predefined vulnerability judgment rule, it determines that the website does not have the vulnerability. If the second returned result is consistent with the first returned result, for example both meet the XSS rule, it can be determined that the website does not have the vulnerability: the vulnerability indicated by the earlier detection performed by the vulnerability detector 205 based on the first returned result is a false positive and need not be reported. If the second returned result is inconsistent with the first returned result, for example it does not meet the XSS rule, the vulnerability detector 205 can determine that the website has the vulnerability, and reports the vulnerability.
According to another embodiment of the invention, the vulnerability detector 205 accesses the website repeatedly using the second detection network address and obtains a plurality of second returned results; judges whether the plurality of second returned results meet the predefined vulnerability judgment rule; where the proportion of the plurality of second returned results that meet the predefined vulnerability judgment rule is greater than or equal to a predefined threshold, determines that the website does not have the vulnerability; and where that proportion is less than the predefined threshold, determines that the website has the vulnerability. The predefined threshold may for example be 0.5, but is not limited to this value and may be chosen according to actual needs. With a threshold of 0.5, if the second returned results that meet the vulnerability judgment rule are at least as many as those that do not, it is determined that the website does not have the vulnerability: the vulnerability indicated by the earlier detection based on the first returned result is a false positive and need not be reported. Otherwise, if the second returned results that meet the vulnerability judgment rule are fewer than those that do not, it can be determined that the website has the vulnerability, and the vulnerability is reported.
Since each of the above device embodiments corresponds to the method embodiments described earlier, the device embodiments are not described again in detail.
According to another aspect of the invention, a website security detection system 1000 is also provided. Fig. 5 schematically illustrates a block diagram of the website security detection system 1000 according to an embodiment of the invention. Referring to Fig. 5, the website security detection system 1000 may comprise a website security detection device 200, adapted to receive network addresses from a web crawler device 400, construct detection network addresses associated with those network addresses and access the websites using them, thereby judging whether a vulnerability exists at each network address; one or more website servers 300-1, ..., 300-n, adapted to return results to the website security detection device 200 in response to its access to the websites; and the web crawler device 400, adapted to crawl website network addresses from the one or more website servers 300-1, ..., 300-n and send those network addresses to the website security detection device 200.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching here. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description above of a specific language is given in order to disclose the best mode of the invention.
In the specification provided here, a large number of details are described. It can be understood, however, that embodiments of the invention may be practiced without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to help in understanding one or more of the various inventive aspects, the various features of the invention are sometimes grouped together above in a single embodiment, figure or description thereof in the description of the exemplary embodiments of the invention. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or modules are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described here include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The device embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the modules in the device according to an embodiment of the invention. The invention may also be embodied as device programs (for example, computer programs and computer program products) for performing part or all of the method described here. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.