CN110381033B - Web application vulnerability detection method, device, system, storage medium and server - Google Patents


Info

Publication number
CN110381033B
Authority
CN
China
Prior art keywords
data
server
vulnerability
taint
processing
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN201910550245.4A
Other languages
Chinese (zh)
Other versions
CN110381033A (en)
Inventor
潘志祥
万振华
王颉
李绪勤
Current Assignee (as listed by Google Patents; may be inaccurate)
Shenzhen Kaiyuan Internet Security Technology Co Ltd
Original Assignee
Shenzhen Kaiyuan Internet Security Technology Co Ltd
Application filed by Shenzhen Kaiyuan Internet Security Technology Co Ltd
Priority to CN201910550245.4A
Publication of CN110381033A
Application granted
Publication of CN110381033B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The invention provides a Web application vulnerability detection method, device, system, storage medium and server. The method comprises the following steps: a first server obtains data sent by a second server; it judges whether the data sent by the second server contains taint data, taint data being data that originates from a front-end browser; if the data sent by the second server contains taint data, a second data tracking process is initiated, which tracks the taint data on the first server and monitors whether the taint data is called; and if a call instruction for the taint data is detected, vulnerability detection is carried out before the taint data is called. The method and device can accurately locate the true source of problematic data, which improves the accuracy and efficiency of Web application vulnerability detection, while automated vulnerability detection reduces labour and cost.

Description

Web application vulnerability detection method, device, system, storage medium and server
Technical Field
The invention relates to the technical field of information security, in particular to a method, a device, a system, a storage medium and a server for detecting Web application vulnerabilities.
Background
Because requirements and technologies have evolved, today's large-scale internet architectures usually adopt a distributed architecture. Unlike the traditional SOA distributed service architecture, current distributed services are divided more finely, and microservice applications, typified by Spring Cloud plus Docker, are often composed of hundreds or even thousands of microservices. The microservices are not exposed directly to the client, and because their functions differ, their call relationships differ as well.
Because of the particular nature of the microservice architecture, the vulnerability detection rate of traditional detection tools on such an architecture cannot be guaranteed, and their efficiency is low. For example, a black-box testing tool sends a request with attack characteristics to a server; the server extracts the parameters from the request and calls different microservices to process them and obtain a result, and the called microservices may forward the request parameters to further microservices. If a SQL injection vulnerability exists, it often lies in one of those further microservices, each of which may respond to the attack in a different way; the responses are encapsulated and returned through different microservices, and the data that finally reaches the client may look normal or, if abnormal, is a result that has already been processed by several microservices. The black-box tool therefore cannot accurately judge whether the attack request it submitted was effective. For a white-box testing tool, completing configuration and vulnerability scanning for hundreds of microservices is itself an operation that requires a large investment of manpower and material cost.
In summary, in the prior art the accuracy of Web application vulnerability detection in a distributed microservice architecture is low, detection efficiency is low, and cost is high.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a system, a storage medium and a server for detecting Web application vulnerabilities, and aims to solve the problems that in the prior art, the accuracy of Web application vulnerability detection in a distributed micro-service architecture is low, the detection efficiency is low, and the cost is high.
A first aspect of the present application provides a method for detecting a Web application vulnerability, including:
a first server obtains data sent by a second server;
judging whether the data sent by the second server contains taint data, where taint data is data originating from a front-end browser;
if the data sent by the second server contains taint data, initiating a second data tracking process, which tracks the taint data on the first server and monitors whether the taint data is called;
and if a call instruction for the taint data is detected, carrying out vulnerability detection before the taint data is called.
A second aspect of the present application provides a Web application vulnerability detection apparatus, including:
a data acquisition unit, used by the first server to acquire the data sent by the second server;
a data detection unit, used to judge whether the data sent by the second server contains taint data, where taint data is data originating from a front-end browser;
a data tracking unit, used to initiate a second data tracking process if the data sent by the second server contains taint data, the second data tracking process tracking the taint data on the first server and monitoring whether the taint data is called;
and a vulnerability detection unit, used to carry out vulnerability detection before the taint data is called if a call instruction for the taint data is detected.
A third aspect of the present application provides a Web application vulnerability detection system, including: a first server and a second server, wherein:
the second server is used to receive a processing request and judge the source of the data carried by the processing request; to mark the data carried by the processing request that comes from a front-end browser as taint data; and to initiate a first data tracking process, which tracks the taint data in the second server and monitors the security processing of the taint data by the second server;
the second server is also used to perform processing based on the processing request, to secondarily encapsulate part of the data extracted from the processing request, and to send the re-encapsulated data to the first server;
the first server is used to obtain the data sent by the second server and judge whether it contains taint data, where taint data is data originating from a front-end browser; if the data sent by the second server contains taint data, to initiate a second data tracking process, which tracks the taint data in the first server and monitors whether the taint data is called; and if a call instruction for the taint data is detected, to carry out vulnerability detection before the taint data is called.
A fourth aspect of the present application provides a server comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to the first aspect when executing the computer program.
A fifth aspect of the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of the first aspect as described above.
A sixth aspect of the application provides a computer program product comprising a computer program which, when executed by one or more processors, performs the steps of the method of the first aspect as described above.
In the embodiment of the invention, the second server receives a processing request, judges the source of the data carried by it, marks the data that originates from a front-end browser as taint data, and initiates a first data tracking process that tracks the taint data and monitors the second server's security processing of it. At the same time the second server performs processing based on the request, secondarily encapsulates part of the data extracted from the request, and sends the re-encapsulated data to the first server. The first server obtains the data sent by the second server and judges whether it contains taint data; if it does, the first server initiates a second data tracking process that monitors whether the taint data is called, and if a call instruction for the taint data is detected, vulnerability detection is carried out before the taint data is called. Under this scheme a data tracking process is initiated across servers to follow the taint data, so the true source of problematic data can be located accurately; this improves the accuracy and efficiency of Web application vulnerability detection, while automated vulnerability detection reduces labour and cost.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed for the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a system architecture diagram of a Web application vulnerability detection system provided in an embodiment of the present invention;
fig. 2 is a flowchart illustrating an implementation of a Web application vulnerability detection method according to an embodiment of the present invention;
fig. 3 is a flowchart of a specific implementation of step S205 of the Web application vulnerability detection method according to an embodiment of the present invention;
fig. 4 is a flowchart of another specific implementation of step S205 of the Web application vulnerability detection method according to the embodiment of the present invention;
fig. 5 is a block diagram of a structure of a Web application vulnerability detection apparatus according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a server provided in an embodiment of the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a system architecture diagram of a Web application vulnerability detection system according to a first embodiment of the present invention, which is detailed as follows: for convenience of explanation, only portions related to the embodiments of the present invention are shown.
The Web application vulnerability detection system provided by the embodiment of the invention is applied to a distributed service architecture; a single such architecture may span a few distributed servers and hundreds or even thousands of microservice servers. One or more servers act as a gateway: they receive requests sent by clients (such as browsers), perform a series of processing steps, secondarily encapsulate part of the parameters extracted from the requests, send the requests carrying the re-encapsulated parameters to other distributed servers over http/https or another communication protocol, wait for the results, and finally return the processing results to the clients. Referring to fig. 1, the Web application vulnerability detection system includes a first server 1 and a second server 2, both of which, in the embodiment of the present invention, are servers in a distributed microservice architecture, where:
the second server 2 is used to receive a processing request and judge the source of the data carried by it; it marks the data carried by the processing request that comes from a front-end browser as taint data and initiates a first data tracking process, which tracks the taint data in the second server 2 and monitors the security processing of the taint data by the second server 2.
Specifically, the second server 2 receives a processing request and determines the source of the data it carries; the request and its data may originate from a user, i.e. a client (such as a browser), or from other servers in the same distributed service architecture. In the embodiment of the invention, data from a user carries a high risk, so data from a user is marked as taint data and a first data tracking process is initiated for it. The first data tracking process tracks the taint data in the second server 2 and monitors the security processing of the taint data by the second server 2.
Monitoring the security processing of the taint data by the second server 2 specifically comprises: detecting vulnerabilities; marking each detected vulnerability, applying a security processing operation to it, and generating a security processing tag that identifies the detected vulnerability and the corresponding security processing operation.
The second server 2 is further configured to perform processing based on the processing request, secondarily encapsulate part of the data extracted from the request, and send the re-encapsulated data to the first server 1; specifically, it sends the re-encapsulated data to the first server 1 over http/https or another communication protocol. In the embodiment of the present invention, data flow tracking is implemented on the basis of instrumentation, which comprises a source phase, a propagation phase, a tag phase and a sink (precipitation) phase. Once the JDK core functions are instrumented, the data flow tracking mechanism inside the second server 2 is established by implementing the instrumentation execution logic together with the specific logic of the four phase functions.
The first server 1 is configured to obtain the data sent by the second server 2 and determine whether it contains taint data, where taint data is data originating from a front-end browser; that is, it determines whether the data sent by the second server 2 contains data that came from a user. If the data sent by the second server 2 contains taint data, a second data tracking process is initiated, which tracks the taint data in the first server 1 and monitors whether the taint data is called; if a call instruction for the taint data is detected, vulnerability detection is carried out before the taint data is called. Data tracking across servers is thereby achieved, and the true source of problematic data can be located accurately.
Specifically, the first server 1 may be connected to the second server 2 in a wired manner or a wireless manner.
Optionally, the second server 2 is not limited to a certain server, and the second server may refer to one or more servers in a distributed microservice architecture.
In the embodiment of the invention, the second server receives a processing request, judges the source of the data carried by it, marks the data that originates from a front-end browser as taint data, and initiates a first data tracking process that tracks the taint data and monitors the second server's security processing of it. At the same time the second server performs processing based on the request, secondarily encapsulates part of the data extracted from the request, and sends the re-encapsulated data to the first server. The first server obtains the data sent by the second server and judges whether it contains taint data; if it does, the first server initiates a second data tracking process that monitors whether the taint data is called, and if a call instruction for the taint data is detected, vulnerability detection is carried out before the taint data is called. Under this scheme a data tracking process is initiated across servers to follow the taint data, so the true source of problematic data can be located accurately; this improves the accuracy and efficiency of Web application vulnerability detection, while automated vulnerability detection reduces labour and cost.
Fig. 2 shows the implementation process of the Web application vulnerability detection method on the first server according to the embodiment of the present invention, where the method includes steps S201 to S204. The specific implementation principle of each step is as follows:
S201: the first server acquires the data sent by the second server.
In the embodiment of the present invention, the data sent by the second server is part of the data extracted from the processing request received by the second server; it has been secondarily encapsulated and is sent over http/https or another communication protocol.
S202: judging whether the data sent by the second server contains taint data, where taint data is data originating from a front-end browser.
In the embodiment of the invention, whether a second data flow tracking process is initiated is decided by judging whether the data sent by the second server contains taint data.
Specifically, after receiving the data sent by the second server, the first server determines, based on the first data tracking process that the second server initiated for the taint data in that data, whether the taint data is called, and if so initiates a second data tracking process that continues to track whether the taint data is called by a sensitive function.
S203: and if the taint data exist in the data sent by the second server, initiating a second data tracking process, wherein the second data tracking process is used for tracking the taint data on the first server and monitoring whether the taint data is called or not.
Specifically, in the embodiment of the present invention, whether the taint data is called by a sensitive function is monitored based on the second data tracking flow. The sensitive function refers to a pre-marked function.
S204: and if the calling instruction of the taint data is monitored, carrying out vulnerability detection before the taint data is called.
Specifically, if a call instruction by which a sensitive function calls the taint data is detected, and the taint data is being called by a sensitive function without corresponding security processing having been applied, vulnerability detection is performed before the taint data is called, to detect whether calling the taint data gives rise to a vulnerability.
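As an added illustration, not code from the patent, the following Python simulation walks through steps S201 to S204 between the two servers: the second server (gateway) marks browser-origin parameters as taint data, re-encapsulates part of them and sends a taint record alongside the data; the first server detects the taint, rehydrates it, initiates its own tracking and checks the data before any pre-marked sensitive function is called, recording which browser parameter the data was derived from. The header name X-Taint-Sources, the Tainted wrapper, the Tracker class and the sensitive-function names are assumptions; the patent does not specify how the taint record travels between servers.

```python
# Added example (not from the patent): simulated cross-server taint tracking.
# Assumptions: the X-Taint-Sources header, the Tainted wrapper and the
# sensitive-function names are ours; the patent does not specify them.
import json
from dataclasses import dataclass

TAINT_HEADER = "X-Taint-Sources"  # assumed: taint record sent alongside the data


@dataclass(frozen=True)
class Tainted:
    """A value plus the browser parameters it was derived from (empty = clean)."""
    value: str
    sources: frozenset = frozenset()

    @property
    def is_taint(self) -> bool:
        return bool(self.sources)

    def __add__(self, other):
        """Propagation: a value built from taint data stays taint data."""
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.sources | other.sources)
        return Tainted(self.value + str(other), self.sources)


@dataclass(frozen=True)
class Finding:
    sink: str           # the pre-marked sensitive function about to be called
    value: str          # the argument it was about to receive
    sources: frozenset  # the browser parameters that argument was derived from


class Tracker:
    """A data tracking process: watches calls of pre-marked sensitive functions."""

    def __init__(self) -> None:
        self.findings = []

    def guard(self, sink_name, fn):
        """Wrap a sensitive function so taint is checked *before* the call (S204)."""
        def wrapper(arg):
            if isinstance(arg, Tainted) and arg.is_taint:
                self.findings.append(Finding(sink_name, arg.value, arg.sources))
            return fn(arg.value if isinstance(arg, Tainted) else arg)
        return wrapper


# ---- second server (gateway) -------------------------------------------------
def gateway(request_params):
    """Mark browser-origin parameters as taint, then re-encapsulate part of them."""
    tainted = {k: Tainted(v, frozenset({f"browser:{k}"})) for k, v in request_params.items()}
    # Secondary encapsulation: only some parameters are forwarded, and the
    # gateway adds values of its own, which are not taint data.
    body = {"filter": Tainted("name=") + tainted["user"], "page": Tainted("1")}
    wire_body = {k: v.value for k, v in body.items()}
    record = {k: sorted(v.sources) for k, v in body.items() if v.is_taint}
    return {TAINT_HEADER: json.dumps(record)}, wire_body


# ---- first server (downstream microservice) ----------------------------------
def downstream(headers, wire_body, tracker):
    """S201-S204: receive the data, detect taint, track it, monitor sensitive calls."""
    record = json.loads(headers.get(TAINT_HEADER, "{}"))
    data = {k: Tainted(v, frozenset(record.get(k, ()))) for k, v in wire_body.items()}
    if not any(t.is_taint for t in data.values()):
        return "no taint data: no second tracking process"  # S202 negative branch
    execute_sql = tracker.guard("execute_sql", lambda q: f"rows for [{q}]")  # S203
    log_write = tracker.guard("log_write", lambda s: f"logged {s}")
    log_write(data["page"])  # clean value: guarded, but produces no finding
    return execute_sql(Tainted("SELECT * FROM t WHERE ") + data["filter"])


def run_scenario(user_input):
    """Drive one request through both servers and return what the tracker saw."""
    tracker = Tracker()
    headers, body = gateway({"user": user_input, "lang": "en"})  # constructed request
    downstream(headers, body, tracker)
    return tracker.findings


if __name__ == "__main__":
    for f in run_scenario("alice"):
        print(f"{f.sink} was about to receive {f.value!r}, derived from {sorted(f.sources)}")
```

The finding produced on the first server names the browser parameter (browser:user) rather than the gateway that forwarded it, which is the cross-server source location the description is after; the constant page value added by the gateway reaches a guarded function too but yields no finding because it carries no taint.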
Optionally, after the step S204, the method further includes:
s205: and if the vulnerability is detected, judging whether the detected vulnerability meets vulnerability reporting conditions.
In this embodiment, if the taint data is called by some sensitive functions without being subjected to corresponding security processing, whether the calling meets the vulnerability reporting condition is analyzed. Specifically, a vulnerability reporting condition is preset, whether the detected vulnerability meets the vulnerability reporting condition is judged, and if yes, the detected vulnerability is reported to prompt that a risk exists; if not, judging that the detected loophole has no risk, and not reporting.
As an embodiment of the present invention, step S205 specifically includes:
A1: detecting whether the taint data carries a security processing tag, where the security processing tag identifies a vulnerability detected by the second server and the security processing operation the second server applied to that vulnerability.
A2: if the taint data carries a security processing tag, the vulnerability identified by that tag does not meet the vulnerability reporting condition.
In the embodiment of the present invention, before the second server sends data containing taint data to the first server, it performs vulnerability detection and security processing on the taint data based on the monitoring results of the first data flow tracking process. If a vulnerability is detected when the second server calls the taint data, a security processing tag is generated from the detected vulnerability and the security processing operation applied to it. The first server then checks whether the taint data carries a security processing tag and, if so, judges that the vulnerability identified by the tag does not meet the vulnerability reporting condition. Specifically, if the vulnerability detected when the first server calls the taint data is the same as the one identified by the tag, i.e. the one the second server detected, and the second server has already applied the corresponding security processing operation to it, the vulnerability does not meet the reporting condition and is not reported.
Optionally, as an embodiment of the present invention, as shown in fig. 3, step S205 specifically includes:
B1: detecting whether the taint data carries a security processing tag, where the security processing tag identifies a vulnerability detected by the second server and the security processing operation the second server applied to that vulnerability.
B2: if the taint data carries more than one security processing tag, judging, from the vulnerability identified by each tag and the security processing operation the second server applied to it, whether there are tags whose identified security processing operations are inverse operations of each other.
B3: if there are, the vulnerability identified by those tags meets the vulnerability reporting condition.
In this embodiment of the present invention, if the taint data carries more than one security processing tag, that is, if before sending the data containing the taint data the second server detected more than one vulnerability from the calls to the taint data observed by the first data flow tracking process, then more than one security processing tag is generated for the taint data from the detected vulnerabilities and the security processing operations applied to them. Whether the vulnerability identified by the tags meets the reporting condition is determined by judging whether the security processing operations corresponding to the several tags are inverse operations of each other.
Optionally, as an embodiment of the present invention, as shown in fig. 4, step S205 specifically includes:
C1: detecting whether the taint data carries a security processing tag, where the security processing tag identifies a vulnerability detected by the second server and the security processing operation the second server applied to that vulnerability.
C2: if the taint data carries a security processing tag, acquiring the operation corresponding to the call instruction for the taint data.
C3: judging whether the operation corresponding to the call instruction is the inverse of the security processing operation identified by the taint data's security processing tag.
C4: if the operation corresponding to the call instruction is the inverse of the operation identified by the tag, determining that the vulnerability identified by the security processing tag meets the vulnerability reporting condition.
For example, SQL escaping is applied to the data; if the data is then added to a SQL statement and executed, no SQL injection problem arises. The Web application may, however, perform an unescape operation after the SQL operation, and since SQL escape and unescape are inverse operations of each other, the data still carries a SQL injection threat, and that threat meets the vulnerability reporting condition.
S206: if the vulnerability reporting condition is met, reporting the vulnerability.
Illustratively, after service A receives the request parameters it secondarily encapsulates them and sends them to service B. Before service A sends the data, a first data flow tracking process is initiated on service A, which tracks the request parameters that arrived from the front-end browser. When the data is sent to service B, service B monitors how the data is extracted by means of the first data flow tracking information established in service A, judges whether the taint data is called and, if so, initiates a second data flow tracking process that continues to track the taint data. When the taint data is used by a sensitive function without corresponding security processing, whether it meets the vulnerability reporting condition is analysed, and if it does the vulnerability is reported, so the true source of the problematic data can be located accurately.
In the embodiment of the invention, the first server obtains the data sent by the second server and judges whether it contains taint data; if it does, a second data tracking flow is initiated and whether the taint data is called by a sensitive function is monitored; if a call instruction for the taint data is detected, vulnerability detection is carried out before the taint data is called; if a vulnerability is detected, whether it meets the vulnerability reporting condition is judged, and if so the vulnerability is reported, so that the risk is flagged in time. Under this scheme a data tracking process is initiated across servers to follow the taint data, so the true source of problematic data can be located accurately; this improves the accuracy and efficiency of Web application vulnerability detection, while automated vulnerability detection reduces labour and cost.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Corresponding to the Web application vulnerability detection method described in the foregoing embodiment, fig. 5 shows a structural block diagram of the Web application vulnerability detection apparatus provided in the embodiment of the present application, and for convenience of description, only the parts related to the embodiment of the present application are shown.
Referring to fig. 5, the Web application vulnerability detection apparatus includes: data acquisition unit 51, data detection unit 52, data tracking unit 53, vulnerability detection unit 54, wherein:
a data acquisition unit 51, used by the first server to acquire the data sent by the second server;
a data detecting unit 52, configured to determine whether taint data exists in the data sent by the second server, where the taint data is data from a front-end browser;
a data tracking unit 53, configured to initiate a second data tracking procedure if taint data exists in the data sent by the second server, where the second data tracking procedure is used to track the taint data on the first server and monitor whether the taint data is called;
and the vulnerability detection unit 54 is configured to perform vulnerability detection before the taint data is called if the call instruction of the taint data is monitored.
Optionally, the vulnerability detection unit 54 includes:
the vulnerability detection module, configured to judge, if a vulnerability is detected, whether the detected vulnerability meets the vulnerability reporting condition;
and the vulnerability reporting module is used for reporting the vulnerability if the vulnerability reporting condition is met.
Optionally, the vulnerability detection module specifically includes:
the tag determining submodule, configured to detect whether the taint data carries a security processing tag, where the security processing tag identifies a vulnerability detected by the second server and the security processing operation that the second server performed on the identified vulnerability;
and the first vulnerability determining submodule, configured to determine, if the taint data carries the security processing tag, that the vulnerability identified by that tag does not meet the vulnerability reporting condition.
Optionally, the vulnerability detection module further includes:
the first operation judging submodule, configured to judge, if the taint data carries more than one security processing tag, whether there are tags whose identified security processing operations are inverse operations of each other, according to the vulnerability identified by each tag and the security processing operation that the second server performed on it;
and the second vulnerability determining submodule, configured to determine, if such tags exist, that the vulnerability identified by the tags whose security processing operations are inverse operations meets the vulnerability reporting condition.
Optionally, the vulnerability detection module further includes:
the operation obtaining submodule, configured to obtain, if the taint data carries a security processing tag, the operation corresponding to the call instruction on the taint data;
the second operation judging submodule, configured to judge whether the operation corresponding to the call instruction is the inverse of the security processing operation identified by the tag;
and the third vulnerability determining submodule, configured to determine, if the operation corresponding to the call instruction is that inverse operation, that the vulnerability identified by the security processing tag meets the vulnerability reporting condition.
Fig. 6 is a schematic diagram of a server according to an embodiment of the present invention. As shown in fig. 6, the server 6 of this embodiment includes: a processor 60, a memory 61, and a computer program 62, such as a Web application vulnerability detection program, stored in the memory 61 and operable on the processor 60. The processor 60, when executing the computer program 62, implements the steps in the above-described embodiments of the Web application vulnerability detection method, such as the steps 201 to 204 shown in fig. 2. Alternatively, the processor 60, when executing the computer program 62, implements the functions of the modules/units in the above-mentioned device embodiments, such as the functions of the units 51 to 54 shown in fig. 5.
Illustratively, the computer program 62 may be partitioned into one or more modules/units that are stored in the memory 61 and executed by the processor 60 to implement the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which describe the execution of the computer program 62 in the server 6. For example, the computer program 62 may be divided into a data acquisition unit, a data detection unit, a data tracking unit and a vulnerability detection unit (units of a virtual device), whose specific functions are as follows:
a data acquisition unit, configured to acquire, at the first server, the data sent by the second server;
the data detection unit is used for judging whether taint data exist in the data sent by the second server, wherein the taint data are data from a front-end browser;
the data tracking unit is used for initiating a second data tracking process if the taint data exists in the data sent by the second server, and the second data tracking process is used for tracking the taint data on the first server and monitoring whether the taint data is called or not;
and the vulnerability detection unit is used for detecting the vulnerability before the taint data is called if the calling instruction of the taint data is monitored.
The server 6 may be a desktop computer, a notebook, a handheld computer, a cloud server, or another computing device. The server may include, but is not limited to, a processor 60 and a memory 61. Those skilled in the art will appreciate that fig. 6 is merely an example of the server 6 and does not constitute a limitation of it; the server may include more or fewer components than shown, combine some components, or use different components, e.g., it may also include input/output devices, network access devices, buses, etc.
It should be understood that in the embodiment of the present application, the processor 60 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 61 may include both read-only memory and random access memory, and provides instructions and data to the processor 60. Some or all of memory 61 may also include non-volatile random access memory. For example, the memory 61 may also store information of device types.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium and which, when executed by a processor, implements the steps of the method embodiments. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and the like. It should be noted that the content covered by the computer-readable medium may be increased or decreased as appropriate according to legislation and patent practice in the jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A Web application vulnerability detection method is characterized by comprising the following steps:
the second server receives a processing request and determines the source of the data carried by the processing request; marks the data carried by the processing request that comes from a front-end browser as taint data, and initiates a first data tracking flow, wherein the first data tracking flow is used to track the taint data within the second server and to monitor the security processing performed on the taint data by the second server; the second server performs processing based on the processing request, performs secondary packaging of part of the data extracted from the processing request, and sends the re-packaged data to the first server;
the first server acquires the data sent by the second server; determines whether taint data exists in the data sent by the second server, wherein the taint data is data originating from a front-end browser; if taint data exists in the data sent by the second server, initiates a second data tracking flow, wherein the second data tracking flow is used to track the taint data on the first server and to monitor whether the taint data is called; and if a call instruction on the taint data is monitored, performs vulnerability detection before the taint data is called.
2. The Web application vulnerability detection method according to claim 1, wherein after the step of performing vulnerability detection before the taint data is called if a call instruction on the taint data is monitored, the method further comprises:
if the vulnerability is detected, judging whether the detected vulnerability meets vulnerability reporting conditions;
and if the vulnerability reporting condition is met, reporting the vulnerability.
3. The Web application vulnerability detection method according to claim 2, wherein the step of judging, if a vulnerability is detected, whether the detected vulnerability meets a preset vulnerability reporting condition specifically comprises:
detecting whether the taint data carries a security processing tag, wherein the security processing tag identifies a vulnerability detected by the second server and the security processing operation performed by the second server on the identified vulnerability;
and if the taint data carries the security processing tag, the vulnerability identified by the security processing tag of the taint data does not meet the vulnerability reporting condition.
4. The Web application vulnerability detection method according to claim 2, wherein the step of judging, if a vulnerability is detected, whether the detected vulnerability meets a preset vulnerability reporting condition specifically comprises:
detecting whether the taint data carries a security processing tag, wherein the security processing tag identifies a vulnerability detected by the second server and the security processing operation performed by the second server on the identified vulnerability;
if the taint data carries more than one security processing tag, judging, according to the vulnerability identified by each security processing tag and the security processing operation performed by the second server on that vulnerability, whether there are security processing tags whose identified security processing operations are inverse operations of each other;
and if such tags exist, the vulnerability identified by the security processing tags whose identified security processing operations are inverse operations meets the vulnerability reporting condition.
5. The Web application vulnerability detection method according to claim 2, wherein the step of judging, if a vulnerability is detected, whether the detected vulnerability meets a preset vulnerability reporting condition specifically comprises:
detecting whether the taint data carries a security processing tag, wherein the security processing tag identifies a vulnerability detected by the second server and the security processing operation performed by the second server on the identified vulnerability;
if the taint data carries the security processing tag, obtaining the operation corresponding to the call instruction on the taint data;
judging whether the operation corresponding to the call instruction on the taint data is the inverse of the security processing operation identified by the security processing tag;
and if the operation corresponding to the call instruction on the taint data is that inverse operation, determining that the vulnerability identified by the security processing tag meets the vulnerability reporting condition.
6. A Web application vulnerability detection system, comprising: a first server and a second server, wherein:
the second server is used for receiving a processing request and judging the source of data carried by the processing request; marking data carried by the processing request and coming from a front-end browser as taint data, and initiating a first data tracking process, wherein the first data tracking process is used for tracking the taint data in the second server and monitoring the safe processing of the taint data by the second server;
the second server is also used for processing based on the processing request, performing secondary packaging on part of data extracted from the processing request, and sending the re-packaged data to the first server;
the first server is used for acquiring the data sent by the second server and judging whether taint data exists in the data sent by the second server, wherein the taint data is data from a front-end browser; if the data sent by the second server contains taint data, a second data tracking process is initiated, and the second data tracking process is used for tracking the taint data in the first server and monitoring whether the taint data is called or not; and if the calling instruction of the taint data is monitored, carrying out vulnerability detection before the taint data is called.
7. The Web application vulnerability detection device is characterized by comprising the following components:
a data acquisition unit, configured to acquire, at the first server, the data sent by the second server, wherein the data is sent after the second server receives a processing request and performs processing based on it, specifically: the second server receives the processing request and determines the source of the data carried by it; marks the data carried by the processing request that comes from a front-end browser as taint data, and initiates a first data tracking flow, wherein the first data tracking flow is used to track the taint data within the second server and to monitor the security processing performed on the taint data by the second server; the second server performs processing based on the processing request, performs secondary packaging of part of the data extracted from the processing request, and sends the re-packaged data to the first server;
the data detection unit is used for judging whether taint data exist in the data sent by the second server, wherein the taint data are data from a front-end browser;
the data tracking unit is used for initiating a second data tracking process if the taint data exists in the data sent by the second server, and the second data tracking process is used for tracking the taint data on the first server and monitoring whether the taint data is called or not;
and the vulnerability detection unit is used for detecting the vulnerability before the taint data is called if the calling instruction of the taint data is monitored.
8. The Web application vulnerability detection apparatus according to claim 7, wherein the vulnerability detection unit includes:
the vulnerability detection module is used for judging whether the detected vulnerability meets vulnerability reporting conditions or not if the vulnerability is detected;
and the vulnerability reporting module is used for reporting the vulnerability if the vulnerability reporting condition is met.
9. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the Web application vulnerability detection method according to any of claims 1 to 5.
10. A server comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the Web application vulnerability detection method according to any of claims 1 to 5 when executing the computer program.
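The apparatus units and submodules described in the embodiment above, and claims 1 to 5, describe one flow: the second server marks browser-originated data as taint, records each security processing operation it applies as a tag, and re-packages the data for the first server; the first server recognises the taint on receipt, tracks it, and decides at the sensitive call whether a detected vulnerability meets the reporting condition (suppressed when an intact tag covers it, reported when two tags are inverse operations or when the call itself is the inverse of the tagged operation). The following Python sketch is an added example written for this page; it is not code from the patent or its assignee. The concrete sanitizers and their inverse pairs (html_escape/html_unescape, url_encode/url_decode), the JSON wire format carrying the taint mark and tags between the two servers, the vulnerability label "xss", and limiting the inverse-operation check to tags of the same vulnerability class are all assumptions made here.

```python
"""Cross-server taint flow with security-processing tags (added example, not the patent's code)."""
import html
import json
import urllib.parse
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed table of security-processing operations and the operation that undoes each.
INVERSE = {
    "html_escape": "html_unescape", "html_unescape": "html_escape",
    "url_encode": "url_decode", "url_decode": "url_encode",
}
SANITIZERS = {
    "html_escape": lambda s: html.escape(s, quote=True),
    "html_unescape": html.unescape,
    "url_encode": urllib.parse.quote,
    "url_decode": urllib.parse.unquote,
}


@dataclass
class Tag:
    vuln: str   # vulnerability class the processing addressed, e.g. "xss" (assumed label)
    op: str     # security-processing operation applied, e.g. "html_escape"


@dataclass
class Tainted:
    value: str
    source: str                     # "browser" marks front-end data as taint
    tags: List[Tag] = field(default_factory=list)


# ---- second server: marks taint and records the security processing it performs ----
def mark_taint(request: dict) -> Tainted:
    """Wrap the request body with its recorded source; browser data is the taint."""
    return Tainted(value=request["body"], source=request["source"])


def apply_processing(t: Tainted, op: str, vuln: str) -> Tainted:
    """Run one security-processing operation and attach the tag that records it."""
    return Tainted(SANITIZERS[op](t.value), t.source, t.tags + [Tag(vuln, op)])


def repackage(t: Tainted) -> str:
    """Secondary packaging: the taint mark and its tags travel with the value (assumed JSON format)."""
    return json.dumps({"data": t.value,
                       "taint": {"source": t.source,
                                 "tags": [{"vuln": g.vuln, "op": g.op} for g in t.tags]}})


# ---- first server: detects taint in received data and checks it before sensitive calls ----
def detect_taint(wire: str) -> Optional[Tainted]:
    """Return a Tainted object when the received data originated in a browser, else None."""
    msg = json.loads(wire)
    meta = msg.get("taint")
    if not meta or meta.get("source") != "browser":
        return None
    return Tainted(msg["data"], meta["source"],
                   [Tag(g["vuln"], g["op"]) for g in meta.get("tags", [])])


def meets_reporting_condition(t: Tainted, vuln: str, call_op: Optional[str] = None) -> bool:
    """Decide, before the sensitive call runs, whether a detected vulnerability is reported.

    call_op is the operation that the calling instruction itself performs on the data.
    """
    relevant = [g for g in t.tags if g.vuln == vuln]
    if not relevant:
        return True                     # no security processing recorded for this class
    # The call itself undoes the recorded processing (e.g. unescape before rendering).
    if call_op is not None and any(INVERSE.get(g.op) == call_op for g in relevant):
        return True
    # Two recorded operations are inverses of each other (escape, then unescape).
    ops = [g.op for g in relevant]
    for i, op in enumerate(ops):
        if INVERSE.get(op) in ops[i + 1:]:
            return True
    return False                        # tag present and not undone: do not report


def render_html(t: Tainted, unescape_first: bool = False) -> dict:
    """Sensitive sink on the first server: reports XSS per the rules above, then renders."""
    call_op = "html_unescape" if unescape_first else None
    reported = meets_reporting_condition(t, "xss", call_op)
    out = html.unescape(t.value) if unescape_first else t.value
    return {"rendered": f"<p>{out}</p>", "reported": reported}


# Constructed sample request, not captured from any real system.
SAMPLE = {"source": "browser", "body": "<script>alert(1)</script>"}

if __name__ == "__main__":
    escaped = apply_processing(mark_taint(SAMPLE), "html_escape", "xss")
    t = detect_taint(repackage(escaped))
    print(render_html(t))                       # escaped and intact: not reported
    print(render_html(t, unescape_first=True))  # the sink undoes the escape: reported
```

The point of carrying the tags across the boundary, rather than only the taint bit, is that the first server can tell an escaped value that is rendered as-is (no report) from the same value that the first server unescapes again before rendering (report), which a per-server taint tracker would either miss or flag twice. In a real agent the mark would ride in an out-of-band header or a side table keyed by request id rather than inside the business payload, so that the application code on the first server never sees it.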
CN201910550245.4A 2019-06-24 2019-06-24 Web application vulnerability detection method, device, system, storage medium and server Active CN110381033B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910550245.4A CN110381033B (en) 2019-06-24 2019-06-24 Web application vulnerability detection method, device, system, storage medium and server

Publications (2)

Publication Number Publication Date
CN110381033A CN110381033A (en) 2019-10-25
CN110381033B true CN110381033B (en) 2021-06-08

Family

ID=68249262

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910550245.4A Active CN110381033B (en) 2019-06-24 2019-06-24 Web application vulnerability detection method, device, system, storage medium and server

Country Status (1)

Country Link
CN (1) CN110381033B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111259399B (en) * 2020-04-28 2020-08-11 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting vulnerability attacks for web applications
CN111625834A (en) * 2020-05-15 2020-09-04 深圳开源互联网安全技术有限公司 System and method for detecting vulnerability of Docker mirror image file
CN111859375B (en) * 2020-07-20 2023-08-29 百度在线网络技术(北京)有限公司 Vulnerability detection method and device, electronic equipment and storage medium
CN111935121B (en) * 2020-07-31 2022-04-26 北京天融信网络安全技术有限公司 Vulnerability reporting method and device
CN112416726A (en) * 2020-11-20 2021-02-26 深圳开源互联网安全技术有限公司 Method and device for analyzing static resource loading performance of WEB application
CN115277062A (en) * 2022-06-13 2022-11-01 深圳开源互联网安全技术有限公司 Malicious attack intercepting method, device and equipment and readable storage medium
CN116760650B (en) * 2023-08-23 2023-11-21 深圳开源互联网安全技术有限公司 Method for confirming HTTP parameter pollution propagation chain in micro-service call based on IAST technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107657177A (en) * 2017-09-30 2018-02-02 北京奇虎科技有限公司 A kind of leak detection method and device
CN108712448A (en) * 2018-07-09 2018-10-26 四川大学 A kind of injection attack detection model based on the analysis of dynamic stain
CN109165507A (en) * 2018-07-09 2019-01-08 深圳开源互联网安全技术有限公司 Cross-site scripting attack leak detection method, device and terminal device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080184208A1 (en) * 2007-01-30 2008-07-31 Sreedhar Vugranam C Method and apparatus for detecting vulnerabilities and bugs in software applications
CN102184360B (en) * 2011-05-13 2013-06-05 华中科技大学 Information flow safety monitoring method applied to embedded processor
US10460112B2 (en) * 2014-02-07 2019-10-29 Northwestern University System and method for privacy leakage detection and prevention system without operating system modification
US10129285B2 (en) * 2016-04-27 2018-11-13 Sap Se End-to-end taint tracking for detection and mitigation of injection vulnerabilities in web applications
CN107038378B (en) * 2016-11-14 2018-06-26 平安科技(深圳)有限公司 Application software security flaw detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant