CN107948120A - leak detection method and device - Google Patents


Info

Publication number
CN107948120A
Authority
CN
China
Prior art keywords
request message
server
field
message
sent
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610890539.8A
Other languages
Chinese (zh)
Other versions
CN107948120B (en)
Inventor
李翼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201610890539.8A
Publication of CN107948120A
Application granted
Publication of CN107948120B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a vulnerability detection method and device. A step is added to the vulnerability detection process that converts the JSON-format field of a first request message into a URL-format field, so that an existing URL-format vulnerability scanner engine can add a test payload to the URL-format field without modification. The URL-format field carrying the test payload is then converted back into JSON format to generate a second request message, which is sent to the server so that the server can parse it. The second response message the server returns for the second request message is compared with the first response message the server returns when the first request message is sent to it directly, and, combined with the vulnerability judgement preset rules in a vulnerability knowledge base, a vulnerability detection result is obtained. Automated vulnerability detection of JSON-format traffic is thereby achieved, development cost is saved, and vulnerability detection efficiency is improved.

Description

Vulnerability detection method and device
Technical field
This application relates to computer technology, and in particular to a vulnerability detection method and device.
Background technology
JavaScript Object Notation (JSON) is a lightweight data interchange format that is easy for people to read and write and easy for machines to parse and generate.
Web vulnerability detection works by obtaining the request message that the browser or client of a web application sends to the server, adding to that request message the test payload corresponding to the vulnerability type to be tested, sending the request message carrying the test payload to the server, and determining from the response message the server returns for it whether the web application has the corresponding vulnerability. For a given vulnerability type, if the response message the server returns for the request message carrying the test payload differs from the expected response message, the web application is considered to have that vulnerability; the expected response message is the response message the server returns for the request message without the test payload.
It is well known that the commonly used Uniform Resource Locator (URL) format and the JSON format differ, as follows:
URL format: parameter names and parameter values are combined as data of the form "key1=value1&key2=value2";
JSON format: parameter names and parameter values are combined as data of the form {"key1":"value1","key2":"value2"}.
Existing vulnerability scanner engines generally perform automated request acquisition and test payload addition on the basis of the URL format and carry out vulnerability detection from there. Because they cannot parse the JSON format, there is at present no mature scanner engine that performs vulnerability detection on the basis of the JSON format.
At present, in web frameworks, communication between browser and server increasingly uses the JSON format, and developing a vulnerability scanner engine suited to the JSON format requires considerable development cost. One current approach is therefore to examine JSON-format data for vulnerabilities manually, which is extremely labour-intensive.
There is therefore an urgent need for a method that can perform automated vulnerability scanning on JSON-format data.
Summary of the invention
The application provides a vulnerability detection method and device to solve the problem of inefficient vulnerability detection in the prior art.
In one aspect, the application provides a vulnerability detection method, including:
obtaining a first request message sent to a server, the first request message containing a field in JSON format;
converting the JSON-format field into a field in Uniform Resource Locator (URL) format;
adding a test payload to the URL-format field;
converting the URL-format field carrying the test payload into JSON format to generate a second request message;
sending the second request message to the server;
receiving the first response message the server sends for the first request message;
receiving the second response message the server sends for the second request message;
obtaining a vulnerability detection result according to the first response message, the second response message and the vulnerability judgement preset rules.
In one possible implementation, the first request message and the second request message are Hypertext Transfer Protocol (HTTP) messages.
In one possible implementation, obtaining the first request message sent to the server includes:
obtaining, from the server's log, the first request message sent to the server.
In one possible implementation, obtaining the first request message sent to the server includes:
obtaining, through a web proxy, the first request message sent to the server;
and sending the second request message to the server includes:
sending the second request message to the server through the web proxy.
In one possible implementation, obtaining the first request message sent to the server includes:
obtaining the first request message sent to the server by bypass (mirrored-traffic) monitoring.
In one possible implementation, after converting the JSON-format field into a URL-format field, the method further includes:
adding a format conversion mark to the first request message;
and before converting the URL-format field carrying the test payload into JSON format to generate the second request message, the method further includes:
determining that the first request message contains the format conversion mark.
In one possible implementation, obtaining the vulnerability detection result according to the first response message, the second response message and the vulnerability judgement preset rules includes:
comparing the second response message with the first response message and, combined with the vulnerability judgement preset rules, obtaining the vulnerability detection result.
In another aspect, the application provides a vulnerability detection device, including:
an acquisition module, for obtaining a first request message sent to a server, the first request message containing a field in JSON format;
a format conversion module, for converting the JSON-format field into a field in Uniform Resource Locator (URL) format;
a processing module, for adding a test payload to the URL-format field;
the format conversion module being further used for converting the URL-format field carrying the test payload into JSON format to generate a second request message;
a sending module, for sending the second request message to the server;
a receiving module, for receiving the first response message the server sends for the first request message;
the receiving module being further used for receiving the second response message the server sends for the second request message;
the processing module being further used for obtaining a vulnerability detection result according to the first response message, the second response message and the vulnerability judgement preset rules.
In one possible implementation, the first request message and the second request message are Hypertext Transfer Protocol (HTTP) messages.
In one possible implementation, the acquisition module is specifically used for obtaining, from the server's log, the first request message sent to the server.
In one possible implementation, the acquisition module is specifically used for obtaining the first request message sent to the server through a web proxy, and the sending module is specifically used for controlling the web proxy to send the second request message to the server.
In one possible implementation, the acquisition module is specifically used for obtaining the first request message sent to the server by bypass (mirrored-traffic) monitoring.
In one possible implementation, the processing module is further used for adding a format conversion mark to the first request message;
and the processing module is further used for determining that the first request message contains the format conversion mark.
In one possible implementation, the processing module is specifically used for comparing the second response message with the first response message and, combined with the vulnerability judgement preset rules, obtaining the vulnerability detection result.
In a further aspect, the application provides a vulnerability detection device, including:
a processor, for obtaining a first request message sent to a server, the first request message containing a field in JSON format;
the processor being further used for converting the JSON-format field into a field in Uniform Resource Locator (URL) format;
the processor being further used for adding a test payload to the URL-format field;
the processor being further used for converting the URL-format field carrying the test payload into JSON format to generate a second request message;
a transmission interface coupled to the processor, for sending the second request message to the server;
a receiving interface coupled to the processor, for receiving the first response message the server sends for the first request message and the second response message the server sends for the second request message;
the processor being further used for obtaining a vulnerability detection result according to the first response message, the second response message and the vulnerability judgement preset rules.
In one possible implementation, the processor is specifically used for obtaining, from the server's log, the first request message sent to the server.
In one possible implementation, the processor is specifically used for obtaining the first request message sent to the server through a web proxy;
and the transmission interface is specifically used for controlling the web proxy to send the second request message to the server.
In one possible implementation, the processor is specifically used for obtaining the first request message sent to the server by bypass (mirrored-traffic) monitoring.
In one possible implementation, the processor is further used for adding a format conversion mark to the first request message;
and the processor is further used for determining that the first request message contains the format conversion mark.
In one possible implementation, the processor is specifically used for comparing the second response message with the first response message and, combined with the vulnerability judgement preset rules, obtaining the vulnerability detection result.
With the vulnerability detection method and device provided by the application, a step is added to the vulnerability detection process that converts the JSON-format field of the first request message into a URL-format field, so that the test payload can be added to the URL-format field without modifying the existing URL-format vulnerability scanner engine. The URL-format field carrying the test payload is converted back into JSON format to generate the second request message, which is sent to the server so that the server can parse it. The second response message the server returns for the second request message is compared with the first response message returned when the first request message is sent to the server directly, and, combined with the vulnerability judgement preset rules in the vulnerability knowledge base, a vulnerability detection result is obtained. Automated vulnerability detection of JSON-format traffic is thereby achieved, development cost is saved, and vulnerability detection efficiency is improved.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the B/S architecture diagram of the application;
Fig. 2 is the C/S architecture diagram of the application;
Fig. 3 is the flow diagram of embodiment one of the vulnerability detection method of the application;
Fig. 4 is the flow diagram of embodiment two of the vulnerability detection method of the application;
Fig. 5 is a structural diagram of one embodiment of the vulnerability detection device of the application;
Fig. 6 is a structural diagram of another embodiment of the vulnerability detection device of the application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the protection scope of the present application.
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
It will be appreciated that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms used in the embodiments of the present invention are only for the purpose of describing particular embodiments and are not intended to limit the present invention. The singular forms "a", "said" and "the" used in the embodiments of the present invention and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" used herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may denote: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the preceding and following objects.
It will be appreciated that although the terms first, second, third and so on may be used in the embodiments of the present invention to describe XXX, these XXX should not be limited by these terms. These terms are only used to distinguish XXX from one another. For example, without departing from the scope of the embodiments of the present invention, a first XXX may also be called a second XXX, and similarly a second XXX may also be called a first XXX.
Depending on the context, the word "if" as used herein may be interpreted as "when", "upon", "in response to determining" or "in response to detecting". Similarly, depending on the context, the phrase "if it is determined" or "if (a stated condition or event) is detected" may be interpreted as "when it is determined", "in response to determining", "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)".
It should also be noted that the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a product or system that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a product or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the product or system that includes that element.
The technical solution of the application can be applied in a browser/server (B/S) architecture or a client/server (C/S) architecture. The B/S architecture is shown in Fig. 1, the B/S architecture diagram of the application, and the C/S architecture is shown in Fig. 2, the C/S architecture diagram of the application. In Fig. 1 the communication between browser and server uses the JSON format, and in Fig. 2 the communication between client and server uses the JSON format.
To solve the problem that web vulnerability detection methods of the prior art cannot perform vulnerability detection on the JSON format, the application adds steps that convert between the URL format and the JSON format during vulnerability detection, so that the vulnerability detection method of the application achieves automated JSON-format vulnerability detection without modifying the existing URL-format vulnerability scanner engine.
The application also applies to web applications that can only be used after logging in, and to web applications whose client-to-server request messages cannot be obtained by crawler technology (for example, mobile-phone web applications); for these, the request messages are obtained by manually triggering their sending.
The technical solution of the application is described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
Embodiment one
Fig. 3 is the flow diagram of embodiment one of the vulnerability detection method of the application. The vulnerability detection method of this embodiment is applied in a vulnerability detection system that includes a browser/client, a web proxy, a first conversion module, a vulnerability scanner engine and a second conversion module. The first conversion module converts JSON format into URL format and the second conversion module converts URL format into JSON format; both may be deployed inside the web proxy or deployed independently, which the application does not restrict. The vulnerability scanner engine is a URL-format vulnerability scanner engine: it can only parse request messages in URL format, and when it adds a test payload it does so on the basis of the URL format. The browser/client and the server communicate in JSON format. The method of this embodiment is as follows:
S301: the browser/client sends the first request message to the web proxy.
The browser/client can be triggered manually to send the first request message to the web proxy, for example by clicking a button displayed by the web application in the browser/client, which triggers sending the first request message to the web proxy.
The button displayed by the browser/client can also be clicked automatically by simulating a manual click, to trigger sending the first request message to the server.
The first request message contains a field in JSON format, for example:
{"customerId":"","contactsMobile":"15678167514","contactsName":"tet","companyName":"123"}
S302: the web proxy obtains the first request message.
The browser/client communicates with the server through the web proxy; that is, messages the browser or client sends to the server, and messages the browser/client receives from the server, all pass through the web proxy. The web proxy can therefore obtain the first request message sent to the server.
Optionally, the first request message can be obtained in several ways besides the web proxy, for example by bypass (mirrored-traffic) monitoring or from the server's log; the application does not restrict this.
S303: the web proxy sends the first request message to the server.
S304: the web proxy receives the first response message that the server sends for the first request message.
The first response message is as follows:
S305: the web proxy sends the first request message to the first conversion module.
S306: the first conversion module converts the JSON-format field in the first request message into a URL-format field.
The key:value sequence in the JSON format is parsed and reassembled into URL format, thereby converting the JSON-format field into a URL-format field.
For example, if the parsed key:value sequence in the JSON format is {"key1":"value1","key2":"value2"}, reassembling it into URL format gives "key1=value1&key2=value2".
For example, the JSON-format field of S301 converts into the following URL-format field:
customerId=&contactsMobile=15678167514&contactsName=tet&companyName=123
S307: the first conversion module sends the format-converted first request message to the vulnerability scanner engine.
S308: the vulnerability scanner engine adds a test payload to the first request message.
The vulnerability scanner engine adds test payloads on the basis of the URL format; therefore, once the JSON-format field has been converted into a URL-format field, the test payload can be added to the URL-format field.
Vulnerability types include SQL injection, command execution, cross-site scripting (XSS), arbitrary file download and file inclusion, among others. Each vulnerability type corresponds to a group of test payloads, and a group contains one or more test payloads.
For each test type, the corresponding test payload is added to the first request message. Taking the test for an error-based SQL injection vulnerability as an example, one test payload is added; this example uses ",updatexml(1,@@version,1)" as the test payload. After it is added at the parameter contactsMobile, the URL field in the first request message is as follows:
customerId=&contactsMobile=15678167514,updatexml(1,@@version,1)&contactsName=tet&companyName=123
S309: the vulnerability scanner engine sends the first request message carrying the test payload to the second conversion module.
S310: the second conversion module converts the URL format in the first request message carrying the test payload into JSON format, generating the second request message.
Because the browser/client of the application communicates with the server in JSON format, the server can only parse JSON-format messages; the URL-format field carrying the payload therefore also has to be converted into JSON format to generate the second request message.
The JSON-format field in the second request message is as follows:
{"customerId":"","contactsMobile":"15678167514,updatexml(1,@@version,1)","contactsName":"tet","companyName":"123"}
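The conversion chain of S306 to S310 (JSON field to URL field, payload added by a URL-format engine, URL field back to JSON), written out as an added example; this is not code from the patent or from Alibaba. It goes a little beyond the page's all-string example by remembering each value's original JSON type so that parameters the engine leaves untouched are restored as numbers, booleans or null rather than as strings, and it uses a request header as the "format conversion mark" of the claims. The header name X-Format-Converted, the dict-based request shape, the engine stand-in, and the sample request (copied from the S301 field above) are this example's assumptions.

```python
from __future__ import annotations

import json
from urllib.parse import parse_qsl, urlencode

# Hypothetical header standing in for the patent's "format conversion mark";
# the page does not name the mark, so this header name is an assumption.
MARK_HEADER = "X-Format-Converted"


def json_to_url_fields(body: str) -> tuple[str, dict]:
    """Convert a flat JSON object body into key1=value1&key2=value2 form.

    Returns the URL-format string plus a map key -> (original value, string
    form) so that values the engine does not modify can get their JSON type back.
    """
    obj = json.loads(body)
    if not isinstance(obj, dict):
        raise ValueError("only a top-level JSON object is supported")
    originals = {}
    pairs = []
    for key, value in obj.items():
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            raw = "true" if value else "false"
        elif value is None:
            raw = ""
        elif isinstance(value, (dict, list)):
            raw = json.dumps(value, separators=(",", ":"))   # nested: serialised as text
        else:
            raw = str(value)
        originals[key] = (value, raw)
        pairs.append((key, raw))
    return urlencode(pairs), originals


def url_fields_to_json(url_fields: str, originals: dict) -> str:
    """Inverse conversion. A value the engine left untouched is restored with its
    original JSON type; a modified (payload-carrying) value stays a string."""
    obj = {}
    for key, value in parse_qsl(url_fields, keep_blank_values=True):
        if key in originals and value == originals[key][1]:
            obj[key] = originals[key][0]
        else:
            obj[key] = value
    return json.dumps(obj, separators=(",", ":"))


def first_conversion(request: dict) -> tuple[dict, dict]:
    """First conversion module (S306): JSON body -> URL-format body, plus the mark."""
    url_fields, originals = json_to_url_fields(request["body"])
    converted = {"headers": dict(request["headers"]), "body": url_fields}
    converted["headers"][MARK_HEADER] = "json"
    return converted, originals


def engine_add_payload(request: dict, param: str, payload: str) -> dict:
    """Stand-in for the URL-format scanner engine (S308): append one test payload
    to one parameter. A real engine walks every parameter and every payload of
    the vulnerability type's payload group; this does one pair."""
    pairs = parse_qsl(request["body"], keep_blank_values=True)
    pairs = [(k, v + payload if k == param else v) for k, v in pairs]
    # keep the payload's (),@ readable, as in the page's example field
    return {"headers": dict(request["headers"]), "body": urlencode(pairs, safe="(),@")}


def second_conversion(request: dict, originals: dict) -> dict:
    """Second conversion module (S310): only a request carrying the mark is
    converted back, which is the check the claims describe before generating
    the second request message."""
    if request["headers"].get(MARK_HEADER) != "json":
        raise ValueError("request was not produced by the first conversion module")
    headers = {k: v for k, v in request["headers"].items() if k != MARK_HEADER}
    return {"headers": headers, "body": url_fields_to_json(request["body"], originals)}


def build_second_request(first_request: dict, param: str, payload: str) -> dict:
    """Whole chain S306 -> S308 -> S310 for one parameter/payload pair."""
    converted, originals = first_conversion(first_request)
    injected = engine_add_payload(converted, param, payload)
    return second_conversion(injected, originals)


# Constructed sample: the first request message of S301 above.
FIRST_REQUEST = {
    "headers": {"Content-Type": "application/json"},
    "body": '{"customerId":"","contactsMobile":"15678167514","contactsName":"tet","companyName":"123"}',
}
SQLI_PAYLOAD = ",updatexml(1,@@version,1)"   # the error-based probe used on the page

if __name__ == "__main__":
    print(first_conversion(FIRST_REQUEST)[0]["body"])
    print(build_second_request(FIRST_REQUEST, "contactsMobile", SQLI_PAYLOAD)["body"])
```

Two caveats a practitioner hits immediately with this scheme: a payload appended to a numeric or boolean JSON field necessarily turns it into a string, which a strictly typed server may reject before the payload ever reaches the vulnerable code, and nested objects or arrays are flattened to text here, so the engine cannot target their inner keys without a deeper flattening scheme.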
S311: the second conversion module sends the second request message to the web proxy.
S312: the web proxy sends the second request message to the server.
S313: the web proxy receives the second response message that the server sends for the second request message.
Specifically, one possible situation A is the following second response message:
Another possible situation B is the following second response message:
S314: the web proxy sends the second response message and the first response message to the vulnerability scanner engine.
S315: the vulnerability scanner engine determines whether a vulnerability exists according to the first response message, the second response message and the vulnerability judgement preset rules.
According to the vulnerability knowledge base, the difference between the response message to the second request message and the first response message is examined to determine whether the web application has a vulnerability.
In the above example, when the second response is situation A of S313, the second response message is found to differ from the first response message: the second response message contains SQL error information, namely ERRO: SELECT DISTINCT JSON.qrid FROM x2 AS JSON, x2 AS x2 WHERE JSON.contactsMobile IN (1,updatexml(1,@@version,1)) AND JSON.type='' AND JSON.number<='10' AND JSON.status=1 AND JSON.type=1: XPATH syntax error: '.16-log', and the error message contains database version information, namely '.16-log'. The vulnerability knowledge base records the vulnerability judgement preset rules; for the SQL injection vulnerability type, for example, the rule is: if the response message contains SQL error information and the error information contains database version information, a SQL injection vulnerability is judged to exist. It can therefore be determined that a SQL injection vulnerability exists.
When the second response is situation B of S313, the second response message is identical to the first response message, and it can be considered that no SQL injection vulnerability exists.
The above is illustrated with a single test payload. For a specific test type, the group of test payloads corresponding to that type can be added one by one to obtain a group of second response messages. As long as at least one second response message in the group differs from the first response message, the specific differing content is analysed in combination with the vulnerability judgement preset rules in the vulnerability knowledge base, and the presence of a vulnerability of that specific test type can be judged.
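The judgement step of S315, as an added example rather than code from the patent: a group of (payload, second response) pairs is walked, a second response identical to the first (situation B) is skipped, and only the content that differs from the first response is matched against the knowledge-base rule for SQL injection ("SQL error information that contains database version information"). The patent states that rule in words only; the regular expressions that implement it, the JSON wrappers around the sample responses, the request-id field that makes the "noise" response differ, and the one-quote probe in the payload group are this example's constructed assumptions. The SQL error text inside RESPONSE_A is taken from the page.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed vulnerability knowledge base. One rule = (error pattern, version
# pattern); both must match the differing content. These regexes are an assumed
# implementation of the page's wording, not the patent's own rule set.
SQL_ERROR_RE = re.compile(
    r"XPATH syntax error|You have an error in your SQL syntax|SQLSTATE\[|ORA-\d{5}",
    re.IGNORECASE,
)
# Version-like fragment such as "5.7.16-log", or the truncated ".16-log" that an
# updatexml() error leaks. Deliberately loose; it is only consulted once an
# SQL error pattern has already matched.
DB_VERSION_RE = re.compile(r"\d*\.\d+(?:\.\d+)?(?:-\w+)?")

KNOWLEDGE_BASE = {
    "sql_injection": [(SQL_ERROR_RE, DB_VERSION_RE)],
}


class Finding(NamedTuple):
    vuln_type: str
    payload: str
    error: str
    version: str


def differing_lines(first_response: str, second_response: str) -> list[str]:
    """Lines of the second response that do not occur in the first response,
    i.e. the 'specific differing content' the preset rule is applied to."""
    baseline = set(first_response.splitlines())
    return [line for line in second_response.splitlines() if line not in baseline]


def judge(first_response: str, second_responses: list[tuple[str, str]],
          vuln_type: str) -> Finding | None:
    """S315 for one vulnerability type over a whole payload group.

    A second response identical to the first (situation B) is no evidence and is
    skipped. A differing one (situation A) is only a finding if the differing
    content satisfies a rule; a difference caused by something unrelated to the
    payload (request ids, timestamps) therefore does not count.
    """
    for payload, second in second_responses:
        diff = "\n".join(differing_lines(first_response, second))
        if not diff:
            continue
        for error_re, version_re in KNOWLEDGE_BASE[vuln_type]:
            err = error_re.search(diff)
            ver = version_re.search(diff) if err else None
            if err and ver:
                return Finding(vuln_type, payload, err.group(0), ver.group(0))
    return None


# Constructed sample response bodies. The SQL error text is the one quoted on the
# page; the JSON wrapper and requestId field are assumptions.
FIRST_RESPONSE = '{"code":0,"msg":"ok","requestId":"r1"}'
RESPONSE_A = (
    '{"code":500,"msg":"ERRO: SELECT DISTINCT JSON.qrid FROM x2 AS JSON, x2 AS x2 '
    'WHERE JSON.contactsMobile IN (1,updatexml(1,@@version,1)) AND JSON.status=1 '
    'AND JSON.type=1: XPATH syntax error: \'.16-log\'","requestId":"r2"}'
)
RESPONSE_B = FIRST_RESPONSE                                  # situation B: identical
RESPONSE_NOISE = '{"code":0,"msg":"ok","requestId":"r3"}'   # differs, but not an error
PAYLOAD = ",updatexml(1,@@version,1)"


def run_example() -> Finding | None:
    """Payload group with two probes: a bare quote that yields situation B and
    the updatexml() probe that yields situation A."""
    group = [("'", RESPONSE_B), (PAYLOAD, RESPONSE_A)]
    return judge(FIRST_RESPONSE, group, "sql_injection")


if __name__ == "__main__":
    print(run_example())
```

Matching the rule against the differing content rather than treating any difference as a finding is what keeps dynamic fields (request ids, timestamps, CSRF tokens) from producing false positives; the price is that this rule only sees error-based injection, so blind injection needs additional boolean or time-based rules in the knowledge base.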
By adding, during vulnerability detection, the step of converting the JSON-format field in the first request message into a URL-format field, this embodiment allows the test payload to be added to the URL-format field without modifying the existing URL-format vulnerability scanner engine. The URL-format field carrying the test payload is converted back into JSON format to generate the second request message, which is sent to the server so that the server can parse it. The second response message the server returns for the second request message is compared with the first response message returned when the first request message is sent to the server directly, and, combined with the vulnerability judgement preset rules in the vulnerability knowledge base, a vulnerability detection result is obtained. Automated vulnerability detection of JSON-format traffic is thereby achieved, development cost is saved, and vulnerability detection efficiency is improved.
In the above-described embodiments, involved in each step to format conversion be exemplified below:
In S301, the field comprising JSON forms is as follows in the first request message:
{"customerId":"","contactsMobile":"15678167514",
"contactsName":"tet","companyName":"123"}
In S306, the first conversion module converts the JSON-format field of S301 into the following URL-format field:
"customerId=&contactsMobile=15678167514&contactsName=tet&companyName=123"
In S308, taking the error-based SQL injection vulnerability test as an example, a test payload is added. In this illustration ",updatexml(1,@@version,1)" is used as the test payload and is appended after the parameter contactsMobile; the URL-format field in the first request message after the addition is as follows:
"customerId=&contactsMobile=15678167514,updatexml(1,@@version,1)&contactsName=tet&companyName=123"
In S310, the second conversion module converts the URL-format field with the added test payload in the first request message into JSON format and generates the second request message; the JSON-format field contained in the second request message is as follows:
{"customerId":"","contactsMobile":"15678167514,updatexml(1,@@version,1)","contactsName":"tet","companyName":"123"}
Embodiment two
Fig. 4 is a flow diagram of embodiment two of the vulnerability detection method of the present application. Embodiment two differs from embodiment one in that the first response message is obtained by the vulnerability scanner engine sending the first request message without adding a test payload. Steps identical to those in Fig. 3 are described in detail under Fig. 3 and are not repeated for Fig. 4. As shown in Fig. 4:
S401: The browser/client sends the first request message to the web proxy.
S402: The web proxy obtains the first request message.
S403: The web proxy sends the first request message to the first conversion module.
S404: The first conversion module converts the JSON-format field in the first request message into a URL-format field.
S405: The first conversion module sends the format-converted first request message to the vulnerability scanner engine.
S406: The vulnerability scanner engine sends the format-converted first request message to the second conversion module.
Here the vulnerability scanner engine does not add a test payload to the first request message.
S407: The second conversion module converts the URL-format field in the first request message back into JSON format.
S408: The second conversion module sends the format-converted first request message to the web proxy.
S409: The web proxy sends the first request message received from the second conversion module to the server.
S410: The web proxy receives the first response message that the server sends for the first request message.
S411: The vulnerability scanner engine adds a test payload to the first request message.
S412: The vulnerability scanner engine sends the first request message with the added test payload to the second conversion module.
S413: The second conversion module converts the URL-format field with the added test payload in the first request message into JSON format and generates the second request message.
S414: The second conversion module sends the second request message to the web proxy.
S415: The web proxy sends the second request message to the server.
S416: The web proxy receives the second response message that the server sends for the second request message.
S417: The web proxy sends the second response message and the first response message to the vulnerability scanner engine.
S418: The vulnerability scanner engine determines whether a vulnerability exists according to the first response message, the second response message and the vulnerability judgment preset rules.
The execution order of S406-S410 and S411-S416 is not restricted: they may be performed simultaneously, S406-S410 may be performed first and then S411-S416, or S411-S416 may be performed first and then S406-S410; the present application does not limit this.
The implementation principle and technical effect of the present embodiment are similar to those of the technical solution of embodiment one and are not described again here.
Embodiment three
Embodiment three builds on embodiment one or embodiment two. Further, after performing the format conversion, the first conversion module additionally adds a format conversion mark to the first request message; before performing its format conversion, the second conversion module additionally determines that the first request message contains the format conversion mark.
In the present embodiment, the format conversion mark identifies whether format conversion has already been performed before the test payload is added, so that the conversion back to the original format is performed after the test payload is added, ensuring that communication proceeds normally.
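The following Python is an added example, not code from the patent or from its applicant. It sketches the message-side steps walked through under embodiment one (S306, S308 and S310, using the S301 field and the S308 test payload shown on the page), the format conversion mark of embodiment three, and the response comparison of S313/S418. The header name X-Format-Converted, the message dictionaries and all function names are assumptions; the patent specifies none of them.

```python
import json
from urllib.parse import parse_qsl, urlencode

# The patent does not name a concrete format conversion mark; this header
# name and value are assumptions made for the example.
CONVERSION_MARK_HEADER = "X-Format-Converted"
CONVERSION_MARK_VALUE = "json-to-url"


def json_field_to_url_field(message):
    """First conversion module (S306/S404): convert the JSON-format field of a
    request message into a URL-format field and add the conversion mark
    (embodiment three). Only flat JSON objects whose values are strings are
    handled; anything else is rejected rather than silently flattened."""
    fields = json.loads(message["body"])
    if not isinstance(fields, dict) or not all(
        isinstance(v, str) for v in fields.values()
    ):
        raise ValueError("only flat JSON objects with string values are supported")
    headers = dict(message["headers"])
    headers[CONVERSION_MARK_HEADER] = CONVERSION_MARK_VALUE
    return {"headers": headers, "body": urlencode(fields)}


def add_test_load(message, param, load):
    """Vulnerability scanner engine (S308/S411): append a test payload to the
    value of one parameter of the URL-format field. The field is re-encoded,
    so characters such as ',' '(' ')' '@' travel percent-encoded."""
    pairs = parse_qsl(message["body"], keep_blank_values=True)
    pairs = [(k, v + load if k == param else v) for k, v in pairs]
    return {"headers": dict(message["headers"]), "body": urlencode(pairs)}


def url_field_to_json_field(message):
    """Second conversion module (S310/S413): convert the URL-format field back
    into JSON format and generate the second request message. The conversion
    is only performed when the conversion mark is present; an unmarked message
    was never converted and is returned unchanged (embodiment three)."""
    headers = dict(message["headers"])
    if headers.pop(CONVERSION_MARK_HEADER, None) != CONVERSION_MARK_VALUE:
        return message
    fields = dict(parse_qsl(message["body"], keep_blank_values=True))
    return {"headers": headers, "body": json.dumps(fields, separators=(",", ":"))}


def find_differing_response(first_response, second_responses):
    """S313/S418: compare each second response message with the first response
    message. Identical responses (situation B) yield no finding; the first
    differing response is returned so the preset judgment rules can be
    applied to the difference."""
    for response in second_responses:
        if response != first_response:
            return True, response
    return False, None


# Constructed sample input: the first request message of S301 in the patent.
FIRST_REQUEST = {
    "headers": {"Content-Type": "application/json"},
    "body": '{"customerId":"","contactsMobile":"15678167514",'
    '"contactsName":"tet","companyName":"123"}',
}
# The test payload used in S308 of the patent.
TEST_LOAD = ",updatexml(1,@@version,1)"


def build_second_request(first_request=FIRST_REQUEST, param="contactsMobile",
                         load=TEST_LOAD):
    """Run the three message-side steps end to end: S306 -> S308 -> S310."""
    converted = json_field_to_url_field(first_request)
    loaded = add_test_load(converted, param, load)
    return url_field_to_json_field(loaded)


if __name__ == "__main__":
    print(json_field_to_url_field(FIRST_REQUEST)["body"])
    print(build_second_request()["body"])
```

Running the block prints the S306 URL-format field and the S310 JSON-format field exactly as they appear in the walkthrough above.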
Embodiment four
On the basis of the above embodiments, the first request message sent by the client to the server can also be obtained by the following possible implementations:
One possible implementation: the first request message sent to the server is obtained from the log of the server.
All first request messages sent by the browser or client can be recorded in the log of the server; therefore, the first request message sent to the server can be obtained from the log of the server. When the first request message is obtained from the log of the server, it is not necessary to manually trigger the sending of the first request message to the server.
Another possible implementation: the first request message sent to the server is obtained by way of bypass data monitoring.
Unlike obtaining the first request message sent to the server through the web proxy, bypass data monitoring is usually performed at a router.
The first request message sent to the server can be obtained by any of the above possible implementations.
Embodiment five
In each of the above embodiments, the first request message and the second request message are Hypertext Transfer Protocol (HTTP) messages.
Fig. 5 is a structural diagram of an embodiment of the vulnerability detection device of the present application. The device of the present embodiment includes an acquisition module 501, a format conversion module 502, a processing module 503, a sending module 504 and a receiving module 505. The acquisition module 501 is used to obtain the first request message sent to the server, the first request message containing a JSON-format field; the format conversion module 502 is used to convert the JSON-format field into a field of Uniform Resource Locator (URL) format; the processing module 503 is used to add a test payload in the URL-format field; the format conversion module 502 is further used to convert the URL-format field with the added test payload into JSON format and generate the second request message; the sending module 504 is used to send the second request message to the server; the receiving module 505 is used to receive the first response message sent by the server for the first request message and to receive the second response message sent by the server for the second request message; and the processing module 503 is further used to obtain the vulnerability detection result according to the first response message, the second response message and the vulnerability judgment preset rules.
The processing module 503 is specifically used to compare the second response message with the first response message and, in combination with the vulnerability judgment preset rules, obtain the vulnerability detection result.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment one or embodiment two; its implementation principle and technical effect are similar and are not described again here.
Optionally, in the embodiment shown in Fig. 5, the acquisition module 501 is specifically used to obtain the first request message sent to the server from the log of the server.
Optionally, in the embodiment shown in Fig. 5, the acquisition module 501 is specifically used to obtain the first request message sent to the server through a web proxy; the sending module 504 is specifically used to control the web proxy to send the first request message and the second request message to the server.
Optionally, in the embodiment shown in Fig. 5, the acquisition module 501 is specifically used to obtain the first request message sent to the server by way of bypass data monitoring.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment four; its implementation principle and technical effect are similar and are not described again here.
In the embodiment shown in Fig. 5, the processing module 503 is further used to add a format conversion mark to the first request message, and to determine that the first request message contains the format conversion mark.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment three; its implementation principle and technical effect are similar and are not described again here.
In the embodiment shown in Fig. 5, the first request message and the second request message are Hypertext Transfer Protocol (HTTP) messages.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment five; its implementation principle and technical effect are similar and are not described again here.
Fig. 6 is a structural diagram of another embodiment of the vulnerability detection device of the present application. The device of the present embodiment includes a processor 601, a transmission interface 602 and a receiving interface 603, where the transmission interface 602 and the receiving interface 603 are coupled to the processor 601. The processor 601 is used to obtain the first request message sent to the server, the first request message containing a JSON-format field; the processor 601 is further used to convert the JSON-format field into a field of Uniform Resource Locator (URL) format; the processor 601 is further used to add a test payload in the URL-format field; the processor 601 is further used to convert the URL-format field with the added test payload into JSON format and generate the second request message. The transmission interface 602 is used to send the second request message to the server. The receiving interface 603 is used to receive the first response message sent by the server for the first request message and to receive the second response message sent by the server for the second request message. The processor 601 is further used to obtain the vulnerability detection result according to the first response message, the second response message and the vulnerability judgment preset rules.
The processor 601 is specifically used to compare the second response message with the first response message and, in combination with the vulnerability judgment preset rules, obtain the vulnerability detection result.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment one or embodiment two; its implementation principle and technical effect are similar and are not described again here.
Optionally, in the embodiment shown in Fig. 6, the processor 601 is specifically used to obtain the first request message sent to the server from the log of the server.
Optionally, in the embodiment shown in Fig. 6, the processor 601 is specifically used to obtain the first request message sent to the server through a web proxy; the transmission interface 602 is specifically used to control the web proxy to send the second request message to the server.
Optionally, in the embodiment shown in Fig. 6, the processor 601 is specifically used to obtain the first request message sent to the server by way of bypass data monitoring.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment four; its implementation principle and technical effect are similar and are not described again here.
In the embodiment shown in Fig. 6, the processor 601 is further used to add a format conversion mark to the first request message, and to determine that the first request message contains the format conversion mark.
The device of the present embodiment can be used to perform the technical solution of the method shown in embodiment three; its implementation principle and technical effect are similar and are not described again here.
The present application may also provide a processor-readable storage medium storing program instructions, where the program instructions are used to cause the processor 601 to perform all or some of the steps of the vulnerability detection method in embodiments one to four above. The readable storage medium may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application and not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (20)

  1. A vulnerability detection method, characterised by comprising:
    obtaining a first request message sent to a server, the first request message containing a JSON-format field;
    converting the JSON-format field into a field of Uniform Resource Locator (URL) format;
    adding a test payload in the URL-format field;
    converting the URL-format field with the added test payload into JSON format and generating a second request message;
    sending the second request message to the server;
    receiving a first response message sent by the server for the first request message;
    receiving a second response message sent by the server for the second request message;
    obtaining a vulnerability detection result according to the first response message, the second response message and vulnerability judgment preset rules.
  2. The method according to claim 1, characterised in that the first request message and the second request message are both Hypertext Transfer Protocol (HTTP) messages.
  3. The method according to claim 1, characterised in that obtaining the first request message sent to the server comprises:
    obtaining the first request message sent to the server from a log of the server.
  4. The method according to claim 1, characterised in that obtaining the first request message sent to the server comprises:
    obtaining the first request message sent to the server through a web proxy;
    and sending the second request message to the server comprises:
    sending the second request message to the server through the web proxy.
  5. The method according to claim 1, characterised in that obtaining the first request message sent to the server comprises:
    obtaining the first request message sent to the server by way of bypass data monitoring.
  6. The method according to any one of claims 1-5, characterised in that, after converting the JSON-format field into the field of Uniform Resource Locator (URL) format, the method further comprises:
    adding a format conversion mark to the first request message;
    and before converting the URL-format field with the added test payload into JSON format and generating the second request message, the method further comprises:
    determining that the first request message contains the format conversion mark.
  7. The method according to claim 1, characterised in that obtaining the vulnerability detection result according to the first response message, the second response message and the vulnerability judgment preset rules comprises:
    comparing the second response message with the first response message and, in combination with the vulnerability judgment preset rules, obtaining the vulnerability detection result.
  8. A vulnerability detection device, characterised by comprising:
    an acquisition module, for obtaining a first request message sent to a server, the first request message containing a JSON-format field;
    a format conversion module, for converting the JSON-format field into a field of Uniform Resource Locator (URL) format;
    a processing module, for adding a test payload in the URL-format field;
    the format conversion module being further used to convert the URL-format field with the added test payload into JSON format and generate a second request message;
    a sending module, for sending the second request message to the server;
    a receiving module, for receiving a first response message sent by the server for the first request message;
    the receiving module being further used to receive a second response message sent by the server for the second request message;
    the processing module being further used to obtain a vulnerability detection result according to the first response message, the second response message and vulnerability judgment preset rules.
  9. The device according to claim 8, characterised in that the first request message and the second request message are both Hypertext Transfer Protocol (HTTP) messages.
  10. The device according to claim 8, characterised in that the acquisition module is specifically used to obtain the first request message sent to the server from a log of the server.
  11. The device according to claim 8, characterised in that the acquisition module is specifically used to obtain the first request message sent to the server through a web proxy; and the sending module is specifically used to control the web proxy to send the second request message to the server.
  12. The device according to claim 8, characterised in that the acquisition module is specifically used to obtain the first request message sent to the server by way of bypass data monitoring.
  13. The device according to any one of claims 8-12, characterised in that the processing module is further used to add a format conversion mark to the first request message;
    and the processing module is further used to determine that the first request message contains the format conversion mark.
  14. The device according to claim 8, characterised in that the processing module is specifically used to compare the second response message with the first response message and, in combination with the vulnerability judgment preset rules, obtain the vulnerability detection result.
  15. A vulnerability detection device, characterised by comprising:
    a processor, for obtaining a first request message sent to a server, the first request message containing a JSON-format field;
    the processor being further used to convert the JSON-format field into a field of Uniform Resource Locator (URL) format;
    the processor being further used to add a test payload in the URL-format field;
    the processor being further used to convert the URL-format field with the added test payload into JSON format and generate a second request message;
    a transmission interface, the transmission interface being coupled to the processor, for sending the second request message to the server;
    a receiving interface, the receiving interface being coupled to the processor, for receiving a first response message sent by the server for the first request message and receiving a second response message sent by the server for the second request message;
    the processor being further used to obtain a vulnerability detection result according to the first response message, the second response message and vulnerability judgment preset rules.
  16. The device according to claim 15, characterised in that the processor is specifically used to obtain the first request message sent to the server from a log of the server.
  17. The device according to claim 15, characterised in that the processor is specifically used to obtain the first request message sent to the server through a web proxy;
    and the transmission interface is specifically used to control the web proxy to send the second request message to the server.
  18. The device according to claim 15, characterised in that the processor is specifically used to obtain the first request message sent to the server by way of bypass data monitoring.
  19. The device according to any one of claims 15-18, characterised in that the processor is further used to add a format conversion mark to the first request message;
    and the processor is further used to determine that the first request message contains the format conversion mark.
  20. The device according to claim 15, characterised in that the processor is specifically used to compare the second response message with the first response message and, in combination with the vulnerability judgment preset rules, obtain the vulnerability detection result.
CN201610890539.8A 2016-10-12 2016-10-12 Vulnerability detection method and device Active CN107948120B (en)
Publications (2)

Publication Number Publication Date
CN107948120A true CN107948120A (en) 2018-04-20
CN107948120B CN107948120B (en) 2020-11-24
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant