CN110390202B - Method, device, system, equipment and medium for detecting business logic vulnerability


Info

Publication number: CN110390202B
Application number: CN201910698760.7A
Authority: CN (China)
Prior art keywords: request, server, client, attack, script
Legal status: Active (an assumption by the publishing site, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110390202A
Inventors: 叶红, 旷亚和, 姜城, 刘婉娇
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The present disclosure provides a method for detecting a business logic vulnerability, comprising: in response to obtaining a script issued by the server to the client, identifying a logic judgment node in the script as key data; in response to obtaining a service request sent by the client to the server, extracting request parameters from the service request; processing the request parameters based on the key data, and determining a legal value range of the request parameters; constructing an attack request containing illegal request parameters based on the legal value range, and sending the attack request to the server; and receiving response information of the server to the attack request, and determining whether a business logic vulnerability exists according to the response information. The present disclosure also provides an apparatus for detecting a business logic vulnerability, an electronic device, a computer-readable storage medium, and a system for detecting a business logic vulnerability.

Description

Method, device, system, equipment and medium for detecting business logic vulnerability
Technical Field
The present disclosure relates to the field of automated testing technologies, and in particular, to a method, an apparatus, a system, a device, and a medium for detecting a business logic vulnerability.
Background
In application programs, in order to ensure the security of the business system, almost every system has various verification functions, such as account password verification, verification code verification, key transaction parameter verification, and the like. Validating such user-submitted parameters only at the front end is not secure, and the checks can easily be bypassed by attackers using various methods. For example, in an electronic book shopping transaction, the application requires that a user can browse the corresponding book only after paying. If the paid/unpaid flag is controlled only by front-end scripts, a malicious user can tamper with the front-end verification logic through a browser debugging tool, or tamper with the related parameters in the communication message using a packet-capturing tool, bypass the front-end control, use the service for free, and cause financial loss to the website.
In daily testing, for such scenarios, the service function must be analyzed manually, test data outside the normal service rule range is constructed, and the test data is sent to the server for testing by methods such as front-end code debugging or capturing and tampering with communication messages. Such a test method has at least the following disadvantages:
1. Test points are easily missed. The method relies on the tester, after fully understanding the service function, judging the test points and constructing the test data; traversing all abnormal scenarios this way is prone to omissions.
2. The technical difficulty is high. Whether front-end code debugging or a packet-capturing tool is used to modify the service parameters, the method has a high technical threshold, and ordinary functional testers find it difficult to operate.
3. The testing efficiency is low. Manually debugging code or tampering with communication parameters, modifying and traversing all possible abnormal values, and judging the server's control for each abnormal value involve relatively complex test steps and low efficiency.
Disclosure of Invention
A first aspect of the present disclosure provides a method for detecting a business logic vulnerability, including: in response to obtaining a script issued by the server to the client, identifying a logic judgment node in the script as key data; in response to obtaining a service request sent by the client to the server, extracting request parameters from the service request; processing the request parameters based on the key data, and determining a legal value range of the request parameters; constructing an attack request containing illegal request parameters based on the legal value range, and sending the attack request to the server; and receiving response information of the server to the attack request, and determining whether a business logic vulnerability exists according to the response information.
Optionally, the method further comprises: intercepting interactive data between the client and the server; and identifying, from the interactive data, the script issued by the server to the client and the service request sent by the client to the server.
Optionally, the method further comprises: performing instrumentation on the key data; and processing the request parameters based on the key data and determining the legal value range of the request parameters comprises: acquiring stub point information from a service request generated based on the instrumented script; and determining the legal value range of the request parameters based on the stub point information.
Optionally, obtaining the response information of the server to the attack request and determining whether a business logic vulnerability exists includes: sending the service request to the server to obtain response information for the service request; and comparing the response information of the attack request with the response information of the service request to determine whether a business logic vulnerability exists. The method also comprises generating alarm information when a business logic vulnerability exists.
A second aspect of the present disclosure provides an apparatus for detecting a business logic vulnerability, comprising: an identification module for identifying, in response to obtaining a script issued by the server to the client, a logic judgment node in the script as key data; an extraction module for extracting, in response to obtaining a service request sent by the client to the server, request parameters from the service request; a first determining module for processing the request parameters based on the key data and determining the legal value range of the request parameters; a construction module for constructing an attack request containing illegal request parameters based on the legal value range and sending the attack request to the server; and a second determining module for receiving response information of the server to the attack request and determining whether a business logic vulnerability exists according to the response information.
A third aspect of the present disclosure provides an electronic device, comprising: a processor; and a memory having computer readable instructions stored thereon which, when executed by the processor, cause the processor to perform the above-described method.
A fourth aspect of the present disclosure provides a computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure provides a system for detecting a business logic vulnerability, comprising: an instrumentation subsystem for acquiring a script issued by the server to the client, acquiring a service request sent by the client to the server, and identifying a logic judgment node in the script as key data; and a detection subsystem for extracting request parameters from the service request, processing the request parameters based on the key data, determining a legal value range of the request parameters, constructing an attack request containing illegal request parameters based on the legal value range, sending the attack request to the server, receiving response information of the server to the attack request, and determining whether a business logic vulnerability exists according to the response information.
Optionally, the instrumentation subsystem comprises: a forward proxy module for receiving interactive data between the client and the server, and identifying, from the interactive data, the script issued by the server to the client and the service request sent by the client; a code instrumentation module for acquiring the script, identifying a logic judgment node in the script as key data, and performing instrumentation on the key data; and a data caching module for caching the instrumented script.
Optionally, the detection subsystem comprises: a rule construction module configured to extract request parameters from the service request, process the request parameters based on the key data, determine a legal value range of the request parameters, and construct an attack request including illegal request parameters based on the legal value range; an asynchronous forwarding module for sending the attack request to the server; and a data analysis module for obtaining the attack request and the response information of the server to the attack request, and generating alarm information if the response information shows that the server does not effectively control the attack request.
The method identifies the logic judgment nodes in the script as key data, determines the legal value range of the service request parameters according to the key data, constructs an attack request containing illegal service request parameters, obtains the response information of the server to the attack request, and determines whether a business logic vulnerability exists according to the response information. The test difficulty is effectively reduced, and the test coverage and test efficiency are improved.
Drawings
Fig. 1 schematically illustrates an application scenario diagram of a method for detecting a business logic vulnerability according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method for detecting business logic vulnerabilities according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a block diagram of a system for detecting business logic vulnerabilities, in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a block diagram of an instrumentation subsystem, in accordance with an embodiment of the present disclosure;
FIG. 5 schematically illustrates a block diagram of a forward proxy module according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a code instrumentation module according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a workflow diagram of an instrumentation subsystem according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a detection subsystem according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a rule construction module according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a workflow diagram of a detection subsystem according to an embodiment of the disclosure;
FIG. 11 schematically illustrates a flow diagram of a method for detecting a business logic vulnerability according to another embodiment of the present disclosure;
FIG. 12 schematically illustrates a block diagram of an apparatus for detecting business logic vulnerabilities according to an embodiment of the present disclosure; and
FIG. 13 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
Fig. 1 schematically illustrates an application scenario diagram of a method for detecting a business logic vulnerability according to an embodiment of the present disclosure. Those skilled in the art will appreciate that the illustration in fig. 1 is merely an example of a scenario in which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, and does not imply that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, the application scenario includes a client browser 101, a business logic vulnerability detection system 100, and an application server 104. Information interaction can be performed between the client browser 101 and the business logic vulnerability detection system 100, and between the business logic vulnerability detection system 100 and the application server 104. The business logic vulnerability detection system 100 may include an instrumentation subsystem 102 and a detection subsystem 103. The client browser 101 makes a service request to the application server 104, and the application server 104 transmits a script to the client browser 101 in response to the service request. The instrumentation subsystem 102 analyzes the script issued by the application server to the client browser 101, identifies the key data in the script, and performs instrumentation on the key data. The detection subsystem 103 extracts the request parameters in the service request, determines the legal value range of the request parameters according to the key data, constructs an attack request containing illegal request parameters, sends the attack request to the application server 104, and judges whether a vulnerability exists in the business logic according to the response information of the application server 104 to the attack request.
The client browser 101 is the software used by the service tester to access the application server 104. It is installed on terminal equipment (such as a terminal server) operated by the service tester. Before the test starts, a browser proxy address is configured so that the service request is forwarded to the business logic vulnerability detection system 100, which can then process the service request.
The business logic vulnerability detection system 100 is configured to receive the service request sent by the service tester to the application server 104 through the client browser 101 and the script with which the application server 104 responds to the service request, extract the request parameters in the service request and the key data in the script, and determine the legal value range of the request parameters according to the key data. An attack request containing illegal request parameters is constructed and sent to the application server 104.
The response information of the application server 104 to the attack request is observed at the client browser 101, and whether the current business logic has a vulnerability is judged according to the response information.
It should be noted that the method for detecting a business logic vulnerability described below with reference to fig. 2 and 3 may be performed by the business logic vulnerability detection system 100, for example, and accordingly, the apparatus for detecting a business logic vulnerability described below with reference to fig. 12 may be generally disposed in the business logic vulnerability detection system 100.
It should be understood that the number of individual client browsers and application servers in FIG. 1 is merely illustrative. There may be any number of client browsers and application servers, as desired for implementation.
Fig. 2 schematically shows a flowchart of a method for detecting a business logic vulnerability according to an embodiment of the present disclosure.
As shown in fig. 2, the method may include operations S210 to S250.
In operation S210, in response to obtaining a script that is issued by the server to the client, a logic determination node in the script is identified as key data.
In operation S220, in response to obtaining a service request sent by a client to a server, request parameters are extracted from the service request.
In operation S230, the request parameter is processed based on the key data, and a legal value range of the request parameter is determined.
In operation S240, an attack request including the illegal request parameters is constructed based on the legal value range, and the attack request is sent to the server.
In operation S250, response information of the server for the attack request is received, and whether a service logic vulnerability exists is determined according to the response information.
The method of the embodiment of the disclosure identifies the logic judgment nodes in the script as key data, determines the legal value range of the service request parameters according to the key data, constructs an attack request containing illegal service request parameters, obtains the response information of the server to the attack request, and determines whether a business logic vulnerability exists according to the response information.
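Operations S210 to S250 as a runnable model, written as an added example for this page and not taken from the patent: a constructed front-end script is scanned for its rejection conditions (the logic judgment nodes), each parameter's legal range is derived from them, boundary values just outside that range are substituted into the normal request one parameter at a time, and the responses are compared with the baseline. The server side is stood in for by two hypothetical Python callables, one that trusts the front-end checks and one that re-validates.

```python
"""Added example of the S210-S250 pipeline (not the patent's own code).

Assumptions: the front-end script contains checks of the form
`if (<obj>.<param> <op> <number>) { ... return false; }`, the service
request is a flat dict of numeric parameters, and the server is a Python
callable returning a dict, standing in for the HTTP round trip.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed front-end script: every `if` that returns false is a
# logic judgment node in the sense of S210.
FRONTEND_SCRIPT = """
function checkOrder(form) {
  if (form.amount <= 0) { alert('bad amount'); return false; }
  if (form.amount > 5000) { alert('over limit'); return false; }
  if (form.paid != 1) { alert('not paid'); return false; }
  return true;
}
"""

# A node is one rejection condition: (parameter, operator, constant).
Node = Tuple[str, str, float]
_NODE_RE = re.compile(
    r"if\s*\(\s*\w+\.(\w+)\s*(<=|>=|==|!=|<|>)\s*(-?\d+(?:\.\d+)?)\s*\)"
    r"\s*\{[^}]*return\s+false"
)


def extract_judgment_nodes(script: str) -> List[Node]:
    """S210: identify the logic judgment nodes (rejection conditions)."""
    return [(p, op, float(v)) for p, op, v in _NODE_RE.findall(script)]


def _rejected(op: str, x: float, v: float) -> bool:
    return {"<": x < v, "<=": x <= v, ">": x > v, ">=": x >= v,
            "==": x == v, "!=": x != v}[op]


def is_legal(nodes: List[Node], param: str, x: float) -> bool:
    """S230: a value is legal iff no rejection condition on it fires."""
    return not any(_rejected(op, x, v) for p, op, v in nodes if p == param)


def illegal_values(nodes: List[Node], param: str) -> List[float]:
    """S240: boundary candidates just outside the legal range."""
    out: List[float] = []
    for p, op, v in nodes:
        if p != param:
            continue
        # Probe the constant itself, its neighbours and zero; keep only
        # values the front end would reject (deduplicated, in order).
        for cand in (v, v - 1, v + 1, 0.0):
            if not is_legal(nodes, param, cand) and cand not in out:
                out.append(cand)
    return out


def build_attack_requests(request: Dict[str, float],
                          nodes: List[Node]) -> List[Dict[str, float]]:
    """S240: one attack request per illegal value, one parameter mutated."""
    attacks = []
    for param in request:
        for bad in illegal_values(nodes, param):
            mutated = dict(request)
            mutated[param] = bad
            attacks.append(mutated)
    return attacks


Server = Callable[[Dict[str, float]], Dict[str, object]]


def detect(server: Server, request: Dict[str, float],
           script: str) -> List[Dict[str, float]]:
    """S250: an attack request that draws the same response as the normal
    request was not controlled server-side; each such request is a finding."""
    nodes = extract_judgment_nodes(script)
    baseline = server(request)
    return [a for a in build_attack_requests(request, nodes)
            if server(a) == baseline]


# Two constructed stand-in servers (hypothetical, not real endpoints).
def vulnerable_server(req: Dict[str, float]) -> Dict[str, object]:
    # Trusts the front-end checks entirely.
    return {"status": 200, "body": "book unlocked"}


def hardened_server(req: Dict[str, float]) -> Dict[str, object]:
    # Re-validates the same rules the front end applies.
    if req["amount"] <= 0 or req["amount"] > 5000 or req["paid"] != 1:
        return {"status": 400, "body": "rejected"}
    return {"status": 200, "body": "book unlocked"}


if __name__ == "__main__":
    normal = {"amount": 19.9, "paid": 1.0}
    print("vulnerable:", detect(vulnerable_server, normal, FRONTEND_SCRIPT))
    print("hardened:", detect(hardened_server, normal, FRONTEND_SCRIPT))
```

Against the vulnerable stand-in every out-of-range request succeeds exactly like the normal one and is reported; against the hardened stand-in the list of findings is empty.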
The above method is explained below with reference to the embodiments illustrated in fig. 3 to 10.
Fig. 3 schematically illustrates a block diagram of a system 300 for detecting business logic vulnerabilities according to an embodiment of the present disclosure. For example, the business logic vulnerability detection system 100 in fig. 1 may be implemented as the system 300 for detecting business logic vulnerabilities.
Referring to fig. 3, the system 300 may include an instrumentation subsystem 310 and a detection subsystem 320.
The instrumentation subsystem 310 is configured to obtain a script issued by the server to the client, obtain a service request sent by the client to the server, and identify a logic determination node in the script as key data.
The detection subsystem 320 is configured to extract a request parameter from the service request, process the request parameter based on the key data, determine a legal value range of the request parameter, construct an attack request including an illegal request parameter based on the legal value range, send the attack request to the server, receive response information of the server for the attack request, and determine whether a service logic vulnerability exists according to the response information.
The following describes the instrumentation subsystem and the detection subsystem with reference to fig. 4 to 10.
Fig. 4 schematically illustrates a block diagram of an instrumentation subsystem 400 according to an embodiment of the present disclosure. For example, the instrumentation subsystem 102 of fig. 1 and the instrumentation subsystem 310 of fig. 3 may be implemented as the instrumentation subsystem 400.
Referring to fig. 4, the instrumentation subsystem 400 may include a forward proxy module 410, a code instrumentation module 420, and a data cache module 430.
The forward proxy module 410 is configured to intercept interactive data between the client and the server, and identify a script issued by the server to the client and a service request sent by the client to the server from the interactive data. For example, interactive data between the client and the server is received, and a script issued by the server to the client and a service request uploaded by the client are identified from the interactive data. For example, fig. 5 schematically illustrates a block diagram of a forward proxy module 500 according to an embodiment of the disclosure.
Referring to fig. 5, the forward proxy module 500 may include a traffic transceiving unit 510, a traffic analyzing unit 520, and a traffic forwarding processing unit 530.
For example, the traffic transceiving unit 510 is configured to intercept and forward the interactive data between the client and the server, and to forward the interactive data to the traffic analyzing unit 520, so that the traffic analyzing unit 520 analyzes the interactive data, screens out the script sent by the server to the client and the service request sent by the client to the server, and sends the script and the service request to the traffic forwarding processing unit 530. The traffic forwarding processing unit 530 sends the script to the code instrumentation module and the service request to the detection subsystem.
The code instrumentation module 420 is configured to obtain the script, identify a logic judgment node in the script as key data, and perform instrumentation on the key data. The code instrumentation module receives the script sent by the forward proxy module and instruments it, and the instrumented script is then cached by the data caching module.
For example, fig. 6 schematically illustrates a block diagram of a code instrumentation module 600 according to an embodiment of the disclosure.
Referring to fig. 6, the code instrumentation module 600 may include a semantic analysis unit 610 and a stub point insertion unit 620.
The semantic analysis unit 610 analyzes the semantic information in the script, screens out the logic judgment nodes and rule judgment functions in the script, such as the key functions in the script, and takes the logic judgment nodes and rule judgment functions as key data. The stub point insertion unit 620 instruments the key data so that the code processing path corresponding to the service request can be tracked subsequently.
The data caching module 430 is used for caching the instrumented scripts.
Referring next to fig. 7, fig. 7 describes in detail an exemplary implementation of the instrumentation subsystem of an embodiment of the present disclosure in conjunction with the functional modules of fig. 4.
Fig. 7 schematically illustrates a workflow diagram of an instrumentation subsystem according to an embodiment of the present disclosure.
The normal interaction data is forwarded to the forward proxy module 410 in operation S710. For example, after the service tester configures the proxy address on the client browser, the forward proxy module 410 intercepts and forwards the interactive data between the client and the server.
In operation S720, the forward proxy module 410 analyzes the interactive data, screens out the script sent by the server to the client and the service request sent by the client to the server, sends the script to the code instrumentation module, and sends the service request to the detection subsystem.
In operation S730, the code instrumentation module 420 performs semantic analysis on the script, marks the logic judgment nodes and jump nodes in the script, instruments the functions corresponding to those nodes, and marks the instrumented positions to generate corresponding stub point information, so as to facilitate subsequent tracing of the code execution flow.
In operation S740, the data caching module 430 caches the instrumented script and the stub point information. They may also be sent to the service tester.
Fig. 8 schematically illustrates a block diagram of a detection subsystem 800 according to an embodiment of the present disclosure. For example, detection subsystem 103 of FIG. 1 and detection subsystem 320 of FIG. 3 may be implemented as detection subsystem 800.
Referring to fig. 8, the detection subsystem 800 may include a rule construction module 810, an asynchronous forwarding module 820, and a data analysis module 830.
The rule construction module 810 receives the service request sent by the forward proxy module, analyzes the front-end processing logic of the service request parameters, extracts the parameter verification rules, determines the legal value range of the service request parameters, constructs an attack request containing illegal request parameters, and sends the attack request to the asynchronous forwarding module 820. The asynchronous forwarding module 820 sends the attack request to the server. The server responds to the attack request, and the response message reaches the data analysis module 830. The data analysis module 830 analyzes the response information and determines whether the server has effectively controlled the business logic; if it has not, alarm information is generated.
The rule construction module 810 is configured to extract request parameters from the service request, where the service request is generated based on the instrumented script, extract stub point information from the service request, determine the legal value range of the request parameters based on the stub point information, and construct an attack request containing illegal request parameters based on the legal value range.
For example, fig. 9 schematically illustrates a block diagram of a rule construction module 900 according to an embodiment of the disclosure.
Referring to fig. 9, the rule construction module 900 may include an execution flow analysis unit 910, a syntax analysis unit 920, and an attack vector generation unit 930.
The execution flow analysis unit 910 receives and analyzes the service request, extracts the request parameters and stub point information from it, compares them against the instrumented script cached by the data caching module of the instrumentation subsystem to obtain the code execution flow corresponding to each service request parameter, and sends the code execution flow to the syntax analysis unit 920. The syntax analysis unit 920 performs syntax analysis on the logic judgment functions corresponding to the stub point information passed by each service request parameter, to obtain the legal value range corresponding to the normal service request. The legal value range is sent to the attack vector generation unit 930, which constructs service requests outside the legal value range to form attack requests and sends them to the asynchronous forwarding module of the detection subsystem.
The asynchronous forwarding module 820 is used to send the attack request to the server. For example, the asynchronous forwarding module 820 receives the multiple attack requests and then sends the attack requests to the server. The server generates response information in response to the attack request and sends it to the asynchronous forwarding module 820. The asynchronous forwarding module 820 sends the response information to the data analysis module 830.
The data analysis module 830 is configured to send the service request to the server to obtain response information for the service request, and to compare the response information of the attack request with the response information of the service request to determine whether a service logic vulnerability exists. For example, the data analysis module 830 obtains the attack request and the server's response information for it, compares that response information with the response information for the normal service request, and thereby determines whether the server effectively controlled the attack request. If an abnormality is detected, it generates alarm information and sends it to the client, and the service tester can take further action according to the alarm information.
Referring next to fig. 10, fig. 10 describes in detail an exemplary implementation of the detection subsystem of the embodiment of the present disclosure in conjunction with the functional modules in fig. 8.
FIG. 10 schematically illustrates a workflow diagram of a detection subsystem according to an embodiment of the disclosure.
In operation S1010, the rule construction module 810 receives the service request, and analyzes a code execution flow of the service request parameter.
In operation S1020, the rule constructing module 810 performs syntax analysis on the logic determining function passed by each service request parameter to obtain a legal value range corresponding to the normal service request.
In operation S1030, the rule construction module 810 constructs a service request outside the legal value range, and composes an attack request.
In operation S1040, the asynchronous forwarding module 820 sends the attack request to the server.
In operation S1050, the data analysis module 830 obtains the attack request and response information of the server for the attack request, and if the response information indicates that the server does not perform effective control on the attack request, generates alarm information and sends the alarm information to the client.
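As an added example (not the patent's own code), the S1010 to S1050 flow modelled in Python against two constructed in-process stand-ins for the server: one that relies on the client-side check alone and one that repeats the check server-side. It assumes the client script expresses its logic judgments with the `if (p < LO || p > HI)` rejection idiom and that responses carry a `status` field; the script, the service request and both server handlers are constructed here.

```python
import re
from dataclasses import dataclass

# Constructed sample: a client script as the server would issue it, with the
# two rejection conditions the instrumentation step would mark as key data.
CLIENT_SCRIPT = """
function validate(form) {
  var amount = Number(form.amount);
  if (amount < 1 || amount > 5000) { return false; }
  var qty = Number(form.qty);
  if (qty <= 0 || qty > 10) { return false; }
  return true;
}
"""

# Constructed normal service request as captured by the forward proxy.
SERVICE_REQUEST = {"amount": 100, "qty": 2}

# Matches the rejection idiom `if (p < LO || p > HI)` (and the <=, >= variants).
REJECT_IF = re.compile(
    r"if\s*\(\s*(\w+)\s*(<=?)\s*(-?\d+)\s*\|\|\s*\1\s*(>=?)\s*(-?\d+)\s*\)")


@dataclass(frozen=True)
class LegalRange:
    low: int   # smallest value the client-side check accepts
    high: int  # largest value the client-side check accepts


def extract_legal_ranges(script):
    """S1020: syntax analysis of each logic judgment -> legal range per parameter."""
    ranges = {}
    for name, low_op, lo, high_op, hi in REJECT_IF.findall(script):
        lo, hi = int(lo), int(hi)
        low = lo + 1 if low_op == "<=" else lo     # `p <= lo` rejects lo itself
        high = hi - 1 if high_op == ">=" else hi   # `p >= hi` rejects hi itself
        ranges[name] = LegalRange(low, high)
    return ranges


def build_attack_requests(service_request, ranges):
    """S1030: copy the normal request and push one parameter just past each boundary."""
    attacks = []
    for name, rng in ranges.items():
        if name not in service_request:
            continue
        for illegal in (rng.low - 1, rng.high + 1):
            request = dict(service_request)
            request[name] = illegal
            attacks.append((name, illegal, request))
    return attacks


def server_trusting_client(request):
    """Constructed stand-in: relies on the client check alone, accepts anything."""
    return {"status": "ok", "order": f"{request['qty']} x {request['amount']}"}


def server_revalidating(request):
    """Constructed stand-in: repeats the client-side range checks on the server."""
    if not (1 <= request["amount"] <= 5000 and 1 <= request["qty"] <= 10):
        return {"status": "rejected", "reason": "parameter out of range"}
    return {"status": "ok", "order": f"{request['qty']} x {request['amount']}"}


def analyze(server, service_request, attacks):
    """S1040/S1050: forward each attack request and compare its response with the
    normal request's response; the same outcome means the server did not control it."""
    normal_status = server(service_request)["status"]
    alarms = []
    for name, illegal, request in attacks:
        if server(request)["status"] == normal_status:
            alarms.append(f"{name}={illegal} accepted like a legal value")
    return alarms


def run_detection(server, script=CLIENT_SCRIPT, service_request=SERVICE_REQUEST):
    """Whole S1010-S1050 pipeline for one server; returns the alarm list."""
    ranges = extract_legal_ranges(script)
    return analyze(server, service_request, build_attack_requests(service_request, ranges))


if __name__ == "__main__":
    print("trusting server:", run_detection(server_trusting_client))
    print("revalidating server:", run_detection(server_revalidating))
```

The trusting server raises one alarm per boundary probe, while the revalidating server raises none, which is the difference the data analysis module is built to surface.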
Fig. 11 schematically shows a flowchart of a method for detecting a business logic vulnerability according to another embodiment of the present disclosure.
In operation S1110, the instrumentation subsystem 310 obtains a script issued by the server to the client, obtains a service request sent by the client to the server, and identifies a logical judgment node in the script as key data.
In operation S1120, the detection subsystem 320 is configured to extract a request parameter from the service request, process the request parameter based on the key data, determine a legal value range of the request parameter, construct an attack request including an illegal request parameter based on the legal value range, send the attack request to the server, receive response information of the server for the attack request, and determine whether a service logic vulnerability exists according to the response information.
Based on the same inventive concept, the embodiment of the present disclosure further provides a device for detecting a business logic vulnerability, and the device for detecting a business logic vulnerability of the embodiment of the present disclosure is described below with reference to fig. 12.
Fig. 12 schematically illustrates a block diagram of an apparatus 1200 for detecting a business logic vulnerability according to an embodiment of the present disclosure.
As shown in fig. 12, the apparatus 1200 for detecting a business logic vulnerability includes an identification module 1210, an extraction module 1220, a first determination module 1230, a construction module 1240, and a second determination module 1250.
The identifying module 1210 performs, for example, the operation S210 described with reference to fig. 2 above, and is configured to identify, in response to obtaining a script issued by the server to the client, a logic determination node in the script as key data.
The extracting module 1220 performs, for example, the operation S220 described with reference to fig. 2 above, and is configured to extract the request parameter from the service request in response to obtaining the service request sent by the client to the server.
The first determining module 1230, for example, performs the operation S230 described with reference to fig. 2, and is configured to process the request parameter based on the key data, and determine a legal value range of the request parameter.
The constructing module 1240, for example, executes the operation S240 described with reference to fig. 2 above, and is configured to construct an attack request including the illegal request parameters based on the legal value range, and send the attack request to the server.
The second determining module 1250 executes, for example, the operation S250 described with reference to fig. 2 above, and is configured to receive response information of the server for the attack request, and determine whether a service logic vulnerability exists according to the response information.
According to an embodiment of the present disclosure, a plurality of the identifying module 1210, the extracting module 1220, the first determining module 1230, the constructing module 1240 and the second determining module 1250 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the identifying module 1210, the extracting module 1220, the first determining module 1230, the constructing module 1240 and the second determining module 1250 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware and firmware, or in any suitable combination of any of them. Alternatively, at least one of the identifying module 1210, the extracting module 1220, the first determining module 1230, the constructing module 1240 and the second determining module 1250 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
Fig. 13 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 13 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 13, the present invention provides an electronic device 1300 comprising a processor 1310 and a memory 1320, wherein the electronic device 1300 can execute the method according to the embodiment of the present invention.
In particular, processor 1310 may include, for example, a general purpose microprocessor, an instruction set processor and/or an associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 1310 may also include onboard memory for caching purposes. Processor 1310 may be a single processing unit or a plurality of processing units for performing different acts of a method flow according to embodiments of the present invention.
The memory 1320 may, for example, be any medium capable of containing, storing, transmitting or propagating instructions. For example, a readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. Specific examples of the readable storage medium include: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and/or wired/wireless communication links.
Memory 1320 may include a computer program 1321, which computer program 1321 may include code/computer-executable instructions that, when executed by processor 1310, cause processor 1310 to perform, for example, the method flows of the embodiments of the invention above and any variations thereof.
The computer program 1321 may be configured with computer program code, for example comprising computer program modules. For example, in an example embodiment, the code in computer program 1321 may include one or more program modules, for example modules 1321A, 1321B, and so on. It should be noted that the division and number of modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, which, when executed by the processor 1310, enable the processor 1310 to execute, for example, the method flows described above in connection with the embodiments of the present invention and any variations thereof.
The present disclosure also provides a computer-readable medium, which may be embodied in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer readable medium carries one or more programs which, when executed, implement the method according to an embodiment of the present application.
According to embodiments of the present application, a computer readable medium may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, optical fiber cable, radio frequency signals, etc., or any suitable combination of the foregoing.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A method for detecting business logic vulnerabilities, comprising:
in response to the acquisition of a script issued to the client by the server, identifying a logic judgment node in the script as key data;
in response to obtaining a service request sent by a client to the server, extracting request parameters from the service request;
processing the request parameter based on the key data, and determining a legal value range of the request parameter;
based on the legal value range, constructing an attack request containing illegal request parameters, and sending the attack request to the server, wherein the illegal request parameters comprise request parameters outside the legal value range; and
receiving response information of the server for the attack request, and determining whether a business logic vulnerability exists according to the response information;
wherein the method further comprises:
intercepting interactive data between the client and the server; and
identifying, from the interactive data, the script issued to the client by the server and the service request sent to the server by the client.
2. The method of claim 1, further comprising:
performing instrumentation processing on the key data;
processing the request parameter based on the key data, and determining a legal value range of the request parameter comprises:
acquiring stub point information from a service request generated based on the instrumented script; and
determining the legal value range of the request parameter based on the stub point information.
3. The method of claim 1, wherein the receiving response information of the server for the attack request and the determining whether a service logic vulnerability exists comprise:
sending the service request to the server to obtain response information aiming at the service request;
comparing the response information of the attack request with the response information of the service request so as to determine whether a service logic vulnerability exists;
the method also comprises the step of generating alarm information under the condition that the business logic loophole exists.
4. An apparatus for detecting business logic vulnerabilities, comprising:
the identification module is used for responding to a script which is issued to the client by the server and identifying a logic judgment node in the script as key data;
the extraction module is used for responding to a service request sent to the server by a client, and extracting request parameters from the service request;
the first determining module is used for processing the request parameter based on the key data and determining the legal value range of the request parameter;
the construction module is used for constructing an attack request containing illegal request parameters based on the legal value range and sending the attack request to the server, wherein the illegal request parameters comprise request parameters outside the legal value range; and
the second determining module is used for receiving response information of the server side aiming at the attack request and determining whether a business logic vulnerability exists according to the response information;
the device further comprises:
intercepting interactive data between the client and the server; and
identifying, from the interactive data, the script issued to the client by the server and the service request sent to the server by the client.
5. An electronic device, comprising:
a processor; and
a memory having computer-readable instructions stored thereon that, when executed by the processor, cause the processor to perform the method of any of claims 1-3.
6. A computer readable storage medium having computer readable instructions stored thereon which, when executed by a processor, cause the processor to perform the method of any of claims 1 to 3.
7. A system for detecting business logic vulnerabilities, comprising:
the instrumentation subsystem is used for acquiring a script issued by a server to a client, acquiring a service request sent by the client to the server and identifying a logic judgment node in the script as key data;
the detection subsystem is used for extracting request parameters from the service request, processing the request parameters based on the key data, determining a legal value range of the request parameters, constructing an attack request containing illegal request parameters based on the legal value range, sending the attack request to the server, receiving response information of the server aiming at the attack request, and determining whether a service logic vulnerability exists according to the response information, wherein the illegal request parameters comprise the request parameters outside the legal value range;
wherein the instrumentation subsystem comprises:
a forward proxy module used for receiving the interactive data of the client and the server, and identifying, from the interactive data, the script issued to the client by the server and the service request uploaded by the client.
8. The system of claim 7, wherein the instrumentation subsystem further comprises:
a code instrumentation module used for acquiring the script, identifying a logic judgment node in the script as key data, and performing instrumentation processing on the key data; and
a data caching module used for caching the script subjected to the instrumentation processing.
9. The system of claim 7, wherein the detection subsystem comprises:
a rule construction module, configured to extract a request parameter from the service request, process the request parameter based on the key data, determine a legal value range of the request parameter, and construct an attack request including an illegal request parameter based on the legal value range;
an asynchronous forwarding module used for sending the attack request to the server; and
a data analysis module used for obtaining the attack request and the response information of the server for the attack request, and generating alarm information if the response information shows that the server did not effectively control the attack request.
CN201910698760.7A 2019-07-30 2019-07-30 Method, device, system, equipment and medium for detecting business logic loophole Active CN110390202B (en)

Publications (2)

Publication Number Publication Date
CN110390202A CN110390202A (en) 2019-10-29
CN110390202B true CN110390202B (en) 2021-06-18



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant