CN110781073A - Security testing method and system - Google Patents

Security testing method and system Download PDF

Info

Publication number
CN110781073A
Authority
CN
China
Prior art keywords
test
probe
vulnerability
analysis information
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910860457.2A
Other languages
Chinese (zh)
Inventor
董威
邵子健
韩敏
李永刚
沈运国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Network Technology (beijing) Co Ltd
State Grid Siji Testing Technology Beijing Co Ltd
State Grid Information and Telecommunication Co Ltd
National Network Information and Communication Industry Group Co Ltd
Original Assignee
State Grid Network Technology (beijing) Co Ltd
State Grid Siji Testing Technology Beijing Co Ltd
National Network Information and Communication Industry Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-09-11
Filing date
2019-09-11
Publication date
2020-02-11
Application filed by State Grid Network Technology (beijing) Co Ltd, State Grid Siji Testing Technology Beijing Co Ltd, National Network Information and Communication Industry Group Co Ltd
Priority to CN201910860457.2A
Publication of CN110781073A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3668 Software testing
    • G06F 11/3672 Test management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a security testing method. The method comprises the following steps: receiving a test request from a user, the test request specifying a system under test; installing a probe in the system under test and deploying the system under test in a runnable test environment; acquiring analysis information through the probe while the system under test is running, the analysis information comprising program requests, code data flows and code control flows; and obtaining a vulnerability result from the analysis information. The system comprises a system-under-test running environment module, a probe and a management module. With this technical scheme, security testing and functional testing can be carried out concurrently.

Description

Security testing method and system
Technical Field
The invention belongs to the field of computer technology, and in particular relates to a security testing method and system.
Background
With the development of computer technology, software has become indispensable in production and daily life. Software is usually delivered in the form of application programs. Before an application is released it may undergo various tests, such as functional, performance and security tests.
In the prior art, testers usually perform security testing only after functional testing is complete. This lengthens the development cycle of the application and works against the goal of shortening it.
Disclosure of Invention
In order to solve the above problem, one aspect of the present invention provides a security testing method, comprising: receiving a test request from a user, the test request specifying a system under test; installing a probe in the system under test and deploying the system under test in a runnable test environment; acquiring analysis information through the probe while the system under test is running, the analysis information comprising program requests, code data flows and code control flows; and obtaining a vulnerability result from the analysis information.
In the security testing method described above, preferably, after the vulnerability result is obtained from the analysis information, the method further comprises: generating a visual test report from the vulnerability result.
In the security testing method described above, preferably, acquiring analysis information through the probe while the system under test is running comprises: the probe being triggered by manual or automated business (functional) test traffic.
In the security testing method described above, preferably, the probe is used to obtain request and response data, parameter passing during code execution, database queries, directory queries and file system permissions; to monitor values in memory and identify tainted inputs; and to record the use of third-party libraries and calls to external applications and services.
In the security testing method described above, preferably, the vulnerability result comprises: the vulnerability name, the code file in which the vulnerability is located, the line number, the function and the parameter.
Another aspect of the present invention provides a security test system, comprising: a system-under-test running environment module, configured to receive a test request from a user, the test request specifying a system under test, and to deploy the system under test in a runnable test environment; a probe, configured to be installed in the system under test and to acquire analysis information while the system under test is running, the analysis information comprising program requests, code data flows and code control flows; and a management module, configured to obtain a vulnerability result from the analysis information it receives from the probe.
In the security test system described above, preferably, the management module is further configured to generate a visual test report from the vulnerability result.
In the security test system described above, preferably, the probe is triggered by manual or automated business testing.
In the security test system described above, preferably, the probe is specifically configured to obtain request and response data, parameter passing during code execution, database queries, directory queries and file system permissions; to monitor values in memory and identify tainted inputs; and to record the use of third-party libraries and calls to external applications and services.
In the security test system described above, preferably, the vulnerability result comprises: the vulnerability name, the code file in which the vulnerability is located, the line number, the function and the parameter.
The technical scheme provided by the embodiments of the invention has the following beneficial effects:
A test request specifying a system under test is received from the user; a probe is installed in the system under test and the system under test is deployed in a runnable test environment; while the system under test runs, the probe acquires analysis information comprising program requests, code data flows and code control flows; and a vulnerability result is obtained from that analysis information. Security testing and functional testing can therefore proceed concurrently: the security test completes transparently during the functional test, without the testers having to do anything for it, which shortens the development cycle, lets security defects and vulnerabilities be identified efficiently and accurately, and pins each vulnerability down to its code file, line number, function and parameter.
Drawings
Fig. 1 is a schematic flow chart of a security testing method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, an embodiment of the present invention provides a security testing method comprising the following steps:
Step 101: receive a test request from a user, the test request specifying a system under test.
Step 102: install a probe in the system under test, and deploy the system under test in a runnable test environment.
Specifically, in application, with the original logic of the system under test (also called the development application to be tested) kept intact, a probe is inserted at a preset position in the system under test; the preset position may be the root directory of the system under test. The probe, i.e. the agent program, is triggered by manual or automated business testing and performs vulnerability detection in real time as the test traffic passes through. The probe is used to obtain request and response data, parameter passing during code execution, database queries, directory queries and file system permissions; to monitor values in memory and identify tainted inputs; and to record the use of third-party libraries and calls to external applications and services. That is, the probe monitors the application and analyses its code while the system under test is running; it does not actively attack the system under test but analyses the code it observes purely passively, so it does not interfere with other test activities running at the same time. Probes must be developed separately for each language, and they can only run on languages whose managed runtime lets an agent be loaded into the running program, such as Java, C#, Python and NodeJS.
Step 103: while the system under test runs, acquire analysis information through the probe, the analysis information comprising program requests, code data flows and code control flows.
Step 104: obtain a vulnerability result from the analysis information.
Specifically, the vulnerability result comprises the vulnerability name, the code file in which the vulnerability is located, the line number, the function and the parameter. Because the probe obtains far more information about the system under test than can be seen from outside, a discovered security vulnerability can be located to a line of code, and the complete request and response, the complete data flow and the stack trace can be obtained, which makes the vulnerability easy to locate, fix and verify. Because the probe sees whatever traffic the functional tests actually generate rather than depending on a crawler to reach it, the method supports AJAX pages, pages protected by a CSRF token, captcha pages, isolated API chains, POST form requests and other environments that crawler-driven scanners handle poorly.
To help the test personnel understand the test situation, after step 104 the method further comprises: generating a visual test report from the vulnerability result.
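The following is an added example, not code from the patent or from its assignees, showing in Python (one of the runtimes the description names) how a passive probe of the kind described in steps 102 to 104 can be built: request parameters are marked as tainted at the source, a database sink is wrapped so that tainted data reaching its query string is reported with the vulnerability name, file, line number, function and parameter together with the triggering request, and the findings go to a management module that renders the report. The web handlers, the FakeCursor stand-in for a database cursor, the sink table and the sample request are all constructed for the example; the patent does not specify how its probe is implemented.

```python
# Added example (not the patent's code): a minimal IAST-style probe in Python. The handlers,
# FakeCursor, the sink table and the request are all constructed so the example runs offline.
import dataclasses
import functools
import inspect
from typing import Any, Callable, Dict, List, Tuple


class Tainted(str):
    """str that keeps an 'untrusted' mark across concatenation (source-to-sink data flow)."""
    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))


@dataclasses.dataclass
class Finding:
    # Vulnerability result in the shape the description gives, plus the request that triggered it
    name: str
    file: str
    line: int
    function: str
    parameter: str
    request: Dict[str, str]


class ManagementModule:
    """Receives analysis information from the probe and renders a report."""
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def receive(self, finding: Finding) -> None:
        self.findings.append(finding)

    def report(self) -> List[str]:
        return [f"{f.name}: {f.file}:{f.line} in {f.function}() via parameter '{f.parameter}'"
                for f in self.findings]


class Probe:
    """Agent installed in the system under test. Passive: it observes sinks and never blocks them."""
    # sink name -> (vulnerability name, parameter that must not receive tainted data); constructed
    SINKS: Dict[str, Tuple[str, str]] = {"execute": ("SQL injection", "sql")}

    def __init__(self, mgmt: ManagementModule) -> None:
        self.mgmt = mgmt
        self.current_request: Dict[str, str] = {}

    def taint_request(self, request: Dict[str, str]) -> Dict[str, Tainted]:
        """Source hook: every request parameter enters the application marked untrusted."""
        self.current_request = request
        return {k: Tainted(v) for k, v in request.items()}

    def hook_sink(self, sink_name: str, func: Callable[..., Any]) -> Callable[..., Any]:
        """Wrap a sink so that tainted data reaching its dangerous parameter is reported."""
        vuln_name, dangerous_param = self.SINKS[sink_name]
        signature = inspect.signature(func)

        @functools.wraps(func)
        def wrapper(*args: Any, **kwargs: Any) -> Any:
            bound = signature.bind(*args, **kwargs)
            if isinstance(bound.arguments.get(dangerous_param), Tainted):
                caller = inspect.stack()[1]  # frame 0 is this wrapper, frame 1 the application code
                self.mgmt.receive(Finding(vuln_name, caller.filename, caller.lineno,
                                          caller.function, dangerous_param,
                                          dict(self.current_request)))
            return func(*args, **kwargs)  # the functional test proceeds exactly as before
        return wrapper


class FakeCursor:
    """Stand-in for a DB-API cursor: returns the query text it would have sent to the database."""
    def execute(self, sql: str, params: tuple = ()) -> str:
        return sql


def lookup_user_vulnerable(cursor: FakeCursor, params: Dict[str, str]) -> str:
    # Application code under test: builds the query by concatenation (deliberately vulnerable)
    return cursor.execute("SELECT * FROM users WHERE name = '" + params["name"] + "'")


def lookup_user_safe(cursor: FakeCursor, params: Dict[str, str]) -> str:
    # Same function with a parameterised query: the tainted value never reaches 'sql'
    return cursor.execute("SELECT * FROM users WHERE name = ?", (params["name"],))


def run_functional_test(handler: Callable[[FakeCursor, Dict[str, str]], str],
                        request: Dict[str, str]) -> Tuple[str, ManagementModule]:
    """Deploy, install the probe on the sink, replay one functional-test request."""
    mgmt = ManagementModule()
    probe = Probe(mgmt)
    cursor = FakeCursor()
    cursor.execute = probe.hook_sink("execute", cursor.execute)  # install the probe
    result = handler(cursor, probe.taint_request(request))
    return result, mgmt
```

Calling `run_functional_test(lookup_user_vulnerable, {"name": "' OR 1=1 --"})` returns the query the handler built together with a management module holding one SQL injection finding that names the handler function, the line of the `execute` call and the parameter `sql`; the same request through `lookup_user_safe` produces no finding, because the untrusted value travels in the parameter tuple rather than the query string. That distinction is the data-flow tracking the description refers to. A production agent also has to carry the mark through `str.format`, f-strings, slicing and decoding, which this example leaves out.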
In summary, a test request specifying a system under test is received; a probe is installed in the system under test and the system under test is deployed in a runnable test environment; while it runs, the probe acquires analysis information comprising program requests, code data flows and code control flows; and a vulnerability result is obtained from that analysis information. Security testing and functional testing thus proceed concurrently: the security test completes transparently during functional testing, security defects and vulnerabilities are identified efficiently and accurately, and each vulnerability's code file, line number, function and parameter are determined precisely.
This embodiment can detect not only the security weaknesses of the system under test itself but also the version information of the third-party software the system under test depends on, together with the publicly known vulnerabilities those versions contain. The whole process needs no intervention from security experts and no extra security testing time, has no impact on the existing development process, and so meets the rapid-iteration and rapid-delivery requirements of software products under agile development and DevOps.
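A second added example (again not the patent's or its assignees' code) for the third-party dependency check just described: the probe side enumerates the distributions the running Python interpreter can see through `importlib.metadata`, and the management side matches that inventory against an advisory feed. The advisory feed, its `EXAMPLE-ADV-` identifiers and the package names `examplelib` and `otherlib` are constructed placeholders, not real advisories; the version comparison is a deliberately simplified numeric one, as the code notes.

```python
# Added example (not the patent's code): runtime dependency inventory matched against an
# advisory feed. The feed below is constructed; its identifiers are hypothetical, not real CVEs.
import importlib.metadata
from typing import Dict, List, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key for dotted versions ('1.4.2' -> (1, 4, 2)); a non-numeric piece counts as 0.
    Simplified on purpose: a real agent should compare under PEP 440 (the 'packaging' library)."""
    key = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def collect_inventory() -> Dict[str, str]:
    """Probe side: name -> version for every distribution the running interpreter can import."""
    inventory = {}
    for dist in importlib.metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            inventory[name.lower()] = dist.version
    return inventory


def match_advisories(inventory: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Management side: report each installed package older than an advisory's fixed version."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["package"].lower())
        if installed is not None and version_key(installed) < version_key(adv["fixed_in"]):
            hits.append({"package": adv["package"], "installed": installed,
                         "fixed_in": adv["fixed_in"], "advisory": adv["id"]})
    return hits


# Constructed advisory feed with placeholder identifiers
EXAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib", "fixed_in": "1.4.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "otherlib", "fixed_in": "3.0.0"},
]

if __name__ == "__main__":
    for hit in match_advisories(collect_inventory(), EXAMPLE_ADVISORIES):
        print(hit)
```

Run as a script it inventories the current interpreter and prints any match; with a constructed inventory such as `{"examplelib": "1.3.9", "otherlib": "3.1.0"}` only `examplelib` is reported. Collecting the inventory from inside the running process is what lets the agent see the versions actually loaded rather than those declared in a requirements file.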
Another embodiment of the present invention provides a security test system comprising a system-under-test running environment module, a probe and a management module.
Specifically, the system-under-test running environment module receives the user's test request, which specifies the system under test, provides a runnable test environment for the system under test, and deploys the system under test in that environment.
The probe is installed in the system under test and acquires analysis information while the system under test runs, the analysis information comprising program requests, code data flows and code control flows. The probe is triggered by manual or automated business testing. It is specifically used to obtain request and response data, parameter passing during code execution, database queries, directory queries and file system permissions; to monitor values in memory and identify tainted inputs; and to record the use of third-party libraries and calls to external applications and services.
The management module obtains a vulnerability result from the analysis information it receives from the probe.
Preferably, the management module is further configured to generate a visual test report from the vulnerability result.
It will be appreciated by those skilled in the art that the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The embodiments disclosed above are therefore to be considered in all respects as illustrative and not restrictive. All changes which come within the scope of or equivalence to the invention are intended to be embraced therein.

Claims (10)

1. A security test method, comprising:
receiving a test request from a user, the test request specifying a system under test;
installing a probe in the system under test and deploying the system under test in a runnable test environment;
acquiring analysis information through the probe while the system under test is running, the analysis information comprising program requests, code data flows and code control flows; and
obtaining a vulnerability result from the analysis information.
2. The security test method of claim 1, wherein after obtaining the vulnerability result from the analysis information, the method further comprises:
generating a visual test report from the vulnerability result.
3. The security test method of claim 1, wherein acquiring analysis information through the probe while the system under test is running specifically comprises:
triggering the probe by manual or automated business test traffic.
4. The security test method of claim 1, wherein the probe is used to obtain request and response data, parameter passing during code execution, database queries, directory queries and file system permissions; to monitor values in memory and identify tainted inputs; and to record the use of third-party libraries and calls to external applications and services.
5. The security test method of claim 1, wherein the vulnerability result comprises: the vulnerability name, the code file in which the vulnerability is located, the line number, the function and the parameter.
6. A security test system, comprising:
a system-under-test running environment module, configured to receive a test request from a user, the test request specifying a system under test, and to deploy the system under test in a runnable test environment;
a probe, configured to be installed in the system under test and to acquire analysis information while the system under test is running, the analysis information comprising program requests, code data flows and code control flows; and
a management module, configured to obtain a vulnerability result from the analysis information it receives from the probe.
7. The security test system of claim 6, wherein the management module is further configured to generate a visual test report from the vulnerability result.
8. The security test system of claim 6, wherein the probe is triggered by manual or automated business testing.
9. The security test system of claim 6, wherein the probe is specifically configured to obtain request and response data, parameter passing during code execution, database queries, directory queries and file system permissions; to monitor values in memory and identify tainted inputs; and to record the use of third-party libraries and calls to external applications and services.
10. The security test system of claim 6, wherein the vulnerability result comprises: the vulnerability name, the code file in which the vulnerability is located, the line number, the function and the parameter.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title  Status
CN201910860457.2A  2019-09-11  2019-09-11  Security testing method and system  Pending (published as CN110781073A, en)

Publications (1)

Publication Number Publication Date
CN110781073A true CN110781073A (en) 2020-02-11

Family

ID=69383499

Country Status (1)

Country Link
CN (1) CN110781073A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN111723375A *  2020-06-09  2020-09-29  杭州孝道科技有限公司  Software security vulnerability detection method based on runtime non-execution mode
CN111859385A *  2020-07-29  2020-10-30  中国工商银行股份有限公司  Application program testing method, system and device
CN111859385B *  2020-07-29  2023-09-22  中国工商银行股份有限公司  Application program testing method, system and device
CN112087466A *  2020-09-18  2020-12-15  国家电网有限公司华东分部  Power network security system based on identity recognition and protection method thereof
CN113918432A *  2021-09-26  2022-01-11  云智慧(北京)科技有限公司  DingTalk mini-program data acquisition probe

Similar Documents

Publication Publication Date Title
CN110781073A (en) Security testing method and system
CN106203113B (en) The privacy leakage monitoring method of Android application file
CA2777434C (en) Verifying application security vulnerabilities
CN103984900B (en) Android application leak detection method and system
CN103699480B (en) A kind of WEB dynamic security leak detection method based on JAVA
US8752182B2 (en) Pinpointing security vulnerabilities in computer software applications
US6745383B1 (en) Early warning mechanism for enhancing enterprise availability
US20050066234A1 (en) Method and system for identifying errors in computer software
US11888885B1 (en) Automated security analysis of software libraries
CN112182588A (en) Operating system vulnerability analysis and detection method and system based on threat intelligence
Micskei et al. Robustness testing techniques and tools
CN112035354A (en) Method, device and equipment for positioning risk code and storage medium
CN111427771A (en) Code coverage rate analysis method, equipment, server and readable storage medium
Choudhary et al. Software testing
Boxler et al. Static taint analysis tools to detect information flows
Antunes et al. Evaluating and improving penetration testing in web services
CN116450533B (en) Security detection method and device for application program, electronic equipment and medium
US8464103B2 (en) Generating a functional coverage model from a trace
WO2021245939A1 (en) System, method, and non-transitory computer-readable medium
CN113127367B (en) Defect detection method for Android dynamic permission application
CN109271781B (en) Method and system for detecting super authority obtaining behavior of application program based on kernel
Gajrani et al. Detection of information leaks via reflection in android apps
CN113609487B (en) Method for detecting backdoor code through static analysis
CN111428238B (en) Android component-based service rejection testing method, detection terminal and medium
Хадеева Functional software testing: principles, objectives and methods of implementation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination