CN110390202A - Method, apparatus, system, device and medium for detecting business logic vulnerabilities - Google Patents

Method, apparatus, system, device and medium for detecting business logic vulnerabilities

Info

Publication number: CN110390202A
Authority: CN (China)
Prior art keywords: server, attack, query, script, required parameter
Legal status: Granted (active)
Application number: CN201910698760.7A
Other languages: Chinese (zh)
Other versions: CN110390202B
Inventors: 叶红, 旷亚和, 姜城, 刘婉娇
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN201910698760.7A
Publication of CN110390202A; application granted; publication of CN110390202B
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The present disclosure provides a method for detecting business logic vulnerabilities, comprising: in response to obtaining a script that the server side issues to a client, identifying the logic judgment nodes in the script as critical data; in response to obtaining a service request that the client sends to the server side, extracting request parameters from the service request; processing the request parameters on the basis of the critical data to determine the legal value range of the request parameters; on the basis of the legal value range, constructing attack requests that contain illegal request parameters and sending them to the server side; and receiving the server side's response message for the attack requests and determining from the response message whether a business logic vulnerability exists. The disclosure also provides an apparatus for detecting business logic vulnerabilities, an electronic device, a computer-readable storage medium and a system for detecting business logic vulnerabilities.

Description

Method, apparatus, system, device and medium for detecting business logic vulnerabilities
Technical field
The present disclosure relates to the field of automated testing technology, and in particular to a method, apparatus, system, device and medium for detecting business logic vulnerabilities.
Background technique
In applications, to ensure the security of business systems, almost every system has various verification functions, such as account password verification, CAPTCHA verification and verification of key transaction parameters. Verifying the parameters a user submits only on the front end is unsafe: an attacker can bypass such a check easily in various ways. For example, in an e-book purchase transaction the application requires the user to pay before the corresponding book can be browsed. If whether the user has paid is controlled only by a front-end script, a malicious user can tamper with the front-end verification logic using the browser's debugging tools, or tamper with the relevant parameters in the communication message using a packet capture tool, bypass the front-end control and use the service for free, causing the website monetary losses.
In day-to-day testing of the above scenario, the tester has to analyse the business function manually, construct test data outside the range of the normal business rules, and deliver the test data to the server side by debugging the front-end code or by capturing and tampering with the communication messages. Such a test method has at least the following shortcomings:
1. Test points are easily omitted. The method relies on the tester fully understanding the business function before judging the test points and constructing test data; traversing every abnormal scenario by hand easily leads to missed tests;
2. The technical difficulty is high. Both debugging front-end code and modifying service parameters with a packet capture tool have a fairly high technical threshold, and ordinary functional testers find them hard to operate;
3. Test efficiency is low. Debugging code or tampering with message parameters by hand, modifying and traversing all abnormal candidate values, and judging how the server side controls each abnormal value involves relatively complex test steps and is inefficient.
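The e-book scenario from the background, as an added JavaScript example that is not part of the patent: a front-end gate in the browser script beside a server that trusts the client's `paid` flag (the vulnerable pattern the background describes) and a server that decides from its own order records (the hardened pattern). The order store, the request shape and all function names are constructed for this illustration.

```javascript
// Added example, not code from the patent: the e-book scenario from the
// background, with constructed data. The front-end check decides nothing the
// server can rely on; only a server-side check against the server's own
// records closes the gap.

// Constructed order store: user-1 has paid for book-42 only.
const PAID_ORDERS = new Map([['user-1', new Set(['book-42'])]]);

// Front-end gate as it might appear in the script the server sends to the
// browser. The flag it tests lives in the client and can be changed there.
function clientCanRead(session) {
  return session.paid === true;
}

// Vulnerable pattern: the server trusts the `paid` field that arrived in the
// request, i.e. it repeats the front-end decision instead of making its own.
function serveBookTrustingClient(req) {
  if (req.paid !== true) return { status: 403, body: 'payment required' };
  return { status: 200, body: `contents of ${req.bookId}` };
}

// Hardened pattern: the server ignores client-supplied flags and checks the
// authenticated user's paid orders in its own records.
function serveBookCheckingOrders(req) {
  const owned = PAID_ORDERS.get(req.user);
  if (!owned || !owned.has(req.bookId)) {
    return { status: 403, body: 'payment required' };
  }
  return { status: 200, body: `contents of ${req.bookId}` };
}

// A request whose `paid` flag does not match the server's records, which is
// what a tampered front-end or message would produce. Returns both servers'
// verdicts so the difference is visible.
function compareEnforcement(user, bookId) {
  const req = { user, bookId, paid: true };
  return {
    frontEndSaysReadable: clientCanRead({ paid: req.paid }),
    trustingClient: serveBookTrustingClient(req).status,
    checkingOrders: serveBookCheckingOrders(req).status,
  };
}

// user-1 has not paid for book-7:
// compareEnforcement('user-1', 'book-7')
//   -> { frontEndSaysReadable: true, trustingClient: 200, checkingOrders: 403 }
```

The detection method of this patent is a systematic way of finding servers of the first kind: it derives the rule the front-end script enforces and checks whether the server side enforces the same rule on its own.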
Summary of the invention
A first aspect of the disclosure provides a method for detecting business logic vulnerabilities, comprising: in response to obtaining a script that the server side issues to a client, identifying the logic judgment nodes in the script as critical data; in response to obtaining a service request that the client sends to the server side, extracting request parameters from the service request; processing the request parameters on the basis of the critical data to determine the legal value range of the request parameters; on the basis of the legal value range, constructing an attack request that contains illegal request parameters and sending the attack request to the server side; and receiving the response message that the server side returns for the attack request and determining from the response message whether a business logic vulnerability exists.
Optionally, the method further comprises: intercepting the interaction data between the client and the server side, and identifying from the interaction data the script that the server side issues to the client and the service request that the client sends to the server side.
Optionally, the method further comprises instrumenting the critical data. Processing the request parameters on the basis of the critical data to determine their legal value range then comprises: obtaining probe point information from a service request generated on the basis of the instrumented script; and determining the legal value range of the request parameters on the basis of the probe point information.
Optionally, obtaining the server side's response message for the attack request and determining whether a business logic vulnerability exists comprises: sending the service request to the server side to obtain a response message for the service request; and comparing the response message for the attack request with the response message for the service request to determine whether a business logic vulnerability exists. The method further comprises generating warning information when a business logic vulnerability exists.
A second aspect of the disclosure provides an apparatus for detecting business logic vulnerabilities, comprising: an identification module for identifying, in response to obtaining a script that the server side issues to a client, the logic judgment nodes in the script as critical data; an extraction module for extracting request parameters from a service request in response to obtaining the service request that the client sends to the server side; a first determining module for processing the request parameters on the basis of the critical data to determine their legal value range; a construction module for constructing, on the basis of the legal value range, an attack request containing illegal request parameters and sending it to the server side; and a second determining module for receiving the server side's response message for the attack request and determining from it whether a business logic vulnerability exists.
A third aspect of the disclosure provides an electronic device comprising a processor and a memory storing computer-readable instructions which, when executed by the processor, cause the processor to perform the above method.
A fourth aspect of the disclosure provides a computer-readable storage medium storing computer-readable instructions which, when executed by a processor, cause the processor to perform the above method.
A fifth aspect of the disclosure provides a system for detecting business logic vulnerabilities, comprising: an instrumentation subsystem for obtaining the script that the server side issues to the client, obtaining the service request that the client sends to the server side, and identifying the logic judgment nodes in the script as critical data; and a detection subsystem for extracting request parameters from the service request, processing the request parameters on the basis of the critical data to determine their legal value range, constructing on the basis of the legal value range an attack request containing illegal request parameters, sending the attack request to the server side, receiving the server side's response message for the attack request, and determining from the response message whether a business logic vulnerability exists.
Optionally, the instrumentation subsystem comprises: a forward proxy module for receiving the interaction data between the client and the server side and identifying from it the script that the server side issues to the client and the service request that the client sends; a code instrumentation module for obtaining the script, identifying the logic judgment nodes in the script as critical data, and instrumenting the critical data; and a data cache module for caching the instrumented script.
Optionally, the detection subsystem comprises: a rule construction module for extracting request parameters from the service request, processing them on the basis of the critical data to determine their legal value range, and constructing on the basis of the legal value range an attack request containing illegal request parameters; an asynchronous forwarding module for sending the attack request to the server side; and a data analysis module for obtaining the attack request and the server side's response message for it, and generating warning information if the response message shows that the server side did not effectively control the attack request.
The present disclosure provides a method, apparatus, system, device and medium for detecting business logic vulnerabilities. The method identifies the critical data at the logic judgment nodes in a script, determines the legal value range of the service request parameters from that critical data, constructs attack requests containing illegal service request parameters, obtains the server side's response message for the attack requests, and determines from the response message whether a business logic vulnerability exists. This effectively reduces the difficulty of testing, improves test coverage and improves test efficiency.
Detailed description of the invention
Fig. 1 schematically illustrates an application scenario of the method for detecting business logic vulnerabilities according to an embodiment of the disclosure;
Fig. 2 schematically illustrates a flowchart of the method for detecting business logic vulnerabilities according to an embodiment of the disclosure;
Fig. 3 schematically illustrates a block diagram of the system for detecting business logic vulnerabilities according to an embodiment of the disclosure;
Fig. 4 schematically illustrates a block diagram of the instrumentation subsystem according to an embodiment of the disclosure;
Fig. 5 schematically illustrates a block diagram of the forward proxy module according to an embodiment of the disclosure;
Fig. 6 schematically illustrates a block diagram of the code instrumentation module according to an embodiment of the disclosure;
Fig. 7 schematically illustrates a workflow diagram of the instrumentation subsystem according to an embodiment of the disclosure;
Fig. 8 schematically illustrates a block diagram of the detection subsystem according to an embodiment of the disclosure;
Fig. 9 schematically illustrates a block diagram of the rule construction module according to an embodiment of the disclosure;
Fig. 10 schematically illustrates a workflow diagram of the detection subsystem according to an embodiment of the disclosure;
Fig. 11 schematically illustrates a flowchart of the method for detecting business logic vulnerabilities according to another embodiment of the disclosure;
Fig. 12 schematically illustrates a block diagram of the apparatus for detecting business logic vulnerabilities according to an embodiment of the disclosure; and
Fig. 13 schematically illustrates a block diagram of the electronic device according to an embodiment of the disclosure.
Specific embodiment
Embodiments of the disclosure are described below with reference to the accompanying drawings. It should be understood that these descriptions are only exemplary and are not intended to limit the scope of the disclosure. In the following detailed description, many specific details are set out for ease of explanation, to provide a comprehensive understanding of the embodiments of the disclosure. It will be evident, however, that one or more embodiments can also be carried out without these specific details. In addition, descriptions of well-known structures and technologies are omitted from the following description, to avoid unnecessarily obscuring the concepts of the disclosure.
The terms used herein are only for describing specific embodiments and are not intended to limit the disclosure. The terms "include", "comprise" and the like used herein indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
All terms used herein (including technical and scientific terms) have the meaning generally understood by those skilled in the art, unless otherwise defined. It should be noted that terms used herein should be interpreted with a meaning consistent with the context of this specification, and should not be interpreted in an idealised or overly mechanical way.
Where a statement similar to "at least one of A, B and C, etc." is used, it should in general be interpreted according to the meaning those skilled in the art generally give to the statement (for example, "a system having at least one of A, B and C" should include, but not be limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C, etc.). Where a statement similar to "at least one of A, B or C, etc." is used, it should likewise be interpreted according to the meaning those skilled in the art generally give to the statement (for example, "a system having at least one of A, B or C" should include, but not be limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C, etc.).
Some block diagrams and/or flowcharts are shown in the drawings. It should be understood that some blocks in the block diagrams and/or flowcharts, or combinations thereof, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus, so that the instructions, when executed by the processor, create means for implementing the functions/operations illustrated in the block diagrams and/or flowcharts. The technology of the disclosure can be implemented in the form of hardware and/or software (including firmware, microcode, etc.). In addition, the technology of the disclosure can take the form of a computer program product on a computer-readable storage medium storing instructions, for use by or in conjunction with an instruction execution system.
Fig. 1 schematically illustrates an application scenario of the method for detecting business logic vulnerabilities according to an embodiment of the disclosure. Those skilled in the art will understand that Fig. 1 shows only an example of a scenario to which embodiments of the disclosure can be applied, to help those skilled in the art understand the technical content of the disclosure; it does not mean that embodiments of the disclosure cannot be used for other devices, systems, environments or scenarios.
As shown in Fig. 1, the application scenario includes a client browser 101, a business logic vulnerability detection system 100 and an application server 104. Information can be exchanged between the client browser 101 and the business logic vulnerability detection system 100, and between the business logic vulnerability detection system 100 and the application server 104. The business logic vulnerability detection system 100 may include an instrumentation subsystem 102 and a detection subsystem 103. The client browser 101 sends service requests to the application server 104; the application server 104 responds to the service request and sends a script to the client browser 101. The instrumentation subsystem 102 analyses the script that the application server issues to the client browser 101, identifies the critical data in the script and instruments that critical data. The detection subsystem 103 extracts the request parameters from the service request, determines the legal value range of those request parameters from the critical data, constructs attack requests containing illegal request parameters, sends the attack requests to the application server 104, and judges from the application server 104's response message to the attack request whether a business logic vulnerability exists.
The client browser 101 is the software the tester uses to access the application server 104. It can be installed on a terminal device (such as a terminal server) for the tester to operate. Before testing begins, the browser's proxy address is configured so that service requests are forwarded to the business logic vulnerability detection system 100, which processes them.
The business logic vulnerability detection system 100 receives the service request that the tester sends to the application server 104 through the client browser 101 and the script with which the application server 104 responds to that request, extracts the request parameters from the service request and the critical data from the script, and determines the legal value range of the request parameters from the critical data. It constructs attack requests containing illegal request parameters and sends them to the application server 104.
The application server 104's response message to the attack request is observed, and whether the current business logic has a vulnerability is judged from that response message in the client browser 101.
It should be noted that the method for detecting business logic vulnerabilities described below with reference to Fig. 2 and Fig. 3 can, for example, be executed by the business logic vulnerability detection system 100; correspondingly, the apparatus for detecting business logic vulnerabilities described below with reference to Fig. 12 can generally be arranged in the business logic vulnerability detection system 100.
It should be understood that the numbers of client browsers and application servers in Fig. 1 are only schematic. Any number of client browsers and application servers may be present, as the implementation requires.
Fig. 2 schematically illustrates a flowchart of the method for detecting business logic vulnerabilities according to an embodiment of the disclosure.
As shown in Fig. 2, the method may include operations S210 to S250.
In operation S210, in response to obtaining a script that the server side issues to a client, the logic judgment nodes in the script are identified as critical data.
In operation S220, in response to obtaining a service request that the client sends to the server side, request parameters are extracted from the service request.
In operation S230, the request parameters are processed on the basis of the critical data to determine their legal value range.
In operation S240, on the basis of the legal value range, an attack request containing illegal request parameters is constructed and sent to the server side.
In operation S250, the server side's response message for the attack request is received, and whether a business logic vulnerability exists is determined from the response message.
The method of this embodiment identifies the critical data at the logic judgment nodes in the script, determines the legal value range of the service request parameters from that critical data, constructs attack requests containing illegal service request parameters, obtains the server side's response message for the attack request, and determines from the response message whether a business logic vulnerability exists.
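Operations S210 to S250 carried through end to end, as an added JavaScript example that is not the patent's own code (JavaScript because the scripts the method analyses are the ones a server issues to a browser). The client script, the captured service request, the two server handlers and the function names (findLogicNodes, legalRange, buildAttackRequests, detect) are all constructed here; the patent names none of these. The range derivation is deliberately narrow: integer comparisons joined by `&&` in the accepting form of an `if` condition.

```javascript
// Added example, not the patent's code: operations S210 to S250 carried out
// against a constructed client script and two constructed server handlers.

// S210 input: script the server side issues to the client (constructed).
const CLIENT_SCRIPT = `
function validateOrder(req) {
  if (req.quantity >= 1 && req.quantity <= 5) {
    return true;
  }
  showError("quantity must be between 1 and 5");
  return false;
}`;

// S220 input: a normal service request captured from the client (constructed).
const SERVICE_REQUEST = { path: '/order', params: { bookId: 'book-42', quantity: 2 } };

// S210: the logic judgment nodes are the if(...) conditions in the script.
function findLogicNodes(script) {
  const nodes = [];
  const re = /if\s*\(([^)]*)\)/g;
  let m;
  while ((m = re.exec(script)) !== null) nodes.push(m[1].trim());
  return nodes;
}

// S230: derive the legal integer range of `param` from the comparisons in one
// node. Only the accepting form (clauses joined by &&) is handled here.
function legalRange(node, param) {
  const re = new RegExp('(?:\\w+\\.)?\\b' + param + '\\b\\s*(>=|<=|>|<)\\s*(-?\\d+)', 'g');
  let min = -Infinity, max = Infinity, found = false, m;
  while ((m = re.exec(node)) !== null) {
    found = true;
    const n = Number(m[2]);
    if (m[1] === '>=') min = Math.max(min, n);
    else if (m[1] === '>') min = Math.max(min, n + 1);
    else if (m[1] === '<=') max = Math.min(max, n);
    else max = Math.min(max, n - 1);
  }
  return found ? { min, max } : null;
}

// S240: attack requests keep every parameter of the normal request and push
// `param` just outside its legal range.
function buildAttackRequests(request, param, range) {
  const outside = [];
  if (range.min !== -Infinity) outside.push(range.min - 1);
  if (range.max !== Infinity) outside.push(range.max + 1);
  return outside.map(v => ({ ...request, params: { ...request.params, [param]: v } }));
}

// Constructed server that relies on the client script alone: any quantity is accepted.
function serverNoCheck(req) {
  return { status: 200, body: 'order placed' };
}

// Constructed server that re-checks the same rule on its own side.
function serverWithCheck(req) {
  const q = req.params.quantity;
  if (!Number.isInteger(q) || q < 1 || q > 5) return { status: 400, body: 'invalid quantity' };
  return { status: 200, body: 'order placed' };
}

// S250: an attack request answered exactly like the normal request means the
// server side did not enforce the rule; each such case becomes a finding.
function detect(server, request, script) {
  const nodes = findLogicNodes(script);
  const baseline = server(request);
  const findings = [];
  for (const [param, value] of Object.entries(request.params)) {
    if (typeof value !== 'number') continue;
    const range = nodes.map(n => legalRange(n, param)).find(r => r !== null);
    if (!range) continue;
    for (const attack of buildAttackRequests(request, param, range)) {
      const resp = server(attack);
      if (resp.status === baseline.status && resp.body === baseline.body) {
        const v = attack.params[param];
        findings.push({ param, value: v, range,
          message: `server accepted ${param}=${v} outside [${range.min}, ${range.max}]` });
      }
    }
  }
  return findings;
}

// detect(serverNoCheck, SERVICE_REQUEST, CLIENT_SCRIPT) -> two findings (quantity 0 and 6)
// detect(serverWithCheck, SERVICE_REQUEST, CLIENT_SCRIPT) -> no findings
```

The pairing of a normal request and its response as the baseline is what makes S250 decidable without knowing the application: the tester never has to interpret the response format, only compare it. A condition that contains parentheses or a guard-form check (`if (x < 1 || x > 5) return false;`) is not parsed by this minimal version; a tool built on the method would walk the script's syntax tree instead.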
The above method is illustrated below with reference to the embodiments shown in Fig. 3 to Fig. 10.
Fig. 3 schematically illustrates a block diagram of a system 300 for detecting business logic vulnerabilities according to an embodiment of the disclosure. The business logic vulnerability detection system 100 of Fig. 1, for example, can be implemented as this system 300.
Referring to Fig. 3, the system 300 may include an instrumentation subsystem 310 and a detection subsystem 320.
The instrumentation subsystem 310 obtains the script that the server side issues to the client, obtains the service request that the client sends to the server side, and identifies the logic judgment nodes in the script as critical data.
The detection subsystem 320 extracts request parameters from the service request, processes them on the basis of the critical data to determine their legal value range, constructs on the basis of that range an attack request containing illegal request parameters, sends the attack request to the server side, receives the server side's response message for the attack request, and determines from the response message whether a business logic vulnerability exists.
The instrumentation subsystem and the detection subsystem are described in turn below with reference to Fig. 4 to Fig. 10.
Fig. 4 schematically illustrates a block diagram of an instrumentation subsystem 400 according to an embodiment of the disclosure. The instrumentation subsystem 102 of Fig. 1 and the instrumentation subsystem 310 of Fig. 3, for example, can be implemented as this instrumentation subsystem 400.
Referring to Fig. 4, the instrumentation subsystem 400 may include a forward proxy module 410, a code instrumentation module 420 and a data cache module 430.
The forward proxy module 410 intercepts the interaction data between the client and the server side and identifies from it the script that the server side issues to the client and the service request that the client sends to the server side. For example, it receives the interaction data between the client and the server side and identifies from that data the script the server side issues to the client and the service request the client sends. Fig. 5, for example, schematically illustrates a block diagram of a forward proxy module 500 according to an embodiment of the disclosure.
Referring to Fig. 5, the forward proxy module 500 may include a traffic transceiver unit 510, a traffic analysis unit 520 and a traffic dispatch unit 530.
For example, the traffic transceiver unit 510 intercepts and forwards the interaction data between the client and the server and passes it to the traffic analysis unit 520; the traffic analysis unit 520 parses the interaction data, filters out the script that the server side sends to the client and the service request that the client sends to the server side, and passes the script and the service request to the traffic dispatch unit 530. The traffic dispatch unit 530 sends the script to the code instrumentation module and the service request to the detection subsystem.
The code instrumentation module 420 obtains the script, identifies the logic judgment nodes in the script as critical data, and instruments the critical data. It receives the script sent by the forward proxy module, instruments it, and passes it to the data cache module for caching once instrumentation is complete.
For example, Fig. 6 schematically illustrates a block diagram of a code instrumentation module 600 according to an embodiment of the disclosure.
Referring to Fig. 6, the code instrumentation module 600 may include a semantic analysis unit 610 and a probe insertion unit 620.
The semantic analysis unit 610 analyses the semantic information in the script, filters out the logic judgment nodes and the rule judgment functions (for example, the key functions in the script), and takes the logic judgment nodes and the rule judgment functions as critical data. The probe insertion unit 620 instruments the critical data so that the code execution path corresponding to a service request can subsequently be traced.
The data cache module 430 caches the instrumented script.
Referring next to Fig. 7, an exemplary implementation of the instrumentation subsystem of this embodiment is described in detail by combining Fig. 7 with the functional modules of Fig. 4.
Fig. 7 schematically illustrates a workflow diagram of the instrumentation subsystem according to an embodiment of the disclosure.
In operation S710, the forward proxy module 410 forwards normal interaction data. For example, after the tester configures the proxy address in the client browser, the forward proxy module 410 intercepts and forwards the interaction data between the client and the server.
In operation S720, the forward proxy module 410 analyses the interaction data, filters out the script that the server side sends to the client and the service request that the client sends to the server side, sends the script to the code instrumentation module and sends the service request to the detection subsystem.
In operation S730, the code instrumentation module 420 performs semantic analysis on the script, marks the logic judgment nodes and jump nodes in the script, instruments the logic judgment nodes and the functions corresponding to the jump nodes, and marks the instrumented positions to generate the corresponding probe point information, so that the code execution flow can subsequently be traced and analysed.
In operation S740, the data cache module 430 caches the instrumented script and the probe point information. These can also be sent to the tester.
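Operations S730 and S740 on a constructed script, as an added JavaScript example that is not the patent's code: each `if` condition is wrapped in a probe call so that executing the instrumented script on a request records which probe points fired and how each condition evaluated, which is the probe point information and execution path the later rule construction works from. The script, the request shapes and the names `__probe`, `instrument` and `runInstrumented` are all chosen here. A real tool would rewrite the script through a JavaScript parser; the regular expression keeps the mechanism visible but does not handle conditions that themselves contain parentheses.

```javascript
// Added example, not the patent's code: instrumentation of a constructed
// client script (S730) and the probe point information it yields (S740).

// Constructed script as the server side would issue it to the browser.
const ORIGINAL_SCRIPT = `
var errors = [];
function showError(msg) { errors.push(msg); }
function validateTransfer(req) {
  if (req.amount <= 0 || req.amount > 5000) {
    showError("amount out of range");
    return false;
  }
  if (req.memo.length > 40) {
    showError("memo too long");
    return false;
  }
  return true;
}`;

// S730: wrap every if(...) condition in a probe call that records the probe
// id and the condition's result without changing the branch taken. Returns
// the instrumented script together with the probe point information.
function instrument(script) {
  const probePoints = [];
  const instrumented = script.replace(/if\s*\(([^)]*)\)/g, (_, cond) => {
    const id = probePoints.length;
    probePoints.push({ id, condition: cond.trim() });
    return `if (__probe(${id}, (${cond})))`;
  });
  return { script: instrumented, probePoints };
}

// Execute the instrumented script on one request and collect the execution
// trace: which probe points fired and how each condition evaluated. The
// script is run inside the tester's own process; `new Function` is used only
// to keep the example self-contained.
function runInstrumented(instrumented, entryFunction, req) {
  const trace = [];
  const probe = (id, result) => {
    trace.push({ id, condition: instrumented.probePoints[id].condition, result });
    return result;
  };
  const run = new Function('__probe', 'req', `${instrumented.script}\nreturn ${entryFunction}(req);`);
  return { accepted: run(probe, req), trace };
}

// A request inside the rules passes both probe points with result false;
// an out-of-range amount stops at the first probe point with result true:
// runInstrumented(instrument(ORIGINAL_SCRIPT), 'validateTransfer', { amount: 9000, memo: 'rent' })
//   -> { accepted: false, trace: [{ id: 0, condition: 'req.amount <= 0 || req.amount > 5000', result: true }] }
```

The trace is what distinguishes instrumentation from static inspection of the script: for a given request it shows exactly which logic judgment nodes the parameters passed through, so the rule construction step can analyse only those nodes rather than every condition in the file. Note that in the guard form used in this script a condition evaluating to false means the request satisfied the rule; the syntactic analysis that derives the legal range has to take the form of each node into account.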
Fig. 8 schematically illustrates a block diagram of a detection subsystem 800 according to an embodiment of the disclosure. The detection subsystem 103 of Fig. 1 and the detection subsystem 320 of Fig. 3, for example, can be implemented as this detection subsystem 800.
Referring to Fig. 8, the detection subsystem 800 may include a rule construction module 810, an asynchronous forwarding module 820 and a data analysis module 830.
The rule construction module 810 receives the service request sent by the forward proxy module, analyses the front-end processing logic of the service request parameters, extracts the parameter verification rules, determines the legal value range of the service request parameters, constructs attack requests containing illegal request parameters, and sends the attack requests to the asynchronous forwarding module 820. The asynchronous forwarding module 820 sends the attack requests to the server. The server responds to the attack request and the response message is passed to the data analysis module 830. The data analysis module 830 analyses the response message and judges whether the server effectively controls the business logic; if it does not, warning information is generated.
The rule construction module 810 extracts the request parameters from the service request, which is generated on the basis of the instrumented script, extracts the probe point information from the service request, and determines the legal value range of the request parameters on the basis of the probe point information. On the basis of the legal value range, it constructs attack requests containing illegal request parameters.
For example, Fig. 9 schematically illustrates a block diagram of a rule construction module 900 according to an embodiment of the disclosure.
Referring to Fig. 9, the rule construction module 900 may include an execution-flow analysis unit 910, a syntax analysis unit 920 and an attack-vector generation unit 930.
The execution-flow analysis unit 910 receives and analyses the service request, extracts its request parameters and probe point information, compares them against the instrumented script cached by the data cache module of the instrumentation subsystem, obtains the code execution flow corresponding to each service request parameter, and sends the code execution flow to the syntax analysis unit 920. The syntax analysis unit 920 performs syntactic analysis on the logic judgment functions corresponding to the probe points that each service request parameter passes through, and obtains the legal value range corresponding to a normal service request. The legal value range is sent to the attack-vector generation unit 930, which constructs service requests outside the legal value range to form attack requests. The attack requests are sent to the asynchronous forwarding module of the detection subsystem.
The asynchronous forwarding module 820 sends the attack requests to the server side. For example, the asynchronous forwarding module 820 sends the attack requests to the server side after several of them have been received. The server side responds to the attack request, generates a response message and sends it to the asynchronous forwarding module 820, which passes the response message to the data analysis module 830.
The data analysis module 830 sends the service request to the server side to obtain the response message for the service request, and compares the response message for the attack request with the response message for the service request to determine whether a business logic vulnerability exists. For example, the data analysis module 830 obtains the attack request and the server side's response message for it, compares that response message with the response message for the normal service request, and judges whether the server side effectively controls the attack request. If an anomaly is found, it generates warning information and sends it to the client, and the tester can take the next step according to the warning information.
Referring next to Fig. 10, an exemplary embodiment of the detection subsystem according to the embodiment of the present disclosure is described in detail with reference to Fig. 10 in combination with the functional modules of Fig. 8.
Fig. 10 schematically illustrates a workflow diagram of the detection subsystem according to an embodiment of the present disclosure.
In operation S1010, rule construction module 810 receives the service request and analyzes the code execution flow of the service request parameters.
In operation S1020, rule construction module 810 performs syntactic analysis on the logic judgment functions that each service request parameter passed through, and obtains the legal value range corresponding to a normal service request.
In operation S1030, rule construction module 810 constructs service requests outside the legal value range to form attack requests.
In operation S1040, asynchronous forwarding module 820 sends the above attack requests to the server side.
In operation S1050, data analysis module 830 obtains the attack request and the server side's response information for the attack request; if the response information shows that the server side has not effectively controlled the attack request, alarm information is generated and sent to the client.
Fig. 11 schematically illustrates a flowchart of a method for detecting a service logic vulnerability according to another embodiment of the present disclosure.
In operation S1110, instrumentation subsystem 310 obtains the script issued by the server side to the client, obtains the service request sent by the client to the server side, and identifies the logic judgment nodes in the script as critical data.
In operation S1120, detection subsystem 320 extracts the request parameters from the above service request, processes the request parameters based on the above critical data, determines the legal value range of the request parameters, constructs an attack request containing illegal request parameters based on the legal value range, sends the attack request to the server side, receives the server side's response information for the attack request, and determines whether a service logic vulnerability exists according to the response information.
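The detection flow S1010 to S1050 above (the second step of the method, S1120, is the same pipeline) worked through as an added example; this is not the patent's code. The probe-point record format reported by the instrumented script and the two mock server sides are assumptions introduced here; the flawed mock trusts the client-side check, the hardened one re-validates, and only the former triggers an alarm.

```python
"""Added example, not the patent's own code: detection-subsystem flow S1010-S1050
(rule construction, attack-request generation, forwarding, response analysis)
run against two mock server sides.  Assumed, not from the patent: the instrumented
client script reports each logic-judgment node it evaluated as a probe-point
record {param, op, constant}, and the server side is a plain Python callable."""
from typing import Any, Dict

# Constructed probe-point records reported by the instrumented script while the
# client sent a normal transfer request (sample data, not from the patent).
PROBE_POINTS = [
    {"param": "amount", "op": ">", "constant": 0},
    {"param": "amount", "op": "<=", "constant": 50000},
    {"param": "currency", "op": "in", "constant": ["CNY", "USD"]},
]
NORMAL_REQUEST = {"amount": 100, "currency": "CNY"}


def legal_ranges(probe_points):
    """S1010/S1020: analyse the judgment conditions each parameter passed through
    and return its legal value range; numeric bounds are (bound, inclusive)."""
    ranges: Dict[str, Dict[str, Any]] = {}
    for p in probe_points:
        r = ranges.setdefault(p["param"], {})
        op, c = p["op"], p["constant"]
        if op in (">", ">="):
            r["low"] = (c, op == ">=")
        elif op in ("<", "<="):
            r["high"] = (c, op == "<=")
        elif op == "in":
            r["allowed"] = set(c)
        else:
            raise ValueError(f"unsupported judgment operator {op!r}")
    return ranges


def is_legal(ranges, request):
    """True when every parameter satisfies its extracted legal value range."""
    for name, r in ranges.items():
        v = request.get(name)
        if v is None or ("allowed" in r and v not in r["allowed"]):
            return False
        if "low" in r and (v < r["low"][0] or (v == r["low"][0] and not r["low"][1])):
            return False
        if "high" in r and (v > r["high"][0] or (v == r["high"][0] and not r["high"][1])):
            return False
    return True


def attack_requests(ranges, normal_request):
    """S1030: copies of the normal request with one parameter pushed just outside
    its legal range (the bound itself when the bound is exclusive)."""
    out = []
    for name, r in ranges.items():
        illegal = []
        if "low" in r:
            illegal.append(r["low"][0] - 1 if r["low"][1] else r["low"][0])
        if "high" in r:
            illegal.append(r["high"][0] + 1 if r["high"][1] else r["high"][0])
        if "allowed" in r:
            illegal.append("__outside_allowed_set__")  # constructed placeholder
        out.extend({**normal_request, name: v} for v in illegal)
    return out


def server_trusting_client(request):
    """Mock server side relying on the client script's checks alone: the gap
    the method is meant to surface."""
    return {"status": 200, "body": {"result": "accepted", "amount": request["amount"]}}


def server_revalidating(request):
    """Mock server side that re-applies the same judgment rules itself."""
    if not is_legal(legal_ranges(PROBE_POINTS), request):
        return {"status": 400, "body": {"result": "rejected"}}
    return server_trusting_client(request)


def detect(server, probe_points=PROBE_POINTS, normal_request=NORMAL_REQUEST):
    """S1040/S1050: forward the attack requests and compare each response with the
    normal request's response.  Identical handling means the server side did not
    effectively control the out-of-range request, so an alarm record is produced."""
    ranges = legal_ranges(probe_points)
    baseline = server(normal_request)
    alarms = []
    for req in attack_requests(ranges, normal_request):
        resp = server(req)
        if (resp["status"], resp["body"].get("result")) == \
                (baseline["status"], baseline["body"].get("result")):
            alarms.append({"request": req, "status": resp["status"],
                           "message": "server side accepted an out-of-range parameter"})
    return alarms


if __name__ == "__main__":
    for srv in (server_trusting_client, server_revalidating):
        print(srv.__name__, "->", len(detect(srv)), "alarm(s)")
```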
Based on the same inventive concept, an embodiment of the present disclosure further provides a device for detecting a service logic vulnerability, which is described below with reference to Fig. 12.
Fig. 12 schematically illustrates a block diagram of a device 1200 for detecting a service logic vulnerability according to an embodiment of the present disclosure.
As shown in Fig. 12, the device 1200 for detecting a service logic vulnerability includes an identification module 1210, an extraction module 1220, a first determining module 1230, a constructing module 1240 and a second determining module 1250.
Identification module 1210 performs, for example, operation S210 described above with reference to Fig. 2: in response to obtaining the script issued by the server side to the client, it identifies the logic judgment nodes in the script as critical data.
Extraction module 1220 performs, for example, operation S220 described above with reference to Fig. 2: in response to obtaining the service request sent by the client to the server side, it extracts the request parameters from the service request.
First determining module 1230 performs, for example, operation S230 described above with reference to Fig. 2, and is used to process the above request parameters based on the above critical data and determine the legal value range of the request parameters.
Constructing module 1240 performs, for example, operation S240 described above with reference to Fig. 2, and is used to construct, based on the above legal value range, an attack request containing illegal request parameters and to send the attack request to the server side.
Second determining module 1250 performs, for example, operation S250 described above with reference to Fig. 2, and is used to receive the server side's response information for the attack request and determine whether a service logic vulnerability exists according to the response information.
According to embodiments of the present disclosure, any several of identification module 1210, extraction module 1220, first determining module 1230, constructing module 1240 and second determining module 1250 may be combined and implemented in one module, or any one of them may be split into several modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of identification module 1210, extraction module 1220, first determining module 1230, constructing module 1240 and second determining module 1250 may be implemented at least partly as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package or an application specific integrated circuit (ASIC), or by hardware or firmware such as any other reasonable way of integrating or packaging circuits, or by any one of the three implementation forms of software, hardware and firmware, or by an appropriate combination of any several of them. Alternatively, at least one of identification module 1210, extraction module 1220, first determining module 1230, constructing module 1240 and second determining module 1250 may be implemented at least partly as a computer program module which, when run, performs the corresponding function.
Fig. 13 schematically illustrates a block diagram of an electronic device adapted to implement the method described above according to an embodiment of the present disclosure. The electronic device shown in Fig. 13 is only an example and should not impose any limitation on the function and scope of use of the embodiments of the present disclosure.
As shown in Fig. 13, the present invention provides an electronic device 1300 including a processor 1310 and a memory 1320, and the electronic device 1300 can perform the method according to the embodiment of the present invention.
Specifically, processor 1310 may include, for example, a general purpose microprocessor, an instruction set processor and/or a related chipset and/or a special purpose microprocessor (for example, an application specific integrated circuit (ASIC)), and so on. Processor 1310 may also include onboard memory for caching purposes. Processor 1310 may be a single processing unit or multiple processing units for performing the different actions of the method flow according to the embodiment of the present invention.
Memory 1320 may be, for example, any medium that can contain, store, communicate, propagate or transport instructions. For example, a readable storage medium may include, but is not limited to, an electric, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus, device or propagation medium. Specific examples of the readable storage medium include: magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as optical disk (CD-ROM); memories such as random access memory (RAM) or flash memory; and/or wired/wireless communication links.
Memory 1320 may include a computer program 1321, which may include code/computer-executable instructions that, when executed by processor 1310, cause processor 1310 to perform, for example, the method flow of the embodiment of the present invention described above and any variation thereof.
Computer program 1321 may be configured to have computer program code including, for example, computer program modules. For example, in an exemplary embodiment, the code in computer program 1321 may include one or more program modules, for example including module 1321A, module 1321B, .... It should be noted that the division and number of modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, and when these combinations of program modules are executed by processor 1310, processor 1310 performs, for example, the method flow of the embodiment of the present invention described above and any variation thereof.
The present disclosure further provides a computer-readable medium, which may be included in the equipment/device/system described in the above embodiments, or may exist alone without being assembled into that equipment/device/system. The above computer-readable medium carries one or more programs which, when executed, implement the method according to the embodiment of the present application.
According to an embodiment of the present application, the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but is not limited to, an electric, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by or in connection with an instruction execution system, apparatus or device. In the present application, a computer-readable signal medium may include a data signal propagated in a baseband or as part of a carrier wave, in which computer-readable program code is carried. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted by any suitable medium, including but not limited to: wireless, wired, optical cable, radio frequency signals, and the like, or any suitable combination of the above.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for detecting a service logic vulnerability, comprising:
in response to obtaining a script issued by a server side to a client, identifying logic judgment nodes in the script as critical data;
in response to obtaining a service request sent by the client to the server side, extracting request parameters from the service request;
processing the request parameters based on the critical data to determine a legal value range of the request parameters;
based on the legal value range, constructing an attack request containing illegal request parameters, and sending the attack request to the server side; and
receiving response information of the server side for the attack request, and determining whether a service logic vulnerability exists according to the response information.
2. The method according to claim 1, further comprising:
intercepting interaction data between the client and the server side;
identifying, from the interaction data, the script issued by the server side to the client and the service request sent by the client to the server side.
3. The method according to claim 1, further comprising:
performing instrumentation processing on the critical data;
wherein processing the request parameters based on the critical data to determine the legal value range of the request parameters comprises:
obtaining probe-point information from the service request generated on the basis of the instrumented script; and
determining the legal value range of the request parameters based on the probe-point information.
4. The method according to claim 1, wherein obtaining the response information of the server side for the attack request and determining whether a service logic vulnerability exists comprises:
sending the service request to the server side to obtain response information for the service request;
comparing the response information of the attack request with the response information of the service request to determine whether a service logic vulnerability exists;
the method further comprising generating alarm information when a service logic vulnerability exists.
5. A device for detecting a service logic vulnerability, comprising:
an identification module, for identifying, in response to obtaining a script issued by a server side to a client, logic judgment nodes in the script as critical data;
an extraction module, for extracting, in response to obtaining a service request sent by the client to the server side, request parameters from the service request;
a first determining module, for processing the request parameters based on the critical data to determine a legal value range of the request parameters;
a constructing module, for constructing, based on the legal value range, an attack request containing illegal request parameters, and sending the attack request to the server side; and
a second determining module, for receiving response information of the server side for the attack request, and determining whether a service logic vulnerability exists according to the response information.
6. An electronic device, comprising:
a processor; and
a memory having computer-readable instructions stored thereon which, when executed by the processor, cause the processor to perform the method according to any one of claims 1 to 5.
7. A computer-readable storage medium having computer-readable instructions stored thereon which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5.
8. A system for detecting a service logic vulnerability, comprising:
an instrumentation subsystem, for obtaining a script issued by a server side to a client, obtaining a service request sent by the client to the server side, and identifying logic judgment nodes in the script as critical data;
a detection subsystem, for extracting request parameters from the service request, processing the request parameters based on the critical data to determine a legal value range of the request parameters, constructing, based on the legal value range, an attack request containing illegal request parameters, sending the attack request to the server side, receiving response information of the server side for the attack request, and determining whether a service logic vulnerability exists according to the response information.
9. The system according to claim 8, wherein the instrumentation subsystem comprises:
a forward proxy module, for receiving interaction data between the client and the server side, and identifying, from the interaction data, the script issued by the server side to the client and the service request sent by the client;
a code instrumentation module, for obtaining the script, identifying the logic judgment nodes in the script as critical data, and performing instrumentation processing on the critical data;
a data cache module, for caching the instrumented script.
10. The system according to claim 8, wherein the detection subsystem comprises:
a rule construction module, for extracting request parameters from the service request, processing the request parameters based on the critical data to determine a legal value range of the request parameters, and constructing, based on the legal value range, an attack request containing illegal request parameters;
an asynchronous forwarding module, for sending the attack request to the server side;
a data analysis module, for obtaining the attack request and the response information of the server side for the attack request, and generating alarm information when the response information shows that the server side has not effectively controlled the attack request.
CN201910698760.7A 2019-07-30 2019-07-30 Method, device, system, equipment and medium for detecting business logic loophole Active CN110390202B (en)
Publications (2)

Publication Number Publication Date
CN110390202A true CN110390202A (en) 2019-10-29
CN110390202B CN110390202B (en) 2021-06-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant