CN110851838A - Cloud testing system and security testing method based on Internet - Google Patents


Publication number
CN110851838A
Authority
CN
China
Prior art keywords
test
module
safety
testing
security
Legal status
Pending
Application number
CN201911092237.6A
Other languages
Chinese (zh)
Inventor
严宇平
梁哲恒
萧展辉
蔡徽
Current Assignee
Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages

Abstract

The invention discloses an internet-based cloud test system, which comprises a user, an authority management module, a test object selection module, a log recording module, an application program safety test module, a Web application safety test module and a safety test evaluation module. The application program safety test module comprises a reverse safety test module and a forward safety test module; the reverse safety test module comprises a defect threat model establishing module, an intrusion point scanning module and an intrusion point matrix verification test module, and the forward safety test module comprises a test space identification module, a design space accurate definition module, a potential safety hazard identification module and an intrusion point matrix establishment verification module. The invention also discloses a security testing method of the internet-based cloud testing system. The invention can test the security of application programs and Web applications rapidly, safely and in a targeted manner, improve test efficiency and reduce the cost of acquiring and maintaining the test environment.

Description

Cloud testing system and security testing method based on Internet
Technical Field
The invention relates to the technical field of internet security detection systems, in particular to a cloud testing system and a security testing method based on the internet.
Background
Software security is an important sub-field of the software field. In the earlier stand-alone computer era, the main security problem was that operating systems were easily infected by viruses, and the security problems of stand-alone application software were not prominent. Since the popularization of the internet, however, software security problems have become increasingly prominent, and the importance of software security testing has risen to an unprecedented level.
Security testing is one of the important links in the software development process, and sufficient testing is an important basis for ensuring software reliability. Security testing is the process of verifying the security level of an application program and identifying potential security defects. The main purpose of application-level security testing is to find potential security hazards in the software's own program design and to check the application program's ability to guard against illegal intrusion. A security test does not ultimately prove that an application program is secure; it is used to verify the validity of the established policies, whose countermeasures are selected on the basis of assumptions made in the threat analysis stage. The modules of existing testing systems are too complex, cannot come close to the real operating environment of the software, and cannot be provided directly for testing, so testing efficiency and effect are low. An internet-based cloud testing system and security testing method therefore need to be designed.
Disclosure of Invention
The invention aims to solve the defects in the prior art and provides an internet-based cloud testing system and a security testing method.
In order to achieve the purpose, the invention adopts the following technical scheme:
a cloud test system based on the Internet comprises a user, an authority management module, a test object selection module, a log recording module, an application program safety test module, a Web application safety test module and a safety test evaluation module, wherein the application program safety test module comprises a reverse safety test module and a forward safety test module.
Preferably, the reverse security testing module comprises a defect threat model establishing module, an intrusion point scanning module and an intrusion point matrix verification testing module.
Preferably, the forward security testing module comprises a testing space identification module, a design space accurate definition module, a potential safety hazard identification module and an intrusion point matrix establishing and verifying module.
Preferably, the Web application security test module includes an SQL vulnerability test module, an XSS script test module, a CSRF request test module, a file upload vulnerability test module, and a URL jump vulnerability test module.
A security testing method of an Internet-based cloud testing system comprises the following steps:
S1, logging in to the system;
S2, selecting a test object;
S3, performing the corresponding security tests according to the object, wherein the security tests comprise application program security tests and Web application security tests;
and S4, evaluating the security tests.
Preferably, the application security test in S3 includes a reverse security test and a forward security test, and the reverse security test includes the following steps:
S1, establishing a defect threat model: the defect threat model is built mainly by starting from known security vulnerabilities and checking whether they exist in the software; when the model is built, first determine which professional fields the software involves, then model the network attack means encountered in each of those fields;
S2, finding and scanning intrusion points: check which defects in the threat model are likely to occur in the software and bring the likely threats into an intrusion point matrix for management; if a mature vulnerability scanning tool exists, scan with it directly and bring the suspicious problems it finds into the intrusion point matrix for management as well;
S3, verification testing of the intrusion matrix: once the intrusion matrix has been created, design a corresponding test case for each specific item of the matrix and then carry out test verification;
the forward security test comprises the following steps:
S1, identifying the test space: mark all variable data of the test space, chiefly the external input layer, for example by marking the test space at the requirement analysis, summary design, detailed design and coding stages, and establish a test space tracking matrix;
S2, precisely defining the design space: in this step the design space is precisely defined in strict accordance with security principles;
S3, identifying potential security hazards: from the test spaces and design spaces found in steps S1 and S2 and the conversion rules between them, identify which test spaces and which conversion rules may carry potential security hazards; for example, the more complex the division of a test space or the more combination relationships its variable data has, the less secure it is, and the more complex a conversion rule is, the more likely it is to cause problems and hence to be a potential security hazard;
S4, establishing and verifying the intrusion matrix: after hazard identification is complete, establish an intrusion matrix from the identified hazards, listing the potential security hazards, identifying the variable data that carries them, and identifying the level of each hazard.
Preferably, the Web application security test in S3 includes the following steps:
S1, SQL injection test: on a page that performs a query, enter a simple SQL statement such as the correct query condition followed by "and 1=1" and check the response; if it is consistent with the result returned for the correct query condition, the application program does not filter user input, and an SQL injection vulnerability is preliminarily judged to exist;
S2, XSS cross-site scripting attack test: on a data input interface, enter <script>alert(/123/)</script>; if a dialog box pops up after the data is saved successfully, an XSS vulnerability exists at that position; alternatively, change a parameter in the URL request to <script>alert(/123/)</script>; if a dialog box pops up on the page, an XSS vulnerability exists at that position;
S3, CSRF cross-site request forgery attack test: open two pages in the same browser and, after the authorization of one page has expired, check whether the other page can still be operated successfully; if it can, a risk exists; alternatively, use a tool to send a request whose HTTP request header carries no Referer field and check the returned response, which should redirect to an error page or a login page;
S4, file upload vulnerability test: strictly check the type, size and so on of uploaded files, forbid the upload of files carrying malicious code, and check the execution permissions of the relevant directories; access all directories on the Web server through a browser and check whether a directory structure is returned; if a directory structure is displayed, a security problem may exist;
S5, URL jump vulnerability test: capture the request with a packet capture tool, capture the URL of the 302 response, modify the destination address, and check whether the jump takes place.
The invention has the beneficial effects that:
With this arrangement, a variety of test environments can be provided for security testing, the cost of acquiring and maintaining test environments is reduced, the environments are closer to the real running environment of the software, and resource utilization is improved.
Drawings
Fig. 1 is a block diagram of a cloud testing system based on the internet according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments.
Referring to fig. 1, the cloud test system based on the internet includes a user, an authority management module, a test object selection module, a log recording module, an application program security test module, a Web application security test module, and a security test evaluation module, wherein the application program security test module includes a reverse security test module and a forward security test module.
Specifically, the reverse security testing module comprises a defect threat model establishing module, an intrusion point scanning module and an intrusion point matrix verification testing module.
Specifically, the forward security testing module comprises a testing space identification module, a design space accurate definition module, a potential safety hazard identification module and an intrusion point matrix establishing and verifying module.
Specifically, the Web application security test module comprises an SQL vulnerability test module, an XSS script test module, a CSRF request test module, a file uploading vulnerability test module and a URL jumping vulnerability test module.
A security testing method of an Internet-based cloud testing system comprises the following steps:
S1, logging in to the system;
S2, selecting a test object;
S3, performing the corresponding security tests according to the object, wherein the security tests comprise application program security tests and Web application security tests;
and S4, evaluating the security tests.
Specifically, the application program security test in S3 includes a reverse security test and a forward security test, and the reverse security test includes the following steps:
S1, establishing a defect threat model: the defect threat model is built mainly by starting from known security vulnerabilities and checking whether they exist in the software; when the model is built, first determine which professional fields the software involves, then model the network attack means encountered in each of those fields, the main network attack means including port scanning attacks, virus attacks, buffer overflow attacks, e-mail attacks and the like;
S2, finding and scanning intrusion points: check which defects in the threat model are likely to occur in the software and bring the likely threats into an intrusion point matrix for management; if a mature vulnerability scanning tool exists, scan with it directly and bring the suspicious problems it finds into the intrusion point matrix for management as well;
S3, verification testing of the intrusion matrix: once the intrusion matrix has been created, design a corresponding test case for each specific item of the matrix and then carry out test verification;
the forward security test comprises the following steps:
S1, identifying the test space: mark all variable data of the test space. Variable data includes data that changes over time, such as data a user enters through an interface, and data that changes because the software runs in different spaces: for example, a program that needs to read a hardware device meets different hardware configurations on different machines, and a value such as the network card address changes with that difference in space. Variable data covers changes in quantity and in value, in the form of modification, increase and reduction. The external input layer is chiefly marked, for example by marking the test space at the requirement analysis, summary design, detailed design and coding stages, and a test space tracking matrix is established using the R language. R is a complete software system for data processing, computation and plotting; its functions include a data storage and processing system, array operation tools (particularly powerful for vector and matrix operations), a complete and coherent set of statistical analysis tools, excellent statistical charting, and a simple but powerful programming language that can control data input and output, supports branching and loops, and lets users define functions;
S2, precisely defining the design space: in this step the design space is precisely defined in strict accordance with security principles;
S3, identifying potential security hazards: from the test spaces and design spaces found in steps S1 and S2 and the conversion rules between them, identify which test spaces and which conversion rules may carry potential security hazards; for example, the more complex the division of a test space or the more combination relationships its variable data has, the less secure it is, and the more complex a conversion rule is, the more likely it is to cause problems and hence to be a potential security hazard;
S4, establishing and verifying the intrusion matrix: after hazard identification is complete, establish an intrusion matrix from the identified hazards, listing the potential security hazards, identifying the variable data that carries them, and identifying the level of each hazard.
Specifically, the Web application security test in S3 includes the following steps:
S1, SQL injection test: on a page that performs a query, enter a simple SQL statement such as the correct query condition followed by "and 1=1" and check the response; if it is consistent with the result returned for the correct query condition, the application program does not filter user input, and an SQL injection vulnerability is preliminarily judged to exist. In SQL injection, an attacker inserts SQL commands into a Web form submission, or into the domain name or query string of a page request, so that malicious SQL commands are finally executed and the database is invaded to run any query that has not been granted. The damage SQL injection may cause includes: web pages and data being tampered with, core data being stolen, and the server hosting the database being attacked and turned into a puppet host;
S2, XSS cross-site scripting attack test: on a data input interface, enter <script>alert(/123/)</script>; if a dialog box pops up after the data is saved successfully, an XSS vulnerability exists at that position; alternatively, change a parameter in the URL request to <script>alert(/123/)</script>; if a dialog box pops up on the page, an XSS vulnerability exists at that position. XSS inserts a malicious script into a web page, mainly using front-end HTML and JavaScript, and is an attack mode that controls the behavior of the user's browser when the user browses the page;
S3, CSRF cross-site request forgery attack test: open two pages in the same browser and, after the authorization of one page has expired, check whether the other page can still be operated successfully; if it can, a risk exists; alternatively, use a tool to send a request whose HTTP request header carries no Referer field and check the returned response, which should redirect to an error page or a login page. In a CSRF attack, a dangerous website B asks the browser to access website A and send a request. The browser accesses website A carrying the user's cookie information, and website A does not know whether the request was sent by the user or by dangerous website B, so it processes the request of dangerous website B, which thereby simulates the user's operation; this is the basic idea of a CSRF attack;
S4, file upload vulnerability test: strictly check the type, size and so on of uploaded files, forbid the upload of files carrying malicious code, and check the execution permissions of the relevant directories; access all directories on the Web server through a browser and check whether a directory structure is returned; if a directory structure is displayed, a security problem may exist. A file upload attack means that an attacker uploads an executable file to the server and has it executed; this attack mode is the most direct and effective. The uploaded file may be a virus, a trojan, a malicious script, a webshell or the like;
S5, URL jump vulnerability test: capture the request with a packet capture tool, capture the URL of the 302 response, modify the destination address, and check whether the jump takes place. A URL jump vulnerability, that is, an unvalidated redirect vulnerability, means that the Web program jumps directly to the URL given in a parameter, or that a URL of any developer is introduced into the page, guiding the program to an unsafe third-party area and thereby causing a security problem.
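The S1 check above is worded as a preliminary judgement; this added example (not code from the patent) runs that same "and 1=1" comparison against three query handlers on an in-memory SQLite database to show what it does and does not prove. The table, handler names and sample rows are constructed for the illustration.

```python
import re
import sqlite3

SELECT = "SELECT id, item FROM orders WHERE id = "

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "meter"), (2, "bob", "relay"), (3, "carol", "switch")],
    )
    return db

def query_concatenated(db, order_id: str):
    """'Before' form: user input is pasted into the SQL text and parsed as SQL."""
    try:
        return db.execute(SELECT + order_id).fetchall()
    except sqlite3.Error:
        return []  # stands in for the application's error page

def query_parameterized(db, order_id: str):
    """Hardened form: the input must be an integer and is bound as a value."""
    try:
        value = int(order_id)
    except ValueError:
        return []  # anything that is not a plain integer is rejected
    return db.execute(SELECT + "?", (value,)).fetchall()

def query_lenient(db, order_id: str):
    """Also not injectable, but lenient: keeps the leading digits and binds them."""
    match = re.match(r"\s*(\d+)", order_id)
    if match is None:
        return []
    return db.execute(SELECT + "?", (int(match.group(1)),)).fetchall()

def tautology_check(handler, db, correct: str = "2") -> bool:
    """The S1 check: does 'correct condition and 1=1' return the same rows
    as the correct condition alone? True is only a preliminary finding."""
    baseline = handler(db, correct)
    probed = handler(db, correct + " and 1=1")
    return bool(baseline) and probed == baseline

def run_checks():
    """Apply the check to each handler and return {handler name: flagged?}."""
    db = make_db()
    handlers = {
        "concatenated": query_concatenated,
        "parameterized": query_parameterized,
        "lenient": query_lenient,
    }
    return {name: tautology_check(h, db) for name, h in handlers.items()}

if __name__ == "__main__":
    for name, flagged in run_checks().items():
        print(f"{name:14s} flagged={flagged}")
```

The lenient handler is flagged even though it never lets input reach the SQL parser, which is why a positive result from this check still needs confirmation, for example by reviewing how the query is built.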
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any equivalent substitution or modification made by a person skilled in the art within the technical scope disclosed by the present invention, according to its technical solution and inventive concept, shall be covered by the scope of protection of the present invention.

Claims (7)

1. The cloud testing system based on the Internet is characterized by comprising a user, an authority management module, a testing object selection module, a log recording module, an application program safety testing module, a Web application safety testing module and a safety testing evaluation module, wherein the application program safety testing module comprises a reverse safety testing module and a forward safety testing module.
2. The internet-based cloud test system of claim 1, wherein said reverse security test module comprises a defect threat model building module, an intrusion point scanning module, and an intrusion point matrix verification test module.
3. The internet-based cloud test system of claim 1, wherein the forward security test module comprises a test space identification module, a design space accurate definition module, a potential safety hazard identification module, and an intrusion point matrix establishment verification module.
4. The internet-based cloud test system of claim 1, wherein the Web application security test module comprises an SQL vulnerability test module, an XSS script test module, a CSRF request test module, a file upload vulnerability test module, and a URL jump vulnerability test module.
5. A security testing method of a cloud testing system based on the Internet is characterized by comprising the following steps:
S1, logging in to the system;
S2, selecting a test object;
S3, performing the corresponding security tests according to the object, wherein the security tests comprise application program security tests and Web application security tests;
and S4, evaluating the security tests.
6. The security testing method of the internet-based cloud testing system of claim 5, wherein the application security test in S3 includes a reverse security test and a forward security test, and the reverse security test includes the following steps:
S1, establishing a defect threat model: the defect threat model is built mainly by starting from known security vulnerabilities and checking whether they exist in the software; when the model is built, first determine which professional fields the software involves, then model the network attack means encountered in each of those fields;
S2, finding and scanning intrusion points: check which defects in the threat model are likely to occur in the software and bring the likely threats into an intrusion point matrix for management; if a mature vulnerability scanning tool exists, scan with it directly and bring the suspicious problems it finds into the intrusion point matrix for management as well;
S3, verification testing of the intrusion matrix: once the intrusion matrix has been created, design a corresponding test case for each specific item of the matrix and then carry out test verification;
the forward security test comprises the following steps:
S1, identifying the test space: mark all variable data of the test space, chiefly the external input layer, for example by marking the test space at the requirement analysis, summary design, detailed design and coding stages, and establish a test space tracking matrix;
S2, precisely defining the design space: in this step the design space is precisely defined in strict accordance with security principles;
S3, identifying potential security hazards: from the test spaces and design spaces found in steps S1 and S2 and the conversion rules between them, identify which test spaces and which conversion rules may carry potential security hazards; for example, the more complex the division of a test space or the more combination relationships its variable data has, the less secure it is, and the more complex a conversion rule is, the more likely it is to cause problems and hence to be a potential security hazard;
S4, establishing and verifying the intrusion matrix: after hazard identification is complete, establish an intrusion matrix from the identified hazards, listing the potential security hazards, identifying the variable data that carries them, and identifying the level of each hazard.
7. The security testing method of the internet-based cloud testing system of claim 5, wherein the Web application security testing in S3 comprises the following steps:
S1, SQL injection test: on a page that performs a query, enter a simple SQL statement such as the correct query condition followed by "and 1=1" and check the response; if it is consistent with the result returned for the correct query condition, the application program does not filter user input, and an SQL injection vulnerability is preliminarily judged to exist;
S2, XSS cross-site scripting attack test: on a data input interface, enter <script>alert(/123/)</script>; if a dialog box pops up after the data is saved successfully, an XSS vulnerability exists at that position; alternatively, change a parameter in the URL request to <script>alert(/123/)</script>; if a dialog box pops up on the page, an XSS vulnerability exists at that position;
S3, CSRF cross-site request forgery attack test: open two pages in the same browser and, after the authorization of one page has expired, check whether the other page can still be operated successfully; if it can, a risk exists; alternatively, use a tool to send a request whose HTTP request header carries no Referer field and check the returned response, which should redirect to an error page or a login page;
S4, file upload vulnerability test: strictly check the type, size and so on of uploaded files, forbid the upload of files carrying malicious code, and check the execution permissions of the relevant directories; access all directories on the Web server through a browser and check whether a directory structure is returned; if a directory structure is displayed, a security problem may exist;
S5, URL jump vulnerability test: capture the request with a packet capture tool, capture the URL of the 302 response, modify the destination address, and check whether the jump takes place.
CN201911092237.6A 2019-11-11 2019-11-11 Cloud testing system and security testing method based on Internet Pending CN110851838A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911092237.6A CN110851838A (en) 2019-11-11 2019-11-11 Cloud testing system and security testing method based on Internet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911092237.6A CN110851838A (en) 2019-11-11 2019-11-11 Cloud testing system and security testing method based on Internet

Publications (1)

Publication Number Publication Date
CN110851838A true CN110851838A (en) 2020-02-28

Family

ID=69601094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911092237.6A Pending CN110851838A (en) 2019-11-11 2019-11-11 Cloud testing system and security testing method based on Internet

Country Status (1)

Country Link
CN (1) CN110851838A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102981951A (en) * 2012-11-01 2013-03-20 珠海金山网络游戏科技有限公司 Platform and method of cloud test development
US20160012247A1 (en) * 2013-12-03 2016-01-14 Paypal, Inc. Sensitive data protection during user interface automation testing systems and methods
CN108830084A (en) * 2018-06-12 2018-11-16 国网江苏省电力有限公司无锡供电分公司 Realize the handheld terminal and means of defence of computer information safe protection vulnerability scanning and protective reinforcing

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
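Liu Kun: "Research on penetration testing and information security countermeasures for e-commerce platforms: taking the Suzhou e-commerce platform as an example", Computer Knowledge and Technology *
Pan Haoliang et al.: "How to do software security testing well", Computer Security *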

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431878A (en) * 2020-03-16 2020-07-17 武汉猎鹰网安科技有限公司 Network security penetration testing system
CN112668001A (en) * 2020-12-22 2021-04-16 深圳市吉祥腾达科技有限公司 Method and system for testing CSRF attack resistance of router
US20220318397A1 (en) * 2021-03-30 2022-10-06 Malwarebytes Inc. Dynamic communication architecture for testing computer security application features
US11586741B2 (en) * 2021-03-30 2023-02-21 Malwarebytes Inc. Dynamic communication architecture for testing computer security application features
CN114650168A (en) * 2022-02-14 2022-06-21 麒麟软件有限公司 Application program security testing method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination