Disclosure of Invention
The invention aims to solve the above technical problems by providing a method for dynamically detecting horizontal override based on an IAST test tool, which can accurately locate a horizontal override vulnerability (horizontal privilege escalation: a user reaching data that belongs to another user of the same permission level) in an application program.
Another object of the present invention is to provide a system for dynamically detecting a horizontal override based on an IAST test tool, which can accurately locate a horizontal override vulnerability of an application.
In order to achieve the aim, the invention discloses a method for dynamically detecting horizontal override based on an IAST test tool, which comprises the following steps:
S1, using an IAST test tool and instrumentation technology, inserting detection code at the points where the user code of the application program to be detected connects to the database, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned;
S2, binding each user request with the corresponding request permission;
S3, when a user request is sent to the server for execution, acquiring all SQL statements executed under that request by means of the detection code inserted in step S1, and storing them;
S4, parsing the SQL statements acquired in step S3;
S5, performing a weighted calculation on the data generated in step S4 and generating a detection model based on a supervised learning algorithm, the detection model being used to verify the SQL statements executed under a request;
s6, monitoring a user request flow in real time;
and S7, performing authority verification on the request sent by the user by adopting the detection model to judge whether the statement executed by the request has a horizontal override problem.
Compared with the prior art, the method for dynamically detecting horizontal override based on an IAST test tool has the following advantages. When the user starts the application program to be detected, the IAST test tool is started at the same time, and the part of the user code that interacts with the database is marked by instrumentation, so that every SQL statement executed under a user request is monitored. The mapping relation between each user request and its permission is then obtained, and all SQL statements executed by the request are stored in the database together with the permission value corresponding to the request. After the SQL statements are parsed, a detection model is created by the learning algorithm, and the monitored user requests are then checked for horizontal override problems in real time by the detection model. By combining the analysis of the database resources touched by the SQL statements with the detection model, the detection software is inserted deep into the code of the application program, and the horizontal override vulnerability can be located more accurately.
Preferably, the request-permission binding of step S2 specifically comprises:
S20, binding each user name recorded in the application program to be detected with the permission corresponding to that user name;
S21, monitoring user login requests, and acquiring the login user name and the identity authentication token associated with that user name;
S22, binding the identity authentication token acquired in step S21 with the corresponding permission;
and S23, marking each request in the application program with a permission value.
Preferably, the identity authentication token is a cookie (when the server is a web application) or a token carried by the application's own protocol (when it is not a web application).
Preferably, the method for dynamically detecting horizontal override based on IAST test tool further comprises the step of optimizing the detection model according to the user request and the verification result of the detection model.
The invention also discloses a system for dynamically detecting horizontal override based on an IAST test tool, which comprises a data tracking module, a request permission generating module, an SQL interaction statement collecting module, an SQL parsing module, a detection model establishing module, a request flow acquiring module and a verification module. The data tracking module is used for inserting detection code, by means of an IAST test tool and instrumentation technology, at the points where the user code of the application program to be detected connects to the database, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned; the request permission generating module is used for binding each user request with its corresponding request permission, thereby generating the request permission corresponding to each user request; the SQL interaction statement collecting module is used for acquiring and storing, through the data tracking module, all SQL statements executed under a request when that user request is sent to the server for execution; the SQL parsing module is used for parsing the SQL statements acquired by the SQL interaction statement collecting module; the detection model establishing module is used for performing a weighted calculation on the data generated by the SQL parsing module and generating a detection model based on a supervised learning algorithm, the detection model being used to verify the SQL statements executed under a request; the request flow acquiring module is used for monitoring and acquiring the user request flow in real time; the verification module is used for performing permission verification, by means of the detection model, on the user requests acquired by the request flow acquiring module, so as to judge whether the statements executed by a request have a horizontal override problem.
Preferably, the request permission generating module specifically comprises a permission binding module, a request monitoring module, an identity authentication module and a request marking module; the permission binding module is used for binding each user name recorded in the application program to be detected with the permission corresponding to that user name; the request monitoring module is used for monitoring user login requests and acquiring the login user name and the identity authentication token associated with that user name; the identity authentication module is used for binding the identity authentication token acquired by the request monitoring module with the corresponding permission; the request marking module is used for marking each request in the application program with a permission value.
Preferably, the identity authentication token is a cookie (when the server is a web application) or a token carried by the application's own protocol (when it is not a web application).
Preferably, the IAST test tool-based system for dynamically detecting horizontal override further comprises a detection model optimization module, wherein the detection model optimization module is used for optimizing the detection model according to a user request and a verification result of the detection model.
The invention also discloses a system for dynamically detecting horizontal override based on the IAST test tool, which comprises:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the method for dynamically detecting horizontal override based on an IAST test tool as described above.
The present invention also discloses a computer readable storage medium comprising a computer program for testing, the computer program being executable by a processor to perform the method for dynamically detecting horizontal override based on an IAST test tool as described above.
Detailed Description
In order to explain technical contents, structural features, implementation principles, and objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in combination with the embodiments.
As shown in FIG. 1, the invention discloses a method for dynamically detecting horizontal override based on IAST test tool, comprising the following steps:
S1, using an IAST test tool and instrumentation technology, inserting detection code at the points where the user code of the application program to be detected connects to the database, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned. In this step, code is inserted at the junction between the user program and the database according to the IAST technique; when the user program and the IAST program are started together, all code and data interacting with the database are captured, and the SQL statements exchanged between the user application program and the database are thereby obtained. In addition, "user code" is distinguished from the framework code in the application program, i.e. it is the code developed by the user: framework code has generally been subjected to technical review and tested over time, its structure is mature and it rarely contains vulnerabilities, so for the user only the user code developed by the user needs to be detected;
S2, binding each user request with its corresponding request permission, thereby obtaining the mapping relation between requests and permissions;
S3, when a user request is sent to the server for execution, acquiring all SQL statements executed under that request by means of the detection code of step S1 and storing the SQL statements in the database;
S4, parsing the SQL statements obtained in step S3, and performing a weighted calculation on the database, table, fields and field values identified in each statement to obtain a weighted result;
S5, generating a detection model from the weighted data produced in step S4, specifically: using the data obtained in step S4, a learning model is created by the naive Bayes algorithm (a supervised learning algorithm). The learning model learns from the basic data obtained in step S4 as input data; the learning result is compared with the actual request data, the learning model is adjusted accordingly, and the data of step S4 are fed as input data into the adjusted learning model again, until the accuracy with which the model verifies the SQL statements of a request reaches a preset threshold. At that point the model can determine more accurately whether an SQL statement has an override problem, and the learning model can be used as the detection model for verifying the SQL statements to be detected;
s6, monitoring a user request flow in real time;
and S7, performing authority verification on the request sent by the user by adopting a detection model to judge whether the statement executed by the request has a horizontal override problem.
Through the horizontal override detection process described above, the detection software is inserted deep into the code of the application program by combining the analysis of the database resources touched by the SQL statements with the detection model, and the horizontal override vulnerability can be located more accurately.
Preferably, as shown in FIG. 2, the request-permission binding of step S2 specifically comprises:
S20, binding each user name recorded in the application program to be detected with the permission corresponding to that user name, for example zhangsan = userA and lisi = userB;
S21, monitoring user login requests, and acquiring the login user name and the identity authentication token associated with that user name. The authentication information may be a cookie or a token: when the client's server is a web application, the authentication token is the cookie; when the client's server is not a web application, the authentication token is the token information carried by the protocol, and it is bound to the user name. A non-web application here means one in which the client and the server communicate over a protocol other than HTTP, for example raw TCP, the Dubbo protocol or the SOFA protocol. In this embodiment a web application is taken as the example: when a user sends a login request, the user name is dynamically bound to the cookie, for example zhangsan = cookieA and lisi = cookieB;
S22, binding the authentication token obtained in step S21 with the corresponding permission, for example cookieA = userA and cookieB = userB;
and S23, marking each request in the application program with a permission value, i.e. binding the request to the permission, for example Q (cookieA = userA) and P (cookieB = userB).
When detecting horizontal override, the same request is repeated by different users holding the same permission, and whether a horizontal override has occurred is then judged from the operation results (for example, request Q of step S23 is judged after it has been accessed by both userA and userB).
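The replay check described above, as an added example in Python that is not part of the original description or of any product: both users are assumed to hold the same permission userA (the text's own example binds lisi to userB, but the replay needs users of the same permission level); the user names, cookies, order ids and the two get_order handlers are constructed for this illustration, and sqlite3's trace callback stands in for the IAST instrumentation of step S1. The same request Q (order 1001) is replayed under both sessions, and a finding is raised whenever a user receives a row owned by somebody else. The vulnerable handler looks the row up by id alone; the fixed handler binds the owner predicate to the authenticated user.

```python
import sqlite3

# Constructed fixture: a minimal order-lookup application on an in-memory SQLite
# database. The user names, cookies, order ids and the two get_order handlers are
# assumptions of this example, not identifiers from the original description.
ROLE_OF_USER = {"zhangsan": "userA", "lisi": "userA"}        # S20: user name -> permission
USER_OF_COOKIE = {"cookieA": "zhangsan", "cookieB": "lisi"}  # S21: login cookie -> user name

def permission_of_cookie(cookie):
    """S22: the permission bound to an authentication token."""
    return ROLE_OF_USER[USER_OF_COOKIE[cookie]]

def build_app_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER);
        INSERT INTO orders VALUES (1001, 'zhangsan', 250), (1002, 'lisi', 90);
    """)
    return conn

class SqlCapture:
    """Stand-in for the S1 instrumentation: sqlite3's trace callback is invoked
    for every statement the application actually sends to the database."""
    def __init__(self, conn):
        self.statements = []
        conn.set_trace_callback(self.statements.append)

def vulnerable_get_order(conn, cookie, order_id):
    """Authenticates the caller but looks the row up by id alone (horizontal override)."""
    if cookie not in USER_OF_COOKIE:
        raise PermissionError("not logged in")
    return conn.execute("SELECT id, owner, amount FROM orders WHERE id = ?",
                        (order_id,)).fetchone()

def fixed_get_order(conn, cookie, order_id):
    """Same endpoint with the owner predicate bound to the authenticated user."""
    user = USER_OF_COOKIE[cookie]
    return conn.execute("SELECT id, owner, amount FROM orders WHERE id = ? AND owner = ?",
                        (order_id, user)).fetchone()

def detect_horizontal_override(handler, order_id, cookies):
    """Replay one request (Q: order_id) under every session in `cookies`, which must
    all carry the same permission, and report each user who receives a row owned
    by somebody else, together with the SQL captured for that execution."""
    if len({permission_of_cookie(c) for c in cookies}) != 1:
        raise ValueError("differential replay needs sessions of the same permission")
    conn = build_app_db()
    capture = SqlCapture(conn)
    findings = []
    for cookie in cookies:
        user = USER_OF_COOKIE[cookie]
        row = handler(conn, cookie, order_id)
        if row is not None and row[1] != user:
            findings.append({"user": user, "permission": permission_of_cookie(cookie),
                             "order": row[0], "owner": row[1], "sql": capture.statements[-1]})
    return findings
```

Running the detector over vulnerable_get_order yields one finding (lisi receives order 1001, owned by zhangsan, together with the captured SQL); over fixed_get_order it yields none. The check only exposes the override when the replayed request carries an identifier that resolves to another user's row, so the replay set should include object ids owned by each user in the group.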
Furthermore, the process of establishing the detection model also comprises a step of optimizing the detection model: after the detection model is established, whether each verification result was correct is fed back to the detection model for the corresponding request, so that the detection model is optimized and the accuracy and effectiveness of detecting override problems are improved. The process of building the detection model is described in detail with a specific example. After the SQL statements are parsed, a weight is calculated for each parsed element (database, table, fields and field values): the database is the element on which statements are most similar to one another and therefore receives the lowest weight; the table is the next most similar and receives a somewhat higher weight; the field names and field values are the least similar across statements and receive the highest weight. Feature values are extracted according to the weight calculation results, and a learning model is then established from the extracted feature values by the naive Bayes algorithm (the main idea being that data to be classified, having certain features, is assigned the class to which it most probably belongs given those features). The extracted feature values are input into the learning model as input data for learning; after learning is finished, the learning result is compared with the actual situation, and the learning model is adjusted a second time according to the result so that it conforms more closely to the actual situation. This adjustment of the learning is repeated until the verification result of the learning model reaches the expected threshold, at which point the learning model is converted into the detection model.
Subsequently, the SQL statements executed by each request are received in real time, a detection result is obtained from the detection model, and the actual situation of the detection result (that is, whether the detection was correct) is fed back to the detection model so that it is continuously optimized.
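The weighting, naive Bayes training, threshold check and feedback step of steps S4 and S5 and of the two paragraphs above, as an added example in Python that is not the invention's own implementation: the regex SQL parser, the weight table, the training records and the "self"/"other" normalization of literal values against the user name bound to the request are assumptions of this example. The parser handles only the simple SELECT, UPDATE and DELETE statements used here, and the classifier is a multinomial naive Bayes over weighted feature counts written without external libraries.

```python
import math
import re
from collections import defaultdict

# Weights in the order the description gives: database lowest, table next, fields and values highest.
WEIGHTS = {"db": 1, "table": 2, "field": 3, "value": 4}

_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+(?:(\w+)\.)?(\w+)", re.I)
_SELECT_RE = re.compile(r"^\s*SELECT\s+(.*?)\s+FROM\b", re.I | re.S)
_PRED_RE = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|(\d+))")

def parse_sql(sql):
    """S4: extract database, tables, fields and field values (regex-based; adequate
    only for the simple SELECT/UPDATE/DELETE statements used in this example)."""
    dbs, tables, fields, values = [], [], [], []
    for db, table in _TABLE_RE.findall(sql):
        dbs.append((db or "main").lower())
        tables.append(table.lower())
    m = _SELECT_RE.match(sql)
    if m:
        fields += [c.strip().lower() for c in m.group(1).split(",") if c.strip() != "*"]
    for col, text, num in _PRED_RE.findall(sql):
        fields.append(col.lower())
        values.append((col.lower(), text if text else num))
    return {"db": sorted(set(dbs)), "table": tables,
            "field": sorted(set(fields)), "value": values}

def weighted_features(sql, request_user):
    """Weighted feature counts for one (statement, request) pair. Assumption of this
    example: a literal equal to the user name bound to the request becomes 'self',
    any other literal 'other', so the model can learn whether a statement stays
    inside the caller's own rows."""
    parsed, feats = parse_sql(sql), defaultdict(float)
    for kind in ("db", "table", "field"):
        for name in parsed[kind]:
            feats["%s:%s" % (kind, name)] += WEIGHTS[kind]
    for col, val in parsed["value"]:
        feats["value:%s=%s" % (col, "self" if val == request_user else "other")] += WEIGHTS["value"]
    return dict(feats)

class NaiveBayesModel:
    """Multinomial naive Bayes over weighted feature counts (S5). feedback() is the
    optimization step: a confirmed verification result is added and the model refit."""
    def __init__(self, samples=(), alpha=1.0):
        self.alpha, self.samples = alpha, list(samples)
        self.refit()

    def refit(self):
        self.label_count, self.total, self.vocab = defaultdict(int), defaultdict(float), set()
        self.feat_sum = defaultdict(lambda: defaultdict(float))
        for feats, label in self.samples:
            self.label_count[label] += 1
            for f, w in feats.items():
                self.feat_sum[label][f] += w
                self.total[label] += w
                self.vocab.add(f)

    def feedback(self, feats, confirmed_label):
        self.samples.append((feats, confirmed_label))
        self.refit()

    def predict(self, feats):
        n, v, scores = len(self.samples), len(self.vocab), {}
        for label, count in self.label_count.items():
            lp = math.log(count / n)
            for f, w in feats.items():   # Laplace-smoothed per-feature likelihood
                p = (self.feat_sum[label][f] + self.alpha) / (self.total[label] + self.alpha * v)
                lp += w * math.log(p)
            scores[label] = lp
        return max(scores, key=scores.get), scores

# Constructed training records: (SQL captured under a request, user name bound to
# that request, label confirmed by a tester). 'ok' statements stay inside the
# caller's own rows; 'override' statements touch another user's rows.
TRAINING = [
    ("SELECT id, amount FROM orders WHERE owner = 'zhangsan'", "zhangsan", "ok"),
    ("SELECT id, amount FROM orders WHERE owner = 'lisi'", "lisi", "ok"),
    ("SELECT id, amount FROM orders WHERE id = 1001 AND owner = 'zhangsan'", "zhangsan", "ok"),
    ("UPDATE orders SET amount = 0 WHERE id = 1002 AND owner = 'lisi'", "lisi", "ok"),
    ("SELECT id, amount FROM orders WHERE owner = 'zhangsan'", "lisi", "override"),
    ("SELECT id, amount FROM orders WHERE owner = 'lisi'", "zhangsan", "override"),
    ("UPDATE orders SET amount = 0 WHERE owner = 'zhangsan'", "lisi", "override"),
    ("DELETE FROM orders WHERE owner = 'lisi'", "zhangsan", "override"),
]

def build_detection_model(records=TRAINING):
    return NaiveBayesModel((weighted_features(s, u), l) for s, u, l in records)

def accuracy(model, records):
    """Share of records labelled correctly: the value compared with the preset threshold."""
    hits = sum(model.predict(weighted_features(s, u))[0] == l for s, u, l in records)
    return hits / len(records)

def verify_request(model, sql, request_user):
    """S7: label the SQL executed under a request as 'ok' or 'override'."""
    return model.predict(weighted_features(sql, request_user))[0]
```

build_detection_model() fits the model on the constructed records, accuracy() is the figure compared with the preset threshold before the learning model is promoted to detection model, verify_request() is the step S7 check, and feedback() adds a confirmed verification result and refits, which is the optimization step. The "self"/"other" normalization is what carries the override signal: without relating literal values to the identity bound to the request, the model would only learn which databases, tables and fields are common, and a statement that looks up a row by id alone, without any owner predicate, is scored by the model as ordinary until confirmed overrides of that shape are fed back.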
In addition, the invention also discloses a system for dynamically detecting horizontal override based on an IAST test tool, which, as shown in FIG. 3, comprises a data tracking module 10, a request permission generating module 11, an SQL interaction statement collecting module 12, an SQL parsing module 13, a detection model establishing module 14, a request flow acquiring module 15 and a verification module 16. The data tracking module 10 is used for inserting detection code, by means of an IAST test tool and instrumentation technology, at the points where the user code of the application program to be detected connects to the database, so as to dynamically acquire the SQL statements exchanged between the user program and the database and the query result data returned; the request permission generating module 11 is configured to bind each user request with its corresponding request permission, so as to generate the request permission corresponding to each user request; the SQL interaction statement collecting module 12 is configured to acquire and store, through the data tracking module 10, all SQL statements executed under a request when that user request is sent to the server for execution; the SQL parsing module 13 is configured to parse the SQL statements acquired by the SQL interaction statement collecting module 12; the detection model establishing module 14 is configured to perform a weighted calculation on the data generated by the SQL parsing module 13 and to generate a detection model; the request flow acquiring module 15 is used for monitoring and acquiring the user request flow in real time; the verification module 16 is configured to perform permission verification, by means of the detection model, on the user requests acquired by the request flow acquiring module 15, so as to determine whether the statements executed by a request have a horizontal override problem.
Preferably, the request permission generating module 11 specifically comprises a permission binding module 110, a request monitoring module 111, an identity authentication module 112 and a request marking module 113; the permission binding module 110 is configured to bind each user name recorded in the application program to be detected with the permission corresponding to that user name; the request monitoring module 111 is configured to monitor user login requests and to acquire the login user name and the authentication token associated with that user name; the identity authentication module 112 is configured to bind the authentication token acquired by the request monitoring module 111 with the corresponding permission; the request marking module 113 is used for marking each request in the application program with a permission value. The identity authentication token is a cookie (when the server is a web application) or a token carried by the application's own protocol (when it is not a web application). Preferably, a detection model optimization module 17 is further provided, and the detection model optimization module 17 is configured to optimize the detection model according to the user requests and the verification results of the detection model.
The invention also discloses a system for dynamically detecting horizontal override based on an IAST test tool, which comprises one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, and the programs comprise instructions for executing the method for dynamically detecting horizontal override based on an IAST test tool as described above.
The present invention also discloses a computer readable storage medium comprising a computer program for testing, the computer program being executable by a processor to perform the method for dynamically detecting horizontal override based on an IAST test tool as described above.
The above disclosure is only a preferred embodiment of the present invention, and certainly should not be taken as limiting the scope of the present invention, which is therefore intended to cover all equivalent changes and modifications within the scope of the present invention.