CN109165507A - Cross-site scripting attack vulnerability detection method, device and terminal device - Google Patents
- Publication number: CN109165507A (application CN201810746133.1A)
- Authority: CN (China)
- Prior art keywords: cross-site scripting, request, data, scripting attack
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55—Detecting local intrusion or implementing counter-measures > G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562—Static detection > G06F21/563—Static detection by source code analysis
Abstract
The present invention belongs to the field of computer security and provides a cross-site scripting attack vulnerability detection method, device and terminal device. The method comprises: receiving a request; parsing the request to obtain the parsed parameters; tracking the parsed parameters by a data-flow tracking technique to obtain execution information of the running application, the application being the one corresponding to the request; and detecting, according to the execution information, whether the request contains a cross-site scripting attack vulnerability. Because the execution information is obtained by data-flow tracking and is then examined to determine whether a cross-site scripting attack vulnerability exists and of which kind, the method, compared with conventional methods, can detect both kinds of cross-site scripting attack vulnerability, while also detecting quickly and generating no junk data.
Description
Technical field
The invention belongs to the field of computer security, and in particular relates to a cross-site scripting attack vulnerability detection method, device and terminal device.
Background
Cross-site scripting (XSS) is an attack in which an attacker injects executable script into a web page and lures users into visiting it, so that the injected script runs when a user browses the page, allowing the attacker to steal user data, perform actions under the user's identity, or infect the visitor with malware. XSS vulnerabilities are complex and can be divided into reflected XSS and stored XSS. In stored XSS the attack code is saved in a database and executes whenever a user opens the page, so it is more harmful and has a wider impact than reflected XSS.
In implementing the present invention, the inventors found that most existing cross-site scripting attack vulnerability detection methods are designed for reflected XSS. In reflected XSS the user's request and the response occur in the same period, so detection can be completed on the basis of a single request. In stored XSS the user's request and the response are often not in the same request cycle, so a large number of requests must be constructed to detect it, which makes detection inefficient and produces a large amount of data pollution.
Summary of the invention
In view of this, the embodiments of the present invention provide a cross-site scripting attack vulnerability detection method, device and terminal device, to solve the problem that existing XSS detection tools cannot detect stored XSS.
A first aspect of the embodiments of the present invention provides a cross-site scripting attack vulnerability detection method, comprising:
receiving a request;
parsing the request to obtain the parsed parameters;
tracking the parsed parameters by a data-flow tracking technique to obtain execution information of the running application, the application being the application corresponding to the request;
detecting, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
Optionally, tracking the parsed parameters by a data-flow tracking technique to obtain execution information of the running application specifically comprises:
judging the parsed parameters and, when a parameter originates from the request data, starting a tracking process for that parameter;
performing business-logic processing on the request data to obtain the processed data;
attaching a safety-state label to the processed data.
Optionally, detecting according to the execution information whether the request contains a cross-site scripting attack vulnerability specifically comprises:
examining the safety-state label and, when the label is unsafe-state information, determining that the request contains a cross-site scripting attack vulnerability;
examining the flow state of the processed data whose label is unsafe-state information, and determining the type of the cross-site scripting attack vulnerability.
Optionally, examining the flow state of the processed data whose label is unsafe-state information and determining the type of the cross-site scripting attack vulnerability specifically comprises:
when the processed data labelled unsafe-state information is in the return state, reporting that the request contains a reflected cross-site scripting attack vulnerability;
when the processed data labelled unsafe-state information is in the storage state, and a preset analysis model determines that the parameter needs to be called, reporting that the request contains a stored cross-site scripting attack vulnerability.
Optionally, determining by the preset analysis model that the parameter needs to be called specifically comprises:
obtaining the persistence-layer framework used when the parameter is saved, and obtaining from that framework the storage information and read information of the data;
obtaining an instrumentation scheme and decision-processing logic from the storage information and read information, and determining by the instrumentation scheme and decision-processing logic whether the parameter is called.
A second aspect of the embodiments of the present invention provides a cross-site scripting attack vulnerability detection device, comprising a receiving module, a parsing module, an acquisition module and a detection module;
the receiving module is for receiving a request;
the parsing module is for parsing the request to obtain the parsed parameters;
the acquisition module is for tracking the parsed parameters by a data-flow tracking technique to obtain execution information of the running application, the application being the application corresponding to the request;
the detection module is for detecting, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
Optionally, the acquisition module comprises a tracking-start unit, a business-logic processing unit and an information-labelling unit;
the tracking-start unit is for judging the parsed parameters and, when a parameter originates from the request data, starting a tracking process for that parameter;
the business-logic processing unit is for performing business-logic processing on the request data to obtain the processed data;
the information-labelling unit is for attaching a safety-state label to the processed data.
Optionally, the detection module comprises a first detection unit and a second detection unit;
the first detection unit is for examining the safety-state label and, when the label is unsafe-state information, determining that the request contains a cross-site scripting attack vulnerability;
the second detection unit is for examining the flow state of the processed data whose label is unsafe-state information, and determining the type of the cross-site scripting attack vulnerability.
A third aspect of the embodiments of the present invention provides a cross-site scripting attack vulnerability detection terminal device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of any of the cross-site scripting attack vulnerability detection methods described above.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the cross-site scripting attack vulnerability detection methods described above.
Compared with the prior art, the embodiments of the present invention have the following beneficial effects: a request is received and the parsed parameters are obtained from it; the parsed parameters are then tracked by a data-flow tracking technique to obtain execution information; and from the execution information it can be determined whether the request contains a cross-site scripting attack vulnerability and of which kind. Detection of a cross-site scripting attack vulnerability can thus be completed on the basis of a single request, which solves the problem that conventional methods cannot detect stored cross-site scripting attack vulnerabilities, while also detecting quickly and generating no junk data.
Description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the cross-site scripting attack vulnerability detection method provided in an embodiment of the present invention;
Fig. 2 is a flowchart of step S103 in Fig. 1;
Fig. 3 is a flowchart of step S104 in Fig. 1;
Fig. 4 is a flowchart of step S302 in Fig. 3;
Fig. 5 is a flowchart of step S402 in Fig. 4;
Fig. 6 is a structural diagram of the cross-site scripting attack vulnerability detection device provided in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the cross-site scripting attack vulnerability detection terminal device provided in an embodiment of the present invention.
Detailed description of the embodiments
In the following description, specific details such as particular system structures and techniques are given for the purpose of illustration rather than limitation, so that the embodiments of the present invention may be thoroughly understood. It will be clear to those skilled in the art, however, that the present invention may also be implemented in other embodiments without these specific details. In other cases, detailed descriptions of well-known systems, devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the invention.
To illustrate the technical solutions of the invention, specific embodiments are described below.
Embodiment one
Fig. 1 shows the implementation flow of the cross-site scripting attack vulnerability detection method provided in embodiment one of the present invention, described in detail as follows:
Step S101: receive a request.
When a user terminal requests a service of some application, it sends the service request to the web application server, and the web application server receives the user's request.
In general, a web application server needs to interact with the user, and when the request data contains malicious code, different interaction patterns correspond to different cross-site scripting attack vulnerabilities. In one interaction pattern, after the user submits data to the web server, the submitted data is returned to the user's browser. For example, on a user login page, after a user logs in to the website with the user name "Zhang San", the text "Hello, Zhang San" usually appears on the page; if the request data contains malicious code at this point, it is a reflected cross-site scripting attack. In the other interaction pattern, after the user submits data to the web server, the submitted data is stored. For example, on a message board page, after a user submits a message, the web server stores the message in a database; if the request data contains malicious code at this point, it is a stored cross-site scripting attack.
Step S102: parse the request to obtain the parsed parameters.
In this embodiment, the web server parses the user's request and thereby obtains the parsed parameters, where parsing means the process of obtaining the user's input data and the intermediate data. For example, in the login-page scenario above, when the user enters information such as a user name and password to request the login page, the web server parses the request and obtains the user name, password and other information the user entered. The parsed parameters are the objects tracked by the data-flow tracking technique.
Step S103: track the parsed parameters by a data-flow tracking technique to obtain execution information of the running application; the application is the one corresponding to the request.
In this embodiment, execution information of the running application is obtained by data-flow tracking, and from this execution information it is judged whether the user's request contains a cross-site scripting attack vulnerability. The application here is the one corresponding to the request. For example, when a user logs in to a personal mailbox through a browser, enters the mailbox address, opens the mailbox site, enters the account information and then sends a login request, the application is the mailbox program.
Referring to Fig. 2, in one embodiment step S103 can be implemented by the following process:
Step S201: judge the parsed parameters and, when a parameter originates from the request data, start a tracking process for that parameter.
In this embodiment, the condition for starting data-flow tracking of a parsed parameter is that the parameter is request data. Cross-site scripting attack vulnerabilities are usually formed by malicious code inserted by the user, so the main object of data-flow tracking is the request data. Note that request data here is not limited to the data the user enters: other data in the request may also have been tampered with by an attacker, so the tracked objects are all parameters taken from the request data. Specifically, probes are inserted into the program under test by core-class instrumentation, and the control-flow and data-flow information of the program is then obtained through the execution of the probes.
Step S202: perform business-logic processing on the request data to obtain the processed data.
In this embodiment, after data-flow tracking of the request data has started, business-logic processing is performed on it, where business-logic processing means the business operations applied to the data, such as checking or modifying the request data and thereby obtaining checked or modified data.
For example, in the login-page scenario above, after the user enters a user name and password, the entered user name and password are checked: whether the user name is a registered one and, if so, whether the entered password matches the preset password. In addition, to protect the user's information, the entered password may also be encrypted, yielding encrypted data. The business-logic processing of the request data here is the process of data propagation.
Step S203: attach a safety-state label to the processed data.
In this embodiment, after business-logic processing of the request data, a safety-state label is attached to the processed data. There are two kinds of label: safe-state information and unsafe-state information. Before labelling, the processed data is first judged: when the processed data has undergone safe handling, it is labelled safe-state information; conversely, when it has not undergone safe handling, it is labelled unsafe-state information. Safe handling here may include filtering of input data and encoding of output data. For example, to prevent cross-site scripting attacks, applications usually HTML-encode data; after the data has been HTML-encoded it is considered free of cross-site scripting attack vulnerabilities and can be labelled safe-state information. However, when the application does not HTML-encode the data, or decodes it again after HTML-encoding it, the data may still contain a cross-site scripting vulnerability and must be labelled unsafe-state information.
Step S104: detect, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
In this embodiment, whether the request contains a cross-site scripting attack vulnerability is detected from the execution information. Specifically, it is first judged whether a cross-site scripting attack vulnerability exists, and when one exists, its type is further determined.
Referring to Fig. 3, in one embodiment step S104 can be implemented by the following process:
Step S301: examine the safety-state label and, when the label is unsafe-state information, determine that the request contains a cross-site scripting attack vulnerability.
In this embodiment, to detect whether the received request contains a cross-site scripting attack vulnerability, only the safety-state label needs to be examined. When the request contains such a vulnerability, the moment at which it is reported is the moment when the content of the request needs to be called. Therefore, when the request content is called, the instrumentation code can check whether a safety-state label is present; when an unsafe-state label is detected, the request contains a cross-site scripting attack vulnerability.
For example, in the login-page scenario above, after the user enters a user name and password, the home page shown after login may need to display the user name; specifically, the user name is displayed on the front end by an output function. The detection code inserted into that function therefore runs when the output function is called and examines the safety-state label; if an unsafe-state label is detected, the request contains a cross-site scripting attack vulnerability.
Step S302: examine the flow state of the processed data whose label is unsafe-state information, and determine the type of the cross-site scripting attack vulnerability.
In this embodiment, the cross-site scripting attack vulnerability detection method can also detect the type of the vulnerability. The difference between a reflected and a stored cross-site scripting attack vulnerability is whether the content of the request is stored. Based on this fact, the flow state of the data the user sent in the request can be obtained by tracking the request data, and the type of the cross-site scripting attack vulnerability is judged from that flow state.
Referring to Fig. 4, in one embodiment step S302 can be implemented by the following process:
Step S401: when the processed data labelled unsafe-state information is in the return state, report that the request contains a reflected cross-site scripting attack vulnerability.
Specifically, once the label is determined to be unsafe-state information, the processed data is tracked to obtain its flow state. When the data is returned directly, a reflected cross-site scripting attack vulnerability is reported for the request.
Step S402: when the processed data labelled unsafe-state information is in the storage state, and the preset analysis model determines that the parameter needs to be called, report that the request contains a stored cross-site scripting attack vulnerability.
In this embodiment, when the label is determined to be unsafe-state information and the unsafe-labelled data is stored, the time at which the parameter is called must be obtained by the analysis model. When the read logic of the persistence-layer framework is detected to need the unsafe-labelled data, and that data is output to the front end, a stored cross-site scripting attack vulnerability is reported. Note that the unsafe-labelled data does not actually have to be read here: whether to report a stored cross-site scripting attack vulnerability can be judged from the read logic alone, which makes detection efficient. Data involved in stored cross-site scripting attack vulnerabilities may be saved through different persistence-layer frameworks, and different frameworks call their data in different forms; since the moment for reporting a cross-site scripting attack vulnerability is the moment the request content needs to be called, the storage and read processes of the different persistence-layer frameworks must be obtained.
Referring to Fig. 5, in one embodiment step S402 can be implemented by the following process:
Step S501: obtain the persistence-layer framework used when the parameter is saved, and obtain from that framework the storage information and read information of the data.
In this embodiment, to detect a stored cross-site scripting attack vulnerability, the type of persistence-layer framework used when saving the parameter must be obtained, and according to that type the storage information and read information of the data are obtained. For example, with the JPA framework, a web program defines an ORM class that corresponds to a table in the database, and the web program then updates and reads the table data through that ORM class: the fields of the class are initialised through set methods and the data is then stored in the corresponding database table, and on reading, specific data is taken out through get methods.
Step S502: obtain an instrumentation scheme and decision-processing logic from the storage information and read information, and determine by the instrumentation scheme and decision-processing logic whether the parameter is called.
In this embodiment, after the storage information and read information of the different persistence-layer frameworks have been obtained, an instrumentation scheme and decision-processing logic are derived from them, and a stored cross-site scripting attack vulnerability is then reported when the parameter information is called. For example, when the fields of a class are initialised through set methods, the set methods can be instrumented so that the input parameter is checked whenever a set method is called and it is judged whether the condition for reporting a vulnerability is met; when that condition is met, the get methods are instrumented as well, so that when a get method is called to fetch the data and pass it to the front end, the stored cross-site scripting attack vulnerability can be reported.
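To make the flow of embodiment one concrete, the following Python illustration (added here, not code from the patent) walks request parameters through the labelling of steps S201 to S203 and the return-state versus storage-state decision of steps S401 to S502, with probed set and get methods standing in for an instrumented ORM class. TaintedStr, Detector, ProbedEntity, login_page and message_board are names assumed for this example, and the two sample interactions are constructed.

```python
import html
from dataclasses import dataclass
from urllib.parse import parse_qs

class TaintedStr(str):
    """Request-derived data carrying the safety-state label of step S203."""

    def __new__(cls, value, safe=False, name="?", stored=False):
        obj = super().__new__(cls, value)
        obj.safe = safe        # True only after safe handling (HTML encoding)
        obj.name = name        # request parameter the data flowed from
        obj.stored = stored    # flow state: False = return state, True = storage state
        return obj

@dataclass(frozen=True)
class Report:
    kind: str        # "reflected" or "stored"
    parameter: str   # request parameter the unsafe data came from

class Detector:
    """Collects the vulnerability reports raised by the probes."""

    def __init__(self):
        self.reports = []

    def probe(self, value, flow_state):
        """Report when request content labelled unsafe reaches a call site (S301)."""
        if isinstance(value, TaintedStr) and not value.safe:
            self.reports.append(Report(flow_state, value.name))

# Steps S101/S102/S201: parse the request and start tracking every request parameter.
def parse_request(query_string):
    return {k: TaintedStr(v[0], safe=False, name=k)
            for k, v in parse_qs(query_string).items()}

# Steps S202/S203: business logic propagates the data and relabels it.
def html_encode(data):
    """Safe handling (output encoding): the result is labelled safe."""
    return TaintedStr(html.escape(data), safe=True, name=data.name, stored=data.stored)

def html_decode(data):
    """Decoding after encoding undoes the safe handling: label unsafe again."""
    return TaintedStr(html.unescape(data), safe=False, name=data.name, stored=data.stored)

# Step S401: the page returns the data directly (return state).
def render_to_front_end(detector, data):
    """Instrumented output function: the probe runs before the data is echoed."""
    if isinstance(data, TaintedStr) and not data.stored:
        detector.probe(data, "reflected")
    return f"<p>Hello, {data}</p>"

# Steps S501/S502: a stand-in for a JPA-style ORM entity whose set and get
# methods are the instrumentation points (storage state).
class ProbedEntity:
    def __init__(self, detector):
        self._detector = detector
        self._fields = {}

    def set_field(self, name, value):
        # set probe: an unsafe-labelled value entering storage meets the report
        # condition; keep its label and mark its flow state as stored.
        if isinstance(value, TaintedStr) and not value.safe:
            value = TaintedStr(value, safe=False, name=value.name, stored=True)
        self._fields[name] = value

    def get_field(self, name):
        # get probe: the read logic fetches an unsafe stored value, so the stored
        # XSS vulnerability is reported here without waiting for the output.
        value = self._fields[name]
        self._detector.probe(value, "stored")
        return value

# Two sample interactions constructed for this example (not from the patent).
def login_page(detector, query_string, encode=True, decode_again=False):
    """Login page that greets the user by name (reflected interaction pattern)."""
    user = parse_request(query_string)["username"]
    if encode:
        user = html_encode(user)
        if decode_again:
            user = html_decode(user)
    return render_to_front_end(detector, user)

def message_board(detector, query_string, encode=False):
    """Message board that stores a message and shows it later (stored pattern)."""
    message = parse_request(query_string)["message"]
    if encode:
        message = html_encode(message)
    entity = ProbedEntity(detector)
    entity.set_field("message", message)              # persisted via the ORM
    return render_to_front_end(detector, entity.get_field("message"))
```

Each scenario needs only the one request that carries the data: the stored case is reported at the get probe rather than by replaying requests against the stored page.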
The cross-site scripting attack vulnerability detection method described above receives a request, obtains the parsed parameters from it, tracks the parsed parameters by a data-flow tracking technique to obtain execution information, and from that execution information determines whether the request contains a cross-site scripting attack vulnerability and of which kind. Detection of a cross-site scripting attack vulnerability can thus be completed on the basis of a single request, which solves the problem that conventional methods cannot detect stored cross-site scripting attack vulnerabilities, while also detecting quickly and generating no junk data.
It should be understood that the numbering of the steps in the above embodiment does not imply an order of execution; the order in which the processes are executed is determined by their function and internal logic and does not limit the implementation of the embodiments of the present invention in any way.
Embodiment two
Corresponding to the cross-site scripting attack vulnerability detection method described in embodiment one, Fig. 6 shows the structure of the cross-site scripting attack vulnerability detection device provided in an embodiment of the present invention. For ease of description, only the parts relevant to this embodiment are shown.
The cross-site scripting attack vulnerability detection device may comprise a receiving module 101, a parsing module 102, an acquisition module 103 and a detection module 104. The receiving module 101 is for receiving a request; the parsing module 102 is for parsing the request to obtain the parsed parameters; the acquisition module 103 is for tracking the parsed parameters by a data-flow tracking technique to obtain execution information of the running application, the application being the one corresponding to the request; and the detection module 104 is for detecting, according to the execution information, whether the request contains a cross-site scripting attack vulnerability.
Optionally, the acquisition module 103 comprises a tracking-start unit, a business-logic processing unit and an information-labelling unit. The tracking-start unit is for judging the parsed parameters and, when a parameter originates from the request data, starting a tracking process for that parameter; the business-logic processing unit is for performing business-logic processing on the request data to obtain the processed data; and the information-labelling unit is for attaching a safety-state label to the processed data.
Optionally, the detection module 104 comprises a first detection unit and a second detection unit. The first detection unit is for examining the safety-state label and, when the label is unsafe-state information, determining that the request contains a cross-site scripting attack vulnerability; the second detection unit is for examining the flow state of the processed data whose label is unsafe-state information and determining the type of the cross-site scripting attack vulnerability.
The cross-site scripting attack vulnerability detection device of this embodiment two can be used to perform the cross-site scripting attack vulnerability detection method shown in Fig. 1; its implementation principle is as described in the method embodiment above and is not repeated here.
The cross-site scripting attack vulnerability detection device described above receives a request through the receiving module, obtains the parsed parameters through the parsing module, tracks the parsed parameters by a data-flow tracking technique through the acquisition module to obtain execution information, and through the detection module determines from the execution information whether the request contains a cross-site scripting attack vulnerability and of which kind. Detection of a cross-site scripting attack vulnerability can thus be completed on the basis of a single request, which solves the problem that conventional methods cannot detect stored cross-site scripting attack vulnerabilities, while also detecting quickly and generating no junk data.
Embodiment three
Fig. 7 is a schematic diagram of the cross-site scripting vulnerability detection terminal device provided by an embodiment of the invention. As shown in Fig. 7, the cross-site scripting vulnerability detection terminal device 7 of this embodiment includes a processor 701, a memory 702, and a computer program 703 stored in the memory 702 and executable on the processor 701, for example a program that obtains execution information. When the processor 701 executes the computer program 703 it implements the steps of each cross-site scripting vulnerability detection method embodiment described above, such as steps 101 to 104 shown in Fig. 1; alternatively, it implements the functions of the modules/units of each device embodiment described above, such as modules 101 to 104 shown in Fig. 6.
Illustratively, the computer program 703 can be divided into one or more modules/units, which are stored in the memory 702 and executed by the processor 701 to carry out the invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions; these instruction segments describe the execution process of the computer program 703 in the cross-site scripting vulnerability detection device/terminal device 70. For example, the computer program 703 can be divided into a receiving module, a parsing module, an acquisition module and a detection module, with the following specific functions:
The receiving module 101 receives a request. The parsing module 102 parses the request to obtain the parsed parameters. The acquisition module 103 tracks the parsed parameters by data flow tracking to obtain execution information while the application runs, the application being the one that corresponds to the request. The detection module 104 detects, from the execution information, whether a cross-site scripting vulnerability exists in the request.
The cross-site scripting vulnerability detection device/terminal device 70 can be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. It may include, but is not limited to, the processor 701 and the memory 702. Those skilled in the art will understand that Fig. 7 is only an example of the device/terminal device 70 and does not limit it: it may include more or fewer components than illustrated, combine certain components, or use different components. For example, the device/terminal device may also include input/output devices, network access devices, a bus, and so on.
The processor 701 can be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 702 can be an internal storage unit of the device/terminal device 70, such as its hard disk or RAM. It can also be an external storage device of the device/terminal device 70, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to it. Further, the memory 702 can include both an internal storage unit and an external storage device. The memory 702 stores the computer program and the other programs and data required by the device/terminal device, and can also temporarily store data that has been output or is to be output.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the division into the functional units and modules above is only an example; in practice the functions can be assigned to different functional units or modules as needed, that is, the internal structure of the device can be divided into different functional units or modules to complete all or part of the functions described above. The functional units in the embodiments may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit; an integrated unit can be implemented in hardware or as a software functional unit. The specific names of the functional units and modules serve only to distinguish them from each other and do not limit the scope of protection of this application. For the specific working process of the units and modules in the above system, refer to the corresponding process in the method embodiments above, which is not repeated here.
Each of the above embodiments has its own emphasis; for parts not described or recorded in detail in one embodiment, refer to the related description of the other embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such an implementation should not be regarded as going beyond the scope of the invention.
In the embodiments provided by the invention, it should be understood that the disclosed device/terminal device and method can be implemented in other ways. For example, the device/terminal device embodiments described above are only schematic: the division into modules or units is only a logical functional division, and other divisions are possible in actual implementation; for instance, multiple units or components can be combined or integrated into another system, or some features can be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through interfaces, devices or units, and can be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the various embodiments of the invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit can be implemented in hardware or as a software functional unit.
If the integrated module/unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. On this understanding, all or part of the processes in the methods of the above embodiments can also be completed by a computer program instructing the relevant hardware; the computer program can be stored in a computer-readable storage medium, and when executed by a processor it implements the steps of each method embodiment above. The computer program comprises computer program code, which can be in source code form, object code form, an executable file, some intermediate form, and so on. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disc, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and so on. It should be noted that the content included in the computer-readable medium can be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.
The above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention; they are all included within the scope of protection of the invention.
Claims (10)
1. A cross-site scripting vulnerability detection method, characterized by comprising:
receiving a request;
parsing the request to obtain the parsed parameters;
tracking the parsed parameters by data flow tracking to obtain execution information while the application runs, the application being the application that corresponds to the request; and
detecting, from the execution information, whether a cross-site scripting vulnerability exists in the request.
2. The cross-site scripting vulnerability detection method of claim 1, characterized in that tracking the parsed parameters by data flow tracking to obtain execution information while the application runs specifically comprises:
judging the parsed parameters and, when the source of a parameter is request data, starting a tracking process for that parameter;
performing business logic processing on the request data to obtain the data after business logic processing; and
labelling the data after business logic processing with security state information.
3. The cross-site scripting vulnerability detection method of claim 2, characterized in that detecting, from the execution information, whether a cross-site scripting vulnerability exists in the request specifically comprises:
detecting the label of the security state information and, when the label is unsafe state information, determining that a cross-site scripting vulnerability exists in the request; and
detecting the flow state of the data labelled unsafe after business logic processing, and determining the type of the cross-site scripting vulnerability.
4. The cross-site scripting vulnerability detection method of claim 3, characterized in that detecting the flow state of the data labelled unsafe after business logic processing and determining the type of the cross-site scripting vulnerability specifically comprises:
when the data labelled unsafe after business logic processing is in the return state, reporting that a reflected cross-site scripting vulnerability exists in the request; and
when the data labelled unsafe after business logic processing is in the storage state, and a preset analysis model judges that the parameter needs to be called, reporting that a stored cross-site scripting vulnerability exists in the request.
5. The cross-site scripting vulnerability detection method of claim 4, characterized in that judging by the preset analysis model that the parameter needs to be called specifically comprises:
obtaining the persistence layer framework used when the parameter is saved, and obtaining the storage information and read information of the data according to the persistence layer framework; and
obtaining an instrumentation scheme and judgement processing logic according to the storage information and read information, and obtaining, according to the instrumentation scheme and judgement processing logic, whether the parameter is called.
6. A cross-site scripting vulnerability detection device, characterized by comprising a receiving module, a parsing module, an acquisition module and a detection module;
the receiving module being configured to receive a request;
the parsing module being configured to parse the request to obtain the parsed parameters;
the acquisition module being configured to track the parsed parameters by data flow tracking to obtain execution information while the application runs, the application being the application that corresponds to the request; and
the detection module being configured to detect, from the execution information, whether a cross-site scripting vulnerability exists in the request.
7. The cross-site scripting vulnerability detection device of claim 6, characterized in that the acquisition module comprises a tracking start unit, a business logic processing unit and an information labelling unit;
the tracking start unit being configured to judge the parsed parameters and, when the source of a parameter is request data, start a tracking process for that parameter;
the business logic processing unit being configured to perform business logic processing on the request data to obtain the data after business logic processing; and
the information labelling unit being configured to label the data after business logic processing with security state information.
8. The cross-site scripting vulnerability detection device of claim 7, characterized in that the detection module comprises a first detection unit and a second detection unit;
the first detection unit being configured to detect the label of the security state information and, when the label is unsafe state information, determine that a cross-site scripting vulnerability exists in the request; and
the second detection unit being configured to detect the flow state of the data labelled unsafe after business logic processing, and determine the type of the cross-site scripting vulnerability.
9. A cross-site scripting vulnerability detection terminal device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 5.
10. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 5.
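The procedure of claims 1 to 5, and the receive/parse/track/detect module chain summarised in embodiment two, modelled as an added Python example. This is not the patent's code and makes no claim about how the patentee instruments a real application: the web application, the HTTP requests, the sanitizer, the persistence layer and the read hook that stands in for the instrumentation scheme of claim 5 are all constructed here. Only the flow follows the claims: trace parameters whose source is the request, label them after business logic processing, then report reflected XSS when unsafe data reaches the response and stored XSS only when unsafe data is persisted and the application later reads it back.

```python
# Added example (not the patent's code): a toy model of the claimed data-flow
# tracking XSS detector. The application, requests, sanitizer and persistence
# layer below are all constructed here for illustration.
from dataclasses import dataclass
from html import escape
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SAFE, UNSAFE = "safe", "unsafe"          # security-state labels (claim 2)

@dataclass
class Tracked:
    """A traced request parameter plus the execution information gathered on it."""
    value: str
    source: str                          # request parameter the data came from
    state: str = UNSAFE                  # label given after business logic processing
    flow: Optional[str] = None           # "return" or "storage" once it reaches a sink
    key: Optional[str] = None            # persistence key when flow == "storage"

class Tracker:
    """Collects execution information: every sink a traced value reaches, plus the
    reads seen by the (hypothetical) instrumented persistence layer of claim 5."""
    def __init__(self):
        self.records = []
        self.storage = {}                # stand-in for a persistence-layer framework
        self.reads = set()               # keys the application read back from storage

    def start_trace(self, params):
        # claim 2: only data whose source is the request is traced
        return {k: Tracked(v[0], k) for k, v in params.items()}

    def sanitize(self, t):
        # business logic that neutralises HTML metacharacters -> labelled safe
        return Tracked(escape(t.value, quote=True), t.source, SAFE)

    def respond(self, t):
        # sink: value written into the HTTP response ("return state")
        t.flow = "return"
        self.records.append(t)
        return t.value

    def store(self, key, t):
        # sink: value saved through the persistence layer ("storage state")
        t.flow, t.key = "storage", key
        self.records.append(t)
        self.storage[key] = t

    def read(self, key):
        # instrumented read hook: records that the stored parameter is called later
        self.reads.add(key)
        return self.storage[key].value if key in self.storage else ""

def parse_request(raw):
    # split the request line of a constructed HTTP request into path and params
    _method, target, _version = raw.splitlines()[0].split(" ")
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query)

def handle(tracker, raw):
    """Constructed application with one reflected and one stored data path."""
    path, params = parse_request(raw)
    traced = tracker.start_trace(params)
    if path == "/search":                # echoes the query unchanged
        return tracker.respond(traced["q"])
    if path == "/hello":                 # escapes before echoing
        return tracker.respond(tracker.sanitize(traced["name"]))
    if path == "/comment":               # persists the comment text
        tracker.store("comment", traced["text"])
        return "saved"
    if path == "/comments":              # renders the persisted comment
        return tracker.read("comment")
    return "not found"

def detect(tracker):
    """Claims 3-4: unsafe data in return state is reflected XSS; unsafe data in
    storage state is stored XSS only if the application later reads it back."""
    findings = []
    for t in tracker.records:
        if t.state != UNSAFE:
            continue
        if t.flow == "return":
            findings.append(("reflected", t.source))
        elif t.flow == "storage" and t.key in tracker.reads:
            findings.append(("stored", t.source))
    return findings

def scan(requests):
    """Run constructed requests through the instrumented app; return the findings."""
    tracker = Tracker()
    for raw in requests:
        handle(tracker, raw)
    return detect(tracker)

PAYLOAD = "%3Cscript%3Ealert(1)%3C/script%3E"   # constructed probe, URL-encoded
REQUESTS = [                                    # constructed request lines
    f"GET /search?q={PAYLOAD} HTTP/1.1\r\nHost: example.test\r\n\r\n",
    f"GET /hello?name={PAYLOAD} HTTP/1.1\r\nHost: example.test\r\n\r\n",
    f"GET /comment?text={PAYLOAD} HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /comments HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    print(scan(REQUESTS))       # [('reflected', 'q'), ('stored', 'text')]
```

Two points the claims make are visible in the output. The `/hello` path is never reported, because the sanitizer relabels the data safe before it reaches the response sink; the detector never inspects the payload itself, only the label and the sink. The `/comment` path is reported as stored XSS only when the fourth request triggers the persistence-layer read hook; drop that request and the same unsafe store produces no finding, which is the "parameter needs to be called" condition of claim 4 and the reason the method needs the storage/read instrumentation of claim 5 rather than a second probing request.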
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810746133.1A CN109165507B (en) | 2018-07-09 | 2018-07-09 | Cross-site scripting attack vulnerability detection method and device and terminal equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109165507A true CN109165507A (en) | 2019-01-08 |
CN109165507B CN109165507B (en) | 2021-02-19 |
Family
ID=64897527
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810746133.1A Active CN109165507B (en) | 2018-07-09 | 2018-07-09 | Cross-site scripting attack vulnerability detection method and device and terminal equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109165507B (en) |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101159732A (en) * | 2007-08-14 | 2008-04-09 | 电子科技大学 | Data flow analysis based hostile attack detecting method |
CN101741645A (en) * | 2009-12-17 | 2010-06-16 | 成都市华为赛门铁克科技有限公司 | Method, device and system for detecting storage-type cross-site scripting attack and attack detector |
CN101895516A (en) * | 2009-05-19 | 2010-11-24 | 北京启明星辰信息技术股份有限公司 | Method and device for positioning cross-site scripting attack source |
CN101901221A (en) * | 2009-05-27 | 2010-12-01 | 北京启明星辰信息技术股份有限公司 | Method and device for detecting cross site scripting |
CN101901307A (en) * | 2009-05-27 | 2010-12-01 | 北京启明星辰信息技术股份有限公司 | Method and device for detecting whether database is attacked by cross-site script |
CN102622558A (en) * | 2012-03-01 | 2012-08-01 | 北京邮电大学 | Excavating device and excavating method of binary system program loopholes |
CN103544433A (en) * | 2012-07-13 | 2014-01-29 | 北京一铭昌和科技发展有限公司 | Method for defending cross site scripting attacks |
CN103856471A (en) * | 2012-12-06 | 2014-06-11 | 阿里巴巴集团控股有限公司 | Cross-site scripting attack monitoring system and method |
CN103995782A (en) * | 2014-06-17 | 2014-08-20 | 电子科技大学 | Taint analyzing method based on taint invariable set |
CN104715195A (en) * | 2015-03-12 | 2015-06-17 | 广东电网有限责任公司信息中心 | Malicious code detecting system and method based on dynamic instrumentation |
CN106506548A (en) * | 2016-12-23 | 2017-03-15 | 努比亚技术有限公司 | The defence installation of cross-site scripting attack and method |
CN107657177A (en) * | 2017-09-30 | 2018-02-02 | 北京奇虎科技有限公司 | A kind of leak detection method and device |
CN107784065A (en) * | 2017-08-17 | 2018-03-09 | 平安壹钱包电子商务有限公司 | Business datum tracking, device, computer equipment and storage medium |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020252698A1 (en) * | 2019-06-19 | 2020-12-24 | 深圳开源互联网安全技术有限公司 | Data flow tracking method and system, storage medium, and server |
CN110381033A (en) * | 2019-06-24 | 2019-10-25 | 深圳开源互联网安全技术有限公司 | Web application hole detection method, apparatus, system, storage medium and server |
CN110381033B (en) * | 2019-06-24 | 2021-06-08 | 深圳开源互联网安全技术有限公司 | Web application vulnerability detection method, device, system, storage medium and server |
CN110929264A (en) * | 2019-11-21 | 2020-03-27 | 中国工商银行股份有限公司 | Vulnerability detection method and device, electronic equipment and readable storage medium |
CN110929264B (en) * | 2019-11-21 | 2022-08-30 | 中国工商银行股份有限公司 | Vulnerability detection method and device, electronic equipment and readable storage medium |
CN111859375A (en) * | 2020-07-20 | 2020-10-30 | 百度在线网络技术(北京)有限公司 | Vulnerability detection method and device, electronic equipment and storage medium |
CN111859375B (en) * | 2020-07-20 | 2023-08-29 | 百度在线网络技术(北京)有限公司 | Vulnerability detection method and device, electronic equipment and storage medium |
CN111949992A (en) * | 2020-08-17 | 2020-11-17 | 中国工商银行股份有限公司 | Automatic safety monitoring method and system for WEB application program |
CN111949992B (en) * | 2020-08-17 | 2023-09-29 | 中国工商银行股份有限公司 | Automatic safety monitoring method and system for WEB application program |
CN112866274B (en) * | 2021-02-01 | 2022-08-16 | 北京工业大学 | XSS vulnerability detection method based on cloud data |
CN112866274A (en) * | 2021-02-01 | 2021-05-28 | 北京工业大学 | XSS vulnerability detection method based on cloud data |
CN113761519A (en) * | 2021-08-19 | 2021-12-07 | 深圳开源互联网安全技术有限公司 | Detection method and device for Web application program and storage medium |
CN113761519B (en) * | 2021-08-19 | 2023-04-25 | 深圳开源互联网安全技术有限公司 | Method and device for detecting Web application program and storage medium |
CN114124448A (en) * | 2021-10-14 | 2022-03-01 | 北京墨云科技有限公司 | Cross-site scripting attack identification method based on machine learning |
CN114124448B (en) * | 2021-10-14 | 2024-03-19 | 北京墨云科技有限公司 | Cross-site script attack recognition method based on machine learning |
CN114968826B (en) * | 2022-07-28 | 2022-11-22 | 深圳开源互联网安全技术有限公司 | Application program bug fixing verification method and system |
CN114968826A (en) * | 2022-07-28 | 2022-08-30 | 深圳开源互联网安全技术有限公司 | Application program bug repair verification method and system |
CN116055218A (en) * | 2023-03-06 | 2023-05-02 | 深圳开源互联网安全技术有限公司 | User login request identification method and system for web application security detection |
CN116055218B (en) * | 2023-03-06 | 2023-06-23 | 深圳开源互联网安全技术有限公司 | User login request identification method and system for web application security detection |
Also Published As
Publication number | Publication date |
---|---|
CN109165507B (en) | 2021-02-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109165507A (en) | Cross-site scripting attack leak detection method, device and terminal device | |
US11818169B2 (en) | Detecting and mitigating attacks using forged authentication objects within a domain | |
CN104065651B (en) | A kind of information flow credible security method towards cloud computing | |
CN107003976A (en) | Based on active rule can be permitted determine that activity can be permitted | |
CN103581105B (en) | Login validation method and login authentication system | |
US20090187442A1 (en) | Feedback augmented object reputation service | |
Nithya et al. | A survey on detection and prevention of cross-site scripting attack | |
CN105791261B (en) | A kind of detection method and detection device of cross-site scripting attack | |
CN102073822A (en) | Method and system for preventing user information from leaking | |
CN108763071A (en) | A kind of webpage test method and terminal device | |
CN109861968A (en) | Resource access control method, device, computer equipment and storage medium | |
CN104899482A (en) | Batch request service restricting method and apparatus | |
Roy et al. | Generating phishing attacks using chatgpt | |
CN109547426A (en) | Service response method and server | |
CN106845248A (en) | A kind of XSS leak detection methods based on state transition graph | |
WO2019018829A1 (en) | Advanced cybersecurity threat mitigation using behavioral and deep analytics | |
US10310962B2 (en) | Infrastructure rule generation | |
CN105681344A (en) | Verification code recognition system and method | |
CN109446053A (en) | Test method, computer readable storage medium and the terminal of application program | |
CN112671605A (en) | Test method and device and electronic equipment | |
CN107392026A (en) | leak detection method and device | |
US20150066763A1 (en) | Method and apparatus for cross channel monitoring | |
CN111371811A (en) | Resource calling method, resource calling device, client and service server | |
CN103281296B (en) | The method and apparatus for handling encrypted message | |
CN106453418A (en) | Verification method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |