CN108696490A - Method and device for identifying account permissions - Google Patents
Method and device for identifying account permissions
- Publication number: CN108696490A
- Application number: CN201710234539.7A
- Authority: CN (China)
- Prior art keywords: account, website under test, unauthorized access, response contents
- Legal status: Pending (the status is Google's assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H04L9/40: Network security protocols (under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
- H04L63/1433: Vulnerability analysis (under H04L63/14, network architectures or network communication protocols for detecting or protecting against malicious traffic)
- H04L9/32: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Abstract
The embodiments of the invention disclose a method for identifying account permissions, comprising: logging a first account in to the website under test and obtaining the first login state information of the first account; obtaining a preset scanning rule, the scanning rule including the test address of the website under test and a target account attribute type; modifying the first login state information according to the attribute value of a second account under the target account attribute type, obtaining second login state information; accessing the website under test with the second login state information and receiving the first response contents sent by the website under test; obtaining the characteristic information of the first response contents according to the matching rule defined in the scanning rule, and determining from the characteristic information and the matching rule whether the first account has gained unauthorized access. The embodiments also disclose a device for identifying account permissions. Using the embodiments, the efficiency of detecting unauthorized account access can be improved.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for identifying account permissions.
Background technology
As Internet technology develops, more and more applications and functions are realized over the Internet. At the same time, vulnerabilities that may leak user data or cause other security problems should be avoided as far as possible. Among the Internet vulnerabilities that exist today, the unauthorized-access vulnerability (越权漏洞, rendered by the machine translation as "going beyond one's commission") is a very important one.
An unauthorized-access vulnerability means that a website does not strictly separate permissions, so that user A can use certain methods or means to get past the permission controls protecting user B and perform sensitive operations such as stealing, modifying, adding or deleting information. For example, when a page is accessed by URL (Uniform Resource Locator), a design defect in the web program, such as passing a guessable parameter in the URL, means that changing the input parameter value may lead to horizontal unauthorized access and expose other people's private information.
Once an unauthorized-access vulnerability exists, an attacker can forge another person's identity to trade, pay, change passwords or obtain private information, which creates a serious risk to the security of user accounts. Any such vulnerability in the website under test must therefore be detected during the testing phase. In the detection methods commonly used today, detection is mainly done by professional penetration testers performing manual penetration tests: they perform permission identification for the different account systems of the website and check by technical means whether the website really distinguishes the permissions of different users. Performing permission identification on different account systems entirely by hand is not only inefficient and costly in manpower and resources, but also cannot guarantee that all accounts in the test scope are covered, i.e. that all vulnerabilities are detected.
In summary, existing detection methods for unauthorized-access vulnerabilities are time-consuming because they rely on manual detection, their detection is incomplete, and their efficiency is low.
Invention content
Based on this, and to solve the technical problems that existing detection methods for unauthorized-access vulnerabilities are time-consuming, incomplete and inefficient because they rely on manual detection, a method for identifying account permissions is proposed.
A method for identifying account permissions, comprising:
logging a first account in to the website under test and obtaining the first login state information of the first account;
obtaining a preset scanning rule, the scanning rule including the test address of the website under test and a target account attribute type;
modifying the first login state information according to the attribute value of a second account under the target account attribute type to obtain second login state information;
accessing the website under test with the second login state information and receiving the first response contents sent by the website under test;
obtaining the characteristic information of the first response contents according to the matching rule defined in the scanning rule, and determining from the characteristic information and the matching rule whether the first account has gained unauthorized access.
Optionally, in one embodiment, after obtaining the first login state information of the first account, the method further includes: accessing the website under test with the login state information of the first account and receiving second response contents sent by the website under test; and, if the second response contents contain the characteristic information of the first account, executing the step of obtaining the preset scanning rule.
Optionally, in one embodiment, determining from the characteristic information and the matching rule whether the first account has gained unauthorized access is: if the characteristic information of the second response contents matches the first account, determining that the first account has not gained unauthorized access; if the characteristic information of the second response contents matches the second account, determining that the first account has gained unauthorized access.
Optionally, in one embodiment, after receiving the second response contents sent by the website under test, the method further includes: if the second response contents do not contain the characteristic information of the first account, determining that the test address of the website under test has no account permission identification function, and switching to another test address of the website under test.
Optionally, in one embodiment, the login state information is a UIN code, a cookie or a session ID.
In addition, to solve the same technical problems of existing detection methods (time-consuming, incomplete and inefficient because of manual detection), a device for identifying account permissions is also proposed.
A device for identifying account permissions, comprising:
a login state information obtaining module, for logging a first account in to the website under test and obtaining the first login state information of the first account;
a scanning rule obtaining module, for obtaining a preset scanning rule, the scanning rule including the test address of the website under test and a target account attribute type;
a login state information modifying module, for modifying the first login state information according to the attribute value of a second account under the target account attribute type to obtain second login state information;
a response contents receiving module, for accessing the website under test with the second login state information and receiving the first response contents sent by the website under test;
an unauthorized-access judging module, for obtaining the characteristic information of the first response contents according to the matching rule defined in the scanning rule, and determining from the characteristic information and the matching rule whether the first account has gained unauthorized access.
Optionally, in one embodiment, the device further includes a test website detecting module, for accessing the website under test with the login state information of the first account and receiving second response contents sent by the website under test, and for calling the scanning rule obtaining module if the second response contents contain the characteristic information of the first account.
Optionally, in one embodiment, the unauthorized-access judging module is further used to determine that the first account has not gained unauthorized access if the characteristic information of the second response contents matches the first account, and to determine that the first account has gained unauthorized access if the characteristic information of the second response contents matches the second account.
Optionally, in one embodiment, the test website detecting module is further used to determine, if the second response contents do not contain the characteristic information of the first account, that the test address of the website under test has no account permission identification function, and to switch to another test address of the website under test.
Optionally, in one embodiment, the login state information is a UIN code, a cookie or a session ID.
In addition, to solve the same technical problems, a computer-readable storage medium is also proposed. Instructions are stored in the computer-readable storage medium which, when run on a computer, cause the computer to execute the above method for identifying account permissions.
Implementing the embodiments of the invention has the following advantages:
With the above method and device, when it is necessary to detect whether a website under test has an unauthorized account access vulnerability, the identity information in the login state information of the first account can be replaced, according to a preset scanning rule, with the identity information of the second account; data is then requested from the website under test, and the account characteristic information contained in the returned data is checked against the matching rule defined in the scanning rule to judge whether unauthorized account access has occurred. That is, testers no longer need to manually compare and change the identity parameters of accounts: according to the target account attribute type set in the scanning rule, the first account's attribute value under that type is automatically replaced with the second account's attribute value. The tester only needs to define the target account attribute type in the scanning rule, and the check for unauthorized account access is completed automatically, which reduces the time required for detection and improves its efficiency.
Description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings in the following description are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
In the drawings:
Fig. 1 is a flow diagram of a method for identifying account permissions in one embodiment;
Fig. 2 is a schematic diagram of the data transmission between the modules of the terminal that implements the method for identifying account permissions in one embodiment;
Fig. 3 is a flow diagram of a method for identifying account permissions in the prior art;
Fig. 4 is a flow diagram of a method for identifying account permissions in one embodiment;
Fig. 5 is a schematic structural diagram of a device for identifying account permissions in one embodiment;
Fig. 6 is a schematic structural diagram of the computer equipment that runs the above method for identifying account permissions in one embodiment.
Specific implementation
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the protection scope of the invention.
To solve the technical problems that existing detection methods for unauthorized-access vulnerabilities are time-consuming, incomplete and inefficient because they rely on manual detection, this embodiment proposes a method for identifying account permissions. The method can be implemented by a computer program running on a computer system based on the von Neumann architecture; the program can be a detection application for unauthorized account access vulnerabilities, and the computer system can be a server or a terminal such as a smartphone, tablet or PC that runs the program.
Specifically, as shown in Fig. 1, the method for identifying account permissions includes the following steps S102 to S110:
Step S102: log a first account in to the website under test and obtain the first login state information of the first account.
The website on which unauthorized account access detection is performed is the website under test. In this embodiment, when detection is needed for a website that contains multiple accounts, that website is the website under test.
The account that is checked for unauthorized access is the first account. Note that if every account on the website is to be checked for unauthorized access, all accounts can be traversed and steps S102 to S110 executed for each account traversed.
Whether account A has gained unauthorized access on the website under test means whether user A can, by certain methods or means, get past the permission controls protecting user B and view, modify, delete or add user B's information. In this embodiment, the question is whether data belonging to the second account can be accessed under the first account.
The first account logs in to the website under test using authentication information such as its account name and password; that is, the website under test is accessed in the terminal's app or browser under the identity of the logged-in first account. Whether the user currently has permission to access certain data, or to modify the data being accessed, is determined by whether the logged-in first account has the corresponding permission.
After the first account has logged in successfully, its login state information is obtained. The login state information can be a UIN (Unique Identification Number) code corresponding to the first account, cookie information, or a session ID: data uniquely corresponding to the identity of the first account, which can be used to verify the identity of the current account.
Specifically, the UIN code is the authentication code assigned to the registrant when the account is registered; once allocated it is permanent and cannot be changed, unless a change of the registrant's identity causes the UIN to be deleted. The UIN code corresponding to the first account is therefore fixed and differs from the UIN codes of other users. The UIN code uniquely identifies the currently logged-in account; if the logged-in account is changed or tampered with, the UIN code changes with it.
A cookie is data that a website stores on the user's local terminal (browser cache) to distinguish user identities. When the website is accessed, the cookie is sent to the server together with the HTTP request, and the server looks up in its database the user identity information or user authentication information matching the cookie. If the cookie changes, the user identity information that the server finds for it also changes.
A session ID is an identifier generated when the server creates a session for the first account's request; the session is a data block stored on the server that holds the first account's authentication information. With the session ID the server can find the corresponding session in its session list and then determine the associated authentication information. Once the session ID is changed or tampered with, the server either fails to find the user authentication information or finds different information.
In summary, the login state information uniquely determines the current account; if the login state information changes, the corresponding account also changes. In this embodiment the login state information can be a UIN code, cookie information, a session ID, or any combination of one or more parameters that identify the user.
In this embodiment, obtaining the login state information can be implemented through a login state pulling interface function. For example, the cookie held by the first account after login is obtained through the login state pulling interface function.
Step S104: obtain a preset scanning rule, the scanning rule including the test address of the website under test and a target account attribute type.
In this embodiment, after the login state information of the first account has been obtained through the login state pulling interface, a scanner sends an access request for the website under test to the server and judges from the data returned by the website whether the first account has gained unauthorized access. A scanner is a program that automatically detects security weaknesses of local or remote hosts; it can quickly and accurately find vulnerabilities in the scanned target and present the scan results to the user. It works by sending packets to the target computer and determining from the feedback sensitive information such as the operating system type, open ports and services offered.
Specifically, in this embodiment the test address corresponding to the website under test, i.e. the access address, is determined first. The target account attribute type that the scanner needs in order to judge whether the first account gains unauthorized access must also be determined. The target account attribute type is one or more specified attribute items among the attribute items contained in the login state information. For example, when the login state information of the first account contains the UIN code, the account number and the account nickname of the first account, the target account attribute type is one or more of the UIN code, the account number and the account nickname.
Step S106: modify the first login state information according to the attribute value of the second account under the target account attribute type to obtain second login state information.
As mentioned above, in this embodiment it must be judged whether the first account can access data under the second account, or perform some function operation, without authorization. The second account can be an account associated with the first account, or any account on the website under test.
After the target account attribute type has been determined, the second account's attribute value under that type is determined, and among the attribute items contained in the first login state information of the first account, the value of the item corresponding to the target account attribute type is replaced with the second account's attribute value under that type, giving the second login state information.
For example, when the target account attribute type is the UIN code, the UIN code in the first login state information is replaced with the UIN code corresponding to the second account.
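The attribute replacement of step S106, written out as an added example (this is not code from the patent; the attribute names uin, nick and sid, the cookie-style layout of the login state and all values are constructed for the demonstration). The login state is treated as a Cookie-header style string, split into ordered attribute items, and only the items named by the target account attribute type are replaced; the scanning rule is rejected if it names an attribute the login state does not contain, and a diff helper confirms that nothing else changed.

```python
from typing import Dict, List, Tuple


def parse_login_state(login_state: str) -> List[Tuple[str, str]]:
    """Split a Cookie-header style login state ('k1=v1; k2=v2') into ordered
    (attribute, value) pairs. Order is kept so that the rebuilt string differs
    from the original only in the replaced attribute(s)."""
    items: List[Tuple[str, str]] = []
    for part in login_state.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        items.append((name.strip(), value.strip()))
    return items


def serialize_login_state(items: List[Tuple[str, str]]) -> str:
    """Rebuild the Cookie-header style string from ordered attribute items."""
    return "; ".join(f"{name}={value}" for name, value in items)


def missing_target_attributes(first_login_state: str,
                              target_attribute_types: List[str]) -> List[str]:
    """The target account attribute type must name attribute items that the login
    state actually contains; report any that are absent so the rule can be fixed."""
    present = {name for name, _ in parse_login_state(first_login_state)}
    return [t for t in target_attribute_types if t not in present]


def build_second_login_state(first_login_state: str,
                             target_attribute_types: List[str],
                             second_account: Dict[str, str]) -> str:
    """Step S106: replace the value of every target attribute type with the second
    account's value, leaving all other attributes (e.g. the session id) untouched."""
    missing = missing_target_attributes(first_login_state, target_attribute_types)
    if missing:
        raise ValueError(f"target attribute type(s) not present in login state: {missing}")
    targets = set(target_attribute_types)
    rebuilt = [(name, second_account[name] if name in targets else value)
               for name, value in parse_login_state(first_login_state)]
    return serialize_login_state(rebuilt)


def changed_attributes(first_login_state: str, second_login_state: str) -> List[str]:
    """Names of attributes whose value differs between the two login states; used to
    confirm that only the intended target attribute types were modified."""
    first = dict(parse_login_state(first_login_state))
    second = dict(parse_login_state(second_login_state))
    return [name for name in first if first[name] != second.get(name)]


if __name__ == "__main__":
    FIRST = "uin=1001; nick=alice; sid=s-first-3f9a"   # constructed first login state
    SECOND_ACCOUNT = {"uin": "1002", "nick": "bob"}     # constructed second-account values
    second = build_second_login_state(FIRST, ["uin"], SECOND_ACCOUNT)
    print(second, changed_attributes(FIRST, second))
```

Keeping the session id untouched is the point of the step: the second login state is the first account's real session with one identity attribute swapped, so a server that derives identity from the session rather than from the swapped attribute will still answer for the first account.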
Step S108: access the website under test with the second login state information and receive the first response contents sent by the website under test.
In this embodiment, accessing the website under test with the first login state information means accessing it with the identity and permissions of the first account and performing operations within those permissions.
When the website under test is accessed with the second login state information, only the attribute value under the target account attribute type has been changed to the second account's value; all other information is unmodified, and the second account has not actually logged in to the website under test. The contents returned by the server of the website under test in this case fall into the following situations:
First, when the server receives the access request it verifies the relevant information contained in the carried second login state information, for example performing an identity check on the UIN code in the login state information and determining that the account corresponding to the UIN code is the second account; the returned content is therefore related to the second account.
Second, when the server receives the access request it does not verify the attribute value under the target account attribute type in the carried second login state information; because the server does not know that the login state information relates to the second account, the returned content is unrelated to the second account, that is, the server continues to operate with the permissions of the first account.
Specifically, judging whether the first account has gained unauthorized access is step S110: obtain the characteristic information of the first response contents according to the matching rule defined in the scanning rule, and determine from the characteristic information and the matching rule whether the first account has gained unauthorized access.
Because detecting unauthorized account access requires a comprehensive check of each attribute of the account, the target account attribute type in the scanning rule is determined according to the actual detection needs.
In addition, the scanning rule contains not only the target account attribute type but also the matching rule used when analyzing the response contents returned by the server to judge whether the account has gained unauthorized access.
In this embodiment, not all of the content returned by the server is compared and verified, but only the part that can determine whether the account has gained unauthorized access. For example, in one specific embodiment, after a user logs in to the website, the page view shows an identifier corresponding to the logged-in account (for example, "Hi, Apple!"), from which the user can tell which account the current page view belongs to. In this case only the account name shown in the page view needs to be judged in order to know which account corresponds to the login state information behind that page view.
In one specific embodiment, the characteristic information of the first response contents is obtained according to the characteristic information of the response contents that the matching rule specifies must be obtained, and it is then determined from this characteristic information and the matching rule whether the first account has gained unauthorized access.
For example, the process of determining whether the first account has gained unauthorized access is: if the characteristic information of the second response contents matches the first account, determine that the first account has not gained unauthorized access; if the characteristic information of the second response contents matches the second account, determine that the first account has gained unauthorized access.
That is, when an access request to the website under test is initiated with the second login state information, if the preset characteristic information in the response contents returned by the server matches the first account, the first account has not gained unauthorized access; if the preset characteristic information in the returned response contents does not match the first account, for example if it matches the second account, the first account has gained unauthorized access.
For example, the characteristic information reflects the identity information of the request initiator that the server determines while judging the initiator's identity and permissions after receiving the HTTP request, such as the initiator's UIN code. If the UIN code contained in the characteristic information of the returned response contents corresponds to the first account, the characteristic information is determined to match the first account; conversely, if the UIN code contained in the characteristic information of the returned response contents corresponds to the second account, the characteristic information is determined to match the second account.
Fig. 2 illustrates the interaction between the terminal implementing the above method for identifying account permissions and the website under test (target website). After the registered first account logs in to the website under test on the terminal, the login state information of the logged-in first account is obtained through the login state pulling interface and sent to the scanner. The scanner packages the login state information and payload data such as the address of the website under test into the corresponding HTTP request, sends it to the server of the website under test, and receives the data returned by the server. The scanner then analyzes the received data to determine whether an unauthorized-access vulnerability exists. The rules the scanner follows when generating the HTTP request and when analyzing the returned data are the scanning rule corresponding to the scanner, which is provided and set by a rule engine connected to the scanner.
Further, in this embodiment, before detecting whether the first account can gain unauthorized access to data corresponding to the second account, it is also necessary to judge whether the current site has an account identification function at all. For example, if all users of the website under test are granted access or operating rights to all of its data, or if no account verification or permission check is performed when any account requests or operates on that data, then there is no question of unauthorized account access.
As shown in Fig. 3, Fig. 3 illustrates a flow diagram of the method of identifying account permissions: before judging whether the first account exceeds its permissions, it is also necessary to judge whether the test address supports detecting and judging account override at all.
Specifically, in one embodiment, after the first login state information of the first account is obtained, the method further includes: accessing the website to be tested with the login state information of the first account and receiving the second response content sent by the website to be tested; if the second response content contains the characteristic information of the first account, executing the step of obtaining the preset scanning rule; if the second response content does not contain the characteristic information of the first account, determining that the test address of the website to be tested has no account permission identification function and switching the test address of the website to be tested.
That is, if the website to be tested has no logic that makes permission decisions based on the account, then there is no subsequent override decision logic either, and the response content returned by the server of the website to be tested when it is accessed with the login state information of the first account should not contain any data associated with the first account. Therefore, when the website to be tested is accessed with the login state information of the first account and the response content it returns contains no characteristic information corresponding to the first account, there is no need to continue the account override detection of the website to be tested, and execution of the method simply stops.
In one embodiment, the website to be tested is a shopping website, and the test address of the website to be tested determined in step S104 is a product link on the shopping website. In general, the address corresponding to a product link on a shopping website does not need to verify the identity of the user. If in this case the response message returned by the server contains no characteristic information corresponding to the first account, the test address of the website to be tested is considered to have no account override detection function and the test address needs to be switched, for example to a test address that does require the user's identity to be verified, such as the account entry address or a payment link of the website to be tested, after which steps S102 to S110 are executed again.
That is, the fact that one test address of the website to be tested has no account permission detection function does not mean that none of the test addresses of the website has one. To avoid overlooking account override vulnerabilities that may exist at other addresses because of the result at a single test address, it is necessary to switch to other test addresses of the website to be tested and carry out account override detection there.
Conversely, if the returned response content contains characteristic information corresponding to the first account, the website to be tested does have logic that verifies the identity of the account, so whether an override occurs can be judged further: steps S104 to S110 are subsequently executed to judge whether the first account exceeds its permissions.
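The pre-check for an account identification function (Fig. 3) and the override decision of steps S104 to S110, as an added example in Python that is not part of the patent or of any implementation of it. The website to be tested is modelled as an in-memory dictionary of handlers: one deliberately vulnerable order page that trusts the `uin` attribute carried in the login state, one hardened order page that derives the account from the server-side session, and one product page that carries no account data. The scanning rule, the handlers, the account values and all function names are constructed for the illustration; the matching rule is written as a regular expression, which is one possible form of the matching rule the page leaves unspecified.

```python
import re

# Constructed mock of the website to be tested (assumption, not a real site).
# The server-side session table maps a session ID to the account's UIN code.
SESSIONS = {"sess-A": "uin_1001", "sess-B": "uin_2002"}
ORDERS = {"uin_1001": "order-1 (alice)", "uin_2002": "order-2 (bob)"}


def vulnerable_orders(state):
    """Order page that trusts the client-supplied 'uin' attribute of the
    login state: whoever changes 'uin' is shown another account's orders."""
    return f"<p>UIN:{state['uin']}</p><p>{ORDERS[state['uin']]}</p>"


def hardened_orders(state):
    """Order page that resolves the account from the server-side session
    and ignores the 'uin' attribute, so changing it has no effect."""
    uin = SESSIONS[state["session_id"]]
    return f"<p>UIN:{uin}</p><p>{ORDERS[uin]}</p>"


def goods_page(state):
    """Product link: needs no identity check and returns no account data."""
    return "<p>Product 42, price 9.99</p>"


VULNERABLE_SITE = {"/orders": vulnerable_orders, "/goods/42": goods_page}
HARDENED_SITE = {"/orders": hardened_orders, "/goods/42": goods_page}

# Login state information of the two registered accounts (constructed values).
FIRST_STATE = {"session_id": "sess-A", "uin": "uin_1001"}
SECOND_STATE = {"session_id": "sess-B", "uin": "uin_2002"}

# Scanning rule as the page describes it: the test address, the target account
# attribute type whose value is swapped, and a matching rule (here a regular
# expression, an assumption) that extracts the characteristic information.
SCAN_RULE = {
    "test_address": "/orders",
    "target_account_attribute": "uin",
    "match_rule": r"UIN:(uin_\d+)",
}


def request(site, address, login_state):
    """Stand-in for the HTTP request the scanner sends to the website."""
    return site[address](login_state)


def extract_feature(response, rule):
    """Apply the matching rule to the response body; None if nothing matches."""
    match = re.search(rule["match_rule"], response)
    return match.group(1) if match else None


def has_account_identification(site, first_state, rule):
    """Pre-check (Fig. 3): accessed with the first account's own login state,
    the test address must return the first account's characteristic information."""
    response = request(site, rule["test_address"], first_state)
    attr = rule["target_account_attribute"]
    return extract_feature(response, rule) == first_state[attr]


def detect_override(site, first_state, second_state, rule):
    """Full check for one test address. Returns one of
    'no_account_identification' (switch the test address),
    'not_exceeded', 'exceeded' or 'undetermined'."""
    if not has_account_identification(site, first_state, rule):
        return "no_account_identification"
    attr = rule["target_account_attribute"]
    # Second login state: the first account's state with only the target
    # attribute replaced by the second account's value (step S106).
    second_login_state = dict(first_state, **{attr: second_state[attr]})
    response = request(site, rule["test_address"], second_login_state)
    feature = extract_feature(response, rule)
    if feature == first_state[attr]:
        return "not_exceeded"
    if feature == second_state[attr]:
        return "exceeded"
    return "undetermined"


def scan(site, first_state, second_state, rule, test_addresses):
    """Try each candidate test address in turn, so that a product page without
    account identification does not hide a defect at another address."""
    return {
        address: detect_override(site, first_state, second_state,
                                 dict(rule, test_address=address))
        for address in test_addresses
    }


if __name__ == "__main__":
    for name, site in (("vulnerable", VULNERABLE_SITE), ("hardened", HARDENED_SITE)):
        print(name, scan(site, FIRST_STATE, SECOND_STATE, SCAN_RULE,
                         ["/goods/42", "/orders"]))
```

Against the vulnerable site the product page yields `no_account_identification` and the order page yields `exceeded`; against the hardened site the order page yields `not_exceeded`, because the server never consults the swapped attribute. The `undetermined` branch covers a response whose characteristic information matches neither account, which a scanner should report rather than silently treat as safe.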
In the related art, as shown in Fig. 4, Fig. 4 shows a schematic diagram of a process for detecting whether an account has an override vulnerability. Specifically, the tester logs in with account A, initiates a data operation request and intercepts the request packet, replaces the identity in the request packet corresponding to A with the identity corresponding to B, submits the modified request and judges from the content returned by the website whether the operation succeeded; if it did, a vulnerability is flagged, otherwise no vulnerability exists. This requires the tester to compare the identification parameters of the two accounts A and B manually and to make sure that every identification parameter in the data operation request of account A has been changed to the corresponding value of account B, which takes a substantial amount of time.
With the embodiment of the present invention, by contrast, the tester does not need to compare and modify the identification parameters of the accounts manually: the attribute value of the first account under the target account attribute type is replaced automatically with the attribute value of the second account according to the target account attribute type specified in the scanning rule. In other words, the tester only needs to define the target account attribute type in the scanning rule for the detection of whether the account has an override vulnerability to be completed automatically, which reduces the time consumed by account override detection and improves its efficiency.
In addition, to solve the technical problems that override vulnerability detection methods in the prior art, because they rely on manual detection, are time-consuming, detect vulnerabilities incompletely and are prone to missing them, in one embodiment, as shown in Fig. 5, a device for identifying account permissions is also proposed. It includes a login state information obtaining module 102, a scanning rule obtaining module 104, a login state information modifying module 106, a response content receiving module 108 and an override judging module 110, wherein:
the login state information obtaining module 102 is configured to log in to the website to be tested with the first account and obtain the first login state information of the first account;
the scanning rule obtaining module 104 is configured to obtain a preset scanning rule, the scanning rule including the test address of the website to be tested and the target account attribute type;
the login state information modifying module 106 is configured to modify the first login state information according to the attribute value of the second account under the target account attribute type, obtaining the second login state information;
the response content receiving module 108 is configured to access the website to be tested with the second login state information and receive the first response content sent by the website to be tested;
the override judging module 110 is configured to obtain the characteristic information of the first response content according to the matching rule defined in the scanning rule, and to determine whether the first account exceeds its permissions according to the characteristic information and the matching rule.
Optionally, in one embodiment, as shown in Fig. 5, the above device further includes a test website detecting module 112, configured to access the website to be tested with the login state information of the first account and receive the second response content sent by the website to be tested, and, if the second response content contains the characteristic information of the first account, to invoke the scanning rule obtaining module 104.
Optionally, in one embodiment, the override judging module 110 is further configured to determine that the first account does not exceed its permissions if the characteristic information of the second response content matches the first account, and to determine that the first account exceeds its permissions if the characteristic information of the second response content matches the second account.
Optionally, in one embodiment, the test website detecting module 112 is further configured, if the second response content does not contain the characteristic information of the first account, to determine that the test address of the website to be tested has no account permission identification function and to switch the test address of the website to be tested.
Optionally, in one embodiment, the login state information is a UIN code, a cookie or a session ID.
Implementing the embodiment of the present invention has the following advantages:
With the above method and device for identifying account permissions, when a website to be tested needs to be checked for account override vulnerabilities, the identity information in the login state information corresponding to the first account can be replaced with the identity information corresponding to the second account according to the preset scanning rule, data is then requested from the website to be tested, and whether an account override has occurred is judged from the account characteristic information contained in the data returned by the website to be tested, according to the matching rule defined in the scanning rule. That is, with the embodiment of the present invention the tester does not need to compare and modify the identification parameters of the accounts manually: the attribute value of the first account under the target account attribute type is replaced automatically with the attribute value of the second account according to the target account attribute type specified in the scanning rule. The tester only needs to define the target account attribute type in the scanning rule for the detection of whether the account has an override vulnerability to be completed automatically, which reduces the time required for account override detection and improves its efficiency.
In one embodiment, as shown in Fig. 6, Fig. 6 illustrates a terminal, based on a computer system of the von Neumann architecture, that runs the above method of identifying account permissions. The computer system can be a terminal device such as a smartphone, tablet computer, handheld computer, laptop or PC. Specifically, it may include an external input interface 1001, a processor 1002, a memory 1003 and an output interface 1004 connected by a system bus. The external input interface 1001 may optionally include at least a network interface 10012. The memory 1003 may include an external memory 10032 (such as a hard disk, optical disc or floppy disk) and an internal memory 10034. The output interface 1004 may include at least a device such as a display screen 10042.
In this embodiment, the method runs as a computer program whose program file is stored in the external memory 10032 of the aforementioned von Neumann computer system, is loaded into the internal memory 10034 at run time, and is then compiled into machine code and passed to the processor 1002 for execution, so that the von Neumann computer system logically forms the login state information obtaining module 102, the scanning rule obtaining module 104, the login state information modifying module 106, the response content receiving module 108, the override judging module 110 and the test website detecting module 112. While the above method of identifying account permissions is executed, the input parameters are received through the external input interface 1001 and transferred to the memory 1003 for caching, then fed into the processor 1002 for processing; the resulting data is either cached in the memory 1003 for subsequent processing or passed to the output interface 1004 for output.
Specifically, the processor 1002 is configured to execute the following operations:
logging in to the website to be tested with the first account and obtaining the first login state information of the first account;
obtaining a preset scanning rule, the scanning rule including the test address of the website to be tested and the target account attribute type;
modifying the login state information according to the second account, obtaining the second login state information;
accessing the website to be tested with the second login state information and receiving the first response content sent by the website to be tested;
obtaining the characteristic information of the first response content according to the matching rule defined in the scanning rule, and determining whether the first account exceeds its permissions according to the characteristic information and the matching rule.
Optionally, in one embodiment, the processor 1002 is further configured to access the website to be tested with the login state information of the first account and receive the second response content sent by the website to be tested, and, if the second response content contains the characteristic information of the first account, to execute the step of obtaining the preset scanning rule.
Optionally, in one embodiment, the processor 1002 is further configured to determine that the first account does not exceed its permissions if the characteristic information of the second response content matches the first account, and to determine that the first account exceeds its permissions if the characteristic information of the second response content matches the second account.
Optionally, in one embodiment, the processor 1002 is further configured, if the second response content does not contain the characteristic information of the first account, to determine that the test address of the website to be tested has no account permission identification function and to switch the test address of the website to be tested.
The above disclosure describes only the preferred embodiments of the present invention and certainly cannot limit the scope of the rights of the present invention; equivalent changes made in accordance with the claims of the present invention therefore still fall within the scope of the present invention.
Claims (11)
1. A method of identifying account permissions, characterized in that it includes:
logging in to a website to be tested with a first account and obtaining first login state information of the first account;
obtaining a preset scanning rule, the scanning rule including a test address of the website to be tested and a target account attribute type;
modifying the login state information according to a second account, obtaining second login state information;
accessing the website to be tested with the second login state information and receiving first response content sent by the website to be tested;
obtaining characteristic information of the first response content according to a matching rule defined in the scanning rule, and determining whether the first account exceeds its permissions according to the characteristic information and the matching rule.
2. The method of identifying account permissions according to claim 1, characterized in that, after obtaining the first login state information of the first account, the method further includes:
accessing the website to be tested with the login state information of the first account and receiving second response content sent by the website to be tested;
if the second response content contains the characteristic information of the first account, executing the step of obtaining the preset scanning rule.
3. The method of identifying account permissions according to claim 1, characterized in that determining whether the first account exceeds its permissions according to the characteristic information and the matching rule is:
if the characteristic information of the second response content matches the first account, determining that the first account does not exceed its permissions;
if the characteristic information of the second response content matches the second account, determining that the first account exceeds its permissions.
4. The method of identifying account permissions according to claim 2, characterized in that, after receiving the second response content sent by the website to be tested, the method further includes:
if the second response content does not contain the characteristic information of the first account, determining that the test address of the website to be tested has no account permission identification function and switching the test address of the website to be tested.
5. The method of identifying account permissions according to any one of claims 1 to 4, characterized in that the login state information is a UIN code, a cookie or a session ID.
6. A device for identifying account permissions, characterized in that it includes:
a login state information obtaining module, configured to log in to a website to be tested with a first account and obtain first login state information of the first account;
a scanning rule obtaining module, configured to obtain a preset scanning rule, the scanning rule including a test address of the website to be tested and a target account attribute type;
a login state information modifying module, configured to modify the first login state information according to an attribute value of a second account under the target account attribute type, obtaining second login state information;
a response content receiving module, configured to access the website to be tested with the second login state information and receive first response content sent by the website to be tested;
an override judging module, configured to obtain characteristic information of the first response content according to a matching rule defined in the scanning rule, and to determine whether the first account exceeds its permissions according to the characteristic information and the matching rule.
7. The device for identifying account permissions according to claim 6, characterized in that the device further includes a test website detecting module, configured to access the website to be tested with the login state information of the first account and receive second response content sent by the website to be tested, and, if the second response content contains the characteristic information of the first account, to invoke the scanning rule obtaining module.
8. The device for identifying account permissions according to claim 6, characterized in that the override judging module is further configured to determine that the first account does not exceed its permissions if the characteristic information of the second response content matches the first account, and to determine that the first account exceeds its permissions if the characteristic information of the second response content matches the second account.
9. The device for identifying account permissions according to claim 7, characterized in that the test website detecting module is further configured, if the second response content does not contain the characteristic information of the first account, to determine that the test address of the website to be tested has no account permission identification function and to switch the test address of the website to be tested.
10. The device for identifying account permissions according to any one of claims 6 to 9, characterized in that the login state information is a UIN code, a cookie or a session ID.
11. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium which, when run on a computer, cause the computer to execute the above method of identifying account permissions.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710234539.7A CN108696490A (en) | 2017-04-11 | 2017-04-11 | The recognition methods of account permission and device |
PCT/CN2018/082355 WO2018188558A1 (en) | 2017-04-11 | 2018-04-09 | Method and apparatus for identifying account permission |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710234539.7A CN108696490A (en) | 2017-04-11 | 2017-04-11 | The recognition methods of account permission and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108696490A true CN108696490A (en) | 2018-10-23 |
Family
ID=63793125
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710234539.7A Pending CN108696490A (en) | 2017-04-11 | 2017-04-11 | The recognition methods of account permission and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108696490A (en) |
WO (1) | WO2018188558A1 (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111241547A (en) * | 2018-11-28 | 2020-06-05 | 阿里巴巴集团控股有限公司 | Detection method, device and system for unauthorized vulnerability |
CN111241547B (en) * | 2018-11-28 | 2023-05-12 | 阿里巴巴集团控股有限公司 | Method, device and system for detecting override vulnerability |
CN110084044A (en) * | 2019-03-14 | 2019-08-02 | 深圳壹账通智能科技有限公司 | Method and related device for automatically testing horizontal override vulnerabilities |
CN109902022A (en) * | 2019-03-14 | 2019-06-18 | 深圳壹账通智能科技有限公司 | Method and related device for automatically testing vertical override vulnerabilities |
WO2020181841A1 (en) * | 2019-03-14 | 2020-09-17 | 深圳壹账通智能科技有限公司 | Method for automatically testing horizontal over-permission vulnerabilities and related device |
CN110572417A (en) * | 2019-10-22 | 2019-12-13 | 腾讯科技(深圳)有限公司 | Method, apparatus, server and storage medium for providing login ticket |
CN110881032B (en) * | 2019-11-06 | 2022-02-22 | 国网浙江武义县供电有限公司 | Identification method and device for unauthorized account operation |
CN110881032A (en) * | 2019-11-06 | 2020-03-13 | 国网浙江武义县供电有限公司 | Identification method and device for unauthorized account operation |
CN111125718A (en) * | 2019-12-24 | 2020-05-08 | 北京三快在线科技有限公司 | Unauthorized vulnerability detection method, device, equipment and storage medium |
CN111324539A (en) * | 2020-02-28 | 2020-06-23 | 深圳壹账通智能科技有限公司 | Account switching test method and system |
CN111683047A (en) * | 2020-04-30 | 2020-09-18 | 中国平安财产保险股份有限公司 | Unauthorized vulnerability detection method and device, computer equipment and medium |
CN111683047B (en) * | 2020-04-30 | 2023-05-30 | 中国平安财产保险股份有限公司 | Unauthorized vulnerability detection method, device, computer equipment and medium |
CN113986956A (en) * | 2021-12-29 | 2022-01-28 | 深圳红途科技有限公司 | Data exception query analysis method and device, computer equipment and storage medium |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110287660A (en) * | 2019-05-21 | 2019-09-27 | 深圳壹账通智能科技有限公司 | Access right control method, device, equipment and storage medium |
CN111414614B (en) * | 2020-03-20 | 2024-04-05 | 上海中通吉网络技术有限公司 | Override detection method and auxiliary device |
CN112464250A (en) * | 2020-12-15 | 2021-03-09 | 光通天下网络科技股份有限公司 | Method, device and medium for automatically detecting unauthorized vulnerability |
CN113014448B (en) * | 2021-02-23 | 2022-09-30 | 深信服科技股份有限公司 | Login state rule extraction method and device and electronic equipment |
CN113590461B (en) * | 2021-06-01 | 2024-04-23 | 的卢技术有限公司 | Test method for realizing override of automobile user data based on fidder |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020010855A1 (en) * | 2000-03-03 | 2002-01-24 | Eran Reshef | System for determining web application vulnerabilities |
CN101964025A (en) * | 2009-07-23 | 2011-02-02 | 中联绿盟信息技术(北京)有限公司 | XSS (Cross Site Scripting) detection method and device |
US20140137228A1 (en) * | 2012-11-15 | 2014-05-15 | Qualys, Inc. | Web application vulnerability scanning |
CN104519070A (en) * | 2014-12-31 | 2015-04-15 | 北京奇虎科技有限公司 | Method and system for detecting website permission vulnerabilities |
CN105357195A (en) * | 2015-10-30 | 2016-02-24 | 深圳市深信服电子科技有限公司 | Unauthorized web access vulnerability detecting method and device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8191117B2 (en) * | 2007-10-25 | 2012-05-29 | Anchorfree, Inc. | Location-targeted online services |
CN106470132B (en) * | 2015-08-19 | 2019-09-17 | 阿里巴巴集团控股有限公司 | Horizontal permission test method and device |
2017
- 2017-04-11 CN CN201710234539.7A patent/CN108696490A/en active Pending
2018
- 2018-04-09 WO PCT/CN2018/082355 patent/WO2018188558A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2018188558A1 (en) | 2018-10-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | Application publication date: 2018-10-23 |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |