CN109194670A - A kind of any file download leak detection method in website - Google Patents
A kind of any file download leak detection method in website Download PDFInfo
- Publication number
- CN109194670A CN109194670A CN201811096616.8A CN201811096616A CN109194670A CN 109194670 A CN109194670 A CN 109194670A CN 201811096616 A CN201811096616 A CN 201811096616A CN 109194670 A CN109194670 A CN 109194670A
- Authority
- CN
- China
- Prior art keywords
- download
- file
- request
- file download
- website
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The present invention relates to a kind of any file download leak detection methods in website, by obtaining request URL all in website, URL is carried out based on whether the filtering with download features, such as the output test result without if simultaneously terminates, and if any the parameter of then acquisition request URL, modifies parameter value by payload requester and retransmits request, it is detected, if the data returned include the feature of downloading file, there are any file download loopholes, generate the report of any file download Hole Detection.The present invention carries out Hole Detection in such a way that black box automates, solves the problems, such as the low efficiency of any file download loophole of traditional manual test and high to safety test personnel requirement, the coverage rate for improving detection is greatly reduced manual time's cost simultaneously, reduces technical staff's threshold of detection.
Description
Technical field
The present invention relates to the technical field of the transmission of digital information, such as telegraph communication, in particular to a kind of energy is automatic, fast
Any file download leak detection method in website that speed is completed.
Background technique
Continuous development Internet-based, expansion, even to this day, internet have become our work, study, life
In indispensable a part, and number of site may provide the function of Fileview or downloading due to business demand for user.
In fact, if the file that user is checked or is downloaded with no restrictions, arbitrary file can be checked or be downloaded to malicious user,
It can be source code file, sensitive document etc., this will cause the harm for being difficult to estimate.
In the prior art, the method for any file download loophole is detected mainly to download function present in web site traffic
The crawl of parameter is made requests, and verifying of modifying, whether test malicious user can be around the catalogue of downloading limitation, if
There are any file download loopholes.Although traditional manual testing process can detecte out any file download loophole, but need
More time cost is spent, and is easy to appear and covers infull situation, and to the Safety skill and warp of testing staff
Test require it is relatively high.
Summary of the invention
Present invention solves the technical problem that being in the prior art, any file download leakage to be carried out in a manner of manually-operated
The detection in hole, time cost is high, and detection accuracy is low, and the Safety skill and skill requirement to testing staff are high, the present invention provides
A kind of any file download leak detection method in the website of optimization simplifies safety test personnel by automatic detection and verifying
Operation, greatly promote detection efficiency and detection coverage rate.
The technical scheme adopted by the invention is that a kind of any file download leak detection method in website, the method packet
Include following steps:
Step 1: obtaining request URL all in website;
Step 2: all request URLs being filtered, the URL with download features is judged whether there is, if so, carrying out
In next step, otherwise, output test result terminates;
Step 3: the parameter of acquisition request URL modifies parameter value by payload requester and retransmits request, detected;
Step 4: whether the data that the detection of judgment step 3 returns include the feature for downloading file, if so, there are any texts
Part download flaw, if it is not, any file download loophole is then not present;
Step 5: the report of any file download Hole Detection is generated according to step 4.
Preferably, in the step 1, request URL all in website is obtained by crawler module.
Preferably, in the step 2, all request URLs are filtered by regular expression.
Preferably, in the step 2, when all request URLs all do not have download features, output test result is not deposit
In any file download loophole.
Preferably, in the step 3, the parameter of request URL includes file directory, filename, download path, lower published article
Part.
Preferably, in the step 3, parameter value is modified by payload requester and retransmits request, detection content includes being
It is no can download web container xml document, whether can by spcial character around access catalogue, whether can with download system sensitivity
File.
Preferably, in the step 4, whether the data returned by the detection of response analyzer judgment step 3 include downloading
The feature of file, when the response of response analyzer and the expection return value of payload requester to it is corresponding when then there is any text
Part download flaw.
Preferably, in the step 5, report includes URL, parameter and the testing result of request.
Preferably, the report further includes the test request data packet and response data packet of text formatting.
The present invention provides a kind of any file download leak detection methods in the website of optimization, own by obtaining in website
Request URL, URL is carried out based on whether passing through with the filterings of download features if any the parameter of then acquisition request URL
Payload requester modifies parameter value and retransmits request, is detected, if the data returned include the feature of downloading file, deposits
In any file download loophole, the report of any file download Hole Detection is generated.The present invention by black box automate in a manner of into
Row Hole Detection solves the low efficiency of any file download loophole of traditional manual test and to safety test personnel requirement height
The problem of, it improves the coverage rate of detection while being greatly reduced manual time's cost, reduce technical staff's threshold of detection.
Detailed description of the invention
Fig. 1 is flow chart of the invention.
Specific embodiment
The present invention is described in further detail below with reference to embodiment, but protection scope of the present invention is not limited to
This.
The present invention relates to a kind of any file download leak detection methods in website, the described method comprises the following steps.
Step 1: obtaining request URL all in website.
In the step 1, request URL all in website is obtained by crawler module.
In the present invention, all request URLs are generally crawled by crawler in website.
In the present invention, in order to which crawler there are more URL access authority, therefore generally logged in using cookie, it is also necessary to match
Close the technology of crawler camouflage browser and user behavior.
Step 2: all request URLs being filtered, the URL with download features is judged whether there is, if so, carrying out
In next step, otherwise, output test result terminates.
In the step 2, all request URLs are filtered by regular expression.
In the step 2, when all request URLs all do not have download features, output test result is that there is no any
File download loophole.
In the present invention, all request URLs are filtered by regular expression, match URL parameter and value, matching at
Function is then judged as file download URL link, such as judges with the presence or absence of download parameters feature in GET and POST request, if it exists then
It is judged as doubtful downloading URL.For example, http://xxx.com/downfile.php? file=test.txt, this GET
Parameter file in request there are in Parameter Dictionary, or the incoming path of judgement filename such as downfile whether in parameter
In dictionary, the feature for part of publishing papers if meeting one of them, in the presence of this URL request is labeled as, and under being judged as doubtful
Request is carried, the URL and parameter of this request are then passed to payload requester.
Step 3: the parameter of acquisition request URL modifies parameter value by payload requester and retransmits request, detected.
In the step 3, the parameter of request URL includes file directory, filename, download path, downloading file.
In the step 3, parameter value is modified by payload requester and retransmits request, detection content includes whether under energy
Carry web container xml document, whether can by spcial character around access catalogue, whether can be with download system sensitive document.
In the present invention, need to call download parameters library before the parameter of request URL, download parameters library is that a collection is common
Download the Parameter Dictionary of file, the including but not limited to parameters such as file, filename, down, path, filep, downfile
, it is convenient that download parameters are safeguarded.
In the present invention, also there is payload rule base in payload requester, and payload rule base is received in the form of dictionary
The web container xml document and system sensitive file parameters value for having collected common any file download Hole Detection are tied with expected
Fruit facilitates modifications and extensions.For example, required parameter value=../../../conf/web.xml, it is contemplated that backout feature=<?
Xml, rule ID=1.
In the present invention, spcial character includes " ../", and system sensitive file includes but is not limited to/etc file ,/passwd text
Part.
In the present invention, the required parameter that payload requester is used to send in payload rule base is used to verify whether can
Arbitrarily to download file, after receiving the URL and parameter request that url filtering device passes over, it is passed in the value of parameter
Parameter value in payload rule base, test of then being given out a contract for a project again.For example, the parameter value file in modification request
For http://xxx.com/downfile.php? file=./../../../../etc/passwd obtains new URL, then
Retransmit request.
Step 4: whether the data that the detection of judgment step 3 returns include the feature for downloading file, if so, there are any texts
Part download flaw, if it is not, any file download loophole is then not present.
In the step 4, whether the data returned by the detection of response analyzer judgment step 3 include the spy for downloading file
Sign, when the response of response analyzer and the expection return value of payload requester to it is corresponding when then there is any file download leakage
Hole.
In the present invention, response analyzer for analyzing the response returned in payload requester, verifying file whether by
Function downloading, wherein payload requester and response analyzer are corresponding relationships, respectively correspond the request ginseng of payload rule base
Numerical value and expected return value.For example, required parameter value be ../../../conf/web.xml, it is contemplated that backout feature be <?
Xml, exactly scans for the response of return to judge whether there is feature, is then judged as downloads successfully if it exists, there is no then
It is judged as failed download.
Step 5: the report of any file download Hole Detection is generated according to step 4.
In the step 5, report includes URL, parameter and the testing result of request.
The report further includes the test request data packet and response data packet of text formatting.
In the present invention, test request data packet and response data packet are output to word.
The present invention carries out URL by obtaining request URL all in website based on whether the mistake with download features
Filter modifies parameter value by payload requester and retransmits request, detected, if returning if any the parameter of then acquisition request URL
The data returned include the feature of downloading file, then there is any file download loophole, generate any file download Hole Detection
Report.The present invention carries out Hole Detection in such a way that black box automates, and solves any file download leakage of traditional manual test
The low efficiency in hole and the problem high to safety test personnel requirement, improve the coverage rate of detection while being greatly reduced manual time
Cost reduces technical staff's threshold of detection.
Claims (9)
1. a kind of any file download leak detection method in website, it is characterised in that: the described method comprises the following steps:
Step 1: obtaining request URL all in website;
Step 2: all request URLs being filtered, the URL with download features is judged whether there is, if so, carrying out next
Step, otherwise, output test result terminates;
Step 3: the parameter of acquisition request URL modifies parameter value by payload requester and retransmits request, detected;
Step 4: whether the data that the detection of judgment step 3 returns include the feature for downloading file, if so, there are under any file
Carrier leak hole, if it is not, any file download loophole is then not present;
Step 5: the report of any file download Hole Detection is generated according to step 4.
2. any file download leak detection method in a kind of website according to claim 1, it is characterised in that: the step
In 1, request URL all in website is obtained by crawler module.
3. any file download leak detection method in a kind of website according to claim 1, it is characterised in that: the step
In 2, all request URLs are filtered by regular expression.
4. any file download leak detection method in a kind of website according to claim 3, it is characterised in that: the step
In 2, when all request URLs all do not have download features, output test result is that there is no any file download loopholes.
5. any file download leak detection method in a kind of website according to claim 1, it is characterised in that: the step
In 3, the parameter of request URL includes file directory, filename, download path, downloading file.
6. any file download leak detection method in a kind of website according to claim 5, it is characterised in that: the step
In 3, parameter value is modified by payload requester and retransmits request, detection content include whether to download web container xml document,
Whether can by spcial character around access catalogue, whether can be with download system sensitive document.
7. any file download leak detection method in a kind of website according to claim 1, it is characterised in that: the step
In 4, whether the data returned by the detection of response analyzer judgment step 3 include the feature for downloading file, work as response analyzer
Response and the expection return value of payload requester to it is corresponding when then there is any file download loophole.
8. any file download leak detection method in a kind of website according to claim 1, it is characterised in that: the step
In 5, report includes URL, parameter and the testing result of request.
9. any file download leak detection method in a kind of website according to claim 8, it is characterised in that: the report
It further include the test request data packet and response data packet of text formatting.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811096616.8A CN109194670A (en) | 2018-09-19 | 2018-09-19 | A kind of any file download leak detection method in website |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811096616.8A CN109194670A (en) | 2018-09-19 | 2018-09-19 | A kind of any file download leak detection method in website |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109194670A true CN109194670A (en) | 2019-01-11 |
Family
ID=64908778
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811096616.8A Pending CN109194670A (en) | 2018-09-19 | 2018-09-19 | A kind of any file download leak detection method in website |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109194670A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111191244A (en) * | 2019-12-11 | 2020-05-22 | 杭州孝道科技有限公司 | Vulnerability repairing method |
CN111818008A (en) * | 2020-05-21 | 2020-10-23 | 云南电网有限责任公司信息中心 | Network data safety exchange method based on Webservice |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102843270A (en) * | 2011-09-02 | 2012-12-26 | 哈尔滨安天科技股份有限公司 | Suspicious URL (uniform resource locator) detection method and device based on correlation of URL and local file |
CN104363251A (en) * | 2014-12-12 | 2015-02-18 | 北京奇虎科技有限公司 | Website security detecting method and device |
CN105430002A (en) * | 2015-12-18 | 2016-03-23 | 北京奇虎科技有限公司 | Vulnerability detection method and device |
CN106302337A (en) * | 2015-05-22 | 2017-01-04 | 腾讯科技(深圳)有限公司 | leak detection method and device |
-
2018
- 2018-09-19 CN CN201811096616.8A patent/CN109194670A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102843270A (en) * | 2011-09-02 | 2012-12-26 | 哈尔滨安天科技股份有限公司 | Suspicious URL (uniform resource locator) detection method and device based on correlation of URL and local file |
CN104363251A (en) * | 2014-12-12 | 2015-02-18 | 北京奇虎科技有限公司 | Website security detecting method and device |
CN106302337A (en) * | 2015-05-22 | 2017-01-04 | 腾讯科技(深圳)有限公司 | leak detection method and device |
CN105430002A (en) * | 2015-12-18 | 2016-03-23 | 北京奇虎科技有限公司 | Vulnerability detection method and device |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111191244A (en) * | 2019-12-11 | 2020-05-22 | 杭州孝道科技有限公司 | Vulnerability repairing method |
CN111818008A (en) * | 2020-05-21 | 2020-10-23 | 云南电网有限责任公司信息中心 | Network data safety exchange method based on Webservice |
CN111818008B (en) * | 2020-05-21 | 2022-11-11 | 云南电网有限责任公司信息中心 | Network data safety exchange method based on Webservice |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Gupta et al. | PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications | |
CN103888490B (en) | A kind of man-machine knowledge method for distinguishing of full automatic WEB client side | |
KR101001132B1 (en) | Method and System for Determining Vulnerability of Web Application | |
CN103023710B (en) | A kind of safety test system and method | |
CN105068925B (en) | Software safety defect finds system | |
CN101340434B (en) | Malicious content detection and verification method and system for network station | |
CN101964025B (en) | XSS detection method and equipment | |
CN104144142B (en) | A kind of Web bug excavation methods and system | |
CN104601573B (en) | A kind of Android platform URL accesses result verification method and device | |
CN104580230B (en) | Verification method and device are attacked in website | |
CN104980309A (en) | Website security detecting method and device | |
CN108696481A (en) | leak detection method and device | |
CN110460612A (en) | Safety detecting method, equipment, storage medium and device | |
CN104765682B (en) | Detection method and system under the line of cross site scripting leak | |
CN108667770A (en) | A kind of loophole test method, server and the system of website | |
CN103647678A (en) | Method and device for online verification of website vulnerabilities | |
CN109729044A (en) | A kind of general internet data acquisition is counter to climb system and method | |
CN105260469B (en) | A kind of method, apparatus and equipment for handling site maps | |
CN114244564B (en) | Attack defense method, device, equipment and readable storage medium | |
CN102855418A (en) | Method for discovering Web intranet agent bugs | |
CN109194670A (en) | A kind of any file download leak detection method in website | |
CN105447700A (en) | Payment security detection method and device | |
CN105117340B (en) | URL detection methods and device for iOS browser application quality evaluations | |
US20160127409A1 (en) | Web service testing | |
CN106411906A (en) | SQL (Structured Query Language) injection flaw positioning and detecting method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190111 |
|
RJ01 | Rejection of invention patent application after publication |