CN103731429A - Method and device for web application vulnerability detection - Google Patents


Info

Publication number: CN103731429A
Authority: CN (China)
Prior art keywords: leak, web application, application, vulnerability information, packet
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201410008853.XA
Other languages: Chinese (zh)
Inventor: 刘余
Current assignee: Sangfor Network Technology Shenzhen Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Sangfor Network Technology Shenzhen Co Ltd
Priority date: 2014-01-08 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2014-01-08
Publication date: 2014-04-16
Application filed by Sangfor Network Technology Shenzhen Co Ltd; priority to CN201410008853.XA; published as CN103731429A; legal status Pending.

Abstract

The invention relates to a method for web application vulnerability detection. The method comprises the steps of receiving a data packet and extracting the application layer payload of the data packet; extracting the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword; and obtaining a preset vulnerability signature library and searching it for vulnerability information that matches the data fingerprint. The invention further comprises a device for web application vulnerability detection. Because detection works on the traffic already flowing to and from the server rather than on probe packets, the method and device reduce the load on the web application server.

Description

Web application vulnerability detection method and device
Technical field
The present invention relates to the field of network technology, and in particular to a web application vulnerability detection method and device.
Background
A vulnerability is a defect in the specific implementation of hardware, software, a protocol, or a system security policy that allows an attacker to access or damage a system without authorization. Vulnerabilities are security risks usually caused by problems in the system itself; they commonly include login vulnerabilities, denial-of-service vulnerabilities, buffer overflows, information leakage, worms and backdoors, and exception-handling errors, and they reflect the security weaknesses of the system itself.
In the prior art, vulnerability detection is based on active scanning: a vulnerability detection device actively sends probe packets to the web application server and judges from the returned response packets whether the web application has a security vulnerability.
However, the inventor found after study that the prior-art web application vulnerability detection method has at least the following problem: to detect vulnerabilities in a web application, an existing vulnerability detection device must frequently send probe packets to the web application, and the web application has to spend additional computing resources answering them. This wastes the web application's computing resources and raises its load.
Summary of the invention
On this basis, it is necessary to provide a web application vulnerability detection method that can reduce the load on the web application.
A web application vulnerability detection method, comprising:
receiving a data packet and extracting the application layer payload of the data packet;
extracting the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword;
obtaining a preset vulnerability signature library and searching the vulnerability signature library for vulnerability information matching the data fingerprint.
In one embodiment, before the step of extracting the application layer payload of the data packet, the method further comprises:
performing at least one of a validity check, IP fragment reassembly, and stripping of the transport layer/network layer protocol headers on the data packet.
In one embodiment, before the step of extracting the data fingerprint contained in the application layer payload, the method further comprises:
performing SSL decryption or base64 decoding on the application layer payload.
In one embodiment, the vulnerability information comprises a vulnerability type and a remediation suggestion;
and the step of presenting the vulnerability information comprises:
generating a report from the vulnerability type and remediation suggestion in the vulnerability information, displaying it, and recording a log.
In one embodiment, the method further comprises:
receiving an input vulnerability information update instruction and updating the vulnerability signature library according to the vulnerability information update instruction.
In addition, it is also necessary to provide a web application vulnerability detection device that can reduce the load on the web application.
A web application vulnerability detection device, comprising:
a data reception module for receiving a data packet and extracting the application layer payload of the data packet;
a fingerprint extraction module for extracting the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword;
a vulnerability query module for obtaining a preset vulnerability signature library and searching it for vulnerability information matching the data fingerprint.
In one embodiment, the data reception module is further configured to perform at least one of a validity check, IP fragment reassembly, and stripping of the transport layer/network layer protocol headers on the data packet.
In one embodiment, the device further comprises a pre-processing module for performing SSL decryption or base64 decoding on the application layer payload.
In one embodiment, the vulnerability information comprises a vulnerability type and a remediation suggestion;
and the device further comprises a report display module for generating a report from the vulnerability type and remediation suggestion in the vulnerability information, displaying it, and recording a log.
In one embodiment, the device further comprises a vulnerability database update module for receiving an input vulnerability information update instruction and updating the vulnerability signature library according to the vulnerability information update instruction.
In the above web application vulnerability detection method and device, detecting web application vulnerabilities does not require sending probe packets to the web application server and then analyzing the returned responses; instead, the business data packets exchanged between external users and the web application server during normal use are analyzed directly. The web application server therefore incurs no extra burden of answering probe packets, which reduces the load on the web application.
In addition, compared with the prior art, the above detection approach is passive: detection takes place as long as data packets flow through the gateway device, so an administrator does not need to supervise the detection process.
Brief description of the drawings
Fig. 1 is a flow chart of the web application vulnerability detection method in one embodiment;
Fig. 2 is a structural diagram of the web application vulnerability detection device in one embodiment;
Fig. 3 is a structural diagram of the web application vulnerability detection device in another embodiment.
Detailed description
As shown in Fig. 1, in one embodiment a web application vulnerability detection method is executed by a computer program that can run on a computer system based on the von Neumann architecture; this computer system may be a computer device with gateway functions. The computer device may be the gateway device of the machine room of a web application hosting center. Multiple servers hosting multiple web applications can be placed in this machine room and form a subnet that is connected to the external network through this gateway device. All access by Internet users to the web applications must be forwarded by this gateway device before it reaches the corresponding web application server.
The method comprises:
Step S102: receive a data packet and extract the application layer payload of the data packet.
The application layer payload is the body part of the data packet. As mentioned above, the data packets received by the gateway device and destined for web application servers in the subnet are transport layer/network layer (TCP/IP) packets. Such a packet comprises a header part and a body part. The header part consists of the packet's transport layer protocol header (TCP header), network layer protocol header (IP header), and so on. The body part is the application layer payload, which may contain an application layer protocol header and the transmitted application layer data. For example, in the application layer payload of a packet of an HTTP-based web application, the application layer protocol header is the HTTP header section, and the transmitted application layer data are the request or response data.
In this embodiment, before the step of extracting the application layer payload of the data packet, the method further comprises: performing at least one of a validity check, IP fragment reassembly, and stripping of the transport layer/network layer protocol headers on the data packet.
The validity check of a packet checks the packet's integrity and the order of the packets' sequence numbers. IP fragment reassembly combines multiple packets into one according to the MTU (Maximum Transmission Unit) of the IP protocol. Stripping the transport layer/network layer protocol headers removes the header part of the packet.
Step S104: extract the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword.
The protocol identifier may be identification information in the protocol header of the application layer protocol; for example, for an HTTP-based web application, the protocol identifier is the HTTP mark in the HTTP protocol header. The application identifier is the identifier of the web application server. For example, if the web application server is an Apache server, the application identifier is the identification information of the Apache server (in the case of a packet returned by the web application server to a terminal on the external network). For a packet sent by a client to the web application server, the application identifier may be the identifier of the terminal's operating system or browser, for example a Windows identifier or a Chrome identifier. The application version is the version information of the aforementioned web application, or of the terminal's operating system or browser. A feature keyword is one or more segments of the application data contained in the payload.
In this embodiment, a preset feature keyword list can be obtained and the application layer payload searched for any feature keyword in the list; if one is present, that feature keyword is obtained. In other embodiments, feature location information can also be preset and the feature keyword looked up in the application layer payload according to that location information. For example, the feature location information may be the Accept attribute in the HTTP protocol header, and the feature keyword can be obtained from this Accept attribute.
In this embodiment, before the step of extracting the data fingerprint contained in the application layer payload, SSL decryption or base64 decoding can also be performed on the application layer payload.
Some packets are SSL-encrypted or base64-encoded in transmission; in that case the plaintext application layer payload is obtained after decrypting or decoding them.
Step S106: obtain a preset vulnerability signature library and search it for vulnerability information matching the data fingerprint.
The vulnerability signature library is a preset vulnerability database (not limited to the database form; a file system or a distributed storage system is also possible). The vulnerability signature library stores data fingerprints and the vulnerability information corresponding to each data fingerprint. The corresponding vulnerability information can be found in the library by comparing data fingerprints. The comparison can be simple string matching or regular expression matching.
The vulnerability signature library is set in advance, entered by experienced network security personnel. It can also be supplemented later, as follows: a vulnerability information update instruction is received as input, and the vulnerability signature library is updated according to that instruction.
That is, according to incidents and day-to-day detection, the network security manager of the hosting center can at any time enter a vulnerability information update instruction on the gateway device running this method to add new data fingerprints and the corresponding vulnerability information to the vulnerability signature library.
In this embodiment, the vulnerability information comprises a vulnerability type and a remediation suggestion. The step of presenting the vulnerability information comprises: generating a report from the vulnerability type and remediation suggestion in the vulnerability information, displaying it, and recording a log.
That is, the vulnerability information includes not only the type of vulnerability present on the web application server but also the corresponding suggestion for removing it. Because this method runs on a gateway device, it needs no human operation and can perform vulnerability analysis automatically and continuously, 24 hours a day, on the inbound and outbound packets, storing the analysis results in a log. The network security manager of the hosting center can access the gateway device's report display page to inspect the analysis results the gateway device has accumulated, and then fix the web application's vulnerabilities according to the remediation suggestions shown in the report.
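The passive pipeline of steps S102 to S106, as an added example that is not the patent's own code: it base64-decodes a payload that needs it, pulls the protocol identifier, application identifier, version and feature keywords out of the HTTP header and body, and matches them against a signature library with string and regular-expression comparison, producing report lines that are also logged. The library entries, keyword list and packets are constructed placeholders; `KNOWN_APPS` and reading extra keywords from the `Accept` attribute are assumptions about how an implementation would work.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed "vulnerability feature library": each entry lists the fingerprint
# fields it requires (version is a regex) plus the vulnerability information
# (type and remediation suggestion). Placeholders, not real advisories.
VULN_LIBRARY = [
    {"application": "apache", "version": r"^2\.2\.",
     "vuln_type": "Outdated web server (placeholder)", "advice": "Upgrade Apache to a supported release."},
    {"keyword": "phpmyadmin",
     "vuln_type": "Exposed admin console (placeholder)", "advice": "Restrict phpMyAdmin to trusted networks."},
    {"application": "chrome", "version": r"^1\.",
     "vuln_type": "Obsolete browser (placeholder)", "advice": "Ask the user to update the browser."},
]
FEATURE_KEYWORDS = ("phpmyadmin", "wp-login", "struts")  # preset feature keyword list (constructed)
KNOWN_APPS = ("apache", "nginx", "chrome", "firefox")     # recognised application identifiers (assumed)
LOG: list = []                                             # detection log


@dataclass
class Fingerprint:
    protocol: str = ""
    application: str = ""
    version: str = ""
    keywords: set = field(default_factory=set)


_B64 = re.compile(rb"^[A-Za-z0-9+/=\s]+$")
_PRODUCT = re.compile(r"(?P<app>[A-Za-z][\w-]*)/(?P<ver>\d+(?:\.\d+)*)")


def decode_payload(raw: bytes) -> str:
    """Pre-processing: base64-decode a payload that is not already plain HTTP.
    SSL decryption would also belong here; it needs the server key and is omitted."""
    if not raw.lstrip().startswith((b"HTTP/", b"GET ", b"POST ", b"HEAD ")) and _B64.match(raw):
        try:
            raw = base64.b64decode(b"".join(raw.split()), validate=True)
        except ValueError:
            pass  # not valid base64 after all; keep the raw bytes
    return raw.decode("utf-8", errors="replace")


def extract_fingerprint(payload: str) -> Fingerprint:
    """Step S104: protocol identifier, application identifier, version and keywords."""
    fp = Fingerprint()
    lines = payload.partition("\r\n\r\n")[0].split("\r\n")
    if lines and "HTTP/" in lines[0]:          # request line or status line
        fp.protocol = "HTTP"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A response's Server header names the web server; a request's User-Agent
    # names the client browser/OS. Both carry "product/version" tokens.
    for m in _PRODUCT.finditer(headers.get("server") or headers.get("user-agent", "")):
        if m["app"].lower() in KNOWN_APPS:
            fp.application, fp.version = m["app"].lower(), m["ver"]
            break
    lowered = payload.lower()
    fp.keywords.update(k for k in FEATURE_KEYWORDS if k in lowered)
    # Feature location information: the Accept attribute of the HTTP header.
    fp.keywords.update(t.strip().lower() for t in headers.get("accept", "").split(",") if t.strip())
    return fp


def match_vulnerabilities(fp: Fingerprint, library=VULN_LIBRARY) -> list:
    """Step S106: a signature matches when every field it specifies matches the fingerprint."""
    hits = []
    for sig in library:
        if "application" in sig and sig["application"] != fp.application:
            continue
        if "version" in sig and not re.search(sig["version"], fp.version):
            continue
        if "keyword" in sig and sig["keyword"] not in fp.keywords:
            continue
        hits.append({"vuln_type": sig["vuln_type"], "advice": sig["advice"]})
    return hits


def detect(raw: bytes, library=VULN_LIBRARY) -> list:
    """Whole pipeline: returns report lines ("type -> suggestion") and appends them to LOG."""
    fp = extract_fingerprint(decode_payload(raw))
    lines = [f"{h['vuln_type']} -> {h['advice']}" for h in match_vulnerabilities(fp, library)]
    LOG.extend(lines)
    return lines


# Constructed application layer payloads (TCP/IP headers already stripped);
# the request is base64-encoded to exercise the decoding step.
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (Unix)\r\n"
            b"Content-Type: text/html\r\n\r\n<title>phpMyAdmin</title>")
REQUEST = base64.b64encode(b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
                           b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/1.0.1\r\n"
                           b"Accept: text/html\r\n\r\n")
```

Calling `detect(RESPONSE)` and `detect(REQUEST)` shows both directions: the server banner and page keyword in the response and the client browser version in the decoded request each yield their report lines, while a server the library has no entry for yields none.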
In one embodiment, as shown in Fig. 2, a web application vulnerability detection device comprises a data reception module 102, a fingerprint extraction module 104, and a vulnerability query module 106, wherein:
the data reception module 102 is for receiving a data packet and extracting the application layer payload of the data packet;
the fingerprint extraction module 104 is for extracting the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword;
the vulnerability query module 106 is for obtaining a preset vulnerability signature library and searching it for vulnerability information matching the data fingerprint.
In this embodiment, the data reception module 102 is further configured to perform at least one of a validity check, IP fragment reassembly, and stripping of the transport layer/network layer protocol headers on the data packet.
In this embodiment, as shown in Fig. 3, the web application vulnerability detection device further comprises a pre-processing module 108 for performing SSL decryption or base64 decoding on the application layer payload.
In this embodiment, the vulnerability information comprises a vulnerability type and a remediation suggestion.
As shown in Fig. 3, the web application vulnerability detection device further comprises a report display module 110 for generating a report from the vulnerability type and remediation suggestion in the vulnerability information, displaying it, and recording a log.
In this embodiment, as shown in Fig. 3, the web application vulnerability detection device further comprises a vulnerability database update module 112 for receiving an input vulnerability information update instruction and updating the vulnerability signature library according to the vulnerability information update instruction.
In the above web application vulnerability detection method and device, detecting web application vulnerabilities does not require sending probe packets to the web application server and then analyzing the returned responses; instead, the business data packets exchanged between external users and the web application server during normal use are analyzed directly. The web application server therefore incurs no extra burden of answering probe packets, which reduces the load on the web application.
In addition, compared with the prior art, the above detection approach is passive: detection takes place as long as data packets flow through the gateway device, so an administrator does not need to supervise the detection process.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), etc.
The above embodiments express only several implementations of the present invention and are described fairly concretely and in detail, but they should not therefore be construed as limiting the scope of the patent claims. It should be noted that a person of ordinary skill in the art can make various modifications and improvements without departing from the concept of the invention, and these all fall within the protection scope of the invention. Therefore, the protection scope of this patent shall be determined by the appended claims.

Claims (10)

1. A web application vulnerability detection method, comprising:
receiving a data packet and extracting the application layer payload of the data packet;
extracting the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword;
obtaining a preset vulnerability signature library and searching the vulnerability signature library for vulnerability information matching the data fingerprint.
2. The web application vulnerability detection method according to claim 1, characterized in that, before the step of extracting the application layer payload of the data packet, the method further comprises:
performing at least one of a validity check, IP fragment reassembly, and stripping of the transport layer/network layer protocol headers on the data packet.
3. The web application vulnerability detection method according to claim 1, characterized in that, before the step of extracting the data fingerprint contained in the application layer payload, the method further comprises:
performing SSL decryption or base64 decoding on the application layer payload.
4. The web application vulnerability detection method according to claim 1, characterized in that the vulnerability information comprises a vulnerability type and a remediation suggestion;
the method further comprising:
generating a report from the vulnerability type and remediation suggestion in the vulnerability information, displaying it, and recording a log.
5. The web application vulnerability detection method according to claim 1, characterized in that the method further comprises:
receiving an input vulnerability information update instruction and updating the vulnerability signature library according to the vulnerability information update instruction.
6. A web application vulnerability detection device, characterized in that it comprises:
a data reception module for receiving a data packet and extracting the application layer payload of the data packet;
a fingerprint extraction module for extracting the data fingerprint contained in the application layer payload, the data fingerprint comprising at least one of a protocol identifier, an application identifier, an application version, or a feature keyword;
a vulnerability query module for obtaining a preset vulnerability signature library and searching the vulnerability signature library for vulnerability information matching the data fingerprint.
7. The web application vulnerability detection device according to claim 6, characterized in that the data reception module is further configured to perform at least one of a validity check, IP fragment reassembly, and stripping of the transport layer/network layer protocol headers on the data packet.
8. The web application vulnerability detection device according to claim 6, characterized in that the device further comprises a pre-processing module for performing SSL decryption or base64 decoding on the application layer payload.
9. The web application vulnerability detection device according to claim 6, characterized in that the vulnerability information comprises a vulnerability type and a remediation suggestion;
the device further comprising a report display module for generating a report from the vulnerability type and remediation suggestion in the vulnerability information, displaying it, and recording a log.
10. The web application vulnerability detection device according to claim 6, characterized in that the device further comprises a vulnerability database update module for receiving an input vulnerability information update instruction and updating the vulnerability signature library according to the vulnerability information update instruction.
Priority Applications (1)

Application number: CN201410008853.XA (published as CN103731429A); priority date 2014-01-08; filing date 2014-01-08; title: Method and device for web application vulnerability detection; status: Pending.

Publications (1)

CN103731429A, published 2014-04-16.

Family ID: 50455356

Country Status (1)

CN: CN103731429A

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107145783A (en) * 2016-03-01 2017-09-08 重庆达特科技有限公司 One-touch intelligent vulnerability scanning alignment system
CN105938533A (en) * 2016-03-03 2016-09-14 杭州迪普科技有限公司 Scanning method and scanning device for system loopholes
CN105938533B (en) * 2016-03-03 2019-01-22 杭州迪普科技股份有限公司 A kind of scan method and scanning means of system vulnerability
CN106446690A (en) * 2016-09-05 2017-02-22 北京蓝海讯通科技股份有限公司 Application vulnerability restoration apparatus, method and system
CN106446690B (en) * 2016-09-05 2019-08-02 北京蓝海讯通科技股份有限公司 A kind of pair of device, method and the system repaired using loophole
CN107395637A (en) * 2017-08-29 2017-11-24 厦门安胜网络科技有限公司 Http tunnels active detecting method, terminal device and storage medium
CN108520180A (en) * 2018-03-01 2018-09-11 中国科学院信息工程研究所 A kind of firmware Web leak detection methods and system based on various dimensions
CN108520180B (en) * 2018-03-01 2020-04-24 中国科学院信息工程研究所 Multi-dimension-based firmware Web vulnerability detection method and system
CN110933094A (en) * 2019-12-04 2020-03-27 深信服科技股份有限公司 Network security equipment and smb vulnerability detection method, device and medium thereof
CN112468520A (en) * 2021-01-28 2021-03-09 腾讯科技(深圳)有限公司 Data detection method, device and equipment and readable storage medium
CN117376037A (en) * 2023-12-08 2024-01-09 山东星维九州安全技术有限公司 Method, device and storage medium for classifying and scanning network assets
CN117376037B (en) * 2023-12-08 2024-02-23 山东星维九州安全技术有限公司 Method, device and storage medium for classifying and scanning network assets


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140416