CN109450846A - Batch detection device and detection method for EL expression injection vulnerabilities - Google Patents

Batch detection device and detection method for EL expression injection vulnerabilities

Info

Publication number
CN109450846A
Authority
CN
China
Prior art keywords
expression
url
response
expression injection
file
Prior art date
Legal status
Pending
Application number
CN201811096606.4A
Other languages
Chinese (zh)
Inventor
王梓嫱
范渊
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201811096606.4A
Publication of CN109450846A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The present invention relates to a batch detection device and detection method for EL expression injection vulnerabilities. An acquisition unit collects a URL file; a first response is obtained from the server with a normal HTTP request; an HTTP request carrying an EL expression injection detection statement is sent and a second response is obtained from the server; the first and second responses are compared, and if the first response does not contain the execution result of the detection statement while the second response does, a vulnerability exists; the detection result is then output and saved. The invention meets the need for batch vulnerability detection, supports both collecting URLs that contain a keyword and manually importing a file of the URLs to be tested, and solves the problems of low efficiency, wasted time and high demands on security testers when testing for EL expression injection vulnerabilities; it improves detection coverage, greatly reduces manual time cost, simplifies the work of security testers and generates detection results automatically for convenient reference.

Description

Batch detection device and detection method for EL expression injection vulnerabilities
Technical field
The present invention relates to the technical field of devices for protecting computers, their components, programs or data against unauthorized behaviour, and in particular to a batch detection device and detection method for EL expression injection vulnerabilities that improves detection coverage and reduces manual time cost.
Background technique
EL (Expression Language) provides a way of simplifying expressions in JSP (Java Server Pages) and makes JSP simpler to write. In JSP, EL expressions are usually used in the presentation layer, in the tags that display data, and help manage the page's degree of coupling. Because EL is convenient and easy to use, other frameworks have borrowed and extended it; the two most common examples are OGNL (used by Struts) and SpEL (used by Spring).
Precisely because EL expressions are simple and easy to use, EL expression injection vulnerabilities have appeared alongside them. Such a vulnerability lets an attacker access sensitive information such as the web application's Application and Session objects and, in OGNL and SpEL, also execute system commands.
In the prior art, EL expression injection vulnerabilities are generally detected manually. This places relatively high demands on the skills and experience of the security test engineer, takes a great deal of time, carries a high time cost, gives incomplete coverage and is inefficient, so it cannot meet the demand for efficient batch detection of website environments.
Summary of the invention
The technical problem solved by the present invention is that, in the prior art, EL expression injection vulnerabilities are detected manually, which places relatively high demands on the skills and experience of the security test engineer, takes a great deal of time, carries a high time cost, gives incomplete coverage and is inefficient, and so cannot meet the demand for efficient batch detection of website environments. To that end, an optimized batch detection device and detection method for EL expression injection vulnerabilities is provided.
The technical scheme adopted by the invention is a batch detection method for EL expression injection vulnerabilities comprising the following steps:
Step 1: acquire a URL file;
Step 2: send an HTTP request based on the URL and obtain the first response from the server;
Step 3: send an HTTP request carrying an EL expression injection detection statement and obtain the second response from the server;
Step 4: compare the first response with the second response; if the first response does not contain the execution result of the EL expression injection detection statement and the second response does, an EL expression injection vulnerability is detected and marked; otherwise it is judged that there is no EL expression injection vulnerability;
Step 5: output the detection result and save it.
Preferably, in step 1 the acquired URLs comprise a URL file containing a keyword or a manually imported file of URLs to be tested.
Preferably, the URL file containing a keyword is obtained by entering a keyword, or manually importing a keyword file, and then using a search engine to collect URLs that contain the keyword.
Preferably, the manually imported file of URLs to be tested is obtained by manually entering the absolute path of the file.
Preferably, in step 2 the file containing at least one URL is read and an HTTP request is sent for each URL in the file.
Preferably, in step 3 the EL expression injection detection request is initiated by entering an EL expression injection detection statement manually or by loading a file containing multiple EL expression injection detection statements.
Preferably, in step 4 an EL expression injection vulnerability exists when the first response does not contain the execution result of the detection statement and the second response contains the execution result of the detection statement.
A detection device using the batch detection method for EL expression injection vulnerabilities, the detection device comprising:
an acquisition unit for collecting URLs that contain a keyword or for manually importing a file of URLs to be tested,
a normal request unit for sending a normal HTTP request and obtaining the first response from the server,
a payload request unit for sending an HTTP request carrying an EL expression injection detection statement and obtaining the second response from the server,
a comparing unit for comparing the first response of the normal request unit with the second response of the payload request unit and judging whether an EL expression injection vulnerability exists,
and an output unit for outputting and saving the detection result.
The present invention provides an optimized batch detection device and detection method for EL expression injection vulnerabilities. An acquisition unit collects a URL file; a first response is obtained from the server with a normal HTTP request; an HTTP request carrying an EL expression injection detection statement is sent and a second response is obtained from the server; the first and second responses are compared, and if the first response does not contain the execution result of the detection statement while the second response does, a vulnerability exists; the detection result is then output and saved. The invention meets the need for batch vulnerability detection, supports both collecting URLs that contain a keyword and manually importing a file of the URLs to be tested, and solves the problems of low efficiency, wasted time and high demands on security testers when testing for EL expression injection vulnerabilities; it improves detection coverage, greatly reduces manual time cost, simplifies the work of security testers and generates detection results automatically for convenient reference.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the detection device of the invention, in which the arrows indicate the direction in which responses and files are transmitted.
Specific embodiment
The present invention is described in further detail below with reference to an embodiment, but the scope of protection of the present invention is not limited to it.
The present invention relates to a batch detection method for EL expression injection vulnerabilities based on the Scrapy framework, which solves the problems of low efficiency, wasted time and high demands on security testers when testing for EL expression injection vulnerabilities.
The method comprises the following steps.
Step 1: acquire a URL file.
In step 1, the acquired URLs comprise a URL file containing a keyword or a manually imported file of URLs to be tested.
The URL file containing a keyword is obtained by entering a keyword, or manually importing a keyword file, and then using a search engine to collect URLs that contain the keyword.
The manually imported file of URLs to be tested is obtained by manually entering the absolute path of the file.
The present invention is based on the Scrapy framework, an application framework written for crawling website data and extracting structured data. With it the invention can access search engine sites, collect URLs by keyword and generate a URL dictionary; it can also access each URL to be tested, both with a normal request and with a request carrying an EL expression injection detection statement, obtain the server's responses, and judge from the difference between the responses whether an EL expression injection vulnerability exists.
In the present invention, URLs containing a keyword are collected with a search engine and a URL dictionary (urls.txt) is generated, so that multiple URLs sharing the same keyword can be tested in one batch.
The present invention also supports manually importing a file of multiple URLs to be tested, so that the URLs to be tested can be configured manually and flexibly.
Step 2: send an HTTP request based on the URL and obtain the first response from the server.
In step 2, the file containing at least one URL is read and an HTTP request is sent for each URL in the file.
In the present invention, the request sent in step 2 is a normal request.
Step 3: send an HTTP request carrying an EL expression injection detection statement and obtain the second response from the server.
In step 3, the EL expression injection detection request is initiated by entering an EL expression injection detection statement manually or by loading a file containing multiple EL expression injection detection statements.
In the present invention, the request sent in step 3 carries an EL expression injection detection statement; the detection statement is placed in a parameter of the request.
Step 4: compare the first response with the second response; if the first response does not contain the execution result of the EL expression injection detection statement and the second response does, an EL expression injection vulnerability is detected and marked; otherwise it is judged that there is no EL expression injection vulnerability.
Step 5: output the detection result and save it.
The invention further relates to a detection device using the batch detection method for EL expression injection vulnerabilities, the detection device comprising:
an acquisition unit for collecting URLs that contain a keyword or for manually importing a file of URLs to be tested,
a normal request unit for sending a normal HTTP request and obtaining the first response from the server,
a payload request unit for sending an HTTP request carrying an EL expression injection detection statement and obtaining the second response from the server,
a comparing unit for comparing the first response of the normal request unit with the second response of the payload request unit and judging whether an EL expression injection vulnerability exists,
and an output unit for outputting and saving the detection result.
In the present invention, combining the detection device and the detection method, the following embodiment is provided:
In this embodiment, the acquisition unit either collects URLs containing a keyword or imports a manually supplied file of the URLs to be tested.
In this embodiment, when the former option is chosen, the Scrapy framework is used to access search engine sites such as Baidu, Bing and Google and to collect URLs containing a keyword. Keywords that can be found in URLs include share, wap, url, link, src, source, target, u, 3g, display, sourceURL, imageURL and domain. The keyword is entered, or a keyword file is imported manually; once the keyword search is complete, the URLs matching the keyword are collected and a URL dictionary (urls.txt) is generated in which each line records one URL. The URL dictionary is read, and for each URL in it an HTTP request is sent and the server's response is obtained.
In this embodiment, when the latter option is chosen, a file of the URLs to be tested is imported manually: the absolute path of the file is entered, the program reads the file, and each URL in it is tested for the presence of an EL expression injection vulnerability.
In this embodiment, the normal request unit reads the file of one or more URLs collected by the acquisition unit and, for each URL, sends an HTTP request and obtains the server's response; this is the normal request.
In this embodiment, the request sent by the payload request unit is a request that carries the detection statement.
In this embodiment, if the second response is the execution result of the EL expression injection detection statement, an EL expression injection vulnerability is detected, the vulnerability is marked, and control passes to the output module for output.
In this embodiment, either an EL expression injection detection statement (payload) is entered manually or a file containing multiple EL expression injection detection statements (payloads.txt) is loaded; when the HTTP request is sent again, the request parameter carries the EL expression injection detection statement (payload), and the server's response is obtained.
In this embodiment, the server's first response to the normal request is compared with the server's second response to the request carrying the payload, and whether an EL expression injection vulnerability exists is judged from the payload used and the difference between the server's responses.
For example, if the payload is calc, that is, a computer command executed through the system command execution made possible by the vulnerability, and the server's second response shows a calculator interface, then an EL expression injection vulnerability is proven to exist; otherwise it is proven not to exist.
As another example, when the payload is "http://localhost/login.do?a=${whoami}", the purpose is to obtain the server's current user name; if the server's second response contains the current user name, an EL expression injection vulnerability is proven to exist; otherwise it is proven not to exist.
In this embodiment, further, to avoid a false positive caused by the web page itself containing the execution result of the EL expression injection detection statement, the response to the normal request must be compared with the response to the request carrying the payload: a vulnerability is judged to exist only when the response to the normal request does not contain the execution result of the detection statement and the response to the request carrying the payload does.
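The comparison rule just described (steps 2 to 4 together with the false-positive check) as an added Python illustration; this is not the patent's own code. The HTTP transport is replaced by a constructed in-memory stand-in so the example runs offline, and the endpoint URLs, the `Probe` and `Finding` types and the `labuser` account name are assumptions made for the example, while the `${whoami}` probe and the parameter name `a` come from the patent's own example. It goes one step beyond the text by also treating a detection statement that comes back verbatim as reflected rather than evaluated.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed URL dictionary in the urls.txt layout (one URL per line).
URLS_TXT = """
http://localhost/login.do
http://example.test/echo.do

http://example.test/profile.do
"""


@dataclass(frozen=True)
class Probe:
    name: str             # label for the detection statement
    payload: str          # detection statement placed in the request parameter
    expected_marker: str  # text its execution result would contain


@dataclass(frozen=True)
class Finding:
    url: str
    probe: str
    vulnerable: bool
    reason: str


Fetch = Callable[[str, Optional[str]], str]  # (url, query or None) -> body


def read_url_dictionary(text: str) -> List[str]:
    """Step 1 (manual import path): one URL per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def compare_responses(first: str, second: str, probe: Probe) -> Tuple[bool, str]:
    """Step 4 plus the false-positive rule from the embodiment.

    A vulnerability is reported only when the execution result is absent from
    the normal (first) response and present in the probe (second) response.
    """
    if probe.expected_marker in first:
        # The page already shows the marker on its own, so a hit in the second
        # response could not be attributed to the statement: do not report.
        return False, "marker already present in normal response; not reported"
    if probe.payload in second:
        # The statement came back verbatim: reflected as text, not evaluated.
        return False, "detection statement reflected unevaluated"
    if probe.expected_marker in second:
        return True, "execution result appears only in the probe response"
    return False, "execution result absent from both responses"


def detect_batch(urls: List[str], probes: List[Probe], fetch: Fetch,
                 param: str = "a") -> List[Finding]:
    """Steps 2 to 4 for every URL in the dictionary and every probe."""
    findings: List[Finding] = []
    for url in urls:
        first = fetch(url, None)                              # step 2
        for probe in probes:
            second = fetch(url, f"{param}={probe.payload}")   # step 3
            vulnerable, reason = compare_responses(first, second, probe)
            findings.append(Finding(url, probe.name, vulnerable, reason))
    return findings


def format_results(findings: List[Finding]) -> str:
    """Step 5: one line per result, as it would be written to the output file."""
    return "\n".join(f"{'VULN' if f.vulnerable else 'ok  '} {f.url} "
                     f"[{f.probe}] {f.reason}" for f in findings)


# ---- constructed stand-in for the servers so the example runs offline --------
LAB_USER = "labuser"  # constructed: account the test application runs as


def fake_fetch(url: str, query: Optional[str]) -> str:
    """Three constructed endpoints; nothing here touches the network."""
    value = query.split("=", 1)[1] if query else ""
    evaluated = value.replace("${whoami}", LAB_USER)  # what an evaluating page shows
    if url == "http://localhost/login.do":
        # Vulnerable: the parameter is evaluated as an EL expression.
        return f"<html>login page {evaluated}</html>"
    if url == "http://example.test/echo.do":
        # Safe: the parameter is reflected as literal text only.
        return f"<html>you entered: {value}</html>"
    if url == "http://example.test/profile.do":
        # Evaluates the parameter, but the footer already shows the user name,
        # so the rule above suppresses the report (a deliberate trade-off).
        return f"<html>{evaluated}<footer>signed in as {LAB_USER}</footer></html>"
    return "<html>404</html>"


PROBES = [Probe("whoami", "${whoami}", LAB_USER)]


def run_demo() -> List[Finding]:
    return detect_batch(read_url_dictionary(URLS_TXT), PROBES, fake_fetch)


if __name__ == "__main__":
    print(format_results(run_demo()))
```

The third endpoint shows the cost of the rule: a page that already displays the execution result is never reported, which the patent accepts in exchange for not mistaking page content for an execution result.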
In this embodiment, detection then ends, and the output unit outputs and saves the detection result.
In the present invention, an acquisition unit collects a URL file; a first response is obtained from the server with a normal HTTP request; an HTTP request carrying an EL expression injection detection statement is sent and a second response is obtained from the server; the first and second responses are compared, and if the first response does not contain the execution result of the detection statement while the second response does, a vulnerability exists; the detection result is then output and saved. The invention meets the need for batch vulnerability detection, supports both collecting URLs that contain a keyword and manually importing a file of the URLs to be tested, and solves the problems of low efficiency, wasted time and high demands on security testers when testing for EL expression injection vulnerabilities; it improves detection coverage, greatly reduces manual time cost, simplifies the work of security testers and generates detection results automatically for convenient reference.

Claims (8)

1. A batch detection method for EL expression injection vulnerabilities, characterised in that the method comprises the following steps:
Step 1: acquire a URL file;
Step 2: send an HTTP request based on the URL and obtain the first response from the server;
Step 3: send an HTTP request carrying an EL expression injection detection statement and obtain the second response from the server;
Step 4: compare the first response with the second response; if the first response does not contain the execution result of the EL expression injection detection statement and the second response does, an EL expression injection vulnerability is detected and marked; otherwise it is judged that there is no EL expression injection vulnerability;
Step 5: output the detection result and save it.
2. The batch detection method for EL expression injection vulnerabilities according to claim 1, characterised in that in step 1 the acquired URLs comprise a URL file containing a keyword or a manually imported file of URLs to be tested.
3. The batch detection method for EL expression injection vulnerabilities according to claim 2, characterised in that the URL file containing a keyword is obtained by entering a keyword, or manually importing a keyword file, and then using a search engine to collect URLs that contain the keyword.
4. The batch detection method for EL expression injection vulnerabilities according to claim 2, characterised in that the manually imported file of URLs to be tested is obtained by manually entering the absolute path of the file.
5. The batch detection method for EL expression injection vulnerabilities according to claim 1, characterised in that in step 2 the file containing at least one URL is read and an HTTP request is sent for each URL in the file.
6. The batch detection method for EL expression injection vulnerabilities according to claim 1, characterised in that in step 3 the EL expression injection detection request is initiated by entering an EL expression injection detection statement manually or by loading a file containing multiple EL expression injection detection statements.
7. The batch detection method for EL expression injection vulnerabilities according to claim 1, characterised in that in step 4 an EL expression injection vulnerability exists when the first response does not contain the execution result of the detection statement and the second response contains the execution result of the detection statement.
8. A detection device using the batch detection method for EL expression injection vulnerabilities according to any one of claims 1 to 7, characterised in that the detection device comprises:
an acquisition unit for collecting URLs that contain a keyword or for manually importing a file of URLs to be tested,
a normal request unit for sending a normal HTTP request and obtaining the first response from the server,
a payload request unit for sending an HTTP request carrying an EL expression injection detection statement and obtaining the second response from the server,
a comparing unit for comparing the first response of the normal request unit with the second response of the payload request unit and judging whether an EL expression injection vulnerability exists,
and an output unit for outputting and saving the detection result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811096606.4A CN109450846A (en) 2018-09-19 2018-09-19 Batch detection device and detection method for EL expression injection vulnerabilities

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811096606.4A CN109450846A (en) 2018-09-19 2018-09-19 Batch detection device and detection method for EL expression injection vulnerabilities

Publications (1)

Publication Number Publication Date
CN109450846A true CN109450846A (en) 2019-03-08

Family

ID=65533059

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811096606.4A Pending CN109450846A (en) 2018-09-19 2018-09-19 Batch detection device and detection method for EL expression injection vulnerabilities

Country Status (1)

Country Link
CN (1) CN109450846A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106407803A (en) * 2016-08-30 2017-02-15 北京奇虎科技有限公司 Detection method and device of SQL (Structured Query Language) injection vulnerabilities
US20170318045A1 (en) * 2016-04-27 2017-11-02 Sap Se End-to-End Taint Tracking for Detection and Mitigation of Injection Vulnerabilities in Web Applications
CN107590387A (en) * 2017-09-04 2018-01-16 杭州安恒信息技术有限公司 EL expression injection vulnerability detection method, device and electronic equipment
CN107846407A (en) * 2017-11-10 2018-03-27 郑州云海信息技术有限公司 Method and system for batch detection of SSRF vulnerabilities

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110968475A (en) * 2019-11-13 2020-04-07 泰康保险集团股份有限公司 Method and device for monitoring webpage, electronic equipment and readable storage medium
CN110995684A (en) * 2019-11-26 2020-04-10 西安四叶草信息技术有限公司 Vulnerability detection method and device
CN110995684B (en) * 2019-11-26 2022-06-28 西安四叶草信息技术有限公司 Vulnerability detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2019-03-08