CN111104675A - Method and device for detecting system security vulnerability - Google Patents
Method and device for detecting system security vulnerability Download PDFInfo
- Publication number
- CN111104675A CN111104675A CN201911118880.1A CN201911118880A CN111104675A CN 111104675 A CN111104675 A CN 111104675A CN 201911118880 A CN201911118880 A CN 201911118880A CN 111104675 A CN111104675 A CN 111104675A
- Authority
- CN
- China
- Prior art keywords
- request
- tested
- access request
- response
- test
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 230000004044 response Effects 0.000 claims abstract description 94
- 238000012360 testing method Methods 0.000 claims abstract description 79
- 238000001514 detection method Methods 0.000 claims description 16
- 238000004590 computer program Methods 0.000 claims description 9
- 238000010276 construction Methods 0.000 claims description 8
- 238000012795 verification Methods 0.000 abstract description 13
- 238000010586 diagram Methods 0.000 description 14
- 230000006870 function Effects 0.000 description 8
- 238000012545 processing Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 6
- 238000012986 modification Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 235000014510 cooky Nutrition 0.000 description 3
- 238000012423 maintenance Methods 0.000 description 3
- 239000000835 fiber Substances 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The invention discloses a method and a device for detecting system security vulnerabilities, and relates to the technical field of computers. One embodiment of the method comprises: acquiring a first access request aiming at a system to be tested, wherein the first access request carries login state information of a first user; changing the login credential information in the first access request data packet to generate a first test request aiming at the system to be tested; sending a first access request and a first test request to a system to be tested; and comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request, and judging whether the system to be tested has a security vulnerability according to a comparison result. The method and the device can accurately detect the security holes which exist in the system to be detected and are generated due to lack of verification of the user login credentials.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting system security vulnerabilities.
Background
The existing Web application system often has one or more security holes, for example, because the system lacks verification of the user-related authority, an illegal user without authority can execute the service function in the authority, thereby forming huge potential safety hazard. In the existing security vulnerability detection method, the problem of low detection accuracy exists in both manual detection and automatic detection.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for detecting a system security vulnerability, which can accurately detect a security vulnerability existing in a system under test and generated due to lack of verification of a user login credential.
To achieve the above object, according to one aspect of the present invention, a method for detecting a system security vulnerability is provided.
The method for detecting the system security vulnerability comprises the following steps: acquiring a first access request aiming at a system to be tested, wherein the first access request carries login state information of a first user; changing the login credential information in the first access request data packet to generate a first test request aiming at the system to be tested; sending a first access request and a first test request to a system to be tested; and comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request, and judging whether the system to be tested has a security vulnerability according to a comparison result.
Optionally, the modifying login credential information in the first access request packet includes: replacing the login credential information in the first access request data packet with pre-stored login credential information of the second user; or deleting the login credential information in the first access request packet.
Optionally, the determining whether a security vulnerability exists in the system to be tested according to the comparison result includes: and when the request data carried by the first response is the same as the request data carried by the second response, determining that the security vulnerability exists in the system to be tested.
Optionally, the determining whether a security vulnerability exists in the system to be tested according to the comparison result includes: and when the format of the request data carried by the first response is the same as that of the request data carried by the second response, determining that the security vulnerability exists in the system to be tested.
Optionally, the determining whether a security vulnerability exists in the system to be tested according to the comparison result includes: and when the difference value between the size of the first response data packet and the size of the second response data packet is smaller than a preset first threshold value, determining that a security vulnerability exists in the system to be tested.
Optionally, the method further comprises: when the format of the request data carried by the first response is the same as that of the request data carried by the second response, a second access request aiming at the system to be tested is obtained, wherein the second access request carries login state information of a third user; replacing information of a preset field in the second access request data packet with pre-stored information of the field of the fourth user, and generating a second test request aiming at the system to be tested; sending a second access request and a second test request to the system to be tested; comparing a third response returned by the system to be tested for the second access request with a fourth response returned for the second test request; and when the format of the request data carried by the third response is the same as the format of the request data carried by the fourth response or the difference value between the size of the data packet of the third response and the size of the data packet of the fourth response is smaller than a preset second threshold value, determining that a security vulnerability exists in the system to be tested.
Optionally, the field includes: a subscriber identity and/or a current service identity.
To achieve the above object, according to another aspect of the present invention, there is provided a system security vulnerability detection apparatus.
The device for detecting the system security vulnerability of the embodiment of the invention can comprise: the device comprises a request acquisition unit, a first access unit and a second access unit, wherein the request acquisition unit is used for acquiring a first access request aiming at a system to be tested, and the first access request carries login state information of a first user; the request construction unit is used for changing the login credential information in the first access request data packet and generating a first test request aiming at the system to be tested; the request sending unit is used for sending a first access request and a first test request to the system to be tested; and the test unit is used for comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request and judging whether a security vulnerability exists in the system to be tested according to a comparison result.
To achieve the above object, according to still another aspect of the present invention, there is provided an electronic apparatus.
An electronic device of the present invention includes: one or more processors; the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors realize the method for detecting the system security vulnerability provided by the invention.
To achieve the above object, according to still another aspect of the present invention, there is provided a computer-readable storage medium.
The invention relates to a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the method for detecting system security vulnerabilities provided by the invention.
According to the technical scheme of the invention, one embodiment of the invention has the following advantages or beneficial effects: the method comprises the steps of generating a first test request by obtaining a first access request carrying normal user login state information, replacing login credential information in the first access request with login credential information of other users or deleting the login credential information, sending two requests to a system to be tested, comparing respective response information, and judging whether an access control vulnerability generated due to lack of verification on the login credential exists in the system to be tested when returned data are the same, returned data are the same in format or response data packets are close in size; on the basis, preset field information in a second access request sent by a normal user can be further changed to form a second test request, and the response of the second request is compared in a similar mode so as to detect whether the system has an access control vulnerability generated due to lack of verification of the field information. The steps can be automatically executed by writing the test script, so that the detection efficiency is higher.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram illustrating major steps of a method for detecting a system security vulnerability according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an architecture for implementing a method for detecting a system security vulnerability according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a part of a device for detecting a system security vulnerability according to an embodiment of the present invention;
FIG. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 5 is a schematic structural diagram of an electronic device for implementing the method for detecting a system security vulnerability in the embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments of the present invention and the technical features of the embodiments may be combined with each other without conflict.
Fig. 1 is a schematic diagram illustrating main steps of a method for detecting a system security vulnerability according to an embodiment of the present invention.
As shown in fig. 1, the method for detecting a system security vulnerability according to the embodiment of the present invention may specifically be performed according to the following steps:
step S101: the method comprises the steps of obtaining a first access request aiming at a system to be tested, wherein the first access request carries login state information of a first user.
In this step, the first user login state information may be login information (e.g., a user name, a password, etc.) of the first user, or may be a Session identifier (i.e., Session ID) or a login credential (i.e., Token) that characterizes a login state of the user. In practical applications, the above login status information may be stored in a Cookie field of a request header of the access request packet. In the embodiment of the present invention, the first user includes a second user, a third user, and a fourth user (all the above four users are different users) which are all users capable of normally accessing the system under test (i.e., capable of receiving a normal response from the system under test). In a specific application, the first access request can be intercepted by the access request access device, and the first access request can also be constructed by acquiring historical access information of the first user. After the first access request is obtained, whether the first access request is used in the previous test process and whether the first access request can be normally responded by the system to be tested can be checked, and if the first access request is qualified through checking, the subsequent steps can be executed.
Step S102: and changing the login credential information in the first access request data packet to generate a first test request aiming at the system to be tested.
In order to verify whether the system to be tested has a security vulnerability caused by lack of verification of the user login credentials, in this step, the user login credentials in the normal request (i.e., the first access request) may be modified to generate a first test request and send the second request to the system to be tested. It can be understood that if the system to be tested does not have the security vulnerability, the response data packets for the two requests are necessarily different; if the system to be tested has the security vulnerability, the response data packets for the two requests may be slightly different or even completely the same, so that the response information of the two requests can be compared to judge whether the system to be tested has the security vulnerability.
In practical applications, the login credential information may be changed in a Cookie field of the request header data of the first access request. Specifically, the modification may be to replace the login credential information in the first access request with the login credential information of the second user stored in advance, or to delete the login credential information in the first access request packet.
Step S103: and sending the first access request and the first test request to the system to be tested.
Step S104: and comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request, and judging whether the system to be tested has a security vulnerability according to a comparison result.
In this step, after receiving the first response and the second response, the first response and the second response may be compared and whether a security vulnerability exists in the system under test may be determined according to the following policy: if the request data carried by the first response (i.e. the data requested by the first access request, for example, when the first access request aims to inquire the order number, the order number information returned by the system to be tested is the request data) is the same as the request data carried by the second response, determining that a security vulnerability exists in the system to be tested; if the format of the request data carried by the first response is the same as that of the request data carried by the second response (for example, the request data are both 13 digits, and the format can be set according to requirements), determining that a security vulnerability exists in the system to be tested; if the difference value between the size of the first response data packet and the size of the second response data packet is smaller than a preset first threshold value (the threshold value can be set according to requirements, for example, 500 bytes), it is determined that a security vulnerability exists in the system to be tested.
Through the arrangement, the method can judge whether the system to be tested has security holes caused by lack of verification of the user login credentials. Further, in the embodiment of the present invention, it may be determined whether the system under test has a security vulnerability due to lack of verification on other field information through the following steps, where the fields may include: user identification, user mobile terminal (such as mobile phone) number, current service identification (for example, when the user uses the order number to inquire the order state, the order number is the current service identification). In practical application, the user identifier may be present in a Cookie field of a request header, and the user mobile terminal number and the current service identifier may be present in a request body.
Specifically, when the security vulnerability of the system to be detected is not found through the foregoing steps, a second access request for the system to be detected, which carries the login state information of the third user, may be first obtained. Similarly, after obtaining the third access request, it is checked whether the third access request has been used in the previous test process and can be normally responded by the system under test, and if the third access request is verified to be a qualified request, the subsequent steps can be executed. After that, the preset field information in the second access request data packet may be replaced with the previously stored field information of the fourth user or deleted, so as to generate a second test request for the system under test. And finally, sending the second access request and the second test request to the system to be tested, and comparing a third response returned by the system to be tested for the second access request with a fourth response returned for the second test request. Based on the above reasons, it can be determined whether there is a security hole in the system under test due to lack of verification of the above field information through the following strategy.
If the request data carried by the third response is the same as the request data carried by the fourth response, determining that a security vulnerability exists in the system to be tested; if the format of the request data carried by the third response is the same as that of the request data carried by the fourth response, determining that a security vulnerability exists in the system to be tested; and if the difference value between the size of the third response data packet and the size of the fourth response data packet is smaller than a preset second threshold (the threshold can be the same as or different from the first threshold), determining that a security vulnerability exists in the system to be tested.
Through the arrangement, the security hole existing in the system to be detected can be detected quickly and accurately. Fig. 2 is a schematic diagram of an architecture for implementing a method for detecting a system security vulnerability according to an embodiment of the present invention, and as shown in fig. 2, the architecture for implementing the method for detecting a system security vulnerability includes a request access module, a rule management dimension module, a security vulnerability detection module, a task processing scheduling module, and a result statistics output module, and the functions of each module will be described below.
In the embodiment of the present invention, the request access module may be configured to record an access request between the user terminal and the system to be tested, and all request data packets pass through the module. The module executes deduplication processing on an access request sent by a user terminal and analyzes parameters carried in the request. In practical applications, the module may perform the deduplication processing and analysis according to a request method (e.g., Get method, Post method, etc.), a request protocol, a request Host (hostname), and/or a request URL (Uniform Resource Locator). It will be appreciated that the first access request and the second access request described above may be obtained from a requesting access module.
The rule management maintenance module can be used for maintaining necessary data required by the system, wherein the data comprises user login credentials, hypertext Transfer security Protocol (http) (secure) certificates, data matching rules, data matching fields, host priority and the like. It is understood that the http certificate, the data matching rule, the data matching field, and the host priority are all data required for executing a specific service. It should be noted that, in the above steps, the login credential information of the second user and the preset field information of the fourth user may be obtained from the rule management maintenance module.
The security vulnerability identification module is a module for executing the method for detecting the system security vulnerability, and may obtain the first access request and the second access request from the request access module, and obtain the login credential information of the second user and the preset field information of the fourth user from the rule management maintenance module, so as to generate the first test request and the second test request.
The task processing and scheduling module can be used for pulling a corresponding test case through the working node and managing the working node, can also be used for distributing a preset number of threads to process requests and response tasks of data packets, and can automatically add new threads when the number of the current idle threads is reduced to a certain number.
The result statistic output module can be used for storing the detected security vulnerabilities and related request packet data and response packet data into a database for subsequent analysis, and the data can also be used for subsequent training, verification and testing of related machine learning models.
In the technical scheme of the embodiment of the invention, a first access request carrying login state information of a normal user is obtained, the login credential information is replaced by login credential information of other users or deleted to generate a first test request, the two requests are sent to a system to be tested and respective response information is compared, and when the returned data are the same, the returned data are in the same format or the response data packet is close in size, the system to be tested can be judged to have an access control vulnerability due to lack of authentication on the login credential; on the basis, preset field information in a second access request sent by a normal user can be further changed to form a second test request, and the response of the second request is compared in a similar mode so as to detect whether the system has an access control vulnerability generated due to lack of verification of the field information. The steps can be automatically executed by writing the test script, so that the detection efficiency is higher.
It should be noted that, for the convenience of description, the foregoing method embodiments are described as a series of acts, but those skilled in the art will appreciate that the present invention is not limited by the order of acts described, and that some steps may in fact be performed in other orders or concurrently. Moreover, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no acts or modules are necessarily required to implement the invention.
To facilitate a better implementation of the above-described aspects of embodiments of the present invention, the following also provides relevant means for implementing the above-described aspects.
Referring to fig. 3, a device 300 for detecting a system security vulnerability according to an embodiment of the present invention may include: a request acquisition unit 301, a request construction unit 302, a request transmission unit 303, and a test unit 304.
The request obtaining unit 301 may be configured to obtain a first access request for a system to be tested, where the first access request carries login status information of a first user; the request construction unit 302 may be configured to modify login credential information in the first access request packet, and generate a first test request for the system under test; the request sending unit 303 may be configured to send a first access request and a first test request to the system under test; the test unit 304 may be configured to compare a first response returned by the system under test for the first access request with a second response returned by the system under test for the first test request, and determine whether a security vulnerability exists in the system under test according to a comparison result.
In an embodiment of the present invention, the request construction unit 302 may be further configured to: replacing the login credential information in the first access request data packet with pre-stored login credential information of the second user; or deleting the login credential information in the first access request packet.
In particular applications, the test unit 304 may be further configured to: and when the request data carried by the first response is the same as the request data carried by the second response, determining that the security vulnerability exists in the system to be tested.
In an actual application scenario, the test unit 304 may further be configured to: and when the format of the request data carried by the first response is the same as that of the request data carried by the second response, determining that the security vulnerability exists in the system to be tested.
In some embodiments, the test unit 304 may be further configured to: and when the difference value between the size of the first response data packet and the size of the second response data packet is smaller than a preset first threshold value, determining that a security vulnerability exists in the system to be tested.
As a preferred solution, the apparatus 300 may further include a related vulnerability detection unit, configured to: when the format of the request data carried by the first response is the same as that of the request data carried by the second response, a second access request aiming at the system to be tested is obtained, wherein the second access request carries login state information of a third user; replacing information of a preset field in the second access request data packet with pre-stored information of the field of the fourth user, and generating a second test request aiming at the system to be tested; sending a second access request and a second test request to the system to be tested; comparing a third response returned by the system to be tested for the second access request with a fourth response returned for the second test request; and when the format of the request data carried by the third response is the same as the format of the request data carried by the fourth response or the difference value between the size of the data packet of the third response and the size of the data packet of the fourth response is smaller than a preset second threshold value, determining that a security vulnerability exists in the system to be tested.
Furthermore, in the embodiment of the present invention, the fields may include: a subscriber identity and/or a current service identity.
In the technical scheme of the embodiment of the invention, a first access request carrying login state information of a normal user is obtained, the login credential information is replaced by login credential information of other users or deleted to generate a first test request, the two requests are sent to a system to be tested and respective response information is compared, and when the returned data are the same, the returned data are in the same format or the response data packet is close in size, the system to be tested can be judged to have an access control vulnerability due to lack of authentication on the login credential; on the basis, preset field information in a second access request sent by a normal user can be further changed to form a second test request, and the response of the second request is compared in a similar mode so as to detect whether the system has an access control vulnerability generated due to lack of verification of the field information. The steps can be automatically executed by writing the test script, so that the detection efficiency is higher.
Fig. 4 shows an exemplary system architecture 400 to which the method for detecting a system security vulnerability or the apparatus for detecting a system security vulnerability according to the embodiments of the present invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405 (this architecture is merely an example, and the components included in a particular architecture may be adapted according to application specific circumstances). The network 404 serves as a medium for providing communication links between the terminal devices 401, 402, 403 and the server 405. Network 404 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 401, 402, 403 to interact with a server 405 over a network 404 to receive or send messages or the like. The terminal devices 401, 402, 403 may have installed thereon various communication client applications, such as a security breach detection type application (for example only).
The terminal devices 401, 402, 403 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 405 may be a server providing various services, such as a server providing support for security breach detection type applications operated by users with the terminal devices 401, 402, 403 (for example only). The server 405 may process the received security breach detection request and the like, and feed back a processing result (e.g., a detection result, for example only) to the terminal devices 401, 402, 403.
It should be noted that the method for detecting a system security vulnerability provided by the embodiment of the present invention is generally executed by the server 405, and accordingly, the device for detecting a system security vulnerability is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The invention also provides the electronic equipment. The electronic device of the embodiment of the invention comprises: one or more processors; the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors realize the method for detecting the system security vulnerability provided by the invention.
Referring now to FIG. 5, shown is a block diagram of a computer system 500 suitable for use in implementing an electronic device of an embodiment of the present invention. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU)501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM503, various programs and data necessary for the operation of the computer system 500 are also stored. The CPU501, ROM 502, and RAM503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The driver 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is mounted into the storage section 508 as necessary.
In particular, the processes described in the main step diagrams above may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the main step diagram. In the above-described embodiment, the computer program can be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the central processing unit 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a request acquisition unit, a request construction unit, and a test unit. Where the names of the units do not in some cases constitute a limitation on the units themselves, for example, the request acquisition unit may also be described as a "unit providing the first access request to the request construction unit".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to perform steps comprising: acquiring a first access request aiming at a system to be tested, wherein the first access request carries login state information of a first user; changing the login credential information in the first access request data packet to generate a first test request aiming at the system to be tested; sending a first access request and a first test request to a system to be tested; and comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request, and judging whether the system to be tested has a security vulnerability according to a comparison result.
In the technical scheme of the embodiment of the invention, a first access request carrying login state information of a normal user is obtained, the login credential information is replaced by login credential information of other users or deleted to generate a first test request, the two requests are sent to a system to be tested and respective response information is compared, and when the returned data are the same, the returned data are in the same format or the response data packet is close in size, the system to be tested can be judged to have an access control vulnerability due to lack of authentication on the login credential; on the basis, preset field information in a second access request sent by a normal user can be further changed to form a second test request, and the response of the second request is compared in a similar mode so as to detect whether the system has an access control vulnerability generated due to lack of verification of the field information. The steps can be automatically executed by writing the test script, so that the detection efficiency is higher.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method for detecting system security vulnerabilities, comprising:
acquiring a first access request aiming at a system to be tested, wherein the first access request carries login state information of a first user;
changing the login credential information in the first access request data packet to generate a first test request aiming at the system to be tested;
sending a first access request and a first test request to a system to be tested; and
and comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request, and judging whether the system to be tested has a security vulnerability according to a comparison result.
2. The method of claim 1, wherein the modifying login credential information in the first access request packet comprises:
replacing the login credential information in the first access request data packet with pre-stored login credential information of the second user; or
And deleting the login credential information in the first access request data packet.
3. The method according to claim 1, wherein the determining whether the system under test has a security vulnerability according to the comparison result comprises:
and when the request data carried by the first response is the same as the request data carried by the second response, determining that the security vulnerability exists in the system to be tested.
4. The method according to claim 1, wherein the determining whether the system under test has a security vulnerability according to the comparison result comprises:
and when the format of the request data carried by the first response is the same as that of the request data carried by the second response, determining that the security vulnerability exists in the system to be tested.
5. The method according to claim 1, wherein the determining whether the system under test has a security vulnerability according to the comparison result comprises:
and when the difference value between the size of the first response data packet and the size of the second response data packet is smaller than a preset first threshold value, determining that a security vulnerability exists in the system to be tested.
6. The method of claim 4, further comprising:
when the format of the request data carried by the first response is the same as that of the request data carried by the second response, a second access request aiming at the system to be tested is obtained, wherein the second access request carries login state information of a third user;
replacing information of a preset field in the second access request data packet with pre-stored information of the field of the fourth user, and generating a second test request aiming at the system to be tested;
sending a second access request and a second test request to the system to be tested;
comparing a third response returned by the system to be tested for the second access request with a fourth response returned for the second test request; and
and when the format of the request data carried by the third response is the same as the format of the request data carried by the fourth response or the difference value between the size of the data packet of the third response and the size of the data packet of the fourth response is smaller than a preset second threshold value, determining that a security vulnerability exists in the system to be tested.
7. The method of claim 6, wherein the field comprises: a subscriber identity and/or a current service identity.
8. A system security vulnerability detection device, comprising:
the device comprises a request acquisition unit, a first access unit and a second access unit, wherein the request acquisition unit is used for acquiring a first access request aiming at a system to be tested, and the first access request carries login state information of a first user;
the request construction unit is used for changing the login credential information in the first access request data packet and generating a first test request aiming at the system to be tested;
the request sending unit is used for sending a first access request and a first test request to the system to be tested;
and the test unit is used for comparing a first response returned by the system to be tested aiming at the first access request with a second response returned aiming at the first test request and judging whether a security vulnerability exists in the system to be tested according to a comparison result.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911118880.1A CN111104675A (en) | 2019-11-15 | 2019-11-15 | Method and device for detecting system security vulnerability |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911118880.1A CN111104675A (en) | 2019-11-15 | 2019-11-15 | Method and device for detecting system security vulnerability |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111104675A true CN111104675A (en) | 2020-05-05 |
Family
ID=70420762
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911118880.1A Pending CN111104675A (en) | 2019-11-15 | 2019-11-15 | Method and device for detecting system security vulnerability |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111104675A (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112165489A (en) * | 2020-09-28 | 2021-01-01 | 彩讯科技股份有限公司 | Unauthorized access vulnerability detection method, system, server and storage medium |
| CN112464250A (en) * | 2020-12-15 | 2021-03-09 | 光通天下网络科技股份有限公司 | Method, device and medium for automatically detecting unauthorized vulnerability |
| CN113242257A (en) * | 2021-05-26 | 2021-08-10 | 中国银行股份有限公司 | Unauthorized vulnerability detection method, device, equipment and storage medium |
| CN113259327A (en) * | 2021-04-20 | 2021-08-13 | 长沙市到家悠享网络科技有限公司 | Automatic interface detection method, system and computer equipment |
| CN113411333A (en) * | 2021-06-18 | 2021-09-17 | 杭州安恒信息技术股份有限公司 | Unauthorized access vulnerability detection method, device, system and storage medium |
| CN114676067A (en) * | 2022-05-26 | 2022-06-28 | 武汉迎风聚智科技有限公司 | Parameterization processing method and device for test script |
| CN114938291A (en) * | 2022-04-25 | 2022-08-23 | 深圳开源互联网安全技术有限公司 | Method and system for detecting user identity verification vulnerability in application program |
| CN115080977A (en) * | 2022-05-06 | 2022-09-20 | 北京结慧科技有限公司 | Security vulnerability defense method, system, computer equipment and storage medium |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104753730A (en) * | 2013-12-30 | 2015-07-01 | 腾讯科技(深圳)有限公司 | Vulnerability detection method and device |
| CN105049440A (en) * | 2015-08-06 | 2015-11-11 | 福建天晴数码有限公司 | Method and system for detecting cross-site scripting attack injection |
| CN107294919A (en) * | 2016-03-31 | 2017-10-24 | 阿里巴巴集团控股有限公司 | A kind of detection method and device of horizontal authority leak |
| CN107566537A (en) * | 2017-10-30 | 2018-01-09 | 郑州云海信息技术有限公司 | A kind of web applies the method for semi-automatically detecting and system of longitudinal leak of going beyond one's commission |
| CN108833365A (en) * | 2018-05-24 | 2018-11-16 | 杭州默安科技有限公司 | A kind of service logic leak detection method and its system based on flow |
| CN110113366A (en) * | 2019-06-24 | 2019-08-09 | 深圳前海微众银行股份有限公司 | A kind of detection method and device of CSRF loophole |
| CN110348225A (en) * | 2019-07-09 | 2019-10-18 | 中国工商银行股份有限公司 | Method and apparatus are determined for the security breaches of application programming interfaces |
| CN110442524A (en) * | 2019-08-09 | 2019-11-12 | 中国建设银行股份有限公司 | It is a kind of for have Certificate Authority web service interface test method and device |
-
2019
- 2019-11-15 CN CN201911118880.1A patent/CN111104675A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104753730A (en) * | 2013-12-30 | 2015-07-01 | 腾讯科技(深圳)有限公司 | Vulnerability detection method and device |
| CN105049440A (en) * | 2015-08-06 | 2015-11-11 | 福建天晴数码有限公司 | Method and system for detecting cross-site scripting attack injection |
| CN107294919A (en) * | 2016-03-31 | 2017-10-24 | 阿里巴巴集团控股有限公司 | A kind of detection method and device of horizontal authority leak |
| CN107566537A (en) * | 2017-10-30 | 2018-01-09 | 郑州云海信息技术有限公司 | A kind of web applies the method for semi-automatically detecting and system of longitudinal leak of going beyond one's commission |
| CN108833365A (en) * | 2018-05-24 | 2018-11-16 | 杭州默安科技有限公司 | A kind of service logic leak detection method and its system based on flow |
| CN110113366A (en) * | 2019-06-24 | 2019-08-09 | 深圳前海微众银行股份有限公司 | A kind of detection method and device of CSRF loophole |
| CN110348225A (en) * | 2019-07-09 | 2019-10-18 | 中国工商银行股份有限公司 | Method and apparatus are determined for the security breaches of application programming interfaces |
| CN110442524A (en) * | 2019-08-09 | 2019-11-12 | 中国建设银行股份有限公司 | It is a kind of for have Certificate Authority web service interface test method and device |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112165489A (en) * | 2020-09-28 | 2021-01-01 | 彩讯科技股份有限公司 | Unauthorized access vulnerability detection method, system, server and storage medium |
| CN112464250A (en) * | 2020-12-15 | 2021-03-09 | 光通天下网络科技股份有限公司 | Method, device and medium for automatically detecting unauthorized vulnerability |
| CN113259327A (en) * | 2021-04-20 | 2021-08-13 | 长沙市到家悠享网络科技有限公司 | Automatic interface detection method, system and computer equipment |
| CN113242257A (en) * | 2021-05-26 | 2021-08-10 | 中国银行股份有限公司 | Unauthorized vulnerability detection method, device, equipment and storage medium |
| CN113411333A (en) * | 2021-06-18 | 2021-09-17 | 杭州安恒信息技术股份有限公司 | Unauthorized access vulnerability detection method, device, system and storage medium |
| CN114938291A (en) * | 2022-04-25 | 2022-08-23 | 深圳开源互联网安全技术有限公司 | Method and system for detecting user identity verification vulnerability in application program |
| CN115080977A (en) * | 2022-05-06 | 2022-09-20 | 北京结慧科技有限公司 | Security vulnerability defense method, system, computer equipment and storage medium |
| CN114676067A (en) * | 2022-05-26 | 2022-06-28 | 武汉迎风聚智科技有限公司 | Parameterization processing method and device for test script |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111104675A (en) | Method and device for detecting system security vulnerability | |
| CN110944330B (en) | MEC platform deployment method and device | |
| CN110442524B (en) | Method and device for testing web service interface with authentication authorization | |
| EP2676220A2 (en) | System and method for application attestation | |
| CN109981647B (en) | Method and apparatus for detecting brute force cracking | |
| CN113271296B (en) | Login authority management method and device | |
| CN112653681B (en) | Multi-feature fusion user login access method, device and system | |
| US11379567B2 (en) | Establishing access sessions | |
| CN112995166A (en) | Resource access authentication method and device, storage medium and electronic equipment | |
| US20230308459A1 (en) | Authentication attack detection and mitigation with embedded authentication and delegation | |
| CN115695012A (en) | Login request processing method and device, electronic equipment and storage medium | |
| CN111556080A (en) | Network node monitoring method, device, medium and electronic equipment | |
| CN107911383A (en) | A kind of cryptographic check method and apparatus | |
| CN111767542A (en) | Unauthorized detection method and device | |
| CN107634942B (en) | Method and device for identifying malicious request | |
| CN113709136B (en) | Access request verification method and device | |
| CN110048864B (en) | Method and apparatus for authenticating an administrator of a device-specific message group | |
| CN108228280A (en) | The configuration method and device of browser parameters, storage medium, electronic equipment | |
| CN113946816A (en) | Cloud service-based authentication method and device, electronic equipment and storage medium | |
| CN110875831B (en) | Method and device for monitoring network quality | |
| CN113343155A (en) | Request processing method and device | |
| CN115834252B (en) | Service access method and system | |
| CN112350881B (en) | Method and device for testing performance of switch | |
| CN111885006B (en) | Page access and authorized access method and device | |
| CN112069517B (en) | Method and device for managing user rights |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200505 |
|
| RJ01 | Rejection of invention patent application after publication |