CN111198819A - Safety test method and device - Google Patents


Info

Publication number
CN111198819A
Authority
CN
China
Prior art keywords
product
tested
test
webpage data
database
Prior art date
Legal status
Granted
Application number
CN201911419484.2A
Other languages
Chinese (zh)
Other versions
CN111198819B (en)
Inventor
农时
孔壮
李晓静
刘倩
Current Assignee
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date
Filing date
Publication date
Application filed by Bank of China Ltd
Priority to CN201911419484.2A
Publication of CN111198819A
Application granted
Publication of CN111198819B
Legal status: Active

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/36 Preventing errors by testing or debugging software
              • G06F11/3668 Software testing
                • G06F11/3672 Test management
                  • G06F11/3676 Test management for coverage analysis
                  • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/90 Details of database functions independent of the retrieved data types
              • G06F16/95 Retrieval from the web
                • G06F16/953 Querying, e.g. by the use of web search engines
                  • G06F16/9535 Search customisation based on user profiles and personalisation
                • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
                  • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
            • G06Q40/02 Banking, e.g. interest calculation or account maintenance

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • Technology Law (AREA)
  • General Business, Economics & Management (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a security test method, a security test device and a security test system. The method comprises: during the functional test of the product under test, copying the web page data generated by the test into a database, and repeating this until the functional test is finished; extracting the web page data of the product under test from the database and sending it to a security test system; and receiving the security test result returned by the security test system. By combining functional testing with security testing, the invention obtains product data with relatively comprehensive coverage in a simple and convenient way and then performs the security test on that data, thereby improving the coverage and efficiency of the security test.

Description

Safety test method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security testing method and apparatus.
Background
To ensure the security of financial industry products (for example banking applications and banking websites), security tests must be performed on them.
At present, security testing is mostly performed with security testing tools, but these tools work in crawler mode and are poorly suited to financial industry products: many pages of such products require input, and the input is validated before the next level of pages can be reached. A crawler can therefore obtain product data only for the first-level page and a small number of second-level pages of the product under test, not all of its data, so the coverage of the security test is low.
For example, the automated security testing tools led by the automated testing tool AWVS all rely on the crawler principle and can automatically crawl the various URL links of the product under test, but they have a serious applicability problem when used on financial industry products. Because such products strictly constrain their input data, the data cannot be crawled or entered at random, and second-level or deeper pages cannot be reached correctly.
Currently, product data of the product under test is also collected manually and sent to an automated testing tool for security testing. However, manual collection requires a large amount of work, so the security test is inefficient and its coverage incomplete.
For example, because financial product business is complex, testers usually have to be trained in the product business before testing and must collect product data for the business of the product under test, which takes a considerable amount of time, possibly orders of magnitude more than the security test itself. At the same time, because parts of the financial product's business may be missed, the tester may lose some test coverage.
Disclosure of Invention
In view of this, the present application provides a security test method, device and system that can perform security tests on financial industry products and improve the coverage and efficiency of the security test.
To achieve the above object, the present invention provides the following technical features:
a security test method, comprising:
during the functional test of the product under test, copying the web page data generated by the test into a database, and repeating this step until the functional test is finished;
extracting the web page data of the product under test from the database and sending it to a security test system;
and receiving the security test result returned by the security test system.
Optionally, copying the web page data generated during the functional test into the database and repeating this until the functional test is finished comprises:
while the functional test of the product under test is carried out with browser software, copying the web page data generated by the test with a software script preset in the browser software and storing it in the database;
and repeating this step until the functional test is finished.
Optionally, after repeating the above step until the functional test is finished, the method further comprises:
determining the website under test that corresponds to the product under test;
screening the web page data in the database according to that website;
and keeping only the web page data that contains the website under test.
Optionally, extracting the web page data of the product under test from the database and sending it to a security test system comprises:
extracting the web page data of the product under test from the database in silent test mode and sending it to the security test system.
Optionally, when there are multiple security test systems, extracting the web page data of the product under test from the database and sending it to the security test systems comprises:
extracting the web page data of the product under test from the database;
and distributing it to the multiple security test systems by load balancing, each of which then performs a security test on the product under test.
A security test device, comprising:
a copying and storing unit, which during the functional test of the product under test copies the web page data generated by the test into a database and repeats this until the functional test is finished;
an extraction and transmission unit, which extracts the web page data of the product under test from the database and transmits it to a security test system;
and a receiving unit, which receives the security test result returned by the security test system.
A processing device, comprising:
a database device, which stores the web page data generated during the functional test of the product under test;
and a processor, which during the functional test of the product under test copies the web page data generated by the test and sends it to the database device, repeating this until the functional test is finished; extracts the web page data of the product under test from the database and sends it to a security test system; and receives the security test result returned by the security test system.
Optionally, the processor is further configured, while the functional test of the product under test is carried out with browser software, to copy the web page data generated by the test with a software script preset in the browser software and store it in the database;
and to repeat this step until the functional test is finished.
A security test system, comprising:
a processing device and a security test system;
the processing device copies the web page data generated during the functional test of the product under test into a database and repeats this until the functional test is finished; extracts the web page data of the product under test from the database and sends it to the security test system; and receives the security test result returned by the security test system;
the security test system performs a security test on the web page data and generates and sends a security test result to the processing device.
A security test system, comprising:
a functional test device, a processing device and a security test system;
the functional test device performs the functional test of the product under test, copies the web page data generated during that test and sends it on, repeating this until the functional test is finished;
the processing device receives the web page data generated during the functional test of the product under test and stores it in the database, repeating this until the functional test is finished; extracts the web page data of the product under test from the database, sends it to the security test system and receives the security test result returned by the security test system;
the security test system performs a security test on the web page data and generates and sends a security test result to the processing device.
These technical means achieve the following beneficial effects:
the invention provides a security test mode that combines the functional test and the security test of the product under test: during the functional test, the web page data generated by the test is copied into a database, and the copying and storing are repeated until the functional test is finished, so that the database holds a large amount of web page data of the product under test.
By combining functional testing with security testing, the invention obtains product data with relatively comprehensive coverage in a simple and convenient way and then performs the security test on that data, thereby improving the coverage and efficiency of the security test.
Drawings
To illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings describe only some embodiments of the present application, and a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a first embodiment of a security test system disclosed in the embodiments of the present application;
fig. 2 is a schematic structural diagram of a second embodiment of a security test system disclosed in the embodiments of the present application;
fig. 3 is a schematic flow diagram of a first embodiment of a security test method disclosed in the embodiments of the present application;
fig. 4 is a schematic flow diagram of a second embodiment of a security test method disclosed in the embodiments of the present application;
fig. 5 is a schematic diagram of the web page data in a security test method disclosed in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a first security test apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a second security test apparatus according to an embodiment of the present application.
Detailed Description
Financial industry products under test also undergo functional tests, in which every function of the product is exercised to verify that it operates normally. Because the coverage of the functional test is very high, the invention provides a security test mode that combines the functional test and the security test of the product under test.
The functional test data generated during the functional test is copied by a script and stored in a database, which yields product data for the security test of the product under test. That product data can later be read from the database and sent to a third-party security test system for security testing, and the security test result returned by the third-party system is collected.
The invention makes full use of the business coverage of the functional test and of the product data stored during it to carry out the security test on the product under test, thereby improving the coverage and efficiency of the security test.
Compared with the prior art, the security test provided by the invention has the following beneficial effects:
First, high coverage: the product data of the functional test process is copied, and because the business coverage of the functional test is high, the product data used for the security test also has high coverage. This addresses test points that a conventional automated security test tool cannot complete, such as tests for unauthorized access and information leakage.
Second, high test efficiency: the invention reuses the product data produced during the functional test instead of collecting it again by hand, so no additional time is spent on collection and test efficiency improves.
Third, high test precision: because the product data used by the security test comes from the functional test, the business flow of the functional test and the test flow of the security test are linked. The product data is more precise, so the test precision for the product under test improves.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
For ease of understanding, the present invention provides two security test systems.
The first security test system is shown in fig. 1; in it, both the functional test and part of the security test are executed in the processing device.
The second security test system is shown in fig. 2; in it, the functional test is performed in the functional test device and part of the security test in the processing device.
The two implementations of the security test system are described below.
Referring to fig. 1, the present invention provides a first embodiment of a security test system, comprising:
a processing device 100 and a security test system 200.
The processing device 100 is configured to copy the web page data generated during the functional test of the product under test into a database and repeat this until the functional test is finished; to extract the web page data of the product under test from the database and send it to the security test system; and to receive the security test result returned by the security test system.
The security test system 200 is configured to perform a security test on the web page data and to generate and send a security test result to the processing device.
Referring to fig. 2, the present invention provides a second embodiment of a security test system, comprising:
a functional test device 000, a processing device 100 and a security test system 200;
the functional test device performs the functional test of the product under test, copies the web page data generated during that test and sends it on, repeating this until the functional test is finished;
the processing device receives the web page data generated during the functional test of the product under test and stores it in the database, repeating this until the functional test is finished; it extracts the web page data of the product under test from the database, sends it to the security test system and receives the security test result returned by the security test system;
the security test system performs a security test on the web page data and generates and sends a security test result to the processing device.
The invention provides a first embodiment of a security test method, applied to the security test system shown in fig. 1. Referring to fig. 3, the method comprises the following steps:
Step S301: a software script is added to the browser application of the processing device.
The functional tester uses the browser application on the processing device to perform the functional test. So as not to interfere with the normal functional test, a software script is added to the browser application, and this script copies the web page data generated during the functional test.
Step S302: during the functional test of the product under test, the processing device copies the web page data generated by the test into the database, repeating this until the functional test is finished.
The functional tester performs the functional test with the browser application, working through each function of the product under test in turn. Meanwhile the preset software script continuously copies the page data generated by the functional test and sends it to the database, which stores it.
The copying, sending and storing are repeated until the functional test is finished. The database then holds all the web page data of the functional test process.
Step S303: the processing device screens the web page data in the database.
S1: determine the website under test that corresponds to the product under test.
Each product under test corresponds to a website under test. For example, Bank of China corresponds to the Bank of China website "https://www.boc.cn/".
S2: screen the web page data in the database according to the website under test that corresponds to the product under test.
Since the functional tester inevitably visits web pages of other products during the test, the web page data in the database is screened by the website under test to simplify the subsequent security test.
The web addresses of the first-level, second-level, third-level and other web pages of the product under test all contain the address of the website under test. For example, the addresses of the primary, secondary and tertiary web pages of Bank of China all contain the Bank of China address "https://www.boc.cn/".
S3: keep only the web page data that contains the website under test.
After screening, only the web page data that contains the website under test is kept; the remaining web page data, which belongs to products that are not under test, is deleted.
Step S304: the processing device extracts the web page data of the product under test from the database and sends it to a security test system.
When there is one third-party security test system, the web page data of the product under test is extracted from the database item by item and sent to the security test system, which tests it and returns a security test result to the processing device.
When there are several third-party security test systems, the web page data of the product under test is extracted from the database item by item and distributed to the security test systems by load balancing; each system tests its share and returns results to the processing device.
Step S305: the processing device receives the security test result returned by the security test system.
The processing device may receive the security test result of each item of web page data one by one, or receive the results for all items together; the invention does not restrict this.
The processing device can receive the multiple security test results that the security test system returns for the multiple items of web page data, integrate them and display the integrated security test result.
The invention also provides a second embodiment of the security test method, applied to the security test system shown in fig. 2. Referring to fig. 4, the method comprises the following steps:
Step S401: a software script is added to the browser application of the functional test device.
The functional tester uses the browser application on the functional test device to perform the functional test. So as not to interfere with the normal functional test, a software script is added to the browser application, and this script copies the web page data generated during the functional test.
Step S402: during the functional test of the product under test, the functional test device copies the web page data generated by the test and sends it to the processing device, repeating this until the functional test is finished.
The functional tester performs the functional test with the browser application, working through each function of the product under test in turn. Meanwhile the preset software script continuously copies the page data generated by the functional test and sends it to the processing device.
The copying and sending are repeated until the functional test is finished.
Step S403: the processing device continuously receives and stores the web page data sent by the functional test device.
After the functional test is finished, the database holds all the web page data of the functional test process.
Step S404: the processing device screens the web page data in the database.
S1: determine the website under test that corresponds to the product under test.
Each product under test corresponds to a website under test. For example, Bank of China corresponds to the Bank of China website "https://www.boc.cn/".
S2: screen the web page data in the database according to the website under test that corresponds to the product under test.
Since the functional tester inevitably visits web pages of other products during the test, the web page data in the database is screened by the website under test to simplify the subsequent security test.
The web addresses of the first-level, second-level, third-level and other web pages of the product under test all contain the address of the website under test. For example, the addresses of the primary, secondary and tertiary web pages of Bank of China all contain the Bank of China address "https://www.boc.cn/".
S3: keep only the web page data that contains the website under test.
After screening, only the web page data that contains the website under test is kept; the remaining web page data, which belongs to products that are not under test, is deleted.
Step S405: the processing device extracts the web page data of the product under test from the database and sends it to a security test system.
When there is one third-party security test system, the web page data of the product under test is extracted from the database item by item and sent to the security test system, which tests it and returns a security test result to the processing device.
When there are several third-party security test systems, the web page data of the product under test is extracted from the database item by item and distributed to the security test systems by load balancing; each system tests its share and returns results to the processing device.
Step S406: the processing device receives the security test result returned by the security test system.
The processing device may receive the security test result of each item of web page data one by one, or receive the results for all items together; the invention does not restrict this.
The processing device can receive the multiple security test results that the security test system returns for the multiple items of web page data, integrate them and display the integrated security test result.
The following is a scenario embodiment of the present invention:
A software script is added to the functional test environment; the script implements the function of a proxy server, and the functional tester accesses the product under test through this proxy server for the functional test. The proxy server works in transparent mode, so the functional tester does not notice it during the functional test, that is, the original functional test is not affected.
The software script copies the web page data generated during the functional test. Referring to fig. 5, the web page data may include the web address (URL) of the page visited by the functional tester, the cookie corresponding to the page, the header parameters, the body parameters and other parameters. Further parameters may of course be included; they are not described in detail here.
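The record that fig. 5 describes, as an added example rather than the patent's own script: one captured HTTP request is parsed into the URL, cookie, header parameters and body parameters, and the record is written to and read back from a database. The request bytes, the host name, the table layout and the function names are all constructed for illustration; a real capture script would hand the raw request to `parse_request` from the proxy.

```python
"""Turn one captured HTTP request into the Fig. 5 record and store it.

Added example, not the patent's own script. It assumes the capture script
hands over the raw request bytes; the request below, the host name, the
table layout and the function names are all constructed for illustration.
"""
import json
import sqlite3

# Constructed sample request, as the transparent proxy would see it.
RAW_REQUEST = (
    b"POST /account/transfer HTTP/1.1\r\n"
    b"Host: www.boc.cn\r\n"
    b"Cookie: JSESSIONID=abc123; lang=zh\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"to=6222000000000001&amt=100"
)


def parse_request(raw: bytes, scheme: str = "https") -> dict:
    """Extract URL, cookie, header parameters and body parameters from one request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("request has no Host header; cannot build the URL")
    # Honour Content-Length so a truncated or over-long capture is not stored as if complete.
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError("body shorter than Content-Length; capture incomplete")
    body = body[:length]
    cookie = headers.pop("cookie", "")  # the cookie is kept as its own field (Fig. 5)
    return {
        "method": method,
        "url": f"{scheme}://{headers['host']}{target}",
        "cookie": cookie,
        "headers": headers,
        "body": body.decode("utf-8", errors="replace"),
    }


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the database holding the functional-test captures."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE captures (id INTEGER PRIMARY KEY, round INTEGER,"
        " method TEXT, url TEXT, cookie TEXT, headers TEXT, body TEXT)"
    )
    return conn


def store(conn: sqlite3.Connection, record: dict, round_no: int) -> int:
    """Insert one record and return its row id.

    Captures hold live session cookies and form data, so the real store needs
    the same access control as the product under test."""
    cur = conn.execute(
        "INSERT INTO captures (round, method, url, cookie, headers, body)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (round_no, record["method"], record["url"], record["cookie"],
         json.dumps(record["headers"]), record["body"]),
    )
    conn.commit()
    return cur.lastrowid


def load(conn: sqlite3.Connection, round_no: int) -> list:
    """Read back the records of one functional-test round in capture order."""
    rows = conn.execute(
        "SELECT method, url, cookie, headers, body FROM captures"
        " WHERE round = ? ORDER BY id",
        (round_no,),
    ).fetchall()
    return [
        {"method": m, "url": u, "cookie": c, "headers": json.loads(h), "body": b}
        for m, u, c, h, b in rows
    ]


if __name__ == "__main__":
    conn = open_store()
    store(conn, parse_request(RAW_REQUEST), round_no=1)
    for rec in load(conn, 1):
        print(rec["method"], rec["url"], "cookie=" + rec["cookie"], rec["body"])
```

The Content-Length check matters for the second round: a capture whose body was cut short would be replayed as a different request than the tester actually sent, so it is rejected at capture time rather than stored.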
At present most functional tests are run in two rounds. During the first round, as the functional test proceeds, the web page data it generates is continuously copied and stored until the first round is finished.
The web page data stored in the database is then filtered by the web address of the product under test so that only the web page data of the website under test is kept.
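The screening step (S1 to S3 of both method embodiments, restated in the scenario above), as an added example that is not the patent's own code. It shows the rule exactly as the text states it, keep records whose address contains the site address, next to a host-based rule that a practitioner would usually prefer: the substring rule keeps a foreign page that merely carries the site address in a query string and drops a legacy port on the same host, while the host rule does the opposite. The captures and the host names other than the one in the text are constructed.

```python
"""Screen stored captures so only the site under test remains.

Added example, not the patent's own code. Captures are dicts with the
Fig. 5 fields; the records and the hosts other than www.boc.cn are constructed.
"""
from urllib.parse import urlsplit

SITE_UNDER_TEST = "https://www.boc.cn/"   # the "website to be tested" named in the text

# Constructed first-round captures; only "url" matters for screening.
CAPTURES = [
    {"url": "https://www.boc.cn/", "cookie": "JSESSIONID=a1", "headers": {}, "body": ""},
    {"url": "https://www.boc.cn/account/query?acct=1", "cookie": "JSESSIONID=a1", "headers": {}, "body": ""},
    {"url": "http://www.boc.cn:8080/legacy/login", "cookie": "", "headers": {}, "body": ""},
    {"url": "https://static.example.net/js/app.js", "cookie": "", "headers": {}, "body": ""},
    {"url": "https://other-product.example.com/jump?to=https://www.boc.cn/", "cookie": "", "headers": {}, "body": ""},
    {"url": "garbage", "cookie": "", "headers": {}, "body": ""},
]


def screen_by_substring(captures, site):
    """The rule as the text states it: keep records whose address contains the site address."""
    return [c for c in captures if site in c["url"]]


def host_of(url):
    """Lower-cased host of a URL, or '' when the value is not a usable URL."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def screen_by_host(captures, site):
    """Stricter rule: keep records whose host is the site's host or a subdomain of it.

    Scheme, port, path and query are ignored, so a legacy port on the same host
    is kept, while a foreign page that only carries the site address in a query
    string is dropped. Returns (kept, dropped)."""
    target = host_of(site)
    if not target:
        raise ValueError(f"site under test must be a full URL, got {site!r}")
    kept, dropped = [], []
    for c in captures:
        host = host_of(c["url"])
        same_site = host == target or host.endswith("." + target)
        (kept if same_site else dropped).append(c)
    return kept, dropped


if __name__ == "__main__":
    naive = screen_by_substring(CAPTURES, SITE_UNDER_TEST)
    kept, dropped = screen_by_host(CAPTURES, SITE_UNDER_TEST)
    print("substring rule keeps:", [c["url"] for c in naive])
    print("host rule keeps:     ", [c["url"] for c in kept])
    print("host rule drops:     ", [c["url"] for c in dropped])
```

Deleting the dropped records, as the text prescribes, is the right default: they belong to other products and would otherwise be replayed against systems the test has no mandate for.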
And in the process of performing the second round of function test, the background adopts a silent test mode to perform a safety test process. After the functional tester logs in, the URL record of the functional tester in the first round of functional test can be called out, and the cookie is replaced by the current cookie so as to restore the availability of the test data in the first round (the test data in the first round needs to be used under the condition that the current tester logs in).
And sending the webpage data saved in the first round to a third-party safety testing tool for safety testing, and obtaining a safety testing result. The invention emphasizes the combination of functional test and safety test, and finally realizes the safety test at atomic level.
The third-party security testing system can comprise a plurality of security testing systems such as a news system, an awvs system and the like so as to cover most common vulnerabilities in the industry. For the atomic-level safety test, a distributed principle is adopted on the design architecture and the deployment, and distributed deployment, mutual independence and plug-and-play of the third-party missing scanning tools are ensured. The flexibility and expansibility of the system are greatly improved.
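The scheduling steps of the scenario above (filtering by the website under test, replacing the first-round cookie with the current one, distributing records across independent scanners and integrating the results) as an added Python model; this is example code, not the patent's own implementation. It assumes that the website filter is a URL host match, that the tester's online state is passed in as a flag, and that the scanners are stand-in callables where a deployment would call the third-party tools.

```python
# Added example, not the patent's code. Assumptions: "website to be tested" = URL
# host match; scanners are stand-in callables where a deployment calls third-party tools.
from dataclasses import dataclass, replace
from typing import Callable, Dict, List
from urllib.parse import urlparse

@dataclass(frozen=True)
class WebPageData:
    """One record copied by the proxy script: URL, cookie, header and body parameters."""
    url: str
    cookie: str
    headers: Dict[str, str]
    body: str

Scanner = Callable[[WebPageData], dict]

def filter_by_website(records: List[WebPageData], website_host: str) -> List[WebPageData]:
    """Filtering step: keep only records whose URL host is the product under test."""
    return [r for r in records if urlparse(r.url).hostname == website_host]

def refresh_cookie(records: List[WebPageData], current_cookie: str) -> List[WebPageData]:
    """Second round: swap the stored first-round cookie for the tester's current cookie."""
    return [replace(r, cookie=current_cookie) for r in records]

def distribute(records: List[WebPageData], scanners: Dict[str, Scanner]) -> Dict[str, List[dict]]:
    """Round-robin load balancing over independent scanners; each record goes to one system."""
    names = list(scanners)
    results: Dict[str, List[dict]] = {n: [] for n in names}
    for i, rec in enumerate(records):
        name = names[i % len(names)]
        results[name].append(scanners[name](rec))
    return results

def schedule(records, website_host, tester_online, current_cookie, scanners) -> List[dict]:
    """Data scheduling: run only while the tester is online; return integrated results (S406)."""
    if not tester_online:
        return []
    ready = refresh_cookie(filter_by_website(records, website_host), current_cookie)
    per_scanner = distribute(ready, scanners)
    return [res for name in per_scanner for res in per_scanner[name]]

def make_stub_scanner(name: str) -> Scanner:
    """Hypothetical stand-in for a third-party scanner: echoes what it received."""
    return lambda rec: {"scanner": name, "url": rec.url, "cookie": rec.cookie}

# Constructed sample data: three product requests plus one unrelated CDN request.
SAMPLE = [
    WebPageData("https://product.example.test/login", "sid=old1", {"Accept": "*/*"}, "user=a"),
    WebPageData("https://cdn.other.example.test/lib.js", "sid=old1", {}, ""),
    WebPageData("https://product.example.test/transfer", "sid=old1", {}, "amount=1"),
    WebPageData("https://product.example.test/logout", "sid=old1", {}, ""),
]
SCANNERS = {"scanner_a": make_stub_scanner("scanner_a"), "scanner_b": make_stub_scanner("scanner_b")}
```

Calling `schedule(SAMPLE, "product.example.test", True, "sid=new9", SCANNERS)` drops the CDN record, replays the three product records with the new cookie, and returns the results grouped by scanner.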
Referring to fig. 6, the present invention provides a first embodiment of a security testing apparatus, which mainly includes three modules:
a data acquisition module, a data scheduling module, and a silent test module.
The data acquisition module is used for copying the web page data generated by the functional test (i.e., extracting the URL and its corresponding parameters, cookie, and other parameters) through the software script and storing the web page data in the database.
The data scheduling module is used for identifying whether the functional tester is online; if so, it reads from the database the web page data saved during the functional tester's first round of functional testing, replaces the cookie in the web page data with the current cookie, sends the web page data from the database to the third-party security test system, and acquires the security test report generated by the third-party security test system.
The silent test module is used for completing background silent automatic security testing, and can cover functions such as SQL injection scanning, XSS scanning, unauthorized access point discovery, sensitive information recording, and file upload vulnerability discovery.
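The data acquisition module's copy-and-store step, as an added example that is not the patent's own code: it assumes the proxy script hands over each captured request as raw HTTP/1.1 text, rebuilds the URL from the Host header, and uses SQLite in place of the database.

```python
# Added example, not the patent's code: the data acquisition module's store step.
# Assumption: the proxy script hands over each request as raw HTTP/1.1 text and the
# URL is rebuilt from the Host header; SQLite stands in for the database.
import json
import sqlite3
from typing import Dict, List, Tuple

Record = Tuple[str, str, Dict[str, str], str]  # (url, cookie, headers, body), as in fig. 5

def parse_http_request(raw: str, scheme: str = "https") -> Record:
    """Split one raw request into URL, cookie, remaining header parameters and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    cookie = headers.pop("Cookie", "")  # kept separately so it can be refreshed later
    return f"{scheme}://{headers.get('Host', '')}{target}", cookie, headers, body

SCHEMA = """CREATE TABLE IF NOT EXISTS webpage_data (
    id INTEGER PRIMARY KEY, round INTEGER, url TEXT, cookie TEXT, headers TEXT, body TEXT)"""

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the capture database and make sure the table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def store(conn: sqlite3.Connection, round_no: int, raw: str) -> int:
    """Copy one captured request into the database; returns the row id.
    Called for every request until the functional test round is finished."""
    url, cookie, headers, body = parse_http_request(raw)
    cur = conn.execute(
        "INSERT INTO webpage_data (round, url, cookie, headers, body) VALUES (?, ?, ?, ?, ?)",
        (round_no, url, cookie, json.dumps(headers), body))
    conn.commit()
    return cur.lastrowid

def load_round(conn: sqlite3.Connection, round_no: int) -> List[Record]:
    """Read back every record of one functional test round, in capture order."""
    rows = conn.execute(
        "SELECT url, cookie, headers, body FROM webpage_data WHERE round = ? ORDER BY id",
        (round_no,))
    return [(u, c, json.loads(h), b) for u, c, h, b in rows]

# Constructed sample requests as the transparent proxy would see them.
SAMPLE_REQUESTS = [
    "GET /login?next=%2Fhome HTTP/1.1\r\nHost: product.example.test\r\n"
    "Cookie: sid=old1\r\nAccept: */*\r\n\r\n",
    "POST /transfer HTTP/1.1\r\nHost: product.example.test\r\nCookie: sid=old1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\namount=1&to=x",
]
```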
Referring to fig. 7, the present invention provides a second embodiment of a security testing apparatus, including:
a copying and storing unit 71, used for copying web page data generated in the testing process during functional testing of the product to be tested and storing it in a database, and repeating this step until the functional test is finished;
an extracting and sending unit 72, configured to extract the web page data of the product to be tested from the database and send it to a security test system;
and a receiving unit 73, configured to receive the security test result fed back by the security test system.
The above technical means achieve the following beneficial effects:
The invention provides a security test mode that combines the functional test and the security test of a product to be tested: during functional testing of the product to be tested, the web page data generated in the functional test process is copied and stored in a database, and this copy-and-store operation is repeated until the functional test is finished. The database therefore holds a large amount of web page data of the product to be tested.
By combining functional testing with security testing, the invention can simply and conveniently obtain product data with relatively comprehensive coverage, and then perform security testing based on that product data, thereby improving the coverage and efficiency of the security test.
The functions described in the method of the present embodiment, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, part of the contribution to the prior art of the embodiments of the present application or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A security test method, comprising:
during functional testing of a product to be tested, copying web page data generated in the testing process and storing it in a database, and repeating this step until the functional testing is finished;
extracting the web page data of the product to be tested from the database, and sending the web page data of the product to be tested to a security test system;
and receiving a security test result fed back by the security test system.
2. The method of claim 1, wherein, during functional testing of the product to be tested, copying the web page data generated in the testing process and storing it in the database, and repeating this step until the functional testing is finished, comprises:
while the product to be tested is functionally tested with browser software, copying the web page data generated during the functional test with a software script preset in the browser software and storing the web page data in a database;
and repeating this step until the functional testing is finished.
3. The method of claim 2, further comprising, after repeating the step until the functional testing is finished:
determining a website to be tested corresponding to the product to be tested;
screening the web page data in the database according to the website to be tested corresponding to the product to be tested;
and retaining only the web page data containing the website to be tested.
4. The method of claim 3, wherein extracting the web page data of the product to be tested from the database and sending the web page data of the product to be tested to a security test system comprises:
extracting the web page data of the product to be tested from the database in a silent test mode, and sending the web page data of the product to be tested to a security test system.
5. The method of claim 4, wherein, in the case of multiple security test systems, extracting the web page data of the product to be tested from the database and sending the web page data of the product to be tested to the security test systems comprises:
extracting the web page data of the product to be tested from the database;
and distributing the web page data of the product to be tested to the multiple security test systems in a load-balanced manner, so that the multiple security test systems each perform a security test on the product to be tested.
6. A security test device, comprising:
a copying and storing unit, used for copying web page data generated in the testing process during functional testing of a product to be tested and storing it in a database, and repeating this step until the functional testing is finished;
an extracting and sending unit, used for extracting the web page data of the product to be tested from the database and sending the web page data of the product to be tested to a security test system;
and a receiving unit, used for receiving a security test result fed back by the security test system.
7. A processing device, comprising:
a database device, used for storing web page data generated during functional testing of a product to be tested;
and a processor, used for copying web page data generated in the testing process during functional testing of the product to be tested and sending it to the database device, and repeating this step until the functional testing is finished; extracting the web page data of the product to be tested from the database and sending the web page data of the product to be tested to a security test system; and receiving a security test result fed back by the security test system.
8. The processing device of claim 7, wherein the processor is further used for:
while the product to be tested is functionally tested with browser software, copying the web page data generated during the functional test with a software script preset in the browser software and storing the web page data in a database;
and repeating this step until the functional testing is finished.
9. A security test system, comprising:
a processing device and a security test system;
the processing device being used for copying web page data generated in the testing process during functional testing of a product to be tested and storing it in a database, and repeating this step until the functional testing is finished; extracting the web page data of the product to be tested from the database, and sending the web page data of the product to be tested to the security test system; and receiving a security test result fed back by the security test system;
and the security test system being used for performing a security test on the web page data, generating a security test result, and sending it to the processing device.
10. A security test system, comprising:
a functional test device, a processing device and a security test system;
the functional test device being used for performing functional testing on a product to be tested, copying and sending web page data generated in the testing process during functional testing of the product to be tested, and repeating this step until the functional testing is finished;
the processing device being used for receiving the web page data generated during functional testing of the product to be tested and storing it in a database, and repeating this step until the functional testing is finished; extracting the web page data of the product to be tested from the database, sending the web page data of the product to be tested to the security test system, and receiving a security test result fed back by the security test system;
and the security test system being used for performing a security test on the web page data, generating a security test result, and sending it to the processing device.
CN201911419484.2A 2019-12-31 2019-12-31 Safety testing method and device Active CN111198819B (en)

Publications (2)

Publication Number Publication Date
CN111198819A true CN111198819A (en) 2020-05-26
CN111198819B CN111198819B (en) 2024-05-10
