CN111552645B - Open type safety compliance penetration test system - Google Patents
Open type safety compliance penetration test system
- Publication number
- CN111552645B
- Authority
- CN
- China
- Prior art keywords
- module
- data packet
- fuzz
- engine
- safety compliance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3676—Test management for coverage analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses an open type safety compliance penetration test system comprising a data packet analysis module, an automated fuzz engine, a custom payload module, a report generation module and a work scheduling module. The data packet analysis module takes an HTTP protocol data packet in txt text format as input and parses it into structured data for testing. The automated fuzz engine uses the TCP protocol to exchange data with the interface under test, and its program execution flow is asynchronous, so that device resource utilization and testing efficiency can be maximized. With a penetration test tool built according to the invention, security testers can prepare safety compliance inspection items quickly and efficiently by simply defining the inputs, outputs and result judgment rules; the test coverage of a service system's interfaces is improved and the test time is greatly shortened.
Description
Technical Field
The invention relates to a testing system, in particular to an open type safety compliance penetration testing system.
Background
Of the prior art, the closest solution is the Burp Suite product from PortSwigger. Although that solution can be used to complete part of a penetration test manually, when the system under test has numerous and complex pages and parameters it causes the following 2 problems:
1: Testing all system pages and parameters cannot be done in a short period of time.
2: Selectively testing only some of the pages and parameters can result in missed security issues.
Problem 1 arises because Burp Suite does not have the ability to check all system parameters fully automatically.
Problem 2 arises because the Burp Suite product relies heavily on the tester's technical ability: experienced technical specialists choose, based on experience, the likely weak points to test rather than testing all system parameters comprehensively, which can lead to missed security issues.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide an open type safety compliance penetration test system.
In order to solve the technical problems, the invention provides the following technical scheme:
The invention provides an open safety compliance penetration test system comprising: a data packet analysis module, an automated fuzz engine, a custom payload module, a report generation module and a work scheduling module;
wherein the data packet analysis module: takes an HTTP protocol data packet in txt text format as input and parses it into structured data for testing;
wherein the automated fuzz engine: uses the TCP protocol to exchange data with the interface under test, and its program execution flow is asynchronous, so as to maximize device resource utilization and testing efficiency. Specifically, a socket is used to establish a connection with the service interface, and multiple socket requests are established simultaneously through asynchronous calls; while waiting for the network to return data, the CPU continues to build data packets to send, and when the requested data returns, a result processing function is called back. This prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources;
wherein the custom payload module: defines a rule input template, so that a user can quickly generate safety compliance rules with only a simple definition;
wherein the report generation module: quickly generates the report format required for penetration test results; the test results are stored as markdown text and can be quickly rendered by using a result command;
wherein the work scheduling module: provides parameter parsing and an automatic job scheduling function, and coordinates the workflows of the modules.
Compared with the prior art, the invention has the following beneficial effects:
1: The invention automatically tests all pages and related parameters of the system, can improve efficiency several-fold, and saves a great deal of system security testing time.
2: The invention comprehensively tests all pages and related parameters of the system, ensuring that no system parameter is missed, without relying on a technical expert's experience to select which parameters to test.
Drawings
The accompanying drawings provide a further understanding of the invention and constitute a part of this specification; together with the embodiments, they serve to explain the invention. In the drawings:
FIG. 1 is a schematic flow diagram of a system of the present invention;
FIG. 2 is a schematic diagram of an HTTP data packet according to the present invention;
FIG. 3 is a schematic diagram of the parsing into an httpParser object according to the present invention;
FIG. 4 is a schematic diagram of socket connection establishment and data transmission according to the present invention;
FIG. 5 is a schematic diagram of a rule template of the present invention;
FIG. 6 is a schematic diagram of a markdown source file rendering result of the present invention;
FIG. 7 is a schematic representation of a markdown source file of the present invention;
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
Example 1
As shown in FIGS. 1-7, the present invention provides an open safety compliance penetration testing system comprising: a data packet analysis module, an automated fuzz engine, a custom payload module, a report generation module and a work scheduling module. The data packet analysis module takes an HTTP protocol data packet in txt text format as input and parses it into structured data for testing. The automated fuzz engine uses a socket to establish a connection with the service interface and establishes multiple socket requests simultaneously through asynchronous calls; while waiting for the network to return data, the CPU continues to build data packets to send, and when the requested data returns, a result processing function is called back, which prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources. The custom payload module defines a rule input template, so that a user can quickly generate safety compliance rules with only a simple definition. The report generation module quickly generates the report format required for penetration test results; the test results are stored as markdown text and can be quickly rendered by using a result command. The work scheduling module provides parameter parsing and an automatic job scheduling function, and coordinates the workflows of the modules.
Specifically, the system comprises: a data packet analysis module, an automated fuzz engine, a custom payload module, a report generation module and a work scheduling module.
Data packet analysis module: an HTTP protocol data packet is input in txt text format and parsed by the module into structured data for testing. For example, FIG. 2 shows a typical HTTP request data packet, which is parsed into an httpParser object by the httpParser class;
Automated fuzz engine: the TCP protocol is used to exchange data with the interface under test, so the fuzz engine is not limited to one particular application protocol and can be applied to a wider range of test objects; at the same time, the program execution flow is asynchronous, so that device resource utilization and testing efficiency can be maximized. Specifically, a socket is used to establish a connection with the service interface, and multiple socket requests are established simultaneously through asynchronous calls; while waiting for the network to return data, the CPU continues to build data packets to send, and when the requested data returns, a result processing function is called back, which prevents the CPU from blocking on network I/O and makes maximum use of CPU and bandwidth resources;
Custom payload module: a rule input template is defined, and a user can quickly generate safety compliance rules by simply filling it in. In the rule template, logpath sets the storage location of the logs generated during the scan; chapter sets the test item title; details sets the test item details; rule sets the matching rules applied to the socket return values obtained from the fuzz engine: the returned results are matched against the defined characteristic values, and the rule setting is used to indicate that the test passes, that the test fails (rule set at 0), or that the rule is not applicable. For example, with the rule "0all tested parameters do not appear to be injectable" set, a result that matches the characters "0all tested parameters do not appear to be injectable" is interpreted as meaning that there is no SQL injection problem; result stores the test results, and result=os_command('ls', verbose) sets the test command used in the test item;
Report generation module: quickly generates the report format required for penetration test results; the test results are stored as markdown text and can be quickly rendered by using a result command;
Work scheduling module: provides parameter parsing and an automatic job scheduling function, and coordinates the workflows of the modules.
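The data packet analysis step described above, as an added example that is not code from the patent: the patent names an httpParser class but does not show it, so the `ParsedRequest` fields, the function names and the sample request below are all assumptions. The parser inventories every query, cookie and form parameter, and `coverage_gaps` reports which ones a test plan leaves out.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of a request saved as plain text (not from the patent).
SAMPLE_REQUEST = (
    "POST /account/update?lang=en&debug= HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "name=alice&email=a%40b.test"
)


@dataclass
class ParsedRequest:  # hypothetical structure, named for this example only
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)
    params: list = field(default_factory=list)  # (location, name, value)


def parse_http_text(raw: str) -> ParsedRequest:
    """Parse a raw HTTP/1.x request saved as text into structured data."""
    # Text files often lose CRLF line endings; accept both forms.
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    url = urlsplit(target)
    req = ParsedRequest(method, url.path, version)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        req.headers[name.strip().lower()] = value.strip()
    # Inventory every parameter, including empty ones, so none is skipped.
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        req.params.append(("query", k, v))
    for pair in filter(None, req.headers.get("cookie", "").split(";")):
        k, _, v = pair.strip().partition("=")
        req.params.append(("cookie", k, v))
    ctype = req.headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(body.strip(), keep_blank_values=True):
            req.params.append(("body", k, v))
    return req


def coverage_gaps(req: ParsedRequest, tested: set) -> list:
    """Return (location, name) pairs that the test plan does not cover."""
    return [(loc, n) for loc, n, _ in req.params if (loc, n) not in tested]
```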
With a penetration test tool built according to the invention, security testers can prepare safety compliance check items quickly and efficiently by simply defining the inputs, outputs and result judgment rules; the test coverage of a service system's interfaces is improved and the test time is greatly shortened.
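The asynchronous request flow described for the automated fuzz engine, as an added example that is not code from the patent: Python's asyncio stands in for the patent's unspecified asynchronous calling method, and the loopback stub service, function names and payloads are assumptions. Ten requests that each wait 0.2 s on the service finish in roughly 0.2 s overall, because each wait hands the CPU back to the event loop instead of blocking.

```python
import asyncio


async def send_one(host, port, payload, on_result):
    """One TCP exchange; each await hands the CPU back to the event loop."""
    reader, writer = await asyncio.open_connection(host, port)
    writer.write(payload + b"\n")
    await writer.drain()
    reply = await reader.readline()      # waiting here does not block others
    writer.close()
    await writer.wait_closed()
    on_result(payload, reply.rstrip(b"\n"))


def run_demo(payloads, delay=0.2):
    """Send every payload concurrently; return (results, elapsed_seconds)."""
    results = {}

    def on_result(payload, reply):       # result-processing callback
        results[payload] = reply

    async def stub_service(reader, writer):
        # Constructed loopback stand-in for the interface under test:
        # simulate latency, then acknowledge the received line.
        line = await reader.readline()
        await asyncio.sleep(delay)
        writer.write(b"ACK " + line)
        await writer.drain()
        writer.close()

    async def main():
        server = await asyncio.start_server(stub_service, "127.0.0.1", 0)
        port = server.sockets[0].getsockname()[1]
        loop = asyncio.get_running_loop()
        start = loop.time()
        try:
            await asyncio.gather(
                *(send_one("127.0.0.1", port, p, on_result) for p in payloads)
            )
        finally:
            server.close()
        return loop.time() - start

    elapsed = asyncio.run(main())
    return results, elapsed
```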
Finally, it should be noted that the foregoing describes only a preferred embodiment of the present invention and is not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions described in those embodiments or substitute equivalents for some of their technical features. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within its scope of protection.
Claims (1)
1. An open safety compliance penetration testing system, comprising: a data packet analysis module, an automated fuzz engine, a custom payload module, a report generation module and a work scheduling module;
wherein the data packet analysis module: takes an HTTP protocol data packet in txt text format as input and parses it into structured data for testing;
wherein the automated fuzz engine: uses a socket to establish a connection with the service interface and establishes multiple socket requests simultaneously through asynchronous calls; while waiting for the network to return data, the CPU continues to build data packets to send, and when the requested data returns, a result processing function is called back, so as to prevent the CPU from blocking on network I/O and make maximum use of CPU and bandwidth resources;
wherein the custom payload module: defines a rule input template, so that a user can quickly generate safety compliance rules with only a simple definition;
wherein the report generation module: quickly generates the report format required for penetration test results; the test results are stored as markdown text and can be quickly rendered by using a result command;
wherein the work scheduling module: provides parameter parsing and an automatic job scheduling function, and coordinates the workflows of the data packet analysis module, the automated fuzz engine, the custom payload module and the report generation module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010357357.0A CN111552645B (en) | 2020-04-29 | 2020-04-29 | Open type safety compliance penetration test system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111552645A (en) | 2020-08-18 |
CN111552645B (en) | 2023-05-12 |
Family
ID=72003295
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010357357.0A Active CN111552645B (en) | 2020-04-29 | 2020-04-29 | Open type safety compliance penetration test system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111552645B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||