CN103455759B - Page vulnerability detection device and detection method - Google Patents
Abstract
The present invention relates to a page vulnerability detection device comprising: an abstract syntax tree management module for managing the abstract syntax tree of the source code of the program under test; a symbol table module for managing the symbol table information of the source code of the program under test; and a taint backtracking module for reading the abstract syntax tree from the abstract syntax tree management module, traversing the abstract syntax tree to obtain the set of all pre-configured trigger nodes, and, for each trigger node, backtracking all of its related variables according to the symbol table information; if any related variable can be changed by attacker-controllable input, the trigger node is considered to contain a vulnerability and vulnerability information is output. The page vulnerability detection device can improve vulnerability coverage and reduce the false positive rate. The present invention also provides a page vulnerability detection method.
Description
Technical field
The present invention relates to web page security technology, and more particularly to a page vulnerability detection device and detection method; specifically, it relates to a PHP page vulnerability detection device and detection method.
Background art
At present, the main method of detecting vulnerabilities in dynamic pages such as PHP pages is black-box scanning. A large number of malformed test cases are constructed, the PHP page is accessed with them, and the content of the returned page is judged. If the returned page contains particular data, the PHP page is considered unable to process the input correctly, and a vulnerability is assumed to exist.
Black-box scanning has the following shortcomings:
First, its effectiveness depends on how the test cases are constructed. If there are too few test cases, the paths covered in the PHP page source code are insufficient and there are many missed detections. If the test cases are not constructed comprehensively, path coverage is still insufficient and there are still many missed detections.
Second, the test cases may need to follow a specific pattern; for example, a PHP page may only continue processing when the input begins with the string "http". Otherwise all test cases are dropped, never reach the inner logic and have no test effect, which again results in many missed detections.
Third, black-box scanning relies on the returned page to judge the test result; if the PHP page returns nothing, detections are missed.
Fourth, black-box scanning relies on correct deployment of the PHP page. It can only test PHP pages that have been fully deployed and can be accessed normally; when only the undeployed PHP page source code is provided, black-box scanning cannot work.
Another page vulnerability scanning method is signature string matching, which searches the PHP page for dangerous functions such as eval(); if such a dangerous function is found, the PHP page is considered to have a vulnerability.
The shortcoming of signature string matching is that it produces too many false positives: if the input of a dangerous function is fixed and cannot be controlled by an attacker, using the dangerous function does not produce a vulnerability.
Summary of the invention
In view of this, it is necessary to provide a page vulnerability detection device and detection method that, compared with conventional black-box scanning and signature string matching, have a lower false positive rate and higher vulnerability coverage.
The above page vulnerability detection device is achieved through the following technical solution:
A page vulnerability detection device comprising: an abstract syntax tree management module for managing the abstract syntax tree of the source code of the program under test; a symbol table module for managing the symbol table information of the source code of the program under test; and a taint backtracking module for reading the abstract syntax tree from the abstract syntax tree management module, traversing the abstract syntax tree to obtain the set of all pre-configured trigger nodes, and, for each trigger node, backtracking all of its related variables according to the symbol table information; if any related variable can be changed by attacker-controllable input, the trigger node is considered to contain a vulnerability and vulnerability information is output.
As a further improvement of the above technical solution, the symbol table module is further used to: read the abstract syntax tree information through the abstract syntax tree management module, parse all assignment statements, obtain the symbol table information containing the information of each variable, and supply the symbol table information to the taint backtracking module.
As a further improvement of the above technical solution, the page vulnerability detection device further comprises a lexical and syntactic analysis module for reading in the source code of the program under test, converting it into an abstract syntax tree, and outputting the abstract syntax tree to the abstract syntax tree management module.
As a further improvement of the above technical solution, the page vulnerability detection device further comprises a preprocessing module for parsing the constant definition nodes and include nodes in the abstract syntax tree and writing the parsed information back into the abstract syntax tree.
As a further improvement of the above technical solution, the page vulnerability detection device further comprises a function summary module for parsing the function declaration nodes in the abstract syntax tree and then analyzing the relation between each function's return value and its parameters to obtain a function summary.
As a further improvement of the above technical solution, the taint backtracking module is further used to: when the abstract syntax tree contains an include node, the abstract syntax tree management module, the symbol table module and the taint backtracking module jump to processing the included file referenced by the include node, and return to processing the source code under test after the included file has been processed.
As a further improvement of the above technical solution, the taint backtracking module is further used to: when the abstract syntax tree contains a function declaration node, traverse the child nodes of the function declaration node to obtain the set of trigger nodes, backtrack all related variables of each trigger node according to the symbol table information, and, if any related variable can be changed by attacker-controllable input, consider the trigger node to contain a vulnerability and output vulnerability information.
As a further improvement of the above technical solution, when the function declaration node contains an include node, the abstract syntax tree management module, the symbol table module and the taint backtracking module jump to processing the included file referenced by the include node, and return to processing the function declaration node after the included file has been processed.
The above page vulnerability detection method is achieved through the following technical solution:
A page vulnerability detection method comprising: step 1, providing the abstract syntax tree and symbol table information of the source code of the program under test; step 2, traversing the abstract syntax tree to obtain the set of all trigger nodes, where a trigger node is a node in the abstract syntax tree corresponding to a sensitive operation statement; and, for each trigger node, executing step 3, extracting the set of all of its related variables according to the symbol table, and step 4, backtracking each related variable; if a related variable is found to be changeable by attacker-controllable input, a vulnerability is considered found and vulnerability information is output.
As a further improvement of the above technical solution, step 1 further comprises: reading the abstract syntax tree information and parsing all assignment statements to obtain the symbol table information containing the information of each variable.
As a further improvement of the above technical solution, step 1 comprises: reading in the source code of the program under test, performing lexical and syntactic analysis to obtain the abstract syntax tree, and further parsing all assignment nodes in the abstract syntax tree to obtain the symbol table information.
As a further improvement of the above technical solution, in step 1 the abstract syntax tree and symbol table information are provided by an external program.
As a further improvement of the above technical solution, the method further comprises: when the abstract syntax tree contains include nodes, parsing all include nodes in the abstract syntax tree and writing the paths of the included files back into the abstract syntax tree.
As a further improvement of the above technical solution, the method further comprises: when the abstract syntax tree contains an include node, suspending the processing flow of the source code under test and recursively executing steps 1 to 4 for the included file.
As a further improvement of the above technical solution, the method further comprises: when the abstract syntax tree contains a constant definition node, analyzing the child nodes of the constant definition node to obtain the constant definition value and writing the constant definition value back into the abstract syntax tree.
As a further improvement of the above technical solution, the method further comprises: when the abstract syntax tree contains a function declaration node, analyzing the relation between the function's return value and its parameters to obtain a function summary and writing it back into the abstract syntax tree.
As a further improvement of the above technical solution, the method further comprises: executing steps 2 to 4 for the function declaration node; if a trigger node inside the function is found to be directly changeable by attacker-controllable input, it is considered a vulnerability and vulnerability information is output.
As a further improvement of the above technical solution, the method further comprises: when there is an include node inside the function, executing steps 1 to 4 recursively for the included file referenced by the include node.
In the above page vulnerability detection device and detection method, the program source code is converted into an abstract syntax tree using compiler principles, and the variables related to each vulnerability trigger point are backtracked; if any such variable is attacker-controllable, a vulnerability exists at the trigger point. Compared with black-box scanning in the prior art, the page vulnerability detection device of this embodiment can cover all possible vulnerabilities completely and thus improves vulnerability coverage; compared with keyword search in the prior art, it avoids treating as vulnerabilities those cases that use a dangerous statement whose related variables are not attacker-controllable, and thus reduces the false positive rate.
In order to make the above and other objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
Fig. 1 is a block diagram of the page vulnerability detection device provided by the first embodiment of the present invention.
Fig. 2 is a schematic diagram of abstract syntax tree nodes provided by the first embodiment of the present invention.
Fig. 3 is a flow chart of the page vulnerability detection method provided by the second embodiment of the present invention.
Specific embodiment
To further explain the technical means and effects adopted by the present invention to achieve its intended purposes, the specific embodiments, structures, features and effects of the page vulnerability detection device and detection method proposed by the present invention are described in detail below with reference to the accompanying drawings and preferred embodiments.
First embodiment
Referring to Fig. 1, the first embodiment provides a page vulnerability detection device comprising: a lexical and syntactic analysis module 11, an abstract syntax tree (AST) management module 12, a preprocessing module 13, a symbol table module 14, a function summary module 15 and a taint backtracking module 16.
The lexical and syntactic analysis module 11 reads in the program source code and converts it into an AST through the lexical analysis and parsing processes of compiler principles, handing the AST over to the AST management module for management. For example, each statement in the program source code can be converted into one node of the AST. Referring to Fig. 2, an if () { } statement can be converted into an ifStmt node, in which the corresponding source code information (such as line information) can be preserved. The conditional judgment statement inside the if (the part in round parentheses on the first line) and the sub-statement (the second line) are converted into a conStmt child node and an echoStmt child node under ifStmt respectively. It is understood that Fig. 2 is only an example, and anyone familiar with compiler principles will appreciate that these contents can be changed according to the actual situation.
Fig. 2 shows only one program source code fragment; after the above process is executed for the whole program source code, the AST of the whole program source code is obtained.
The AST management module 12 reads in the AST information output by the lexical and syntactic analysis module 11; the other four modules (the preprocessing module 13, the symbol table module 14, the function summary module 15 and the taint backtracking module 16) interact with the AST management module and operate on the AST information through it.
The preprocessing module 13 manages the AST information through the AST management module 12. It parses all constant definition nodes and writes the results back into the AST information; it also parses all include nodes, computes the real path of each included file and writes it back into the AST information. Of course, the real paths of included files need not be written back into the AST information; they may also be stored separately.
The constant definition nodes correspond, for example, to define statements in the program source code, and the include nodes correspond, for example, to include statements in the program source code. It is understood that the specific keywords, such as define and include, may differ depending on the programming language of the program source code, but the principle is the same or similar, and the same or a similar processing method can be adopted.
The symbol table module 14 reads the AST information through the AST management module 12 and parses all assignment statements, which may correspond to different node types in the AST (such as assignStmt, opAssignStmt and listAssignStmt nodes), to obtain the symbol table information containing the information of each variable. Here an assignStmt node corresponds, for example, to an ordinary assignment statement in the source code, an opAssignStmt node to a compound assignment statement, and a listAssignStmt node to a list assignment statement. The symbol table module 14 provides services to the taint backtracking module 16.
The symbol table is divided into a global symbol table and local symbol tables, corresponding to global variables and local variables respectively. The symbol table is structured like a two-level array. The first level holds all variables, each entry corresponding to one concrete variable. The information of each concrete variable forms the second level, which stores all assignment relations of that variable; each assignment also records its line number so that endless loops during backtracking are avoided.
The function summary module 15 reads the AST information through the AST management module 12, parses all function declaration nodes, and then analyzes the relation between each function's return value and its parameters to obtain a function summary. The function summaries can be stored separately or written back into the AST information.
The taint backtracking module 16 reads the AST information through the AST management module 12 and parses all configured trigger nodes, obtaining which variables each trigger node is related to, that is, which variables can control the behavior of the trigger node. It then starts backtracking where these variables come from and which other variables affect them. According to the variable assignment relations recorded by the symbol table module 14, the set of variables that affects the trigger node one level further up can be found again. Backtracking continues in this way to the end; if the initial value of a variable is found to come from attacker-controllable input, all variables along this backtracking chain are considered contaminated, that is, attacker-controllable, and a vulnerability exists. Taking PHP pages as an example, attacker-controllable input refers to the parameters supplied by the attacker when accessing the PHP page, such as PHP's built-in $_GET and $_POST.
A trigger node is a node in the AST corresponding to a sensitive operation statement; sensitive operation statements are statements that may lead to a page vulnerability, and they can be configured by the user in advance. This is common knowledge for those of ordinary skill in the art.
Broadly speaking, page vulnerabilities, in particular vulnerabilities in website programming languages, can be divided into cross-site scripting (XSS) vulnerabilities and SQL injection vulnerabilities.
For XSS vulnerabilities, an echo statement in PHP, for example, outputs a parameter to the returned page; if the parameter is contaminated, a vulnerability results, so echo is a trigger node for XSS vulnerabilities in a PHP program. The printf statement is similar to echo. For SQL injection vulnerabilities, the related trigger nodes include statements such as mysql_query and sqlite_exec.
It is understood that the trigger nodes above are illustrated only with PHP as an example, and those skilled in the art can freely apply the above approach to other programming languages. In addition, new page vulnerabilities will continue to be discovered over time, and these newly found vulnerabilities can also serve as trigger nodes.
In addition, the page vulnerability detection device of this embodiment includes the lexical and syntactic analysis module 11, the preprocessing module 13, the symbol table module 14 and the function summary module 15, that is, the AST information and symbol table information are produced by the page vulnerability detection device itself. However, it is understood that the page vulnerability detection device may also omit the lexical and syntactic analysis module 11, the preprocessing module 13, the symbol table module 14 and the function summary module 15; in that case the AST information and symbol table information of the program source code can be provided by an external program.
In the page vulnerability detection device of this embodiment, the program source code is converted into an abstract syntax tree using compiler principles, and the variables related to each vulnerability trigger point are backtracked; if any such variable is attacker-controllable, a vulnerability exists at the trigger point. Compared with black-box scanning in the prior art, the page vulnerability detection device of this embodiment can cover all possible vulnerabilities completely and thus improves vulnerability coverage; compared with keyword search in the prior art, it avoids treating as vulnerabilities those cases that use a dangerous statement whose related variables are not attacker-controllable, and thus reduces the false positive rate.
Second embodiment
Referring to Fig. 3, the second embodiment provides a page vulnerability detection method comprising the following steps:
Step 1: providing the abstract syntax tree and symbol table information of the source code of the program under test;
Step 2: traversing the abstract syntax tree to obtain all trigger nodes;
and, for each trigger node, executing:
Step 3: extracting the set of all of its related variables according to the symbol table information; and
Step 4: backtracking each related variable; if the related variable is found to be changeable by attacker-controllable input, a vulnerability is considered found and vulnerability information is output.
The abstract syntax tree and symbol table information of step 1 can be prepared before step 1 is executed, or the abstract syntax tree and symbol table information already prepared by another external program can be used directly. The specific preparation procedure is as follows:
Step 1.1, preparing the abstract syntax tree, specifically comprising:
Step 1.1.1: reading in the program source code file and judging whether a corresponding abstract syntax tree already exists; if so, skipping the subsequent steps 1.1.2 and 1.1.3, otherwise continuing. For example, during compilation a program typically generates, in the same directory, intermediate files that have the same name as the source file but different suffixes, each suffix having a different meaning. Therefore, after the program source code file is read in, the same directory can be searched for a file holding the abstract syntax tree. Of course, the file holding the abstract syntax tree can also be specified directly by the user.
Step 1.1.2: performing lexical analysis to obtain the token stream of the program source code.
Step 1.1.3: performing syntactic analysis on the token stream of the program source code and assembling the result into the abstract syntax tree.
After the abstract syntax tree is obtained, step 1.2, the preparation of the symbol table information, can be carried out, which specifically may comprise:
Step 1.2.1: traversing all assignment nodes in the abstract syntax tree, extracting the node information and building the global symbol table. Specifically, for each assignment node, the affected variable is extracted, then all nodes of the r-value are extracted, and an assignment relation is added to the second-level symbol table of the corresponding variable in the global symbol table. The r-value refers to the value on the right-hand side of the assignment operator.
Step 1.2.2: building the local symbol tables. A local symbol table is the symbol table for the local variables within a function; it is built in the same way as in step 1.2.1, the only difference being that the local symbol table covers only the local variables within the function.
Step 2 is carried out after the abstract syntax tree and symbol table information are obtained: the abstract syntax tree is traversed to obtain the set of all trigger nodes. A trigger node refers, for example, to a node corresponding to a sensitive operation statement, and sensitive operation statements are statements that may lead to a page vulnerability, which can be configured by the user in advance.
After the set of trigger nodes is obtained, backtracking starts for each trigger node to determine whether a vulnerability exists at it; specifically, this may comprise:
Step 4.1: extracting the set of variables that affect the trigger point;
Step 4.2: backtracking each variable; and
Step 4.3: if the backtracking in step 4.2 finally reaches attacker-controllable input that can affect the variable, a vulnerability is considered found and vulnerability information is output.
Step 4.2 may specifically comprise:
Step 4.2.1: finding the entry corresponding to the variable in the symbol table;
Step 4.2.2: in the second-level symbol table pointed to by that entry, finding the assignment whose line number is the nearest one below the line number of the variable;
Step 4.2.3: if the assignment found in step 4.2.2 is a constant assignment, returning to step 4.2 to continue backtracking the next variable;
Step 4.2.4: if the assignment found in step 4.2.2 is an assignment from attacker-controllable input, jumping to step 4.3 and ending the backtracking;
Step 4.2.5: if the assignment found in step 4.2.2 is an indirect assignment, that is, the right-hand side of the assignment operator contains other variables, extracting the set of variables that affect the current assignment;
Step 4.2.6: recursively backtracking each variable of the variable set obtained in step 4.2.5, using the same algorithm as step 4.2.
Outputting vulnerability information in step 4.3 refers, for example, to storing the vulnerability information in a variable, recording it in a file, showing it on a display, or passing it to other modules. Of course, these operations can be combined; for example, each time a vulnerability is found, its information is simply stored in a variable, and after the backtracking of all trigger nodes is complete, all vulnerability information is output for display.
Only the flow of backtracking vulnerabilities has been described above. Depending on the specific program source code, some other processing steps may further be needed to ensure that the above operations complete smoothly; it is understood, however, that these steps are not mandatory.
For example, when the abstract syntax tree contains a constant definition node (defStmt), the child nodes of the constant definition node need to be analyzed to obtain the constant definition value, and the constant definition value can be written back into the abstract syntax tree.
For example, when the abstract syntax tree contains an include node (inclStmt), the include node needs to be analyzed to obtain the real path of the included file, and the real path can be written back into the abstract syntax tree. In general, program code that includes a file often uses previously defined constants at the same time (for example a file path constant), so this step may need to rely on the result of the constant definition node analysis described above.
In addition, when the abstract syntax tree contains an include node, besides the above operation, steps 1 to 4 also need to be carried out recursively for the included file: the processing flow of the current program code is suspended, steps 1 to 4 are performed for the included file, and after the included file has been processed, the processing flow returns to the current program code.
For example, when the abstract syntax tree contains a function declaration node (funcDeclStmt), the following needs to be carried out:
building the local symbol table of the function with reference to the procedure of step 1.2.1;
traversing each return node among the child nodes of the function declaration node to obtain all variables in the return statements;
backtracking, using the algorithm of step 4.2, to obtain the relation between the return statements and the parameters, which is taken as the function summary;
applying the algorithm of steps 2 to 4 inside the function; if a trigger node inside the function is found to be directly changeable by attacker-controllable input, it is considered a vulnerability and vulnerability information is output;
if an include node is found inside the function, processing it according to the include node handling described above.
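As an added illustration (not code from the patent), the following Python models step 4.2 / 4.3 above together with the function-summary handling for funcDeclStmt nodes: a two-level symbol table keyed by variable and ordered by line number, backtracking from each trigger node toward $_GET / $_POST, and a per-function summary of which parameters can reach a return statement. The Assign / Trigger / FuncDecl records and the PHP snippet in the comments are constructed stand-ins for AST nodes; no PHP parser is involved.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
# Right-hand-side kinds of an assignment (constructed stand-ins for AST node types):
#   ("const", value) | ("source", "$_GET") | ("vars", [names]) | ("call", fname, [args])
#   | ("param", index), the last one only inside function bodies (used for summaries)

@dataclass
class Assign:            # one assignment statement (assignStmt / opAssignStmt / ...)
    line: int
    var: str
    rhs: Tuple

@dataclass
class Trigger:           # a sensitive-operation statement such as echo or mysql_query
    line: int
    func: str
    args: List[str]

@dataclass
class FuncDecl:          # a funcDeclStmt: parameters, body assignments, returned variables
    name: str
    params: List[str]
    body: List[Assign]
    returns: List[str]

SOURCES = {"$_GET", "$_POST"}                                # attacker-controllable input
TRIGGERS = {"echo", "printf", "mysql_query", "sqlite_exec"}  # pre-configured trigger nodes

def build_symbol_table(assigns: List[Assign]) -> Dict[str, List[Assign]]:
    """First level: one entry per variable; second level: its assignments in line order."""
    table: Dict[str, List[Assign]] = {}
    for a in sorted(assigns, key=lambda a: a.line):
        table.setdefault(a.var, []).append(a)
    return table

def nearest_assignment(table: Dict[str, List[Assign]], var: str, before: int) -> Optional[Assign]:
    """Step 4.2.2: the latest assignment of `var` whose line number is below `before`."""
    earlier = [a for a in table.get(var, []) if a.line < before]
    return earlier[-1] if earlier else None

def backtrack(table: Dict[str, List[Assign]], var: str, line: int,
              is_source: Callable[[Tuple], bool], summaries: Dict[str, Set[int]],
              seen: Optional[Set[Tuple[str, int]]] = None) -> bool:
    """Steps 4.2.1 to 4.2.6: can `var`, as used at `line`, be reached from a source?"""
    seen = set() if seen is None else seen
    if (var, line) in seen:                  # line-number bookkeeping stops endless loops
        return False
    seen.add((var, line))
    a = nearest_assignment(table, var, line)
    if a is None:                            # never assigned before this use
        return False
    if is_source(a.rhs):                     # 4.2.4: reached attacker-controllable input
        return True
    kind = a.rhs[0]
    if kind == "vars":                       # 4.2.5 / 4.2.6: indirect assignment, recurse
        return any(backtrack(table, v, a.line, is_source, summaries, seen) for v in a.rhs[1])
    if kind == "call":                       # only parameters the callee's summary flags matter
        fname, args = a.rhs[1], a.rhs[2]
        return any(backtrack(table, arg, a.line, is_source, summaries, seen)
                   for i, arg in enumerate(args) if i in summaries.get(fname, set()))
    return False                             # 4.2.3: constant (or other terminal) assignment

def summarize(fn: FuncDecl) -> Set[int]:
    """Function summary: indices of the parameters whose value can reach a return statement."""
    params = [Assign(0, p, ("param", i)) for i, p in enumerate(fn.params)]
    local = build_symbol_table(params + fn.body)           # local symbol table (step 1.2.2)
    end = max((a.line for a in fn.body), default=0) + 1    # returns are backtracked from the end
    return {i for i in range(len(fn.params))
            if any(backtrack(local, r, end, lambda rhs, i=i: rhs == ("param", i), {})
                   for r in fn.returns)}

def detect(assigns: List[Assign], triggers: List[Trigger],
           funcs: List[FuncDecl]) -> List[Tuple[int, str, str]]:
    """Steps 2 to 4: (line, trigger, variable) for every trigger argument that is tainted."""
    summaries = {f.name: summarize(f) for f in funcs}
    table = build_symbol_table(assigns)
    from_web = lambda rhs: rhs[0] == "source" and rhs[1] in SOURCES
    return [(t.line, t.func, arg) for t in triggers if t.func in TRIGGERS
            for arg in t.args if backtrack(table, arg, t.line, from_web, summaries)]

# Constructed script (PHP shown as comments; the records below stand in for its AST):
#  1 $name = $_GET['name'];      2 $safe = 'hello';        3 $msg = 'Hi ' . $name;
#  4 $out = wrap($safe, $msg);   5 echo $out;              6 $sql = 'SELECT 1';
#  7 mysql_query($sql);          8 $safe = $safe . '!';    9 echo $safe;
#  function wrap($a, $b) { $r = '<b>' . $b; return $r; }
WRAP = FuncDecl("wrap", ["$a", "$b"], [Assign(1, "$r", ("vars", ["$b"]))], ["$r"])
SCRIPT = [
    Assign(1, "$name", ("source", "$_GET")),
    Assign(2, "$safe", ("const", "hello")),
    Assign(3, "$msg", ("vars", ["$name"])),
    Assign(4, "$out", ("call", "wrap", ["$safe", "$msg"])),
    Assign(6, "$sql", ("const", "SELECT 1")),
    Assign(8, "$safe", ("vars", ["$safe"])),   # compound self-assignment: the line rule ends it
]
TRIGGER_NODES = [Trigger(5, "echo", ["$out"]), Trigger(7, "mysql_query", ["$sql"]),
                 Trigger(9, "echo", ["$safe"])]

if __name__ == "__main__":
    print(detect(SCRIPT, TRIGGER_NODES, [WRAP]))   # → [(5, 'echo', '$out')]
```

Only the echo at line 5 is reported: $out is tainted through wrap's second parameter, while the constant-fed mysql_query and the self-appended $safe are left alone, which is the false-positive reduction the page claims over keyword matching.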
In the page vulnerability detection method of this embodiment, the program source code is converted into an abstract syntax tree using compiler principles, and the variables related to each vulnerability trigger point are backtracked; if any such variable is attacker-controllable, a vulnerability exists at the trigger point. Compared with black-box scanning in the prior art, the page vulnerability detection method of this embodiment can cover all possible vulnerabilities completely and thus improves vulnerability coverage; compared with keyword search in the prior art, it avoids treating as vulnerabilities those cases that use a dangerous statement whose related variables are not attacker-controllable, and thus reduces the false positive rate.
The above are only preferred embodiments of the present invention and do not limit the present invention in any form. Although the present invention has been disclosed above by way of preferred embodiments, these are not intended to limit it; any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical contents disclosed above to make minor changes or modifications into equivalent embodiments with equivalent variations. Any simple modification, equivalent variation or alteration made to the above embodiments according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still falls within the scope of the technical solution of the present invention.
Claims (18)
1. A page vulnerability detection device, characterised in that it comprises:
an abstract syntax tree management module, for managing the abstract syntax tree of the program source code under detection;
a symbol table module, for managing the symbol table information of the program source code under detection; and
a taint backtracking module, for reading the abstract syntax tree from the abstract syntax tree management module and traversing the abstract syntax tree to obtain the set of all pre-configured trigger nodes; for each trigger node, it finds, according to the variable assignment relations recorded in the symbol table information, the set of related variables at the previous layer that affects the trigger point, and backtracks all of its related variables; if a related variable can be changed by attacker-controllable input, a vulnerability is deemed to exist at the trigger node and vulnerability information is output.
2. The page vulnerability detection device as claimed in claim 1, characterised in that the symbol table module is further configured to: read the abstract syntax tree information through the abstract syntax tree management module, parse all assignment statements, obtain the symbol table information comprising the information of each variable, and supply the symbol table information to the taint backtracking module.
3. The page vulnerability detection device as claimed in claim 1, characterised in that it further comprises: a lexical and syntactic analysis module, for reading in the program source code under detection, converting it into an abstract syntax tree, and outputting the abstract syntax tree to the abstract syntax tree management module.
4. The page vulnerability detection device as claimed in claim 1, characterised in that it further comprises: a preprocessing module, for parsing the constant definition nodes and include nodes in the abstract syntax tree and writing the parsed information back into the abstract syntax tree.
5. The page vulnerability detection device as claimed in claim 1, characterised in that it further comprises: a function summary module, for parsing the function declaration nodes in the abstract syntax tree and then parsing the relation between the return value and the parameters of each function to obtain a function summary.
6. The page vulnerability detection device as claimed in claim 1, characterised in that the taint backtracking module is further configured to: when there is an include node in the abstract syntax tree, the abstract syntax tree management module, the symbol table module and the taint backtracking module jump to processing the included file, and return to processing the program source code under detection after processing of the included file is finished.
7. The page vulnerability detection device as claimed in claim 1, characterised in that the taint backtracking module is further configured to: when there is a function declaration node in the abstract syntax tree, traverse the child nodes of the function declaration node to obtain the set of trigger nodes, backtrack all related variables of each trigger node according to the symbol table information, and, if a related variable can be changed by attacker-controllable input, deem a vulnerability to exist at the trigger node and output vulnerability information.
8. The page vulnerability detection device as claimed in claim 1, characterised in that when there is an include node within a function declaration node of the abstract syntax tree, the abstract syntax tree management module, the symbol table module and the taint backtracking module jump to processing the included file, and return to processing the function declaration node after processing of the included file is finished.
9. A page vulnerability detection method, characterised in that it comprises:
step one, providing the abstract syntax tree and the symbol table information of the program source code under detection;
step two, traversing the abstract syntax tree to obtain the set of all trigger nodes, a trigger node being a node in the abstract syntax tree that corresponds to a sensitive operation statement in the program code;
and executing, for each trigger node:
step three, finding, according to the variable assignment relations recorded in the symbol table information, the set of related variables at the previous layer that affects the trigger point, so as to extract the set of all of its related variables; and
step four, backtracking each related variable, and, if it is found that the related variable can be changed by attacker-controllable input, deeming that a vulnerability has been found and outputting vulnerability information.
10. The page vulnerability detection method as claimed in claim 9, characterised in that step one further comprises: reading the abstract syntax tree information, parsing all assignment statements, and obtaining the symbol table information comprising the information of each variable.
11. The page vulnerability detection method as claimed in claim 9, characterised in that, before step one, it comprises reading in the program source code under detection, performing lexical and syntactic analysis to obtain the abstract syntax tree, and further parsing all assignment nodes in the abstract syntax tree to obtain the symbol table information.
12. The page vulnerability detection method as claimed in claim 9, characterised in that the abstract syntax tree and the symbol table information in step one are provided by an external program.
13. The page vulnerability detection method as claimed in claim 9, characterised in that the method further comprises: when there are include nodes in the abstract syntax tree, parsing all include nodes in the abstract syntax tree and writing the paths of the included files back into the abstract syntax tree.
14. The page vulnerability detection method as claimed in claim 13, characterised in that the method further comprises: when there is an include node in the abstract syntax tree, suspending the processing flow of the program source code under detection and turning to recursively executing step one to step four for the included file.
15. The page vulnerability detection method as claimed in claim 9, characterised in that the method further comprises: when there is a constant definition node in the abstract syntax tree, analysing the child nodes of the constant definition node to obtain the constant definition value, and writing the constant definition value back into the abstract syntax tree.
16. The page vulnerability detection method as claimed in claim 9, characterised in that the method further comprises: when there is a function declaration node in the abstract syntax tree, parsing the relation between the return value and the parameters of the function to obtain a function summary, and writing it back into the abstract syntax tree.
17. The page vulnerability detection method as claimed in claim 15, characterised in that the method further comprises: executing step two to step four for the function declaration node; if a trigger node inside the function is found to be directly changeable by attacker-controllable input, deeming it a vulnerability and outputting vulnerability information.
18. The page vulnerability detection method as claimed in claim 16, characterised in that the method further comprises: when there is an include node inside the function, recursively executing step one to step four for the file included by the include node.
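The backtracking of claims 1 and 9 (steps two to four) run over a constructed symbol table, as an added Python example that is not the patent's code; the source set, the sink names and the sample assignments are assumptions, and the self-referential assignment shows why the walk has to track visited variables to terminate.

```python
from typing import Dict, List, Optional, Tuple

# Attacker-controllable inputs (PHP superglobals); this set is an assumption of the example.
TAINT_SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}

# Stand-in for the patent's symbol table: for every assigned variable, the identifiers
# (variables or taint sources) its right-hand side reads, i.e. its "last layer".
SymbolTable = Dict[str, List[str]]

def backtrack(symtab: SymbolTable, var: str, visited: Optional[set] = None) -> Optional[List[str]]:
    # Steps three and four of claim 9: follow the assignment relations backwards from `var`
    # and return the chain from an attacker-controllable source to `var`, or None.
    # `visited` ends the walk on self-referential assignments such as $s = $s . 'x'.
    if visited is None:
        visited = set()
    if var in TAINT_SOURCES:
        return [var]
    if var in visited:
        return None
    visited.add(var)
    for dep in symtab.get(var, []):
        path = backtrack(symtab, dep, visited)
        if path is not None:
            return path + [var]
    return None

def detect(symtab: SymbolTable, triggers: List[Tuple[int, str, List[str]]]) -> List[dict]:
    # Step two's output is the trigger set: (line, sink name, variables passed to the
    # sink). Each sink is backtracked once; one finding per tainted sink.
    findings = []
    for line, sink, args in triggers:
        for var in args:
            path = backtrack(symtab, var)
            if path is not None:
                findings.append({"line": line, "sink": sink, "var": var, "path": path})
                break
    return findings

def demo() -> List[dict]:
    # Constructed sample standing for a PHP page such as:
    #   $id = $_GET['id'];  $q = "SELECT ... WHERE id=" . $id;  $n = 42;
    #   $s = $s . 'x';  mysql_query($q);  echo $n;  echo $s;
    symtab: SymbolTable = {
        "$id": ["$_GET"],
        "$q": ["$id"],
        "$n": [],       # constant: nothing to backtrack
        "$s": ["$s"],   # cycle: must terminate without a finding
    }
    triggers = [(5, "mysql_query", ["$q"]), (6, "echo", ["$n"]), (7, "echo", ["$s"])]
    return detect(symtab, triggers)
```

Only the `mysql_query` sink is reported, with the chain `$_GET -> $id -> $q`; the constant and the self-referential string produce no finding.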
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210182054.5A CN103455759B (en) | 2012-06-05 | 2012-06-05 | A kind of page Hole Detection device and detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103455759A CN103455759A (en) | 2013-12-18 |
CN103455759B true CN103455759B (en) | 2017-03-15 |
Family ID: 49738109
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103455759B (en) |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104850493A (en) * | 2015-04-24 | 2015-08-19 | 百度在线网络技术(北京)有限公司 | Method and device for detecting loophole of source code |
CN106295346B (en) * | 2015-05-20 | 2022-08-30 | 深圳市腾讯计算机系统有限公司 | Application vulnerability detection method and device and computing equipment |
CN105808423B (en) * | 2016-02-04 | 2018-11-13 | 天津橙子科技有限公司 | The method for building the enforcement engine based on WEB engineering test use-case programming languages |
CN108875366A (en) * | 2018-05-23 | 2018-11-23 | 四川大学 | A kind of SQL injection behavioral value system towards PHP program |
CN109002712B (en) * | 2018-06-22 | 2020-11-03 | 北京大学 | Pollution data analysis method and system based on value dependency graph and electronic equipment |
CN109241484B (en) * | 2018-09-06 | 2023-06-16 | 平安科技(深圳)有限公司 | Method and equipment for sending webpage data based on encryption technology |
CN109508296A (en) * | 2018-11-22 | 2019-03-22 | 北京知道创宇信息技术有限公司 | Data detection method, device and electronic equipment |
CN109871693A (en) * | 2019-02-21 | 2019-06-11 | 北京百度网讯科技有限公司 | Method and apparatus for detecting loophole |
CN110059006B (en) * | 2019-03-29 | 2020-07-07 | 北京创鑫旅程网络技术有限公司 | Code auditing method and device |
CN110245496B (en) * | 2019-05-27 | 2021-04-20 | 华中科技大学 | Source code vulnerability detection method and detector and training method and system thereof |
CN110532782B (en) * | 2019-07-30 | 2023-02-21 | 平安科技(深圳)有限公司 | Method and device for detecting task execution program and storage medium |
CN110472411B (en) * | 2019-08-20 | 2021-05-07 | 杭州和利时自动化有限公司 | Memory overflow processing method, device, equipment and readable storage medium |
CN110955898A (en) * | 2019-12-12 | 2020-04-03 | 杭州安恒信息技术股份有限公司 | Vulnerability auditing method and system of station building system and related device |
CN111291373B (en) * | 2020-02-03 | 2022-06-14 | 思客云(北京)软件技术有限公司 | Method, apparatus and computer-readable storage medium for analyzing data pollution propagation |
CN111475809B (en) * | 2020-04-09 | 2023-10-20 | 杭州奇盾信息技术有限公司 | Script confusion detection method, script confusion detection device, computer equipment and storage medium |
CN112131573A (en) * | 2020-09-14 | 2020-12-25 | 深信服科技股份有限公司 | Method and device for detecting security vulnerability and storage medium |
CN114257389B (en) * | 2020-09-22 | 2024-08-02 | 北京基调网络股份有限公司 | Reflection type XSS detection method and device based on grammar analysis |
CN115618363B (en) * | 2022-11-22 | 2023-03-21 | 北京邮电大学 | Vulnerability path mining method and related equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101482847A (en) * | 2009-01-19 | 2009-07-15 | 北京邮电大学 | Detection method based on safety bug defect mode |
CN101661543A (en) * | 2008-08-28 | 2010-03-03 | 西门子(中国)有限公司 | Method and device for detecting security flaws of software source codes |
CN101908006A (en) * | 2010-07-30 | 2010-12-08 | 北京理工大学 | GCC abstract syntax tree-based buffer overflow vulnerability detection method |
CN102185930A (en) * | 2011-06-09 | 2011-09-14 | 北京理工大学 | Method for detecting SQL (structured query language) injection vulnerability |
CN102385550A (en) * | 2010-08-30 | 2012-03-21 | 北京理工大学 | Detection method for software vulnerability |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |