CN109165507A - Cross-site scripting attack leak detection method, device and terminal device - Google Patents


Info

Publication number: CN109165507A
Authority: CN (China)
Prior art keywords: cross-site scripting, request, data, scripting attack
Legal status: Granted; currently active
Application number: CN201810746133.1A
Other languages: Chinese (zh)
Other versions: CN109165507B (en)
Inventors: 余瞰, 潘志祥, 李华, 张家银, 刘海涛, 熊帅帅, 吴迪, 胡娇娇, 郑有乐
Current assignee: Shenzhen Kaiyuan Internet Security Technology Co Ltd
Original assignee: Shenzhen Kaiyuan Internet Security Technology Co Ltd

Events: application filed by Shenzhen Kaiyuan Internet Security Technology Co Ltd; priority to CN201810746133.1A; publication of CN109165507A; application granted; publication of CN109165507B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The present invention belongs to the field of computer security and provides a cross-site scripting (XSS) attack vulnerability detection method, apparatus and terminal device. The method comprises: receiving a request; parsing the request to obtain the parsed parameters; tracking the parsed parameters by data-flow tracking to obtain execution information of the running application program, the application program being the one corresponding to the request; and detecting, according to the execution information, whether the request contains a cross-site scripting attack vulnerability. Because the execution information is obtained by data-flow tracking and then examined to decide whether a cross-site scripting attack vulnerability exists and to which class it belongs, the method can detect both kinds of cross-site scripting attack vulnerability, and compared with conventional methods it detects quickly and generates no junk data.

Description

Cross-site scripting attack leak detection method, device and terminal device
Technical field
The present invention belongs to the field of computer security, and in particular relates to a cross-site scripting attack vulnerability detection method, apparatus and terminal device.
Background technique
Cross-site scripting (XSS) is an attack in which an attacker injects executable script into a web page and lures users into visiting it, so that the injected script runs when a user browses the page, allowing the attacker to steal user data, perform actions under the user's identity, or infect visitors with malware. XSS vulnerabilities are complex and can be divided into reflected XSS and stored XSS; in stored XSS the attack code is saved into a database and executed whenever a user opens the page, so it causes greater harm and has a wider impact than reflected XSS.
In implementing the present invention, the inventors found that most existing cross-site scripting attack vulnerability detection methods are designed for reflected XSS. Reflected XSS has the characteristic that the user's request and the response occur within the same cycle, so the vulnerability can be detected on the basis of a single request. For stored XSS, the request and the response are often not in the same request cycle, so a large number of requests have to be constructed to detect it, which leads to low detection efficiency and a large amount of data pollution.
Summary of the invention
In view of this, embodiments of the present invention provide a cross-site scripting attack vulnerability detection method, apparatus and terminal device, to solve the problem that XSS detection tools in the prior art cannot detect stored XSS.
A first aspect of the embodiments of the present invention provides a cross-site scripting attack vulnerability detection method, comprising:
receiving a request;
parsing the request to obtain the parsed parameters;
tracking the parsed parameters by data-flow tracking to obtain execution information of the running application program, the application program being the application program corresponding to the request; and
detecting, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
Optionally, tracking the parsed parameters by data-flow tracking to obtain the execution information of the running application program specifically comprises:
judging the parsed parameters and, when the source of a parameter is request data, starting the tracking process for that parameter;
performing business-logic processing on the request data to obtain the data after business-logic processing; and
applying a safety-state label to the data after business-logic processing.
Optionally, detecting according to the execution information whether the request contains a cross-site scripting attack vulnerability specifically comprises:
detecting the safety-state label and, when the label is unsafe-state information, determining that the request contains a cross-site scripting attack vulnerability; and
detecting the flow state of the business-logic-processed data labelled as unsafe-state information, and judging the type of the cross-site scripting attack vulnerability.
Optionally, detecting the flow state of the business-logic-processed data labelled as unsafe-state information and judging the type of the cross-site scripting attack vulnerability specifically comprises:
when the business-logic-processed data labelled as unsafe-state information is in the return state, reporting that the request contains a reflected cross-site scripting attack vulnerability; and
when the business-logic-processed data labelled as unsafe-state information is in the storage state, and a preset analysis model judges that the parameter needs to be called, reporting that the request contains a stored cross-site scripting attack vulnerability.
Optionally, judging by the preset analysis model that the parameter needs to be called specifically comprises:
obtaining the persistence-layer framework used when the parameter is saved, and obtaining the storage information and read information of the data according to the persistence-layer framework; and
obtaining an instrumentation scheme and judgement-processing logic according to the storage information and read information, and determining, according to the instrumentation scheme and the judgement-processing logic, whether the parameter is called.
A second aspect of the embodiments of the present invention provides a cross-site scripting attack vulnerability detection apparatus, comprising a receiving module, a parsing module, an acquisition module and a detection module;
the receiving module is configured to receive a request;
the parsing module is configured to parse the request to obtain the parsed parameters;
the acquisition module is configured to track the parsed parameters by data-flow tracking to obtain execution information of the running application program, the application program being the application program corresponding to the request; and
the detection module is configured to detect, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
Optionally, the acquisition module comprises a tracking start unit, a business-logic processing unit and an information labelling unit;
the tracking start unit is configured to judge the parsed parameters and, when the source of a parameter is request data, start the tracking process for that parameter;
the business-logic processing unit is configured to perform business-logic processing on the request data to obtain the data after business-logic processing; and
the information labelling unit is configured to apply a safety-state label to the data after business-logic processing.
Optionally, the detection module comprises a first detection unit and a second detection unit;
the first detection unit is configured to detect the safety-state label and, when the label is unsafe-state information, determine that the request contains a cross-site scripting attack vulnerability; and
the second detection unit is configured to detect the flow state of the business-logic-processed data labelled as unsafe-state information, and judge the type of the cross-site scripting attack vulnerability.
A third aspect of the embodiments of the present invention provides a cross-site scripting attack vulnerability detection terminal device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the steps of the cross-site scripting attack vulnerability detection method according to any one of the above.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the cross-site scripting attack vulnerability detection method according to any one of the above.
Compared with the prior art, the embodiments of the present invention have the following beneficial effects: by receiving a request, obtaining the parsed parameters from the request, and then tracking the parsed parameters by data-flow tracking to obtain execution information, it can be judged from the execution information whether the request contains a cross-site scripting attack vulnerability and to which class it belongs, so that detection of a cross-site scripting attack vulnerability is completed on the basis of a single request. This solves the problem that conventional methods cannot detect stored cross-site scripting attack vulnerabilities, while also offering fast detection and generating no junk data.
Detailed description of the invention
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Evidently, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the cross-site scripting attack vulnerability detection method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of step S103 in Fig. 1;
Fig. 3 is a flowchart of step S104 in Fig. 1;
Fig. 4 is a flowchart of step S302 in Fig. 3;
Fig. 5 is a flowchart of step S402 in Fig. 4;
Fig. 6 is a structural diagram of the cross-site scripting attack vulnerability detection apparatus provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the cross-site scripting attack vulnerability detection terminal device provided by an embodiment of the present invention.
Specific embodiment
In the following description, specific details such as particular system structures and techniques are set forth for the purpose of illustration rather than limitation, so that the embodiments of the present invention can be understood thoroughly. However, it will be clear to those skilled in the art that the present invention may also be implemented in other embodiments without these specific details. In other cases, detailed descriptions of well-known systems, devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the invention.
To illustrate the technical solutions of the present invention, specific embodiments are described below.
Embodiment one
Fig. 1 shows the implementation flow of the cross-site scripting attack vulnerability detection method provided by embodiment one of the present invention, described in detail as follows:
Step S101: receive a request.
Here, when a user terminal requests a service of some application, the user terminal sends the service request to the web application server, and the web application server receives the user's request.
In general, the web application server often needs to interact with the user, and when the request data contains malicious code, different interaction modes correspond to different cross-site scripting attack vulnerabilities. In one interaction mode, after the user submits data to the web server, the submitted data is returned to the user's browser. For example, on a user login page, after a user logs in to the website with the user name "Zhang San", the page often displays the words "Hello, Zhang San"; if the request data contains malicious code at this point, it is a reflected cross-site scripting attack. In another interaction mode, after the user submits data to the web server, the submitted data is stored. For example, on a message-board page, after the user submits a message, the web server stores the message in a database; if the request data contains malicious code at this point, it is a stored cross-site scripting attack.
Step S102: parse the request to obtain the parsed parameters.
In this embodiment, the web server parses the user's request and thereby obtains the parsed parameters; parsing here is the process of obtaining the user's input data and the intermediate data. For example, in the login-page process above, when the user enters information such as a user name and password to request the login page, the web server parses the request and obtains the user name, password and other information entered by the user. The parsed parameters are the objects tracked by data-flow tracking.
Step S103: track the parsed parameters by data-flow tracking to obtain execution information of the running application program, the application program being the application program corresponding to the request.
In this embodiment, data-flow tracking is used to obtain execution information of the running application program, and whether the user's request contains a cross-site scripting attack vulnerability is then judged from that execution information. The application program here is the application program corresponding to the request. For example, when a user logs in to a personal mailbox through a browser, entering the mailbox address in the browser, opening the mailbox site, entering account information and then sending the login request, the application program is the mailbox program.
Referring to Fig. 2, in one embodiment step S103 can be implemented by the following process:
Step S201: judge the parsed parameters and, when the source of a parameter is request data, start the tracking process for that parameter.
In this embodiment, the condition for starting the data-flow tracking process on a parsed parameter is that the parameter comes from request data. This is because a cross-site scripting attack vulnerability is usually formed by malicious code inserted by the user, so the main object of data-flow tracking is the request data. Note that request data here refers not only to data entered by the user: other data in the request may also have been tampered with by an attacker, so the object of tracking is any parameter that comes from request data. Specifically, probes are inserted into the program under test by core-class instrumentation, and the program's control-flow and data-flow information is then obtained as the probes execute.
Step S202: perform business-logic processing on the request data to obtain the data after business-logic processing.
In this embodiment, after the data-flow tracking process has been started on the request data, business-logic processing can be performed on it. Business-logic processing means the business of processing the data, for example judging or modifying the request data, and thereby obtaining the judged or modified data.
For example, in the login-page process above, after the user enters a user name and password on the login page, the entered user name and password are judged: whether the user name is a registered user name and, if it is, whether the entered password matches the preset password. In addition, to protect user information, the entered password may be encrypted to obtain encrypted data. The process of performing business-logic processing on the request data is precisely the process of data propagation.
Step S203: apply a safety-state label to the data after business-logic processing.
In this embodiment, after business-logic processing of the request data, the processed data is given a safety-state label. There are two kinds of safety-state label: safe-state information and unsafe-state information. Before labelling, the data after business-logic processing is first judged: if it has undergone safe handling it is labelled as safe-state information; conversely, if it has not undergone safe handling it is labelled as unsafe-state information. Safe handling here may include filtering of input data and encoding of output data. For example, to prevent cross-site scripting attack vulnerabilities an application program usually HTML-encodes data; once data has been HTML-encoded it is considered free of cross-site scripting attack vulnerabilities and can be labelled as safe-state information. However, if the application program does not HTML-encode the data, or decodes it again after HTML-encoding it, the data may still contain a cross-site scripting vulnerability and must be labelled as unsafe-state information.
Step S104: detect, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
In this embodiment, whether the request contains a cross-site scripting attack vulnerability can be detected from the execution information. Specifically, when detecting cross-site scripting attack vulnerabilities, it is first judged whether a vulnerability exists, and when one exists its type is further determined.
Referring to Fig. 3, in one embodiment step S104 can be implemented by the following process:
Step S301: detect the safety-state label and, when the label is unsafe-state information, determine that the request contains a cross-site scripting attack vulnerability.
In this embodiment, to detect whether the received request contains a cross-site scripting attack vulnerability, only the safety-state label needs to be examined. When the request contains a cross-site scripting attack vulnerability, the time at which the vulnerability is reported is the moment at which the content of the request needs to be called. Therefore, when the content of the request is called, the instrumentation code can detect whether a safety-state label is present; when an unsafe-state label is detected, the request contains a cross-site scripting attack vulnerability.
For example, in the login-page process above, after the user enters a user name and password on the login page, the home page shown after login may need to display the user name, which is rendered on the front end by a sink function. The detection code inserted into that function therefore executes when the sink function is called and examines the safety-state label; if an unsafe-state label is detected, the request contains a cross-site scripting attack vulnerability.
Step S302: detect the flow state of the business-logic-processed data labelled as unsafe-state information, and judge the type of the cross-site scripting attack vulnerability.
In this embodiment, the cross-site scripting attack vulnerability detection method can also detect the type of the vulnerability. The difference between a reflected and a stored cross-site scripting attack vulnerability is whether the content of the request is stored. Based on this fact, the flow state of the data sent in the user's request can be obtained by tracking the request data, and the type of the cross-site scripting attack vulnerability is judged from that flow state.
Referring to Fig. 4, in one embodiment step S302 can be implemented by the following process:
Step S401: when the business-logic-processed data labelled as unsafe-state information is in the return state, report that the request contains a reflected cross-site scripting attack vulnerability.
Specifically, when the label is determined to be unsafe-state information, the business-logic-processed data can be tracked to obtain its flow state. When the data is returned directly, the request is reported to contain a reflected cross-site scripting attack vulnerability.
Step S402: when the business-logic-processed data labelled as unsafe-state information is in the storage state, and the preset analysis model judges that the parameter needs to be called, report that the request contains a stored cross-site scripting attack vulnerability.
In this embodiment, when the label is determined to be unsafe-state information and the unsafe-state information is stored, the analysis model is used to obtain the time at which the parameter is called: when the read logic of the persistence-layer framework is detected to read the unsafe-state information, and that information is output to the front end, a stored cross-site scripting attack vulnerability is reported. Note that the unsafe-state information does not actually have to be read; whether to report a stored cross-site scripting attack vulnerability can be judged from the read logic alone, which gives high detection efficiency. Stored cross-site scripting attack vulnerabilities may involve different persistence-layer frameworks, and different frameworks call data in different forms; since the reporting time of a cross-site scripting attack vulnerability is the moment at which the content of the request needs to be called, the storage and read processes of the different persistence-layer frameworks must be obtained.
Referring to Fig. 5, in one embodiment step S402 can be implemented by the following process:
Step S501: obtain the persistence-layer framework used when the parameter is saved, and obtain the storage information and read information of the data according to that framework.
In this embodiment, to detect a stored cross-site scripting attack vulnerability, the type of persistence-layer framework used to save the parameter is obtained, and the storage information and read information of the data are obtained according to that type. For example, with the JPA framework a web program defines an ORM class corresponding to a table in the database, and the web program subsequently updates and reads the table data through that ORM class: the fields of the class are initialised through set methods and the data is then stored in the corresponding database table; when reading, specific data is retrieved through get methods.
Step S502: obtain an instrumentation scheme and judgement-processing logic according to the storage information and read information, and determine, according to the instrumentation scheme and the judgement-processing logic, whether the parameter is called.
In this embodiment, after obtaining the storage information and read information of the different persistence-layer frameworks, an instrumentation scheme and judgement-processing logic are obtained from them, so that a stored cross-site scripting attack vulnerability is reported when the parameter is called. For example, when the fields of a class are initialised through set methods, the set methods can be instrumented so that the input parameter is examined whenever a set method is called and it is judged whether the condition for reporting a vulnerability is met; when that condition is met, the get method is instrumented as well, so that when the get method is called to obtain the data and pass it to the front end, the stored cross-site scripting attack vulnerability is reported.
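As an added illustration that is not part of the patent or of the applicant's implementation, the following Python model runs the method of steps S101 to S104 with its sub-steps S201 to S203, S301 to S302, S401 to S402 and S501 to S502 against a small assumed application: a login page that echoes the user name, and a message board backed by an ORM-like row class with set and get methods. The application, the persistence layer and the request contents are all constructed for the example, and the patent's instrumentation of Java core classes is replaced by ordinary function calls that stand in for the probes:

```python
# Added model (not the patent's code) of steps S101-S104 and their sub-steps.
# The application, the ORM-like row class and the requests are assumed/constructed.
import html
from dataclasses import dataclass, field

REFLECTED = "reflected XSS"
STORED = "stored XSS"

@dataclass
class Tracked:
    """Parameter under data-flow tracking (S201) carrying its safety-state label (S203);
    safe=False is the unsafe-state label. state is the flow state of S401/S402."""
    value: str
    safe: bool = False
    state: str = "return"

def parse_request(request: dict) -> dict:
    """S102/S201: every parameter sourced from request data starts tracking."""
    return {name: Tracked(raw) for name, raw in request["params"].items()}

# Business-logic processing (S202): propagation carries the label along.
def concat(prefix: str, t: Tracked) -> Tracked:
    return Tracked(prefix + t.value, safe=t.safe, state=t.state)

def html_encode(t: Tracked) -> Tracked:
    """Safe handling: output encoding switches the label to safe-state."""
    return Tracked(html.escape(t.value, quote=True), safe=True, state=t.state)

def html_decode(t: Tracked) -> Tracked:
    """Decoding after encoding re-exposes markup, so the label reverts to unsafe."""
    return Tracked(html.unescape(t.value), safe=False, state=t.state)

# Instrumented persistence layer (S501/S502): probes on the set and get methods.
@dataclass
class MessageRow:
    table: list = field(default_factory=list)  # stands in for the database table

    def set_body(self, t: Tracked) -> None:
        t.state = "storage"  # set probe: record the storage flow state, report nothing yet
        self.table.append(t)

    def get_body(self) -> Tracked:
        return self.table[-1]  # get probe: the value leaves storage with its label intact

class Detector:
    """Collects the findings raised by the probe in the output (sink) function."""
    def __init__(self) -> None:
        self.findings = []

    def sink(self, t: Tracked) -> str:
        """S301/S302: decide on the label alone, never on the data's content;
        the flow state then gives the type (S401: return, S402: storage)."""
        if not t.safe:
            kind = STORED if t.state == "storage" else REFLECTED
            self.findings.append((kind, t.value))
        return t.value

# The assumed application under test: a login page and a message board.
def login_handler(det: Detector, request: dict, handling: str) -> str:
    """Reflected flow: the user name is echoed back in the response page."""
    user = parse_request(request)["username"]
    if handling == "encode":
        user = html_encode(user)
    elif handling == "encode-then-decode":
        user = html_decode(html_encode(user))
    return det.sink(concat("Hello, ", user))

def post_message(request: dict, row: MessageRow) -> None:
    """Stored flow, write side: nothing is reported at the set method."""
    row.set_body(parse_request(request)["body"])

def show_board(det: Detector, row: MessageRow) -> str:
    """Stored flow, read side: the get method's result goes to the front end."""
    return det.sink(row.get_body())

def run_demo() -> list:
    """Constructed requests. The marker text is arbitrary: detection depends on
    the label, not on the payload, which is why no junk data has to be sent."""
    det = Detector()
    login = {"params": {"username": "<i>Zhang San</i>"}}
    login_handler(det, login, "encode")              # safe-state label: no finding
    login_handler(det, login, "raw")                 # reflected XSS
    login_handler(det, login, "encode-then-decode")  # reflected XSS
    row = MessageRow()
    post_message({"params": {"body": "first post <b>hi</b>"}}, row)
    show_board(det, row)                             # stored XSS
    return det.findings

if __name__ == "__main__":
    for kind, value in run_demo():
        print(f"{kind}: {value!r}")
```

Running the block yields three findings: two reflected (the raw echo and the encode-then-decode case of step S203) and one stored, which is raised only when the get method's result reaches the sink rather than when the set method stores it (step S502). The encoded login produces nothing because its label is safe-state, and the constructed marker text never has to resemble an attack, which is the patent's point about detecting from the label instead of from injected junk data.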
In the cross-site scripting attack vulnerability detection method described above, a request is received, the parsed parameters are obtained from the request, and the parsed parameters are tracked by data-flow tracking to obtain execution information; from the execution information it can be judged whether the request contains a cross-site scripting attack vulnerability and to which class it belongs, so that detection is completed on the basis of a single request. This solves the problem that conventional methods cannot detect stored cross-site scripting attack vulnerabilities, while also offering fast detection and generating no junk data.
It should be understood that the numbering of the steps in the above embodiment does not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present invention.
Embodiment two
Corresponding to the cross-site scripting attack vulnerability detection method of embodiment one, Fig. 6 shows the structural diagram of the cross-site scripting attack vulnerability detection apparatus provided by an embodiment of the present invention. For ease of description, only the parts relevant to this embodiment are shown.
The cross-site scripting attack vulnerability detection apparatus may comprise a receiving module 101, a parsing module 102, an acquisition module 103 and a detection module 104. The receiving module 101 is configured to receive a request; the parsing module 102 parses the request to obtain the parsed parameters; the acquisition module 103 is configured to track the parsed parameters by data-flow tracking to obtain execution information of the running application program, the application program being the application program corresponding to the request; and the detection module 104 is configured to detect, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
Optionally, the acquisition module 103 comprises a tracking start unit, a business-logic processing unit and an information labelling unit. The tracking start unit is configured to judge the parsed parameters and, when the source of a parameter is request data, start the tracking process for that parameter; the business-logic processing unit is configured to perform business-logic processing on the request data to obtain the data after business-logic processing; and the information labelling unit is configured to apply a safety-state label to the data after business-logic processing.
Optionally, the detection module 104 comprises a first detection unit and a second detection unit. The first detection unit is configured to detect the safety-state label and, when the label is unsafe-state information, determine that the request contains a cross-site scripting attack vulnerability; the second detection unit is configured to detect the flow state of the business-logic-processed data labelled as unsafe-state information and judge the type of the cross-site scripting attack vulnerability.
The cross-site scripting attack vulnerability detection apparatus of embodiment two can be used to execute the cross-site scripting attack vulnerability detection method shown in Fig. 1; for the specific implementation principles, refer to the method embodiment above, which is not repeated here.
In the apparatus described above, the receiving module receives a request, the parsing module obtains the parsed parameters, the acquisition module tracks the parsed parameters by data-flow tracking and obtains execution information, and the detection module judges from the execution information whether the request contains a cross-site scripting attack vulnerability and to which class it belongs, so that detection is completed on the basis of a single request. This solves the problem that conventional methods cannot detect stored cross-site scripting attack vulnerabilities, while also offering fast detection and generating no junk data.
Embodiment three
Fig. 7 is a schematic diagram of the cross-site scripting vulnerability detection device provided by an embodiment of the invention. As shown in Fig. 7, the cross-site scripting vulnerability detection device 7 of this embodiment includes a processor 701, a memory 702, and a computer program 703 stored in the memory 702 and runnable on the processor 701, for example a program that obtains execution information. When the processor 701 executes the computer program 703, it carries out the steps of each cross-site scripting vulnerability detection method embodiment above, such as steps 101 to 104 shown in FIG. 1. Alternatively, when the processor 701 executes the computer program 703, it realises the functions of each module/unit in the device embodiments above, such as the functions of modules 101 to 104 shown in Fig. 6.
Illustratively, the computer program 703 can be divided into one or more modules/units, which are stored in the memory 702 and executed by the processor 701 to carry out the invention. The one or more modules/units can be a series of computer program instruction segments capable of completing specific functions; the instruction segments describe the execution process of the computer program 703 in the cross-site scripting vulnerability detection device/terminal device 70. For example, the computer program 703 can be divided into a receiving module, a parsing module, an acquisition module and a detection module, whose specific functions are as follows:
The receiving module 101 receives a request. The parsing module 102 parses the request and obtains the parsed parameters. The acquisition module 103 tracks the parsed parameters by data-flow tracking and obtains execution information while the application runs; the application is the one corresponding to the request. The detection module 104 detects from the execution information whether a cross-site scripting vulnerability exists in the request.
The cross-site scripting vulnerability detection device/terminal device 70 can be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The device/terminal device may include, but is not limited to, the processor 701 and the memory 702. Those skilled in the art will understand that Fig. 7 is only an example of the cross-site scripting vulnerability detection device/terminal device 70 and does not limit it; it may include more or fewer components than illustrated, combine certain components, or use different components. For example, the device/terminal device may also include input/output devices, network access devices, a bus, etc.
The processor 701 can be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor can be a microprocessor, or any conventional processor.
The memory 702 can be an internal storage unit of the cross-site scripting vulnerability detection device/terminal device 70, such as its hard disk or main memory. The memory 702 can also be an external storage device of the device/terminal device 70, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to it. Further, the memory 702 can include both the internal storage unit and an external storage device. The memory 702 stores the computer program and the other programs and data the device/terminal device needs, and can also be used to temporarily store data that has been output or is to be output.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the division into the functional units and modules above is given only as an example. In practice the functions above can be assigned to different functional units or modules as needed, i.e. the internal structure of the device can be divided into different functional units or modules to complete all or part of the functions described. The functional units in the embodiments can be integrated in one processing unit, each unit can exist physically alone, or two or more units can be integrated in one unit; the integrated unit can be realised in hardware or as a software functional unit. The specific names of the functional units and modules serve only to distinguish them from one another and do not limit the scope of protection of this application. For the specific working process of the units and modules in the system above, refer to the corresponding process in the method embodiment, which is not repeated here.
In the embodiments above, each embodiment is described with its own emphasis; for a part not described or recorded in detail in one embodiment, refer to the related description of the other embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be realised with electronic hardware, or with a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to realise the described functions for each specific application, but such a realisation should not be considered to go beyond the scope of the invention.
It should be understood that the device/terminal device and method disclosed in the embodiments provided by the invention can be realised in other ways. For example, the device/terminal device embodiments described above are only illustrative; the division of modules or units is only a division by logical function, and there may be another division in actual implementation, e.g. multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some interfaces, devices or units, and can be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual need to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the invention can be integrated in one processing unit, each unit can exist physically alone, or two or more units can be integrated in one unit. The integrated unit can be realised in hardware or as a software functional unit.
If the integrated module/unit is realised as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. On this understanding, all or part of the process of the method embodiments above can also be completed by a computer program instructing the relevant hardware; the computer program can be stored in a computer-readable storage medium and, when executed by a processor, realises the steps of each method embodiment above. The computer program comprises computer program code, which can be in source-code form, object-code form, an executable file, some intermediate form, etc. The computer-readable medium can include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc. Note that the content a computer-readable medium may include can be increased or reduced as appropriate according to the requirements of legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
The embodiments above are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in each of the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention, and are all included within the scope of protection of the invention.

Claims (10)

1. A cross-site scripting attack vulnerability detection method, characterised by comprising:
receiving a request;
parsing the request to obtain parsed parameters;
tracking the parsed parameters by data-flow tracking to obtain execution information while the application runs, the application being the application corresponding to the request;
detecting from the execution information whether a cross-site scripting vulnerability exists in the request.
2. The cross-site scripting attack vulnerability detection method of claim 1, characterised in that tracking the parsed parameters by data-flow tracking to obtain execution information while the application runs specifically comprises:
judging the parsed parameters and, when the source of a parameter is the request data, starting a tracking process for that parameter;
performing business-logic processing on the request data to obtain the data after business-logic processing;
attaching a safety-state label to the data after business-logic processing.
3. The cross-site scripting attack vulnerability detection method of claim 2, characterised in that detecting from the execution information whether a cross-site scripting vulnerability exists in the request specifically comprises:
inspecting the safety-state label; when the label indicates an unsafe state, a cross-site scripting vulnerability exists in the request;
inspecting the flow state of the unsafe-labelled data after business-logic processing to judge the type of the cross-site scripting vulnerability.
4. The cross-site scripting attack vulnerability detection method of claim 3, characterised in that inspecting the flow state of the unsafe-labelled data after business-logic processing to judge the type of the cross-site scripting vulnerability specifically comprises:
when the unsafe-labelled data after business-logic processing is in a return state, reporting that a reflected cross-site scripting vulnerability exists in the request;
when the unsafe-labelled data after business-logic processing is in a storage state, and a preset analysis model judges that the parameter needs to be called, reporting that a stored cross-site scripting vulnerability exists in the request.
5. The cross-site scripting attack vulnerability detection method of claim 4, characterised in that judging by the preset analysis model that the parameter needs to be called specifically comprises:
obtaining the persistence-layer framework used when the parameter is saved, and obtaining from the persistence-layer framework the storage information and read information of the data;
obtaining an instrumentation scheme and judgement-processing logic from the storage information and read information, and determining from the instrumentation scheme and judgement-processing logic whether the parameter is called.
6. A cross-site scripting attack vulnerability detection device, characterised by comprising a receiving module, a parsing module, an acquisition module and a detection module;
the receiving module is configured to receive a request;
the parsing module is configured to parse the request to obtain parsed parameters;
the acquisition module is configured to track the parsed parameters by data-flow tracking to obtain execution information while the application runs, the application being the application corresponding to the request;
the detection module is configured to detect from the execution information whether a cross-site scripting vulnerability exists in the request.
7. The cross-site scripting attack vulnerability detection device of claim 6, characterised in that the acquisition module comprises a tracking start unit, a business-logic processing unit and an information marking unit;
the tracking start unit is configured to judge the parsed parameters and, when the source of a parameter is the request data, start a tracking process for that parameter;
the business-logic processing unit is configured to perform business-logic processing on the request data to obtain the data after business-logic processing;
the information marking unit is configured to attach a safety-state label to the data after business-logic processing.
8. The cross-site scripting attack vulnerability detection device of claim 7, characterised in that the detection module comprises a first detection unit and a second detection unit;
the first detection unit is configured to inspect the safety-state label; when the label indicates an unsafe state, a cross-site scripting vulnerability exists in the request;
the second detection unit is configured to inspect the flow state of the unsafe-labelled data after business-logic processing and judge the type of the cross-site scripting vulnerability.
9. A cross-site scripting attack vulnerability detection terminal device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterised in that the processor, when executing the computer program, realises the steps of the method of any one of claims 1 to 5.
10. A computer-readable storage medium storing a computer program, characterised in that the computer program, when executed by a processor, realises the steps of the method of any one of claims 1 to 5.
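As a worked illustration of the procedure of claims 1 to 5, and of the tracking-start, business-logic, marking and detection units of embodiment two above, the following Python is an added example written for this page; it is not code from the patent or its applicant. It is a toy in-process data-flow tracker: each request parameter is wrapped in a tracked value carrying a safety-state label, string operations propagate the label, an HTML encoder clears it, and the two sinks (writing a response, persisting a field) fix the flow state and classify any still-unsafe value that reaches them as reflected or stored XSS. The `persistence_model` table, the sink names, the `Detector`/`Tracked` classes and the sample request lines are all constructed assumptions; claim 5 obtains the read-back information from the real persistence-layer framework, which is replaced here by a hand-written mapping from stored field to the code paths that read it.

```python
import html
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit


@dataclass
class Tracked:
    """A request-sourced value with its safety-state label and flow state."""
    value: str
    source: str                 # request parameter the value came from
    unsafe: bool = True         # safety-state label; only an encoder clears it
    state: str = "in_flight"    # becomes "returned" or "stored" at a sink


@dataclass
class Finding:
    kind: str                   # "reflected" or "stored"
    parameter: str
    sink: str


# Business-logic operations: concatenation propagates the label, encoding clears it
def wrap(t: Tracked, before: str, after: str) -> Tracked:
    return Tracked(before + t.value + after, t.source, t.unsafe)


def html_encode(t: Tracked) -> Tracked:
    return Tracked(html.escape(t.value, quote=True), t.source, unsafe=False)


class Detector:
    """Receiving, parsing, acquisition and detection modules in one class.

    persistence_model (hypothetical, hand-written here): for each stored field,
    the code paths that later read it back. Claim 5 derives this from the
    persistence-layer framework; a real agent would instrument the ORM instead.
    """

    def __init__(self, persistence_model: Dict[str, List[str]]):
        self.persistence_model = persistence_model
        self.store: Dict[str, Tracked] = {}
        self.findings: List[Finding] = []

    def parse_request(self, request_line: str) -> Dict[str, Tracked]:
        """Receive + parse: every value whose source is the request is tracked."""
        _method, target, _version = request_line.split(" ", 2)
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        return {name: Tracked(values[0], source=name) for name, values in query.items()}

    def respond(self, t: Tracked, sink: str = "response") -> str:
        """Return-state sink: an unsafe label arriving here is reflected XSS."""
        t.state = "returned"
        if t.unsafe:
            self.findings.append(Finding("reflected", t.source, sink))
        return t.value

    def persist(self, field_name: str, t: Tracked) -> None:
        """Storage-state sink: an unsafe label is stored XSS only if read back."""
        t.state = "stored"
        self.store[field_name] = t
        readers = self.persistence_model.get(field_name, [])
        if t.unsafe and readers:
            self.findings.append(Finding("stored", t.source, f"{field_name} -> {readers[0]}"))


def run_demo() -> Detector:
    """Drive two constructed requests through the tracker (sample data, not captured traffic)."""
    det = Detector({"comments.body": ["render_comment_list"], "audit.raw": []})

    params = det.parse_request("GET /search?q=<script>alert(1)</script>&page=2 HTTP/1.1")
    det.respond(wrap(params["q"], "<h1>Results for ", "</h1>"))   # unencoded echo -> reflected
    det.respond(html_encode(params["page"]))                       # encoded -> label cleared

    params = det.parse_request("POST /comment?body=<img+src=x+onerror=alert(1)>&note=ok HTTP/1.1")
    det.persist("comments.body", params["body"])   # read back by a renderer -> stored
    det.persist("audit.raw", params["note"])       # never read back -> no finding
    return det


if __name__ == "__main__":
    for f in run_demo().findings:
        print(f.kind, f.parameter, f.sink)
```

Run stand-alone, the block prints one line per finding. The point worth noticing is the stored case: it is reported at the moment the unsafe value is persisted, because the model already says the field is read back, so no second request and no rendered page are needed, which is the single-request property the description claims. A value that reaches a sink only after `html_encode` produces no finding, and a value written to a field nothing ever reads is stored but not reported.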
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810746133.1A CN109165507B (en) 2018-07-09 2018-07-09 Cross-site scripting attack vulnerability detection method and device and terminal equipment

Publications (2)

Publication Number Publication Date
CN109165507A true CN109165507A (en) 2019-01-08
CN109165507B CN109165507B (en) 2021-02-19

Family

ID=64897527

Country Status (1)

Country Link
CN (1) CN109165507B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110381033A (en) * 2019-06-24 2019-10-25 深圳开源互联网安全技术有限公司 Web application hole detection method, apparatus, system, storage medium and server
CN110929264A (en) * 2019-11-21 2020-03-27 中国工商银行股份有限公司 Vulnerability detection method and device, electronic equipment and readable storage medium
CN111859375A (en) * 2020-07-20 2020-10-30 百度在线网络技术(北京)有限公司 Vulnerability detection method and device, electronic equipment and storage medium
CN111949992A (en) * 2020-08-17 2020-11-17 中国工商银行股份有限公司 Automatic safety monitoring method and system for WEB application program
WO2020252698A1 (en) * 2019-06-19 2020-12-24 深圳开源互联网安全技术有限公司 Data flow tracking method and system, storage medium, and server
CN112866274A (en) * 2021-02-01 2021-05-28 北京工业大学 XSS vulnerability detection method based on cloud data
CN113761519A (en) * 2021-08-19 2021-12-07 深圳开源互联网安全技术有限公司 Detection method and device for Web application program and storage medium
CN114124448A (en) * 2021-10-14 2022-03-01 北京墨云科技有限公司 Cross-site scripting attack identification method based on machine learning
CN114968826A (en) * 2022-07-28 2022-08-30 深圳开源互联网安全技术有限公司 Application program bug repair verification method and system
CN116055218A (en) * 2023-03-06 2023-05-02 深圳开源互联网安全技术有限公司 User login request identification method and system for web application security detection

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159732A (en) * 2007-08-14 2008-04-09 电子科技大学 Data flow analysis based hostile attack detecting method
CN101741645A (en) * 2009-12-17 2010-06-16 成都市华为赛门铁克科技有限公司 Method, device and system for detecting storage-type cross-site scripting attack and attack detector
CN101895516A (en) * 2009-05-19 2010-11-24 北京启明星辰信息技术股份有限公司 Method and device for positioning cross-site scripting attack source
CN101901221A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method and device for detecting cross site scripting
CN101901307A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Method and device for detecting whether database is attacked by cross-site script
CN102622558A (en) * 2012-03-01 2012-08-01 北京邮电大学 Excavating device and excavating method of binary system program loopholes
CN103544433A (en) * 2012-07-13 2014-01-29 北京一铭昌和科技发展有限公司 Method for defending cross site scripting attacks
CN103856471A (en) * 2012-12-06 2014-06-11 阿里巴巴集团控股有限公司 Cross-site scripting attack monitoring system and method
CN103995782A (en) * 2014-06-17 2014-08-20 电子科技大学 Taint analyzing method based on taint invariable set
CN104715195A (en) * 2015-03-12 2015-06-17 广东电网有限责任公司信息中心 Malicious code detecting system and method based on dynamic instrumentation
CN106506548A (en) * 2016-12-23 2017-03-15 努比亚技术有限公司 The defence installation of cross-site scripting attack and method
CN107657177A (en) * 2017-09-30 2018-02-02 北京奇虎科技有限公司 A kind of leak detection method and device
CN107784065A (en) * 2017-08-17 2018-03-09 平安壹钱包电子商务有限公司 Business datum tracking, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant