CN111770079B - Method and device for detecting vulnerability injection of web framework - Google Patents


Info

Publication number: CN111770079B
Application number: CN202010591709.9A
Authority: CN (China)
Prior art keywords: web application, framework, character string, response, detection
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111770079A
Inventors: 田杰, 张鑫, 符春辉, 吴骁
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd, with priority to CN202010591709.9A; published as CN111770079A and granted as CN111770079B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The application discloses a method and a device for detecting a web frame injection vulnerability. The method comprises the following steps: a client sends a web application a first probe request that contains a random character string designed to trigger an abnormal response; when the first response content contains that random character string, the client determines the potential frame injection vulnerability injection point of the web application and generates a tag group to be closed; the client then combines this tag group with a rule group for probing how the web application processes input data and with the abnormal-response-triggering character string to generate a probe code, injects the probe code into the potential injection point, sends a corresponding second probe request to the web application, and obtains the second response content. The client then generates a frame code, injects it into the potential frame injection vulnerability injection point, sends a corresponding third probe request, and obtains the third response content. When the injected frame code is determined to have been executed, the web application is determined to have a frame injection vulnerability. This solves the problem that, in the prior art, web frame injection vulnerabilities cannot be detected efficiently and comprehensively.

Description

Method and device for detecting vulnerability injection of web framework
Technical Field
The application relates to the technical field of network security, in particular to a method and a device for detecting a web frame injection vulnerability.
Background
With the spread of internet technology, web applications keep growing in size, and so does the intrusion threat they face; once a web application is attacked, the consequences can be serious. Common web application vulnerabilities include XSS injection, frame injection and link injection, and frame injection is one of the common vulnerabilities in the network security field. If such a vulnerability is exploited by an attacker, the attacker can steal user login credentials, take over user accounts, and even control the whole web application and obtain privileges on its server, causing irreparable loss and serious harm to the web application and its users.
Generally, a frame injection vulnerability detection method injects a probe code that contains a frame code: the probe code constructs a frame code prefixed with a fixed set of closing tags, substitutes it into a potential frame injection vulnerability injection point of the web application under test, obtains the response content, and reports a frame injection vulnerability if the frame code from the probe code is found in the response content and can be executed.
However, the existing frame injection vulnerability detection method has three shortcomings. First, because some tags are left unclosed, the frame code may not be executed, so the frame injection vulnerability is missed. Second, if the presence of a frame injection vulnerability is judged only by whether the frame code appears in the response content, without considering whether the frame code is actually executed, a frame injection vulnerability is falsely reported. Third, because the closing-tag prefix is fixed, the probe code may exceed the input length the website allows, so the probe code cannot be injected and the frame injection vulnerability is again missed. Therefore, to detect frame injection vulnerabilities of web applications accurately and flexibly, the invention provides a frame injection vulnerability detection method.
Disclosure of Invention
The embodiment of the application provides a method and a device for detecting a web frame injection vulnerability, aiming to solve the problems in the prior art that the coverage of frame injection vulnerability detection scenarios of web applications is not comprehensive enough and that missed reports and false reports occur.
In a first aspect, an embodiment of the present application provides a method for detecting a web frame injection vulnerability, including:
the client sends a first probe request to the web application, where the first probe request contains a random character string that triggers an abnormal response; this random character string is a combination of an ordinary random character string and an abnormal-response-triggering character string. When the first response content received from the web application contains the random character string triggering the abnormal response, the client determines a potential frame injection vulnerability injection point of the web application from where that string appears in the first response content. The client then generates a tag group to be closed from the position of the random character string in the first response content and from the first response content itself. Next, the client generates a probe code from the tag group to be closed, a rule group for probing how the web application processes input data, and the abnormal-response-triggering character string; after injecting the probe code into the potential frame injection vulnerability injection point, it sends a second probe request containing the probe code to the web application. The client then obtains the second response content corresponding to the second probe request and determines the web application's data processing characteristic set from it. Finally, the client generates a frame code from the data processing characteristic set, a frame injection vulnerability detection rule template, the tag group to be closed and the abnormal-response-triggering character string.
After injecting the frame code into the potential frame injection vulnerability injection point, the client sends a third probe request containing the frame code to the web application. It then obtains the response content corresponding to the third probe request, and when it determines from that response content that the frame code has been executed, the client determines that the web application has a frame injection vulnerability.
Because the abnormal-response-triggering character string makes the web application return abnormal content, and a web application in that abnormal state may still carry a frame injection vulnerability, covering the abnormal case makes the detection more comprehensive. Further, the ordinary random character string lets the client quickly locate the potential frame injection vulnerability injection point, so the frame injection vulnerability can be detected faster. That is, since a web application with a frame injection vulnerability injection point reflects the injected data in its response content, the embodiment of the present application decides whether a potential frame injection vulnerability injection point exists, and where it is, by searching the response content for the injected random character string that triggers the abnormal response. For example, the client submits the random character string "857092')" to the web application, where "857092" is the ordinary random character string and "')" is the abnormal-response-triggering character string. After receiving the first response content from the web application, the client searches it for "857092')", and when the injected data "857092')" is found, the corresponding injection position is determined to be a potential frame injection vulnerability injection point of the web application.
The method provides a flexible and accurate frame injection vulnerability detection technique that detects frame injection vulnerabilities of web applications accurately, so that the application's operation and maintenance personnel can be informed in time to repair them and attackers are prevented from using the vulnerability to launch further attacks.
In one possible design, generating the tag group to be closed from the position of the random character string triggering the abnormal response in the first response content and from the first response content includes: the client segments the response content into character strings and determines the n-1 character strings that follow the positions of the random character string in the response content. The client then generates the tag group to be closed from these n-1 character strings. Segmenting the response content prepares for the subsequent extraction of an effective tag group to be closed, so that scenario coverage is more comprehensive, missed and false reports of frame injection vulnerabilities are reduced, and detection efficiency is improved.
In one possible design, for a first character string among the n-1 character strings (the first character string being any one of them), the client obtains the m initial HTML tags corresponding to that character string and performs forward identical cancellation on them to obtain a de-duplicated first tag set; it then de-duplicates the n-1 first tag sets corresponding to the n-1 character strings and intersects the result with a preset tag set to obtain the final tag group to be closed. Because the final tag group is obtained after pairwise de-duplication and intersection, the frame code injected in the subsequent steps is shorter, which makes frame injection vulnerability detection more effective and more efficient.
In one possible design, the client generates the frame code from the data processing characteristic set and the tag group to be closed as follows: the client fills in the tags of a frame injection vulnerability detection template according to the data processing characteristic set to generate a frame injection vulnerability detection rule, where the template comprises a protocol identifier, a frame identifier, a random domain name and a symbol identifier. The client then generates the frame code from the frame injection vulnerability detection rule, the tag group to be closed and the abnormal-response-triggering character string.
The client processes the tags in the frame injection vulnerability detection rule template according to the data processing characteristic set to generate the frame injection vulnerability detection rule. Specifically, the client transforms the tags in the template according to the data processing characteristic set, for example by converting the format of the protocol identifier, the frame identifier, the random domain name and the symbol identifier, to generate the rule. The client then generates the frame code from the rule, the tag group to be closed and the abnormal-response-triggering character string. In the embodiment of the application, generating the frame code this way lets the third probe request detect more accurately how the web application processes input data, helps find the frame injection vulnerability more accurately, helps the operation and maintenance personnel maintain the web application, and enhances network security.
In one possible design, the client generating the probe code from the tag group to be closed includes: generating the probe code from the tag group to be closed, the abnormal-response-triggering character string, multiple groups of random numbers, and a rule group for probing how the web application processes input data. The rule group includes at least one reference datum. While probing the web application's processing characteristics for input data, the client uses the preset reference data in the rules to test, for instance, how the web application handles "//": when the value returned after the web application processes "//" is "/", this indicates that the web application converts "//" into "/". With this technical scheme, frame injection vulnerabilities in the web application can be detected more quickly and accurately.
In one possible design, the length of the concatenated character string composed of the multiple groups of random numbers and the rule group does not exceed the maximum length of the vulnerability detection rule in the frame code. Limiting the length of this concatenated string in the probe code, and the length of the frame code string, ensures reliable detection and avoids a detection result being invalidated because the injected string is too long.
In one possible design, the client determining the data processing characteristic set of the web application from the second response content includes: obtaining, from the second response content, the response content corresponding to the multiple groups of random numbers and the rule group for probing the web application's input data processing characteristics, and determining the web application's data processing characteristic set for input data from them. That is, the client locates the reference data as processed by the web application by means of the groups of random numbers in the second response content, and from that determines the data processing characteristic set. This prepares for the subsequent detection, helps generate more accurate probe requests, and improves detection efficiency.
In one possible design, the set of data processing characteristics includes at least one of processing characteristics of the web application with respect to filtering of data and processing characteristics of the web application with respect to encoding of data.
In one possible design, before sending the first probe request to the web application, the method includes: collecting each web page under the web application to be detected and determining the web applications and web pages that satisfy preset conditions. Optionally, a preset crawler automatically fetches each web page under the web application to be detected and selects the web pages whose uniform resource locator (URL) address contains a 'parameter=parameter value' form; during frame injection vulnerability detection, the generated random character string, probe code and frame code can then replace the parameter value before the corresponding probe request is sent, so that frame injection vulnerabilities in the web application are detected better and detection efficiency is improved.
In a second aspect, an embodiment of the present application provides a web frame injection vulnerability detection apparatus, including:
a sending unit, a receiving unit and a processing unit, where the sending unit is configured to send a first probe request to a web (world wide web) application, the first probe request containing a random character string that triggers an abnormal response; the random character string triggering the abnormal response is a combination of an ordinary random character string and an abnormal-response-triggering character string;
the processing unit is configured to determine a potential frame injection vulnerability injection point of the web application when the random character string triggering the abnormal response is contained in the first response content received from the web application;
the processing unit is further configured to generate a tag group to be closed from the position at which the random character string triggering the abnormal response appears in the first response content and from the first response content;
the processing unit is further configured to generate a probe code from the tag group to be closed, the rule group for probing how the web application processes input data, and the abnormal-response-triggering character string;
the sending unit is further configured to send a second probe request containing the probe code to the web application after the probe code is injected into the potential frame injection vulnerability injection point;
the receiving unit is configured to obtain second response content corresponding to the second probe request;
the processing unit is further configured to determine a data processing characteristic set of the web application from the second response content;
the processing unit is further configured to generate a frame code from the data processing characteristic set, the frame injection vulnerability detection rule template, the tag group to be closed and the abnormal-response-triggering character string;
the sending unit is further configured to send a third probe request containing the frame code to the web application after the frame code is injected into the potential frame injection vulnerability injection point;
the receiving unit is further configured to obtain third response content corresponding to the third probe request;
and the processing unit is further configured to determine that the web application has a frame injection vulnerability when it determines from the third response content that the frame code has been executed.
In one possible design, the processing unit is specifically configured to segment the response content into character strings, determine the n-1 character strings that follow the positions at which the random character string triggering the abnormal response appears in the response content, and generate the tag group to be closed from those n-1 character strings.
In one possible design, the processing unit is specifically configured to, for a first character string among the n-1 character strings (the first character string being any one of them), obtain the m initial HTML tags corresponding to that character string and perform forward identical cancellation on them to obtain a de-duplicated first tag set; and to de-duplicate the n-1 first tag sets corresponding to the n-1 character strings and then intersect the result with a preset tag set to obtain the final tag group to be closed.
In one possible design, the processing unit is specifically configured to fill in the tags of a frame injection vulnerability detection rule template according to the data processing characteristic set to generate a frame injection vulnerability detection rule, the template comprising a protocol identifier, a frame identifier, a random domain name and a symbol identifier; and to generate the frame code from the frame injection vulnerability detection rule, the tag group to be closed and the abnormal-response-triggering character string.
In one possible design, the processing unit is specifically configured to generate the probe code from the tag group to be closed, the abnormal-response-triggering character string, multiple groups of random numbers, and a rule group for probing the web application's characteristics in processing input data; the rule group is used to probe at least one characteristic of the web application's processing of input data.
In one possible design, the length of the concatenated character string composed of the multiple groups of random numbers and the rule group does not exceed the maximum length of the vulnerability detection rule in the frame code.
In a possible design, the processing unit is specifically configured to obtain, from the second response content, the response content corresponding to the multiple groups of random numbers and the rule group for probing the web application's input data processing characteristics, and to obtain the data processing characteristic set from them. The data processing characteristic set includes at least one of the web application's processing characteristics with respect to data filtering and its processing characteristics with respect to data encoding.
In a possible design, before the first probe request is sent to the web application, the processing unit is further configured to collect the web applications to be detected and determine the web application that satisfies the preset condition.
In a third aspect, another embodiment of the present invention provides a computing device, which includes a memory and a processor, wherein the memory is used for storing a computer program, and the processor is used for calling the program stored in the memory, and executing any one of the methods in the first aspect according to the obtained program.
In a fourth aspect, another embodiment of the present invention provides a computer storage medium, where a computer-executable program is stored, and the computer-executable program is used to make a computer execute any one of the methods in the first aspect.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario for detecting a web frame injection vulnerability provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of a method for detecting a web frame injection vulnerability according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram of a web frame injection vulnerability detection process provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a computing device of a web frame injection vulnerability detection apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Referring to fig. 1, the application scenario for detecting a web frame injection vulnerability includes a client 10 and a web server 20. Optionally, in an embodiment of the present invention, the client 10 may include, but is not limited to, at least one of a mobile phone, a tablet computer, a notebook computer and a PC. The client 10 runs a web browser, through which a user can send probe requests to the web application; the web application is located on the web server 20, which returns the corresponding response content for each probe request it receives.
For example, a user enters the URL (Uniform Resource Locator) address of the web application under test into the web browser on the client 10; the client 10 then sends various probe requests over the network to the web application on the web server 20, obtains the corresponding response content, and detects the web application's frame injection vulnerability status from the different response contents.
It should be noted that a vulnerability is a weakness or defect in a system; it may stem from a flaw in the design of application software or an operating system, from an error introduced during coding, or from a design flaw or unreasonable step in the logic flow of a service during interactive processing. Because vulnerabilities greatly affect the security of networks, systems, terminals, servers and the like, detecting and repairing existing vulnerabilities is very important for the security of the target. When performing vulnerability detection on the web application under test, the detection must follow the characteristics of the specific web application: the data processing characteristics of different web applications and the effective tags to be closed at different injection points are determined, which avoids missed detections and completes the frame injection vulnerability detection of the web application under test efficiently and accurately.
Together with the system architecture diagram for detecting web frame injection vulnerabilities, an embodiment of the present invention further provides the flow diagram of a method for detecting web frame injection vulnerabilities shown in fig. 2, which specifically includes:
in step 201, the client 10 sends a first probe request to the web application on the web server 20, where the first probe request contains a random character string capable of triggering an abnormal response; when the first response content that the client 10 receives from the web application contains that random character string, a potential frame injection vulnerability injection point of the web application is determined.
The random character string for triggering the abnormal response is a combination of an ordinary random character string and an abnormal-response-triggering character string. The ordinary random character string is produced by a random string generator and may consist of digits, letters or both, such as "857092". The abnormal-response-triggering character string may include characters such as "'" and ")". For example, the random character string may be "857092')". Referring to fig. 1, when the random string triggering the abnormal response is contained in the first response content that the client 10 receives from the web application on the web server 20, the client 10 can determine a potential frame injection vulnerability injection point of the web application from where that random string appears in the first response content.
For example, the client 10 sends probe requests to each qualifying web page of a web application such as "www.abc.com" on the web server 20. The client 10 may determine that a URL address contains a web page in the 'parameter=parameter value' form, such as the page with URL address "www.abc.com/test=123", and send that page a first probe request containing the random character string "857092')" that triggers an abnormal response. Specifically, the client 10 replaces the parameter value "123" in the web page "www.abc.com/test=123" with the random character string "857092')"; after the web server 20 receives the probe request, it looks up the page according to the request and returns the corresponding first response content; when the client 10 detects that the first response content contains the ordinary random character string "857092", it considers that the web page "www.abc.com/test=123" of the web application has a potential frame injection vulnerability injection point. With this technical scheme, the web application and injection point that may have a frame injection vulnerability are found quickly, which prepares for the subsequent detection of the frame injection vulnerability and improves detection efficiency. In addition, in the embodiment of the application, by substituting the abnormal-response-triggering character string for the parameter value, the client 10 makes the web application return abnormal response content and then performs frame injection vulnerability detection on that abnormal response content, which expands the coverage of frame injection vulnerability detection scenarios and improves the detection rate.
In step 202, the client 10 generates a tag group to be closed according to the first response content and the positions at which the random character string triggering the abnormal response appears in it.
Specifically, the client 10 determines the positions of the random character string triggering the abnormal response in the first response content, segments the first response content using each occurrence as a segmentation node, takes from each resulting segment the character string that follows the random character string, and generates the tag group to be closed from those character strings.
Illustratively, the client 10 looks up the ordinary random character string "857092" in the first response content, extracts from the first response content the tag group to be closed according to the random character string "857092')" triggering the abnormal response, and finally determines that the tag group to be closed is "</textarea>". This prepares for the subsequent detection. Compared with the prior art, which injects the same fixed closing tags into every detected web page, it reduces false alarms caused by inaccurate closing tags in the injected content and avoids the situation in which the injected character string is too long and the web page fails to respond. The method and device can therefore accurately detect the framework injection vulnerability present in the web application, which helps operation and maintenance personnel maintain the web application and improves its security.
In step 203, the client 10 generates a probe code according to the tag group to be closed, injects the probe code into the potential framework injection vulnerability injection point, and sends a second probe request containing the probe code to the web application. The client 10 then obtains the second response content corresponding to the second probe request and determines a data processing feature set of the web application from it.
In one possible embodiment, the probe code consists of the tag group to be closed, the triggering abnormal response character string, multiple groups of random numbers, and a rule group that probes how the web application processes input data. Further, the length of the spliced character string formed by the random number groups and the rule group in the probe code does not exceed the maximum length of the vulnerability detection rule in the framework code. In the embodiment of the application, the client 10 limits the length of this spliced character string relative to the length of the vulnerability detection rule in the framework code. Thus, where a web application restricts the length of input character strings, the tag group to be closed can be generated dynamically from the position at which each injection point is echoed in the response content of each web page, and the saved length can be reserved for the framework code. The framework injection vulnerability can then be detected efficiently and accurately within the input limit, and the different data injected during feature detection and during vulnerability detection are treated consistently by the web application's input validation, which ensures the reliability of the framework injection vulnerability detection to the greatest extent.
In a specific implementation, the length of the spliced character string formed by the random number groups and the rule group in the probe code, and the preset length of the vulnerability detection rule in the framework code, may be determined manually or after probing the input length accepted by the web application. Optionally, the length limits of the probe code and of the framework code may be set to different values or to the same value.
Further, in the embodiment of the application, the client 10 determines, through the probe request and logical reasoning about its result, how the detected web application processes input data, and adaptively adjusts the framework injection vulnerability detection rule according to these characteristics, so that the framework injection vulnerability is detected accurately and the detection accuracy and reliability are improved.
In step 204, the client 10 generates a framework code according to the data processing feature set and the tag group to be closed. After injecting the framework code into the potential framework injection vulnerability injection point, the client 10 sends a third probe request containing the framework code to the web application. The client 10 then obtains the third response content corresponding to the third probe request, and determines that the web application has a framework injection vulnerability when it determines from the third response content that the framework code was executed.
For ease of understanding, the web framework injection vulnerability detection method provided in the embodiments of the present application is further described below.
In a possible embodiment, before step 201, the client 10 collects the web pages of the web application to be detected and determines the web application and the corresponding web pages that meet a preset condition. Illustratively, the user enters the web address of the web application to be detected, such as "www.abc.com", in the client 10. The client 10 automatically fetches each web page of the web application that meets the preset condition by means of a preset web crawler (a program that automatically acquires web page content). For example, web pages whose web address contains the form "a=X" are found, such as the web page "www.abc.com/test=123". Finding the web pages of the web application to be detected that meet the preset condition prepares for the subsequent framework injection vulnerability detection and improves its efficiency.
In one possible embodiment, step 201 includes: for a web page of the web application to be detected that meets the preset condition (for example, "www.abc.com/test=123"), the client 10 performs the following processing: it sends to the web page a first probe request containing a random character string that triggers an abnormal response. Optionally, the random character string triggering the abnormal response may be a combination of an ordinary random character string and a triggering abnormal response character string: the random character string generator generates the ordinary random character string, such as "857092", and the user may preset the triggering abnormal response character string, such as "'" or ")". The triggering abnormal response character string may include, but is not limited to, any of "'" and ")". Illustratively, the random character string that the client 10 generates to trigger an abnormal response is "857092')". Illustratively, the client 10 replaces the parameter value "123" in "test=123" with the random character string "857092')" and accesses the url address "www.abc.com/test=857092')" on the web server 20 through the web browser; the web server 20 looks up the first response content of the corresponding page and returns it to the client 10. Because the ordinary random character string is generated at random, the probability that the injected content coincides with the original content of the web application is reduced, and the injected content can be located quickly in the response content.
Further, the client 10 analyses the first response content returned by the web server 20; when the first response content contains the random character string triggering the abnormal response, the corresponding web page is considered to be at risk of a framework injection vulnerability, and a potential framework injection vulnerability injection point is thereby determined in each web page of the web application. This realises the initial detection of framework injection vulnerability injection points of the web application, prepares for the subsequent detection, and helps detect the framework injection vulnerability of the web application more accurately. Illustratively, when the response content does not contain the random character string triggering the abnormal response, the web page is considered to have no framework injection vulnerability, and detection continues with the next web page.
In a possible embodiment, step 202 specifically includes: the client 10 first segments the response content and determines the n-1 character strings that follow the random character string triggering the abnormal response in the response content. Illustratively, each position of the random character string in the response content is taken as a segmentation node, and the n-1 character strings between consecutive segmentation nodes and from the last segmentation node to the end of the response content are determined for analysis. The client 10 then generates the tag group to be closed from these n-1 character strings.
Illustratively, the random character string "857092')" triggering the abnormal response is found 4 times in the first response content. Taking each occurrence as a segmentation node, the response content other than the segmentation nodes is divided into 5 parts; the part before the first segmentation node is discarded, and the 4 character strings corresponding to the remaining 4 parts are determined. Searching the response content for the ordinary random character string "857092" allows quick positioning and improves the efficiency of framework injection vulnerability detection.
Further, for a first character string, which is any one of the n-1 character strings, the client 10 acquires the m initial HTML tags it contains and performs forward identical cancellation on them: after closing tags are converted to the same form as opening tags, adjacent identical tags are eliminated two by two, so that matched opening and closing tags disappear and only the tags left open at the injection point remain. This yields a de-duplicated first tag set. After the client 10 has de-duplicated the n-1 first tag sets corresponding to the n-1 character strings, it takes their intersection with a preset tag set to obtain the final tag group to be closed.
Illustratively, the client 10 performs the following processing on the first of the 4 character strings: it extracts the 10 initial HTML tags "</textarea>, </div>, <table>, <tr>, <td>, <a>, </a>, </td>, </tr>, </table>" from the first character string; optionally, it converts the format of the tags to obtain "<textarea>, <div>, <table>, <tr>, <td>, <a>, <a>, <td>, <tr>, <table>", and performs forward identical cancellation on them, eliminating adjacent identical tags two by two, to obtain the de-duplicated tag set "<textarea>, <div>"; optionally, it converts the format again to obtain the tag set "</textarea>, </div>".
Similarly, the 4 tag sets corresponding to the 4 character strings are determined and then de-duplicated across one another; illustratively, the de-duplicated tag set is "</textarea>, </div>". Its intersection with the preset tag set is then taken to determine the final valid tag group to be closed. Illustratively, the user has preset a valid tag set that contains "</textarea>" but not "</div>", so the valid tag group to be closed, i.e. the intersection, is determined to be "</textarea>". Optionally, an empty intersection indicates that the tags extracted from the response content do not affect the subsequent injection, that is, do not affect the subsequent framework injection vulnerability detection. By effectively extracting the tag group to be closed, invalid tags in the content injected for the subsequent framework injection vulnerability detection are reduced, i.e. the length of the injected character string is reduced, missed framework injection vulnerabilities caused by the injected string exceeding the web application's input length limit are prevented, the injected character string is used to best effect, and the accuracy and efficiency of the detection are improved. Moreover, because the valid tag set to be closed is generated dynamically from the response content rather than taken from fixed content as in the prior art, more scenarios are covered and missed and false reports of the framework injection vulnerability are further avoided.
In a possible embodiment, step 203 specifically includes: the client 10 generates the probe code according to the tag group to be closed, the multiple groups of random numbers, the rule group for probing how the web application processes input data, and the triggering abnormal response character string. Optionally, the rule group comprises at least one item of reference data.
Then the client 10 obtains the second response content corresponding to the second probe request and determines the data processing feature set of the web application from the reference data in the second response content. It locates, in the second response content, the response content corresponding to the random number groups and to the rule group, and derives the data processing feature set from them. Optionally, the client 10 determines the position of each item of reference data from the positions of the random numbers in the second response content and analyses what the web page has done to it. The data processing feature set of the web application comprises at least one of processing characteristics in data filtering and processing characteristics in data encoding.
Illustratively, the client 10 first constructs a rule set R = [r_1, r_2, …, r_n] for probing how the web application processes input data, where each small rule r_i (i = 1, 2, …, n), i.e. each item of reference data, is responsible for probing at least one small feature of the web application's processing of input data, such as whether a sensitive character is filtered or whether a character is encoded. The small rules stand in logical relations to one another, from which further data processing characteristics of the detected web application can be deduced. For example, r_1 = "/" probes whether the web application specially processes the "/" character; r_2 = "http://=https://" probes whether the web application specially processes "http", "https", "/" and "="; and r_1 and r_2 taken together reveal how the web application handles "//" as opposed to "/". r_3 = "frame" probes whether the web application specially processes "frame".
Further, the client 10 generates multiple random numbers num_1, num_2, …, num_n; illustratively, "115", "116", "117", "118" and "119".
The client 10 generates the probe code from the random numbers, the data processing characteristic probe rules, the tag group to be closed, and the character string that triggers the abnormal response; illustratively, the probe code is "')</textarea>" + "115" + r_1 + "116" + r_2 + "117" + r_3 + "118" + r_4 + "119". Further, the client 10 substitutes this probe code for the parameter value in the url address of the corresponding web page, for example replacing the parameter value "123" in "www.abc.com/test=123" to obtain "www.abc.com/test=" followed by the probe code, sends the corresponding second probe request to the web server 20, receives and analyses the corresponding second response content, and determines the data processing feature set [s_1, s_2, s_3, s_4, s_5, s_6] of the web application.
The data processing feature set of the web application for input data is determined from the reference data in the second response content. Illustratively, s_1 indicates that the web application filters the "/" character (a processing characteristic in data filtering); s_2 indicates that the web application filters the "http" string as a whole but not the "https" string; s_3 indicates that the web application does not specially process the "=" character (a processing characteristic in data encoding); s_4 indicates that the web application converts "//" into "/"; s_5 indicates that the "/" produced by that conversion is not filtered; and s_6 indicates that the web application does not filter "frame".
In a possible embodiment, step 204 specifically includes: the client 10 generates the framework code according to the data processing feature set, the framework injection vulnerability detection template, the tag group to be closed and the triggering abnormal response character string.
Specifically, the client 10 fills the items of the framework injection vulnerability detection rule template according to the data processing feature set to generate the framework injection vulnerability detection rule, and then generates the framework code from the framework injection vulnerability detection rule, the tag group to be closed and the triggering abnormal response character string. The framework injection vulnerability detection template comprises a protocol identifier, a framework identifier, a random domain name and a symbol identifier.
Illustratively, the client 10 processes the framework injection vulnerability detection template according to the data processing feature set, the protocol identifier, the framework identifier, the random domain name and the symbol identifier being processed to obtain the corresponding framework injection vulnerability detection rule. Further, the client 10 may generate the framework code from the tag group to be closed, the triggering abnormal response character string, the random array and the framework injection vulnerability detection rule.
Illustratively, the client 10 first processes the preset framework injection vulnerability detection template "[<][FRAMETAG][SPACECHAR][SRC][=][PROTOCOL][://][SITENAME][>]" according to the above data processing feature set. Specifically, the client 10 processes each bracketed item in light of the detected features; for example, since according to s_6 the "frame" tag is not filtered, "[FRAMETAG]" can be replaced with "frame". After the template has been processed according to the data processing feature set, the corresponding framework injection vulnerability detection rule is obtained. Still further, the client 10 generates the framework code from the framework injection vulnerability detection rule, the tag group to be closed and the triggering abnormal response character string, substitutes the framework code for the corresponding parameter value, that is, injects the framework code into the potential framework injection vulnerability injection point, and sends a third probe request containing the framework code to the web server 20 through the web browser.
Further, in a possible embodiment, in step 205, the client 10 obtains the response content corresponding to the third probe request and, when it determines from the response content that the framework code was executed, for example that the third response content contains the injected frame tag, determines that the web application has a framework injection vulnerability.
In the embodiment of the application, the range of scenarios supported by framework injection vulnerability detection is expanded: the detection is not limited to framework injection vulnerabilities in common scenarios, and the detection rule and probe code are adjusted adaptively to how the detected web application processes input data. In particular, for scenarios such as framework injection vulnerabilities whose echo is abnormal, or where the input character string is subject to a length limit, the framework injection vulnerability can be detected accurately and efficiently, which effectively improves the efficiency and accuracy of the detection. In addition, in the embodiment of the application, the client 10 dynamically generates an accurate tag set to be closed according to the different response contents and can provide more concise and understandable framework injection vulnerability information, so that the reference verification of the web application's framework injection vulnerability is simpler, more reliable and more accurate.
Fig. 3 is a schematic view of a web framework injection vulnerability detection process provided in an embodiment of the present application, including:
in step 301, the client 10 sends a first probe request including a random string triggering an exception response, and receives first response content.
Illustratively, the client 10 sets a triggering abnormal response character string scanPrefix containing at least one of "'" and ")"; further, the client 10 generates an ordinary random character string randomStr using the random character string generator, and combines scanPrefix and randomStr into the random character string prePayload for triggering an abnormal response, where prePayload = scanPrefix + randomStr and "+" denotes character string splicing.
Still further, the client 10 substitutes the random character string prePayload triggering the abnormal response for the parameter value in the url address of a web page of the web application to be detected, and sends the HTTP request reqPerScan(prePayload). It then receives the first response content returned by the web application on the web server 20, i.e. the response to reqPerScan(prePayload). The client 10 generates the first probe request containing the triggering abnormal response character string scanPrefix and the ordinary random character string randomStr; when the web application produces an abnormal response, looking up the ordinary random character string randomStr in the response content quickly locates the potential framework injection vulnerability injection point, so that the framework injection vulnerability of the web application is determined, operation and maintenance personnel can repair it, and an attacker is prevented from launching further attacks through it. The ordinary random character string may consist of digits, letters, or both.
Optionally, the client determines in advance that a web page whose url address has the form "parameter=parameter value" exists in the web application to be detected.
In step 302, the client 10 determines whether the first response content includes the random string triggering the abnormal response.
Illustratively, the client 10 analyses the obtained first response content; when the random character string triggering the abnormal response is present in the first response content, the parameter value corresponding to this web page of the web application is considered a possible framework injection vulnerability injection point, and step 303 follows.
If so, the method proceeds to step 303, in which the client 10 determines the valid tag group to be closed according to the HTML tags that follow the position of the random character string triggering the abnormal response in the first response content.
The client 10 segments the first response content preContent according to the positions of the random character string prePayload triggering the abnormal response in preContent; the segmentation can be written as:
preContent = content_1 + randomStr + content_2 + randomStr + … + randomStr + content_n
where "+" denotes character string splicing and n is the number of occurrences of the ordinary random character string randomStr in preContent plus 1.
The response content to be analysed, [content_2, content_3, …, content_n], is obtained from the segmentation result. Further, the client 10 analyses each content_i, obtains the HTML tags in content_i, and converts their format, e.g. converting a tag of the form </TAG> into <TAG>.
Illustratively, the tags that the client 10 extracts from content_i, the converted HTML tags, and the tag set TAG_i that remains after the client 10 eliminates the tags two by two by forward identical cancellation, are given in the original as three formula images (not reproduced here); the procedure is the one illustrated above for the four character strings.
Further, the client 10 de-duplicates across the resulting TAG_2, TAG_3, …, TAG_n to obtain the de-duplicated tag set TAG' = [<tag_1>, <tag_2>, …, <tag_n>].
Further, the client 10 converts the format of the de-duplicated tag set TAG' to obtain TAG'' = [</tag_1>, </tag_2>, …, </tag_n>].
Optionally, the user determines in advance, from accumulated experience, the set of tags that may affect the execution of the framework code as scanTags = [</Tag_1>, </Tag_2>, …, </Tag_n>].
Further, the intersection of the tag sets scanTags and TAG'' is taken to finally generate the valid tag set to be closed TAG_scan, and the valid tag group to be closed TAG_str, in the form of a character string, is generated from TAG_scan.
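Steps 202 and 303 above (segmenting the response content at the echoed random string, normalising and cancelling the HTML tags that follow each echo, and intersecting the survivors with scanTags) can be implemented as follows. This is an added example and not code from the patent or from its assignee; the regex-based tag extraction, the list of void elements that are skipped, the contents of scanTags and the sample response content are assumptions made here, and the sample is constructed.

```python
import re

# Void elements never have a closing tag; left on the stack they would be
# mistaken for context that is still open at the injection point.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Matches <tag ...> and </tag ...>; comments, doctype and text are ignored.
# (Assumption: attribute values do not contain a literal '>'.)
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9-]*)[^<>]*>")

def segments_after(content, random_str):
    """content_2 .. content_n: the text following each echo of randomStr.
    content_1 (everything before the first echo) is discarded, as in step 303."""
    return content.split(random_str)[1:]

def unclosed_tags(segment):
    """Forward identical cancellation. Closing tags are normalised to the bare
    name; a tag identical to the previous surviving tag cancels it, so balanced
    <table>...</table> pairs vanish and what remains is the context that was
    open where the payload landed, innermost first."""
    stack = []
    for m in TAG_RE.finditer(segment):
        name = m.group(2).lower()
        if name in VOID_TAGS:
            continue
        if stack and stack[-1] == name:
            stack.pop()
        else:
            stack.append(name)
    return stack

def tag_group_to_close(content, random_str, scan_tags):
    """TAG_str: closing tags for every unclosed tag echoed after an injection
    point, de-duplicated across segments and intersected with scanTags."""
    seen = {}
    for seg in segments_after(content, random_str):
        for name in unclosed_tags(seg):
            seen.setdefault(name, None)
    return "".join(f"</{name}>" for name in seen if name in scan_tags)

# Constructed first response content: the probe echoed raw inside a <textarea>
# and again, HTML-encoded, inside a <p>.
SAMPLE_RESPONSE = (
    '<html><body><div id="main"><textarea name="q">857092\')</textarea></div>'
    '<table><tr><td><a href="/x">x</a></td></tr></table>'
    '<p>Results for 857092&#39;)</p><br><img src="/a.png"></body></html>'
)
# Constructed scanTags: contexts in which an injected <frame> is inert text.
SCAN_TAGS = {"textarea", "title", "script", "style", "noscript"}

if __name__ == "__main__":
    for seg in segments_after(SAMPLE_RESPONSE, "857092"):
        print(unclosed_tags(seg))
    print(tag_group_to_close(SAMPLE_RESPONSE, "857092", SCAN_TAGS))
```

Only the ordinary random string is used as the split marker, because the "')" part may come back encoded or stripped; tags that are not in scanTags (here div, p, body, html) are dropped so that the injected string stays as short as possible.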
If not, the client 10 determines in step 308 that the web application has no framework injection vulnerability.
In step 304, the client 10 sends a second probe request with a valid tag group to be closed to the web application, and receives second response content.
Illustratively, the client 10 generates a random array randNum = [num_1, num_2, …, num_n]. The client 10 then constructs a rule set R = [r_1, r_2, …, r_n] (i = 1, 2, …, n) for probing how the web application processes input data. Each small rule r_i, i.e. each item of reference data, probes at least one data processing characteristic of the web application for input data, such as whether a character is filtered or escape-encoded. Optionally, the small rules r_i stand in logical relations to one another, so that further data processing characteristics of the probed web application can be determined. For example, r_1 = "/" probes whether the web application specially processes the "/" character, and r_2 = "http://=https://" probes whether it specially processes "http", "https", "/" and "="; taken together, r_1 and r_2 reveal how the web application handles "//" as opposed to "/". Probing the web application's processing characteristics with the preset small rules r_i prepares for the subsequent detection of the framework injection vulnerability, allows probe requests that match the web application's data processing characteristics to be generated, and improves the accuracy of the detection.
Further, the client 10 generates the probe code testPayload from the tag group to be closed, the random array, the rule group for probing the web application's input data processing characteristics, and the triggering abnormal response character string:
testPayload = scanPrefix + TAG_str + num_1 + r_1 + num_2 + r_2 + … + r_(n-1) + num_n
where "+" denotes character string splicing.
Further, the client 10 substitutes the probe code testPayload for the parameter value in the url address of the web page of the web application to be detected, sends an HTTP request, i.e. the second probe request, and receives the second response content testContent.
In step 305, the client 10 determines the data processing feature set from the second response content, generates the framework code from the data processing feature set, the framework injection vulnerability detection rule template, the tag group to be closed and the triggering abnormal response character string, sends the corresponding third probe request to the web application, and receives the third response content. The framework injection vulnerability detection template is processed together with the data processing feature set to obtain a framework injection vulnerability detection rule tailored to the processing characteristics of the web application, and the framework code is then generated together with the tag group to be closed and the triggering abnormal response character string. This helps the user detect framework injection vulnerabilities present in the web application, improves the efficiency of the detection, and improves the security of the web application.
Illustratively, the client 10 compares, in the second response content, the content between consecutive random numbers num_i of the random array with the corresponding small rule r_i of the pre-injected data processing characteristic probe rules, and from the differences obtains the data processing feature set S = [s_1, s_2, …, s_n] of the web application for input data.
For example, the part num_1 r_1 num_2 r_2 num_3 of the probe code is "12/13http://=https://14", where num_1 = "12", r_1 = "/", num_2 = "13", r_2 = "http://=https://" and num_3 = "14". Correspondingly, the second response content contains "1213:/=https:/14". From this the client 10 deduces the feature set [s_1, s_2, s_3, s_4, s_5] of the web application's processing of input data, where s_1 indicates that the web application filters the "/" character, s_2 that it filters the "http" string as a whole but not the "https" string, s_3 that it does not specially process the "=" character, s_4 that it converts "//" into "/", and s_5 that the "/" produced by that conversion is not filtered.
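The probe-code construction of step 304 and the feature derivation of step 305 (and the equivalent description of step 203 earlier), worked through in code. This is an added example and not the patent's code; the marker scheme, the generic per-rule verdicts, the feature names and the constructed response content built around the "1213:/=https:/14" echo from the text are this example's own assumptions.

```python
import html
import random

# r_1 .. r_n from the description: reference data whose fate in the echo shows
# how the application treats "/", "http", "https", "=" and "//".
RULES = ["/", "http://=https://", "frame"]

def fresh_numbers(count, rng=random):
    """num_1 .. num_count: distinct random markers. Random so that they are
    unlikely to already occur in the page, distinct so that every reflected
    segment is delimited unambiguously."""
    return [str(n) for n in rng.sample(range(100, 1000), count)]

def build_test_payload(scan_prefix, tag_str, nums, rules):
    """testPayload = scanPrefix + TAG_str + num_1 + r_1 + ... + r_n + num_(n+1)."""
    if len(nums) != len(rules) + 1:
        raise ValueError("need exactly one more marker than rules")
    body = "".join(n + r for n, r in zip(nums, rules)) + nums[-1]
    return scan_prefix + tag_str + body

def reflected_segments(response, nums):
    """The text echoed between consecutive markers. A segment is None when its
    closing marker is missing (input truncated or rejected), so that the caller
    cannot mistake a missing echo for 'filtered entirely'."""
    out = []
    start = response.find(nums[0])
    if start < 0:
        return [None] * (len(nums) - 1)
    pos = start + len(nums[0])
    for marker in nums[1:]:
        end = response.find(marker, pos)
        if end < 0:
            out.append(None)
            continue
        out.append(response[pos:end])
        pos = end + len(marker)
    return out

def verdicts(rules, segments):
    """Generic per-rule verdict: unchanged, filtered, HTML-encoded or altered."""
    result = []
    for rule, echoed in zip(rules, segments):
        if echoed is None:
            result.append("marker missing")
        elif echoed == rule:
            result.append("unchanged")
        elif echoed == "":
            result.append("filtered entirely")
        elif html.unescape(echoed) == rule:
            result.append("html-encoded")
        else:
            result.append(f"altered: {echoed!r}")
    return result

def frame_features(segments):
    """s_1 .. s_6 of the description, derived from the echoes of r_1, r_2, r_3."""
    r_slash, r_url = segments[0], segments[1]
    if r_slash is None or r_url is None:
        raise ValueError("probe markers were not echoed")
    without_https = r_url.replace("https", "")
    return {
        "filters_single_slash": r_slash == "",                                        # s_1
        "filters_http_keeps_https": "http" not in without_https and "https" in r_url,  # s_2
        "keeps_equals": "=" in r_url,                                                  # s_3
        "collapses_double_slash": "//" not in r_url and "/" in r_url,                  # s_4, s_5
        "filters_frame": len(segments) > 2 and segments[2] == "",                      # s_6
    }

# Constructed second response content containing the echo quoted in the text.
ECHOED_RESPONSE = "<div>Search: 1213:/=https:/14</div>"

if __name__ == "__main__":
    nums = ["12", "13", "14"]
    print(build_test_payload("')", "</textarea>", nums, RULES[:2]))
    segs = reflected_segments(ECHOED_RESPONSE, nums)
    print(verdicts(RULES[:2], segs))
    print(frame_features(segs))
```

The per-rule verdict is what drives the template filling that follows: a rule that comes back "html-encoded" means the application escapes rather than filters, which no choice of FRAMETAG or PROTOCOL can get past, while "filtered entirely" or "altered" tells which alternative slot value to try.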
Further, the framework injection vulnerability detection template may be set as:
vulRule=[<][FRAMETAG][SPACECHAR][SRC][=][PROTOCOL][://][SITENAME][>]
where the client 10 generates a random domain name "SITENAME" using a random character generator and fills it into the framework injection vulnerability detection template.
Further, the client 10 processes the bracketed content of the framework injection detection template according to the data processing feature set of the web application. For example, since the web application is known from its data processing feature set not to filter the "frame" tag, "[FRAMETAG]" can be replaced with "frame". Processing the framework injection vulnerability detection template in this way determines the corresponding framework injection vulnerability detection rule vulRule_scan.
Further, a framework code vulPayload = scanPrefix + TAG_str + vulRule_scan is generated. The trigger abnormal response character string scanPrefix triggers an abnormal response of the web application, so that a framework injection vulnerability of the web application can be found under the abnormal response; the tag group to be closed TAG_str avoids, in a more targeted manner, injection failing because of an unclosed tag in the web application, and helps users or operation and maintenance personnel better detect the framework injection vulnerability of the web application; obtaining the framework injection vulnerability detection rule vulRule_scan from the processing characteristic set and the framework injection vulnerability detection template helps better detect the framework injection vulnerability existing in the web application and improves the efficiency of detecting it.
The client 10 replaces the vulPayload with the parameter value to be detected, then sends a corresponding HTTP request (i.e. a third probe request), and receives third response content from the web application on the web server 20.
In step 306, the client 10 determines whether the framework code can be executed.
If yes, the method proceeds to step 307, and the client 10 determines that the framework injection vulnerability exists in the web application.
Illustratively, when the third response content includes the above framework injection vulnerability detection rule vulRule_scan, the rule vulRule_scan is considered to have been executed, and the web application is judged to have a framework injection vulnerability.
If not, the client 10 determines that the web application has no framework injection vulnerability in step 308.
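As an added example (not code from the patent or its assignee), the following Python models steps 305 to 307 offline on the page's own probe: a constructed stand-in reproduces the web application's echo, the characteristic set S is inferred from the rule/echo differences, the template is filled from S, vulPayload is assembled, and a third response is checked for the rule. The stand-in sanitizer, the characteristic names, the tag group "</textarea>" and the fixed "SITENAME" are assumptions made for illustration.

```python
"""Offline model of steps 305 to 307 (added example, not the patent's code):
infer the web application's input-processing characteristic set S from a
probe/response pair, fill the frame-injection rule template from S, build
vulPayload and decide whether vulRule_scan was executed. The stand-in
application, characteristic names and token fills are assumptions."""
import re

# Template tokens from the page: [<][FRAMETAG][SPACECHAR][SRC][=][PROTOCOL][://][SITENAME][>]
TEMPLATE = ["<", "FRAMETAG", "SPACECHAR", "SRC", "=", "PROTOCOL", "://", "SITENAME", ">"]
# The page's worked probe: num_1 r_1 num_2 r_2 num_3 = "12/13http://=https://14"
PROBE_NUMS = ["12", "13", "14"]
PROBE_RULES = ["/", "http://=https://"]

def build_probe(nums, rules):
    """Interleave random numbers and small rules: num_1 r_1 num_2 r_2 ... num_n."""
    out = []
    for i, num in enumerate(nums):
        out.append(num)
        if i < len(rules):
            out.append(rules[i])
    return "".join(out)

def simulated_app(value):
    """Constructed stand-in reproducing the page's echo '1213:/=https:/14':
    a lone '/' is dropped, '//' collapses to '/', 'http' (not 'https') is dropped."""
    value = re.sub(r"(?<!/)/(?!/)", "", value)
    value = value.replace("//", "/")
    return re.sub(r"http(?!s)", "", value)

def echoed_segments(response, nums):
    """Text echoed between consecutive random numbers; None when a number is
    missing, i.e. the injection point did not reflect the probe."""
    segments, pos = [], 0
    for left, right in zip(nums, nums[1:]):
        start = response.find(left, pos)
        if start < 0:
            return None
        start += len(left)
        end = response.find(right, start)
        if end < 0:
            return None
        segments.append(response[start:end])
        pos = end
    return segments

def infer_characteristics(rules, echoes):
    """Compare each small rule r_i with its echo to derive S = [s_1 .. s_5]."""
    r1, r2 = rules
    e1, e2 = echoes
    return {
        "filters_slash": "/" in r1 and "/" not in e1,                         # s_1
        "filters_http": r2.startswith("http") and not e2.startswith("http")
                        and "https" in e2,                                    # s_2
        "keeps_equals": "=" in r2 and "=" in e2,                              # s_3
        "collapses_double_slash": "//" in r2 and "//" not in e2 and "/" in e2,  # s_4
        "keeps_converted_slash": "/" in e2,                                   # s_5
    }

def fill_template(chars, sitename):
    """Turn the template into vulRule_scan using S. Returns None when S shows
    that a token the rule cannot do without (here '=') is filtered."""
    if not chars["keeps_equals"]:
        return None
    fills = {
        "<": "<", ">": ">", "SPACECHAR": " ", "SRC": "src", "://": "://", "=": "=",
        "FRAMETAG": "frame",  # page: the app is known not to filter the frame tag
        "PROTOCOL": "https" if chars["filters_http"] else "http",  # s_2 decides
        "SITENAME": sitename,
    }
    return "".join(fills[token] for token in TEMPLATE)

def framework_executed(third_response, vul_rule):
    """Step 306: the rule counts as executed when it is reflected verbatim."""
    return vul_rule in third_response

def run_example():
    """Walk the page's example through steps 305 to 307 offline."""
    second = simulated_app(build_probe(PROBE_NUMS, PROBE_RULES))
    chars = infer_characteristics(PROBE_RULES, echoed_segments(second, PROBE_NUMS))
    rule = fill_template(chars, "SITENAME")
    payload = "scanPrefix" + "</textarea>" + rule  # vulPayload = scanPrefix + TAG_str + vulRule_scan
    return second, chars, rule, payload
```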
In the embodiment of the application, this technical scheme quickly and accurately finds the potential framework injection vulnerability injection points of the web application, generates an effective tag group to be closed from the response content of the web application and the preset tag set, probes the rules by which the web application processes input data using the preset small detection rules, and generates the detection request in combination with those rules, so that framework injection vulnerabilities of the web application are detected more accurately and determined more rapidly, and the analysis of such vulnerabilities is more effective and more targeted.
Fig. 4 is a schematic diagram of a computing device for detecting a web framework injection vulnerability, provided by an embodiment of the present application, and includes:
one or more processors 410 and memory 420, with one processor 410 being an example in fig. 4. The electronic device executing the framework injection vulnerability detection method may further include: an input device 430 and an output device 440.
The processor 410, the memory 420, the input device 430, and the output device 440 may be connected by a bus or other means, such as the bus connection in fig. 4.
The memory 420 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program modules corresponding to the vulnerability detection method in the embodiment of the present application. The processor 410 executes various functional applications and data processing of the server by running the nonvolatile software programs and modules stored in the memory 420, so as to implement the vulnerability detection method of the above method embodiment.
The memory 420 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the bug detection apparatus, and the like. Further, the memory 420 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 420 may optionally include memory located remotely from the processor 410, which may be connected to the framework injection vulnerability detection apparatus via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 430 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the vulnerability detection apparatus. The output device 440 may include a display device such as a display screen.
The one or more modules are stored in the memory 420 and, when executed by the one or more processors 410, perform the vulnerability detection methods of any of the method embodiments described above.
The product can execute the method provided by the embodiment of the application, and has the corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
As will be appreciated by one skilled in the art, embodiments of the present application are provided as a method, apparatus (device), or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer programs. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the programs, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer programs may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the programs stored in the computer-readable memory produce an article of manufacture including program means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the programs that execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for detecting vulnerability injection of a web framework is characterized by comprising the following steps:
sending a first probe request to a World Wide Web (web) application, wherein the first probe request comprises a random character string for triggering an abnormal response; when the random character string triggering the abnormal response is included in the first response content received from the web application, determining a potential framework injection vulnerability injection point of the web application;
generating a label group to be closed according to the position of the random character string triggering the abnormal response appearing in the first response content and the first response content;
generating a detection code according to the tag group to be closed, and after the detection code is injected into the potential framework injection vulnerability injection point, sending a second detection request comprising the detection code to the web application; acquiring second response content corresponding to the second detection request, and determining a data processing characteristic set of the web application according to the second response content;
generating a frame code according to the data processing characteristic set and the tag group to be closed; after the framework code is injected into the potential framework injection vulnerability injection point, sending a third detection request comprising the framework code to the web application; and obtaining third response content corresponding to the third detection request, and determining that the web application has a framework injection vulnerability when the framework code is determined to be executed from the third response content.
2. The method of claim 1, wherein the random string that triggers an exception response is a combination of a normal random string and a string that triggers an exception response;
generating a tag group to be closed according to the position of the random character string triggering the abnormal response appearing in the first response content and the first response content, wherein the tag group comprises:
performing character string segmentation on the first response content, and determining the n-1 character strings that follow the position of the random character string triggering the abnormal response in the first response content; n is the number of occurrences of the common random character string in the first response content plus 1;
and generating the tag group to be closed according to the n-1 character strings.
3. The method of claim 2, wherein generating the tag group to be closed according to the n-1 character strings comprises:
for a first character string among the n-1 character strings, the first character string being any one of the n-1 character strings: acquiring the m initial HTML tags corresponding to the first character string, and performing forward cancellation of identical tags on the m initial HTML tags to obtain a de-duplicated first tag set; m is a positive integer;
and after de-duplicating the n-1 first tag sets corresponding to the n-1 character strings, taking the intersection with a preset tag set to obtain the tag group to be closed.
4. The method of any of claims 1 to 3, wherein generating a frame code from the set of data processing characteristics and the set of tags to be closed comprises:
filling labels in the framework injection vulnerability detection rule template according to the data processing characteristic set to generate a framework injection vulnerability detection rule; the framework injection vulnerability detection rule template comprises a protocol identifier, a framework identifier, a random domain name and a symbol identifier;
and generating the frame code according to the frame injection vulnerability detection rule, the tag group to be closed and the trigger abnormal response character string.
5. The method according to any one of claims 1 to 3, wherein generating a probe code from the set of tags to be closed comprises:
generating a detection code according to the tag group to be closed, the trigger abnormal response character string, a plurality of groups of random numbers and a rule group for detecting the processing characteristics of web application on input data; the set of rules is used to probe characteristics of the processing of the input data by the at least one web application.
6. The method according to claim 5, wherein a length of a concatenation string composed of the plurality of sets of random numbers and the rule sets does not exceed a maximum length of vulnerability detection rules in the framework code.
7. The method of claim 5, wherein determining the set of data processing characteristics of the web application from the second response content comprises:
acquiring the plurality of groups of random numbers and response contents corresponding to the rule group of the detection web application for processing the input data from the second response contents;
and obtaining the data processing characteristic set according to the plurality of groups of random numbers and the rule group of the detection web application for processing the input data.
8. A web framework injection vulnerability detection apparatus, the apparatus comprising:
the system comprises a sending unit, a receiving unit and a processing unit, wherein the sending unit is used for sending a first detection request to a web application, and the first detection request comprises a random character string for triggering an abnormal response;
the processing unit is used for determining a potential framework injection vulnerability injection point of the web application when the random character string triggering the abnormal response is included in the first response content received from the web application;
the processing unit is further configured to generate a tag group to be closed according to the position of the random character string triggering the abnormal response appearing in the first response content and the first response content;
the processing unit is further configured to generate a probe code according to the tag group to be closed, the rule group for probing the processing characteristics of the web application on input data, and the trigger abnormal response character string;
the sending unit is further configured to send a second probe request including the probe code to the web application after the probe code is injected into the potential framework injection vulnerability injection point;
a receiving unit, configured to acquire second response content corresponding to the second probe request;
the processing unit is further configured to determine a data processing characteristic set of the web application according to the second response content;
the processing unit is further configured to generate a frame code according to the data processing feature set, the frame injection vulnerability detection rule template, the tag group to be closed, and the trigger abnormal response character string;
the sending unit is further configured to send a third probe request including the framework code to the web application after the framework code is injected to the potential framework injection vulnerability injection point;
the receiving unit is further configured to obtain third response content corresponding to the third probe request;
the processing unit is further configured to determine that the web application has a framework injection vulnerability when it is determined from the third response content that the framework code is executed.
9. A computing device, comprising:
a memory for storing a computer program;
a processor for calling a program stored in the memory and executing the method of any one of claims 1 to 7 in accordance with the obtained program.
10. A computer storage medium, characterized in that the computer-readable storage medium stores a computer-executable program for causing the computer to perform the method of any one of claims 1 to 7.
CN202010591709.9A 2020-06-24 2020-06-24 Method and device for detecting vulnerability injection of web framework Active CN111770079B (en)


Publications (2)

Publication Number Publication Date
CN111770079A CN111770079A (en) 2020-10-13
CN111770079B true CN111770079B (en) 2022-09-02

Family

ID=72721790


Country Status (1)

Country Link
CN (1) CN111770079B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113890756B (en) * 2021-09-26 2024-01-02 网易(杭州)网络有限公司 Method, device, medium and computing equipment for detecting confusion of user account
CN114500053B (en) * 2022-01-27 2023-12-05 安徽华云安科技有限公司 Code injection detection method and device, electronic equipment and readable storage medium
CN115001844A (en) * 2022-06-27 2022-09-02 中国电信股份有限公司 Vulnerability detection method and device and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2179532A1 (en) * 2007-08-06 2010-04-28 Bernard De Monseignat System and method for authentication, data transfer, and protection against phishing
CN102136051A (en) * 2011-05-06 2011-07-27 南开大学 Method for driving web application penetration testing by applying SGM-SQL (sage grant management-structured query language) injection model
CN102831345A (en) * 2012-07-30 2012-12-19 西北工业大学 Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
CN103530564A (en) * 2013-09-24 2014-01-22 国家电网公司 Method and system for testing and verifying SQL injection vulnerability
CN107590387A (en) * 2017-09-04 2018-01-16 杭州安恒信息技术有限公司 EL expression formula injection loopholes detection method, device and electronic equipment
CN107704758A (en) * 2017-08-25 2018-02-16 郑州云海信息技术有限公司 A kind of SQL injection leak detection method and detection means
CN108667840A (en) * 2018-05-11 2018-10-16 腾讯科技(深圳)有限公司 Injection loophole detection method and device
CN110113311A (en) * 2019-03-05 2019-08-09 北京丁牛科技有限公司 Cross-site scripting attack XSS leak detection method and device
CN110266669A (en) * 2019-06-06 2019-09-20 武汉大学 A kind of Java Web frame loophole attacks the method and system of general detection and positioning
WO2019212565A1 (en) * 2018-05-04 2019-11-07 Google Llc Detecting injection vulnerabilities of client-side templating systems
CN111294345A (en) * 2020-01-20 2020-06-16 支付宝(杭州)信息技术有限公司 Vulnerability detection method, device and equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090119741A1 (en) * 2007-11-06 2009-05-07 Airtight Networks, Inc. Method and system for providing wireless vulnerability management for local area computer networks
US10503910B2 (en) * 2017-06-06 2019-12-10 Sap Se Security testing framework including virtualized server-side platform


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Detecting malicious false frame injection attacks on surveillance systems at the edge using electrical network frequency signals; Deeraj Nagothu, Yu Chen, Erik Blasch, Alexander Aved, Sencun Zhu; MDPI; 20190518; full text *
Research and design of a web application vulnerability detection system; Lu Yanhua; China Masters' Theses Full-text Database, Information Science and Technology; 20160415; full text *

Also Published As

Publication number Publication date
CN111770079A (en) 2020-10-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant