CN108874669A - A kind of method of inspection based on Web defect - Google Patents


Info

Publication number
CN108874669A
Authority
CN
China
Prior art keywords
code
defect
determines
program
web
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810606051.7A
Other languages
Chinese (zh)
Inventor
罗云鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Inspur Genersoft Information Technology Co Ltd
Original Assignee
Shandong Inspur Genersoft Information Technology Co Ltd
Priority date: 2018-06-13
Filing date: 2018-06-13
Publication date: 2018-11-23

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 11/00 Error detection; Error correction; Monitoring > G06F 11/36 Preventing errors by testing or debugging software > G06F 11/362 Software debugging > G06F 11/3628 Software debugging of optimised code
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 11/00 Error detection; Error correction; Monitoring > G06F 11/36 Preventing errors by testing or debugging software > G06F 11/3668 Software testing > G06F 11/3672 Test management > G06F 11/3688 Test management for test execution, e.g. scheduling of test suites
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F 21/562 Static detection > G06F 21/563 Static detection by source code analysis

Abstract

The invention discloses a method of inspection based on Web defects. The method includes the following contents. Dependency determination: when the web application starts, dependency determination is first carried out on its code. Code entry point identification: key pattern matching is applied to file data by regular expression, and entry points are tracked, analysed and found. Defect location and intrusion detection: taking the determined code entry points as the starting point, the transfer route of variables in the program is found, and the influence of core variables on the application system is discovered. Precautionary measures: the code is checked for whether commonly occurring code risks will appear, and an application deployment method is adopted to avoid the intrusion of risks. The invention has the following characteristics: from the originating source in the code it provides excellent supervision of code growth through to the conclusion of the final project; it can discover security risks that are hard to find once the project is online; and it not only pays close attention to code defects but also performs well in Web security intrusion protection, guaranteeing user data security and privacy protection.

Description

A method of inspection based on Web defects
Technical field
The present invention relates to the field of computer technology, and specifically to a method of inspection based on Web defects.
Background art
In the current popular market, black-box testing and white-box testing, together with some common methods such as reverse derivation and code debugging, serve as the mainstream test methods, and under their action all kinds of market software systems can guarantee a smooth launch once user requirements are met. But for a large application web site architecture system, black-box and white-box testing are no longer applicable to inspecting the defects of the Web system; at this point an efficient test method that improves on the traditional mode of the market is needed to realize the vision of a "zero"-defect system.
Summary of the invention
The technical task of the invention is to provide a method of inspection based on Web defects.
The technical task of the invention is realized in the following manner:
A method of inspection based on Web defects, the method including the following contents:
1) Dependency determination: when the web application starts, dependency determination is first carried out on its code;
2) Code entry point identification: key pattern matching is applied to file data by regular expression, and entry points are tracked, analysed and found;
3) Defect location and intrusion detection: taking the determined code entry points as the starting point, the transfer route of variables in the program is found, and the influence of core variables on the application system is discovered;
4) Precautionary measures: the code is checked for whether commonly occurring code risks will appear, and an application deployment method is adopted to avoid the intrusion of risks.
The dependency determination includes dependency determination of code and database, platform and server determination, program language and firewall determination, third-party component determination, and internet access information interface determination.
The dependency determination of code and database: when code inspection is carried out, the interfaces need to be checked;
The platform and server determination: it needs to be determined that the application program is on the Java platform, and with which kind of server the project is deployed and loaded;
The program language and firewall determination: from the features of the program language, the code logic relationships and the inheritance and polymorphism relationships are confirmed, so as to avoid logic errors;
The third-party component determination: with reference to the technology-radar tool OWASP Dependency Check, third-party components are identified, matched against vulnerabilities, and an audit report is generated;
The internet access information interface determination: by checking the read/write control permissions of the server side, it is judged whether user data is truly under the user's own control and whether important information is privately controlled.
The program language and firewall determination further includes: the application firewall is deployed in a reasonable position, and the content filtering function must also be turned on.
In the code entry point identification, the file data is web page forms, Request requests and XML files.
In the defect location and intrusion detection, taking the determined code entry points as the starting point, finding the transfer route of variables in the program includes: testing the transfer route of variables, covering them completely, tracking them thoroughly, exposing information and recording logs; using the -SG function of the script, observing exceptions that appear from file objects and caches, and locating the position where the vulnerability starts.
The code risks in the precautionary measures are: API misuse, error and exception handling defects, and application defect risks caused by time or state.
The application deployment method in the precautionary measures is: adding rules in the application firewall, and using prepared statements and stored procedures at the SQL layer.
Compared to the prior art, the method of inspection based on Web defects of the invention has the following characteristics:
1) From the originating source in the code, it provides excellent supervision of code growth through to the conclusion of the final project;
2) Compared with conventional test methods, this method goes deeper and can discover security hazards that are hard to find once the project is online;
3) It not only pays close attention to code defects but also performs well in Web security intrusion protection, guaranteeing user data security and privacy protection.
Specific embodiments
Embodiment 1:
A method of inspection based on Web defects, the method including the following contents:
1) Dependency determination: when the web application starts, dependency determination is first carried out on its code; this includes dependency determination of code and database, platform and server determination, program language and firewall determination, third-party component determination, and internet access information interface determination.
The dependency determination of code and database: when code inspection is carried out, the interfaces need to be checked;
The platform and server determination: it needs to be determined that the application program is on the Java platform, and with which kind of server the project is deployed and loaded;
The program language and firewall determination: from the features of the program language, the code logic relationships and the inheritance and polymorphism relationships are confirmed, so as to avoid logic errors; the application firewall is deployed in a reasonable position, and the content filtering function must also be turned on;
The third-party component determination: with reference to the technology-radar tool OWASP Dependency Check, third-party components are identified, matched against vulnerabilities, and an audit report is generated;
The internet access information interface determination: by checking the read/write control permissions of the server side, it is judged whether user data is truly under the user's own control and whether important information is privately controlled.
2) Code entry point identification: key pattern matching is applied to file data by regular expression, and entry points are tracked, analysed and found; the file data is web page forms, Request requests and XML files;
Finding the entry points: the scancode.py tool (a Python script) is used to search known files; the custom class lies in the control variable method; the -SR switch is selected to lock onto one entry point, and it is executed.
f:\scancode\scancode.py -SR TEXT.jsp
Request Object Entry:
22: NameValueCollection nvc = Request.QueryString;
This, i.e. the application program entry point, is the place where QueryString is stored into a NameValueCollection.
3) Defect location and intrusion detection: taking the determined code entry points as the starting point, the transfer route of variables in the program is found, and the influence of core variables on the application system is discovered; the transfer route of variables is tested, covered completely and tracked thoroughly, exposing information and recording logs; using the -SG function of the script, exceptions that appear from file objects and caches are observed, and the position where the vulnerability starts is located.
4) Precautionary measures: the code is checked for whether commonly occurring code risks will appear; the code risks are: API misuse, error and exception handling defects, and application defect risks caused by time or state. An application deployment method is adopted to avoid the intrusion of risks. The application deployment method is: adding rules in the application firewall, and using prepared statements and stored procedures at the SQL layer.
Embodiment 2:
A method of inspection based on Web defects, including the following contents and steps:
The code is queried for program dependencies, and variables are tracked in the following way:
scancode.py -t detail.aspx.nvc
Tracing variable: nvc
NameValueCollection nvc = Request.QueryString;
String[] arr1 = nvc.AllKeys;
String[] st2 = nvc.GetValues(arr1[0]);
nvc is assigned to st2, which needs to be tracked again.
scancode.py -t aspx.st2
Tracing variable: st2
String[] st2 = nvc.GetValues(arr1[0]);
PRO_ID = st2[0];
A new monitored variable PRO_ID is thus generated and needs to be tracked again. In this process, defects that can be invaded are found.
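The entry-point search (-SR) and variable tracking (-t) of Embodiments 1 and 2, as an added Python example that is not the patent's scancode.py: entry lines are found by key-pattern regular expressions, the transfer route is followed through assignments (nvc to arr1 and st2 to PRO_ID), and, going beyond the patent's text, any route variable concatenated into an SQL string is reported as the place where the step-4 prepared statement is missing. The sample source, the `ENTRY_PATTERNS` list and the one-assignment-per-line parsing are assumptions.

```python
import re

# Constructed sample handler, modelled on the assignment chain Embodiment 2 traces
# (nvc -> arr1/st2 -> PRO_ID) plus one SQL concatenation; not the patent's code.
SAMPLE_SOURCE = """\
public void Page_Load(object sender, EventArgs e)
{
    NameValueCollection nvc = Request.QueryString;
    String[] arr1 = nvc.AllKeys;
    String[] st2 = nvc.GetValues(arr1[0]);
    String PRO_ID = st2[0];
    String banner = "static";
    String sql = "SELECT * FROM product WHERE id=" + PRO_ID;
}
"""

# Step 2 key patterns: where external data (a Request request) enters the program.
ENTRY_PATTERNS = [
    (re.compile(r"\bRequest\.(QueryString|Form|Params|Cookies)\b"), "Request Object Entry"),
]
# "<type> <name> = <expr>;" or "<name> = <expr>;" (one assignment per line assumed)
ASSIGN = re.compile(r"^\s*(?:[\w\[\]<>]+\s+)?(\w+)\s*=\s*(.+?);\s*$")
# An SQL statement literal that is then concatenated with "+".
SQL_CONCAT = re.compile(r'"[^"]*\b(select|insert|update|delete)\b[^"]*"\s*\+', re.I)


def _uses(name, text):
    return re.search(r"\b%s\b" % re.escape(name), text) is not None


def find_entries(source):
    """Step 2 (-SR): (line_no, label, assigned_variable) for each entry point."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for pat, label in ENTRY_PATTERNS:
            if pat.search(line):
                m = ASSIGN.match(line)
                hits.append((no, label, m.group(1) if m else None))
    return hits


def trace_variable(source, start):
    """Step 3 (-t): follow the transfer route of `start`. An assignment whose
    right-hand side uses a tainted name taints its left-hand side as well.
    Returns [(line_no, new_variable, (variables it was derived from)), ...]."""
    tainted = [start]  # a list keeps discovery order deterministic
    route = []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        used = tuple(v for v in tainted if _uses(v, rhs))
        if used and lhs not in tainted:
            tainted.append(lhs)
            route.append((no, lhs, used))
    return route


def find_sql_sinks(source, start, route):
    """Beyond the patent's text: lines where the entry variable or a variable on
    its route is concatenated into an SQL string literal (no prepared statement)."""
    tainted = [start] + [v for _, v, _ in route]
    return [no for no, line in enumerate(source.splitlines(), 1)
            if SQL_CONCAT.search(line) and any(_uses(v, line) for v in tainted)]
```

Running `find_entries` then `trace_variable` on the sample reproduces the nvc, arr1, st2, PRO_ID chain of Embodiment 2 and reports the SQL line as the sink.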
Those skilled in the technical field can readily realize the present invention with the above specific embodiments. But it should be understood that the present invention is not limited to the above specific embodiments. On the basis of the disclosed embodiments, those skilled in the technical field can arbitrarily combine different technical features to realize different technical solutions.

Claims (8)

1. A method of inspection based on Web defects, characterized in that the method includes the following contents:
1) Dependency determination: when the web application starts, dependency determination is first carried out on its code;
2) Code entry point identification: key pattern matching is applied to file data by regular expression, and entry points are tracked, analysed and found;
3) Defect location and intrusion detection: taking the determined code entry points as the starting point, the transfer route of variables in the program is found, and the influence of core variables on the application system is discovered;
4) Precautionary measures: the code is checked for whether commonly occurring code risks will appear, and an application deployment method is adopted to avoid the intrusion of risks.
2. The method of inspection according to claim 1, characterized in that the dependency determination includes dependency determination of code and database, platform and server determination, program language and firewall determination, third-party component determination, and internet access information interface determination.
3. The method of inspection according to claim 2, characterized in that the dependency determination of code and database is: when code inspection is carried out, the interfaces need to be checked;
The platform and server determination: it needs to be determined that the application program is on the Java platform, and with which kind of server the project is deployed and loaded;
The program language and firewall determination: from the features of the program language, the code logic relationships and the inheritance and polymorphism relationships are confirmed, so as to avoid logic errors;
The third-party component determination: with reference to the technology-radar tool OWASP Dependency Check, third-party components are identified, matched against vulnerabilities, and an audit report is generated;
The internet access information interface determination: by checking the read/write control permissions of the server side, it is judged whether user data is truly under the user's own control and whether important information is privately controlled.
4. The method of inspection according to claim 3, characterized in that the program language and firewall determination further includes: the application firewall is deployed in a reasonable position, and the content filtering function must also be turned on.
5. The method of inspection according to claim 1, characterized in that in the code entry point identification, the file data is web page forms, Request requests and XML files.
6. The method of inspection according to claim 1, characterized in that in the defect location and intrusion detection, taking the determined code entry points as the starting point, finding the transfer route of variables in the program includes:
testing the transfer route of variables, covering them completely, tracking them thoroughly, exposing information and recording logs; using the -SG function of the script, observing exceptions that appear from file objects and caches, and locating the position where the vulnerability starts.
7. The method of inspection according to claim 1, characterized in that the code risks in the precautionary measures are: API misuse, error and exception handling defects, and application defect risks caused by time or state.
8. The method of inspection according to claim 1, characterized in that the application deployment method in the precautionary measures is: adding rules in the application firewall, and using prepared statements and stored procedures at the SQL layer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810606051.7A CN108874669A (en) 2018-06-13 2018-06-13 A kind of method of inspection based on Web defect


Publications (1)

Publication Number Publication Date
CN108874669A true CN108874669A (en) 2018-11-23

Family

ID=64338127


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101551836A (en) * 2008-04-03 2009-10-07 西门子(中国)有限公司 Code audit method and device
CN104065645A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Web vulnerability protection method and apparatus
US20160241585A1 (en) * 2013-12-19 2016-08-18 Hewlett Packard Enterprise Development Lp Analyze code that uses web framework using local parameter model
CN106407811A (en) * 2016-10-10 2017-02-15 合肥红珊瑚软件服务有限公司 SQL injection loophole positioning detection system
CN107169360A (en) * 2017-06-14 2017-09-15 广东电力发展股份有限公司沙角A电厂 The detection method and system of a kind of source code security loophole



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181123