Distributed website program vulnerability scanning system, method and device
Technical Field
The invention relates to the technical field of network security, in particular to a distributed website program vulnerability scanning system, method and device.
Background
With Web applications such as internet banking, e-commerce, personal space and cloud storage entering people's daily lives, any security weakness in these applications puts personal information, and even the Web site systems themselves, at risk. Statistically, 75% of current network attacks are carried out through the Web.
Ensuring that Web services run safely and stably is an important task for the IT departments of many companies and institutions. Generally, owing to the lack of effective Web security assessment tools and checking mechanisms, security problems are hard to discover in day-to-day operation and are often found only after a major incident has occurred.
The traditional way of scanning for website program vulnerabilities (Web vulnerabilities) is a stand-alone system: all modules of the scanner are installed on one computer. Consequently, the security diagnosis results of different computers are isolated from each other, overall network risk assessment and prevention are poor, scanning is slow, and the failure of the single node can bring down the whole system. The processing capacity of a single computer within a given time is limited, and conventional Web vulnerability scanning can only throttle the scanning speed on that single machine; once the scanner is deployed in a distributed fashion there is no mechanism to limit its overall speed.
Disclosure of Invention
The invention provides a distributed website program vulnerability scanning system, method and device, and solves the problem of limiting the scanning speed of a web vulnerability scanning system after it has been deployed in a distributed fashion.
In order to achieve the purpose of the invention, the technical scheme adopted by the invention is as follows:
a distributed website program vulnerability scanning system comprises a server and a client,
the client is used for controlling the packet sending speed, sending a scanning task request to the server when the packet sending speed meets a first preset condition, and executing the scanning task when receiving the scanning task issued by the server;
and the server is used for receiving the scanning task request sent by the client, controlling the number of scanning processes, and issuing the scanning task to the client when the number of scanning processes meets a second preset condition.
Optionally, the server is further configured to limit the scanning task of the scanning client when the number of scanning processes does not satisfy a second preset condition.
Optionally, limiting the scanning task of the scanning client comprises:
suspending the scanning task to be issued, transferring it to another scanning client, or waiting until the scanning process parameter no longer exceeds the preset limit and then issuing the scanning task.
Optionally, after receiving the scan task request sent by the client, the server is further configured to:
and determining whether the scanning task of the scanning client is in a scanning queue, and adding the scanning task of the scanning client to the scanning queue when the scanning task of the scanning client is not in the scanning queue.
Optionally, the first preset condition includes: the packet sending speed is less than or equal to a preset speed threshold; the second preset condition includes: the number of scanning processes is less than or equal to a preset process-count threshold.
The embodiment of the invention also provides a distributed website program vulnerability scanning method, which is applied to the client and comprises the following steps:
the client determines the packet sending speed;
judging whether the packet sending speed meets a first preset condition or not;
when the packet sending speed meets a first preset condition, sending a scanning task request to a server;
and receiving a scanning task issued by the server and executing the scanning task.
Optionally, the first preset condition includes: the packet sending speed is less than or equal to a preset speed threshold.
The embodiment of the invention also provides a distributed website program vulnerability scanning method, which is applied to a server and comprises the following steps:
receiving the scanning task request sent by a client;
and judging whether the number of scanning processes meets a second preset condition, and issuing the scanning task to the client when the number of scanning processes meets the second preset condition.
Optionally, when the number of scanning processes does not satisfy a second preset condition, the scanning task of the scanning client is limited.
Optionally, limiting the scanning task of the scanning client comprises:
suspending the scanning task to be issued, transferring it to another scanning client, or waiting until the scanning process parameter no longer exceeds the preset limit and then issuing the scanning task.
Optionally, after receiving the scan task request sent by the client, the method further includes:
and determining whether the scanning task of the scanning client is in a scanning queue, and adding the scanning task of the scanning client to the scanning queue when the scanning task of the scanning client is not in the scanning queue.
The embodiment of the present invention further provides a distributed website program vulnerability scanning device, which is arranged at a client and includes:
the request module is set to send a scanning task request to the server when the packet sending speed meets a first preset condition;
and the execution module is configured to execute the scanning task when receiving the scanning task issued by the server.
The embodiment of the present invention further provides a distributed website program vulnerability scanning device, which is arranged at a server and includes:
the communication module is used for receiving a scanning task request sent by a scanning client;
and the issuing module is used for controlling the number of scanning processes and issuing the scanning task to the client when the number of the scanning processes meets a second preset condition.
Optionally, the apparatus further comprises: and the speed limit module is set to limit the scanning task of the scanning client when the number of the scanning processes does not meet a second preset condition.
Optionally, the issuing module is further configured to:
and determining whether the scanning task of the scanning client is in a scanning queue, and adding the scanning task of the scanning client to the scanning queue when the scanning task of the scanning client is not in the scanning queue.
Optionally, the speed limit module limits the scanning task of the scanning client by:
suspending the scanning task to be issued, transferring it to another scanning client, or waiting until the scanning process parameter no longer exceeds the preset limit and then issuing the scanning task.
The embodiment of the present invention further provides a device for scanning distributed website program vulnerabilities, including: a first memory and a first processor;
the first memory is used for storing a program for distributed web vulnerability scanning; the program for distributed web vulnerability scanning, when read and executed by the first processor, performs the following operations:
and when the packet sending speed meets a first preset condition, sending a scanning task request to the server, and executing the scanning task when receiving the scanning task issued by the server.
The embodiment of the present invention further provides a device for scanning distributed website program vulnerabilities, including: a second memory and a second processor;
the second memory is used for storing a program for distributed web vulnerability scanning; the program for distributed web vulnerability scanning, when read and executed by the second processor, performs the following operations:
and receiving the scanning task request sent by the client, controlling the number of scanning processes, and issuing the scanning task to the client when the number of scanning processes meets a second preset condition.
Compared with the prior art, the invention has the following beneficial effects:
the method and the device can limit the network packet sending speed during distributed web vulnerability scanning, preventing the scanned target server from becoming unavailable because the scan is too fast.
Drawings
FIG. 1 is a block diagram of a vulnerability scanning system for distributed web sites according to an embodiment of the present invention;
FIG. 2 is a flowchart of a vulnerability scanning method for a distributed website according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a distributed website vulnerability scanning apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a distributed website vulnerability scanning apparatus according to an embodiment of the present invention;
FIG. 5 is a flowchart of a speed limit task according to embodiment 2 of the present invention;
FIG. 6 is a flowchart of a speed limit task according to embodiment 1 of the present invention;
FIG. 7 is a schematic structural diagram of a distributed scanning system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention are described below with reference to the accompanying drawings. It should be noted that, provided there is no conflict, the features of the embodiments in the present application may be combined with each other arbitrarily.
As shown in fig. 1, an embodiment of the present invention provides a distributed website vulnerability scanning system, which includes a server 2 and a client 1,
the client 1 is used for controlling the packet sending speed, sending a scanning task request to the server 2 when the packet sending speed meets a first preset condition, and executing the scanning task when receiving the scanning task issued by the server 2;
and the server 2 is configured to receive the scan task request sent by the client 1, control the number of scan processes, and issue the scan task to the client 1 when the number of scan processes meets a second preset condition.
The server 2 is further configured to limit the scanning task of the scanning client 1 when the number of scanning processes does not satisfy a second preset condition.
For a scanning task that exceeds the processing capacity of the distributed web vulnerability scanning system, the embodiment of the invention may pause, hold (wait) or cancel the task, thereby limiting the speed of the distributed web vulnerability scanning system and achieving a speed limit after the scanning system has been deployed in a distributed fashion.
In the embodiment of the invention, the speed limit applied at scanning client 1 is combined with the limit on the number of scanning processes at server 2, which yields a per-domain-name scanning speed limit across the distributed web vulnerability scanning system. The embodiment may limit the scanning speed of several scanning clients 1 at the same time; as shown in fig. 7, the scanning task of each scanning client 1 is tracked under an identifier of that client, for example the IP (Internet Protocol) address of scanning client 1. The IP address serves only as a bookkeeping key for the queue; it does not by itself authenticate the client to the server.
After receiving the scan task request sent by the client 1, the server 2 is further configured to:
determining whether the scanning task of the scanning client 1 is in a scanning queue, and adding the scanning task of the scanning client 1 to the scanning queue when the scanning task is not in the scanning queue.
The first preset condition includes: the packet sending speed is less than or equal to a preset maximum speed threshold; the second preset condition includes: the number of scanning processes is less than or equal to a preset maximum process-count threshold.
The packet sending speed seen by the server is the product of the number of scanning processes at server 2 and the packet sending speed of each scanning end.
The embodiment of the invention can limit the number of scanning processes and the speed of each scanning process, and can also cap the number of data packets sent per second, which is governed by the maximum packet sending speed.
The scanning end of the embodiment wraps the python requests library; the wrapper defines and counts the number of data packets sent per second, and from that count decides whether the packet sending speed exceeds the preset limit.
Limiting the scanning task of the scanning client 1 comprises:
suspending the scanning task to be issued, transferring it to another scanning client, or waiting until the scanning process parameter no longer exceeds the preset limit and then issuing the scanning task.
When scanning client 1 is limiting its packet sending speed and server 2 is limiting the scanning task, scanning client 1 is not issued a new scanning task, or waits for a period of time, so that the scanning speed is limited.
As shown in fig. 7, the embodiment of the present invention includes a plurality of scanning clients 1 and may limit their scanning speeds at the same time, combining the speed limit with a load balancing technique of the related art: when the scanning process parameter of one or more scanning clients 1 exceeds the preset limit, the scanning task of the limited scanning client 1 is distributed to the other scanning clients 1.
As shown in fig. 2, an embodiment of the present invention further provides a distributed website program vulnerability scanning method, which is applied to the client 1, and includes:
S101, when the packet sending speed meets a first preset condition, sending a scanning task request to the server 2, and executing the scanning task when receiving the scanning task issued by the server 2.
Wherein the first preset condition comprises: the packet speed is less than or equal to a predetermined maximum speed threshold.
As shown in fig. 2, an embodiment of the present invention further provides a distributed website program vulnerability scanning method, which is applied to the server 2, and includes:
s102, receiving the scanning task request sent by the client 1, controlling the number of scanning processes, and S103, issuing the scanning task to the client 1 when the number of scanning processes meets a second preset condition.
The method further comprises the following steps: and S104, when the number of the scanning processes does not meet a second preset condition, limiting the scanning task of the scanning client 1.
After receiving the scan task request sent by the client 1, the method further includes:
determining whether the scanning task of the scanning client 1 is in a scanning queue, and adding the scanning task of the scanning client 1 to the scanning queue when the scanning task is not in the scanning queue.
Limiting the scanning task of the scanning client 1 comprises:
suspending the scanning task to be issued, transferring it to another scanning client, or waiting until the scanning process parameter no longer exceeds the preset limit and then issuing the scanning task.
As shown in fig. 3, an embodiment of the present invention further provides a distributed website vulnerability scanning apparatus, which is disposed at a client 1, and includes:
the request module 11 is configured to send a scan task request to the server 2 when the packet sending speed meets a first preset condition;
the execution module 12 is configured to execute the scanning task when receiving the scanning task issued by the server 2.
The request module 11 of the embodiment of the present invention may be placed in the HTTP (HyperText Transfer Protocol) request server, i.e. the component that issues the HTTP requests; the packet sending speed is detected in that HTTP request server.
As shown in fig. 4, an embodiment of the present invention further provides a distributed website vulnerability scanning apparatus, which is disposed at the server 2, and includes:
a communication module 21 configured to receive a scanning task request sent by the scanning client 1;
and an issuing module 22 configured to control the number of scanning processes, and to issue the scanning task to the client 1 when the number of scanning processes meets a second preset condition.
The device further comprises: and the speed limit module 23 is configured to limit the scanning task of the scanning client 1 when the number of the scanning processes does not satisfy a second preset condition.
The issuing module 22 is further configured to:
determining whether the scanning task of the scanning client 1 is in a scanning queue, and adding the scanning task of the scanning client 1 to the scanning queue when the scanning task is not in the scanning queue.
The speed limit module 23 limits the scanning task of the scanning client 1 by:
suspending the scanning task to be issued, transferring it to another scanning client, or waiting until the scanning process parameter no longer exceeds the preset limit and then issuing the scanning task.
The function of the speed limit module 23 may also be implemented in a task distribution server, so that the limiting of the scanning client 1's scanning task is performed in the task distribution server.
For the client 1: when the result returned by the speed limiting device is that the scanning task is held, the client waits for the speed limiting device to issue the scanning task;
and when the result returned by the speed limiting device is an issued scanning task, the client executes the scanning task.
The embodiment of the invention also provides a speed limiting device for the distributed scanning system, which comprises: a first memory and a first processor;
the first memory is used for storing a program for distributed web vulnerability scanning; the program for distributed web vulnerability scanning, when read and executed by the first processor, performs the following operations:
when the packet sending speed meets a first preset condition, sending a scanning task request to the server 2, and executing the scanning task when receiving the scanning task issued by the server 2.
The embodiment of the invention also provides a speed limiting device for the distributed scanning system, which comprises: a second memory and a second processor;
the second memory is used for storing a program for distributed web vulnerability scanning; the program for distributed web vulnerability scanning, when read and executed by the second processor, performs the following operations:
and receiving the scanning task request sent by the client 1, controlling the number of scanning processes, and issuing the scanning task to the client when the number of scanning processes meets a second preset condition.
Example 1
The method and the device of this example control the packet sending speed of the scanning client, for which a maximum packet sending speed max_speed can be set.
As shown in fig. 6, the steps of the speed limiting task in this embodiment are:
step 210, the request module determines the packet sending speed of the scanning client;
step 220, judging whether the packet sending speed meets the first preset condition;
step 230, when the packet sending speed does not meet the first preset condition, waiting until the next check;
step 240, when it is determined that the packet sending speed of the scanning client does not exceed the preset maximum packet sending speed max_speed, sending a scanning task request to the server.
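The client-side procedure of Example 1, together with the requests-based packet counter described in the Detailed Description, in working form. This is an added example written for this page, not code from the patent or from any product. Assumptions of the example: the HTTP transport is an injected callable standing in for requests.Session().request, the clock and sleep function are injected so the run is deterministic and offline, and the sliding one-second window, the FakeClock class and the sample URLs are this example's own constructions.

```python
"""Client-side speed limit for a distributed web vulnerability scanner.

Added example, not code from the patent. The transport is a stand-in for
requests.Session().request so the code runs offline; time and sleep are
injected so the behaviour is deterministic.
"""
from collections import deque
from typing import Callable, Deque, List


class PacketRateMeter:
    """Sliding one-second window of send timestamps: the 'packets sent per
    second' figure that the scanning end compares against max_speed."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock
        self._sent: Deque[float] = deque()

    def record(self) -> None:
        self._sent.append(self._clock())

    def packets_per_second(self) -> int:
        now = self._clock()
        while self._sent and now - self._sent[0] >= 1.0:  # expire old sends
            self._sent.popleft()
        return len(self._sent)

    def seconds_until_slot(self) -> float:
        """Delay until the oldest packet in the window drops out of it."""
        if not self._sent:
            return 0.0
        return max(0.0, self._sent[0] + 1.0 - self._clock())


class ScanClient:
    """Fig. 6 logic: measure the packet sending speed, compare it with
    max_speed, and either wait or send a scan-task request to the server.
    Every probe sent while executing a task goes through the same limiter."""

    def __init__(self, max_speed: int, clock, sleep, transport) -> None:
        if max_speed < 1:
            raise ValueError("max_speed must allow at least one packet/second")
        self.max_speed = max_speed
        self._sleep = sleep
        self._transport = transport          # e.g. requests.Session().request
        self.meter = PacketRateMeter(clock)

    def first_condition_met(self) -> bool:
        # First preset condition: packet sending speed <= max_speed.
        return self.meter.packets_per_second() <= self.max_speed

    def next_action(self) -> str:
        # Steps 220-240: request a task only while under the speed limit.
        return "request" if self.first_condition_met() else "wait"

    def send_probe(self, method: str, url: str) -> None:
        # Block while the window is full so the rate never exceeds max_speed.
        while self.meter.packets_per_second() >= self.max_speed:
            self._sleep(self.meter.seconds_until_slot())
        self._transport(method, url)
        self.meter.record()

    def execute_task(self, task: dict) -> int:
        """Run an issued task (a list of probe URLs); returns probes sent."""
        for url in task["urls"]:
            self.send_probe("GET", url)
        return len(task["urls"])


class FakeClock:
    """Constructed clock for offline runs: sleep() advances time instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def demo(max_speed: int = 3, probes: int = 5):
    """Send `probes` requests under a limit of `max_speed` per second; returns
    (timestamp of each send, final clock value, action after the run)."""
    clock = FakeClock()
    sent: List[float] = []

    def transport(method: str, url: str) -> None:  # stand-in for requests
        sent.append(clock.time())

    client = ScanClient(max_speed, clock.time, clock.sleep, transport)
    task = {"domain": "target.example",          # constructed sample task
            "urls": [f"http://target.example/p{i}" for i in range(probes)]}
    client.execute_task(task)
    return sent, clock.time(), client.next_action()


if __name__ == "__main__":
    print(demo())
```

The two comparisons differ on purpose: a task is requested while the measured rate is at or below max_speed (the first preset condition), but a probe is held back while the window already contains max_speed packets, since sending it would push the rate to max_speed + 1. In the default run the five probes go out at t = 0, 0, 0, 1, 1 seconds.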
Example 2
In this example the server maintains a scanning queue and a count of scanning processes. When a scanning client initiates scanning task request A, the scanning task for request A is issued and the scanning process count is incremented by one if the count does not exceed max_threads; otherwise no new task is issued.
As shown in fig. 5, the embodiment of the present invention illustrates the steps of the speed limiting task:
step 110, receiving a scanning task request sent by a scanning client;
step 120, determining whether the scanning task of the scanning client is in the scanning queue;
step 130, when the scanning task is not in the scanning queue, adding the scanning task of the scanning client to the scanning queue;
step 140, determining, for the scanning task request, that the number of scanning processes of the scanning client exceeds the preset max_threads;
step 150, limiting the scanning task of the scanning client;
step 160, determining, for the scanning task request, that the number of scanning processes of the scanning client does not exceed the preset max_threads, and issuing the scanning task according to the scanning task request.
Example 3
As shown in fig. 7, the embodiment of the present invention illustrates a process of simultaneously limiting the scanning speeds of multiple scanning clients:
the server maintains a scanning queue for each scanning client, and the scanning key values stored in the queues comprise the scanned domain name and the scanning client IP;
when scanning client A determines that its packet sending speed does not exceed the preset limit, it initiates a scanning task request, and the server determines from the maintained scanning queue whether the scanning process parameter of scanning client A exceeds the preset limit; the server may count the scanning process parameter of each scanning client in advance, or count that of scanning client A in real time;
if the scanning process parameter of scanning client A does not exceed the preset limit, a scanning task is issued to scanning client A; otherwise, either no new task is issued, or the server waits until the scanning process parameter of scanning client A no longer exceeds the preset limit and then issues the scanning task. The server may maintain the scanning process parameter of scanning client A after issuing the task, that is, add 1 to it, or recount the parameter of scanning client A the next time it receives a scanning request from that client.
Example 4
As shown in fig. 7, the embodiment of the present invention describes a process of simultaneously limiting the scanning speeds of multiple scanning clients, and the distributed scanning system of the embodiment of the present invention includes a server, a scanning client a, a scanning client B, and a scanning client C:
the server maintains a scanning queue for each scanning client, and the scanning key values stored in the queues comprise the scanned domain name and the scanning client IP; the server presets a limit for the scanning process parameter of each scanning client, and presets a total limit for the distributed scanning system; the limits of the individual scanning clients may be the same or different;
when scanning client A determines that its packet sending speed does not exceed the preset limit and initiates a scanning task request, the server determines from the maintained scanning queue whether the scanning process parameter of scanning client A exceeds its preset limit; the server may count the scanning process parameter of each scanning client in advance, or count that of scanning client A in real time;
if the scanning process parameter of scanning client A does not exceed its preset limit, a scanning task is issued to scanning client A.
Otherwise, the server determines from the maintained scanning queues whether the sum of the scanning process parameters of scanning clients A, B and C exceeds the total limit of the distributed scanning system. If the total limit is exceeded, no new task is issued, or the server waits until the scanning process parameter of scanning client A no longer exceeds its preset limit and then issues the scanning task.
If the total limit is not exceeded, the server determines from the maintained scanning queues whether the scanning process parameters of the other scanning clients exceed their preset limits (that is, whether those of scanning client B and scanning client C exceed their respective limits). If both exceed their limits, no new task is issued, or the server waits until the scanning process parameter of scanning client A no longer exceeds its preset limit and then issues the scanning task. If scanning client B or scanning client C is within its limit, the scanning task is issued to that client; after issuing it, the server maintains the scanning process parameter of scanning client B or C, that is, adds 1 to it, or recounts the parameter of scanning client B or C the next time that client initiates a scanning task request.
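The server-side logic of Examples 2, 3 and 4 (steps 110 to 160 of fig. 5, plus the per-client and total limits with transfer to another scanning client) as one runnable dispatcher. This is an added example written for this page, not code from the patent. Its assumptions: clients are identified by IP as in fig. 7 and each queue entry is a scanned domain, so a scan key is (domain, client IP); the limit is checked with a strict less-than before the process parameter is incremented, so at most max_threads processes run per client and at most total_limit across the system (the patent's "does not exceed" wording leaves open whether the count is compared before or after the increment, which changes the effective concurrency by one); a task_finished() report from the client decrements the count, since the patent describes only the increment; and the action names and the 10.0.0.x addresses are constructed for the example.

```python
"""Server-side speed limit for a distributed web vulnerability scanner.

Added example, not code from the patent. Clients are keyed by IP, queue
entries are scanned domains, limits are checked with '<' before the process
parameter is incremented, and task_finished() is an assumed completion report.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class ClientState:
    max_threads: int                  # preset limit for this client's processes
    processes: int = 0                # current scanning process parameter
    queue: Deque[str] = field(default_factory=deque)  # domains awaiting issue


@dataclass(frozen=True)
class Decision:
    action: str                       # "issue", "transfer" or "wait"
    runner: Optional[str]             # IP of the client that will scan, or None
    domain: str


class ScanServer:
    """Fig. 5 (steps 110-160) plus the multi-client logic of Example 4."""

    def __init__(self, total_limit: int) -> None:
        self.total_limit = total_limit
        self.clients: Dict[str, ClientState] = {}

    def register(self, ip: str, max_threads: int) -> None:
        self.clients[ip] = ClientState(max_threads)

    def total_processes(self) -> int:
        return sum(c.processes for c in self.clients.values())

    def has_capacity(self, ip: str) -> bool:
        c = self.clients[ip]
        return c.processes < c.max_threads

    def enqueue(self, ip: str, domain: str) -> None:
        # Steps 120/130: add the task only if it is not already queued.
        q = self.clients[ip].queue
        if domain not in q:
            q.append(domain)

    def handle_request(self, ip: str, domain: str) -> Decision:
        """Decide what to do with a scan-task request from client `ip`."""
        self.enqueue(ip, domain)
        # Second preset condition: the requesting client is under max_threads.
        if self.has_capacity(ip):
            return self._issue(ip, ip, domain)
        # Requester is at its limit: check the system-wide total first.
        if self.total_processes() >= self.total_limit:
            return Decision("wait", None, domain)
        # Transfer to the first other client that still has capacity.
        for other in self.clients:
            if other != ip and self.has_capacity(other):
                return self._issue(ip, other, domain)
        return Decision("wait", None, domain)  # every client is at its limit

    def _issue(self, origin: str, runner: str, domain: str) -> Decision:
        self.clients[origin].queue.remove(domain)
        self.clients[runner].processes += 1    # maintain the process parameter
        return Decision("issue" if origin == runner else "transfer",
                        runner, domain)

    def task_finished(self, runner: str) -> None:
        """Assumed completion report from a client; frees one process slot."""
        self.clients[runner].processes -= 1


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed scenario: A, B, C allow one process each, two system-wide."""
    server = ScanServer(total_limit=2)
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):   # clients A, B, C
        server.register(ip, max_threads=1)
    a, b = "10.0.0.1", "10.0.0.2"
    log = [
        server.handle_request(a, "d1.example"),   # A idle -> issue to A
        server.handle_request(a, "d2.example"),   # A full -> transfer to B
        server.handle_request(a, "d3.example"),   # total limit hit -> wait
    ]
    server.task_finished(b)                       # B reports completion
    log.append(server.handle_request(a, "d3.example"))  # retry -> transfer to B
    return [(d.action, d.runner) for d in log]


if __name__ == "__main__":
    print(demo())
```

In the constructed run the third request is held even though client C is idle, because the total limit of two processes is already reached; the same request succeeds once B reports a finished task. A held task stays in the requester's queue, so the dedup check in enqueue() prevents the retried request from being queued twice.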
Although the embodiments of the present invention have been described above, the contents thereof are merely embodiments adopted to facilitate understanding of the technical aspects of the present invention, and are not intended to limit the present invention. It will be apparent to persons skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims.