CN110955594B - Method and system for detecting Web application request coverage based on IAST - Google Patents

Method and system for detecting Web application request coverage based on IAST

Info

Publication number: CN110955594B
Application number: CN201911041370.9A
Authority: CN (China)
Prior art keywords: request, IAST, prototype, web, application program
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110955594A (en)
Inventors: 刘海涛, 万振华, 王颉, 李华, 董燕
Current assignee: Seczone Technology Co Ltd
Original assignee: Seczone Technology Co Ltd
Priority date: 2019-10-29
Filing date: 2019-10-29
Publication dates: 2020-04-03 (CN110955594A), 2024-05-03 (CN110955594B, grant)

Classifications

    • G06F11/3676 Test management for coverage analysis (G06F11/00 Error detection; error correction; monitoring → G06F11/36 Preventing errors by testing or debugging software → G06F11/3668 Software testing → G06F11/3672 Test management)
    • G06F9/45558 Hypervisor-specific management and integration aspects (G06F9/00 Arrangements for program control → G06F9/06 Program control using stored programs → G06F9/44 Arrangements for executing specific programs → G06F9/455 Emulation; interpretation; software simulation → G06F9/45533 Hypervisors; virtual machine monitors)
    • G06F2009/45591 Monitoring or debugging support

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and a system for detecting Web application request coverage based on IAST. The detection method comprises the following steps: S1) instrumenting, with an IAST testing tool, the Web framework to which the application program to be detected belongs; S2) starting the application program and acquiring, through the IAST testing tool, the request container allocated by the Web framework, the request container holding the request set of all requests defined for the application program; S3) the request set comprising request prototypes and request methods, parsing all requests in the request set; S4) dynamically monitoring, with the IAST testing tool, request instances arriving at the application program; S5) matching, according to a rule, each request instance of step S4 against the request prototypes of step S3 and displaying the matching result, thereby obtaining the request coverage. The method detects the coverage of Web application requests, works with existing Web frameworks, completely displays all application interfaces of the application program, and saves labour and time cost.

Description

Method and system for detecting Web application request coverage based on IAST
Technical Field
The invention relates to the technical field of Web application request detection, in particular to a method and a system for detecting Web application request coverage based on IAST.
Background
With the development of the Internet, network applications have become ever more popular and have made daily life more convenient: shopping, ordering, chat and the like can all be done through them. In theory, every interface of a network application should be tested and found free of problems before it is released to users. In practice, however, because developers and testers have different areas of expertise and developer turnover is high, not all request interfaces of an application get tested. For example, a typical Java Web application is split into a front end and a back end; the back end may implement 100 interfaces while the front-end pages expose only 70 of them. Testers usually test by clicking through the pages, so the test is incomplete, and the unexposed, untested back-end interfaces can be attacked, for example by brute force. Request-coverage detection for Web applications is currently done mainly with white-box and black-box tools. A white-box tool must obtain all source files of the application and match them line by line to recover the request set, which is slow and complex and does not work when the application's routes are stored in a database rather than in code; a black-box tool cannot obtain the complete request set, so it cannot show the real coverage.
Disclosure of Invention
The invention aims to solve the above technical problem by providing a method for detecting Web application request coverage based on IAST that can obtain the complete request set of an application program and saves time and labour cost.
Another object of the invention is to provide a system for detecting Web application request coverage based on IAST that can obtain the complete request set of an application program and saves time and labour cost.
To achieve the above object, the invention discloses a method for detecting Web application request coverage based on IAST, comprising the following steps:
S1) instrumenting, with an IAST testing tool, the Web framework to which the application program to be detected belongs;
S2) starting the application program and acquiring, through the IAST testing tool, the request container allocated by the Web framework, the request container holding the request set of all requests defined for the application program;
S3) the request set comprising request prototypes and request methods, parsing all requests in the request set and storing a request prototype separately for each type of request method;
S4) dynamically monitoring, with the IAST testing tool, request instances arriving at the application program;
S5) matching, according to a rule, each request instance of step S4 against the request prototypes of step S3 and displaying the matching result, thereby obtaining the request coverage.
Compared with the prior art, this method uses the instrumentation mechanism of the IAST testing tool to instrument the Web framework to which the application program to be detected belongs. When the application program starts, the full set of requests defined for it is obtained through the IAST testing tool; the request prototypes are parsed out of that set; the request instances coming from clients are then monitored dynamically by the IAST testing tool; finally the request instances are matched against the request prototypes according to a rule and the matching result is displayed. If every request prototype is matched by at least one request instance, the request coverage is 100%; otherwise the request coverage is the ratio of the number of request prototypes matched by at least one request instance to the total number of request prototypes (several instances may map to one prototype, so counting instances would over-count). Detecting Web application request coverage this way therefore works with existing Web frameworks, completely displays all application interfaces of the application program, and saves labour and time cost.
Preferably, in step S4 illegal requests are filtered out by the returned request status code.
Preferably, a plurality of instrumentation functions are preset in the IAST testing tool, and when the Web framework is instrumented in step S1 the instrumentation functions are matched against the Web framework one by one in order to select the instrumentation function that fits the Web framework.
Preferably, the Web framework is any one of Spring and Struts.
The invention also discloses a system for detecting Web application request coverage based on IAST, comprising an instrumentation module, a request set acquisition module, a parsing module, a request instance collection module and a matching display module;
the instrumentation module instruments, with an IAST testing tool, the Web framework to which the application program to be detected belongs;
the request set acquisition module acquires, via the instrumentation module, the request container allocated by the Web framework when the application program starts, the request container holding the request set of all requests defined for the application program, and the request set comprising request prototypes and request methods;
the parsing module parses all requests in the request set and stores a request prototype separately for each type of request method;
the request instance collection module dynamically monitors, via the instrumentation module, request instances arriving at the application program;
the matching display module matches, according to a rule, the request instances collected by the request instance collection module against the request prototypes parsed by the parsing module and displays the matching result, thereby obtaining the request coverage.
Preferably, the request instance collection module filters out illegal requests by the returned request status code.
Preferably, a plurality of instrumentation functions are preset in the IAST testing tool, and when the Web framework is instrumented the instrumentation module matches the instrumentation functions against the Web framework one by one in order to select the instrumentation function that fits the Web framework.
Preferably, the Web framework is any one of Spring and Struts.
The invention also discloses a system for detecting the coverage of the Web application request based on IAST, which comprises:
one or more processors;
a memory;
And one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs including instructions for performing the method of detecting Web application request coverage based on IAST as described above.
The invention also discloses a computer readable storage medium storing a computer program for testing, the computer program being executable by a processor to perform the method of detecting Web application request coverage based on IAST as described above.
Drawings
Fig. 1 is a flow chart of a method for detecting coverage of a Web application request based on IAST according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a system for detecting coverage of Web application requests based on IAST according to an embodiment of the present invention.
Detailed Description
In order to describe the technical content, structural features, implementation principles, objects and effects of the present invention in detail, the following description is given with reference to embodiments and the accompanying drawings.
As shown in Fig. 1, the invention discloses a method for detecting Web application request coverage based on IAST, comprising the following steps:
S1) instrumenting, with an IAST testing tool, the Web framework to which the application program to be detected belongs;
S2) starting the application program and acquiring, through the IAST testing tool, the request container allocated by the Web framework, the request container holding the request set of all requests defined for the application program;
S3) the request set comprising request prototypes and request methods, parsing all requests in the request set and storing a request prototype separately for each type of request method. The request method types are POST, PUT, GET, DELETE and so on. Within the request set, a request prototype is a request as defined in the request container (its path template), and the same request prototype may be bound to several method types, so the prototype has to be stored once per method type. For example, if the request prototype /user/{userId} is bound to the two request methods GET and POST, two request prototype records are stored in memory: POST-/user/{userId} and GET-/user/{userId};
S4) dynamically monitoring, with the IAST testing tool, request instances arriving at the application program, a request instance being an actual request sent by a user, such as /user/0001;
S5) matching, according to a rule, each request instance of step S4 against the request prototypes of step S3 and displaying the matching result, thereby obtaining the request coverage. Note that during matching one request prototype may correspond to several request instances: for the request prototype /user/{userId}, the rule matches both request instances /user/0001 and /user/0002, i.e. the two instances correspond to the single prototype. Furthermore, as in step S3, when the request prototype /user/{userId} has two request method types (GET and POST) it appears twice, as POST-/user/{userId} and GET-/user/{userId}, which as far as possible prevents a user from testing only one method of a request.
With this method, the IAST testing tool instruments the Web framework to which the application program under test belongs; when the application program starts, the full set of requests defined for it is obtained dynamically through the IAST testing tool, the request prototypes are parsed out of that set, the request instances coming from clients are then monitored dynamically by the IAST testing tool, and finally request instances and request prototypes are matched according to a rule and the matching result is displayed. Detecting Web application request coverage this way works with existing Web frameworks, completely displays all application interfaces of the application program, and saves labour and time cost; in addition, because the test coverage is displayed in terms of request instances, it tracks the requests actually defined in the code as closely as possible.
Preferably, in step S4 illegal requests are filtered out by the returned request status code. For example, status code 404 means that no corresponding request was found, so such a request is ignored automatically and is not counted among the objects of the request-coverage test.
In addition, since there is more than one kind of Web framework (the mainstream Java Web frameworks currently include Spring, Struts and others), several instrumentation functions can be preset in the IAST testing tool; when the Web framework is instrumented in step S1, the instrumentation functions are matched against the Web framework one by one in order to select the instrumentation function that fits it.
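The following is an added example, not code from the patent or from Seczone's IAST tool, that carries steps S3 to S5 (including the 404 filter of the preferred embodiment) through in Python on constructed data. The request container is a literal list shaped like the (methods, path template) pairs a Spring handler mapping would yield; a real agent would populate it through the framework-specific instrumentation function of step S1, which this example does not implement. The matching rule is the path template compiled to an anchored regular expression in which each {variable} matches exactly one path segment, and coverage is counted as prototypes matched at least once over all prototypes. The helper names, the sample routes and the sample request instances are all assumptions of the example.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample of the "request container" handed over by the framework
# at start-up (S2), shaped like Spring handler mappings: a set of HTTP methods
# plus one path template (the "request prototype"). A real agent fills this
# via instrumentation; here it is a literal so the example runs offline.
SAMPLE_REQUEST_CONTAINER = [
    ({"GET", "POST"}, "/user/{userId}"),
    ({"DELETE"}, "/user/{userId}"),
    ({"GET"}, "/user/{userId}/orders"),
    ({"PUT"}, "/admin/config"),
    ({"GET"}, "/health"),
]

# Constructed sample of request instances seen at runtime (S4):
# (method, path, status code returned by the application).
SAMPLE_REQUEST_INSTANCES = [
    ("GET", "/user/0001", 200),
    ("GET", "/user/0002?verbose=1", 200),
    ("POST", "/user/0001", 201),
    ("GET", "/user/0001/orders", 200),
    ("GET", "/user/0001/profile", 404),  # no handler: filtered out, not counted
    ("GET", "/health", 200),
]


def template_to_regex(template: str) -> re.Pattern:
    """Compile /user/{userId} into ^/user/[^/]+$ : literals are escaped and
    each {variable} matches one segment, so it cannot swallow /user/1/orders."""
    pieces = []
    for part in re.split(r"(\{[^}]+\})", template):
        if part.startswith("{") and part.endswith("}"):
            pieces.append(r"[^/]+")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$")


def _specificity(template: str) -> tuple:
    """Sort key: fewer variables first, then longer literal text, so a route
    such as /user/me is tried before /user/{userId} when both exist."""
    return (template.count("{"), -len(template))


def parse_prototypes(container) -> dict[str, re.Pattern]:
    """S3: store one prototype per (method, template), keyed METHOD-/path."""
    protos = {}
    for methods, template in sorted(container, key=lambda e: _specificity(e[1])):
        for method in sorted(methods):
            protos[f"{method.upper()}-{template}"] = template_to_regex(template)
    return protos


def filter_illegal(instances):
    """Drop instances whose status code says no route matched (404)."""
    return [inst for inst in instances if inst[2] != 404]


def match_instances(protos, instances):
    """S5: map each instance to the first (most specific) prototype with the
    same method whose pattern matches the request path."""
    hits = defaultdict(list)
    unmatched = []
    for method, path, status in instances:
        path = path.split("?", 1)[0]  # the query string is not part of the template
        prefix = method.upper() + "-"
        for key, rx in protos.items():
            if key.startswith(prefix) and rx.match(path):
                hits[key].append(path)
                break
        else:
            unmatched.append((method, path, status))
    return hits, unmatched


def run_report(container, instances) -> dict:
    """S3 to S5 end to end. Coverage = prototypes hit at least once / all
    prototypes; an instance count would over-count, since several instances
    may map to one prototype."""
    protos = parse_prototypes(container)
    kept = filter_illegal(instances)
    hits, unmatched = match_instances(protos, kept)
    covered = [k for k in protos if k in hits]
    return {
        "coverage": len(covered) / len(protos) if protos else 0.0,
        "covered": covered,
        "uncovered": [k for k in protos if k not in hits],
        "hits": dict(hits),
        "ignored": len(instances) - len(kept),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    report = run_report(SAMPLE_REQUEST_CONTAINER, SAMPLE_REQUEST_INSTANCES)
    print(f"coverage: {report['coverage']:.0%}")
    for key in report["uncovered"]:
        print("never exercised:", key)
    for inst in report["unmatched"]:
        print("instance matched no prototype:", inst)
```

On the sample data the report shows 4 of 6 prototypes exercised (67%), with DELETE-/user/{userId} and PUT-/admin/config never hit; those are exactly the back-end interfaces the Background section warns are left untested when testers only click through the front end. The "unmatched" list is worth keeping in a real deployment: a non-404 response whose path matches no prototype means the container extraction in step S2 missed a route, which is itself a coverage finding.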
To make it easier to carry out the above detection method, as shown in Fig. 2, the invention also discloses a system for detecting Web application request coverage based on IAST, comprising an instrumentation module 10, a request set acquisition module 11, a parsing module 12, a request instance collection module 13 and a matching display module 14. The instrumentation module 10 instruments, with an IAST testing tool, the Web framework to which the application program to be detected belongs; the request set acquisition module 11 acquires, via the instrumentation module 10, the request container allocated by the Web framework when the application program starts, the request container holding the request set of all requests defined for the application program, and the request set comprising request prototypes and request methods; the parsing module 12 parses all requests in the request set and stores a request prototype separately for each request method type; the request instance collection module 13 dynamically monitors, via the instrumentation module 10, request instances arriving at the application program; the matching display module 14 matches, according to a rule, the request instances collected by the request instance collection module 13 against the request prototypes parsed by the parsing module 12 and displays the matching result, thereby obtaining the request coverage. The principle and operation of the system in this embodiment are the same as those of the method for detecting Web application request coverage based on IAST described above and are not repeated here.
In addition, the invention also discloses a system for detecting Web application request coverage based on IAST, which comprises one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, and the programs comprise instructions for executing the method for detecting Web application request coverage based on IAST as described above.
In addition, the invention also discloses a computer readable storage medium storing a computer program for testing, the computer program being executable by a processor to perform the method for detecting Web application request coverage based on IAST as described above.
The foregoing disclosure merely illustrates the principles of the present invention; the scope of the invention is therefore intended to be limited not by this disclosure but by the claims appended hereto.

Claims (6)

1. A method for detecting Web application request coverage based on IAST, comprising the following steps:
S1) instrumenting, with an IAST testing tool, the Web framework to which the application program to be detected belongs;
S2) starting the application program and acquiring, through the IAST testing tool, the request container allocated by the Web framework, the request container holding the request set of all requests defined for the application program;
S3) the request set comprising request prototypes and request methods, parsing all requests in the request set and storing a request prototype separately for each type of request method; a request prototype being a request as defined in the request container, and the same request prototype corresponding to several types of request method, so that several request prototype records are obtained for the different request methods and request types;
the request method type being any one of POST, PUT, GET and DELETE, and when one request prototype corresponds to several method types, the request prototype being stored once per method type;
S4) dynamically monitoring, with the IAST testing tool, request instances arriving at the application program;
S5) matching, according to a rule, the request instances of step S4) against the request prototype records of step S3) and displaying the matching result, thereby obtaining the request coverage, wherein during matching one request prototype may correspond to several request instances; and wherein in step S4) illegal requests are filtered out by the returned request status code;
and wherein a plurality of instrumentation functions are preset in the IAST testing tool, and when the Web framework is instrumented in step S1) the instrumentation functions are matched against the Web framework one by one in order to select the instrumentation function that fits the Web framework.
2. The method of detecting Web application request coverage based on IAST of claim 1, wherein the Web framework is any one of Spring and Struts.
3. A system for detecting Web application request coverage based on IAST, characterised by comprising an instrumentation module, a request set acquisition module, a parsing module, a request instance collection module and a matching display module;
the instrumentation module instruments, with an IAST testing tool, the Web framework to which the application program to be detected belongs;
the request set acquisition module acquires, via the instrumentation module, the request container allocated by the Web framework when the application program starts, the request container holding the request set of all requests defined for the application program, and the request set comprising request prototypes and request methods;
the parsing module parses all requests in the request set and stores a request prototype separately for each type of request method; a request prototype being a request as defined in the request container, and the same request prototype corresponding to several types of request method, so that several request prototype records are obtained for the different request methods and request types; the request method type being any one of POST, PUT, GET and DELETE, and when one request prototype corresponds to several method types, the request prototype being stored once per method type;
the request instance collection module dynamically monitors, via the instrumentation module, request instances arriving at the application program, and filters out illegal requests by the returned request status code;
the matching display module matches, according to a rule, the request instances collected by the request instance collection module against the request prototype records parsed by the parsing module and displays the matching result, thereby obtaining the request coverage, wherein during matching one request prototype may correspond to several request instances;
and a plurality of instrumentation functions are preset in the IAST testing tool, and when the Web framework is instrumented the instrumentation module matches the instrumentation functions against the Web framework one by one in order to select the instrumentation function that fits the Web framework.
4. The system for detecting Web application request coverage based on IAST of claim 3, wherein the Web framework is any one of Spring and Struts.
5. A system for detecting Web application request coverage based on IAST, comprising:
one or more processors;
a memory;
and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the programs comprising instructions for performing the method of detecting Web application request coverage based on IAST of claim 1 or 2.
6. A computer readable storage medium storing a computer program for testing, the computer program being executable by a processor to perform the method of detecting Web application request coverage based on IAST as claimed in claim 1 or 2.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911041370.9A | 2019-10-29 | 2019-10-29 | Method and system for detecting Web application request coverage based on IAST

Publications (2)

Publication Number | Publication Date
CN110955594A (en) | 2020-04-03
CN110955594B (en) | 2024-05-03

Family

ID=69975826

Country Status (1)

CN (1) CN110955594B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113722048B * | 2021-08-31 | 2023-10-27 | 杭州默安科技有限公司 | IAST agent automatic deployment method and system in k8s

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103428249A * | 2012-05-23 | 2013-12-04 | 腾讯科技(深圳)有限公司 | Collecting method and processing method for HTTP request packet, system and server
CN106126417A * | 2016-06-17 | 2016-11-16 | 深圳开源互联网安全技术有限公司 | Interactive application safety detecting method and system thereof
WO2017163141A1 * | 2016-03-21 | 2017-09-28 | Checkmarx Ltd. | Integrated interactive application security testing
EP3401827A1 * | 2017-05-10 | 2018-11-14 | Checkmarx Ltd. | Method and system of static and dynamic data flow analysis
CN108845941A * | 2018-06-15 | 2018-11-20 | 郑州云海信息技术有限公司 | A kind of SQL injection test coverage statistical method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US10387656B2 * | 2016-03-21 | 2019-08-20 | Checkmarx Ltd. | Integrated interactive application security testing



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant