CN110196813B - Interface test method, device, equipment and medium - Google Patents

Publication number: CN110196813B
Authority: CN (China)
Prior art keywords: request, interface, data, original, mutation
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910493416.4A
Other languages: Chinese (zh)
Other versions: CN110196813A
Inventors: 罗亚东, 郭方园, 晋小玲, 宋静
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd; priority application CN201910493416.4A; published as CN110196813A and granted as CN110196813B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3668 Software testing
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the invention discloses an interface testing method, device, equipment and medium, and relates to the technical field of testing. The method comprises the following steps: analyzing an access request of an interface to be tested to obtain an original parameter value of a request parameter in the access request; performing mutation on the original parameter value, and replacing the original parameter value by using a mutation parameter value generated by mutation to generate a mutation request; and testing the interface to be tested by using the generated mutation request. The embodiment of the invention provides an interface test method, device, equipment and medium, which realize the automatic construction of interface test data and utilize the constructed test data to carry out targeted test on an interface.

Description

Interface test method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of testing, in particular to an interface testing method, device, equipment and medium.
Background
Fuzz testing (fuzzing) is a software testing technique. Its core idea is to feed automatically or semi-automatically generated random data into a program and monitor whether the program behaves abnormally, for example by crashing or failing an assertion, so as to find possible program errors such as memory leaks. Fuzz testing is commonly used to detect security vulnerabilities in software or computer systems.
There are many kinds of fuzzing; one of them is fuzzing of network interfaces, and most of the interfaces exposed to users are http interfaces.
Fuzz testing of http interfaces is currently done in the following ways:
(1) Abnormal data is constructed manually. Specifically, according to the data types of the http interface, data is mutated by hand, for example by adding special characters, lengthening the data, changing letters into numbers, and so on.
(2) Http interface data is generated automatically from data crawled from the Internet. Specifically, crawler technology is used to collect data, which is then sent to the interface at random.
However, the above schemes have the following drawbacks:
Scheme (1) can be classified as gray-box testing: because some unusual data can be generated deliberately according to the implementation on the interface side, the quality of the data is higher and the effect is better. But this scheme constructs data purely by hand, and the labor cost is high.
Scheme (2) greatly reduces labor cost and can produce a wide variety of unusual data. But because the data is generated randomly, the scheme is not very targeted.
Disclosure of Invention
The embodiment of the invention provides an interface test method, device, equipment and medium, which are used for realizing automatic construction of interface test data and carrying out targeted test on an interface by utilizing the constructed test data.
In a first aspect, an embodiment of the present invention provides an interface testing method, where the method includes:
analyzing an access request of an interface to be tested to obtain an original parameter value of a request parameter in the access request;
performing mutation on the original parameter value, and replacing the original parameter value by using a mutation parameter value generated by mutation to generate a mutation request;
and testing the interface to be tested by using the generated mutation request.
In a second aspect, an embodiment of the present invention further provides an interface testing apparatus, where the apparatus includes:
the parameter analysis module is used for analyzing the access request of the interface to be tested to obtain the original parameter value of the request parameter in the access request;
the parameter value mutation module is used for mutating the original parameter value, and replacing the original parameter value by using a mutation parameter value generated by mutation to generate a mutation request;
and the testing module is used for testing the interface to be tested by using the generated mutation request.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the interface testing method according to any of the embodiments of the present invention.
In a fourth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements an interface testing method according to any of the embodiments of the present invention.
According to the embodiment of the invention, the original parameter value of the request parameter is obtained by analyzing the access request of the interface to be tested; the original parameter value obtained by analysis is then mutated, so that test data is constructed automatically. Because the embodiment only mutates the original parameter values of the request parameters and otherwise keeps the data format of the access request, the generated mutation request can be received and parsed by the interface to be tested; that is, the generated mutation request is directed at the interface to be tested. Therefore, the embodiment of the invention can realize targeted testing of the interface.
In addition, for a user, the embodiment of the invention only needs the interface to be tested and an access request of that interface in order to test it, so the embodiment has the advantages of efficiency and usability, saves the labor cost of constructing test data, and makes it convenient to introduce interface fuzz testing into the conventional test flow, rather than merely testing the interface with artificially constructed test data.
Drawings
Fig. 1 is a flowchart of an interface testing method according to a first embodiment of the present invention;
fig. 2 is a flowchart of an interface testing method according to a second embodiment of the present invention;
fig. 3 is a flowchart of an interface testing method according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an interface testing device according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of a device according to a fifth embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
In the process of realizing the invention, the inventors found that the scheme of automatically generating http interface data from data crawled from the Internet has the following defect: for json-based interfaces, it is difficult to discover the vulnerabilities that exist in the interface program.
Fuzz testing schemes for http interfaces further include the fuzzing tool Sulley, which fuzzes specific fields of an http interface in a programming mode.
With this scheme of fuzzing specific fields of the http interface in programming mode, all fields of the network interface can be fuzzed, and the test data set is of high quality and good effect. However, the scheme has a high cost of use: the user must not only install the tool but also write code for it, so it is not very convenient to use.
Example 1
Fig. 1 is a flowchart of an interface testing method according to an embodiment of the present invention. The embodiment can be applied to the case of testing the interface. Typically, this embodiment may be applied to the case of testing json-based http interfaces. The method may be performed by an interface testing device, which may be implemented in software and/or hardware. Referring to fig. 1, the interface testing method provided in this embodiment includes:
S110, analyzing an access request of the interface to be tested to obtain an original parameter value of a request parameter in the access request.
The interface to be tested is an interface which needs to be tested by an interface program. Typically, the interface may be an http interface, or may be an interface based on a set data format.
The access request is a request for accessing the interface to be tested, that is, the interface to be tested can analyze and respond to the access request. In other words, the access request is a correct input request for the interface to be tested.
Different interfaces may have access requests in different formats.
The original parameter value is the value of the request parameter obtained by analysis.
For example, the request parameter is name, and the original parameter value of the request parameter is Zhang San; the request parameter is age, and the original parameter value of the request parameter is 18.
Specifically, analyzing an access request of an interface to be tested to obtain an original parameter value of a request parameter in the access request, including:
analyzing a request body of the access request from the access request of the interface to be tested;
the original parameter values of the request parameters are parsed from the request body.
S120, mutating the original parameter value, and replacing the original parameter value by using the mutated parameter value generated by mutation to generate a mutated request.
Specifically, the mutating the original parameter value includes:
performing data structure and/or data type variation on the original parameter values;
the data structure comprises at least one of an array, a character string, a dictionary, and a tuple;
the data type includes at least one of a long string, binary, hexadecimal, integer, boolean, empty string, random string, and special injection string.
The special injection string comprises at least one of: a character string for XML (extensible markup language) injection, a character string for HTML (hypertext markup language) injection, a character string for XSS (cross-site scripting) injection, and a character string for an LFI (local file inclusion) attack.
For example, the request parameter is age, and the original parameter value of the request parameter is 18. Binary mutation was performed on 18, yielding a mutation parameter value of 10010. The parameter value for the age of the request parameter in the mutation request is 10010.
S130, testing the interface to be tested by using the generated mutation request.
Specifically, the testing the interface to be tested by using the generated mutation request includes:
inputting the mutation request into the interface to be tested;
and determining whether the interface to be tested fails according to the response result of the interface to be tested to the mutation request.
In order to repair the interface to be tested, after the generated mutation request is used for testing the interface to be tested, the method further includes:
counting, among the mutation requests, those that cause the interface to be tested to fail, and repairing the interface to be tested according to the statistical result.
According to the technical scheme, the original parameter value of the request parameter is obtained by analyzing the access request of the interface to be tested; the original parameter value obtained by analysis is then mutated, so that test data is constructed automatically. Because the embodiment only mutates the original parameter values of the request parameters and otherwise keeps the data format of the access request, the generated mutation request can be received and parsed by the interface to be tested; that is, the generated mutation request is directed at the interface to be tested. Therefore, the embodiment of the invention can realize targeted testing of the interface.
In addition, for the user, the embodiment of the invention only needs the interface to be tested and an access request of that interface in order to test it, so the embodiment has the advantages of effectiveness and usability, and the labor cost of constructing test data is saved. Thus it is also convenient to introduce interface fuzz testing into the conventional test flow, rather than merely testing the interface with artificially constructed test data.
Example two
Fig. 2 is a flowchart of an interface testing method according to a second embodiment of the present invention. This embodiment is an alternative to the embodiments described above. Referring to fig. 2, the interface testing method provided in this embodiment includes:
S210, if the access request comprises at least two layers of data structures nested based on a set data format, analyzing the at least two layers of data structures based on the data structures of the set data format to obtain an original parameter value of a request parameter in the access request.
The set data format may be any data format. Typically, the data format is set to json.
json has the data structure { key1: value1, key2: value2 }.
Taking json as the set data format, at least two layers of data structures nested in the set data format may be, specifically: { key1: { key3: value3 }, key2: value2 }. That is, the original parameter value of key1 is itself in json format.
Illustratively, the at least two layer data structure based on json nesting is:
{
"method":"update",
"params":[0,10,"{\"del_flag\":\"1\",\"@ts\":\"14756780\"}"]
}
where {\"del_flag\":\"1\",\"@ts\":\"14756780\"} is nested json data.
Continuing with { key1: { key3: value3 }, key2: value2 } as the example, the at least two layers of data structures are parsed according to the data structure of the set data format, and the original parameter values of the request parameters in the access request obtained in this way are value3 and value2.
Specifically, if the access request includes at least two data structures nested based on a set data format, parsing the at least two data structures based on the data structures of the set data format includes:
if the data format of the request body in the access request of the interface to be tested is a set data format, analyzing the request body based on the data structure of the set data format to obtain the original data of the request parameters in the request body;
if the data format of the original data is the set data format, continuing to analyze the original data until the data structure nested based on the set data format in the original data is completely analyzed.
The original data is data representing an original parameter value of the request parameter obtained through analysis.
If the original data is not in the set data format, or the original data is a specific value, the original data is taken as the original parameter value of the request parameter.
S220, mutating the original parameter value, and replacing the original parameter value by using the mutated parameter value generated by mutation to generate a mutated request.
S230, testing the interface to be tested by using the generated mutation request.
According to the technical scheme, the original parameter value of the request parameter is obtained by analyzing the original data in the nested set data format; mutating the original parameter value to generate a mutated parameter value; and testing the interface to be tested by using the variation parameter value, thereby realizing the deep test of the interface code logic.
Example III
Fig. 3 is a flowchart of an interface testing method according to a third embodiment of the present invention. The embodiment is an alternative scheme provided by taking the setting data format as json and taking the http interface based on the json data format as an example on the basis of the embodiment. Referring to fig. 3, the interface testing method provided in this embodiment includes:
S310, acquiring an access request template of an interface to be tested, wherein the data format of a request body in the access request template is json.
The access request template is an access request which can be analyzed and responded by the interface to be tested.
The access request template can be set manually or obtained from other ends accessing the interface to be tested.
S320, analyzing a request body in the access request template based on the json data structure to obtain at least one key value pair representing the request parameter.
And S330, if the data format of the value in the key value pair is still json, continuing to analyze the value with the json data format until the original parameter value of the request parameter is obtained.
S340, carrying out data structure and data type mutation on the original parameter values obtained through analysis to generate mutation parameter values.
S350, replacing the original parameter value with the variation parameter value to generate a variation request.
S360, inputting the mutation request into the interface to be tested, judging from the return value of the interface to be tested whether the service of the interface is still alive, and if not, recording the mutation request.
S370, counting the recorded mutation requests and feeding the statistical result back to the user, who analyzes the recorded mutation requests (i.e. the bad cases) to find and repair vulnerabilities in the interface program.
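As an added worked example (not code from the patent or from Baidu), the following Python script carries out the flow of steps S310 to S370 on a request body shaped like the nested-json example of Example two: it parses the body recursively, treating a string value that is itself json as a further layer, mutates each original parameter value, re-serialises the mutation request with the same nesting, and records the bad cases. The sample body, the mutation list and the stand-in demo_interface are constructed assumptions, and the injection strings listed in the description are deliberately left out.

```python
import json
from typing import Any, Callable, List, Tuple

# Constructed sample request body, shaped like the one in the description:
# the third "params" element is a string that itself holds JSON.
SAMPLE_BODY = r'{"method":"update","params":[0,10,"{\"del_flag\":\"1\",\"@ts\":\"14756780\"}"]}'

# Path element meaning "decode this string as JSON and descend into it".
EMBEDDED = object()
Path = Tuple[Any, ...]


def _as_json(s: str) -> Any:
    """Decode s if it is a JSON object or array, otherwise return None."""
    s = s.strip()
    if not s.startswith(("{", "[")):
        return None
    try:
        return json.loads(s)
    except ValueError:
        return None


def find_leaves(node: Any, path: Path = ()) -> List[Tuple[Path, Any]]:
    """S320/S330: walk the decoded body; a string that is itself JSON is
    decoded again (EMBEDDED in the path) until original values are reached."""
    if isinstance(node, dict):
        return [leaf for k, v in node.items() for leaf in find_leaves(v, path + (k,))]
    if isinstance(node, list):
        return [leaf for i, v in enumerate(node) for leaf in find_leaves(v, path + (i,))]
    if isinstance(node, str) and (inner := _as_json(node)) is not None:
        return find_leaves(inner, path + (EMBEDDED,))
    return [(path, node)]


def parse_request(body: str) -> List[Tuple[Path, Any]]:
    """S310-S330 applied to a raw request body: (path, original value) pairs."""
    return find_leaves(json.loads(body))


def replace_at(node: Any, path: Path, new_value: Any) -> Any:
    """Copy of node with the leaf at path replaced; an embedded JSON string is
    re-serialised so the mutation request keeps the original encoding."""
    if not path:
        return new_value
    head, rest = path[0], path[1:]
    if head is EMBEDDED:
        return json.dumps(replace_at(json.loads(node), rest, new_value), separators=(",", ":"))
    copy = dict(node) if isinstance(node, dict) else list(node)
    copy[head] = replace_at(node[head], rest, new_value)
    return copy


def mutations(value: Any) -> List[Any]:
    """S340: data-type and data-structure mutations of one original value
    (a constructed subset of the types listed in the description)."""
    muts: List[Any] = ["", "A" * 4096, True, None, [value], {"k": value}]
    if isinstance(value, int) and not isinstance(value, bool):
        muts += [bin(value)[2:], hex(value), -value, 2 ** 63]  # 18 -> "10010"
    elif isinstance(value, str):
        muts += [value * 100, "0", "\x00"]
        if value.isdigit():
            muts.append(int(value))
    return muts


def mutation_requests(body: str) -> List[Tuple[Path, Any, str]]:
    """S350: one mutation request (path, mutation, body) per leaf and mutation."""
    root = json.loads(body)
    return [
        (path, m, json.dumps(replace_at(root, path, m), separators=(",", ":")))
        for path, original in find_leaves(root)
        for m in mutations(original)
    ]


def fuzz(body: str, interface: Callable[[str], int]) -> List[Tuple[Path, Any, str]]:
    """S360/S370: send every mutation request to the interface (a callable that
    returns an HTTP-like status, or raises if the service falls over) and
    record the bad cases for later analysis."""
    bad = []
    for path, m, req in mutation_requests(body):
        try:
            alive = interface(req) < 500
        except Exception:  # the service itself went down on this input
            alive = False
        if not alive:
            bad.append((path, m, req))
    return bad


def demo_interface(req: str) -> int:
    """Constructed stand-in for an interface under test: it assumes "@ts" in the
    embedded JSON is a numeric string and fails otherwise, the 'missing
    exception handling' class of finding described in the text."""
    inner = json.loads(json.loads(req)["params"][2])
    int(inner["@ts"])  # ValueError/TypeError on "", None, list, dict, ...
    return 200


if __name__ == "__main__":
    for path, m, _ in fuzz(SAMPLE_BODY, demo_interface):
        print("bad case at", path, "mutation", repr(m)[:40])
```

Against a real interface, `interface` would be a function that POSTs the body and returns the HTTP status; every bad case carries the path of the mutated parameter, which is the information the user needs in S370 to locate the missing handling.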
The technical scheme of the embodiment of the invention can effectively discover vulnerabilities in the interface program, and has the advantages of effectiveness and usability. For a user, the embodiment only needs the interface to be tested and a correct access request in order to test the interface, which reduces the cost of fuzz testing, improves its efficiency, and at the same time makes it convenient to introduce automatic interface fuzz testing into the conventional test flow.
In practical application, fuzz tests were performed on 20 json-based http interfaces using the technical scheme of this embodiment, and 7 of them could be brought down by a core dump. The vulnerabilities found can be summarized into three types:
First, the interface lacks an exception handling mechanism, for example it does not specially process data of certain data types, which brings the service down.
Second, memory leaks. Because the volume of abnormal test data is large and abnormal data is continuously fed to the interface to be tested, the memory of the service keeps growing until the service goes down.
Third, abnormal data is not escaped. A special character string is input to the interface to be tested, which directly corrupts the configuration file and brings the service down.
It should be noted that, after the technical teaching of the present embodiment, a person skilled in the art is motivated to combine schemes of any implementation manner described in the foregoing embodiment, so as to implement automatic construction of interface test data, and perform targeted test on the interface by using the constructed test data.
Example IV
Fig. 4 is a schematic structural diagram of an interface testing device according to a fourth embodiment of the present invention. Referring to fig. 4, the interface testing apparatus provided in this embodiment includes: a parameter analysis module 10, a parameter value mutation module 20 and a test module 30.
The parameter analysis module 10 is configured to analyze an access request of an interface to be tested, and obtain an original parameter value of a request parameter in the access request;
a parameter value mutation module 20, configured to mutate the original parameter value, replace the original parameter value with a mutation parameter value generated by mutation, and generate a mutation request;
and the testing module 30 is configured to test the interface to be tested by using the generated mutation request.
According to the technical scheme, the original parameter value of the request parameter is obtained by analyzing the access request of the interface to be tested; the original parameter value obtained by analysis is then mutated, so that test data is constructed automatically. Because the embodiment only mutates the original parameter values of the request parameters and otherwise keeps the data format of the access request, the generated mutation request can be received and parsed by the interface to be tested; that is, the generated mutation request is directed at the interface to be tested. Therefore, the embodiment of the invention can realize targeted testing of the interface.
In addition, for the user, the embodiment of the invention only needs the interface to be tested and an access request of that interface in order to test it, so the embodiment has the advantages of effectiveness and usability, and the labor cost of constructing test data is saved. Thus it is also convenient to introduce interface fuzz testing into the conventional test flow, rather than merely testing the interface with artificially constructed test data.
Further, the parameter analysis module includes a parameter analysis unit.
And the parameter analysis unit is used for analyzing the at least two layers of data structures based on the data structures of the set data format if the access request comprises the at least two layers of data structures nested based on the set data format, so as to obtain the original parameter value of the request parameter in the access request.
Further, the parameter analyzing unit is specifically configured to:
if the data format of the request body in the access request of the interface to be tested is a set data format, analyzing the request body based on the data structure of the set data format to obtain the original data of the request parameters in the request body;
if the data format of the original data is the set data format, continuing to analyze the original data until the data structure nested based on the set data format in the original data is completely analyzed.
Further, the parameter value mutation module includes a parameter value mutation unit.
The parameter value mutation unit is used for carrying out data structure and/or data type mutation on the original parameter value;
the data structure comprises at least one of an array, a character string, a dictionary, and a tuple;
the data type includes at least one of a long string, binary, hexadecimal, integer, boolean, empty string, random string, and special injection string.
Further, the test module includes: a request input unit and a failure determination unit.
The request input unit is used for inputting the mutation request into the interface to be tested;
and the fault determining unit is used for determining whether the interface to be tested is faulty or not according to the response result of the interface to be tested to the mutation request.
Further, the apparatus also includes a result statistics module.
And the result statistics module is used for counting the mutation requests which cause the faults of the interfaces to be tested in the mutation requests after the generated mutation requests are used for testing the interfaces to be tested, and repairing the interfaces to be tested according to the statistical results.
The interface testing device provided by the embodiment of the invention can execute the interface testing method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 5 is a schematic structural diagram of a device according to a fifth embodiment of the present invention. Fig. 5 shows a block diagram of an exemplary device 12 suitable for use in implementing embodiments of the present invention. The device 12 shown in fig. 5 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 5, device 12 is in the form of a general purpose computing device. Components of device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, micro channel architecture (MAC) bus, enhanced ISA bus, video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Device 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. Device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, commonly referred to as a "hard disk drive"). Although not shown in fig. 5, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the embodiments described herein.
Device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with device 12, and/or any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, device 12 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, via network adapter 20. As shown, network adapter 20 communicates with other modules of device 12 over bus 18. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with device 12, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example, to implement the interface test method provided by the embodiment of the present invention.
Example six
The sixth embodiment of the present invention further provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the interface testing method according to any one of the embodiments of the present invention, the method comprising:
analyzing an access request of an interface to be tested to obtain an original parameter value of a request parameter in the access request;
performing mutation on the original parameter value, and replacing the original parameter value by using a mutation parameter value generated by mutation to generate a mutation request;
and testing the interface to be tested by using the generated mutation request.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (8)

1. An interface testing method, comprising:
if the data format of a request body in an access request of an interface to be tested is a set data format, analyzing the request body based on a data structure of the set data format to obtain original data of request parameters in the request body;
if the data format of the original data is the set data format, continuing to analyze the original data until the data structure nested based on the set data format in the original data is completely analyzed, so as to obtain an original parameter value of the request parameter in the access request;
if the data format of the original data is not the set data format, taking the original data as an original parameter value of a request parameter;
wherein the original data is data representing an original parameter value of a request parameter obtained through analysis;
performing mutation on the original parameter value, and replacing the original parameter value by using a mutation parameter value generated by mutation to generate a mutation request;
and testing the interface to be tested by using the generated mutation request.
2. The method of claim 1, wherein mutating the original parameter value comprises:
performing data structure and/or data type variation on the original parameter values;
the data structure comprises at least one of an array, a character string, a dictionary, and a tuple;
the data type includes at least one of a long string, binary, hexadecimal, integer, boolean, empty string, random string, and special injection string.
3. The method of claim 1, wherein the testing the interface to be tested with the generated mutation request comprises:
inputting the mutation request into the interface to be tested;
and determining whether the interface to be tested fails according to the response result of the interface to be tested to the mutation request.
4. The method of claim 1, wherein after testing the interface under test with the generated mutation request, the method further comprises:
and counting, among the mutation requests, those mutation requests that cause a fault in the interface to be tested, and repairing the interface to be tested according to the counting result.
5. An interface testing apparatus, comprising:
the parameter analysis module is used for analyzing the access request of the interface to be tested to obtain the original parameter value of the request parameter in the access request;
the parameter value mutation module is used for mutating the original parameter value, and replacing the original parameter value by using a mutation parameter value generated by mutation to generate a mutation request;
the testing module is used for testing the interface to be tested by using the generated mutation request;
wherein the parameter analysis module comprises a parameter analysis unit configured to: if the data format of the request body in the access request of the interface to be tested is a set data format, analyze the request body based on the data structure of the set data format to obtain the original data of the request parameter in the request body;
if the data format of the original data is the set data format, continuing to analyze the original data until the data structure nested based on the set data format in the original data is completely analyzed;
if the data format of the original data is not the set data format, taking the original data as an original parameter value of a request parameter;
the original data is data representing an original parameter value of the request parameter obtained through analysis.
6. The apparatus of claim 5, wherein the parameter value mutation module comprises:
a parameter value mutation unit, configured to perform a data structure and/or a data type mutation on the original parameter value;
the data structure comprises at least one of an array, a character string, a dictionary, and a tuple;
the data type includes at least one of a long string, binary, hexadecimal, integer, boolean, empty string, random string, and special injection string.
7. An electronic device, the device comprising:
one or more processors;
storage means for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the interface testing method of any of claims 1-4.
8. A computer readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the interface testing method according to any of claims 1-4.
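The method summarised in Example six and claimed in claims 1 to 4, as an added worked example in Python (this is not code from the patent or from the applicant). It assumes JSON as the "set data format", a constructed sample request whose "profile" field carries a second JSON document as a string (the nested case claim 1 keeps parsing), and a constructed stub handler standing in for the interface under test; all function names and the mutation labels are my own. It recursively extracts the original parameter values, generates one mutation request per parameter and per data-type or data-structure mutation of claim 2, sends them to the handler, and counts faults per parameter as claims 3 and 4 describe.

```python
import json
import random
import string
from typing import Any, Callable, Dict, List, Tuple

Path = Tuple[Any, ...]

# Constructed sample access request (not from the patent). JSON is taken as the set data
# format; "profile" holds a nested JSON document encoded as a string.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/api/v1/users",
    "body": json.dumps({"name": "alice", "age": 30, "active": True,
                        "profile": json.dumps({"city": "Berlin", "zip": 10115})}),
}

def extract_original_values(data: Any, path: Path = ()) -> Dict[Path, Any]:
    """Map {path: original parameter value} for every leaf of the possibly nested body;
    a "<json>" path segment marks a level that lived inside a JSON-encoded string."""
    if isinstance(data, str):
        try:
            parsed = json.loads(data)  # original data is itself in the set format: keep parsing
        except ValueError:
            return {path: data}  # not in the set format: this is an original parameter value
        return extract_original_values(parsed, path + ("<json>",))
    if not isinstance(data, (dict, list)):
        return {path: data}
    items = data.items() if isinstance(data, dict) else enumerate(data)
    leaves: Dict[Path, Any] = {}
    for key, child in items:
        leaves.update(extract_original_values(child, path + (key,)))
    return leaves

def mutate_value(value: Any, rng: random.Random) -> List[Tuple[str, Any]]:
    """Data-type and data-structure mutations of claim 2 as (label, mutant) pairs. The
    metacharacter string is a constructed placeholder for the "special injection string"."""
    return [
        ("long_string", "A" * 4096),
        ("binary", "\x00\x01\x02\xff"),  # control and non-ASCII characters
        ("hexadecimal", "0x" + "ff" * 8),
        ("integer", 2 ** 63),  # just past the signed 64-bit range
        ("boolean", True),
        ("empty_string", ""),
        ("random_string", "".join(rng.choices(string.ascii_letters + string.digits, k=16))),
        ("special_chars", "'\";<>&{}()"),
        ("array", [value, value]),
        ("character_string", str(value)),
        ("dictionary", {"value": value}),
        ("tuple", (value,)),  # json.dumps emits a tuple as an array
    ]

def replace_at_path(data: Any, path: Path, mutant: Any) -> Any:
    """Copy of data with the leaf at path replaced; nested JSON strings are re-encoded."""
    if not path:
        return mutant
    head, rest = path[0], path[1:]
    if head == "<json>":
        return json.dumps(replace_at_path(json.loads(data), rest, mutant))
    copy = dict(data) if isinstance(data, dict) else list(data)
    copy[head] = replace_at_path(data[head], rest, mutant)
    return copy

def generate_mutation_requests(request: dict, seed: int = 0) -> List[dict]:
    """One mutation request per (original parameter value, mutation), as in claims 1 and 2."""
    rng = random.Random(seed)
    out = []
    for path, value in extract_original_values(request["body"]).items():
        for label, mutant in mutate_value(value, rng):
            out.append({"method": request["method"], "path": request["path"],
                        "body": replace_at_path(request["body"], path, mutant),
                        "mutation": {"param": path, "type": label}})
    return out

def stub_interface(request: dict) -> Tuple[int, str]:
    """Constructed stand-in for the interface under test (not real service code); it trusts
    field types, so several mutants escape as unhandled exceptions (a 500 in production)."""
    try:
        body = json.loads(request["body"])
        profile = json.loads(body["profile"])
        greeting = "Hi " + body["name"]  # TypeError if name is not a string
        if body["age"] + 1 > 150:  # TypeError if age is not a number
            return 400, "age out of range"
        return 200, greeting + " from " + profile["city"].upper()  # AttributeError if city is not a string
    except (KeyError, ValueError):
        return 400, "bad request"  # controlled rejection, not a fault

def run_tests(requests_: List[dict], interface: Callable[[dict], Tuple[int, str]]) -> Dict[str, Any]:
    """Claims 3 and 4: send each mutation request, treat an unhandled exception or a 5xx
    as an interface fault, and count faults per parameter to direct the repair."""
    faults: List[Tuple[Path, str, str]] = []
    for req in requests_:
        try:
            status = interface(req)[0]
            outcome = str(status) if status >= 500 else None
        except Exception as exc:
            outcome = type(exc).__name__
        if outcome is not None:
            faults.append((req["mutation"]["param"], req["mutation"]["type"], outcome))
    by_param: Dict[Path, List[str]] = {}
    for param, mtype, _ in faults:
        by_param.setdefault(param, []).append(mtype)
    return {"total": len(requests_), "faults": faults, "by_param": by_param}
```

Running `run_tests(generate_mutation_requests(SAMPLE_REQUEST), stub_interface)` on the constructed request yields 60 mutation requests (5 leaf parameters, 12 mutations each), of which 20 fault: every non-numeric mutant of `age` and every non-string mutant of `name` and `profile.city`, while `active` and `profile.zip` never fault because the handler never reads them. That per-parameter count is what claim 4 uses to direct the fix (validate the type of each field before using it). Note that every mutated body is still well-formed JSON, so this harness exercises the handler's type assumptions rather than the JSON parser; malformed bodies would be a separate test input.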
CN201910493416.4A 2019-06-06 2019-06-06 Interface test method, device, equipment and medium Active CN110196813B (en)

Publications (2)

Publication Number Publication Date
CN110196813A (en) 2019-09-03
CN110196813B (en) 2023-05-02

Family

ID=67754125

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant