CN112115475A - Unauthorized vulnerability detection method and device, storage medium and computer equipment - Google Patents


Info

Publication number: CN112115475A
Authority: CN (China)
Prior art keywords: account information, sample, information, request message, unauthorized vulnerability
Legal status: Pending
Application number: CN202010777805.2A
Other languages: Chinese (zh)
Inventor: 许祥
Current assignee: Hangzhou Dt Dream Technology Co Ltd
Original assignee: Hangzhou Dt Dream Technology Co Ltd
Application filed by: Hangzhou Dt Dream Technology Co Ltd
Priority to: CN202010777805.2A
Publication of: CN112115475A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The application provides a method, an apparatus, a storage medium and computer equipment for detecting an unauthorized vulnerability. The method comprises the steps of receiving a request message; determining first account information corresponding to the request message; determining second account information of the session corresponding to the request message; and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information. With the method and the apparatus, the comprehensiveness of unauthorized vulnerability detection can be effectively improved, the accuracy of unauthorized vulnerability detection is improved, and the overall detection effect for unauthorized vulnerabilities is improved.

Description

Unauthorized vulnerability detection method and device, storage medium and computer equipment
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a method and an apparatus for detecting an unauthorized vulnerability, a storage medium, and a computer device.
Background
Among the various kinds of security vulnerabilities, logic vulnerabilities are more difficult to discover and easier to introduce than traditional vulnerabilities such as Structured Query Language (SQL) injection, so they have become one of the main causes of security risks such as data leakage. Unauthorized access is the most common of the logic vulnerabilities: developers often cannot guarantee that every interface has complete authority verification logic, so some interfaces in an application are more or less exposed to unauthorized access, and serious security problems arise when unauthorized access exists on key interfaces, such as an interface that returns sensitive information or an interface that executes a sensitive operation.
In the related art, logic vulnerabilities are usually detected on the basis of features, but feature-based detection is difficult to apply to unauthorized vulnerabilities because their attack requests have no fixed request features. Alternatively, unauthorized vulnerabilities are detected by identifying forms in the response pages of requests and the corresponding unmodified parameters in hidden fields, but the detection coverage of that method is limited and its detection accuracy is poor.
Disclosure of Invention
The present application is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, the application aims to provide a detection method, a detection device, a storage medium and computer equipment for the unauthorized vulnerability, which can effectively improve the comprehensiveness of detection of the unauthorized vulnerability and improve the accuracy of detection of the unauthorized vulnerability, thereby improving the detection effect of the unauthorized vulnerability.
In order to achieve the above object, an embodiment of the present application provides a method for detecting an unauthorized vulnerability, including: receiving a request message; determining first account information corresponding to the request message; determining second account information of a session corresponding to the request message; and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information.
According to the detection method for the unauthorized vulnerability, provided by the embodiment of the first aspect of the application, the first account information corresponding to the request message is determined by receiving the request message, the second account information of the session corresponding to the request message is determined, and the unauthorized vulnerability detection is performed on the request message according to the first account information and the second account information, so that the detection comprehensiveness of the unauthorized vulnerability can be effectively improved, the detection accuracy of the unauthorized vulnerability is improved, and the detection effect of the unauthorized vulnerability is improved.
In order to achieve the above object, an apparatus for detecting an unauthorized vulnerability provided by an embodiment of a second aspect of the present application includes: a receiving module, configured to receive a request message; a first determining module, configured to determine first account information corresponding to the request message; a second determining module, configured to determine second account information of the session corresponding to the request message; and the detection module is used for carrying out unauthorized vulnerability detection on the request message according to the first account information and the second account information.
According to the detection device for the unauthorized vulnerability, provided by the embodiment of the second aspect of the application, the first account information corresponding to the request message is determined by receiving the request message, the second account information of the session corresponding to the request message is determined, and the unauthorized vulnerability detection is performed on the request message according to the first account information and the second account information, so that the detection comprehensiveness of the unauthorized vulnerability can be effectively improved, the detection accuracy of the unauthorized vulnerability is improved, and the detection effect of the unauthorized vulnerability is improved.
A non-transitory computer-readable storage medium is provided in an embodiment of the third aspect of the present application; when the instructions stored on it are executed by a processor of a computer device, they enable the computer device to perform the method for detecting an unauthorized vulnerability provided by the embodiment of the first aspect of the application.
The non-transitory computer-readable storage medium provided in the embodiment of the third aspect of the present application, by receiving the request message, determining first account information corresponding to the request message, determining second account information of a session corresponding to the request message, and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information, can effectively improve the comprehensiveness of the unauthorized vulnerability detection, improve the accuracy of the unauthorized vulnerability detection, and thus improve the detection effect of the unauthorized vulnerability.
A computer device provided in an embodiment of a fourth aspect of the present application includes a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the computer device; the memory is used for storing executable program code; and the processor reads the executable program code stored in the memory to run the program corresponding to it, so as to execute the method for detecting an unauthorized vulnerability provided by the embodiment of the first aspect of the present application.
According to the computer device provided by the embodiment of the fourth aspect of the application, by receiving the request message, determining the first account information corresponding to the request message, determining the second account information of the session corresponding to the request message, and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information, the comprehensiveness of the unauthorized vulnerability detection can be effectively improved, the accuracy of the unauthorized vulnerability detection is improved, and the detection effect of the unauthorized vulnerability is improved.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic flowchart of a detection method for an unauthorized vulnerability according to an embodiment of the present application;
fig. 2 is a flowchart illustrating the configuration of the correspondence table according to an embodiment of the present application;
fig. 3 is a flowchart illustrating a method for detecting an unauthorized vulnerability according to another embodiment of the present application;
fig. 4 is a schematic structural diagram of an apparatus for detecting an unauthorized vulnerability according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an apparatus for detecting an unauthorized vulnerability according to another embodiment of the present application;
fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present application. On the contrary, the embodiments of the application include all changes, modifications and equivalents coming within the spirit and terms of the claims appended hereto.
Fig. 1 is a schematic flowchart of a detection method for an unauthorized vulnerability according to an embodiment of the present application.
The present embodiment is described for the case where the detection method for the unauthorized vulnerability is configured as a detection apparatus for the unauthorized vulnerability.
The detection method of this embodiment may be configured in the detection apparatus, and the detection apparatus may be provided in a server or in a computer device, which is not limited in this embodiment of the present application.
This embodiment takes as its example the case where the detection method is configured in the computer device.
It should be noted that the execution subject in the embodiment of the present application may be, in terms of hardware, for example a Central Processing Unit (CPU) in a server or a computer device, and, in terms of software, for example a related background service in the server or the computer device, without limitation.
Referring to fig. 1, the method includes:
S101: a request message is received.
The request message may be, for example, a request message of HTTP (Hypertext Transfer Protocol), or a request message of any other communication protocol, without limitation.
Generally, in an application scenario of data communication, a computer device may respond to a user access instruction and generate a corresponding request message according to the user access instruction, so as to send the request message to a background server to obtain a corresponding service.
An example of the format of the request message is as follows (each request message generates a unique request identifier, e.g., xxxxxx):
POST /pages/viewpage.action HTTP/1.1
Host: xx.xx.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Cookie: JSESSIONID=36F106BD456DFB53C04F7EFE271111E3
S102: first account information corresponding to the request message is determined.
It can be understood that, when the service of the background server is obtained on the basis of the request message, the request message generally carries some account-related information of the user, which may be referred to as first account information. The first account information may identify the account of the user using the computer device, or the user's identity (an identity card number, a mobile phone number, or the like), without limitation.
In a specific implementation, the request message may be parsed to obtain authentication information (for example a cookie, that is, data the client sends back to the server with each request, or a token), and the first account information corresponding to the request message is then obtained from the authentication information.
The first account information is, for example, a user ID (UID, user identification), a user phone number, a user nickname, a user identity card number, and the like.
Of course, in actual execution the first account information to be collected may be defined flexibly according to the application: for example, the data that the application uses to locate resources may be collected, and if, for a certain application, the authority to obtain and operate on sensitive data is determined mainly by the UID, then only the user UID needs to be collected as the first account information, without limitation.
S103: second account information for the session corresponding to the request message is determined.
In some embodiments, the request message further comprises a request identifier, and determining the second account information of the session corresponding to the request message comprises: determining, from a pre-configured correspondence table, a sample request identifier that matches the request identifier, where the correspondence table records the learned correspondence among a sample request identifier, the sample session account corresponding to that sample request identifier, and the sample account information; and taking the sample session account corresponding to the sample request identifier, together with the sample account information corresponding to that sample session account, as the second account information.
That is to say, in the embodiment of the present application a correspondence table is configured in advance, and the correspondence among the sample request identifier, the sample session account corresponding to the sample request identifier, and the sample account information is obtained by learning. When the second account information of the session corresponding to the request message is to be determined, the corresponding sample session account can be read directly from the correspondence table according to the request identifier, and the sample account information corresponding to that sample session account is taken together with it as the second account information. The second account information of the session can thus be determined quickly, which ensures the efficiency of unauthorized access detection and allows resource leakage caused by a request message with unauthorized access to be prevented in time.
For example, the correspondence table may be as shown in Table 1 below, where the field values in Table 1 follow the request message format example above:
TABLE 1 (provided in the original only as an image; its contents are not reproduced in this text)
That is, with respect to Table 1, after the request identifier has been obtained by parsing the request message, the session account, the detailed information of the session account, and so on can be read directly from Table 1 as the second account information.
Of course, any other possible manner may be adopted to determine the second account information of the session corresponding to the request message, which is not limited to this.
The correspondence table may be configured in advance as follows (this example refers to Table 1 and the request message format example above, and to fig. 2, which shows the implementation flow of configuring the correspondence table in this embodiment). First, the correspondence between the sample authentication identifier (cookie, token, etc.) of a sample request message and the user account information is acquired. The sample authentication identifier of the sample request message may be obtained in any of several ways: by detecting the application login interface and extracting the login account together with the cookie or token issued when login completes; by interfacing with a user center to obtain the correspondence between the logged-in cookie or token and the user; by obtaining, in real time inside the application, the correspondence between the application login account and the request cookie or token using RASP (Runtime Application Self-Protection) technology; by interfacing with the application's login record table to obtain the correspondence between the application login account and the request cookie or token; or by any other possible method, without limitation. This yields the correspondence between the sample request identifier and the session. Then the sample account associated with the sample request message, and the account information associated with that sample user account, are acquired; for example, the user account is xxx@xx.com, and the detailed information collected for it may optionally include the user's UID, mobile phone number, nickname, identity card number, and the like. The correspondence table is then configured from the acquired data.
S104: and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information.
After the first account information corresponding to the request message has been collected and the second account information of the session corresponding to the request message has been determined, unauthorized vulnerability detection can be performed directly on the request message from the first account information and the second account information. Detection therefore does not rely on the rules of feature detection but is performed directly on the account information associated with the request message, which overcomes the shortcomings of rule-based feature detection. Since an unauthorized vulnerability consists of unauthorized access to and invocation of some interface, checking whether the request message exhibits it along the dimension of account information is well targeted, and the accuracy of unauthorized vulnerability detection is improved.
In some embodiments, when unauthorized vulnerability detection is performed on the request message according to the first account information in combination with the second account information, the request message may be determined to have an unauthorized vulnerability when the matching state between the first account information and the second account information is "not matched", and determined not to have one when the matching state is "matched".
Of course, any other possible manner may be adopted to perform the unauthorized vulnerability detection on the request message according to the first account information and the second account information, such as a modeling manner, an engineering manner, and the like, which is not limited herein.
The embodiment of the present application further provides a specific implementation manner for performing unauthorized vulnerability detection on a request message according to the first account information in combination with the second account information, which may be specifically referred to in the following embodiments.
In the embodiment, by receiving the request message, determining the first account information corresponding to the request message, determining the second account information of the session corresponding to the request message, and performing the unauthorized vulnerability detection on the request message according to the first account information and the second account information, the comprehensiveness of the unauthorized vulnerability detection can be effectively improved, the accuracy of the unauthorized vulnerability detection is improved, and the detection effect of the unauthorized vulnerability is improved.
Fig. 3 is a flowchart illustrating a method for detecting an unauthorized vulnerability according to another embodiment of the present application.
Referring to fig. 3, the method includes:
S301: a request message is received.
The request message is used to invoke a target interface of the application.
S302: first account information corresponding to the request message is determined.
S303: second account information for the session corresponding to the request message is determined.
For S301 to S303, see the embodiments above.
S304: judging whether the information of the target interface is in a pre-configured interface parameter table, where the interface parameter table records the learned correspondence between the information of a sample interface and the negligible sample account information corresponding to that sample interface.
The interface parameter table may be pre-configured; its fields indicate that, when the information of the target interface matches the information of a sample interface, certain types of account information may be ignored during unauthorized vulnerability detection.
The interface parameter table may be as shown in Table 2 below:
TABLE 2
Application ID | Type of request | Interface | Negligible parameter | Other fields
aaaaaaa        | POST            | /userinfo | uid                  |
The information of the target interface may, for example, comprise the application ID, the target interface, and the request type of the request message; correspondingly, the interface parameter table lists the sample application ID, the sample request type, the name of the sample interface, and the corresponding negligible sample account information. Table 2 above uses the UID as the negligible sample account information by way of example, but the negligible sample account information may be configured as any account information, without limitation.
That is to say, in the embodiment of the present application, the information of the target interface is first obtained by parsing, and it is determined whether that information is in the pre-configured interface parameter table; if it is, it is further determined whether corresponding negligible target account information exists, so that the subsequent unauthorized vulnerability detection can be assisted by the negligible target account information. This effectively guarantees the hit rate and the accuracy of detection and improves the detection effect for unauthorized vulnerabilities.
S305: and if the information of the target interface is not in the preconfigured interface parameter table, or if the information of the target interface is in the preconfigured interface parameter table and the first account information is not matched with the negligible target account information corresponding to the information of the target interface, performing unauthorized vulnerability detection on the request message according to the matching state between the first account information and the second account information.
Optionally, if the matching state between the first account information and the second account information is not matched, determining that the request message has an unauthorized vulnerability; and if the matching state between the first account information and the second account information is matching, determining that the request message has no unauthorized vulnerability.
S306: if the information of the target interface is in the pre-configured interface parameter table and the first account information matches the negligible target account information, it is directly determined that the request message has no unauthorized vulnerability.
In some embodiments, it is first determined whether the request message submits any field that is included in the second account information of the session (such a field may be referred to as target account information). If not, detection of unauthorized access and invocation for this request message ends; if so, detection continues. That is, if no such field is submitted, it can be determined directly that there is no possibility of unauthorized access and invocation by this request message, and the unauthorized access detection logic need not be triggered, which saves the hardware and software resources that detection would consume, makes the detection of unauthorized access more reasonable, and improves the rationality of the detection logic configuration.
For example, if uid=12345 is sent in the POST data of the example request above, and uid is a field of the user account information, unauthorized vulnerability detection may proceed further with uid as the matching field.
For example, when unauthorized vulnerability detection is triggered, the pre-configured interface parameter table is consulted: if the information of the target interface of the request message is in the pre-configured interface parameter table and the first account information matches the target account information listed there, the request message is directly determined to have no unauthorized vulnerability; otherwise an alarm is raised.
For example, if the request message is:
POST /userinfo HTTP/1.1
Host: xx.xx.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Cookie: JSESSIONID=36F106BD456DFB53C04F7EFE271111E3
POST data (first account information): uid=12345
The cookie corresponds to the user xx@xxx.com, so the second account information is {'UID': '11111', 'username': 'xx', 'phone': '17777777777'}. Although the UID submitted by the request message does not match the UID bound to the session, detection ends directly and no alarm is raised, because the pre-configured interface parameter table indicates that the UID field can be ignored for this interface.
If the request message is:
POST /pages/viewpage.action HTTP/1.1
Host: xx.xx.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
Cookie: JSESSIONID=36F106BD456DFB53C04F7EFE271111E3
POST data (first account information): uid=12345&pageId=037664704
The /pages/viewpage.action interface is not in the pre-configured interface parameter table; the submitted uid is 12345 while the uid bound to the session is 11111, so the comparison is inconsistent and an unauthorized attack alarm is generated directly.
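The S301 to S306 flow run over the two example requests above, as an added example that is not the patent's own code. Table 1 and Table 2 are constructed inline from the values on the page, the session lookup is keyed by the JSESSIONID cookie in place of the patent's request identifier, and the handling of a request with no known session is an assumed policy.

```python
from urllib.parse import parse_qs

# Constructed stand-in for Table 1: session cookie -> session account and its details.
SESSION_TABLE = {
    "36F106BD456DFB53C04F7EFE271111E3": {
        "account": "xx@xxx.com", "UID": "11111", "username": "xx", "phone": "17777777777",
    },
}

# Table 2 as on the page: (application ID, request type, interface) -> negligible fields.
INTERFACE_PARAM_TABLE = {("aaaaaaa", "POST", "/userinfo"): {"uid"}}

# Submitted field name -> name of the same item in the session's account details.
ACCOUNT_FIELDS = {"uid": "UID", "username": "username", "phone": "phone"}

# The page's two example requests, constructed with a form body (other headers omitted).
REQ_USERINFO = (
    "POST /userinfo HTTP/1.1\n"
    "Host: xx.xx.com\n"
    "Cookie: JSESSIONID=36F106BD456DFB53C04F7EFE271111E3\n"
    "\n"
    "uid=12345"
)
REQ_VIEWPAGE = (
    "POST /pages/viewpage.action HTTP/1.1\n"
    "Host: xx.xx.com\n"
    "Cookie: JSESSIONID=36F106BD456DFB53C04F7EFE271111E3\n"
    "\n"
    "uid=12345&pageId=037664704"
)


def parse_request(raw):
    """S301: split a raw HTTP request into method, path, headers and form body."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return method, path, headers, form


def session_id(headers):
    """Pull the JSESSIONID value out of the Cookie header, if present."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def detect(raw, app_id):
    """Return ("none", []) or ("alert", [fields whose submitted value differs from the session])."""
    method, path, headers, form = parse_request(raw)
    # S302: first account information = account-related fields submitted in the request.
    first = {k: v for k, v in form.items() if k in ACCOUNT_FIELDS}
    if not first:
        # No account field submitted: nothing to compare, detection ends.
        return "none", []
    # S303: second account information = account bound to the session (Table 1 lookup).
    second = SESSION_TABLE.get(session_id(headers))
    if second is None:
        # Assumed policy, not from the page: a request with no known session is flagged.
        return "alert", ["no session"]
    # S304: negligible fields for this interface (empty set when not in Table 2).
    negligible = INTERFACE_PARAM_TABLE.get((app_id, method, path), set())
    mismatched = []
    for field, value in first.items():
        if field in negligible:
            continue  # S306: interface listed and the field is negligible, skip it.
        if value != second[ACCOUNT_FIELDS[field]]:
            mismatched.append(field)  # S305: submitted value is not the session's value.
    return ("alert", mismatched) if mismatched else ("none", [])


if __name__ == "__main__":
    print(detect(REQ_USERINFO, "aaaaaaa"))  # ('none', []): uid is negligible on /userinfo
    print(detect(REQ_VIEWPAGE, "aaaaaaa"))  # ('alert', ['uid']): 12345 differs from session UID 11111
```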
In the embodiment of the application, a method flow schematic for pre-configuring an interface parameter table is further provided, a massive sample request message can be obtained before the request message is received, and the sample request message comprises sample authentication information; analyzing the sample authentication information to obtain sample account information corresponding to the sample request message; identifying negligible sample account information from the sample account information according to historical access information of the sample request message; and analyzing the information of the sample interface corresponding to the sample request message, and establishing an interface parameter table according to the information of the sample interface and the negligible sample account information corresponding to the information of the sample interface.
That is, the embodiment collects a large number of sample request messages and identifies negligible sample account information from the sample account information according to the historical access information of those messages, so that the interface parameter table is established by training on large volumes of data; this effectively improves detection accuracy and gives the detection of unauthorized access good detection capability and wide coverage.
For example, data from the correspondence table between request messages and account information over n days is obtained (30 days by default; any duration can be chosen); the data is filtered to those request messages whose submitted content contains account information; and among the filtered data, records in which the account information in the submitted data is inconsistent with the detailed account information of the session are automatically identified and labelled.
For example, if the phone submitted in a request message is 17788888888 while the phone of the account actually bound to the session is 17777777777, the phone field submitted in that request message is labelled inconsistent. The labelled data is then learned by an algorithm model to identify which fields of which interfaces may legitimately be submitted with account information that differs from the account bound to the session. The learning logic is: over a long period, across request messages received from a large number of different accounts, if most request messages to a given interface are labelled as submitting a certain field whose value is inconsistent with the session data, that interface is considered to legitimately accept such submissions. The learning algorithm may be a classification or clustering algorithm, among others. The model's output is that, for a certain interface of a certain application, the submitted value of certain account information need not correspond to the account information of the session, and the interface parameter table is configured from this result.
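The learning step described in the preceding paragraphs, as an added Python example rather than code from the patent: it takes an n-day correspondence table of (session account, submitted parameters) records, labels each submitted account field as consistent or inconsistent with the session account, and admits an (application, interface, field) triple to the interface parameter table only when most of its records are inconsistent and those records come from many distinct accounts. The page leaves the model choice open (classification, clustering, etc.); this example applies the majority rule stated in the text directly. The records, the thresholds (min_accounts=10, min_ratio=0.8), the account field list and every interface name other than /pages/viewpage.action are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Parameter names treated as account information (assumption; not fixed by the patent).
ACCOUNT_FIELDS = {"uid", "username", "phone", "email"}


@dataclass
class SampleRecord:
    """One row of the request/account correspondence table kept for n days."""
    day: int
    app: str
    interface: str
    session_account: Dict[str, str]  # account bound to the session (from the authentication info)
    submitted: Dict[str, str]        # parameters submitted in the sample request


def label_inconsistent(rec: SampleRecord) -> Dict[str, bool]:
    """Per submitted account field: True when its value differs from the session account."""
    labels = {}
    for name, value in rec.submitted.items():
        fld = name.lower()
        if fld in ACCOUNT_FIELDS and fld in rec.session_account:
            labels[fld] = rec.session_account[fld] != value
    return labels


def learn_interface_param_table(records: Iterable[SampleRecord], days: int = 30,
                                min_accounts: int = 10, min_ratio: float = 0.8
                                ) -> Set[Tuple[str, str, str]]:
    """(app, interface, field) triples that may legitimately carry a value not bound to the session.

    A triple qualifies only when, within the last `days` days, at least `min_ratio` of its
    records are labelled inconsistent AND those records come from at least `min_accounts`
    distinct session accounts (the text's "most request messages" from "a large number of
    different accounts"; the numeric thresholds are assumptions).
    """
    records = list(records)
    if not records:
        return set()
    latest = max(r.day for r in records)
    stats = defaultdict(lambda: {"total": 0, "inconsistent": 0, "accounts": set()})
    for rec in records:
        if rec.day <= latest - days:
            continue  # outside the n-day window
        for fld, inconsistent in label_inconsistent(rec).items():
            s = stats[(rec.app, rec.interface, fld)]
            s["total"] += 1
            s["inconsistent"] += int(inconsistent)
            s["accounts"].add(rec.session_account.get("uid"))
    return {key for key, s in stats.items()
            if len(s["accounts"]) >= min_accounts
            and s["inconsistent"] / s["total"] >= min_ratio}


def account(i: int) -> Dict[str, str]:
    """Constructed account i: uid and an 11-digit phone number."""
    return {"uid": str(10000 + i), "phone": "1770000%04d" % i}


def build_sample_records() -> List[SampleRecord]:
    """Constructed 30-day correspondence table; none of this is real traffic."""
    recs: List[SampleRecord] = []
    # /pages/viewpage.action: 20 accounts view each other's pages, so the submitted
    # uid differs from the session uid in 36 of 40 records.
    for i in range(40):
        me, other = account(i % 20), account((i + 1) % 20)
        uid = other["uid"] if i < 36 else me["uid"]
        recs.append(SampleRecord(1 + i % 30, "A", "/pages/viewpage.action", me,
                                 {"uid": uid, "pageId": str(37664700 + i)}))
    # /user/updatePhone: users change their own number; only 2 of 40 records differ.
    for i in range(40):
        me = account(i % 20)
        phone = "17788888888" if i < 2 else me["phone"]
        recs.append(SampleRecord(1 + i % 30, "A", "/user/updatePhone", me, {"phone": phone}))
    # /order/detail: 30 foreign-uid submissions, but all from the same 2 accounts.
    for i in range(30):
        recs.append(SampleRecord(1 + i % 30, "A", "/order/detail", account(i % 2), {"uid": "99999"}))
    # /legacy/export: inconsistent for 15 accounts, but all older than the window.
    for i in range(15):
        recs.append(SampleRecord(-10, "A", "/legacy/export", account(i), {"uid": "1"}))
    return recs


if __name__ == "__main__":
    for app, interface, fld in sorted(learn_interface_param_table(build_sample_records())):
        print(f"{app} {interface} {fld}: submitted value may differ from the session account")
```

On the constructed data only the uid parameter of /pages/viewpage.action is learned as negligible. The /order/detail case is the one to watch in practice: 30 inconsistent submissions that all come from two accounts do not qualify, so one or two users probing an interface with foreign identifiers cannot train the allow-list by themselves; the distinct-account requirement is what keeps the "most request messages" rule from whitelisting the very behaviour the detector is meant to flag. Traffic older than the n-day window is dropped, which is why /legacy/export only appears when the window is widened.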
After the interface parameter table is preconfigured, when the information of the target interface is not in the table, or is in the table but the first account information does not match the negligible target account information corresponding to that interface, and it is then detected that the first account information does not match the second account information, a prompt message may be generated. If the user chooses to ignore the mismatch between the first and second account information in this application scenario, that is, indicates that the first account information is allowed to differ from the second account information here, the first account information may be added to the interface parameter table, so that the table is refined during dynamic detection.
For example, the alarm content is: application A, interface /pages/viewpage.action, alarm parameter UID, actual UID 11111, submitted UID 12345 … The user may click to ignore the alarm, and may choose to ignore at the level of the application, the application interface, or a parameter of the application interface. For example, if the UID parameter of the /pages/viewpage.action interface is chosen to be ignored, then any value subsequently submitted for the UID of that interface will no longer raise an alarm. False alarms produced in special scenarios can thus be quickly eliminated by calibration on the user side, which effectively reduces the false alarm rate, and detection accuracy is improved by continuously refining the interface parameter table.
In this embodiment, the information of the target interface is obtained by parsing, it is determined whether that information is in the preconfigured interface parameter table, and if so, the negligible target account information corresponding to it is further determined, so that the subsequent unauthorized vulnerability detection is assisted by the negligible target account information; this effectively guarantees the hit rate and accuracy of detection and improves the detection effect. By collecting a large number of sample request messages and identifying negligible sample account information from the sample account information according to the historical access information of those messages, the interface parameter table is established by training on large volumes of data, which effectively improves detection accuracy and gives the detection of unauthorized access good detection capability and wide coverage. Calibration on the user side allows false alarms to be quickly eliminated, which effectively reduces the false alarm rate, and detection accuracy is improved by continuously refining the interface parameter table.
Fig. 4 is a schematic structural diagram of an apparatus for detecting an unauthorized vulnerability according to an embodiment of the present application.
Referring to fig. 4, the unauthorized vulnerability detection apparatus 400 includes:
a receiving module 401, configured to receive a request message;
a first determining module 402, configured to determine first account information corresponding to the request message;
a second determining module 403, configured to determine second account information corresponding to the session corresponding to the request message;
the detection module 404 is configured to perform unauthorized vulnerability detection on the request message according to the first account information in combination with the second account information.
Optionally, in some embodiments, referring to fig. 5, the request message is used to invoke a target interface of the application program, and further includes:
a judging module 405, configured to determine, after the request message is received, whether the information of the target interface is in a preconfigured interface parameter table, where the interface parameter table records the learned correspondence between information of a sample interface and the negligible sample account information corresponding to that sample interface;
the detection module 404 is specifically configured to:
and according to the judgment result, carrying out unauthorized vulnerability detection on the request message by combining the first account information and the second account information.
Optionally, in some embodiments, the detecting module 404 is further configured to:
if the information of the target interface is not in the preconfigured interface parameter table, or if the information of the target interface is in the preconfigured interface parameter table and the first account information is not matched with the negligible target account information corresponding to the information of the target interface, performing unauthorized vulnerability detection on the request message according to the matching state between the first account information and the second account information;
and if the information of the target interface is in the preconfigured interface parameter table and the first account information is matched with the target account information, directly determining that the request message has no unauthorized vulnerability.
Optionally, in some embodiments, the detecting module 404 is further configured to:
if the matching state between the first account information and the second account information is not matched, determining that the request message has an unauthorized vulnerability;
and if the matching state between the first account information and the second account information is matching, determining that the request message has no unauthorized vulnerability.
Optionally, in some embodiments, the request message further includes: the request identifier, the second determining module 403 is specifically configured to:
determining a sample request identifier matching the request identifier from a preconfigured correspondence table, where the correspondence table records the learned correspondence among the sample request identifier, the sample session account corresponding to the sample request identifier, and the sample account information;
and taking the sample session account number corresponding to the sample request identification and the sample account information corresponding to the sample session account number as second account information together.
Optionally, in some embodiments, referring to fig. 5, further comprising:
the establishing module 406 is configured to, before receiving the request message, obtain a massive sample request message, where the sample request message includes sample authentication information, analyze the sample authentication information to obtain sample account information corresponding to the sample request message, identify negligible sample account information from the sample account information according to historical access information of the sample request message, analyze sample interface information corresponding to the sample request message, and establish an interface parameter table according to the sample interface information and the negligible sample account information corresponding to the sample interface information.
Optionally, in some embodiments, referring to fig. 5, further comprising:
the display module 407 is configured to display prompt information that a matching state between the first account information and the second account information is unmatched, and display the first account information and information of the target interface;
the updating module 408 is configured to respond to a selection instruction of a user, and supplement the interface parameter table according to target information corresponding to the selection instruction, where the target information is any one of the first account information and information of the target interface.
It should be noted that the explanation of the embodiment of the unauthorized vulnerability detection method in the foregoing Figs. 1-3 also applies to the unauthorized vulnerability detection apparatus 400 of this embodiment; the implementation principle is similar, and the description is therefore omitted here.
In the embodiment, by receiving the request message, determining the first account information corresponding to the request message, determining the second account information of the session corresponding to the request message, and performing the unauthorized vulnerability detection on the request message according to the first account information and the second account information, the comprehensiveness of the unauthorized vulnerability detection can be effectively improved, the accuracy of the unauthorized vulnerability detection is improved, and the detection effect of the unauthorized vulnerability is improved.
Fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Referring to fig. 6, the computer device 600 of this embodiment includes a housing 601, a processor 602, a memory 603, a circuit board 604, and a power supply circuit 605, where the circuit board 604 is disposed inside the space enclosed by the housing 601, and the processor 602 and the memory 603 are provided on the circuit board 604; the power supply circuit 605 supplies power to the respective circuits or devices of the computer device 600; the memory 603 stores executable program code; and the processor 602 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 603, for performing:
receiving a request message;
determining first account information corresponding to the request message;
determining second account information of the session corresponding to the request message;
and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information.
It should be noted that the explanation of the embodiment of the unauthorized vulnerability detection method in the foregoing Figs. 1-3 also applies to the computer device 600 of this embodiment; the implementation principle is similar and is not described again here.
In the embodiment, by receiving the request message, determining the first account information corresponding to the request message, determining the second account information of the session corresponding to the request message, and performing the unauthorized vulnerability detection on the request message according to the first account information and the second account information, the comprehensiveness of the unauthorized vulnerability detection can be effectively improved, the accuracy of the unauthorized vulnerability detection is improved, and the detection effect of the unauthorized vulnerability is improved.
In order to implement the foregoing embodiments, the present application provides a non-transitory computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the detection method of the unauthorized vulnerability of the foregoing method embodiments.
It should be noted that, in the description of the present application, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present application, "a plurality" means two or more unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (16)

1. A method for detecting an unauthorized vulnerability, the method comprising:
receiving a request message;
determining first account information corresponding to the request message;
determining second account information of a session corresponding to the request message;
and performing unauthorized vulnerability detection on the request message according to the first account information and the second account information.
2. The method of claim 1, wherein the request message is used to invoke a target interface of an application, and further comprising, after the receiving the request message:
judging whether the information of the target interface is in a preconfigured interface parameter table, wherein the interface parameter table records the learned correspondence between information of a sample interface and the negligible sample account information corresponding to the information of the sample interface;
the performing unauthorized vulnerability detection on the request message according to the first account information and the second account information includes:
and according to the judgment result, carrying out unauthorized vulnerability detection on the request message by combining the first account information and the second account information.
3. The method for detecting the unauthorized vulnerability of claim 2, wherein performing the unauthorized vulnerability detection on the request message by combining the first account information and the second account information according to the judgment result comprises:
if the information of the target interface is not in the preconfigured interface parameter table, or if the information of the target interface is in the preconfigured interface parameter table, and when the first account information is not matched with the negligible target account information corresponding to the information of the target interface, performing unauthorized vulnerability detection on the request message according to the matching state between the first account information and the second account information;
and if the information of the target interface is in the preconfigured interface parameter table and the first account information is matched with the target account information, directly determining that the request message has no unauthorized vulnerability.
4. The method for detecting the unauthorized vulnerability of claim 3, wherein performing the unauthorized vulnerability detection on the request message according to the matching state between the first account information and the second account information comprises:
if the matching state between the first account information and the second account information is not matched, determining that the request message has an unauthorized vulnerability;
and if the matching state between the first account information and the second account information is matching, determining that the request message has no unauthorized vulnerability.
5. The method of detecting an unauthorized vulnerability of claim 1, wherein the request message further comprises: a request identifier, wherein the determining second account information of the session corresponding to the request message includes:
determining a sample request identifier matching the request identifier from a preconfigured correspondence table, wherein the correspondence table records the learned correspondence among the sample request identifier, the sample session account corresponding to the sample request identifier, and the sample account information;
and taking the sample session account number corresponding to the sample request identification and the sample account information corresponding to the sample session account number as the second account information.
6. The method of detecting an unauthorized vulnerability of claim 1, wherein before the receiving a request message, further comprising:
acquiring massive sample request messages, wherein the sample request messages comprise sample authentication information;
analyzing the sample authentication information to obtain sample account information corresponding to the sample request message;
identifying negligible sample account information from the sample account information according to historical access information of the sample request message;
analyzing the information of the sample interface corresponding to the sample request message, and establishing the interface parameter table according to the information of the sample interface and the negligible sample account information corresponding to the information of the sample interface.
7. The method for detecting an unauthorized vulnerability of claim 4, wherein if the matching status between the first account information and the second account information is not matched, after determining that the request message has the unauthorized vulnerability, further comprising:
displaying prompt information that the matching state between the first account information and the second account information is unmatched, and displaying the first account information and the information of the target interface;
responding to a selection instruction of a user, and supplementing the interface parameter table according to target information corresponding to the selection instruction, wherein the target information is any one of the first account information and the information of the target interface.
8. An apparatus for detecting an unauthorized vulnerability, the apparatus comprising:
a receiving module, configured to receive a request message;
a first determining module, configured to determine first account information corresponding to the request message;
a second determining module, configured to determine second account information of the session corresponding to the request message;
and the detection module is used for carrying out unauthorized vulnerability detection on the request message according to the first account information and the second account information.
9. The apparatus for detecting an unauthorized vulnerability of claim 8, wherein the request message is used to invoke a target interface of an application program, further comprising:
the judging module is configured to judge, after the request message is received, whether the information of the target interface is in a preconfigured interface parameter table, wherein the interface parameter table records the learned correspondence between information of a sample interface and the negligible sample account information corresponding to the information of the sample interface;
the detection module is specifically configured to:
and according to the judgment result, carrying out unauthorized vulnerability detection on the request message by combining the first account information and the second account information.
10. The apparatus for detecting an unauthorized vulnerability of claim 9, wherein the detection module is further configured to:
if the information of the target interface is not in the preconfigured interface parameter table, or if the information of the target interface is in the preconfigured interface parameter table, and when the first account information is not matched with the negligible target account information corresponding to the information of the target interface, performing unauthorized vulnerability detection on the request message according to the matching state between the first account information and the second account information;
and if the information of the target interface is in the preconfigured interface parameter table and the first account information is matched with the target account information, directly determining that the request message has no unauthorized vulnerability.
11. The apparatus for detecting an unauthorized vulnerability of claim 10, wherein the detection module is further configured to:
if the matching state between the first account information and the second account information is not matched, determining that the request message has an unauthorized vulnerability;
and if the matching state between the first account information and the second account information is matching, determining that the request message has no unauthorized vulnerability.
12. The apparatus for detecting an unauthorized vulnerability of claim 8, wherein the request message further comprises: the request identifier, and the second determining module is specifically configured to:
determining a sample request identifier matching the request identifier from a preconfigured correspondence table, wherein the correspondence table records the learned correspondence among the sample request identifier, the sample session account corresponding to the sample request identifier, and the sample account information;
and taking the sample session account number corresponding to the sample request identification and the sample account information corresponding to the sample session account number as the second account information.
13. The apparatus for detecting an unauthorized vulnerability of claim 8, further comprising:
the establishing module is used for acquiring massive sample request messages before receiving the request messages, the sample request messages comprise sample authentication information, analyzing the sample authentication information to obtain sample account information corresponding to the sample request messages, identifying negligible sample account information from the sample account information according to historical access information of the sample request messages, analyzing information of sample interfaces corresponding to the sample request messages, and establishing the interface parameter table according to the information of the sample interfaces and the negligible sample account information corresponding to the information of the sample interfaces.
14. The apparatus for detecting an unauthorized vulnerability of claim 11, further comprising:
the display module is used for displaying prompt information that the matching state between the first account information and the second account information is unmatched, and displaying the first account information and the information of the target interface;
and the updating module is used for responding to a selection instruction of a user and supplementing the interface parameter table according to target information corresponding to the selection instruction, wherein the target information is any one of the first account information and the information of the target interface.
15. A non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor implements the method of detecting an unauthorized vulnerability of any one of claims 1-7.
16. A computer device comprising a housing, a processor, a memory, a circuit board, and a power circuit, wherein the circuit board is disposed inside a space enclosed by the housing, the processor and the memory being disposed on the circuit board; the power supply circuit is used for supplying power to each circuit or device of the computer equipment; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the method of detecting an unauthorized vulnerability according to any one of claims 1-7.
CN202010777805.2A 2020-08-05 2020-08-05 Unauthorized vulnerability detection method and device, storage medium and computer equipment Pending CN112115475A (en)

Priority application: CN202010777805.2A, priority date 2020-08-05, filing date 2020-08-05, Unauthorized vulnerability detection method and device, storage medium and computer equipment
Publication: CN112115475A, published 2020-12-22
Family ID: 73799576
Country status: CN, CN112115475A (en), pending

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112765611A (en) * 2021-01-19 2021-05-07 上海微盟企业发展有限公司 Unauthorized vulnerability detection method, device, equipment and storage medium
CN112765611B (en) * 2021-01-19 2022-11-25 上海微盟企业发展有限公司 Unauthorized vulnerability detection method, device, equipment and storage medium
WO2023273139A1 (en) * 2021-06-28 2023-01-05 深圳前海微众银行股份有限公司 Unauthorized access vulnerability detection method, apparatus and device, and computer program product
CN113961940A (en) * 2021-12-21 2022-01-21 杭州海康威视数字技术股份有限公司 Override detection method and device based on authority dynamic update mechanism
CN114499960A (en) * 2021-12-24 2022-05-13 深圳开源互联网安全技术有限公司 CSRF vulnerability identification method and device and computer readable storage medium
CN114499960B (en) * 2021-12-24 2024-03-22 深圳开源互联网安全技术有限公司 CSRF vulnerability identification method, device and computer readable storage medium

Similar Documents

Publication Publication Date Title
CN112115475A (en) Unauthorized vulnerability detection method and device, storage medium and computer equipment
WO2021135532A1 (en) Cloud network vulnerability discovery method, apparatus, electronic device, and medium
Ye et al. NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces.
CN108763031A (en) Log-based threat intelligence detection method and device
CN113301012B (en) Network threat detection method and device, electronic equipment and storage medium
CN104412565B (en) Method for socket management involving a bearer-independent protocol
CN104067561A (en) Dynamically scanning a WEB application through use of WEB traffic information
CN106294102A (en) Application testing method, client, server and system
US20130185645A1 (en) Determining repeat website users via browser uniqueness tracking
CN111756697B (en) API safety detection method and device, storage medium and computer equipment
CN112165445B (en) Method, device, storage medium and computer equipment for detecting network attack
CN112087462A (en) Vulnerability detection method and device of industrial control system
WO2021234525A1 (en) System for centralized monitoring and control of iot devices
CN111506497A (en) Service logic debugging method, device, equipment and computer readable storage medium
Song et al. Rule-based verification of network protocol implementations using symbolic execution
CN113014587A (en) API detection method and device, electronic equipment and storage medium
TW202127329A (en) Data acquisition method, related device and system thereof and storage apparatus
CN113572826B (en) Device information binding method and system and electronic device
Liu et al. Understanding digital forensic characteristics of smart speaker ecosystems
CN115334150A (en) Data forwarding method, device, system, electronic equipment and medium
Cheng et al. PDFuzzerGen: Policy‐Driven Black‐Box Fuzzer Generation for Smart Devices
CN109274758B (en) Request message processing method and computing device
JP6219621B2 (en) Communication verification device
CN117811836A (en) Traffic forwarding and detecting method and device
CN116702146B (en) Injection vulnerability scanning method and system of Web server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination