CN103942497A - Forensics type website vulnerability scanning method and system - Google Patents


Info

Publication number: CN103942497A
Authority: CN (China)
Application number: CN201410185544.XA
Other versions: CN103942497B (granted publication)
Other languages: Chinese (zh)
Legal status: Granted; Active
Inventors: 林章峰, 范渊, 杨永清
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Priority application: CN201410185544.XA

Classifications

    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system
Abstract

The invention relates to the field of network application security, and aims to provide a forensics type website vulnerability scanning method and system. The method comprises the steps of page crawling, vulnerability scanning, automatic forensics, information collection and manual forensics. The system comprises a page crawling module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module. With the forensics type website vulnerability scanning method and system, vulnerabilities can be filtered automatically, so that a user obtains a more reliable report as soon as automatic scanning is over; for an individual vulnerability that remains in doubt, the "manual forensics" step of the method can be used to re-confirm the vulnerability directly and quickly.

Description

Forensic-type website vulnerability scanning method and system
Technical field
The invention belongs to the field of network application security, and in particular relates to a forensic-type website vulnerability scanning method and system.
Background art
With the development of the Internet, network applications of all kinds have emerged in an endless stream and have greatly satisfied users' many needs. However, in the process of web application development, developers often focus more on implementing functionality and leave various security problems behind, generally because of schedule pressure, limits on programmers' skill, imperfect design or carelessness. Common website security problems include: vulnerabilities caused by code that insufficiently filters input data, vulnerabilities caused by server configuration, sensitive information leakage, and so on. It is generally very difficult to eliminate these vulnerabilities completely during application development. Using a website vulnerability scanner to perform a security assessment of the website is therefore a good choice.
A website vulnerability scanning system generally crawls all pages of a website and then analyses the crawled pages one by one to find as many security problems as possible. However, several factors make such a scanning approach very prone to false positives: it reports vulnerabilities that do not actually exist, wasting the time and effort of website developers and maintainers. These factors include: 1) the dynamic nature of many web pages, which causes the scanning system to misjudge; 2) imperfections in the decision logic of the scanning system itself; 3) the great complexity of current application environments, which the decision logic of the scanning system often cannot cover in every situation that may occur.
Among existing known technologies, the one closest to this method is called "a Web vulnerability scanning method based on penetration technology", whose key step is "comprising two stages, scanning and analysis". That technology mainly implements a method of finding website vulnerabilities. But, as described above, such a method easily produces false positives and provides no good way to filter them out. Staff can use it to scan for vulnerabilities, but some of those found may really exist while others are false positives. They can only choose to tolerate the false positives, or to analyse the vulnerabilities again manually, one by one.
Summary of the invention
The object of the invention is to make up for the deficiencies of existing website vulnerability scanning methods by providing a vulnerability scanning method and scanning system that adopt automatic and manual forensics, improve the accuracy of the website vulnerability scanning system, and deliver more accurate and credible website vulnerability scanning results.
A forensic-type website vulnerability scanning method is provided for performing vulnerability detection on a scanned website, comprising the following steps:
a) Page crawling: starting from the initial page of the scanned website, parse it to obtain the page links of the scanned website, then store the page links in the system database module, ensuring that the same page link is not stored twice; then extract from the system database module the saved page links that have not yet been processed by the page crawling step, access those pages, extract new page links and store them in the system database module, until all pages of the scanned website have been crawled;
b) Vulnerability scanning: among the pages crawled in step a, judge whether there is still a page on which vulnerability detection has not yet been performed; if there is none, go to step e; otherwise select a page that has not yet undergone vulnerability detection and perform vulnerability detection on it, analysing the page according to the detection logic corresponding to each different vulnerability (there are very many kinds of vulnerability, each with its own detection method, and some of the relevant techniques are already known in the industry); if a vulnerability is found, go to step c, otherwise repeat step b;
c) Automatic forensics: for the vulnerability found in step b, perform automatic forensics according to the forensics logic of the particular vulnerability, automatically filter out false positives, and obtain a forensics result that can prove the vulnerability exists;
d) Information collection: for the vulnerability found in step b, according to the manual forensics methods that can be used for the particular vulnerability, automatically collect and save the forensics information those manual methods need; when finished, go to step b to perform vulnerability detection on other pages;
e) Manual forensics: using the forensics information collected in step d, perform manual forensics according to the manual forensics methods available for each vulnerability, and obtain a manual forensics result that confirms whether the vulnerability is genuine.
In the present invention, depending on the type of website vulnerability, the forensics results in step c and step e comprise the following data: page length, HTTP response code, page request response time, the messages sent and received during the page request, HTTP headers, session and Cookie, page content, differences between multiple page requests (such as differences in response code, page length and content), and the actual display effect of the page in a browser together with a screenshot of it (some vulnerabilities can be verified with a browser; different vulnerabilities behave differently when entered in a browser; for example, "cross-site scripting" may change the title of the interface or pop up a dialog box, and the display effect of "directory browsing" is that all subdirectories and files under a directory are shown in the browser; there are many other cases, which are not enumerated here).
In the present invention, the forensics information in step d comprises the following data: the automatically constructed URL for further forensics, HTTP headers, session and Cookie, form submission data, the HTTP request packet and the HTTP response packet.
In the present invention, the automatic forensics in step c comprises the following methods:
1) directly use the response content length, response code, response time, messages and page content of the page where the vulnerability is located as the forensics result, and judge from these whether the vulnerability exists;
2) modify the original page request to automatically construct at least one new HTTP request, compare the data of these different requests (including response content length, response code, response time, messages and page content), use the differences obtained by the comparison as the forensics result, and judge from them whether the vulnerability exists;
3) match text that fits a known feature in the content returned by the page where the vulnerability is located, use the matched content as the forensics result, and judge from it whether the vulnerability exists;
4) automatically simulate a form submission to obtain the request result, and judge from it whether the vulnerability exists;
5) use a browser kernel or browser to parse and lay out the page content and execute the scripts it contains, use the output of the parsing and layout as the forensics result, and judge from it whether the vulnerability exists.
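Method 2 above is the one most affected by the dynamic pages named in the background section: a page that prints the time or rotates a banner differs from itself on every request, so a naive comparison reports a difference for any constructed request. The following Python, added here as an illustration and not code from the patent, makes the comparison in method 2 robust to that by requesting the page three times: the original request (baseline), an identical repeat, and the automatically constructed variant. The baseline-versus-repeat difference measures the page's own noise; the variant is accepted as evidence only if it differs clearly more than that. The `Response` layout, the `min_gap` threshold and all response bodies are assumptions constructed for the example.

```python
"""Added example (not from the patent): automatic-forensics method 2,
run offline over constructed responses."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class Response:
    """The evidence fields the text lists: code, content, time, headers."""
    status: int
    body: str
    elapsed_ms: float
    headers: dict = field(default_factory=dict)

    @property
    def length(self) -> int:
        return len(self.body)


def compare_responses(baseline: Response, other: Response) -> dict:
    """Differences between two requests: response code, length, time, content."""
    similarity = SequenceMatcher(None, baseline.body, other.body).ratio()
    return {
        "status_diff": other.status - baseline.status,
        "length_diff": other.length - baseline.length,
        "time_diff_ms": round(other.elapsed_ms - baseline.elapsed_ms, 1),
        "content_similarity": round(similarity, 3),
    }


def differential_evidence(baseline: Response, repeat: Response, variant: Response,
                          min_gap: float = 0.2) -> tuple:
    """Return (finding kept, forensics result).

    noise  = baseline vs an identical repeat request (timestamps, banners...)
    signal = baseline vs the automatically constructed variant request
    The finding survives automatic filtering if the variant changed the
    response code while the repeat did not, or if the variant's content
    diverged at least `min_gap` (assumed threshold) more than the repeat's."""
    noise = compare_responses(baseline, repeat)
    signal = compare_responses(baseline, variant)
    status_changed = signal["status_diff"] != 0 and noise["status_diff"] == 0
    content_changed = (noise["content_similarity"] - signal["content_similarity"]) >= min_gap
    kept = status_changed or content_changed
    evidence = {"noise": noise, "signal": signal,
                "verdict": "keep" if kept else "false_positive"}
    return kept, evidence


# Constructed responses. The page prints the server time, so even two
# identical requests never return byte-identical bodies.
BASELINE = Response(200, "<p>Welcome, guest. Server time 10:00:01. Banner: spring sale</p>", 42.0)
REPEAT = Response(200, "<p>Welcome, guest. Server time 10:00:02. Banner: spring sale</p>", 40.5)
# Variant 1: the constructed request produced a server error page.
ERROR_VARIANT = Response(500, "<h1>Internal Server Error</h1>", 38.0)
# Variant 2: the constructed request changed nothing but the dynamic parts.
DYNAMIC_VARIANT = Response(200, "<p>Welcome, guest. Server time 10:00:03. Banner: spring sale</p>", 41.0)


def demo() -> dict:
    """Run both variants and return the verdict and evidence for each."""
    return {
        "error_variant": differential_evidence(BASELINE, REPEAT, ERROR_VARIANT),
        "dynamic_variant": differential_evidence(BASELINE, REPEAT, DYNAMIC_VARIANT),
    }


if __name__ == "__main__":
    for name, (kept, evidence) in demo().items():
        print(name, evidence["verdict"], evidence["signal"])
```

The error variant is kept because its response code changed while the repeat's did not; the dynamic variant is discarded as a false positive because it differs from the baseline no more than the baseline differs from itself. The `evidence` dictionary is what would be stored as the forensics result for later manual review.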
In the present invention, the manual forensics of step e is optional and may be performed as needed (manual forensics, with a person involved, can be more accurate than automatic forensics). The manual forensics comprises the following methods:
1) open the automatically constructed URL for further forensics obtained in step d in a browser, check the actual execution and display result of the URL, judge whether the vulnerability exists in light of the vulnerability's characteristics, and optionally save a screenshot of the displayed result;
2) use an HTTP packet-sending simulator: fill the URL for further forensics, together with the HTTP headers, session and Cookie and form submission data obtained in step d, into the simulator, send the HTTP request, check the returned page content, and judge whether the vulnerability exists in light of the vulnerability's characteristics;
3) in a browser, fill the form submission data obtained in step d into the form on the page where the vulnerability is located, submit the form, check the page displayed after submission, and judge whether the vulnerability exists in light of the vulnerability's characteristics;
4) use a dedicated tool, meaning a vulnerability forensics or penetration testing tool: fill the URL for further forensics and the HTTP headers, session and Cookie and form submission data obtained in step d into the dedicated tool for further forensics or penetration, check the result, and judge whether the vulnerability exists in light of the vulnerability's characteristics;
5) display the HTTP request packet and HTTP response packet obtained in step d in the user interface, emphasise the important content by highlighting or bold type, and judge manually whether the vulnerability exists in light of the vulnerability's characteristics.
In the present invention, the website vulnerabilities and the forensics results can be displayed together in the user interface of the program or system, or output together into a report; the user judges from this information whether a vulnerability exists, and its nature and severity.
In the present invention, the forensic-type website vulnerability scanning method has a learning function: the user judges whether a vulnerability is a false positive and the system records the user's judgement; when the same vulnerability appears again in a later scan, it is filtered out as a false positive according to the recorded judgement, that is, it is automatically filtered out when step c is performed.
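The learning function depends on deciding when a finding in a later scan is "the same vulnerability" as one the user already judged, since session identifiers and other query values change between runs. The following Python is an added illustration of one way to do that, not code from the patent: a finding is reduced to a signature (vulnerability type, host, path, sorted parameter names and the affected parameter), the user's verdict is recorded under that signature and persisted as JSON in the project file, and later findings whose signature was marked as a false positive are dropped before forensics. The signature fields, the store layout and the sample findings are assumptions made for this example.

```python
"""Added example (not from the patent): the learning function that records
user verdicts and filters repeated false positives in later scans."""
import json
from urllib.parse import parse_qsl, urlsplit

FALSE_POSITIVE = "false_positive"
CONFIRMED = "confirmed"


def finding_signature(finding: dict) -> str:
    """Normalise a finding so the same vulnerability matches across scans.
    Query values change between runs (session ids, timestamps), so only the
    type, host, path, sorted parameter names and the affected parameter count."""
    parts = urlsplit(finding["url"])
    names = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return "|".join([
        finding["type"],
        parts.netloc.lower(),
        parts.path.rstrip("/") or "/",
        ",".join(names),
        finding.get("parameter", ""),
    ])


class VerdictStore:
    """Records user judgements; serialised as JSON into the project file."""

    def __init__(self, verdicts=None):
        self.verdicts = dict(verdicts or {})  # signature -> verdict

    def record(self, finding: dict, verdict: str) -> str:
        if verdict not in (FALSE_POSITIVE, CONFIRMED):
            raise ValueError(f"unknown verdict {verdict!r}")
        signature = finding_signature(finding)
        self.verdicts[signature] = verdict
        return signature

    def filter_findings(self, findings: list) -> tuple:
        """Step c filtering: findings previously judged false positives are
        dropped; unknown and confirmed ones are kept for forensics."""
        kept, dropped = [], []
        for finding in findings:
            verdict = self.verdicts.get(finding_signature(finding))
            (dropped if verdict == FALSE_POSITIVE else kept).append(finding)
        return kept, dropped

    def dumps(self) -> str:
        return json.dumps(self.verdicts, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "VerdictStore":
        return cls(json.loads(text))


# Constructed findings from two scans of the same (hypothetical) site.
FIRST_SCAN = [
    {"type": "directory_listing", "url": "http://target.example/static/?sid=abc123"},
    {"type": "cross_site_scripting", "url": "http://target.example/search?q=test&sid=abc123",
     "parameter": "q"},
]
SECOND_SCAN = [
    {"type": "directory_listing", "url": "http://target.example/static/?sid=zzz999"},
    {"type": "cross_site_scripting", "url": "http://target.example/search?q=hello&sid=zzz999",
     "parameter": "q"},
    {"type": "directory_listing", "url": "http://target.example/uploads/"},
]


def demo() -> tuple:
    """Record verdicts on the first scan, persist them, filter the second scan."""
    store = VerdictStore()
    store.record(FIRST_SCAN[0], FALSE_POSITIVE)  # user: the /static/ listing is intended
    store.record(FIRST_SCAN[1], CONFIRMED)
    store = VerdictStore.loads(store.dumps())      # round trip through the project file
    return store.filter_findings(SECOND_SCAN)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:", [f["url"] for f in kept])
    print("dropped:", [f["url"] for f in dropped])
```

Only the verdict "false positive" causes filtering; a confirmed verdict is recorded but the finding is still re-verified, since the site may have been fixed in the meantime. A new path such as `/uploads/` has no recorded verdict and is kept.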
A forensic-type website vulnerability scanning system based on the described scanning method is provided, comprising a page crawling module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module;
The page crawling module parses the initial page of the scanned website, or the page links saved in the system database module, to obtain new page links, then stores the obtained page links in the system database module, ensuring that the same page link is not stored twice (the system database module used by the page crawling module can also be replaced with a project file);
The vulnerability scanning module judges whether a page has undergone vulnerability detection, and performs detection on pages that have not;
The automatic forensics module performs automatic forensics on the vulnerabilities found by the vulnerability scanning module, automatically filters out false positives, and obtains forensics results that can prove the vulnerability exists;
The information collection module, for the vulnerabilities found by the vulnerability scanning module, automatically collects and saves the forensics information used for manual forensics;
The manual forensics module uses the forensics information collected by the information collection module to perform manual forensics and obtain manual forensics results confirming whether the vulnerability is genuine;
The task issuing and management module provides the user with the operational means to start the website scanning process and reach the ultimate goal of finding vulnerabilities and collecting evidence, by supporting the user in issuing scan tasks on the user interface and managing them, including pausing, stopping, deleting and configuring;
The scan result display and management module presents the scan data on the interface during and after scanning, and supports the user in viewing scan data and manual forensics results and in outputting reports; the scan data comprise the vulnerabilities found, the page links of the corresponding website, and the manual forensics information;
The report module outputs the vulnerability detection results to a separate file, which serves as a medium of exchange between staff, as a record, or as a basis for improving the website system, and which can be imported into third-party systems for further processing;
The system database module stores the system's configuration information, the website's vulnerabilities and page links; the system configuration information includes account and log information;
The project file management module manages project files, including creating them, deleting them and writing data; a project file is a file that can store page links and vulnerability data, and each task issued by the task issuing and management module has a corresponding project file.
The principle of the invention is: after a vulnerability is scanned out, use the characteristics of the vulnerability itself and the data returned by the page to verify the vulnerability again, once or repeatedly, and eliminate false positives.
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention provides a website vulnerability scanning method with higher accuracy, allowing staff to easily produce a more credible website vulnerability report without having to judge the genuineness of vulnerabilities by other means, which can greatly increase work efficiency.
The forensic-type scanning method can filter vulnerabilities automatically. With this method, the user obtains a more credible report as soon as the automatic scan finishes. For any individual vulnerability that remains in doubt, the "manual forensics" step described in this method can be used to reconfirm the vulnerability directly and quickly.
Description of the drawings
Fig. 1 is a diagram of the main module structure of the forensic-type website vulnerability scanning system of the present invention.
Fig. 2 is the flow of the forensic-type website vulnerability scanning method of the present invention.
Embodiments
It should first be noted that the present invention relates to Web and database technology and is an application of computer technology in the field of information security technology. Implementing the invention may involve the use of multiple software function modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and purpose of the invention, and in combination with existing known technology, those skilled in the art can fully implement the invention using the software programming skills they possess. The aforementioned software function modules include but are not limited to: the page crawling module, vulnerability scanning module, automatic forensics module, information collection module, manual forensics module, task issuing and management module, scan result display and management module, report module, system database module, project file management module, etc.; all of these belong to the category mentioned in the present application documents, and the applicant will not enumerate them one by one.
The object of the invention is to provide a website vulnerability scanning method with higher accuracy, filtering out false-positive vulnerabilities by means of forensics. Forensics mainly comprises two steps, automatic forensics and manual forensics, of which automatic forensics is completed automatically during the scanning process.
The forensic-type website vulnerability scanning method specifically comprises the following steps:
a) Page crawling: starting from the initial page of the scanned website, parse it to obtain the page links of the scanned website, then store the page links in the system database module, ensuring that the same page link is not stored twice; then extract from the system database module the saved page links that have not yet been processed by the page crawling step, access those pages, extract new page links and store them in the system database module, until all pages of the scanned website have been crawled. Web crawlers, regular expressions, simulated parsing and other approaches may be used, alone or in combination; existing open source web crawlers can also be used, such as Larbin and Nutch, which are relatively popular open source web crawler projects.
b) Vulnerability scanning: among the pages crawled in step a, judge whether there is still a page on which vulnerability detection has not yet been performed; if there is none, go to step e; otherwise select a page that has not yet undergone vulnerability detection and perform vulnerability detection on it, analysing the page according to the detection logic corresponding to each different vulnerability (there are very many kinds of vulnerability, each with its own detection method, and some of the relevant techniques are already known in the industry); if a vulnerability is found, go to step c, otherwise repeat step b. Because of the diversity of vulnerabilities, the present invention uses a policy library to implement the vulnerability detection logic: the policy library provides a unified vulnerability detection framework, and each vulnerability is written as a separate policy in the library. When the user issues a task, the user can select which policies in the policy library to execute. During scanning, every user-selected policy is executed once on each page. In the present invention, this step should find as many vulnerabilities as possible and minimise false negatives. In website vulnerability methods, false positives and false negatives often conflict and a balance must be struck in the scanning policy, but in this step the first priority is to reduce the false negative rate.
c) Automatic forensics: for the vulnerability found in step b, perform automatic forensics according to the forensics logic of the particular vulnerability, automatically filter out false positives, and obtain a forensics result that can prove the vulnerability exists. Automatic forensics is completed automatically during scanning: after each policy in the policy library finishes executing, if a possible vulnerability has been found, the automatic filtering and forensics process starts; if the result is judged a false positive it is discarded automatically, otherwise it is stored in the database. The basis and possible results of automatic forensics include but are not limited to the following information: page length, HTTP response code, page request response time, the messages sent and received during the page request, HTTP headers, session and Cookie, page content, etc., and may also include differences between multiple page requests, such as differences in response code, page length and content. Besides data-level content, the forensics result can also include the actual display effect of the page in a browser and a screenshot of it; some vulnerabilities can be verified with a browser, and different vulnerabilities behave differently when entered in a browser; for example, "cross-site scripting" may change the title of the interface or pop up a dialog box, and the display effect of "directory browsing" is that all subdirectories and files under a directory are shown in the browser; there are many other cases, which are not enumerated here. Automatic forensics includes but is not limited to the following methods: 1) directly use the response content length, response code, response time, messages and page content of the page where the vulnerability is located as the forensics result, and judge from these whether the vulnerability exists; 2) modify the original page request to automatically construct one or more new HTTP requests, compare the response content length, response code, response time, messages, page content and other data of these different requests, use the differences obtained by the comparison as the forensics result, and judge from them whether the vulnerability exists; 3) match text that fits a known feature in the content returned by the page where the vulnerability is located, use the matched content as the forensics result, and judge from it whether the vulnerability exists; 4) automatically simulate a form submission to obtain the request result, and judge from it whether the vulnerability exists; 5) use a browser kernel or browser to parse and lay out the page content and execute the scripts it contains, use the output of the parsing and layout as the forensics result, and judge from it whether the vulnerability exists.
d) Information collection: for the vulnerability found in step b, save the forensics information needed by the manual forensics methods that can be used for that vulnerability; when finished, go to step b to perform vulnerability detection on other pages. The relevant data may come from the page itself, from the HTTP packets sent and received, and from the results of the program's automatic analysis. For the possible vulnerabilities that have been found, even after automatic filtering the accuracy cannot be fully guaranteed because of the complexity of detection techniques, so there may be cases that need human assistance to judge. After a vulnerability detection policy completes, the relevant information is collected automatically, and this information serves as the source and basis of manual forensics. When needed, the user can judge the genuineness of a vulnerability from this information and store or output the judgement. The information that may be collected includes but is not limited to: the automatically constructed URL for further forensics, HTTP headers, session and Cookie, form submission data, the HTTP request packet, the HTTP response packet, etc.
e) Manual forensics: using the forensics information collected in step d, perform manual forensics according to the manual forensics methods that can be used for that vulnerability, and obtain a manual forensics result that confirms whether the vulnerability is genuine. Manual forensics is mainly manual operation, with visual inspection as the main means, so in addition to the information obtained in step d the system of the present invention should also include some tools that facilitate the user's manual operation, such as: a browser, an HTTP packet-sending simulator, a vulnerability verification tool, a Web application penetration testing tool, a network packet capture and analysis tool, etc. The relevant information should also be presented in the user interface for the user to inspect. Different methods of manual forensics should be used for different types of vulnerability. Usable methods include but are not limited to: 1) open the automatically constructed URL for further forensics obtained in step d in a browser, check the actual execution and display result of the URL, and judge whether the vulnerability exists in light of the vulnerability's characteristics; a screenshot of the displayed result can be saved at the same time; 2) use an HTTP packet-sending simulator: fill the URL for further forensics, together with the HTTP headers, session and Cookie, form submission data and other information obtained in step d, into the simulator, send the HTTP request, check the returned page content, and judge whether the vulnerability exists in light of the vulnerability's characteristics; 3) in a browser, fill the form submission data obtained in step d into the form on the page where the vulnerability is located, submit the form, check the page displayed after submission, and judge whether the vulnerability exists in light of the vulnerability's characteristics; 4) use a dedicated vulnerability forensics or penetration testing tool: fill the URL for further forensics and the HTTP headers, session and Cookie, form submission data and other information obtained in step d into the dedicated tool for further forensics or penetration, check the result, and judge whether the vulnerability exists in light of the vulnerability's characteristics; 5) display the HTTP request packet and HTTP response packet obtained in step d in the user interface, emphasise the important content by highlighting, bold type or similar means, and judge manually whether the vulnerability exists in light of the vulnerability's characteristics.
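Steps a to d above form one automated pipeline, and the following Python shows a minimal offline run of it. It is an added illustration, not code from the patent or from the applicant's product. Step a crawls a constructed site while storing each link only once (fragments stripped, external hosts ignored); step b runs every selected policy of a two-entry policy library on each crawled page; step c re-requests the page and keeps a finding only if the same evidence recurs, which discards a finding produced by a transient page state; step d packages what a manual reviewer would need. Manual forensics (step e) is a human activity and is not modelled. The site contents, the two policies (a directory-listing title and a server version banner), the dynamic `/news/` page and the record layout are all assumptions constructed for the example.

```python
"""Added example (not from the patent): steps a to d on a constructed site."""
import re
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Constructed site: url -> (status, headers, body). Stands in for live HTTP.
SITE = {
    "http://target.example/": (200, {"Server": "Apache/2.4.1"},
        '<a href="/docs/">Docs</a> <a href="/docs/#top">Same page</a> '
        '<a href="/news/">News</a> <a href="http://other.example/">External</a>'),
    "http://target.example/docs/": (200, {"Server": "Apache/2.4.1"},
        '<html><head><title>Index of /docs</title></head>'
        '<body><a href="/">Home</a> <a href="/docs/a.txt">a.txt</a></body></html>'),
    "http://target.example/docs/a.txt": (200, {"Server": "Apache/2.4.1"}, "plain text"),
}
_news_requests = {"n": 0}


def fetch(url: str) -> tuple:
    """Offline stand-in for an HTTP GET. /news/ is constructed to be dynamic:
    its first response happens to look like a listing, later ones do not."""
    if url == "http://target.example/news/":
        _news_requests["n"] += 1
        title = "Index of /news" if _news_requests["n"] == 1 else "News"
        return 200, {}, f"<html><head><title>{title}</title></head><body></body></html>"
    return SITE.get(url, (404, {}, "Not Found"))


class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def crawl(start: str) -> dict:
    """Step a: breadth-first crawl limited to the scanned host; `seen` ensures
    a link is stored and visited once (fragment identifiers are dropped)."""
    host = urlsplit(start).netloc
    queue, seen, pages = [start], {start}, {}
    while queue:
        url = queue.pop(0)
        status, headers, body = fetch(url)
        pages[url] = (status, headers, body)
        parser = LinkParser()
        parser.feed(body)
        for href in parser.hrefs:
            link, _ = urldefrag(urljoin(url, href))
            if urlsplit(link).netloc == host and link not in seen:
                seen.add(link)
                queue.append(link)
    return pages


# Step b: policy library. A policy returns the matched evidence text or None.
def directory_listing_policy(status, headers, body):
    m = re.search(r"<title>Index of /[^<]*</title>", body)
    return m.group(0) if m else None


def server_version_policy(status, headers, body):
    m = re.match(r"(Apache|nginx)/\d[\d.]*", headers.get("Server", ""))
    return m.group(0) if m else None


POLICY_LIBRARY = {"directory_listing": directory_listing_policy,
                  "server_version_disclosure": server_version_policy}


def auto_forensics(url: str, policy, evidence: str) -> bool:
    """Step c: request the page again and require the same evidence, so a
    finding caused by a transient page state is filtered as a false positive."""
    return policy(*fetch(url)) == evidence


def collect_info(url: str, status: int, headers: dict, body: str, evidence: str) -> dict:
    """Step d: the request, response and evidence a manual reviewer needs."""
    parts = urlsplit(url)
    return {"url": url,
            "request": f"GET {parts.path or '/'} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n",
            "response_status": status, "response_headers": dict(headers),
            "response_excerpt": body[:200], "evidence": evidence}


def scan(start: str, selected_policies: list) -> tuple:
    """Steps a to d; returns the crawled pages and the surviving findings."""
    pages = crawl(start)
    findings = []
    for url, (status, headers, body) in pages.items():
        for name in selected_policies:
            policy = POLICY_LIBRARY[name]
            evidence = policy(status, headers, body)
            if evidence and auto_forensics(url, policy, evidence):
                findings.append({"type": name, **collect_info(url, status, headers, body, evidence)})
    return pages, findings


if __name__ == "__main__":
    pages, findings = scan("http://target.example/", list(POLICY_LIBRARY))
    print(len(pages), "pages;", [(f["type"], f["url"]) for f in findings])
```

Four pages are crawled (`/docs/#top` collapses onto `/docs/` and the external host is skipped). The `/docs/` listing survives step c because the evidence recurs on the second request; the `/news/` listing does not, because its second response no longer matches, which is exactly the dynamic-page false positive the background section describes.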
The manual forensics of step e is optional; if the user still lacks confidence in a vulnerability reported in the report, step e may be performed as needed.
In the forensic-type website vulnerability scanning method, the website vulnerabilities and the forensics results can be displayed together in the user interface of the program or system, or output together into a report; the user judges from this information whether a vulnerability exists, and its nature and severity. The forensic-type website vulnerability scanning method also has a learning function: the user judges whether a vulnerability is a false positive, the system records the user's judgement, and when the same vulnerability appears again in a later scan it is filtered out as a false positive according to the recorded judgement.
The forensic-type website vulnerability scanning system based on the described scanning method may include but is not limited to the following modules: a page crawling module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module, a project file management module, etc.
Each module is further described below:
1) The page crawling module parses the initial page of the scanned website, or the page links saved in the system database module, to obtain new page links, then stores the obtained page links in the system database module, ensuring that the same page link is not stored twice; the database referred to here can also be replaced with a project file.
2) The vulnerability scanning module judges whether a page has undergone vulnerability detection and performs detection on pages that have not; different vulnerabilities have different detection methods.
3) The automatic forensics module performs automatic forensics on the vulnerabilities found by the vulnerability scanning module, automatically filters out false positives, and obtains forensics results that can prove the vulnerability exists.
4) The information collection module, for the vulnerabilities found by the vulnerability scanning module, automatically collects and saves the forensics information used for manual forensics.
5) The manual forensics module uses the forensics information collected by the information collection module to perform manual forensics and obtain manual forensics results confirming whether the vulnerability is genuine. Operating this module is optional for the user and can be done as needed.
6) The task issuing and management module is where the user issues scan tasks on the user interface and manages them, for example pausing, stopping, deleting and configuring. Its purpose is to provide the user with the operational means to start the website scanning process and reach the ultimate goal of finding vulnerabilities and collecting evidence.
7) The scan result display and management module presents, during and after scanning, the vulnerabilities found, the page links of the corresponding website, the manual forensics information and similar content on the interface. The user can view the related data, perform manual forensics and output reports.
8) The report module outputs the vulnerability detection results to a separate file, for exchange between staff, as a record, or as a basis for improving the website system; the output file can also be imported into third-party systems for further processing.
9) The system database module stores the system's configuration information, such as account and log information, and can also store information such as the website's vulnerabilities and page links.
10) The project file management module: a project file is a file that can store data such as page links and vulnerabilities, and each task issued by the task issuing and management module can have a corresponding project file. The project file management module is the module that manages project files, for example creating them, deleting them and writing data.
In the system, the user's scanning workflow is as follows: the user first issues a task and waits for the scan to complete. During scanning or after the scan ends, the user can view the scan results and perform manual forensics. Finally, the scan results and forensics results are output to a report as needed.
By evidence obtaining type website vulnerability scanning method, in the vulnerability scanning system of evidence obtaining type website, realized, just can be completed the function of evidence obtaining type website vulnerability scanning.
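The module workflow above (page handling with deduplicated link storage, the detect / auto-forensics / info-collection loop, and filtering of a false positive at the forensics step) as an added example; this is illustrative code, not code from the patent or its assignee. The site is a constructed in-memory dictionary so it runs offline, the only detector is a feature-text match for directory listings (one of the automatic forensic methods the patent lists), and every name (`Store`, `fetch`, `SAMPLE_SITE`, the "Parent Directory" corroboration rule) is an assumption of this example.

```python
"""Crawl -> detect -> automatic forensics -> info collection, in memory.

Added example, not the patent's code. The site, the detector and the
corroboration rule used to drop a false positive are all constructed here.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin

# Constructed sample site: url -> (HTTP status, body). Links are found in the body.
SAMPLE_SITE = {
    "http://site.example/": (200, "<a href='/docs/'>docs</a> <a href='/about'>about</a> <a href='/news'>news</a>"),
    "http://site.example/about": (200, "<p>About us</p> <a href='/'>home</a>"),
    "http://site.example/docs/": (200, "<h1>Index of /docs/</h1><a href='../'>Parent Directory</a><a href='plan.pdf'>plan.pdf</a>"),
    "http://site.example/docs/plan.pdf": (200, "%PDF-1.4 (constructed placeholder body)"),
    # Looks like a listing heading but is an ordinary article page: a false positive candidate.
    "http://site.example/news": (200, "<h1>Index of /news</h1><p>Latest articles</p>"),
}
HREF_RE = re.compile(r"href='([^']+)'")
LISTING_RE = re.compile(r"Index of (/[^<]*)")


@dataclass
class Store:
    """In-memory stand-in for the system database module / project file."""
    links: list = field(default_factory=list)      # ordered, never stores a link twice
    crawled: set = field(default_factory=set)
    scanned: set = field(default_factory=set)
    findings: list = field(default_factory=list)   # findings that survived auto-forensics
    filtered: list = field(default_factory=list)   # findings dropped as false positives

    def add_link(self, url):
        if url not in self.links:
            self.links.append(url)


def fetch(url):
    """Stand-in for an HTTP request; answers only from the constructed site."""
    return SAMPLE_SITE.get(url, (404, "Not Found"))


def crawl(store, start_url, scope):
    """Page handling module: keep extracting links from stored pages until none are unprocessed."""
    store.add_link(start_url)
    while True:
        pending = [u for u in store.links if u not in store.crawled]
        if not pending:
            return
        url = pending[0]
        store.crawled.add(url)
        _, body = fetch(url)
        for href in HREF_RE.findall(body):
            new = urljoin(url, href)
            if new.startswith(scope):
                store.add_link(new)


def detect_directory_listing(url, status, body):
    """Vulnerability scanning module: detection logic for one vulnerability type (feature text)."""
    m = LISTING_RE.search(body)
    return {"type": "directory-listing", "url": url, "match": m.group(0)} if m else None


def auto_forensics(finding, status, body):
    """Automatic forensics module: direct response attributes plus the matched text as evidence.
    A real listing also carries a parent-directory link; without it the hit is dropped as a false positive."""
    if "Parent Directory" not in body:
        return None
    return {"status": status, "length": len(body), "matched": finding["match"]}


def collect_info(finding):
    """Information collection module: what a person needs to reproduce the check by hand."""
    return {"url": finding["url"], "method": "GET", "headers": {"User-Agent": "scanner-example"}}


def scan(store):
    """Vulnerability scanning loop over pages not yet detected."""
    while True:
        pending = [u for u in store.links if u not in store.scanned]
        if not pending:
            return store.findings
        url = pending[0]
        store.scanned.add(url)
        status, body = fetch(url)
        finding = detect_directory_listing(url, status, body)
        if finding is None:
            continue
        evidence = auto_forensics(finding, status, body)
        if evidence is None:
            store.filtered.append(finding)
            continue
        finding["evidence"] = evidence
        finding["manual_info"] = collect_info(finding)
        store.findings.append(finding)


def run(start_url="http://site.example/"):
    store = Store()
    crawl(store, start_url, start_url)
    return store, scan(store)
```

Running `run()` crawls the five constructed pages once each, reports the `/docs/` listing with its evidence and manual-forensics information, and records the `/news` page in `store.filtered` because the corroborating feature was absent.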
Finally, it should be noted that the above are only specific embodiments of the invention. Obviously, the invention is not limited to the above embodiments and many variations are possible. All variations that a person of ordinary skill in the art can directly derive or associate from the content disclosed by the invention should be considered within the protection scope of the invention.

Claims (8)

1. A forensics-type website vulnerability scanning method for performing vulnerability detection on a scanned website, characterized in that it comprises the following steps:
a) Page crawling: starting from the initial page of the scanned website, parse pages to obtain the page links of the scanned website, store the page links in the system database module while ensuring that the same page link is not stored twice, then extract from the system database module the stored page links that have not yet been processed by the page crawling step, access those pages, extract new page links and store them in the system database module, until all pages of the scanned website have been crawled;
b) Vulnerability scanning: among the pages crawled in step a, determine whether any page has not yet been through vulnerability detection; if there is no such page, go to step e; otherwise select a page that has not yet been through vulnerability detection and detect it, analysing the page according to the detection logic corresponding to each different vulnerability; if a vulnerability is found, go to step c, otherwise repeat step b;
c) Automatic forensics: for the vulnerability found in step b, perform automatic evidence collection according to the forensic logic of the respective vulnerability, automatically filter out false positives, and obtain a forensic result that proves the vulnerability exists;
d) Information collection: according to the vulnerability found in step b and the manual forensic methods that can be applied to different vulnerabilities, automatically collect and store the forensic information needed by those manual forensic methods; once this is done, go to step b to perform vulnerability detection on other pages;
e) Manual forensics: using the forensic information collected in step d, perform manual evidence collection with the manual forensic method applicable to each vulnerability, and obtain a manual forensic result that confirms the authenticity of the vulnerability.
2. The forensics-type website vulnerability scanning method according to claim 1, characterized in that, depending on the type of website vulnerability, the forensic results in step c and step e comprise the following data: page length, HTTP response code, page request response time, the messages sent and received during the page request, HTTP headers, session and Cookie, page content, the differences between multiple page requests (such as differences in response code, page length, content and so on), and the actual display effect of the page in a browser together with its screenshot (some vulnerabilities can be evidenced with a browser, and different vulnerabilities display differently in it: for example "cross-site scripting" may modify the page title or pop up a dialog box, while the display effect of "directory browsing" is all the subdirectories and files under a directory shown in the browser; there are many other cases that are not enumerated here).
3. The forensics-type website vulnerability scanning method according to claim 1, characterized in that the forensic information in step d comprises the following data: the automatically constructed URL for further forensics, HTTP headers, session and Cookie, form submission data, HTTP request packet and HTTP response packet.
4. The forensics-type website vulnerability scanning method according to claim 1, characterized in that the automatic forensics in step c comprises the following methods:
1) directly use the response content length, response code, response time, messages and page content of the page where the vulnerability is located as the forensic result, and judge from these whether the vulnerability exists;
2) modify the original page request to automatically construct at least one new HTTP request, compare the data of these different requests (including response content length, response code, response time, messages and page content), use the differences obtained from the comparison as the forensic result, and judge from them whether the vulnerability exists;
3) match text with characteristic features in the returned content of the page where the vulnerability is located, use the matched content as the forensic result, and judge from it whether the vulnerability exists;
4) automatically simulate form submission and obtain the request result, and judge from it whether the vulnerability exists;
5) use a browser engine or a browser to parse and lay out the page content and execute the scripts in it, use the output of parsing and layout as the forensic result, and judge from it whether the vulnerability exists.
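Methods 1 and 2 of claim 4 (recording the direct response attributes, then comparing the baseline response with the responses to constructed variant requests and keeping the differences as the forensic result, which is also the "differences between multiple page requests" data of claim 2) as an added example; it is illustrative code, not the patent's. Responses are constructed tuples rather than live traffic, the variants are labelled abstractly with no request content shown, and the judgement thresholds (`min_length_delta`, `max_similarity`) are this example's assumption rather than anything the patent specifies.

```python
"""Direct and differential forensic evidence for one suspected vulnerability.

Added example, not the patent's code. Responses are constructed; the
thresholds in judge() are assumptions used only to show the decision.
"""
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """The parts of an HTTP exchange the patent keeps as evidence (constructed here)."""
    status: int
    elapsed_ms: int
    body: str

    @property
    def length(self):
        return len(self.body)


def direct_evidence(resp):
    """Method 1: the response's own attributes as evidence."""
    return {"status": resp.status, "length": resp.length,
            "elapsed_ms": resp.elapsed_ms, "body_excerpt": resp.body[:80]}


def response_diff(base, variant):
    """Method 2: the differences between the baseline and one constructed variant."""
    ratio = difflib.SequenceMatcher(None, base.body, variant.body).ratio()
    diff_lines = difflib.unified_diff(base.body.splitlines(), variant.body.splitlines(),
                                      lineterm="", n=0)
    changed = [l for l in diff_lines
               if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    return {
        "status_delta": variant.status - base.status,
        "length_delta": variant.length - base.length,
        "elapsed_delta_ms": variant.elapsed_ms - base.elapsed_ms,
        "content_similarity": round(ratio, 3),
        "content_diff": changed,
    }


def judge(base, variants, min_length_delta=32, max_similarity=0.95):
    """Judge existence from the differences and return the full evidence record.
    Rule (an assumption, not the patent's): supported when at least one variant
    differs clearly from the baseline in status code or in content."""
    evidence = {"baseline": direct_evidence(base), "variants": {}}
    supported = False
    for label, resp in variants.items():
        d = response_diff(base, resp)
        evidence["variants"][label] = d
        if (d["status_delta"] != 0
                or abs(d["length_delta"]) >= min_length_delta
                or d["content_similarity"] < max_similarity):
            supported = True
    evidence["exists"] = supported
    return evidence


# Constructed sample exchanges.
BASE = Response(200, 120, "<html><body><h1>Product 1</h1><p>Price: 10</p></body></html>")
# Variant behaves like the baseline: no evidence, the hit would be a false positive.
VARIANTS_STABLE = {
    "variant_a": Response(200, 118, "<html><body><h1>Product 1</h1><p>Price: 10</p></body></html>"),
}
# One variant produces a server error page: a clear, recordable difference.
VARIANTS_CHANGED = {
    "variant_a": Response(500, 400, "<html><body><h1>Internal Server Error</h1>"
                                    "<pre>(constructed: stack trace omitted)</pre></body></html>"),
    "variant_b": Response(200, 121, "<html><body><h1>Product 1</h1><p>Price: 10</p></body></html>"),
}
```

`judge(BASE, VARIANTS_STABLE)` yields a record whose `exists` is false and whose content diff is empty, while `judge(BASE, VARIANTS_CHANGED)` yields `exists` true with the status change, length change and diff lines of `variant_a` preserved as the forensic result a reviewer can later inspect.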
5. The forensics-type website vulnerability scanning method according to claim 3, characterized in that the manual forensics of step e is optional and step e may be performed selectively as required; the manual forensics comprises the following methods:
1) access in a browser the automatically constructed URL for further forensics obtained in step d, inspect the actual execution and display result of the URL, judge in combination with the features of the vulnerability whether it exists, and optionally save a screenshot of the displayed result;
2) use an HTTP packet-sending simulation tool: fill the URL for further forensics, together with the HTTP headers, session and Cookie and form submission data obtained in step d, into the packet-sending tool, send the HTTP request, inspect the returned page content, and judge in combination with the features of the vulnerability whether it exists;
3) in a browser, fill the form submission data obtained in step d into the form on the page where the vulnerability is located, submit the form, inspect the display result of the page after submission, and judge in combination with the features of the vulnerability whether it exists;
4) use a special-purpose tool, meaning a tool for vulnerability forensics or penetration testing: fill the URL for further forensics and the HTTP headers, session and Cookie and form submission data obtained in step d into the special-purpose tool for further forensics or penetration, inspect the result, and judge in combination with the features of the vulnerability whether it exists;
5) display the HTTP request packet and HTTP response packet obtained in step d in the user interface, highlight the important content with highlighting or bold font, and judge manually, in combination with the features of the vulnerability, whether it exists.
6. The forensics-type website vulnerability scanning method according to claim 1, characterized in that website vulnerabilities and forensic results can be displayed together in the user interface of the program or system, or output together in a report; from this information the user judges whether a vulnerability exists, and what its nature and severity are.
7. The forensics-type website vulnerability scanning method according to claim 1, characterized in that the method has a learning function: the user judges whether a vulnerability is a false positive, the system records the user's judgement, and when the same vulnerability appears again in a subsequent scan, the recorded judgement is used to filter out the false positive; this is the automatic filtering of false positives performed in step c.
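The learning function of claim 7 (record the user's false-positive verdict, then suppress the same vulnerability when a later scan reports it again) as an added example; it is illustrative code, not the patent's. Findings are plain dicts, the verdict store is in memory with a JSON round trip standing in for the system database, and the signature that decides what counts as "the same vulnerability" across scans (type, host, path, affected parameter, and the set of query parameter names with their values dropped) is this example's assumption.

```python
"""False-positive learning for a forensics-type scanner.

Added example, not the patent's code. The finding signature and the
in-memory verdict store are constructed for illustration.
"""
import json
from urllib.parse import urlsplit, parse_qsl


def signature(finding):
    """Stable identity for a finding across scans: query values vary between
    scans, so only the sorted parameter names are kept."""
    parts = urlsplit(finding["url"])
    names = ",".join(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return "|".join([finding["type"], parts.netloc, parts.path, finding.get("param", ""), names])


class VerdictStore:
    """In-memory stand-in for the verdict table in the system database module."""

    def __init__(self):
        self._verdicts = {}   # signature -> {"false_positive": bool, "note": str}

    def record(self, finding, false_positive, note=""):
        """Persist the user's judgement about one finding."""
        self._verdicts[signature(finding)] = {"false_positive": false_positive, "note": note}

    def is_known_false_positive(self, finding):
        v = self._verdicts.get(signature(finding))
        return bool(v and v["false_positive"])

    def dumps(self):
        return json.dumps(self._verdicts, sort_keys=True)

    @classmethod
    def loads(cls, text):
        store = cls()
        store._verdicts = json.loads(text)
        return store


def filter_findings(findings, store):
    """Step c filtering with learned verdicts: returns (kept, suppressed)."""
    kept, suppressed = [], []
    for f in findings:
        (suppressed if store.is_known_false_positive(f) else kept).append(f)
    return kept, suppressed


# Constructed findings from two consecutive scans of the same site.
FIRST_SCAN = [
    {"type": "reflected-xss", "url": "http://site.example/search?q=abc&page=1", "param": "q"},
    {"type": "directory-listing", "url": "http://site.example/docs/"},
]
SECOND_SCAN = [
    {"type": "reflected-xss", "url": "http://site.example/search?page=2&q=zzz", "param": "q"},
    {"type": "directory-listing", "url": "http://site.example/docs/"},
    {"type": "reflected-xss", "url": "http://site.example/login?user=x", "param": "user"},
]


def demo():
    """User marks the search finding as a false positive after manual forensics;
    the verdict survives persistence and suppresses the same finding next time."""
    store = VerdictStore()
    store.record(FIRST_SCAN[0], false_positive=True, note="output is HTML-encoded; verified by hand")
    store = VerdictStore.loads(store.dumps())
    return filter_findings(SECOND_SCAN, store)
```

In `demo()` the second scan's search finding is suppressed even though its query values differ, while the directory listing and the new finding on `/login` are kept; the note stored with the verdict is what a reviewer later reads to understand why the suppression exists.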
8. A forensics-type website vulnerability scanning system based on the scanning method of claim 1, characterized in that it comprises a page handling module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module;
The page handling module parses the initial page of the scanned website, or page links stored in the system database module, to obtain new page links, stores the obtained page links in the system database module and ensures that the same page link is not stored twice (the system database module used by the page handling module can also be replaced by a project file);
The vulnerability scanning module determines whether a page has already been through vulnerability detection and detects the pages that have not;
The automatic forensics module performs automatic evidence collection for the vulnerabilities found by the vulnerability scanning module, automatically filters out false positives, and obtains forensic results that prove the vulnerability exists;
The information collection module automatically collects and stores, for the vulnerabilities found by the vulnerability scanning module, the forensic information needed for manual forensics;
The manual forensics module uses the forensic information collected by the information collection module to perform manual evidence collection and obtain manual forensic results that confirm the authenticity of the vulnerability;
The task issuing and management module gives the user the operational means to start the website scanning process and thereby reach the final goal of finding vulnerabilities and collecting evidence, by supporting the user in issuing scan tasks in the user interface and managing them, including pausing, stopping, deleting and configuring;
The scan result display and management module presents the scan data in the interface during scanning and after the scan has finished, and supports the user in inspecting the scan data and manual forensic results and in outputting reports; the scan data comprises the vulnerabilities found, the page links of the corresponding website and the manual forensic information;
The report module outputs the vulnerability detection results to a separate file; the separate file serves for exchange between staff, for archiving, or as a basis for improving the website system, and can be imported into third-party systems for further processing;
The system database module stores the system's configuration information, the website's vulnerabilities and page links; the system's configuration information comprises accounts and log information;
The project file management module manages project files, including creation, deletion and writing data; a project file is a file that can store page links and vulnerability data, and each task issued by the task issuing and management module has a corresponding project file.
CN201410185544.XA 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system Active CN103942497B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410185544.XA CN103942497B (en) 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201310414211 2013-09-11
CN201310414211.5 2013-09-11
CN2013104142115 2013-09-11
CN201410185544.XA CN103942497B (en) 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system

Publications (2)

Publication Number Publication Date
CN103942497A true CN103942497A (en) 2014-07-23
CN103942497B CN103942497B (en) 2017-05-03

Family

ID=51190164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410185544.XA Active CN103942497B (en) 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system

Country Status (1)

Country Link
CN (1) CN103942497B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200166A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Script-based website vulnerability scanning method and system
CN104618177A (en) * 2014-12-29 2015-05-13 北京奇虎科技有限公司 Website bug examination method and device
CN104954372A (en) * 2015-06-12 2015-09-30 中国科学院信息工程研究所 Method and system for performing evidence acquisition and verification on phishing website
CN105488400A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Comprehensive detection method and system of malicious webpage
CN105512559A (en) * 2014-10-17 2016-04-20 阿里巴巴集团控股有限公司 Method and equipment for providing access
CN106878345A (en) * 2017-04-25 2017-06-20 杭州迪普科技股份有限公司 A kind of method and device for distorting protection
CN107277063A (en) * 2017-08-09 2017-10-20 四川长虹电器股份有限公司 Method of testing is judged based on vulnerability scanning precision
CN107276852A (en) * 2017-06-27 2017-10-20 福建省天奕网络科技有限公司 A kind of data safety detection method and terminal
CN107908959A (en) * 2017-11-10 2018-04-13 北京知道创宇信息技术有限公司 Site information detection method, device, electronic equipment and storage medium
CN108449319A (en) * 2018-02-09 2018-08-24 秦玉海 A kind of method and device of identification swindle website and the evidence obtaining of long-range wooden horse
CN108848115A (en) * 2018-09-03 2018-11-20 杭州安恒信息技术股份有限公司 A kind of method, apparatus of web site scan, equipment and computer readable storage medium
CN109729078A (en) * 2018-12-20 2019-05-07 国网北京市电力公司 Operate detection method, device, storage medium and the electronic device of loophole
CN110175058A (en) * 2019-04-10 2019-08-27 阿里巴巴集团控股有限公司 The method quickly retained, module, system and medium based on data exception information
CN110753047A (en) * 2019-10-16 2020-02-04 杭州安恒信息技术股份有限公司 Method for reducing false alarm of vulnerability scanning
CN111277555A (en) * 2018-12-05 2020-06-12 中国移动通信集团河南有限公司 Vulnerability false alarm screening method and device
CN111291384A (en) * 2020-04-28 2020-06-16 杭州海康威视数字技术股份有限公司 Vulnerability scanning method and device and electronic equipment
CN111447224A (en) * 2020-03-26 2020-07-24 江苏亨通工控安全研究院有限公司 Web vulnerability scanning method and vulnerability scanner
CN111541693A (en) * 2020-04-23 2020-08-14 北京凌云信安科技有限公司 Automatic penetration test and data evidence obtaining system for multiple types of systems
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate
CN113422759A (en) * 2021-06-10 2021-09-21 杭州安恒信息技术股份有限公司 Vulnerability scanning method, electronic device and storage medium
CN113742731A (en) * 2020-05-27 2021-12-03 南京大学 Data collection method for code vulnerability intelligent detection
CN117040801A (en) * 2023-07-14 2023-11-10 华能信息技术有限公司 Vulnerability detection method based on web middleware

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6584569B2 (en) * 2000-03-03 2003-06-24 Sanctum Ltd. System for determining web application vulnerabilities
CN1866817A (en) * 2006-06-15 2006-11-22 北京华景中天信息技术有限公司 Website safety risk estimating method and system
CN102104601A (en) * 2011-01-14 2011-06-22 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200166A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Script-based website vulnerability scanning method and system
US10558807B2 (en) 2014-10-17 2020-02-11 Alibaba Group Holding Limited Method and device for providing access page
CN105512559A (en) * 2014-10-17 2016-04-20 阿里巴巴集团控股有限公司 Method and equipment for providing access
CN105488400A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Comprehensive detection method and system of malicious webpage
CN104618177A (en) * 2014-12-29 2015-05-13 北京奇虎科技有限公司 Website bug examination method and device
CN104954372A (en) * 2015-06-12 2015-09-30 中国科学院信息工程研究所 Method and system for performing evidence acquisition and verification on phishing website
CN104954372B (en) * 2015-06-12 2018-07-24 中国科学院信息工程研究所 A kind of evidence obtaining of fishing website and verification method and system
CN106878345A (en) * 2017-04-25 2017-06-20 杭州迪普科技股份有限公司 A kind of method and device for distorting protection
CN107276852A (en) * 2017-06-27 2017-10-20 福建省天奕网络科技有限公司 A kind of data safety detection method and terminal
CN107276852B (en) * 2017-06-27 2020-02-21 福建省天奕网络科技有限公司 Data security detection method and terminal
CN107277063A (en) * 2017-08-09 2017-10-20 四川长虹电器股份有限公司 Method of testing is judged based on vulnerability scanning precision
CN107277063B (en) * 2017-08-09 2020-09-25 四川长虹电器股份有限公司 Vulnerability scanning precision-based judgment and test method
CN107908959B (en) * 2017-11-10 2020-02-14 北京知道创宇信息技术股份有限公司 Website information detection method and device, electronic equipment and storage medium
CN107908959A (en) * 2017-11-10 2018-04-13 北京知道创宇信息技术有限公司 Site information detection method, device, electronic equipment and storage medium
CN108449319A (en) * 2018-02-09 2018-08-24 秦玉海 A kind of method and device of identification swindle website and the evidence obtaining of long-range wooden horse
CN108848115A (en) * 2018-09-03 2018-11-20 杭州安恒信息技术股份有限公司 A kind of method, apparatus of web site scan, equipment and computer readable storage medium
CN111277555A (en) * 2018-12-05 2020-06-12 中国移动通信集团河南有限公司 Vulnerability false alarm screening method and device
CN111277555B (en) * 2018-12-05 2022-03-11 中国移动通信集团河南有限公司 Vulnerability false alarm screening method and device
CN109729078A (en) * 2018-12-20 2019-05-07 国网北京市电力公司 Operate detection method, device, storage medium and the electronic device of loophole
CN110175058B (en) * 2019-04-10 2022-04-05 创新先进技术有限公司 Method, module, system and medium for fast retention based on data exception information
CN110175058A (en) * 2019-04-10 2019-08-27 阿里巴巴集团控股有限公司 The method quickly retained, module, system and medium based on data exception information
CN110753047B (en) * 2019-10-16 2022-02-11 杭州安恒信息技术股份有限公司 Method for reducing false alarm of vulnerability scanning
CN110753047A (en) * 2019-10-16 2020-02-04 杭州安恒信息技术股份有限公司 Method for reducing false alarm of vulnerability scanning
CN111447224A (en) * 2020-03-26 2020-07-24 江苏亨通工控安全研究院有限公司 Web vulnerability scanning method and vulnerability scanner
CN111541693A (en) * 2020-04-23 2020-08-14 北京凌云信安科技有限公司 Automatic penetration test and data evidence obtaining system for multiple types of systems
CN111291384B (en) * 2020-04-28 2020-09-08 杭州海康威视数字技术股份有限公司 Vulnerability scanning method and device and electronic equipment
CN111291384A (en) * 2020-04-28 2020-06-16 杭州海康威视数字技术股份有限公司 Vulnerability scanning method and device and electronic equipment
CN113742731A (en) * 2020-05-27 2021-12-03 南京大学 Data collection method for code vulnerability intelligent detection
CN112100626A (en) * 2020-09-24 2020-12-18 成都信息工程大学 Development method for improving source code audit vulnerability hit rate
CN113422759A (en) * 2021-06-10 2021-09-21 杭州安恒信息技术股份有限公司 Vulnerability scanning method, electronic device and storage medium
CN113422759B (en) * 2021-06-10 2023-04-18 杭州安恒信息技术股份有限公司 Vulnerability scanning method, electronic device and storage medium
CN117040801A (en) * 2023-07-14 2023-11-10 华能信息技术有限公司 Vulnerability detection method based on web middleware

Also Published As

Publication number Publication date
CN103942497B (en) 2017-05-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15

Patentee after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Hangzhou City, Zhejiang province 310051 Binjiang District and Zhejiang road in the 15 storey building

Patentee before: Dbappsecurity Co.,ltd.

CP02 Change in the address of a patent holder
CP02 Change in the address of a patent holder

Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Patentee after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15

Patentee before: Hangzhou Annan information technology Limited by Share Ltd