CN108769074A - Web server security testing method and system - Google Patents

Web server security testing method and system

Info

Publication number: CN108769074A
Authority: CN (China)
Prior art keywords: configuration, security, web server, test, configuration file
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN201810729694.0A
Other languages: Chinese (zh)
Other versions: CN108769074B (en)
Inventor: 徐潇
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (as listed by Google Patents)
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2018-07-05
Filing date: 2018-07-05
Publication date: 2018-11-06 (granted version CN108769074B: 2021-02-09)
Application filed by Zhengzhou Yunhai Information Technology Co Ltd; priority to CN201810729694.0A; publication of CN108769074A; application granted; publication of CN108769074B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/083 Authentication of entities using passwords
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer


Abstract

An embodiment of the invention discloses a web server security testing method and system, comprising: obtaining the web server configuration file; judging whether the configuration file is securely configured; if so, performing the security test, otherwise performing security configuration on the web server and then re-obtaining the configuration file. In the invention the configuration file of the web server under test is obtained first, and it is judged whether the content of the configuration file has been configured according to the security configuration requirements. If it has, the security test can begin directly, and the corresponding configuration is modified for any vulnerability that appears during the test; if it has not, the security configuration is performed first and the configuration is then checked again. This changes the procedure of traditional web server testing and can effectively improve working efficiency.

Description

Web server security testing method and system
Technical field
The present invention relates to the field of server testing, and in particular to a web server security testing method and system.
Background technology
A web server is a program based on the HTTP protocol that provides a network information browsing service to clients using files in HTML format. With the rapid development of Internet technology the web server has become an important component of web systems, and the quality of web server performance affects the quality of web system performance; therefore, in order to know the performance of a web server in time, the web server has to be tested.
In the traditional web server testing method, black-box testing is usually started from the web client: common web attack techniques are used to security-test the services the web server provides, any security problem found is submitted to the development staff, and the development staff then modify and debug the relevant configuration of the web server accordingly.
However, in black-box testing, if some basic security configuration of the web server is not enabled, the test side has to submit a large number of related vulnerabilities; and when a vulnerability the development side does not understand appears, the modification has to be communicated repeatedly with the test side before retesting, which reduces working efficiency.
Summary of the invention
An embodiment of the present invention provides a ** method and device to solve the problem of ** in the prior art.
To solve the above technical problem, the embodiment of the present invention discloses the following technical solutions:
A first aspect of the present invention provides a web server security testing method, comprising:
obtaining the web server configuration file;
judging whether the configuration file is securely configured;
if so, performing the security test; otherwise performing security configuration on the web server and then re-obtaining the configuration file.
Preferably, judging whether the configuration file is securely configured specifically comprises:
performing a general security configuration inspection on the configuration file;
judging, according to the inspection result, whether the security configuration requirements are met.
Preferably, the security configuration requirements comprise: hiding and disguising software version information; establishing a secure directory structure; using a dedicated user and group; setting the access policy of the web directories to forbid directory traversal; setting web server access control; setting password protection for the web server; performing log splitting; setting the server to guard against DoS; performing CGI and SWGI configuration; deploying an SSL certificate.
Preferably, establishing a secure directory structure specifically comprises: the configuration file directory, the website content directory, the CGI script directory and the log directory are independent of each other and have no parent-child relationship.
Preferably, the method further comprises:
generating an inspection report according to the security configuration judgement result.
Preferably, the method further comprises:
judging whether a vulnerability exists according to the security test result;
if so, modifying the corresponding security configuration and re-running the security test; otherwise stopping the test.
A second aspect of the present invention provides a web server security testing system, comprising a file acquisition module, a configuration detection module and a test module connected in sequence, wherein the file acquisition module is used to obtain the web server configuration file, the configuration detection module is used to detect whether the configuration file is securely configured, and the test module is used to test the web server.
Preferably, the system further comprises a report generation module, connected to the configuration detection module and used to generate a security configuration inspection report.
It can be seen from the above technical solutions that in the present invention the configuration file of the web server under test is obtained first, and it is judged whether its content has been configured according to the security configuration requirements. If it has, the security test can begin directly, and the corresponding configuration is modified for any vulnerability that appears during the test; if it has not, the security configuration is performed first and the configuration is then checked again. This changes the procedure of traditional web server testing and can effectively improve working efficiency.
Description of the drawings
To explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, persons of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of a web server security testing method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of another web server security testing method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of yet another web server security testing method provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of a web server security testing system provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of another web server security testing system provided by an embodiment of the present invention.
Detailed description
In order to make persons skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, which is a flow diagram of a web server security testing method provided by an embodiment of the present invention; as shown in Fig. 1, the web server security testing method provided by the embodiment comprises:
S10: obtain the web server configuration file.
The web server configuration file contains the security configuration of the server. In the prior art the configuration state of the server is not taken into account during security testing; instead the security test is run directly and the configuration is modified afterwards. In the embodiment of the present invention the server is configured according to the security configuration requirements before the security test is run, and because there are many security configuration items, the configuration file is acquired before the security test so that none of them is omitted.
S20: judge whether the configuration file is securely configured.
After the configuration file is obtained, a general security configuration inspection is performed on it, and whether the security configuration requirements are met is judged from the inspection result. The security configuration requirements comprise: hiding and disguising software version information; establishing a secure directory structure; using a dedicated user and group; setting the access policy of the web directories to forbid directory traversal; setting web server access control; setting password protection for the web server; performing log splitting; setting the server to guard against DoS; performing CGI and SWGI configuration; deploying an SSL certificate. Because the security configuration requirements in the embodiment of the present invention have to satisfy the needs of different types of server, the inspection of the configuration file is called a general security inspection.
Specifically, establishing the secure directory structure required by the security configuration further comprises: the configuration file directory, the website content directory, the CGI script directory and the log directory are independent of each other and have no parent-child relationship.
If no non-secure configuration item is found by the security inspection, step S30 is executed: perform the security test. Otherwise step S40 is executed: perform security configuration, and then step S10 is executed again: obtain the configuration file.
In the embodiment of the present invention the security test is run only after every security item of the server has been securely configured, so as to improve security testing efficiency; therefore, when a non-secure configuration item is found while checking the configuration file, it has to be modified immediately. It should be noted that for certain security tests in special circumstances some configuration has to be left open, so for security items that need to be open their security configuration state is not considered, i.e. no security configuration detection is performed for them.
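As an added example, not code from the patent or its applicant, the following implements the S10/S20 inspection described above together with the directory-structure rule (claim 4) and the S50 report. The patent names the requirements but no concrete server or configuration syntax, so the nginx-style directive names, the assumed /etc/nginx and /usr/lib/cgi-bin locations and both configurations below are assumptions constructed for this example. "Forbid directory traversal" is read here as disabling directory listing (autoindex), since it is stated as an access policy on web directories; log splitting and CGI/SWGI settings live outside a single server file and are not checked. Items a particular test needs left open are passed as `exempt` and skipped, as the text above requires.

```python
"""S10/S20/S50 of the patent as a configuration audit (added example, assumptions noted inline)."""
import os
import re
from typing import Dict, List, Tuple

# Constructed weak configuration: several general security items are not met.
WEAK_CONFIG = """
user www-data www-data;
server_tokens on;
ssl_certificate /etc/nginx/ssl/site.crt;
limit_req_zone $binary_remote_addr zone=req:10m rate=10r/s;
root /var/www/html;
access_log /var/www/html/logs/access.log;   # log directory nested in the content root
autoindex on;
"""

# Constructed corrected configuration for the same server.
HARDENED_CONFIG = """
user www-data www-data;
server_tokens off;
ssl_certificate /etc/nginx/ssl/site.crt;
limit_req_zone $binary_remote_addr zone=req:10m rate=10r/s;
root /var/www/html;
access_log /var/log/nginx/access.log;
autoindex off;
allow 192.0.2.0/24;
deny all;
auth_basic "restricted";
"""

DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{#]*?)\s*;", re.M)
Result = Dict[str, Tuple[bool, str]]   # item -> (requirement met?, evidence)


def parse_directives(text: str) -> Dict[str, List[str]]:
    """S10: collect 'name value;' lines into {name: [values]} (blocks are flattened)."""
    found: Dict[str, List[str]] = {}
    for name, value in DIRECTIVE.findall(text):
        found.setdefault(name, []).append(value)
    return found


def nested_directories(dirs: Dict[str, str]) -> List[str]:
    """Pairs of directories that are equal or in a parent-child relation (claim 4 forbids both)."""
    norm = {k: os.path.normpath(v) for k, v in dirs.items()}
    problems = []
    for a, pa in norm.items():
        for b, pb in norm.items():
            if a < b and os.path.commonpath([pa, pb]) in (pa, pb):
                problems.append(f"{a} ({pa}) and {b} ({pb})")
    return problems


def audit(config_text: str, exempt: Tuple[str, ...] = ()) -> Result:
    """S20: general security inspection; `exempt` lists items a test needs left open."""
    d = parse_directives(config_text)

    def first(name: str, default: str = "") -> str:
        return d.get(name, [default])[0]

    def present(*names: str) -> Tuple[bool, str]:
        ok = any(n in d for n in names)
        return ok, "/".join(names) + (" present" if ok else " absent")

    dirs = {
        "config": "/etc/nginx",             # assumed location of the configuration files
        "content": first("root", "/var/www/html"),
        "cgi": "/usr/lib/cgi-bin",          # assumed CGI script directory
        "logs": os.path.dirname(first("access_log", "/var/log/nginx/access.log")),
    }
    nested = nested_directories(dirs)
    owner = first("user").split()[:1]
    checks: Result = {
        "hide version information": (first("server_tokens", "on") == "off",
                                     f"server_tokens {first('server_tokens', 'on')}"),
        "secure directory structure": (not nested, "; ".join(nested) or "all directories independent"),
        "dedicated user and group": (owner not in ([], ["root"]), f"user {first('user') or '(unset)'}"),
        "forbid directory listing": (first("autoindex", "off") == "off",
                                     f"autoindex {first('autoindex', 'off')}"),
        "access control": present("allow", "deny"),
        "password protection": present("auth_basic"),
        "DoS protection": present("limit_req_zone", "limit_conn_zone"),
        "SSL certificate deployed": present("ssl_certificate"),
    }
    return {item: ((True, "exempt for this test") if item in exempt else result)
            for item, result in checks.items()}


def failing_items(results: Result) -> List[str]:
    return [item for item, (ok, _) in results.items() if not ok]


def render_report(results: Result) -> str:
    """S50: inspection report; its verdict selects S30 (test) or S40 (configure first)."""
    lines = [f"[{'PASS' if ok else 'FAIL'}] {item}: {why}" for item, (ok, why) in results.items()]
    failing = failing_items(results)
    lines.append("verdict: " + ("securely configured, proceed to security test (S30)" if not failing
                                else f"{len(failing)} item(s) need security configuration first (S40)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit(WEAK_CONFIG)))
    print(render_report(audit(HARDENED_CONFIG)))
```

The directory check deliberately flags equal paths as well as nested ones, since a log directory that coincides with the content root is the same exposure as one nested below it. Real-world use would need a proper parser for nested blocks and includes; the flat directive scan is enough to show the decision the patent describes.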
Referring to Fig. 2, which is a flow diagram of another web server security testing method provided by an embodiment of the present invention; as shown in Fig. 2, the web server security testing method provided by the embodiment further comprises:
S50: generate an inspection report according to the security configuration judgement result.
The security configuration state of the configuration file has to be modified manually, and the staff may not be able to view the result in real time while the configuration file is being inspected. Therefore, after the security configuration inspection of the configuration file, an inspection report is generated and sent to the maintenance staff if any non-secure configuration exists; if everything is securely configured, the security test can begin directly.
Referring to Fig. 3, which is a flow diagram of yet another web server security testing method provided by an embodiment of the present invention; as shown in Fig. 3, the web server security testing method provided by the embodiment further comprises:
S60: judge whether a vulnerability exists according to the security test result;
if so, execute step S70: modify the corresponding security configuration, and then execute step S30 again: security test. Otherwise execute step S80: stop the test.
The security test still relies on prior-art testing, i.e. the web server under test is attacked. For a server that has been securely configured, the test result generally contains no vulnerability; but for certain configurations with additional requirements, the general security configuration requirements can still leave a vulnerability that appears in the test, and for certain vulnerabilities a vulnerability appears during the security test if the security configuration is not modified in time. Therefore, if a vulnerability appears during the test, the test is stopped immediately and the corresponding security configuration is modified; if there is no vulnerability, testing of the other security items continues until all tests are finished and the test then stops.
Referring to Fig. 4, which is a structural diagram of a web server security testing system provided by an embodiment of the present invention; the web server security testing system provided by the embodiment comprises a file acquisition module, a configuration detection module and a test module connected in sequence.
To implement the web server security testing method provided by the embodiment of the present invention, the embodiment also provides a web server security testing system in which the file acquisition module is used to obtain the web server configuration file, the configuration detection module is used to detect whether the configuration file is securely configured, and the test module is used to test the web server.
Referring to Fig. 5, which is a structural diagram of another web server security testing system provided by an embodiment of the present invention; as shown in Fig. 5, the system further comprises a report generation module, connected to the configuration detection module and used to generate a security configuration inspection report.
In the present invention the configuration file of the web server under test is obtained first, and it is judged whether its content has been configured according to the security configuration requirements. If it has, the security test can begin directly, and the corresponding configuration is modified for any vulnerability that appears during the test; if it has not, the security configuration is performed first and the configuration is then checked again. This changes the procedure of traditional web server testing and can effectively improve working efficiency.
The above are only specific embodiments of the present invention, enabling those skilled in the art to understand or implement the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A web server security testing method, characterized in that it comprises:
obtaining the web server configuration file;
judging whether the configuration file is securely configured;
if so, performing the security test; otherwise performing security configuration and then re-obtaining the configuration file.
2. The web server security testing method according to claim 1, characterized in that judging whether the configuration file is securely configured specifically comprises:
performing a general security configuration inspection on the configuration file;
judging, according to the inspection result, whether the security configuration requirements are met.
3. The web server security testing method according to claim 2, characterized in that the security configuration requirements comprise: hiding and disguising software version information; establishing a secure directory structure; using a dedicated user and group; setting the access policy of the web directories to forbid directory traversal; setting web server access control; setting password protection for the web server; performing log splitting; setting the server to guard against DoS; performing CGI and SWGI configuration; deploying an SSL certificate.
4. The web server security testing method according to claim 3, characterized in that establishing a secure directory structure specifically comprises: the configuration file directory, the website content directory, the CGI script directory and the log directory are independent of each other and have no parent-child relationship.
5. The web server security testing method according to any one of claims 1 to 4, characterized in that the method further comprises:
generating an inspection report according to the security configuration judgement result.
6. The web server security testing method according to any one of claims 1 to 4, characterized in that the method further comprises:
judging whether a vulnerability exists according to the security test result;
if so, modifying the corresponding security configuration and re-running the security test; otherwise stopping the test.
7. A web server security testing system, characterized in that it comprises a file acquisition module, a configuration detection module and a test module connected in sequence, wherein the file acquisition module is used to obtain the web server configuration file, the configuration detection module is used to detect whether the configuration file is securely configured, and the test module is used to test the web server.
8. The web server security testing system according to claim 7, characterized in that the system further comprises a report generation module, connected to the configuration detection module and used to generate a security configuration inspection report.

Priority Applications (1)

Application Number: CN201810729694.0A (CN108769074B, en)
Priority Date: 2018-07-05
Filing Date: 2018-07-05
Title: Web server security testing method

Publications (2)

CN108769074A (en), published 2018-11-06
CN108769074B (en), published 2021-02-09

Family

Family ID: 63972478
Family application (1): CN201810729694.0A, CN108769074B (en), Active; priority date 2018-07-05; filing date 2018-07-05; title: Web server security testing method
Country status: CN, CN108769074B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447898A (en) * 2008-11-19 2009-06-03 中国人民解放军信息安全测评认证中心 Test system used for network safety product and test method thereof
CN102468985A (en) * 2010-11-01 2012-05-23 北京神州绿盟信息安全科技股份有限公司 Method and system for carrying out penetration test on network safety equipment
CN103544660A (en) * 2013-10-30 2014-01-29 国家电网公司 Method for safety testing before online implementation of electric power information system
CN106021084A (en) * 2016-05-23 2016-10-12 浪潮电子信息产业股份有限公司 Method and apparatus for testing server performance
US9531705B1 (en) * 2013-03-14 2016-12-27 United Services Automobile Association Systems and methods for computer digital certificate management and analysis
CN107357736A (en) * 2017-07-28 2017-11-17 郑州云海信息技术有限公司 A kind of automated detection method for Tomcat security configurations



Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
  Effective date of registration: 2021-01-08
  Address after: Building 9, No.1, guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Wuzhong District, Suzhou City, Jiangsu Province
  Applicant after: SUZHOU LANGCHAO INTELLIGENT TECHNOLOGY Co.,Ltd.
  Address before: Room 1601, floor 16, 278 Xinyi Road, Zhengdong New District, Zhengzhou City, Henan Province
  Applicant before: ZHENGZHOU YUNHAI INFORMATION TECHNOLOGY Co.,Ltd.
GR01 Patent grant