CN111552645A - Open type safety compliance penetration testing system - Google Patents

Info

Publication number
CN111552645A
Authority
CN
China
Prior art keywords
module
data packet
testing
fuzz
safety compliance
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010357357.0A
Other languages
Chinese (zh)
Other versions
CN111552645B (en)
Inventor
周赟
曹嘉宁
许康先
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3676 Test management for coverage analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management

Abstract

The invention discloses an open type safety compliance penetration testing system comprising a data packet analysis module, an automated fuzz engine, a user-defined payload module, a report generation module and a work scheduling module. The data packet analysis module takes an HTTP protocol data packet in txt text format as input and parses it into structured data for testing. The automated fuzz engine exchanges data with the tested interface over the TCP protocol, and its program execution flow is asynchronous, so that the utilization of equipment resources and the testing efficiency can be maximized. With a penetration testing tool built according to the invention, security testers can quickly and efficiently create a safety compliance check item simply by defining the input, the output and the result judgment rules; the test coverage of service system interfaces is improved and the test time is greatly shortened.

Description

Open type safety compliance penetration testing system
Technical Field
The invention relates to a test system, in particular to an open type safety compliance penetration test system.
Background
Among the closest prior art solutions is the Burp Suite product of PortSwigger. Although this prior art solution can complete part of the penetration testing work manually, when the tested system has numerous and complex pages and parameters it causes the following two problems:
1: All system pages and parameters cannot be tested in a short period of time.
2: If only some pages and parameters are selected for testing, security problems may be missed.
The reason for problem 1 is that Burp Suite does not have the capability to check all system parameters fully automatically.
The reason for problem 2 is that the Burp Suite product depends heavily on the technical ability of the tester: a qualified technical expert selects likely vulnerabilities to test based on experience instead of testing all system parameters comprehensively, so security problems are missed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides an open type safety compliance penetration testing system.
To solve the above technical problems, the invention provides the following technical solution:
The invention relates to an open type safety compliance penetration testing system comprising a data packet analysis module, an automated fuzz engine, a user-defined payload module, a report generation module and a work scheduling module.
The data packet analysis module: an HTTP protocol data packet is input in txt text format and parsed by the module into structured data for testing.
The automated fuzz engine: the TCP protocol is used to exchange data with the tested interface, and the program execution flow is asynchronous, so that the utilization of equipment resources and the testing efficiency can be maximized. Specifically, a socket is used to establish a connection with the service interface, and multiple socket requests are established simultaneously through asynchronous calls; while waiting for network data to return, the CPU continues to create data packets to send, and when the requested data returns, a result-processing function is called back. This prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources.
The user-defined payload module: a rule input template is defined, so that a user can quickly generate a safety compliance rule with only a simple definition.
The report generation module: the report format required for penetration test results is generated quickly; the test results are stored as markdown text and can be quickly rendered using a result command.
The work scheduling module: it includes parameter parsing and automatic work scheduling functions and coordinates the workflow of the modules.
Compared with the prior art, the invention has the following beneficial effects:
1: The invention automatically tests all pages and related parameters of the system, which can multiply efficiency and save a large amount of time in system security testing.
2: The invention tests all pages and related parameters of the system comprehensively, ensures that no system parameter is omitted, and does not require the experience of technical experts to select which parameters to test.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic flow diagram of the system of the present invention;
FIG. 2 is a schematic diagram of an http packet of the present invention;
FIG. 3 is a diagram illustrating the present invention parsing into an httpParser object;
FIG. 4 is a schematic diagram of socket establishing connection and sending data according to the present invention;
FIG. 5 is a schematic diagram of a rule template of the present invention;
FIG. 6 is a diagram illustrating markdown source file rendering results of the present invention;
FIG. 7 is a schematic diagram of a markdown source file of the present invention;
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
Example 1
As shown in FIGS. 1-7, the present invention provides an open type safety compliance penetration testing system comprising a data packet analysis module, an automated fuzz engine, a user-defined payload module, a report generation module and a work scheduling module. The data packet analysis module takes an HTTP protocol data packet in txt text format as input and parses it into structured data for testing. The automated fuzz engine uses the TCP protocol to exchange data with the tested interface, and its program execution flow is asynchronous, so that the utilization of equipment resources and the testing efficiency can be maximized. Specifically, a socket is used to establish a connection with the service interface, and multiple socket requests are established simultaneously through asynchronous calls; while waiting for network data to return, the CPU continues to create data packets to send, and when the requested data returns, a result-processing function is called back. This prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources. The user-defined payload module defines a rule input template, so that a user can quickly generate a safety compliance rule with only a simple definition. The report generation module quickly generates the report format required for penetration test results; the test results are stored as markdown text and can be quickly rendered using a result command. The work scheduling module includes parameter parsing and automatic work scheduling functions and coordinates the workflow of the modules.
Specifically, the system comprises a data packet analysis module, an automated fuzz engine, a user-defined payload module, a report generation module and a work scheduling module.
Data packet analysis module: an HTTP protocol data packet is input in txt text format and parsed by the module into structured data for testing. For example, FIG. 2 shows a typical HTTP request data packet, which is parsed into an httpParser object by the httpParser class.
Automated fuzz engine: the TCP protocol is used to exchange data with the tested interface, so the fuzz engine is not limited to a particular application protocol and is general with respect to test objects; the program execution flow is asynchronous, so that the utilization of equipment resources and the testing efficiency can be maximized. Specifically, a socket is used to establish a connection with the service interface, and multiple socket requests are established simultaneously through asynchronous calls; while waiting for network data to return, the CPU continues to create data packets to send, and when the requested data returns, a result-processing function is called back. This prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources.
User-defined payload module: a rule input template is defined, so that a user can quickly generate a safety compliance rule with only a simple definition. The following is a rule template, where logpath sets the storage location of the logs of results produced during the scan; chapter sets the title of the test item; details of the test items are set by the clients; rule sets the rules that are matched against the socket return value obtained in the fuzz engine, and returned results are matched according to the defined characteristic values: a rule beginning with 0 means the test is passed, a rule beginning with 1 means the test is not passed, and a rule beginning with 2 means the test is not applicable. For example, with the rule "0 all temporal parameters do not expect expected to be objectable", a result that matches the characters "0 all temporal parameters do not expect expected to be objectable" is interpreted as meaning there is no SQL injection problem; the result stores the test result, and the result sets the test command used in the test item (os_command('ls', verbose)).
Report generation module: the report format required for penetration test results is generated quickly; the test results are stored as markdown text and can be quickly rendered using a result command.
Work scheduling module: it includes parameter parsing and automatic work scheduling functions and coordinates the workflow of the modules.
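The data packet analysis step described above, as an added Python example that is not code from the patent: it parses a raw HTTP request saved as text into structured data and lists every parameter location, so that coverage of "all parameters" can be checked. The ParsedRequest class, parse_request function and the sample request are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ParsedRequest:              # hypothetical stand-in for the httpParser object
    method: str
    path: str
    version: str
    headers: dict                 # header names lower-cased
    query: list                   # (name, value) pairs from the URL
    cookies: list                 # (name, value) pairs from the Cookie header
    body: list                    # (name, value) pairs from a form-encoded body

    def test_points(self):
        """Every (location, name) pair, so coverage can be counted per parameter."""
        return ([("query", n) for n, _ in self.query]
                + [("cookie", n) for n, _ in self.cookies]
                + [("body", n) for n, _ in self.body])


def parse_request(text):
    # Requests saved as .txt often carry bare LF instead of CRLF; normalise first.
    text = text.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    cookies = [tuple(p.strip() for p in item.split("=", 1))
               for item in headers.get("cookie", "").split(";") if "=" in item]
    form = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qsl(body.strip(), keep_blank_values=True)
    return ParsedRequest(method, url.path, version, headers,
                         parse_qsl(url.query, keep_blank_values=True), cookies, form)


# Constructed sample request (not the packet shown in the patent's FIG. 2).
SAMPLE = (
    "POST /account/update?lang=en&debug= HTTP/1.1\n"
    "Host: app.example.test\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Cookie: session=abc123; theme=dark\n"
    "\n"
    "name=alice&email=alice%40example.test\n"
)

if __name__ == "__main__":
    print(parse_request(SAMPLE).test_points())
```

Blank-valued parameters such as debug are kept on purpose, so an empty parameter still counts as a test point.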
With a penetration testing tool built according to the invention, security testers can quickly and efficiently create safety compliance check items simply by defining the input, the output and the result judgment rules; the test coverage of service system interfaces is improved and the test time is greatly shortened.
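The result judgment rules and markdown report described above, as an added Python example that is not code from the patent: rules carry the 0/1/2 prefix convention, are matched against returned text, and the verdicts are rendered as a markdown table. The field names chapter and rule come from the description; the function names, the precedence between verdicts, the "unmatched" outcome and the sample strings are assumptions.

```python
VERDICTS = {"0": "passed", "1": "failed", "2": "not applicable"}


def parse_rule(rule):
    """Split '<code> <characteristic value>' into (verdict, characteristic value)."""
    code, _, feature = rule.strip().partition(" ")
    if code not in VERDICTS or not feature.strip():
        raise ValueError(f"rule must start with 0, 1 or 2 plus a value: {rule!r}")
    return VERDICTS[code], feature.strip()


def evaluate(item, returned):
    """Match each rule's characteristic value against the returned text.

    Assumption of this example: a failing match outranks the others, and text
    that matches no rule is reported as 'unmatched', never counted as passed.
    """
    hits = [(v, f) for v, f in map(parse_rule, item["rule"]) if f in returned]
    for wanted in ("failed", "not applicable", "passed"):
        for verdict, feature in hits:
            if verdict == wanted:
                return {"chapter": item["chapter"], "verdict": verdict, "matched": feature}
    return {"chapter": item["chapter"], "verdict": "unmatched", "matched": ""}


def render_markdown(results):
    lines = ["# Compliance check results", "",
             "| Test item | Verdict | Matched value |", "| --- | --- | --- |"]
    for r in results:
        cells = [r["chapter"], r["verdict"], r["matched"]]
        # Escape pipes so returned text cannot break the table layout.
        lines.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(lines) + "\n"


# Constructed check item and outputs; the strings are not from the patent.
ITEM = {
    "chapter": "SQL injection check",
    "rule": ["0 no injectable parameter found",
             "1 parameter appears to be injectable",
             "2 target unreachable"],
}
OUTPUTS = ["scan finished: no injectable parameter found",
           "id parameter appears to be injectable",
           "connection reset by peer"]

if __name__ == "__main__":
    print(render_markdown([evaluate(ITEM, out) for out in OUTPUTS]))
```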
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (1)

1. An open type safety compliance penetration testing system, comprising: a data packet analysis module, an automated fuzz engine, a user-defined payload module, a report generation module and a work scheduling module;
wherein the data packet analysis module: an HTTP protocol data packet is input in txt text format and parsed by the module into structured data for testing;
wherein the automated fuzz engine: the TCP protocol is used to exchange data with the tested interface, and the program execution flow is asynchronous, so that the utilization of equipment resources and the testing efficiency can be maximized; specifically, a socket is used to establish a connection with the service interface, multiple socket requests are established simultaneously through asynchronous calls, the CPU continues to create data packets to send while waiting for network data to return, and when the requested data returns, a result-processing function is called back, which prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources;
wherein the user-defined payload module: a rule input template is defined, so that a user can quickly generate a safety compliance rule with only a simple definition;
wherein the report generation module: the report format required for penetration test results is generated quickly; the test results are stored as markdown text and can be quickly rendered using a result command;
wherein the work scheduling module: it includes parameter parsing and automatic work scheduling functions and coordinates the workflow of the modules.
CN202010357357.0A 2020-04-29 2020-04-29 Open type safety compliance penetration test system Active CN111552645B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010357357.0A CN111552645B (en) 2020-04-29 2020-04-29 Open type safety compliance penetration test system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010357357.0A CN111552645B (en) 2020-04-29 2020-04-29 Open type safety compliance penetration test system

Publications (2)

Publication Number Publication Date
CN111552645A (en) 2020-08-18
CN111552645B (en) 2023-05-12

Family

ID=72003295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010357357.0A Active CN111552645B (en) 2020-04-29 2020-04-29 Open type safety compliance penetration test system

Country Status (1)

Country Link
CN (1) CN111552645B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090271351A1 (en) * 2008-04-29 2009-10-29 Affiliated Computer Services, Inc. Rules engine test harness
CN105681126A (en) * 2015-12-30 2016-06-15 合一网络技术(北京)有限公司 Automatic test method and system based on protocol interface
CN105740148A (en) * 2016-01-29 2016-07-06 博雅网信(北京)科技有限公司 Script engine system of mobile terminal automation test and testing method
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陈晓梅;田洋;王宝生;: "基于AX4000的路由器用户自定义报文性能测试设计与实现" *

Also Published As

Publication number Publication date
CN111552645B (en) 2023-05-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant