Disclosure of Invention
The invention aims to solve the above technical problems by providing a method for dynamically detecting horizontal override (horizontal privilege escalation) based on an IAST test tool, which can accurately locate horizontal override vulnerabilities in an application program.
Another object of the present invention is to provide a system for dynamically detecting horizontal override based on an IAST test tool, which can likewise accurately locate horizontal override vulnerabilities in an application.
To achieve this aim, the invention discloses a method for dynamically detecting horizontal override based on an IAST test tool, comprising the following steps:
S1) inserting detection code at the junction between the user code and the database in the application program under test, using an IAST test tool and instrumentation, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned;
S2) binding each user request to its corresponding request permission;
S3) when a user request is sent to the server side for execution, obtaining and storing all SQL statements executed under that request by means of step S1;
S4) parsing the SQL statements obtained in step S3;
S5) performing a weighted calculation on the data generated in step S4 and generating a detection model;
S6) monitoring the user request flow in real time;
S7) performing permission verification on each request sent by a user, using the detection model, to judge whether the statements executed by the request exhibit a horizontal override problem.
Compared with the prior art, the method for dynamically detecting horizontal override based on an IAST test tool has the following advantages. When a user starts the application program under test, the IAST test tool is started at the same time, and the parts of the user code that interact with the database are marked by instrumentation, so that all SQL statements executed under a user request are monitored. The mapping between each user request and its permission is then obtained, and all SQL statements executed for the request are stored in a database together with the permission value of the request. After the SQL statements are parsed, a detection model is created by an algorithm, and the monitored user requests are then checked for horizontal override problems in real time by that model. By combining the analysis of the database resources referenced by the SQL statements with the detection model, the detection software is inserted deep into the code of the application program, and horizontal override vulnerabilities can be located more accurately.
Preferably, the request permission binding of step S2 specifically comprises:
S20) binding each user name recorded in the application program under test to the permission corresponding to that user name;
S21) monitoring user login requests, and acquiring the login user name and the identity authentication token associated with it;
S22) binding the identity authentication token acquired in step S21 to the corresponding permission;
S23) marking each request in the application with its permission value.
Preferably, the identity authentication token is based on a cookie or on a token.
Preferably, the method for dynamically detecting horizontal override based on an IAST test tool further comprises the step of optimizing the detection model according to the user requests and the verification results of the detection model.
The invention also discloses a system for dynamically detecting horizontal override based on an IAST test tool, comprising a data tracking module, a request permission generating module, an SQL interaction statement collecting module, an SQL parsing module, a detection model establishing module, a request flow acquiring module and a verification module. The data tracking module inserts detection code at the junction between the user code of the application program under test and the database, using an IAST test tool and instrumentation, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned. The request permission generating module binds each user request to its corresponding request permission, generating the request permission of each user request. The SQL interaction statement collecting module acquires and stores, through the data tracking module, all SQL statements executed under a request when that user request is sent to the server for execution. The SQL parsing module parses the SQL statements acquired by the SQL interaction statement collecting module. The detection model establishing module performs a weighted calculation on the data generated by the SQL parsing module and generates a detection model. The request flow acquiring module monitors and acquires the user request flow in real time. The verification module performs permission verification on the user requests acquired by the request flow acquiring module, using the detection model, to judge whether the statements executed by a request exhibit a horizontal override problem.
Preferably, the request permission generating module specifically comprises a permission binding module, a request monitoring module, an identity authentication module and a request marking module. The permission binding module binds each user name recorded in the application program under test to the permission corresponding to that user name; the request monitoring module monitors user login requests and acquires the login user name and the identity authentication token associated with it; the identity authentication module binds the identity authentication token acquired by the request monitoring module to the corresponding permission; the request marking module marks each request in the application program with its permission value.
Preferably, the identity authentication token is based on a cookie or on a token.
Preferably, the system for dynamically detecting horizontal override based on an IAST test tool further comprises a detection model optimization module, which optimizes the detection model according to the user requests and the verification results of the detection model.
The invention also discloses a system for dynamically detecting horizontal override based on the IAST test tool, which comprises:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the method for dynamically detecting horizontal override based on an IAST test tool as described above.
The present invention also discloses a computer readable storage medium comprising a computer program for testing, the computer program being executable by a processor to perform the method for dynamically detecting horizontal override based on an IAST test tool as described above.
Detailed Description
In order to explain the technical content, structural features, implementation principles, objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings and in combination with the embodiments.
As shown in FIG. 1, the invention discloses a method for dynamically detecting horizontal override based on an IAST test tool, comprising the following steps:
S1) inserting detection code at the junction between the user code and the database in the application program under test, using an IAST test tool and instrumentation, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned. In this step, code is inserted at the junction between the user program and the database according to the IAST technique; when the user program and the IAST program are started together, all code and data interacting with the database are captured, so the SQL statements exchanged between the user application program and the database can be obtained. Here "user code" is distinguished from the framework code in the application program, that is, it is the code developed by the user: framework code has generally been tested technically and over time, its structure is mature and vulnerabilities rarely occur in it, so for the user only the code developed by the user needs to be detected;
S2) binding each user request to its corresponding request permission, thereby obtaining the mapping between requests and permissions;
S3) when a user request is sent to the server side for execution, obtaining all SQL statements executed under that request by means of step S1 and storing them in the database;
S4) parsing the SQL statements obtained in step S3 and performing a corresponding weighted calculation on the database, table, fields and field values to obtain weighted results;
S5) performing a weighted calculation on the data generated in step S4 and generating a detection model. Specifically, a learning model is created from the data obtained in step S4 using the naive Bayes algorithm (a supervised learning algorithm): the learning model takes the basic data obtained in step S4 as input, the learning result is compared with the actual request data, the learning model is adjusted accordingly, and the adjusted model learns the data of step S4 again as input, until the accuracy with which the model verifies the SQL statements of a request reaches a preset threshold. The model can then judge more accurately whether an SQL statement has an override problem, and at that point the learning model can be used as the detection model for verifying the request statements to be detected;
S6) monitoring the user request flow in real time;
S7) performing permission verification on each request sent by a user, using the detection model, to judge whether the statements executed by the request exhibit a horizontal override problem.
Through this detection process, which combines the analysis of the database resources referenced by the SQL statements with the detection model, the detection software is inserted deep into the code of the application program, and horizontal override vulnerabilities can be located more accurately.
Preferably, as shown in FIG. 2, the request permission binding of step S2 specifically comprises:
S20) binding each user name recorded in the application program under test to the permission corresponding to that user name, for example zhangsan = userA and lisi = userB;
S21) monitoring user login requests, and acquiring the login user name and the identity authentication token associated with it. The authentication information may be based on a cookie or on a token: the identity authentication token is based on a cookie when the server is a web application, and on token information bound to the user name when it is not. A non-web application here means one in which the client and server communicate over a protocol other than HTTP, for example raw TCP, the Dubbo protocol or the SOFA protocol. This embodiment takes a web application as the example: when a user sends a login request, the user name is dynamically bound to the cookie, for example zhangsan = cookie A and lisi = cookie B;
S22) binding the identity authentication token obtained in step S21 to the corresponding permission, for example cookie A = userA and cookie B = userB;
S23) marking each request in the application program with a permission value, thereby binding the request to the permission, for example request Q (cookie A) → userA and request P (cookie B) → userB.
When detecting horizontal override, the same request is replayed for different users at the same permission level, and whether a horizontal override has occurred is judged from the operation results (for example, request Q of step S23 is judged after it has been accessed by both userA and userB).
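As an added worked example that is not part of the patent's disclosure, the pieces described so far (instrumentation at the code/database junction in S1, the binding chain of S20 to S23, and the same-request replay of this paragraph) in a constructed Python mini-application. sqlite3's statement trace callback stands in for the IAST probe; the user names, permission values and cookie names follow the page's example, while the schema, the order-lookup handler and the mapping of both permission values to one level are assumptions.

```python
"""Added example, not the patent's code: instrumented DB boundary (S1),
request/permission binding (S20-S23) and the same-level replay check."""
import sqlite3

# Constructed sample schema: two users at the same level each own one order.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, item TEXT NOT NULL);
INSERT INTO orders VALUES (1, 'zhangsan', 'keyboard');
INSERT INTO orders VALUES (2, 'lisi', 'monitor');
"""

# Step S20: user name -> permission value (the page's example binding).
USER_PERMISSION = {"zhangsan": "userA", "lisi": "userB"}
# Assumed: both permission values sit at the same level, so an access across
# them is horizontal rather than vertical.
PERMISSION_LEVEL = {"userA": "user", "userB": "user"}


class InstrumentedDb:
    """Step S1: hook the point where user code meets the database. sqlite3's
    trace callback runs once for every statement the connection executes and
    plays the role of the probe an IAST agent inserts at the driver layer."""

    def __init__(self, schema_sql):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(schema_sql)
        self.captured = []            # (request id, executed SQL text)
        self.current_request = None
        self.conn.set_trace_callback(self._record)   # probe armed after setup

    def _record(self, statement):
        self.captured.append((self.current_request, statement))

    def query(self, request_id, sql, params=()):
        self.current_request = request_id
        return self.conn.execute(sql, params).fetchall()


class PermissionBinder:
    """Steps S21 to S23: login yields (user name, cookie); the cookie is bound
    to the user's permission so every later request can be tagged with it."""

    def __init__(self):
        self.cookie_to_user = {}
        self.cookie_to_permission = {}

    def on_login(self, username, cookie):
        self.cookie_to_user[cookie] = username                         # S21
        self.cookie_to_permission[cookie] = USER_PERMISSION[username]  # S22

    def permission_of(self, cookie):                                   # S23
        return self.cookie_to_permission[cookie]


def handle_get_order(db, binder, request_id, cookie, order_id, scoped):
    """Assumed application handler for request Q, 'get order by id'.
    scoped=False is the vulnerable form: the row is selected by id only, so any
    logged-in user can read any order. scoped=True also filters by owner."""
    user = binder.cookie_to_user[cookie]
    if scoped:
        return db.query(request_id,
                        "SELECT id, owner, item FROM orders WHERE id = ? AND owner = ?",
                        (order_id, user))
    return db.query(request_id,
                    "SELECT id, owner, item FROM orders WHERE id = ?", (order_id,))


def detect_horizontal_override(db, binder, order_id, cookies, scoped):
    """Replay the same request for several users at the same permission level
    and compare the operation results. If an identical record is returned to
    different users, the request is not scoped to the requester, i.e. a
    horizontal override. Returns (flagged, shared records)."""
    levels = {PERMISSION_LEVEL[binder.permission_of(c)] for c in cookies}
    if len(levels) != 1:
        raise ValueError("replay must use users at the same permission level")
    results = [set(handle_get_order(db, binder, "Q(%s)" % c, c, order_id, scoped))
               for c in cookies]
    shared = set.intersection(*results)
    return bool(shared), shared


def run_demo():
    """Wire the pieces together and return a summary a reader or test can check."""
    db = InstrumentedDb(SCHEMA)
    binder = PermissionBinder()
    binder.on_login("zhangsan", "cookie A")
    binder.on_login("lisi", "cookie B")
    users = ["cookie A", "cookie B"]
    vulnerable, shared = detect_horizontal_override(db, binder, 1, users, scoped=False)
    fixed, _ = detect_horizontal_override(db, binder, 1, users, scoped=True)
    return {
        "vulnerable_flagged": vulnerable,
        "shared_records": sorted(shared),
        "fixed_flagged": fixed,
        "captured_sql": [s for _, s in db.captured],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The captured statements are what step S3 stores against the request's permission value; the replay flags order 1 in the unscoped handler because both cookie A and cookie B receive zhangsan's row, and clears it once the handler also filters by owner. A record that is meant to be shared by all users at a level would be flagged the same way, which is the kind of verdict the feedback step described later in the text exists to correct.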
Furthermore, the process of establishing the detection model also includes a step of optimizing it: after the detection model has been established, whether its verification result for each request was correct is fed back to the model, so that the model is optimized and the accuracy and effectiveness of detecting override problems improve. The process of building the detection model is described in detail with a specific example. After an SQL statement has been parsed, a weight calculation is performed on the parsed data (database, table, field and field value). The database name is the most similar across requests and therefore receives the lowest weight; the table name is the next most similar and receives a lower weight; the field name and field value are the least similar and receive the highest weight. Feature values are then extracted according to the weight calculation results, and a learning model is established from the extracted feature values using the naive Bayes algorithm (its basic idea, derived from Bayes' theorem, is that data to be classified is placed in the category in which its characteristics occur most often).
The extracted feature values are then fed to the learning model as input data. After learning is finished, the learning result is compared with the actual situation, and the learning model is adjusted a second time according to the result so that it conforms more closely to the actual situation; this learning and adjustment is repeated until the verification result of the learning model reaches the threshold expected by the user, at which point the learning model becomes the detection model. Each SQL statement a request executes is then received in real time, a detection result is obtained from the detection model, and the actual outcome of that detection (whether the detection was correct) is fed back to the detection model, so that the detection model is continuously optimized. When a horizontal override problem is detected, the user can deal with the program code corresponding to the request; otherwise detection continues with the next request.
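The model-building and feedback process of the two paragraphs above, as an added Python example that is not the patent's own code. A small parser extracts database, table, condition fields and field values from a captured statement; each element is weighted with the ordering the page gives (database lowest, table next, field name and value highest) and paired with the permission bound to the request; a weighted naive Bayes classifier is fitted on constructed, labelled (permission, statement) pairs; feedback() re-fits it with the verified outcome of a live request. The numeric weights, the training statements, the label names "normal"/"override" and the single-table parser are all assumptions.

```python
"""Added example, not the patent's code: SQL element parsing, weighted
features, naive Bayes detection model and the feedback (optimization) step."""
import re
from collections import defaultdict
from math import log

# Assumed weights: the more an element varies between requests, the more it
# says about which record is touched, so the page gives it a higher weight.
WEIGHTS = {"db": 1, "table": 2, "field": 3, "value": 4}

_TABLE_RE = re.compile(r"\b(?:FROM|UPDATE|INTO|JOIN)\s+(?:(\w+)\.)?(\w+)", re.IGNORECASE)
_PAIR_RE = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|(\d+))")


def parse_sql(sql, default_db="default"):
    """Extract database, table and the column=value pairs of WHERE/SET clauses
    (constructed single-table parser, not a full SQL grammar)."""
    m = _TABLE_RE.search(sql)
    db = (m.group(1) or default_db) if m else default_db
    table = m.group(2) if m else "?"
    pairs = [(col, quoted or number) for col, quoted, number in _PAIR_RE.findall(sql)]
    return {"db": db, "table": table, "pairs": pairs}


def features(permission, sql):
    """Weighted feature tokens. Each SQL element is paired with the permission
    bound to the request, so the model learns which records each permission
    normally touches rather than merely which records exist."""
    parsed = parse_sql(sql)
    elements = [("db", parsed["db"]), ("table", parsed["table"])]
    for col, val in parsed["pairs"]:
        elements.append(("field", col))
        elements.append(("value", "%s=%s" % (col, val)))
    return [("%s|%s:%s" % (permission, kind, val), WEIGHTS[kind]) for kind, val in elements]


class WeightedNaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing; element weights scale
    both the training counts and each token's contribution at prediction."""

    def __init__(self):
        self.samples = []     # (permission, sql, label), kept so feedback can refit
        self._fit()

    def _fit(self):
        self.docs = defaultdict(int)
        self.counts = defaultdict(lambda: defaultdict(float))
        self.totals = defaultdict(float)
        self.vocab = set()
        for perm, sql, label in self.samples:
            self.docs[label] += 1
            for tok, w in features(perm, sql):
                self.counts[label][tok] += w
                self.totals[label] += w
                self.vocab.add(tok)

    def train(self, samples):
        self.samples.extend(samples)
        self._fit()

    def scores(self, perm, sql):
        """Log posterior (up to a constant) of each label for one request statement."""
        n = sum(self.docs.values())
        v = len(self.vocab)
        toks = features(perm, sql)
        out = {}
        for label in self.docs:
            s = log(self.docs[label] / n)
            for tok, w in toks:
                s += w * log((self.counts[label].get(tok, 0.0) + 1) / (self.totals[label] + v))
            out[label] = s
        return out

    def predict(self, perm, sql):
        sc = self.scores(perm, sql)
        return max(sc, key=sc.get)

    def accuracy(self, samples):
        """The quantity compared with the preset threshold before the learning
        model is promoted to the detection model."""
        return sum(self.predict(p, s) == lbl for p, s, lbl in samples) / len(samples)

    def feedback(self, perm, sql, verified_label):
        """Optimization step: the verified outcome of a live request is fed back."""
        self.train([(perm, sql, verified_label)])


# Constructed training data: (permission bound to the request, captured SQL, label).
TRAINING = [
    ("userA", "SELECT id, item FROM shop.orders WHERE owner = 'zhangsan'", "normal"),
    ("userA", "SELECT * FROM shop.profile WHERE name = 'zhangsan'", "normal"),
    ("userB", "SELECT id, item FROM shop.orders WHERE owner = 'lisi'", "normal"),
    ("userB", "UPDATE shop.profile SET phone = '1' WHERE name = 'lisi'", "normal"),
    ("userB", "SELECT id, item FROM shop.orders WHERE owner = 'zhangsan'", "override"),
    ("userA", "SELECT * FROM shop.profile WHERE name = 'lisi'", "override"),
]


def build_model():
    model = WeightedNaiveBayes()
    model.train(TRAINING)
    return model


if __name__ == "__main__":
    m = build_model()
    print("training accuracy:", m.accuracy(TRAINING))
    print(m.predict("userB", "DELETE FROM shop.orders WHERE owner = 'zhangsan'"))
```

With this data a DELETE by userB against zhangsan's order is labelled "override" although no DELETE was ever seen, because the value token owner=zhangsan under userB carries the highest weight and occurs only in the override class. A first request by userB against a table the model has never seen under that permission gets little evidence either way and can be labelled wrongly; feeding the verified outcome back with feedback() and re-fitting is the optimization loop the paragraph describes, after which the same statement is labelled "normal".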
In addition, the invention also discloses a system for dynamically detecting horizontal override based on an IAST test tool, which, as shown in FIG. 3, comprises a data tracking module 10, a request permission generating module 11, an SQL interaction statement collecting module 12, an SQL parsing module 13, a detection model establishing module 14, a request flow acquiring module 15 and a verification module 16. The data tracking module 10 inserts detection code at the junction between the user code of the application program under test and the database, using an IAST test tool and instrumentation, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned. The request permission generating module 11 binds each user request to its corresponding request permission, generating the request permission of each user request. The SQL interaction statement collecting module 12 acquires and stores, through the data tracking module 10, all SQL statements executed under a request when that user request is sent to the server for execution. The SQL parsing module 13 parses the SQL statements acquired by the SQL interaction statement collecting module 12. The detection model establishing module 14 performs a weighted calculation on the data generated by the SQL parsing module 13 and generates a detection model. The request flow acquiring module 15 monitors and acquires the user request flow in real time. The verification module 16 performs permission verification on the user requests acquired by the request flow acquiring module 15, using the detection model, to judge whether the statements executed by a request exhibit a horizontal override problem.
Preferably, the request permission generating module 11 specifically comprises a permission binding module 110, a request monitoring module 111, an identity authentication module 112 and a request marking module 113. The permission binding module 110 binds each user name recorded in the application program under test to the permission corresponding to that user name; the request monitoring module 111 monitors user login requests and acquires the login user name and the identity authentication token associated with it; the identity authentication module 112 binds the identity authentication token acquired by the request monitoring module 111 to the corresponding permission; the request marking module 113 marks each request in the application program with its permission value. The identity authentication token is based on a cookie or on a token. Preferably, a detection model optimization module 17 is further provided, which optimizes the detection model according to the user requests and the verification results of the detection model.
The invention also discloses a system for dynamically detecting horizontal override based on an IAST test tool, comprising one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the method for dynamically detecting horizontal override based on an IAST test tool as described above.
The present invention also discloses a computer readable storage medium comprising a computer program for testing, the computer program being executable by a processor to perform the method for dynamically detecting horizontal override based on an IAST test tool as described above.
The above disclosure is only a preferred embodiment of the present invention and should certainly not be taken as limiting its scope; the invention is therefore intended to cover all equivalent changes and modifications within its scope.