CN110765464A - Vulnerability detection method, device, equipment and computer storage medium - Google Patents


Info

Publication number
CN110765464A
Authority
CN
China
Prior art keywords
event
target
website
tested
vulnerability detection
Prior art date
Legal status
Pending
Application number
CN201911063550.7A
Other languages
Chinese (zh)
Inventor
张强
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention relates to the technical field of financial technology (Fintech) and discloses a vulnerability detection method, which comprises the following steps: establishing a test case corresponding to a website interface to be tested, and integrating the test case and parameters to be tested of the website interface to be tested to obtain target parameters; acquiring all process events in a website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case; if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition; and if so, determining that the interface of the website to be tested has a bug. The invention also discloses a vulnerability detection device, equipment and a computer storage medium. The invention improves the efficiency of vulnerability detection.

Description

Vulnerability detection method, device, equipment and computer storage medium
Technical Field
The present invention relates to the field of financial technology (Fintech), and in particular, to a vulnerability detection method, apparatus, device, and computer storage medium.
Background
With the development of computer technology, more and more technologies (big data, distributed computing, blockchain, artificial intelligence, etc.) are applied to the financial field, and the traditional financial industry is gradually changing to financial technology (Fintech); however, the security and real-time requirements of the financial industry also place higher demands on these technologies. For example, common vulnerability detection at present is only effective for identifying command injection and code execution vulnerabilities of a website that returns a significant status response packet (e.g. status code and returned page content), whereas for command injection and code execution without echo the discovery rate is low and the false alarm rate is high, so the detection effect is poor. Moreover, conventional detection cases for command injection and code execution vulnerabilities without echo usually use API functions such as system delay waiting and network requests to enhance the returned characteristic state of the detection point. However, this detection method is limited by network stability on the one hand, and may have a real attack impact on normal services on the other hand, so vulnerability detection efficiency is very low. Therefore, how to improve the efficiency of vulnerability detection has become a technical problem that urgently needs to be solved.
Disclosure of Invention
The invention mainly aims to provide a vulnerability detection method, a vulnerability detection device, vulnerability detection equipment and a computer storage medium, and aims to improve vulnerability detection efficiency.
In order to achieve the above object, the present invention provides a vulnerability detection method, which includes the following steps:
establishing a test case corresponding to a website interface to be tested, and integrating the test case and parameters to be tested of the website interface to be tested to obtain target parameters;
acquiring all process events in a website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case;
if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition;
and if so, determining that the interface of the website to be tested has a bug.
Optionally, the step of acquiring all process events in the website host according to the preset netlink and the target parameter includes:
and configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host through the monitoring rule and a preset netlink.
Optionally, the step of configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host by using the monitoring rule and a preset netlink includes:
configuring a monitoring rule for an application state in the website host based on the target parameter, and transmitting the monitoring rule to a kernel state in the website host through a preset netlink;
and acquiring system calling events operated by all application programs in the website host through the kernel thread in the kernel state and the monitoring rule, and acquiring all process events in the website host based on the system calling events.
Optionally, the step of acquiring all process events in the website host based on each system call event includes:
feeding back each system calling event from the kernel state to the application state, and analyzing each system calling event according to a network control protocol in the application state to determine whether a system calling event meeting a preset detection requirement exists in each system calling event;
and if so, taking the system calling event meeting the preset detection requirement as a process event.
Optionally, the step of detecting whether the process chain corresponding to the target process event meets a preset condition includes:
acquiring a parent process corresponding to the target process event, determining a process chain corresponding to the target process event based on the parent process, and detecting whether dynamic script analysis process information of the website host exists in the process chain;
and if not, determining that the process chain corresponding to the target process event does not meet the preset condition.
Optionally, after the step of detecting whether the dynamic script parsing process information of the website host exists in the process chain, the method includes:
if yes, acquiring a white list prestored in the website host, and matching the target process event with all history records in the white list in sequence;
and if the target history record matched with the target process event does not exist in each history record, determining that the process chain corresponding to the target process event meets a preset condition.
Optionally, after the step of sequentially matching each process event with the test case, the method includes:
and if the target process event matched with the test case does not exist in the process events, determining that no vulnerability exists in the to-be-tested website interface.
In addition, to achieve the above object, the present invention further provides a vulnerability detection apparatus, including:
the acquisition module is used for establishing a test case corresponding to a to-be-tested website interface and integrating the test case and to-be-tested parameters of the to-be-tested website interface to acquire target parameters;
the matching module is used for acquiring all process events in the website host according to a preset socket netlink and the target parameters and matching each process event with the test case in sequence;
the detection module is used for detecting whether a process chain corresponding to the target process event meets a preset condition or not if the target process event matched with the test case exists in each process event;
and the determining module is used for determining that the website interface to be tested has a vulnerability if the process chain meets the preset condition.
In addition, to achieve the above object, the present invention further provides vulnerability detection equipment, including: a memory, a processor, and a vulnerability detection program stored on the memory and runnable on the processor, wherein when the vulnerability detection program is executed by the processor, the steps of the vulnerability detection method described above are realized.
In addition, to achieve the above object, the present invention further provides a computer storage medium on which a vulnerability detection program is stored, and when the vulnerability detection program is executed by a processor, the steps of the vulnerability detection method described above are implemented.
The method comprises the steps of establishing a test case corresponding to a website interface to be tested, and integrating the test case and parameters to be tested of the website interface to be tested to obtain target parameters; acquiring all process events in a website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case; if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition; and if so, determining that the interface of the website to be tested has a bug. The target process event can be acquired without determining whether the website host has an obvious state response packet, the efficiency of vulnerability detection on the website interface to be detected is improved, in order to further improve the detection accuracy, whether the target process event meets a preset condition needs to be determined, if yes, the website interface to be detected has a vulnerability, and therefore the vulnerability detection accuracy is also improved.
Drawings
FIG. 1 is a schematic diagram of an apparatus architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a vulnerability detection method according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus module of the vulnerability detection apparatus according to the present invention;
FIG. 4 is a schematic flow chart of process information determination in the vulnerability detection method of the present invention;
FIG. 5 is a schematic flow chart of the vulnerability detection method according to the present invention;
FIG. 6 is an interaction diagram of the host application state and kernel state in the vulnerability detection method according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The vulnerability detection equipment of the embodiment of the invention can be a PC or server equipment, and a Java virtual machine runs on the vulnerability detection equipment.
As shown in fig. 1, the vulnerability detection apparatus may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration of the apparatus shown in fig. 1 is not intended to be limiting of the apparatus and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a vulnerability detection program.
In the device shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and the processor 1001 may be configured to call a vulnerability detection program stored in the memory 1005 and perform operations in the vulnerability detection method described below.
Based on the hardware structure, the embodiment of the vulnerability detection method is provided.
Referring to fig. 2, fig. 2 is a schematic flowchart of a vulnerability detection method according to a first embodiment of the present invention, where the method includes:
step S10, establishing a test case corresponding to a website interface to be tested, and integrating the test case and parameters to be tested of the website interface to be tested to obtain target parameters;
At present, vulnerability detection for command injection and code execution generally executes various test cases, sends a large number of constructed HTTP requests to the target website, analyzes the content returned by the page and the website response time, and judges whether command injection and code execution vulnerabilities exist at the website interface. However, for command injection and code execution without echo (the website has no significant state response packet), the discovery rate is very low and the false alarm rate is high. Therefore, in this embodiment, whether testing is performed by an automated vulnerability scanner or manually, the test request sent to the website interface to be tested should contain in advance test cases for the command operation and network operation behaviour that a vulnerable point might execute, and the netlink kernel-state/application-state communication mechanism is borrowed to record the command operation and network connection events executed by the suspected injection point of the website. If execution of the case is successfully monitored during auditing, and traversing the parent processes of the process that executed the case shows the identity attributes of command injection and code execution, the website interface to be tested is determined to have a vulnerability. In this way, vulnerability injection points both with echo (the website has a significant state response packet, such as a status code or returned page content) and without echo can be found effectively. In this embodiment, the application state and the kernel state are the architectural division of the Linux operating system (user space and kernel space). Code execution is performed by calling the server website code, and command injection is performed by calling operating system commands; the final effect of both code execution and command injection may be the execution of external malicious commands on the target cluster. Netlink is a set of Linux kernel interfaces that can be used for interprocess communication: between the Linux kernel and user space, and between user processes.
When vulnerability detection is carried out and the test request to be sent to the website interface under test is received, a test case corresponding to the website interface to be tested can be constructed through a test case framework module, i.e. test cases for detecting command injection and code execution are constructed in advance. Common command injection and code execution vulnerability trigger points are located at interface parameters; in this embodiment they are mainly applied to functions for native system command operation and network connection, but are not limited to these. Examples of test cases are sleep (the sleep function puts a computer program, i.e. a process, task or thread, into an inactive state for a period of time), cat /etc/passwd (reading the contents of the /etc/passwd file to the screen), cURL (curl is a command-line file transfer tool using URL syntax) and system(whoami). The constructed test cases and the parameters to be tested of the website interface to be tested are integrated (for example, the test case is substituted and spliced into the position of the parameter to be tested) to obtain the target parameters, and the target parameters are packed into a network packet and sent to the website host. The target parameters are the parameters to be tested in the website interface to be tested, carrying the test cases.
Step S20, acquiring all process events in the website host according to a preset socket netlink and the target parameters, and matching each process event with the test case in sequence;
After the target parameters are obtained and sent to the website host, the netlink audit event monitoring service is accessed. Because the Linux kernel already provides a connector module and a process event collection mechanism, and the netlink protocol supports NETLINK_AUDIT, an interface to the kernel audit subsystem is available to user programs. Therefore, relying only on the NETLINK_AUDIT mechanism in the application state, a lightweight self-defined NCP (netlink connected process) application program is implemented that can intercept all process creation and network connection events of the host. That is, according to the preset netlink and the target parameters, the event records of the suspected injection point in the website host executing command operations and network connections, i.e. the process events, are obtained. Specifically, since the test cases in the target parameters include command functions such as cat /etc/passwd and curl, the native execve (execute program) and socket system calls need to be monitored. Therefore, a monitoring rule can be configured for the management process of the application state in the website host according to the target parameters and notified to the kernel state by means of the netlink. After the kernel-state kauditd obtains the monitoring rules through the netlink and loads them, all application programs of the host pass through the kauditd process when performing system calls and returning network requests, so the corresponding events can be recorded through the monitoring rules and returned to the application-state NCP application program through the netlink.
The NCP application program analyzes the events: if it captures a cat command operation event from the test case reading the file parameter /etc/passwd, or captures a process network request event whose request target is qq.com, the suspected test case is considered to have been executed as a system call at the interface with the vulnerability. After all process events are acquired, each process event is matched with the test case in sequence, and if a target process event matches the test case, it is determined that the suspected test case was executed by the interface with the vulnerability. A test case is a description of a test task performed on a specific software product, embodying a test scheme, method, technique and strategy. A process event is a system call event involving a network connection, a command operation or the like, and a system call event is the event record of an application when it makes a system call, returns a network request, etc.
Step S30, if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition;
when a target process event matched with the test case exists in each process event, whether the target process event meets a preset condition needs to be detected, namely, the target process event is determined to be called by a website interface to be detected and not by other interfaces, whether the target process event is one of a white list is determined, and then different operations are executed according to different determination results. Therefore, when the target process event is acquired, in order to further improve the detection accuracy, identity attribute determination needs to be performed on the target process event.
The identity attribute may be judged by obtaining information on the dynamic script parsing process started by the web server (for example, the common PHP script web parsing engine is php-fpm and the JSP script web parsing engine is tomcat) and obtaining the pid of the corresponding process on the host (the id number by which Linux and Unix identify a currently running process). The parent process of the monitored process that executed the system call is then traversed continuously up to the systemd process, so as to obtain the process chain corresponding to the target process, and whether dynamic script parsing process information such as a php-fpm or tomcat (java) process exists in the process chain is judged. If so, whether the target process event is a member of the website host white list is determined, and if it is not, it is determined that a vulnerability exists in the website interface to be tested. If no dynamic script parsing process information exists in the process chain, it is determined that the website interface to be detected has no vulnerability, and detection stops. The dynamic script parsing process information can be the total process information of the website web pages after being started through the website interface to be tested.
Detecting a target process event according to its process chain to determine whether a vulnerability exists in the website interface to be detected can be shown by the following table. When the process pid of the cat /etc/passwd process is 1123, its parent process is 850 and its process chain is 1123->850->…->62->1; since the process pid of the php-fpm dynamic parsing engine is 62, its parent process is 1 and its process chain is 850->1, it is clear that the process pid of the php-fpm dynamic parsing engine exists in the process chain corresponding to the cat /etc/passwd process, so the cat /etc/passwd process can be considered suspected of a vulnerability. Other application processes, for example the spp_bsp_offline_ctrl process with pid 5891, parent process 1091 and process chain 5891->1091->34->19->1, are not considered, i.e. they are treated as absent and ignored.
(Table: process chains of the cat /etc/passwd, php-fpm and spp_bsp_offline_ctrl processes; the pid values are those given in the preceding paragraph.)
In addition, to assist understanding of identity attribute determination for target process events, an example follows. As shown in FIG. 4, when vulnerability detection is performed on a website interface to be detected and the netlink monitoring observes that the system executes cat /etc/passwd, the process information of cat /etc/passwd is acquired, its parent processes are called in traversal to obtain the corresponding process chain 40 (i.e. all process information run by the host, such as other applications, kernel processes, website dynamic script parsing processes, other application processes, etc.), and whether a php-fpm process pid exists in the process chain is judged. If no php-fpm process pid is found in the process chain 40, it is determined that no vulnerability is found; but if a php-fpm process pid is found in the process chain 40, the white list in the host is acquired and whether the cat /etc/passwd process information exists in the white list is determined: if so, no vulnerability is found, and if not, a vulnerability is found.
And step S40, if yes, determining that the to-be-tested website interface has a bug.
And when the target process event is judged to meet the preset condition, determining that the vulnerability exists in the to-be-tested website interface. However, when the target process event is found to not meet the preset condition through judgment, it can be determined that no vulnerability exists in the to-be-tested website interface. In addition, in order to assist understanding of the principle of vulnerability detection on the website interface to be detected, the following description is given by way of example.
For example, as shown in FIG. 5, when deciding whether a normal URL interface such as /?id=1 needs vulnerability detection, test cases such as cat /etc/passwd and curl qq.com may be configured and spliced into the URL interface to be tested, giving /?id=cat /etc/passwd and /?id=curl qq.com. After splicing is completed, a data packet is formed and sent to the website host, and audit service access is performed on the website host: the netlink event recording module collects host operation behaviour data, i.e. all command operation behaviours and network connection events of the system, and the association judgment module uses cat /etc/passwd and curl qq.com as judging conditions against those command operation behaviours and network connection events. If none of the preset monitored command behaviours match, detection stops and the URL interface is determined to have no vulnerability. However, if execution of a use case such as cat /etc/passwd is monitored, and traversing its parent processes finds the dynamic script parsing process started by the web server, the id parameter is determined to have a vulnerability, that is, the URL interface has a vulnerability.
In this embodiment, a target parameter is obtained by establishing a test case corresponding to a website interface to be tested, and integrating the test case and a parameter to be tested of the website interface to be tested; acquiring all process events in a website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case; if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition; and if so, determining that the interface of the website to be tested has a bug. The target process event can be acquired without determining whether the website host has an obvious state response packet, the efficiency of vulnerability detection on the website interface to be detected is improved, in order to further improve the detection accuracy, whether the target process event meets a preset condition needs to be determined, if yes, the website interface to be detected has a vulnerability, and therefore the vulnerability detection accuracy is also improved.
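The detection logic of steps S20 to S40 (match execve events against the test cases, walk the parent chain up to pid 1, look for a php-fpm or java ancestor, then consult the white list), as an added example that is not the patent's own code. It assumes audit records in auditd's text format and a pid -> (ppid, comm) table; both are constructed sample data here, where a real deployment would receive the records over a NETLINK_AUDIT socket and read parent pids from /proc.

```python
"""Process-chain correlation for command injection without echo (steps S20-S40).

Added example, not the patent's own code. Audit records and the process
table are constructed sample data; a real deployment would receive the
records from the kernel over a NETLINK_AUDIT socket and read each parent
pid from /proc/<pid>/status.
"""
import re
from collections import defaultdict

# Dynamic-script parsing engines named on the page (tomcat runs as a java process).
SCRIPT_ENGINES = {"php-fpm", "java"}
SYSCALL_EXECVE = 59  # execve on x86_64 (arch=c000003e)
HDR_RE = re.compile(r"type=(\w+) msg=audit\(([\d.:]+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Verdicts returned by classify()
VULNERABLE, WHITELISTED, NOT_WEB, NO_MATCH = "vulnerable", "whitelisted", "not-web", "no-match"


def parse_execve_events(lines):
    """Join the SYSCALL and EXECVE records sharing one audit(ts:serial) id and
    return {pid, ppid, comm, argv} for every successful execve (the S20 input)."""
    by_serial = defaultdict(dict)
    for line in lines:
        m = HDR_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, serial, rest = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        rec = by_serial[serial]
        if rtype == "SYSCALL" and int(kv.get("syscall", -1)) == SYSCALL_EXECVE and kv.get("success") == "yes":
            rec.update(pid=int(kv["pid"]), ppid=int(kv["ppid"]), comm=kv.get("comm", ""))
        elif rtype == "EXECVE":
            rec["argv"] = [kv[f"a{i}"] for i in range(int(kv["argc"]))]
    return [r for r in by_serial.values() if "pid" in r and "argv" in r]


def process_chain(pid, ppid_of):
    """Walk pid -> parent -> ... -> 1 (systemd), as the page describes."""
    chain, seen = [pid], {pid}
    while pid != 1 and pid in ppid_of and ppid_of[pid] not in seen:
        pid = ppid_of[pid]
        chain.append(pid)
        seen.add(pid)
    return chain


def classify(event, proctable, test_cases, whitelist):
    """Apply the page's checks to one execve event.

    proctable maps pid -> (ppid, comm); test_cases and whitelist are sets of
    full command lines. Returns (verdict, process chain)."""
    cmd = " ".join(event["argv"])
    if cmd not in test_cases:  # S20: not a target process event
        return NO_MATCH, []
    ppid_of = {pid: ppid for pid, (ppid, _) in proctable.items()}
    chain = process_chain(event["pid"], ppid_of)
    # S30: a script engine must be an ancestor, otherwise the event is ignored
    if not any(proctable.get(p, (0, ""))[1] in SCRIPT_ENGINES for p in chain[1:]):
        return NOT_WEB, chain
    if cmd in whitelist:  # S30: matches a prestored legitimate history record
        return WHITELISTED, chain
    return VULNERABLE, chain  # S40: preset condition met


def audit_host(lines, proctable, test_cases, whitelist):
    """Run every execve event through classify(); returns {pid: verdict}."""
    return {e["pid"]: classify(e, proctable, test_cases, whitelist)[0]
            for e in parse_execve_events(lines)}


# Constructed process table pid -> (ppid, comm), using the pids from the page's table.
PROCTABLE = {
    1: (0, "systemd"), 7: (1, "cron"), 19: (1, "containerd"), 34: (19, "containerd-shim"),
    62: (1, "php-fpm"), 850: (62, "sh"), 1091: (34, "spp_master"), 1123: (850, "cat"),
    1200: (62, "curl"), 5891: (1091, "spp_bsp_offline_ctrl"), 7000: (7, "cat"),
}

# Constructed records in auditd's text format (not real captures).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1572600000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=850 pid=1123 comm="cat" exe="/usr/bin/cat" key="webinject"',
    'type=EXECVE msg=audit(1572600000.101:501): argc=2 a0="cat" a1="/etc/passwd"',
    'type=SYSCALL msg=audit(1572600000.150:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1091 pid=5891 comm="spp_bsp_offline" exe="/opt/spp/spp_bsp_offline_ctrl" key="webinject"',
    'type=EXECVE msg=audit(1572600000.150:502): argc=1 a0="spp_bsp_offline_ctrl"',
    'type=SYSCALL msg=audit(1572600000.203:503): arch=c000003e syscall=59 success=yes exit=0 ppid=7 pid=7000 comm="cat" exe="/usr/bin/cat" key="webinject"',
    'type=EXECVE msg=audit(1572600000.203:503): argc=2 a0="cat" a1="/etc/passwd"',
    'type=SYSCALL msg=audit(1572600000.260:504): arch=c000003e syscall=59 success=yes exit=0 ppid=62 pid=1200 comm="curl" exe="/usr/bin/curl" key="webinject"',
    'type=EXECVE msg=audit(1572600000.260:504): argc=2 a0="curl" a1="qq.com"',
]
TEST_CASES = {"cat /etc/passwd", "curl qq.com"}
WHITELIST = {"curl qq.com"}  # a test-case command the site is known to run legitimately

if __name__ == "__main__":
    for pid, verdict in sorted(audit_host(SAMPLE_LINES, PROCTABLE, TEST_CASES, WHITELIST).items()):
        print(pid, verdict)  # 1123 vulnerable, 1200 whitelisted, 5891 no-match, 7000 not-web
```

The cron-spawned cat (pid 7000) shows why the chain walk matters: the same command is only reported when a web script engine is among its ancestors.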
Further, based on the first embodiment of the vulnerability detection method, a second embodiment of the vulnerability detection method is provided. This embodiment refines step S20 of the first embodiment of the present invention: the step of acquiring all process events in the website host according to the preset netlink and the target parameter includes:
step a, configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host through the monitoring rule and a preset netlink.
After the target parameters are acquired and sent to the website host, because the target parameters include test cases such as cat /etc/passwd, and the test cases include command functions such as cat, the native execve and socket system calls need to be monitored. That is, a monitoring rule needs to be configured for the management process of the application state in the website host according to the target parameters, and the monitoring rule is transmitted to the kernel state in the website host through the preset netlink, so that the kernel state acquires, according to the monitoring rule, the event records of all application programs in the website host when making system calls and returning network requests, and transmits these event records to the application state, where they are analyzed to obtain the process events of network connection and command operation.
In this embodiment, the monitoring rule is configured for the website host according to the target parameter, and all process events in the website host are acquired through the monitoring rule, so that the accuracy of the acquired process events is guaranteed.
Specifically, the step of configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host through the monitoring rule and a preset netlink includes:
b, configuring a monitoring rule for the application state in the website host based on the target parameter, and transmitting the monitoring rule to a kernel state in the website host through a preset netlink;
After the monitoring rule has been configured in the application state of the website host according to the target parameters, it is transmitted to the kernel state of the website host by means of the preset netlink, so that the kernel state can obtain each process event in the website host according to the monitoring rule.
step c, acquiring the system call events of all application programs in the website host through the kernel thread in the kernel state and the monitoring rule, and acquiring all process events in the website host based on these system call events.
After the kernel thread in the kernel state receives the monitoring rule sent from the application state through the netlink and finishes loading it, every application program in the website host passes through the kauditd process when it runs (for example, when system calls and network requests return). The kauditd process therefore records the corresponding events according to the monitoring rule to obtain system call events, and these are transmitted to the application state through the netlink, so that the application state can extract all process events in the website host from the system call events.
In this embodiment, the monitoring rule is configured in the application state of the website host, and is transmitted to the kernel state of the website host, and all process events of the website host are acquired through the kernel state, so that some process events are avoided from being missed, and the accuracy of the acquired process events is ensured.
Specifically, the step of acquiring all process events in the website host based on each system call event includes:
step e, feeding back each system calling event from the kernel state to the application state, and analyzing each system calling event according to a network control protocol in the application state to determine whether a system calling event meeting a preset detection requirement exists in each system calling event;
After each system call event is fed back from the kernel state to the application state, that is, after the NCP application program in the application state receives each system call event, the system call events are analyzed to determine whether any of them meets the preset detection requirement (for example, whether there is a system call event of a network connection or a command operation), and different operations are executed according to the determination result.
step f, if such an event exists, taking the system call event meeting the preset detection requirement as a process event.
And when the system calling event meeting the preset detection requirement is found to exist in each system calling event through judgment, taking the system calling event meeting the preset detection requirement as a process event. If the system calling event meeting the preset requirement does not exist in all the system calling events, the detection is continued, and a new system calling event is obtained.
In addition, in order to assist understanding of acquiring a process event in a network host in this embodiment, the following description is given by way of example.
For example, as shown in fig. 6, the host is divided into the application (user) state and the kernel state. A website service interface in the user state executes system functions such as cat /etc/passwd and curl qq.com, which perform system calls, and a monitoring audit rule is registered with the kauditd kernel process in the kernel state through the audit netlink.
In this embodiment, each system call event is analyzed according to a network control protocol in an application state to obtain a process event, so that accuracy of obtaining the process event is guaranteed.
Further, a third embodiment of the vulnerability detection method is provided based on either of the first and second embodiments of the vulnerability detection method. This embodiment refines step S30 of the first embodiment of the present invention, the step of detecting whether the process chain corresponding to the target process event satisfies the preset condition, which includes:
step h, acquiring a parent process corresponding to the target process event, determining a process chain corresponding to the target process event based on the parent process, and detecting whether dynamic script analysis process information of the website host exists in the process chain;
The parent process corresponding to the target process event (that is, the process immediately preceding it) is acquired, and the process chain corresponding to the target process event is calculated from the parent process. At the same time, the dynamic script analysis process information of the website host is acquired, it is detected whether that information exists in the process chain, and different operations are executed based on the detection result.
step k, if not, determining that the process chain corresponding to the target process event does not meet the preset condition.
When the dynamic script analysis process information of the website host is found to exist in the process chain, it must further be determined whether the target process event is a member of the white list of the website host; if it is not, the process chain corresponding to the target process event is determined to meet the preset condition, and it can be determined that a vulnerability exists in the website interface to be tested. However, if the dynamic script analysis process information of the website host does not exist in the process chain, it is determined that the process chain corresponding to the target process event does not meet the preset condition, and it can be determined that no vulnerability exists in the website interface to be tested.
In this embodiment, the accuracy of vulnerability detection is improved by obtaining the process chain corresponding to the target process event and determining whether the dynamic script analysis process information exists in the process chain, that is, determining whether the target process event is called by the website interface to be detected.
Specifically, after the step of detecting whether the dynamic script analysis process information of the website host exists in the process chain, the method includes:
step m, if yes, acquiring a white list prestored in the website host, and matching the target process event with all history records in the white list in sequence;
When the dynamic script analysis process information is found to exist in the process chain, a white list prestored in the website host must also be obtained. The white list contains records of the system function calls that the website service has legitimately made in the past; for example, a normal operation in the service may call cat /etc/password, so this case needs to be screened out to avoid false detection, and command injection and code execution bugs in the website interface to be tested can be determined only if no white list record is hit. That is, the target process event is matched against all history records in the white list (the legitimate system function calls of the historical website service), and different operations are executed according to the matching result.
step n, if no target history record matching the target process event exists among the history records, determining that the process chain corresponding to the target process event meets the preset condition.
When no target history record matching the target process event is found among the history records, the process chain corresponding to the target process event can be determined to meet the preset condition, that is, the website interface to be tested has a bug. However, if a target history record matching the target process event exists among the history records, it can be determined that the process chain corresponding to the target process event does not satisfy the preset condition, that is, the website interface to be tested does not have a bug.
In the embodiment, whether the target process event is matched with the target history record in the white list or not is determined, and if the target process event is not matched with the target history record, the process chain corresponding to the target process event is determined to meet the preset condition, so that the phenomenon of false alarm detection is avoided, and the accuracy of vulnerability detection is improved.
Further, after the step of sequentially matching each process event with the test case, the method includes:
step x, if no target process event matching the test case exists among the process events, determining that no vulnerability exists in the website interface to be tested.
When no target process event matching the test case is found among the process events, it is determined that no vulnerability exists in the website interface to be tested, and detection of that interface is stopped.
In this embodiment, when it is determined that a target process event matching the test case does not exist in each process event, it is determined that no vulnerability exists in the to-be-tested website interface, so that the vulnerability detection accuracy is improved.
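The whole decision of steps a to f, h to n and x, as an added example that is not the patent's code: a user-space simulation run over constructed audit-style records and a constructed process table. SCRIPT_PARSERS, the whitelist entries and the auditctl form of the monitoring rule are assumptions, and the example goes beyond the text by checking every event that matches the test case rather than only the first.

```python
"""User-space simulation of the detection decision (added example, not the
patent's code).  Records, process table and parser names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed auditctl form of the rule the application state pushes to kauditd
# through the audit netlink: record execve and socket on syscall exit.
MONITORING_RULE = "-a always,exit -F arch=b64 -S execve -S socket -k web_probe"

# Dynamic script parsing processes of the website host (assumed names).
SCRIPT_PARSERS = {"php-fpm", "python3", "node"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str


@dataclass(frozen=True)
class SysCallEvent:
    """One record fed back by the kernel state for a monitored system call."""
    pid: int
    syscall: str                    # "execve" or "socket"
    argv: Tuple[str, ...] = ()      # execve: command line
    dest: Optional[str] = None      # socket: connection target (constructed)


def is_process_event(ev: SysCallEvent) -> bool:
    """Steps e/f: keep only command-operation and network-connection events."""
    return ev.syscall in ("execve", "socket")


def matches_test_case(ev: SysCallEvent, case: dict) -> bool:
    """Match one process event against the test case sent to the interface."""
    if ev.syscall == "execve":
        return ev.argv == tuple(case.get("argv", ()))
    return ev.dest is not None and ev.dest == case.get("dest")


def process_chain(table: Dict[int, Proc], pid: int) -> List[Proc]:
    """Step h: follow ppid links from the event's process up to pid 1."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid].ppid
    return chain


def chain_meets_condition(chain: Sequence[Proc], ev: SysCallEvent,
                          whitelist: Sequence[dict]) -> bool:
    """Steps h-n: a parser is in the chain and no whitelist record matches."""
    if not any(p.comm in SCRIPT_PARSERS for p in chain):
        return False                # step k: not spawned by the web interface
    for rec in whitelist:           # step m: sequential match against history
        if matches_test_case(ev, rec):
            return False            # legitimate historical call, no alert
    return True                     # step n


def detect(events, table, case, whitelist) -> dict:
    """Whole decision; every matching event is checked, not only the first."""
    for ev in filter(is_process_event, events):
        if not matches_test_case(ev, case):
            continue
        chain = process_chain(table, ev.pid)
        if chain_meets_condition(chain, ev, whitelist):
            return {"vulnerable": True, "pid": ev.pid,
                    "chain": [p.comm for p in chain]}
    return {"vulnerable": False}    # step x, or every chain failed step k/m


# Constructed process table of the website host (pid -> Proc).
PROC_TABLE = {p.pid: p for p in (
    Proc(1, 0, "systemd"), Proc(200, 1, "php-fpm"), Proc(300, 200, "php-fpm"),
    Proc(310, 300, "sh"), Proc(311, 310, "cat"),
    Proc(400, 1, "cron"), Proc(401, 400, "cat"))}

# Constructed system call records, in the order the kernel state returned them.
EVENTS = [
    SysCallEvent(401, "execve", ("cat", "/etc/password")),  # cron job, not web
    SysCallEvent(300, "socket", dest="db.internal"),        # normal DB connect
    SysCallEvent(311, "execve", ("cat", "/etc/password")),  # via php-fpm -> sh
]
TEST_CASE = {"argv": ["cat", "/etc/password"]}
WHITELIST = [{"argv": ["cat", "/etc/hostname"]}]  # assumed historical records
VERDICT = detect(EVENTS, PROC_TABLE, TEST_CASE, WHITELIST)
```

The cron-spawned cat is discarded at step k because no script parser is in its chain, while the same command under php-fpm is reported with its full chain as evidence.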
The present invention also provides a vulnerability detection apparatus, referring to fig. 3, the vulnerability detection apparatus includes:
the acquisition module is used for establishing a test case corresponding to a to-be-tested website interface and integrating the test case and to-be-tested parameters of the to-be-tested website interface to acquire target parameters;
the matching module is used for acquiring all process events in the website host according to a preset socket netlink and the target parameters and matching each process event with the test case in sequence;
the detection module is used for detecting whether a process chain corresponding to the target process event meets a preset condition or not if the target process event matched with the test case exists in each process event;
and the determining module is used for determining that the to-be-tested website interface has a bug if the process chain meets the preset condition.
Optionally, the matching module is further configured to:
and configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host through the monitoring rule and a preset netlink.
Optionally, the matching module is further configured to:
configuring a monitoring rule for an application state in the website host based on the target parameter, and transmitting the monitoring rule to a kernel state in the website host through a preset netlink;
and acquiring system calling events operated by all application programs in the website host through the kernel thread in the kernel state and the monitoring rule, and acquiring all process events in the website host based on the system calling events.
Optionally, the matching module is further configured to:
feeding back each system calling event from the kernel state to the application state, and analyzing each system calling event according to a network control protocol in the application state to determine whether a system calling event meeting a preset detection requirement exists in each system calling event;
and if so, taking the system calling event meeting the preset detection requirement as a process event.
Optionally, the detection module is further configured to:
acquiring a parent process corresponding to the target process event, determining a process chain corresponding to the target process event based on the parent process, and detecting whether dynamic script analysis process information of the website host exists in the process chain;
and if not, determining that the process chain corresponding to the target process event does not meet the preset condition.
Optionally, the detection module is further configured to:
if yes, acquiring a white list prestored in the website host, and matching the target process event with all history records in the white list in sequence;
and if the target history record matched with the target process event does not exist in each history record, determining that the process chain corresponding to the target process event meets a preset condition.
Optionally, the vulnerability detection apparatus further includes:
and if the target process event matched with the test case does not exist in the process events, determining that no vulnerability exists in the to-be-tested website interface.
The methods executed by the program modules may refer to various embodiments of the vulnerability detection method of the present invention, and are not described herein again.
The invention also provides a computer storage medium.
The computer storage medium of the present invention stores a vulnerability detection program, and the vulnerability detection program, when executed by a processor, implements the steps of the vulnerability detection method described above.
The method implemented when the vulnerability detection program running on the processor is executed may refer to each embodiment of the vulnerability detection method of the present invention, and will not be described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A vulnerability detection method is characterized by comprising the following steps:
establishing a test case corresponding to a website interface to be tested, and integrating the test case and parameters to be tested of the website interface to be tested to obtain target parameters;
acquiring all process events in a website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case;
if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition;
and if so, determining that the interface of the website to be tested has a bug.
2. The vulnerability detection method of claim 1, wherein the step of obtaining all process events in a website host according to a preset netlink and the target parameter comprises:
and configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host through the monitoring rule and a preset netlink.
3. The vulnerability detection method of claim 2, wherein the step of configuring a monitoring rule for the website host based on the target parameter and acquiring all process events in the website host through the monitoring rule and a preset netlink comprises:
configuring a monitoring rule for an application state in the website host based on the target parameter, and transmitting the monitoring rule to a kernel state in the website host through a preset netlink;
and acquiring system calling events operated by all application programs in the website host through the kernel thread in the kernel state and the monitoring rule, and acquiring all process events in the website host based on the system calling events.
4. The vulnerability detection method of claim 3, wherein the step of obtaining all process events in the website host based on each of the system call events comprises:
feeding back each system calling event from the kernel state to the application state, and analyzing each system calling event according to a network control protocol in the application state to determine whether a system calling event meeting a preset detection requirement exists in each system calling event;
and if so, taking the system calling event meeting the preset detection requirement as a process event.
5. The vulnerability detection method of claim 1, wherein the step of detecting whether the process chain corresponding to the target process event meets a preset condition comprises:
acquiring a parent process corresponding to the target process event, determining a process chain corresponding to the target process event based on the parent process, and detecting whether dynamic script analysis process information of the website host exists in the process chain;
and if not, determining that the process chain corresponding to the target process event does not meet the preset condition.
6. The vulnerability detection method of claim 5, wherein after the step of detecting whether the dynamic script parsing process information of the website host exists in the process chain, the method comprises:
if yes, acquiring a white list prestored in the website host, and matching the target process event with all history records in the white list in sequence;
and if the target history record matched with the target process event does not exist in each history record, determining that the process chain corresponding to the target process event meets a preset condition.
7. The vulnerability detection method of any of claims 1-6, wherein after the step of matching each of the process events to the test case in sequence, the method comprises:
and if the target process event matched with the test case does not exist in the process events, determining that no vulnerability exists in the to-be-tested website interface.
8. A vulnerability detection apparatus, comprising:
the acquisition module is used for establishing a test case corresponding to a to-be-tested website interface and integrating the test case and to-be-tested parameters of the to-be-tested website interface to acquire target parameters;
the matching module is used for acquiring all process events in the website host according to a preset socket netlink and the target parameters and matching each process event with the test case in sequence;
the detection module is used for detecting whether a process chain corresponding to the target process event meets a preset condition or not if the target process event matched with the test case exists in each process event;
and the determining module is used for determining that the to-be-tested website interface has a bug if the process chain meets the preset condition.
9. A vulnerability detection device, comprising: a memory, a processor and a vulnerability detection program stored on the memory and executable on the processor, the vulnerability detection program when executed by the processor implementing the steps of the vulnerability detection method according to any of claims 1 to 7.
10. A computer storage medium having stored thereon a vulnerability detection program which, when executed by a processor, implements the steps of the vulnerability detection method of any of claims 1-7.
CN201911063550.7A 2019-10-30 2019-10-30 Vulnerability detection method, device, equipment and computer storage medium Pending CN110765464A (en)

Publications (1)

Publication Number Publication Date
CN110765464A true CN110765464A (en) 2020-02-07

Family

ID=69335762
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination