CN111125748A - Judgment method and device for unauthorized query, computer equipment and storage medium - Google Patents


Info

Publication number
CN111125748A
Authority
CN
China
Prior art keywords
response message
request message
response
application server
function point
Legal status
Pending
Application number
CN201911067611.7A
Other languages
Chinese (zh)
Inventor
曾立环
刘远欢
苏武波
曾祥圣
林伟佳
张奕华
邱红丽
尉洪敏
Current Assignee
China Guangfa Bank Co Ltd
Original Assignee
China Guangfa Bank Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention relates to a method, device, computer equipment and storage medium for judging unauthorized query. The method comprises the following steps: obtaining a first response message of an application server; replacing a first session parameter carried by the first request message with a second session parameter to obtain a third request message; sending the third request message to the application server; obtaining the third response message returned by the application server in response to the third request message; and finally judging whether the target function point is subject to unauthorized query based on the consistency of the first response message and the third response message. The scheme keeps the query condition in the request message unchanged and modifies only the session parameter, so that whether the corresponding function point is subject to unauthorized query is judged from the consistency of the response messages obtained before and after the session parameter is modified. The query conditions of the request message do not need to be modified one by one, which improves the efficiency of judging unauthorized query.

Description

Judgment method and device for unauthorized query, computer equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to an unauthorized query determination method, an unauthorized query determination device, a computer device, and a computer-readable storage medium.
Background
An unauthorized query vulnerability is one that allows a user, when querying a transaction, to query the sensitive data of other users. For example, after a user logs in to the application program and queries the current balance of a card by entering their own card number, if the user then modifies the card number and can query the balance of another user, an unauthorized query has occurred. If a Web application contains function points through which a user's sensitive information can be queried without authorization, that sensitive information can be leaked on a large scale. Therefore the function points for querying transactions need to be tested for unauthorized query, so as to judge whether they are subject to it.
In the conventional technology, a penetration tester determines whether unauthorized query occurs by modifying the query parameters in transaction messages one by one and examining the returned data. Specifically, the penetration tester identifies the query parameters in the transaction messages, such as card numbers, fund account numbers and serial numbers, modifies the query conditions one by one, and checks whether sensitive data of other users is returned, thereby judging whether the function point is subject to unauthorized query. However, this technique requires the penetration tester to modify the query conditions of each function point one by one, and the time complexity increases exponentially with the number of query conditions, so the efficiency of determining unauthorized queries is low.
Disclosure of Invention
In view of the above, it is necessary to provide an unauthorized query determination method, an unauthorized query determination device, a computer device, and a computer-readable storage medium, for solving the technical problem of low efficiency in determining unauthorized queries in the conventional technology.
A judgment method for unauthorized inquiry comprises the following steps:
acquiring a first response message of an application server; the first response message is obtained by the application server responding to the first request message; the first request message is used for a first user to inquire a target function point of the application server;
replacing the first session parameter carried by the first request message with a second session parameter to obtain a third request message; the second session parameter is a session parameter carried by the second request message; the second request message is used for a second user to inquire the target function point; the second user is a different user than the first user;
sending the third request message to the application server;
acquiring a third response message of the application server; the third response message is obtained by the application server responding to the third request message;
and judging whether the target function point has unauthorized inquiry or not based on the consistency of the first response message and the third response message.
An apparatus for determining unauthorized inquiry, comprising:
the first acquisition module is used for acquiring a first response message of the application server; the first response message is obtained by the application server responding to the first request message; the first request message is used for a first user to inquire a target function point of the application server;
the replacing module is used for replacing the first session parameters carried by the first request message with the second session parameters to obtain a third request message; the second session parameter is a session parameter carried by the second request message; the second request message is used for a second user to inquire the target function point; the second user is different from the first user;
a sending module, configured to send the third request message to the application server;
the second obtaining module is used for obtaining a third response message of the application server; the third response message is obtained by the application server responding to the third request message;
and the judging module is used for judging whether the target function point has unauthorized inquiry or not based on the consistency of the first response message and the third response message.
A computer device comprising a processor and a memory, the memory storing a computer program that when executed by the processor performs the steps of:
acquiring a first response message of an application server; the first response message is obtained by the application server responding to the first request message; the first request message is used for a first user to inquire a target function point of the application server; replacing the first session parameter carried by the first request message with a second session parameter to obtain a third request message; the second session parameter is a session parameter carried by the second request message; the second request message is used for a second user to inquire the target function point; the second user is a different user than the first user; sending the third request message to the application server; acquiring a third response message of the application server; the third response message is obtained by the application server responding to the third request message; and judging whether the target function point has unauthorized inquiry or not based on the consistency of the first response message and the third response message.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring a first response message of an application server; the first response message is obtained by the application server responding to the first request message; the first request message is used for a first user to inquire a target function point of the application server; replacing the first session parameter carried by the first request message with a second session parameter to obtain a third request message; the second session parameter is a session parameter carried by the second request message; the second request message is used for a second user to inquire the target function point; the second user is a different user than the first user; sending the third request message to the application server; acquiring a third response message of the application server; the third response message is obtained by the application server responding to the third request message; and judging whether the target function point has unauthorized inquiry or not based on the consistency of the first response message and the third response message.
The method, device, computer equipment and storage medium for judging unauthorized query obtain a first response message of the application server, replace the first session parameter carried by the first request message with a second session parameter to obtain a third request message, send the third request message to the application server, obtain the third response message returned by the application server in response to the third request message, and finally judge whether the target function point is subject to unauthorized query based on the consistency of the first response message and the third response message. The scheme keeps the query condition in the request message unchanged and modifies only the session parameter, so that whether the corresponding function point is subject to unauthorized query is judged from the consistency of the response messages obtained before and after the session parameter is modified. The query conditions of the request message do not need to be modified one by one, which improves the efficiency of judging unauthorized query.
Drawings
FIG. 1 is a diagram illustrating an exemplary scenario for determining unauthorized query;
FIG. 2 is a schematic diagram of unauthorized access in one embodiment;
FIG. 3 is a flowchart illustrating a method for determining unauthorized query in one embodiment;
FIG. 4 is a schematic diagram illustrating a method for determining unauthorized query in one embodiment;
FIG. 5 is a schematic diagram of another embodiment of a method for determining unauthorized query;
FIG. 6 is a block diagram showing an example of the structure of an apparatus for determining unauthorized inquiry;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It should be noted that the terms "first/second/third" in the embodiments of the present invention only distinguish similar objects and do not represent a specific ordering of those objects; "first/second/third" may exchange their specific order or sequence where allowed. It should be understood that the terms first, second and third, as used herein, are interchangeable under appropriate circumstances, so that the embodiments of the invention described herein are capable of operating in sequences other than those illustrated or described herein.
The method for determining unauthorized query provided by the present invention can be applied to the application scenario shown in fig. 1, where fig. 1 is an application scenario diagram of the method for determining unauthorized query in an embodiment, and the application scenario may include a first access terminal 110, a second access terminal 120, a determining device 200 and an application server 300, where the first access terminal 110 is a terminal used by a first user, the second access terminal 120 is a terminal used by a second user, the first user and the second user may access the application server 300 through the first access terminal 110 and the second access terminal 120, respectively, and the first access terminal 110 and the second access terminal 120 may have corresponding application programs installed thereon, so that the users may access function points of query transactions of the application server 300. When a user triggers to query a certain function point on the access terminal, the access terminal generates a corresponding request message and sends the request message to the application server 300, and the application server 300 generates a response message according to the request message and feeds the response message back to the access terminal, thereby completing the process of querying the function point.
Taking a bank APP as an application program as an example, the bank APP may be downloaded from the application server 300 and installed on the access terminals such as the first access terminal 110 and the second access terminal 120 in advance, and the user may query each function point through the bank APP, for example, the user may query information such as a periodic deposit interest rate, an account balance, and payroll details through the corresponding function point provided by the bank APP. For example, when a user needs to query the account balance, the access terminal generates a query request message of the account balance and sends the query request message to the application server 300, and the application server 300 generates a query response message carrying the account balance information according to the query request message and feeds the query response message back to the access terminal, so that the user can view the account balance information on a bank APP interface of the access terminal.
In application programs such as a bank APP, the function points for querying information such as account balance and payroll details may be subject to unauthorized query, that is, a user can query the current balance of other users by modifying the card number. This is described with reference to FIG. 2, which is a schematic diagram of the principle of unauthorized access in an embodiment. The root cause of unauthorized query is that the application server does not check whether the data being queried belongs to the currently logged-in user, that is, it does not check whether the data being queried and the session parameter in the request message belong to the same person. Specifically, when user A logs in to the application server, user A sends their account and password to the application server through the access terminal. For the duration of the login, the application server maintains a one-to-one relationship between session parameters and user identity information, and feeds back the session parameter A corresponding to user A to the access terminal. When user A then accesses a function point such as account balance query through the access terminal, the access terminal sends the card number A input by user A together with the pre-stored session parameter A to the application server, and the application server returns user A's data to user A. If user A modifies card number A into card number B and queries again, and the application server returns user B's data to user A, the function point is subject to unauthorized query.
The embodiment of the present invention may determine whether there is an unauthorized query for a function point of the application server 300 based on the determination device 200 shown in fig. 1, where the determination device 200 is a device configured with an unauthorized query determination tool, the unauthorized query determination tool is software for determining whether the unauthorized query occurs for the function point, and the determination device 200 may be a terminal such as a personal computer, a notebook computer, a tablet computer, or may be implemented by a server or a server cluster.
Specifically, the process by which the determining device 200 determines whether a function point is subject to unauthorized query may include the following steps. The determining device 200 obtains a first response message of the application server 300, where the first response message is obtained by the application server 300 in response to a first request message, and the first request message is a request message for a first user to query a target function point of the application server; the target function point is the function point, among those provided by the application server, that needs to be tested for unauthorized query. The determining device 200 replaces the first session parameter carried in the first request message with the second session parameter to obtain a third request message, where the third request message is the first request message with its session parameter modified, the second session parameter is the session parameter carried in a second request message, and the second request message is a request message for a second user to query the same target function point. The determining device 200 then sends the third request message to the application server 300, obtains the third response message returned by the application server 300 in response to the third request message, and finally determines whether the target function point is subject to unauthorized query based on the consistency between the first response message and the third response message.
The scheme keeps the query condition in the request message unchanged and modifies only the session parameter, so that whether the corresponding function point is subject to unauthorized query is judged from the consistency of the response messages obtained before and after the session parameter is modified. The query conditions of the request message do not need to be modified one by one, which improves the efficiency of judging unauthorized query.
In an embodiment, a method for determining an unauthorized query is provided, referring to fig. 3, fig. 3 is a flowchart illustrating a method for determining an unauthorized query in an embodiment, which may be applied to the determining apparatus 200 shown in fig. 1, and the method for determining an unauthorized query may include the following steps:
step S101, a first response message of the application server is obtained.
The first response message is the response message obtained by the application server 300 in response to the first request message, where the first request message is a transaction message used by the first user to query a target function point of the application server 300; the application server 300 may provide a plurality of function points through which users query the transaction information they are interested in. Taking a bank as an example, the function points provided by the bank's application server may include one for querying deposit interest rates, one for querying account balance, one for querying payroll details, one for querying the receiving address, and so on, and a user may query the corresponding transaction information by accessing these function points of the application server through the access terminal. The target function point is the function point, among the plurality provided by the application server 300, that needs to be tested for unauthorized query. Such function points are generally those that query a user's private data, and are characterized by the fact that the data queried by different users is different. For example, the function point for querying account balance or the one for querying payroll details may serve as the target function point: when different users query their account balances, the data carried in the response messages fed back by the application server differs.
In this step, the determining device 200 receives the first response message from the application server 300. Before that, the first user may access the application server 300 through the first access terminal 110 to query the target function point: when the first user triggers a query operation on the target function point on the first access terminal 110, the first access terminal 110 generates a first request message for querying the target function point. The determining device 200 may obtain and record the first request message and then forward it to the application server 300; the application server 300 produces the first response message in response to the first request message and may send it to the determining device 200, which receives it.
And step S102, replacing the first session parameters carried by the first request message with the second session parameters to obtain a third request message.
In this step, the determining device 200 replaces the session parameter carried by the first request message, and the first request message after the replacement serves as the third request message. The transaction message with which a user queries a function point carries a query condition (such as a card number) and a session parameter. The application server needs to distinguish different users, and may do so as follows: after a user enters an account and password, and an application server such as an internet banking server verifies them, a random character string is issued to the user as the session parameter, and the application server records the one-to-one relationship between the session parameter and the user's identity information; this is the process of the user logging in to the application server. In the application server, the user identity information usually includes name, certificate type, certificate number, mobile phone number, postal address, employer and so on, and the application server usually uses a data structure such as a data dictionary to maintain the one-to-one relationship. A data dictionary is a basic data structure in computing whose elements are key-value pairs; here the key may be the session parameter and the value the user identity information, and because keys and values correspond one-to-one, the one-to-one relationship between session parameter and user identity information is maintained through these key-value pairs.
After the user logs in and before logging out, every transaction message sent by the user's transactions contains the session parameter, and because the application server records the relationship between session parameters and user identity information, it can determine from the session parameter which user sent the transaction message.
In this step, before replacing the session parameters carried in the first request message, a second request message for the second user to query the target function point may be obtained. The second user is a user different from the first user, and the second request message carries a second session parameter. In this way, after acquiring the second request message, the determining device 200 may extract the second session parameter carried in the second request message, and replace the first session parameter of the first request message with the second session parameter, thereby obtaining the third request message.
In one embodiment, the first request message and the second request message may be generated by the first access terminal 110 and the second access terminal 120 respectively when the first user and the second user query the same target function point in the same time period. The "same time period" may ensure that neither the first user nor the second user has a time-out in the login session for logging in and accessing the application server 300, that is, both the first user and the second user are in the login state.
Session timeout is explained taking the bank's application server as an example: after a user logs in to internet banking, if the user performs no operation for a period of time, the server marks the login session as timed out, and after the timeout the user must log in again to continue. Accordingly, if a user's login session has timed out and the determining device 200 sends a request message carrying the timed-out session parameter to the application server 300 in the subsequent steps, the response message obtained will be a prompt such as "the user's login session has timed out, please log in again", and such a response message is not useful for identifying unauthorized query. Therefore, by obtaining the request messages that different users trigger when querying the same target function point in the same time period, the determining device 200 can ensure that the users triggering the function point access requests are in the logged-in state, so that the response messages obtained are those of the logged-in state. Such response messages are valid messages, so the subsequent steps can accurately determine whether the target function point is subject to unauthorized query.
Step S103, sending the third request message to the application server.
In this step, after obtaining the third request message, the determining device 200 sends the third request message to the application server 300, and after receiving the third request message, the application server 300 responds to the third request message to obtain a third response message.
Step S104, acquiring a third response message of the application server.
After obtaining the third response packet, the application server 300 may send the third response packet to the determining device 200, and the determining device 200 receives the third response packet.
And step S105, judging whether the target function point has unauthorized inquiry or not based on the consistency of the first response message and the third response message.
In this step, after the determining device 200 has obtained the first response message and the third response message, it compares them to judge whether they are consistent. If the first response message is consistent with the third response message, the target function point is judged to be subject to unauthorized query; if they are inconsistent, the target function point is judged not to be subject to unauthorized query. Specifically, the first and third response messages are obtained by the application server 300 responding to the first and third request messages respectively, and the first and third request messages differ in their session parameters while keeping the query condition unchanged. The session parameter of the first request message is the first session parameter, from which the application server determines that the first request message was sent by the first user; the session parameter of the third request message is the second session parameter, from which the application server determines that the third request message was sent by the second user. The response messages obtained by the application server therefore correspond to the first user and the second user respectively, and for a function point that is not subject to unauthorized query, the response messages obtained from queries by different users should differ. Accordingly, the determining device 200 judges the consistency of the first and third response messages: if they are consistent, the second user was able to query the first user's data, which is equivalent to the current user using another user's query condition and obtaining that other user's data, so the target function point is judged to be subject to unauthorized query; if the messages are inconsistent, the second user could not query the first user's data, and the target function point is not subject to unauthorized query.
The method for judging unauthorized query obtains a first response message of the application server, replaces the first session parameter carried by the first request message with a second session parameter to obtain a third request message, sends the third request message to the application server, obtains the third response message returned by the application server in response to the third request message, and finally judges whether the target function point is subject to unauthorized query based on the consistency of the first response message and the third response message. The scheme keeps the query condition in the request message unchanged and modifies only the session parameter, so that whether the corresponding function point is subject to unauthorized query is judged from the consistency of the response messages obtained before and after the session parameter is modified. The query conditions of the request message do not need to be modified one by one, which improves the efficiency of judging unauthorized query.
In an embodiment, before step S105 of determining whether the target function point has an unauthorized query based on the consistency between the first response message and the third response message, the consistency between the messages may be determined by the following steps:
converting the first response message into a first vector; converting the third response message into a third vector; calculating the cosine similarity of the first vector and the third vector; and determining the consistency of the first response message and the third response message according to the cosine similarity.
The embodiment is mainly used for calculating the consistency between response messages based on the cosine similarity principle. First, the cosine similarity principle is briefly described:
Cosine similarity measures the similarity between two vectors by the cosine of the angle between them: the cosine of a 0 degree angle is 1, the cosine of any other angle is not greater than 1, and its minimum value is -1. Thus, the cosine of the angle between two vectors indicates whether the two vectors point in approximately the same direction. When the two vectors have the same direction, the cosine similarity is 1; when the angle between them is 90 degrees, the cosine similarity is 0; when the two vectors point in completely opposite directions, the cosine similarity is -1. Cosine similarity is independent of the lengths of the vectors and depends only on their directions. It is commonly used in the positive space (vectors with non-negative components), where it gives values between 0 and 1.
Cosine similarity works well for any dimension of vector space, and cosine similarity is most often used for high dimensional space. For example, in information retrieval, each term is assigned a different dimension, and a document is represented by a vector whose values in the dimensions correspond to the frequency with which the term appears in the document. Cosine similarity may thus give the similarity of two documents in terms of their subject matter.
Given two n-dimensional vectors A and B, the cosine similarity cos θ is given by the dot product and the vector lengths as follows:

$$\cos\theta = \frac{A \cdot B}{\|A\|\,\|B\|} = \frac{\sum_{i=1}^{n} A_i B_i}{\sqrt{\sum_{i=1}^{n} A_i^2}\,\sqrt{\sum_{i=1}^{n} B_i^2}}$$
The similarity lies in the range -1 to 1, where -1 means that the two vectors point in exactly opposite directions, 1 means that their directions are identical, 0 usually means that they are independent, and values in between indicate intermediate similarity or dissimilarity.
Further, cosine similarity is often used to compare the consistency of texts. The comparison process is shown below by comparing the similarity of two sentences:
Word segmentation:
Sentence A: this piece / clothing / size / larger, that piece / size / fit.
Sentence B: this piece / clothing / size / not / small, that piece / more / fit.
List all words:
this piece, clothing, size, larger, that piece, fit, not, small, more
Calculate word frequency:
Sentence A: this piece 1, clothing 1, size 2, larger 1, that piece 1, fit 1, not 0, small 0, more 0
Sentence B: this piece 1, clothing 1, size 1, larger 0, that piece 1, fit 1, not 1, small 1, more 1
Extract word frequency vectors:
Sentence A: (1,1,2,1,1,1,0,0,0)
Sentence B: (1,1,1,0,1,1,1,1,1)
Calculate cosine similarity:

$$\cos\theta = \frac{1\times1+1\times1+2\times1+1\times0+1\times1+1\times1+0\times1+0\times1+0\times1}{\sqrt{1^2+1^2+2^2+1^2+1^2+1^2+0^2+0^2+0^2}\times\sqrt{1^2+1^2+1^2+0^2+1^2+1^2+1^2+1^2+1^2}} = \frac{6}{3\times\sqrt{8}} \approx 0.71$$

Therefore, the similarity between sentence A and sentence B is 71%.
In this embodiment, after obtaining the first response message and the third response message, the determining device 200 may first convert them into a first vector and a third vector respectively, then calculate the cosine similarity between the first vector and the third vector, and determine the consistency of the first response message and the third response message according to the cosine similarity. Specifically, response messages are usually formatted messages; for example, the response messages of a bank application system are usually in JSON format, from which Chinese and English words and numbers can easily be extracted. The obtained response messages are, for example: response message 1: name: Xiaoming, card number: 123, amount: 100; response message 2: name: Li, card number: 345, amount: 200. Therefore, cosine similarity can be applied to perform the consistency comparison of response messages.
Further, in an embodiment, the step of determining consistency of the first response packet and the third response packet according to the cosine similarity may include:
comparing the cosine similarity with a preset similarity threshold; and if the cosine similarity is smaller than the similarity threshold, judging that the first response message is inconsistent with the third response message.
In this embodiment, if the cosine similarity is smaller than the similarity threshold, it is determined that the first response message is inconsistent with the third response message, which indicates that the first response message is different from the third response message, indicating that the response is related to the user; if the cosine similarity is larger than or equal to the similarity threshold, the first response message is consistent with the third response message, the first response message is the same as the third response message, and the response is irrelevant to the user. Wherein the similarity threshold is a preset consistency comparison standard, and in one embodiment, the similarity threshold may be set to 0.99.
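As an added example (not part of the patent), the following Python code carries out the steps above for formatted response messages: extract words and numbers, build word-frequency vectors over the shared vocabulary, compute the cosine similarity and apply the 0.99 similarity threshold. The JSON response messages and the pre-segmented word lists of sentence A and sentence B are constructed from the examples in the text; token extraction uses a simple regular expression rather than a real Chinese word segmenter, which is an assumption of this example.

```python
import math
import re
from collections import Counter

# Words (letters), numbers and runs of CJK characters are the tokens; JSON
# punctuation is dropped. Real Chinese word segmentation is assumed to be
# done elsewhere: here one run of CJK characters counts as one word.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[\u4e00-\u9fff]+")


def tokenize(message):
    """Extract the comparable words and numbers from a formatted response message."""
    return TOKEN_RE.findall(message)


def word_frequency_vectors(tokens_a, tokens_b):
    """'List all words' of both token lists, then 'calculate word frequency' per list.
    Returns (vocabulary, vector_a, vector_b) with one shared dimension order."""
    vocabulary = sorted(set(tokens_a) | set(tokens_b))
    counts_a, counts_b = Counter(tokens_a), Counter(tokens_b)
    return (vocabulary,
            [counts_a[w] for w in vocabulary],
            [counts_b[w] for w in vocabulary])


def cosine_similarity(vector_a, vector_b):
    """cos(theta) = (A . B) / (|A| |B|). Returns 0.0 if either vector is all
    zeros (an empty response message), so an empty message is never 'consistent'."""
    dot = sum(a * b for a, b in zip(vector_a, vector_b))
    norm_a = math.sqrt(sum(a * a for a in vector_a))
    norm_b = math.sqrt(sum(b * b for b in vector_b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def message_similarity(message_a, message_b):
    """Cosine similarity of two response messages after tokenization."""
    _, vec_a, vec_b = word_frequency_vectors(tokenize(message_a), tokenize(message_b))
    return cosine_similarity(vec_a, vec_b)


def messages_consistent(message_a, message_b, threshold=0.99):
    """Consistency decision of the embodiment: below the threshold the messages are
    inconsistent (the response depends on the user); at or above, consistent."""
    return message_similarity(message_a, message_b) >= threshold


# Constructed sample data (made up, modelled on the examples in the text).
RESPONSE_1 = '{"name": "Xiaoming", "cardNumber": "123", "amount": 100}'
RESPONSE_2 = '{"name": "Li", "cardNumber": "345", "amount": 200}'
# The sentence comparison, already word-segmented as in the text.
SENTENCE_A = ["this piece", "clothing", "size", "larger", "that piece", "size", "fit"]
SENTENCE_B = ["this piece", "clothing", "size", "not", "small", "that piece", "more", "fit"]


def sentence_example_similarity():
    """Reproduces the worked sentence comparison: 6 / (3 * sqrt(8)) = 0.7071..."""
    _, vec_a, vec_b = word_frequency_vectors(SENTENCE_A, SENTENCE_B)
    return cosine_similarity(vec_a, vec_b)


if __name__ == "__main__":
    print("sentence A vs B:", round(sentence_example_similarity(), 2))              # 0.71
    print("response 1 vs 2:", round(message_similarity(RESPONSE_1, RESPONSE_2), 2))  # 0.5
    print("consistent?", messages_consistent(RESPONSE_1, RESPONSE_2))               # False
    print("same message consistent?", messages_consistent(RESPONSE_1, RESPONSE_1))  # True
```

The two sample responses share only the field names, so their similarity is 0.5 and they are judged inconsistent, which is the user-dependent behaviour a function point without unauthorized query should show.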
In one embodiment, the number of the second users may be multiple, and the step of determining whether the target function point has the unauthorized query based on the consistency between the first response message and the third response message in step S105 may include:
if the first response message is consistent with the plurality of third response messages, judging that the target function point has unauthorized query; if not, judging that the target function point does not have the unauthorized query.
In this embodiment, the number of second users is multiple, that is, whether the target function point has an unauthorized query is determined using multiple different session parameters, which improves the accuracy of the determination. Specifically, let the first user be user A and let there be two second users, user B and user C. The determining device 200 can obtain the request messages sent by user A, user B and user C to query the same target function point in the same time period, namely a first request message and a plurality of second request messages; correspondingly, there are two second request messages, second request message B and second request message C. The determining device 200 then extracts the third session parameter B carried by second request message B and the third session parameter C carried by second request message C, and replaces the first session parameter of the first request message with third session parameter B and with third session parameter C respectively, so as to obtain a third request message B and a third request message C. This completes the session parameter replacement, which is called cross-substitution of session parameters; during the substitution, the query condition in the first request message may be kept unchanged.
After the determining device 200 obtains the first request message, third request message B and third request message C, it sends them to the application server 300 for response and receives the first response message, third response message B and third response message C returned by the application server 300. The determining device 200 compares the consistency of the first response message with third response message B and with third response message C. In one embodiment, if the first response message is consistent with third response message B and also with third response message C, the first response message is consistent with all of the third response messages, and it is determined that the target function point has an unauthorized query; otherwise, the target function point is considered not to have an unauthorized query.
Further, consistency between the first response message and the plurality of third response messages may be determined based on the cosine similarity. Specifically, the first response packet and the plurality of third response packets may be converted into corresponding vectors, which are set as a first vector, a third vector B, and a third vector C, and then the cosine similarity S1 between the first vector and the third vector B and the cosine similarity S2 between the first vector and the third vector C are calculated, and then whether the first response packet and the plurality of third response packets are consistent may be determined according to the cosine similarity S1 and the cosine similarity S2. In an embodiment, an average value of the cosine similarity S1 and the cosine similarity S2 may be calculated first, and then the average value is compared with a preset similarity threshold, and if the average value is smaller than the similarity threshold, it is determined that the first response packet is inconsistent with the plurality of third response packets; and if the average value is greater than or equal to the similarity threshold value, judging that the first response message is consistent with the plurality of third response messages. In an embodiment, the cosine similarity S1 and the cosine similarity S2 may be compared with a similarity threshold, respectively, and if the cosine similarity S1 and the cosine similarity S2 are both greater than or equal to the similarity threshold, it is determined that the first response packet is consistent with the plurality of third response packets, otherwise, it is determined that the first response packet is inconsistent with the plurality of third response packets. 
Whether the function point has the unauthorized query or not is judged based on the session parameters of the plurality of users, the accuracy of the unauthorized query judgment can be improved, and the confidence of the detection result is higher as the number of the compared users is increased.
In order to more clearly describe the technical solution of the embodiment of the present invention, the method for determining unauthorized query provided by the embodiment of the present invention is described with reference to fig. 4, fig. 4 is a schematic diagram illustrating the principle of the method for determining unauthorized query in an embodiment, and the specific step of determining whether the unauthorized query exists in the function point may include:
the user A and the user B can send the account and the password to the application server through the corresponding access terminals, the application server returns the session parameter A to the user A after checking the account password, and returns the session parameter B to the user B, so that login processing is completed, and the application server can maintain the one-to-one relationship between the session parameter and the user identity information during the period that the user A and the user B log in the application server.
When user A needs to query the data related to a card number through a related function point, a first request message carrying card number A and session parameter A can be sent to the application server through the access terminal, and the application server feeds back to user A a first response message carrying the query result (namely the data of user A). In order to determine whether the function point has an unauthorized query, the determining device 200 may obtain session parameter B of user B and replace session parameter A in the first request message with session parameter B to obtain a third request message, which carries session parameter B and card number A. The determining device 200 then sends the third request message to the application server; after the application server returns a third response message carrying the query result, the determining device 200 obtains the third response message. If the third response message is consistent with the first response message, the third response message carries the data of user A and the function point has an unauthorized query; otherwise, it may be determined that the function point does not have an unauthorized query.
In one embodiment, before the unauthorized query of the target function point, it may be determined which function points belong to the target function point among the function points provided by the application server.
In this embodiment, because the number of function points provided by the application server is huge, if each function point performs the unauthorized query detection, it will take a lot of time, and therefore, before performing the unauthorized query detection, the target function point that needs to be subjected to the unauthorized query detection may be determined from each function point. The target function point is generally a function point related to querying user privacy data, and data queried by different users are different, so that consistency of response messages obtained by accessing the same function point by different users can be compared, whether the function point needs to perform unauthorized query detection or not is determined, the function point needing to perform unauthorized query detection can be marked, for example, the function point is marked as a target function point, and the judgment device 200 can subsequently judge whether the function point needs to be subjected to unauthorized query detection or not according to the mark.
In one embodiment, the specific step of identifying whether the function point requiring the unauthorized query detection needs to be performed may include:
A first request message and a second request message are acquired, which are the request messages of a first user and a second user respectively for accessing the same function point; the first request message and the second request message are then sent to the application server, which responds to the first request message with a first response message and to the second request message with a second response message. The first response message and the second response message are then obtained and compared for consistency. If they are consistent, the response of the function point is unrelated to the user, and the function point can be considered not to need unauthorized query detection; if they are inconsistent, the response of the function point is related to the user and the response content may carry private data, so it can be determined that the function point needs unauthorized query detection, and the function point can further be marked as a target function point. In an embodiment, the consistency between the first response message and the second response message may be compared based on the cosine similarity principle; the specific comparison process may refer to the process of comparing the first response message and the third response message described in the above embodiment, which is not repeated here.
The following describes a complete unauthorized detection method with reference to fig. 5, fig. 5 is a schematic diagram illustrating a method for determining unauthorized query in another embodiment, and the complete unauthorized detection method may include two processes of identifying whether a function point needs to be subjected to unauthorized query detection, and determining whether the function point has unauthorized query. The method includes the steps of firstly identifying whether a function point needs to be subjected to unauthorized query detection, enabling the judging device 200 to obtain a first request message and a second request message, which are used by different users to query the same function point in the same time period, sending the first request message and the second request message to an application server, enabling the application server to feed back the first response message and the second response message, judging whether the function point needs to be subjected to unauthorized query detection or not by comparing whether the first response message and the second response message are consistent, and entering a process of judging whether unauthorized query exists or not if the function point needs to be subjected to unauthorized query detection. The determining terminal 200 may extract the session parameter B carried in the second request message, and replace the session parameter a carried in the first request message with the session parameter B to obtain a third request message, it should be noted that the determining terminal 200 may also collect session parameters of a plurality of different login users, and cross-replace the session parameter of the first request message to obtain a plurality of third request messages. 
After the session parameter is replaced, the determining terminal 200 sends the third request message to the application server 300 and obtains the third response message returned by the application server 300. Then the determining terminal 200 compares the first response message with the third response message, that is, as shown in fig. 5, compares the consistency of response message A (corresponding to the first response message) and response message B (corresponding to the third response message): it first converts response message A into a vector An and response message B into a vector Bn, calculates the cosine similarity between the vector An and the vector Bn, and compares the cosine similarity with a preset similarity threshold (which may be set to 0.99). If the cosine similarity is greater than or equal to 0.99, it is determined that the first response message is consistent with the third response message and the function point has an unauthorized query; if the cosine similarity is less than 0.99, it is determined that the first response message is inconsistent with the third response message and the function point has no unauthorized query.
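The complete two-process method, as an added Python example that is not part of the patent: an in-memory stand-in for the application server (constructed; its users, session parameters and card numbers are made up) exposes one user-independent function point, one function point that checks card ownership against the session, and one that answers from the card number alone. The identification process marks the user-dependent function points as targets, and the judgment process cross-substitutes the session parameters of two second users while keeping the query condition, using the 0.99 cosine threshold with either the all-consistent rule or the average rule of the embodiment above.

```python
import math
import re
from collections import Counter

# Constructed in-memory stand-in for the application server 300 (all names,
# sessions and card values are made up). Each session parameter maps to one
# logged-in user, as in the login step of the text.
SESSIONS = {"sess-A": "userA", "sess-B": "userB", "sess-C": "userC"}
CARDS = {"111": ("userA", 100), "222": ("userB", 200), "333": ("userC", 300)}
OWN_CARD = {"userA": "111", "userB": "222", "userC": "333"}


def application_server(function_point, session, query):
    """Respond to one request message (function point, session parameter, query condition).
    'balance'     checks that the queried card belongs to the session user (no unauthorized query);
    'card_detail' answers from the card number alone, ignoring the session (unauthorized query);
    'version'     returns the same content for every user (not a target function point)."""
    user = SESSIONS.get(session)
    if user is None:
        return '{"error": "invalid session"}'
    if function_point == "version":
        return '{"version": "1.0"}'
    card = query.get("card")
    if card not in CARDS:
        return '{"error": "unknown card"}'
    owner, amount = CARDS[card]
    if function_point == "balance" and owner != user:
        return '{"error": "card does not belong to the current user"}'
    if function_point in ("balance", "card_detail"):
        return '{"name": "%s", "card": "%s", "amount": %d}' % (owner, card, amount)
    return '{"error": "unknown function point"}'


def cosine(message_a, message_b):
    """Cosine similarity of the word-frequency vectors of two response messages.
    Words and numbers are extracted with a \\w+ pattern; an empty message gives 0.0."""
    counts_a = Counter(re.findall(r"\w+", message_a))
    counts_b = Counter(re.findall(r"\w+", message_b))
    dot = sum(counts_a[w] * counts_b[w] for w in counts_a)
    norm = (math.sqrt(sum(v * v for v in counts_a.values()))
            * math.sqrt(sum(v * v for v in counts_b.values())))
    return dot / norm if norm else 0.0


def find_target_function_points(function_points, session_a="sess-A", session_b="sess-B",
                                threshold=0.99):
    """Identification process: two different users query each function point with their
    own query condition; a function point whose responses differ is marked as a target."""
    targets = []
    for fp in function_points:
        first = application_server(fp, session_a, {"card": OWN_CARD[SESSIONS[session_a]]})
        second = application_server(fp, session_b, {"card": OWN_CARD[SESSIONS[session_b]]})
        if cosine(first, second) < threshold:
            targets.append(fp)
    return targets


def judge_unauthorized_query(function_point, first_session="sess-A",
                             second_sessions=("sess-B", "sess-C"),
                             threshold=0.99, rule="all"):
    """Judgment process: keep the first user's query condition, cross-substitute the
    session parameter of every second user, and compare the first response message
    with each third response message. rule="all": every similarity must reach the
    threshold; rule="mean": the average similarity must reach it."""
    query = {"card": OWN_CARD[SESSIONS[first_session]]}   # query condition unchanged
    first_response = application_server(function_point, first_session, query)
    similarities = [cosine(first_response, application_server(function_point, s, query))
                    for s in second_sessions]
    if rule == "mean":
        return sum(similarities) / len(similarities) >= threshold
    return all(s >= threshold for s in similarities)


if __name__ == "__main__":
    targets = find_target_function_points(["version", "balance", "card_detail"])
    print("target function points:", targets)                      # ['balance', 'card_detail']
    for fp in targets:
        # balance -> False (ownership enforced), card_detail -> True (session ignored)
        print(fp, "has unauthorized query:", judge_unauthorized_query(fp))
```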
The embodiment of the invention provides a method for judging whether a function point has an unauthorized query. By analysing in depth the particular nature of unauthorized-access vulnerabilities and grasping the essence of the unauthorized query, it breaks away from the conventional approach of merely automating the manual detection process: both the determination of the points to be checked for unauthorized access and the judgment of whether an unauthorized query exists are reduced to one uniform consistency comparison of response messages, avoiding the drawbacks of the conventional approach, such as high implementation difficulty and low execution efficiency.
In an embodiment, a device for determining an unauthorized query is provided, and referring to fig. 6, fig. 6 is a block diagram illustrating a structure of the device for determining an unauthorized query in an embodiment, where the device for determining an unauthorized query may include:
a first obtaining module 101, configured to obtain a first response packet of an application server; the first response message is obtained by the application server responding to the first request message; the first request message is used for a first user to inquire a target function point of the application server;
a replacing module 102, configured to replace a first session parameter carried in the first request packet with a second session parameter, so as to obtain a third request packet; the second session parameter is a session parameter carried by the second request message; the second request message is used for the second user to inquire the target function point; the second user is different from the first user;
a sending module 103, configured to send the third request packet to the application server;
a second obtaining module 104, configured to obtain a third response packet of the application server; the third response message is obtained by the application server responding to the third request message;
and the judging module 105 is configured to judge whether the target function point has unauthorized query based on consistency between the first response packet and the third response packet.
The determination device for unauthorized query of the present invention corresponds to the determination method for unauthorized query of the present invention, and the specific limitations of the determination device for unauthorized query can be referred to the limitations of the determination method for unauthorized query in the above. All or part of each module in the above judging device for unauthorized query can be realized by software, hardware and their combination. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, where the computer device may be a server or a terminal, and its internal structure diagram may be as shown in fig. 7, and fig. 7 is an internal structure diagram of the computer device in one embodiment. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device may be used to store data such as request messages, response messages, and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method for determining unauthorized queries.
Those skilled in the art will appreciate that the architecture shown in fig. 7 is merely a block diagram of some of the structures associated with the inventive arrangements and is not intended to limit the computing devices to which the inventive arrangements may be applied, as a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, which includes a processor and a memory, where the memory stores a computer program, and the processor implements the method for determining an unauthorized query according to any one of the above embodiments when executing the computer program.
According to the computer equipment, the query conditions in the request message can be kept unchanged through the computer program running on the processor, and the session parameters in the request message are modified, so that whether the corresponding function points are subjected to unauthorized query or not is judged based on the consistency of the response messages obtained before and after the session parameters are modified, the query conditions of the request messages do not need to be modified one by one, and the judgment efficiency of the unauthorized query is improved.
It will be understood by those skilled in the art that all or part of the processes in the determination method for performing unauthorized query according to any of the above embodiments may be implemented by a computer program, which may be stored in a non-volatile computer-readable storage medium, and when executed, the computer program may include the processes of the above embodiments of the methods. Any reference to memory, storage, databases, or other media used in embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
Accordingly, in an embodiment, a computer-readable storage medium is further provided, on which a computer program is stored, wherein the program, when executed by a processor, implements the method for determining an unauthorized query according to any one of the above embodiments.
The computer readable storage medium can keep the query condition in the request message unchanged through the stored computer program, and modifies the session parameter in the request message, so that whether the corresponding function point is subjected to the unauthorized query is judged based on the consistency of the response messages obtained before and after the session parameter is modified, the query condition of the request message does not need to be modified one by one, and the judgment efficiency of the unauthorized query is improved.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A judgment method for unauthorized inquiry is characterized by comprising the following steps:
acquiring a first response message of an application server; the first response message is obtained by the application server responding to the first request message; the first request message is used for a first user to inquire a target function point of the application server;
replacing the first session parameter carried by the first request message with a second session parameter to obtain a third request message; the second session parameter is a session parameter carried by the second request message; the second request message is used for a second user to inquire the target function point; the second user is a different user than the first user;
sending the third request message to the application server;
acquiring a third response message of the application server; the third response message is obtained by the application server responding to the third request message;
and judging whether the target function point has unauthorized inquiry or not based on the consistency of the first response message and the third response message.
2. The method according to claim 1, wherein the step of determining whether the target function point has an unauthorized query based on the consistency of the first response packet and the third response packet comprises:
and if the first response message is consistent with the third response message, judging that the target function point has unauthorized query.
3. The method according to claim 1, wherein the step of determining whether the target function point has an unauthorized query based on the consistency of the first response packet and the third response packet comprises:
and if the first response message is inconsistent with the third response message, judging that the target function point has no unauthorized query.
4. The method according to claim 1, wherein before the step of determining whether there is an unauthorized query for the target function point based on the consistency of the first response packet and the third response packet, the method further comprises:
converting the first response message into a first vector;
converting the third response message into a third vector;
calculating cosine similarity of the first vector and the third vector;
and determining the consistency of the first response message and the third response message according to the cosine similarity.
5. The method of claim 4, wherein the step of determining the consistency of the first response packet and the third response packet according to the cosine similarity comprises:
comparing the cosine similarity with a preset similarity threshold;
and if the cosine similarity is smaller than the similarity threshold, judging that the first response message is inconsistent with the third response message.
6. The method of claim 1, wherein the number of second users is plural;
the step of judging whether the target function point has the unauthorized query or not based on the consistency of the first response message and the third response message comprises the following steps:
if the first response message is consistent with the plurality of third response messages, judging that the target function point has unauthorized query; if not, judging that the target function point does not have the unauthorized query; wherein the plurality of third response messages respectively correspond to a plurality of third request messages; the plurality of third request messages are obtained by replacing the first session parameters carried by the first request messages with a plurality of second session parameters; the plurality of second session parameters are session parameters carried by the plurality of second request messages respectively; the second request messages are respectively messages for querying the target function point by a plurality of second users.
7. The method of claim 6, wherein the consistency between the first response packet and the plurality of third response packets is determined based on cosine similarity.
8. An apparatus for determining an unauthorized query, comprising:
a first acquisition module, configured to acquire a first response message of the application server; the first response message is obtained by the application server responding to a first request message; the first request message is used by a first user to query a target function point of the application server;
a replacing module, configured to replace the first session parameter carried by the first request message with a second session parameter to obtain a third request message; the second session parameter is a session parameter carried by a second request message; the second request message is used by a second user to query the target function point; the second user is different from the first user;
a sending module, configured to send the third request message to the application server;
a second acquisition module, configured to acquire a third response message of the application server; the third response message is obtained by the application server responding to the third request message;
and a judging module, configured to judge whether the target function point has an unauthorized query based on the consistency of the first response message and the third response message.
9. A computer device comprising a processor and a memory, said memory storing a computer program, characterized in that said processor, when executing said computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
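As an added illustration of the method of claims 1, 6 and 7 (example code written for this page, not part of the patent): a constructed toy function point in two variants, one that trusts the account id in the request and one that serves only the session's own account, plus a detector that replays the first user's request under each second user's session parameter and compares the responses by cosine similarity over tokens. The server functions, session tokens, account records and the 0.9 threshold are all assumptions.

```python
import math
from collections import Counter

# Constructed fixture: account records and session-to-account bindings.
ACCOUNTS = {"A001": "Alice balance=1200 card=****1111",
            "A002": "Bob balance=35 card=****2222"}
SESSIONS = {"sess-alice": "A001", "sess-bob": "A002", "sess-carol": "A003"}


def vulnerable_server(request):
    # Ignores whose session is presented and serves whatever account is asked for.
    return "200 " + ACCOUNTS.get(request["account"], "not found")


def fixed_server(request):
    # Serves only the account bound to the presented session.
    owner = SESSIONS.get(request["session"])
    if owner != request["account"] or owner not in ACCOUNTS:
        return "403 forbidden"
    return "200 " + ACCOUNTS[owner]


def cosine_similarity(a, b):
    # Term-frequency vectors over whitespace-separated tokens (claim 7).
    va, vb = Counter(a.split()), Counter(b.split())
    dot = sum(va[t] * vb[t] for t in va.keys() & vb.keys())
    norm = (math.sqrt(sum(v * v for v in va.values()))
            * math.sqrt(sum(v * v for v in vb.values())))
    return dot / norm if norm else 0.0


def has_unauthorized_query(server, first_request, second_requests, threshold=0.9):
    """Claims 1 and 6: build a third request from the first request by swapping in
    each second user's session parameter; the function point leaks across users
    only if every third response is consistent with the first response."""
    first_response = server(first_request)
    for second in second_requests:
        third_request = dict(first_request, session=second["session"])
        third_response = server(third_request)
        if cosine_similarity(first_response, third_response) < threshold:
            return False
    return True


if __name__ == "__main__":
    first = {"session": "sess-alice", "account": "A001"}
    others = [{"session": "sess-bob", "account": "A002"},
              {"session": "sess-carol", "account": "A003"}]
    print("vulnerable:", has_unauthorized_query(vulnerable_server, first, others))
    print("fixed:", has_unauthorized_query(fixed_server, first, others))
```

A function point that legitimately returns identical content to every user (public data) will also satisfy the consistency test, so results should be triaged per function point rather than treated as confirmed findings.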
CN201911067611.7A 2019-11-04 2019-11-04 Judgment method and device for unauthorized query, computer equipment and storage medium Pending CN111125748A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911067611.7A CN111125748A (en) 2019-11-04 2019-11-04 Judgment method and device for unauthorized query, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911067611.7A CN111125748A (en) 2019-11-04 2019-11-04 Judgment method and device for unauthorized query, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111125748A true CN111125748A (en) 2020-05-08

Family

ID=70495502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911067611.7A Pending CN111125748A (en) 2019-11-04 2019-11-04 Judgment method and device for unauthorized query, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111125748A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259327A (en) * 2021-04-20 2021-08-13 长沙市到家悠享网络科技有限公司 Automatic interface detection method, system and computer equipment
CN113779585A (en) * 2021-01-04 2021-12-10 北京沃东天骏信息技术有限公司 Unauthorized vulnerability detection method and device
WO2023093017A1 (en) * 2021-11-23 2023-06-01 深圳前海微众银行股份有限公司 Method and apparatus for identifying web service device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107577949A (en) * 2017-09-05 2018-01-12 郑州云海信息技术有限公司 A kind of Web goes beyond one's commission leak detection method and system
CN108932426A (en) * 2018-06-27 2018-12-04 平安科技(深圳)有限公司 It goes beyond one's commission leak detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200508