CN112231711A - Vulnerability detection method and device, computer equipment and storage medium - Google Patents

Info

Publication number: CN112231711A
Authority: CN (China)
Prior art keywords: vulnerability, detected, test case, page, detection
Legal status: Pending
Application number: CN202011124781.7A
Other languages: Chinese (zh)
Inventors: 周雨阳, 李相垚
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011124781.7A
Publication of CN112231711A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases

Abstract

The embodiments of the application disclose a vulnerability detection method, a vulnerability detection device, computer equipment and a storage medium. The method receives a page acquisition request, sent by a terminal, that carries an object to be detected; acquires an object identifier of the object to be detected; fills a placeholder in a target test case template with the object identifier to obtain a vulnerability test case; processes the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case; feeds back to the terminal, in response to the page acquisition request, a page display instruction carrying the target detection object, so as to instruct the terminal to display the corresponding page; and, when a browsing operation event in that page triggers the vulnerability test case, determines that the object to be detected has a vulnerability. This improves the accuracy and reliability of vulnerability detection, allows the vulnerability to be repaired in time, avoids leakage of private information and improves information security.

Description

Vulnerability detection method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a vulnerability detection method, apparatus, computer device, and storage medium.
Background
In a cross-site scripting (XSS) attack, a malicious attacker adds malicious code to a web page and induces a user to visit it; when the visitor browses the page, the malicious code is executed on the user's terminal, so that the attacker can steal user information (for example, user authentication credentials are leaked) or plant a trojan on the user terminal and remotely obtain control of it (operation hijacking), which seriously affects the safety of the user terminal. Among these, stored cross-site scripting (also called persistent cross-site scripting) is one kind of cross-site scripting attack (i.e. cross-site scripting vulnerability) in which the malicious code is stored on the web server; when a user later accesses a web page of that server, the page pulls the malicious code from the server and executes it, so the damage is extremely large.
In the prior art, a stored cross-site scripting vulnerability is detected by completing a single HyperText Transfer Protocol (HTTP) request: first a detection HTTP packet is constructed and an HTTP request carrying it is sent to the server; whether a vulnerability exists is then judged from response characteristics of that request, such as response duration, response code and response content. For example, if the response duration, response code and response content match pre-stored attack characteristics, it is determined that a stored cross-site scripting vulnerability exists.
Because the attack mode of an XSS vulnerability is very covert and the attacked web page may show no direct echo characteristics, the XSS vulnerability cannot be accurately detected from response characteristics; and when the write point and the output point of the XSS vulnerability are separated, the page on which the written content is output cannot be determined. Therefore, whether a stored XSS vulnerability exists cannot be accurately judged within one HTTP request, the detection result contains a large number of missed reports, the accuracy and reliability of vulnerability detection are reduced, and the network security and reliability of the user terminal are reduced.
Disclosure of Invention
The embodiments of the application provide a vulnerability detection method, a vulnerability detection device, computer equipment and a storage medium, which can improve the accuracy and reliability of vulnerability detection.
In order to solve the above technical problem, an embodiment of the present application provides the following technical solutions:
The embodiment of the application provides a vulnerability detection method, which comprises the following steps:
acquiring an object identifier of an object to be detected;
filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction;
and when the browsing operation event in the page triggers the vulnerability test case, determining that the object to be detected has a vulnerability.
According to an aspect of the present application, there is also provided a vulnerability detection apparatus, including:
the receiving unit is used for receiving a page acquisition request which is sent by a terminal and carries an object to be detected;
the acquisition unit is used for acquiring the object identification of the object to be detected;
the filling unit is used for filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
the splicing unit is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
a feedback unit, configured to feed back, to the terminal, a page display instruction carrying the target detection object based on the page acquisition request, where the page display instruction is used to instruct the terminal to display a page corresponding to the page display instruction;
and the determining unit is used for determining that the object to be detected has a vulnerability when the browsing operation event in the page triggers the vulnerability test case.
In one embodiment, the acquisition unit includes:
the analysis subunit is used for analyzing the object to be detected to obtain object parameters corresponding to the object to be detected;
and the generating subunit is used for generating the object identifier of the object to be detected based on the object parameter.
In one embodiment, the object to be detected includes a web address, and the object parameter includes a transmission protocol, a domain name, a port number, a request path name, and a query parameter of the web address;
the generating subunit is specifically configured to:
performing hash value operation on the transmission protocol, the domain name, the port number, the request path name and the query parameter to obtain a hash value;
and determining the object identification of the object to be detected based on the hash value.
In an embodiment, the generating subunit is specifically configured to:
acquiring template identification information of the target test case template;
performing hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value;
and determining the object identification of the object to be detected based on the hash value.
In an embodiment, the filling unit is specifically configured to:
identifying placeholders in the target test case template;
and when the recognized placeholder is a preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
In an embodiment, the splicing unit is specifically configured to:
determining the position of test case identification information carried in the object to be detected;
and splicing the vulnerability test cases based on the positions to obtain a target detection object.
In an embodiment, the determining unit is specifically configured to:
receiving a vulnerability detection request sent by the terminal based on a browsing operation event in the page, wherein the vulnerability detection request carries a request source, the vulnerability test case and the object identification;
determining, based on the vulnerability test case and the object identifier carried in the vulnerability detection request, that the object to be detected has a stored cross-site scripting vulnerability, and locating the page with the stored cross-site scripting vulnerability based on the request source.
In one embodiment, the vulnerability detection apparatus further includes:
and the association storage unit is used for associating and storing the page with the vulnerability and the object to be detected based on the object identification.
In an embodiment, the association storage unit is specifically configured to:
querying, at preset time intervals, a first database that stores object information of the target detection object and a second database that stores page information of the page;
and generating a vulnerability generation chain based on the field storing the object identifier found in the first database and the field storing the object identifier in the second database, so as to associate the page with the object to be detected.
In one embodiment, the vulnerability detection apparatus further includes:
the generating unit is used for acquiring vulnerability information and generating alarm information based on the vulnerability information, the page with the vulnerability and the object to be detected;
and the output unit is used for outputting the alarm information.
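Server-side handling of the vulnerability detection request and the periodic association of the two databases described for the determining unit, the association storage unit and the generating unit above, as an added Python example that is not the patent's code: the DetectionServer class, the two record layouts, the request field names and the sample records are constructed assumptions.

```python
"""Determining unit, association storage unit and generating unit on the server side.

Added example, not the patent's code. The DetectionServer class, the record
layouts, the request field names and the sample records are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class DetectionRecord:
    """Row of the first database (detection record DB): object information of the
    target detection object, keyed by the object identifier."""
    object_id: str
    protocol: str
    domain: str
    port: int
    path: str
    payload: str  # the vulnerability test case that was written into the object


@dataclass(frozen=True)
class PageRecord:
    """Row of the second database (vulnerability handling record DB): the page on
    which the test case fired, keyed by the same object identifier."""
    object_id: str
    page: str


def page_from_source(source):
    """Reduce the request source (the Referer of the detection request) to the page
    that rendered the test case: lower-case scheme and host, drop the fragment."""
    parts = urlsplit(source or "")
    if not parts.scheme or not parts.netloc:
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class DetectionServer:
    def __init__(self):
        self.detection_db = {}  # object_id -> DetectionRecord (first database)
        self.page_db = []       # PageRecord list (second database)

    def register(self, record):
        """Store the target detection object once it has been built (end of S103)."""
        self.detection_db[record.object_id] = record

    def handle_detection_request(self, request):
        """Determining unit. `request` carries the request source, the test case and
        the object identifier, as the page sends them when a browsing event fires.
        Returns the located page, or None when the request is not one of ours."""
        record = self.detection_db.get(request.get("oid", ""))
        if record is None:
            return None  # unknown identifier: not a test case this server issued
        if record.payload != request.get("payload", ""):
            return None  # identifier known but test case differs: do not trust it
        page = page_from_source(request.get("source"))
        if page is None:
            return None  # without a usable request source the page cannot be located
        self.page_db.append(PageRecord(record.object_id, page))
        return page

    def vulnerability_chain(self):
        """Association storage unit: join the two databases on the object identifier
        field and emit (object identifier, write point, output page) triples.
        The patent runs this at a preset interval; here it runs on demand."""
        chain, seen = [], set()
        for page_record in self.page_db:
            record = self.detection_db.get(page_record.object_id)
            key = (page_record.object_id, page_record.page)
            if record is None or key in seen:
                continue  # orphaned page record, or a page already reported
            seen.add(key)
            write_point = f"{record.protocol}://{record.domain}:{record.port}{record.path}"
            chain.append((record.object_id, write_point, page_record.page))
        return chain

    def generate_alarms(self, vulnerability_info="stored cross-site scripting"):
        """Generating unit: one alarm per chain entry, naming the vulnerability,
        the page with the vulnerability and the object to be detected."""
        return [
            f"[{vulnerability_info}] written via {write_point} is output on {page} (object {object_id})"
            for object_id, write_point, page in self.vulnerability_chain()
        ]


if __name__ == "__main__":
    # Constructed sample data; the identifier is a placeholder, not a real hash.
    server = DetectionServer()
    sample_payload = '<script src="https://probe.invalid/p.js?oid=OBJ-0001"></script>'
    server.register(DetectionRecord("OBJ-0001", "http", "www.xxx.com", 80, "/comment", sample_payload))
    server.handle_detection_request({"oid": "OBJ-0001", "payload": sample_payload,
                                     "source": "http://www.XXX.com/view?id=7#top"})
    for alarm in server.generate_alarms():
        print(alarm)
```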
According to an aspect of the application, there is also provided a vulnerability detection system comprising a server and a terminal, wherein the terminal is used for sending a page acquisition request carrying an object to be detected to the server;
the server is used for acquiring an object identifier of the object to be detected, and filling placeholders in a target test case template according to the object identifier to obtain a vulnerability test case;
the server is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
the server is used for feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request;
the terminal is used for displaying a page corresponding to the page display instruction;
and the server is used for determining that the object to be detected has a vulnerability when the vulnerability test case is triggered by a browsing operation event in the page.
According to an aspect of the present application, there is also provided a computer device, including a processor and a memory, where the memory stores a computer program, and the processor executes any one of the vulnerability detection methods provided by the embodiments of the present application when calling the computer program in the memory.
According to an aspect of the present application, there is also provided a storage medium for storing a computer program, where the computer program is loaded by a processor to execute any one of the vulnerability detection methods provided by the embodiments of the present application.
The method and device provided by the embodiments of the application can receive a page acquisition request, sent by a terminal, that carries an object to be detected; acquire an object identifier of the object to be detected; and fill a placeholder in the target test case template with the object identifier to obtain a vulnerability test case. The vulnerability test case and the object to be detected can then be processed to obtain a target detection object containing the vulnerability test case; a page display instruction carrying the target detection object can be fed back to the terminal in response to the page acquisition request, instructing the terminal to display the corresponding page; and when a browsing operation event in the page triggers the vulnerability test case, the object to be detected is determined to have a vulnerability. In this scheme the target detection object is generated from the vulnerability test case, and the object to be detected is determined to be vulnerable only when a browsing operation event received in the page that the terminal displays for that target detection object actually triggers the test case; this improves the accuracy and reliability of vulnerability detection, allows the vulnerability to be repaired in time, avoids leakage of private information and improves information security.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a scene schematic diagram of a vulnerability detection system provided in an embodiment of the present application;
FIG. 2 is a schematic flowchart of a vulnerability detection method provided in an embodiment of the present application;
FIG. 3 is another schematic flowchart of the vulnerability detection method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a server architecture provided by an embodiment of the present application;
FIG. 5 is another schematic flowchart of the vulnerability detection method according to an embodiment of the present application;
FIG. 6 is another schematic flowchart of the vulnerability detection method provided in an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating the fields stored in a detection record database and a vulnerability handling record database according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a terminal architecture and a server architecture provided in an embodiment of the present application;
FIG. 9 is a schematic diagram of a vulnerability detection apparatus provided in an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a vulnerability detection method and device, computer equipment and a storage medium.
Referring to fig. 1, fig. 1 is a scene schematic diagram of a vulnerability detection system provided in an embodiment of the present application, where the vulnerability detection system may include a server 10 and a terminal 20, a vulnerability detection device may be integrated in the server 10, the server 10 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), and a big data and artificial intelligence platform, but is not limited thereto.
In short, a database can be regarded as an electronic filing cabinet, i.e. a place for storing electronic files, in which a user can add, query, update and delete data. A "database" is a collection of data stored together in a way that can be shared by multiple users, has as little redundancy as possible, and is independent of the application.
Cloud computing is a computing model that distributes computing tasks over a pool of resources formed by a large number of computers, so that application systems can obtain computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". Resources in the "cloud" appear to the user to be infinitely expandable, available at any time and on demand, and paid for according to use.
A distributed cloud storage system (hereinafter, referred to as a storage system) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of different types in a network through application software or application interfaces to cooperatively work by using functions such as cluster application, grid technology, and a distributed storage file system, and provides a data storage function and a service access function to the outside.
The server 10 may be connected with the terminal 20 directly or indirectly through wired or wireless communication, and the application is not limited thereto. The terminal 20 may be a mobile phone, a tablet computer, a notebook computer, a desktop computer, a smart television, or a wearable device.
The terminal 20 may be configured to send a page acquisition request carrying an object to be detected to the server. The server 10 may be configured to obtain an object identifier of an object to be detected, and fill a placeholder in the target test case template according to the object identifier to obtain a vulnerability test case. The server 10 may be configured to process the vulnerability test case and the object to be detected, so as to obtain a target detection object including the vulnerability test case. The server 10 may be configured to feed back a page display instruction carrying the target detection object to the terminal based on the page acquisition request. The terminal 20 may be configured to display a page corresponding to the page display instruction. The server 10 may be configured to determine that the object to be detected has a bug when the browsing operation event in the page triggers the bug test case.
Specifically, the server 10 may receive a page acquisition request carrying an object to be detected from the terminal 20, analyze the object to be detected (e.g. a web address) to obtain its object parameters, generate an object identifier from those parameters, and fill a placeholder in a target test case template with the object identifier to obtain a vulnerability test case; the vulnerability test case and the object to be detected may then be processed (for example, spliced) to obtain a target detection object containing the vulnerability test case. The server 10 may then feed back a page display instruction carrying the target detection object to the terminal 20 in response to the page acquisition request, and the terminal 20 may display the corresponding page. When a browsing operation event such as a sliding or clicking operation is received in the page and that event triggers the vulnerability test case, the object to be detected can be determined to have a vulnerability (such as a stored cross-site scripting vulnerability); the page with the vulnerability and the object to be detected can be stored in association with each other based on the object identifier, and the page with the vulnerability can be accurately located based on the request source, which improves the accuracy and reliability of vulnerability detection. The server 10 may also generate warning information for the vulnerability and send it to the terminal 20 for display, or to a specified mailbox or instant messaging account. The vulnerability can therefore be repaired in time, leakage of private information is avoided, and information security and cloud security are improved.
Cloud security is a generic term for the security software, hardware, users, organizations and security cloud platforms applied on the basis of the cloud computing business model. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and judgement of unknown virus behavior: the behavior of software in the network is monitored for anomalies through a large number of meshed clients, the latest information on trojans and malicious programs on the internet is obtained and sent to a server (i.e. the server 10) for automatic analysis and processing, and the solution for those viruses and trojans is then distributed to each client (i.e. the client on the terminal 20).
It should be noted that the scene schematic diagram of the vulnerability detection system shown in fig. 1 is only an example, and the vulnerability detection system and the scene described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application.
The following are detailed below. It should be noted that the following description of the embodiments is not intended to limit the preferred order of the embodiments.
In this embodiment, a description will be made from the perspective of a vulnerability detection apparatus, which may be specifically integrated in a computer device such as a server.
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating a vulnerability detection method according to an embodiment of the present application. The vulnerability detection method can comprise the following steps:
S101, receiving a page acquisition request carrying an object to be detected sent by a terminal.
S102, acquiring an object identifier of the object to be detected.
The object to be detected may include a web page address or a web page loading path, and the web page address may be a Uniform Resource Locator (URL); for example, the object to be detected may be http://www.XXX.com?a=1. It should be noted that, to protect privacy, the specific web page address is replaced here with "XXX", whose actual content may be set flexibly according to actual needs and is not limited here. When the terminal needs to display the page, the page acquisition request sent by the terminal and carrying the object to be detected can be received.
The object identification is used for uniquely identifying the object to be detected, a mapping relation can be established between the object identification and the object to be detected, and the object to be detected can be accurately positioned through the object identification. The object identifier may be composed of any one or more of numbers, letters, character symbols, characters, and the like, and specific contents may be flexibly set according to actual needs, for example, the object identifier may be a hash value generated based on object parameters of the object to be detected, or an index value generated based on object parameters of the object to be detected, and the like.
In an embodiment, the obtaining the object identifier of the object to be detected may include: analyzing the object to be detected to obtain object parameters corresponding to the object to be detected; and generating an object identifier of the object to be detected based on the object parameters.
When the object to be detected includes a web page address, the object parameters may include the transmission protocol, domain name, port number, request path name, query parameters and the like of the web page address (e.g. the URL), and the query parameters may include GET/POST parameters. For example, for http://www.XXX.com?a=1, the transport protocol may be the Hypertext Transfer Protocol (HTTP) and the domain name may be XXX.
In order to improve the accuracy of the object identifier acquisition, the object identifier may be generated based on the object parameter corresponding to the object to be detected. Specifically, the object to be detected may be acquired first, and in an embodiment, in order to improve the reliability of acquiring the object to be detected, the object to be detected may be input manually. For example, an editing instruction input by a user in an editing text box displayed by the terminal may be received, the object to be detected is input based on the editing instruction, and at this time, a page acquisition request carrying the object to be detected and sent by the terminal may be received. In another embodiment, in order to improve the convenience and flexibility of the acquisition of the object to be detected, the object to be detected may be automatically loaded. For example, the object to be detected may be loaded from a database storing the object to be detected.
It should be noted that, in order to facilitate subsequent detection of an object to be detected, when the object to be detected is obtained, a login state of the object to be detected may also be obtained, where the login state may include Cookies or a special response header, and the Cookies refer to data stored on a local terminal of a user by some websites for identifying the identity of the user, and the judgment of the login state of the user may be implemented by the Cookies, so that the user is prevented from directly entering some pages without logging in, or entering some pages without permission, and the like.
After the object to be detected is obtained, it may be analyzed to obtain its object parameters; for example, when the object to be detected is a URL web address, the object parameters obtained by decomposing the URL may include its transmission protocol, domain name, port number, request path name, query parameters, and the like.
Then, an object identifier of the object to be detected may be generated based on the object parameters. In an embodiment, generating the object identifier of the object to be detected based on the object parameter may include: carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name and the query parameter to obtain a hash value; and determining the object identification of the object to be detected based on the hash value.
In order to improve the accuracy and reliability of the object identifier acquisition, hash value operation may be performed on the transmission protocol, the domain name, the port number, the request path name, and the query parameter to obtain a hash value. In an embodiment, performing a hash operation on the transport protocol, the domain name, the port number, the request path name, and the query parameter, and obtaining the hash value may include: acquiring template identification information of a target test case template; and carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value.
The target test case template can be flexibly set according to actual needs, the target test case template can be obtained from a template library, or the target test case template and the like are input by a user, and then the template identification information of the target test case template can be obtained.
The template identification information of the target test case template may include a target parameter name and a test case number of the target test case template, for example, for http:// www.XXX.coma ═ 1, the target parameter name may be a, and the test case number may be test case 1 or test case 2, and the like.
At this time, hash value operation can be performed on the transmission protocol, the domain name, the port number, the request path name, the query parameter, and the template identification information through a message digest algorithm, so as to obtain a hash value. The specific type of the Message Digest Algorithm may be flexibly set according to actual needs, for example, the Message Digest Algorithm may include a Message Digest (MD), a Secure Hash (SHA), a Message Authentication Code (MAC), and the like. The MD may include MD2, MD4, MD5 and the like, and the SHA may include SHA-1, SHA-2 and the like.
For example, the hash may be computed as: hash value = message digest algorithm(transport protocol + domain name + port number + request path name + query parameter + target parameter name + test case number), where + denotes concatenation (inserting a delimiter between the fields avoids two different inputs concatenating to the same string). The object identifier of the object to be detected may then be determined based on the hash value; for example, the hash value itself may be used as the object identifier.
After the hash value is obtained, the hash value and the object to be detected (e.g., URL) may be stored in a detection record Database (DB) for subsequent association, where the detection record Database may be a first Database for storing object information of the target detection object. The object information may include a transport protocol, a domain name, a port number, a request path name, an object identifier (e.g., a hash value), and the like of the target detection object.
S103, filling placeholders in the target test case template according to the object identification to obtain the vulnerability test case.
The target test case template can be set flexibly according to actual needs; for example, it can be a test case template for vulnerability detection in which a placeholder for the object identifier is arranged. After the object identifier is obtained, it may be written into that placeholder, so that a vulnerability test case (which may be called the Payload) is obtained; the vulnerability test case may be a HyperText Markup Language (HTML) tag.
It should be noted that there may be one or more target test case templates. With one template, filling its placeholder with the object identifier yields one vulnerability test case; with several templates, filling the placeholder in each of them with the object identifier yields several vulnerability test cases, for example vulnerability test case 1, vulnerability test case 2, vulnerability test case 3 and so on.
In an embodiment, filling the placeholder in the target test case template according to the object identifier to obtain the vulnerability test case may include: identifying placeholders in the target test case template; and, when an identified placeholder is the preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
In order to improve the efficiency and flexibility of acquiring the vulnerability test case, in the process of filling the placeholder in the target test case template by using the object identifier, the placeholder in the target test case template can be firstly identified. For example, when the target test case template includes the following:
<img src="//XXX hostname/_<hash value placeholder>_"/>
<iframe src="//XXX hostname/_<hash value placeholder>_"></iframe>
Placeholders for < hash value placeholder > in the target test case template may be identified. When the identified placeholder is a preset placeholder (e.g., a hash value placeholder), the object identifier (e.g., a hash value) can be written into a position where the preset placeholder is located, so that the vulnerability test case is obtained.
It should be noted that, to make a subsequent browsing operation event more likely to occur, a mouse event attribute that is easily triggered (such as a handler for mouse movement or a click) may be added to the target test case template so that a JavaScript fragment runs, and a style attribute may be added that stretches the element over the whole viewport so that almost any movement or click hits it. The attribute fragment may read as follows (reconstructed from the garbled original; the element created by the script is taken to be an image, as in the template above):
onmouseover="z=document.createElement('img');z.src='//XXX hostname/_<hash value placeholder>_';document.body.appendChild(z);" style="width:100%;height:100%;position:fixed;left:0px;top:0px;"
The obtained hash value dynamically replaces the preset placeholder (namely _<hash value placeholder>_) in the target test case template, generating a unique test case (namely the vulnerability test case) bound to this particular detection.
And S104, processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case.
After the vulnerability test case is obtained, it can be combined with the object to be detected; the combining may be a splicing operation. For example, the vulnerability test case can be spliced at the tail of the object to be detected, at the head of the object to be detected, or at a preset position between the head and the tail (the preset position can be set flexibly according to actual needs), so that the target detection object containing the vulnerability test case is obtained.
In an embodiment, the processing the vulnerability test case and the object to be detected to obtain the target detection object including the vulnerability test case may include: determining the position of test case identification information carried in an object to be detected; and splicing the vulnerability test cases based on the positions to obtain a target detection object.
To make the splicing flexible and convenient, the test case identification information carried in the object to be detected can be identified; it can be a test case parameter name, a query parameter or the like. The position of the test case identification information in the object to be detected is determined, and the vulnerability test case is then spliced immediately after it to obtain the target detection object. For example, for the object to be detected http://www.XXX.com?a=1 and the vulnerability test case payload, splicing yields the target detection object http://www.XXX.com?a=1<payload>. Alternatively, the vulnerability test case can be spliced in front of the test case identification information; for the same object to be detected and vulnerability test case, splicing yields http://www.XXX.com?a=<payload>1. Or the vulnerability test case can replace the test case identification information; in that case splicing yields http://www.XXX.com?a=<payload>. In a real request the test case is percent-encoded when it is placed in the URL; it is shown unencoded here for readability.
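Steps S102 to S104 above (hash the object parameters and the template identification into an object identifier, write it into the template placeholder, splice the result into the URL) are shown below as an added example in Python. This is not the patent's own code. It assumes SHA-256 as the message digest algorithm, joins the hashed fields with a NUL delimiter rather than bare concatenation, uses a hypothetical callback host collector.example with callback path /xxx/<hash>, and keeps the template library as an in-memory dict; all of these are assumptions, not details from the page.

```python
"""Added example (not the patent's own code): build the target detection
object for one object to be detected, following steps S102 to S104.

Assumptions (not from the page): SHA-256 is the message digest algorithm,
the hashed fields are joined with a NUL delimiter, the callback host is
collector.example (hypothetical) and the template library is the dict below.
"""
import hashlib
from urllib.parse import urlsplit, urlunsplit

COLLECTOR = "collector.example"              # hypothetical vulnerability detection device
PLACEHOLDER = "_<hash value placeholder>_"   # preset placeholder used by the page

# Template library keyed by test case number; each template carries the preset placeholder.
TEMPLATES = {
    1: '<img src="//%s/xxx/%s"/>' % (COLLECTOR, PLACEHOLDER),
    2: '<iframe src="//%s/xxx/%s"></iframe>' % (COLLECTOR, PLACEHOLDER),
}


def object_parameters(url):
    """Transport protocol, domain name, port number, request path name and query parameter."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    return {
        "scheme": p.scheme,
        "host": p.hostname,                                   # urlsplit lower-cases the host
        "port": p.port or (443 if p.scheme == "https" else 80),
        "path": p.path or "/",
        "query": p.query,
    }


def object_identifier(url, param_name, case_number):
    """Hash the object parameters plus the template identification information.

    Fields are joined with NUL instead of plain '+': with bare concatenation the
    pair path '/ab', query 'c=1' and the pair path '/a', query 'bc=1' would
    produce the same input string and hence the same identifier.
    """
    op = object_parameters(url)
    fields = [op["scheme"], op["host"], str(op["port"]), op["path"], op["query"],
              param_name, str(case_number)]
    return hashlib.sha256("\x00".join(fields).encode("utf-8")).hexdigest()


def fill_template(case_number, object_id):
    """Write the object identifier into the position of the preset placeholder."""
    template = TEMPLATES[case_number]
    if PLACEHOLDER not in template:
        raise ValueError("test case template %d has no preset placeholder" % case_number)
    return template.replace(PLACEHOLDER, object_id)


def splice(url, param_name, payload, mode="tail"):
    """Splice the test case after, before or instead of the value of param_name."""
    p = urlsplit(url)
    pieces, found = [], False
    for piece in p.query.split("&"):
        name, sep, value = piece.partition("=")
        if name == param_name:
            found = True
            value = {"tail": value + payload,
                     "head": payload + value,
                     "replace": payload}[mode]
        pieces.append(name + sep + value)
    if not found:
        raise ValueError("parameter %r not present in %r" % (param_name, url))
    # The query is left unencoded here so the result reads like the page's examples;
    # an HTTP client would percent-encode it before sending.
    return urlunsplit(p._replace(query="&".join(pieces)))


def build_probe(url, param_name, case_number, mode="tail"):
    """Return the detection record (first database row) and the target detection object."""
    oid = object_identifier(url, param_name, case_number)
    payload = fill_template(case_number, oid)
    record = dict(object_parameters(url), hash=oid, url=url, case=case_number)
    return record, splice(url, param_name, payload, mode)


if __name__ == "__main__":
    rec, target = build_probe("http://www.XXX.com?a=1", "a", 1)
    print(rec["hash"])
    print(target)
```

The record returned by build_probe is what the page stores in the detection record database, so that the hash in a later callback can be mapped back to the exact URL and parameter that were probed.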
And S105, feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction.
After the target detection object is obtained, a page display instruction carrying the target detection object may be generated, where the page display instruction may be an HTTP request, and then the page display instruction carrying the target detection object may be fed back to the terminal based on the page acquisition request, so that the terminal may display a page corresponding to the page display instruction.
It should be noted that the page display instruction may carry a login state of the terminal (for example, cookies), so that the detection can reach pages that are only available after login.
S106, when the browsing operation event in the page triggers the vulnerability test case, determining that the object to be detected has a vulnerability.
The browsing operation event may include a moving operation (or a sliding operation) performed in the displayed page, a clicking operation performed in the displayed page, and the like. For example, the browsing operation event may be generated by a mouse moving or a click operation in a display page of a terminal (e.g., a computer), or may be generated by a finger or a touch pen moving or a click operation in a display page of a terminal (e.g., a mobile phone).
After a terminal displays the page corresponding to the page display instruction, if the object to be detected has a vulnerability, the vulnerability test case has been written into the page's data source and is passively triggered when a client such as a browser renders the page and a browsing operation event occurs; at that point it can be determined that the object to be detected has a vulnerability. The types of vulnerability may include reflected XSS, stored XSS, Document Object Model (DOM) based XSS and the like. When the browsing operation event in the page does not trigger the vulnerability test case, it is determined that the object to be detected has no vulnerability.
In an embodiment, determining that the object to be detected has the vulnerability may include: receiving a vulnerability detection request sent by the terminal as a result of a browsing operation event in the page, the vulnerability detection request carrying a request source, the vulnerability test case and the object identifier; determining, based on the vulnerability test case and the object identifier in the vulnerability detection request, that the object to be detected has a stored cross-site scripting vulnerability; and locating the page with the stored cross-site scripting vulnerability based on the request source.
The vulnerability detection request can be an HTTP request, and can carry information such as a request source, a vulnerability test case, an object identifier and the like, wherein the request source is used for indicating a page link to which the vulnerability detection request belongs, and can be carried in a header of the vulnerability detection request.
Because the vulnerability test case can be an HTML tag, when the terminal renders the output page in a client, the implanted test case is passively triggered and the client sends a vulnerability detection request to the vulnerability detection device. The vulnerability detection device can monitor its request log in real time, receive the vulnerability detection request sent when a browsing operation event occurs in the page displayed by the terminal, record requests that carry the vulnerability test case Payload, and extract the request source (the Referer header), the vulnerability test case and the object identifier (such as the hash value) from the request and store them in the database DB for subsequent association. At this time the existence of a stored cross-site scripting vulnerability in the object to be detected can be determined from the vulnerability test case and the object identifier in the vulnerability detection request, and the page with the stored cross-site scripting vulnerability can be located accurately from the request source. In other words, following the principle of stored XSS, the vulnerability test case submitted to the interface to be detected is written into the database and output by the vulnerable page; when a user browses that output page with a client on the terminal, the embedded Payload is passively triggered, so that the judgment of whether a vulnerability risk exists, the warning notification of the risk and so on can be carried out asynchronously.
For example, the vulnerability test case may be <img src="http://vulnerability detection device/xxx/hash value">. If the test case is triggered, that is, rendered and displayed in a page, a stored XSS vulnerability exists. When the browser renders the page containing this tag, it fetches in the background the resource pointed to by the URL http://vulnerability detection device/xxx/hash value, and the vulnerability detection device, which listens for such requests, receives a vulnerability detection request for that URL. It then determines from the vulnerability test case and the object identifier in the request that the object to be detected has stored XSS, and locates the page with the stored cross-site scripting vulnerability accurately from the request source. This realises automatic vulnerability detection, improves the accuracy of stored XSS detection and reduces the detection cost.
In an embodiment, after determining that the object to be detected has a vulnerability, the vulnerability detection method may further include: storing the page with the vulnerability and the object to be detected in association based on the object identifier.
To improve the accuracy of the vulnerability detection result and let the responsible person quickly take measures such as repairing the vulnerability, the page with the vulnerability can be associated with the object to be detected. For example, with the object identifier (e.g., the hash value) as the primary key, the page with the vulnerability and the object to be detected (e.g., the URL) can be stored in association, so that the URL that generated the stored XSS vulnerability and the page where it appears are located together and linked into a complete vulnerability generation chain.
In this embodiment, an asynchronous detection mode is adopted, an object parameter of an object to be detected (for example, a URL) is extracted, the object parameter is calculated based on a message digest algorithm to obtain an object identifier (for example, a hash value), a vulnerability test case is generated based on the object identifier, and the vulnerability test case is carried to send a probe (for example, a page display instruction). The method comprises the steps of receiving a report (such as a vulnerability detection request) of the vulnerability existence state, analyzing an object identifier, taking the object identifier as a main key, and automatically associating the object to be detected with the vulnerability with the page, so that the accuracy of the vulnerability detection result is improved.
In an embodiment, storing the page with the vulnerability and the object to be detected in association based on the object identifier may include: querying, at preset time intervals, a first database that stores object information of the target detection object and a second database that stores page information of the page; and generating a vulnerability generation chain from the field storing the object identifier in the first database and the field storing the object identifier in the second database, so as to associate the page with the object to be detected.
The preset time can be flexibly set according to actual needs, the object information can include a transmission protocol, a domain name, a request source, an object identifier, a port number, a request path name and the like of a target detection object, and the page information can include the request source, the object identifier and the like. In the course of detecting the loophole, the object information of the target detection object obtained by detection can be timely stored in the first database, and the page information of the page can be timely stored in the second database.
In order to improve the convenience of association between the page and the object to be detected, the first database and the second database can be inquired at intervals of preset time, based on the field of the object identification stored in the inquired first database and the field of the object identification stored in the second database, and the object identification in the field is used as a main key to generate a vulnerability generation chain so as to associate the page and the object to be detected.
In an embodiment, after determining that the object to be detected has a vulnerability, the vulnerability detection method may further include: acquiring vulnerability information, and generating alarm information based on the vulnerability information, the page with the vulnerability and the object to be detected; and outputting alarm information.
The vulnerability information may include information of a responsible person and an object identifier related to vulnerability repair, and in order to notify the relevant responsible person of the vulnerability detection result in time, so as to repair the vulnerability in time, alarm information may be automatically sent. For example, pre-stored vulnerability information such as information of a responsible person can be inquired, and alarm information is generated based on the vulnerability information, the page with the vulnerability and the object to be detected, wherein the type of the alarm information can be flexibly set according to actual needs.
At this time, the alarm information may be output; for example, it may be transmitted to the terminal so that the terminal displays it in its display interface. For another example, the alarm information may be sent to the mailbox of the person in charge based on the person in charge information, so that the person in charge is notified in time. For another example, the alarm information may be sent to a specified instant messaging account to prompt that a vulnerability exists. In this way the judgment of whether a vulnerability risk exists, the alarm notification of the risk and so on are carried out asynchronously, accurate and rich vulnerability detection results are provided, and the vulnerability risk can be handled quickly and closed out.
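The vulnerability processing side described in S106 and the paragraphs that follow it (monitor the request log of the vulnerability detection device for requests carrying the Payload, extract the object identifier and the request source, store them as page information, join the two databases on the object identifier to form the vulnerability generation chain, and produce an alarm) is shown below as an added example in Python. This is not the patent's own code. It assumes that the callback path issued by the test case templates is /xxx/<hash>, that the hash is a 64-character SHA-256 hex string, that the device logs in the Apache/NGINX combined format (which includes the Referer), and that both databases are in-memory lists; the log lines and database rows are constructed for the example.

```python
"""Added example (not the patent's own code): log monitoring, page-information
extraction, association by hash and alarm generation for stored XSS callbacks.

Assumptions (not from the page): callback path /xxx/<hash>, 64-hex-character
hashes, combined log format, in-memory databases. Data below is constructed.
"""
import re

# Path pattern the test case templates point at (assumed); a query string or
# fragment after the hash is tolerated but ignored.
CALLBACK_PATH = re.compile(r"^/xxx/([0-9a-f]{64})(?:[?#].*)?$")

# Apache/NGINX "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

HASH_A = "3b" * 32   # probed and triggered below
HASH_B = "7c" * 32   # probed but never triggered
HASH_X = "ee" * 32   # never probed: a callback carrying it is noise

# First database (detection record DB): object information written at probe time (constructed).
DETECTION_DB = [
    {"hash": HASH_A, "scheme": "https", "host": "forum.example", "port": 443,
     "path": "/post", "url": "https://forum.example/post?title=hello"},
    {"hash": HASH_B, "scheme": "https", "host": "forum.example", "port": 443,
     "path": "/profile", "url": "https://forum.example/profile?nick=bob"},
]

# Constructed request log lines of the vulnerability detection device.
LOG_LINES = [
    '203.0.113.5 - - [19/Oct/2020:10:12:01 +0800] "GET /xxx/%s HTTP/1.1" 200 43 '
    '"https://forum.example/thread/42" "Mozilla/5.0"' % HASH_A,
    '203.0.113.5 - - [19/Oct/2020:10:12:02 +0800] "GET /favicon.ico HTTP/1.1" 404 0 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Oct/2020:10:13:40 +0800] "GET /xxx/%s HTTP/1.1" 200 43 '
    '"https://forum.example/admin/moderate" "Mozilla/5.0"' % HASH_X,
    '203.0.113.9 - - [19/Oct/2020:10:15:00 +0800] "GET /xxx/%s HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"' % HASH_A,
]


def parse_callback(line):
    """Return page information for a log line that carries a test case callback, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path = CALLBACK_PATH.match(m.group("target"))
    if not path:
        return None                      # ordinary request, not a Payload callback
    referer = m.group("referer")
    return {
        "hash": path.group(1),
        # A missing Referer (logged as "-") means the page cannot be located from
        # this request alone; keep the hit but mark the request source unknown.
        "referer": None if referer in ("", "-") else referer,
        "client": m.group("client"),
        "time": m.group("time"),
    }


def collect_page_info(lines):
    """Second database (vulnerability processing record DB) built from the request log."""
    return [info for info in map(parse_callback, lines) if info]


def associate(detection_db, page_db):
    """Join both databases on the hash field; one chain per triggered object identifier."""
    by_hash = {rec["hash"]: rec for rec in detection_db}
    chains = {}
    for info in page_db:
        obj = by_hash.get(info["hash"])
        if obj is None:
            continue                     # hash we never issued: scanner noise or replay
        chain = chains.setdefault(info["hash"],
                                  {"hash": info["hash"], "url": obj["url"], "pages": []})
        if info["referer"] and info["referer"] not in chain["pages"]:
            chain["pages"].append(info["referer"])
    return list(chains.values())


def alarm_message(chain, owner):
    """Alarm text combining the URL information and the page information."""
    pages = ", ".join(chain["pages"]) or "page not located (no Referer)"
    return "stored XSS: input to %s is rendered on %s (owner %s, id %s)" % (
        chain["url"], pages, owner, chain["hash"][:12])


if __name__ == "__main__":
    for chain in associate(DETECTION_DB, collect_page_info(LOG_LINES)):
        print(alarm_message(chain, "alice"))
```

Two edge cases the page does not spell out are handled explicitly: a callback whose hash was never issued is dropped rather than alerted on (otherwise anyone who can reach the collector can raise false alarms), and a callback without a Referer still confirms that the input for that hash is being rendered somewhere, but the chain records that the page could not be located.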
According to the method and the device, the object identification of the object to be detected can be obtained, and the placeholder in the target test case template is filled according to the object identification to obtain the vulnerability test case; then, the vulnerability test case and the object to be detected can be processed to obtain a target detection object containing the vulnerability test case; at this time, a page display instruction carrying the target detection object can be fed back to the terminal based on the page acquisition request, and the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction; and when a browsing operation event in the page triggers a vulnerability test case, determining that the object to be detected has a vulnerability. According to the technical scheme, the target test object is generated based on the vulnerability test case, when the vulnerability test case is triggered by the received browsing operation event in the page displayed by the terminal based on the page display instruction carrying the target test object, the object to be detected is determined to have the vulnerability, the vulnerability detection accuracy and reliability are improved, the vulnerability can be repaired in time, the leakage of privacy information is avoided, and the information security is improved.
The method described in the above embodiments is further illustrated in detail by way of example.
In this embodiment, a vulnerability detection apparatus is integrated in a server, and a to-be-detected object is taken as a URL and an object identifier is taken as a hash value for example to describe in detail, please refer to fig. 3, and fig. 3 is a schematic flow diagram of the vulnerability detection method provided in this embodiment. The method flow can comprise the following steps:
S201, the server acquires the URL of the object to be detected.
The server may receive the URL sent by the terminal or load the URL from a database.
S202, the server analyzes the URL, calculates a hash value based on the analyzed URL, and stores object information of the URL.
The server analyzes the URL to obtain object parameters of the URL, where the object parameters may include a transport protocol, a domain name, a port number, a request path name, query parameters, and the like of the URL. Then, hash value operation can be performed on object parameters such as a transmission protocol, a domain name, a port number, a request path name, query parameters and the like through a message digest algorithm to obtain a hash value. And the object information of the URL may be stored to the first database (i.e., the detection record database). The object information may include a transport protocol of the URL, a domain name, a port number, a request path name, a hash value, and the like.
S203, the server generates a vulnerability detection test case based on the Hash value.
The server can fill the placeholders in the target test case template by using the hash value to obtain the vulnerability test case.
S204, the server splices the vulnerability detection test case and the URL to obtain a target URL containing the vulnerability detection test case.
For example, the server may splice the vulnerability detection test case at the tail of the URL to obtain a target URL containing the vulnerability detection test case.
S205, the server sends a page display instruction carrying the target URL to the terminal, and the page is displayed on the terminal based on the page display instruction.
Wherein the page display instruction may be an HTTP request.
S206, when the vulnerability detection test case is triggered in the displayed page, the server determines that the URL has a stored XSS vulnerability.
For example, when a browsing operation event is generated by moving the mouse or clicking in the display page of the terminal, and the browsing operation event triggers the vulnerability detection test case, the server may determine that the URL has a stored XSS vulnerability.
S207, the server stores page information of the page.
The page information may include a request source of the page, a hash value, and the like.
And S208, associating the URL with the vulnerability with the page by the server.
The server may associate the URL where the vulnerability exists with the page based on the hash value.
S209, the server outputs alarm information related to the vulnerability detection result.
For example, the warning information may be sent to the terminal so that the terminal displays the warning information within the display interface. For another example, an alarm message may be sent to a designated mail and the associated person in charge may be notified in time. For another example, the warning information may be sent to the specified instant messaging account.
In the above embodiments, the descriptions of the embodiments have respective emphasis, and a part that is not described in detail in a certain embodiment may be referred to the above detailed description of the vulnerability detection method, and is not described herein again.
In order to better implement vulnerability detection, improve convenience and flexibility of vulnerability detection, and improve efficiency of asynchronous detection, the server may be divided into a plurality of modules for cooperative detection, for example, the server may include a detection module, a vulnerability processing module, a detection record database, a vulnerability processing record database, and an association module.
As shown in fig. 4, the detection module may be connected to the detection record database, the vulnerability processing module may be connected to the vulnerability processing record database, the association module may be connected to the detection record database and the vulnerability processing record database, and the detection module and the vulnerability processing module may be connected to the terminal respectively.
The detection module can be used for analyzing the URL of the detection object, calculating a hash value, generating a vulnerability test case, splicing the target URL, sending a page display instruction to the terminal and the like.
The vulnerability processing module can be used for determining whether a vulnerability exists, generating and sending warning information and the like.
The detection record database may be used to store object information for URLs.
The vulnerability processing record database may be used to store page information for pages.
The association module may be configured to associate the URL with the page where the vulnerability exists.
Referring to fig. 5, fig. 5 is a schematic flow chart of a vulnerability detection method according to an embodiment of the present disclosure. The method flow can comprise the following steps:
S20, the detection module receives a page acquisition request which is sent by the terminal and carries the URL of the object to be detected.
For example, as shown in fig. 6, the URL of the object to be detected, which is carried in the page obtaining request sent by the terminal, may be transmitted to the detection module.
S21, the detection module acquires the URL of the object to be detected from the page acquisition request.
For example, as shown in fig. 6, the detection module may receive the incoming URL. To facilitate subsequent detection of the object to be detected, the page acquisition request may also carry a login state of the object to be detected, where the login state may include cookies or a special response header.
S22, the detection module analyzes the URL and calculates a hash value based on the analyzed URL.
The detection module can analyze the URL to obtain object parameters of the URL, such as a transmission protocol, a domain name, a port number, a request path name, query parameters and the like. Then, hash value operation can be performed on object parameters such as a transmission protocol, a domain name, a port number, a request path name, query parameters and the like through a message digest algorithm to obtain a hash value.
And S23, the detection module sends the object information of the URL to a detection record database, and the detection record database stores the object information.
The object information may include a transport protocol of the URL, a domain name, a port number, a request path name, a hash value, and the like. The object information may be referred to as URL information, and for example, as shown in fig. 6, the URL information may be stored in a detection record database (may be referred to as a detection record DB).
And S24, the detection module generates a vulnerability test case based on the hash value.
The detection module can fill the placeholders in the target test case template by using the hash values to obtain the vulnerability test case Payload.
S25, the detection module splices the vulnerability test case and the URL to obtain a target URL containing the vulnerability test case.
For example, as shown in fig. 6, the detection module may splice the vulnerability detection test case at the tail of the URL, so as to splice a target URL containing the vulnerability detection test case Payload.
And S26, the detection module sends a page display instruction carrying the target URL to the terminal.
For example, because the target URL includes Payload and the page display instruction carries the target URL, the detection module in fig. 6 may send the HTTP request including Payload to the terminal.
And S27, displaying the page based on the page display instruction by the terminal.
And S28, the terminal receives the browsing operation event generated in the page and monitors whether the browsing operation event triggers the vulnerability test case.
And S29, when the browsing operation event triggers the vulnerability test case, the terminal sends a vulnerability detection request to the vulnerability processing module.
The vulnerability detection request can be an HTTP request carrying a hash value, a vulnerability test case, a request source and the like. For example, as shown in fig. 6, a browsing operation event in a displayed page may trigger a vulnerability test case Payload, and the vulnerability processing module may monitor a Web Server request log (i.e., a log of a vulnerability detection request) and record a request with Payload characteristics to extract a hash value in the vulnerability detection request.
And S30, the vulnerability processing module extracts the hash value, the vulnerability test case and the like from the vulnerability detection request and determines that stored XSS exists.
S31, the vulnerability processing module sends the page information of the page to a vulnerability processing record database (i.e. vulnerability processing record DB in fig. 6), and the vulnerability processing record database stores the page information. The page information may include a request source of the page, a hash value, and the like.
S32, the correlation module reads the hash value field in the detection record database and receives the hash value sent by the detection record database.
S33, the correlation module reads the hash value field in the vulnerability processing record database and receives the hash value sent by the vulnerability processing record database.
And S34, the association module associates the URL with the vulnerability with the page based on the hash value.
For example, as shown in fig. 6, a URL and a page where a vulnerability exists may be associated based on URL information in the detection record DB and page information in the vulnerability processing record DB.
For example, as shown in fig. 7, the detection record database may include fields such as transmission protocol, domain name, request source, hash value, port number and request path name, and the vulnerability processing record database may include fields such as request source and hash value. The URL and the page with the vulnerability are associated by matching the hash value stored in the hash value field of the detection record database with the hash value stored in the hash value field of the vulnerability processing record database.
And S35, the vulnerability processing module generates warning information related to the vulnerability detection result.
For example, as shown in fig. 6, the vulnerability processing module may combine URL information in the detection record DB and page information in the vulnerability processing record DB to obtain combined information, and generate warning information related to the vulnerability detection result based on the combined information, so as to send the warning information to the terminal.
And S36, the vulnerability processing module sends the warning information to the terminal.
And S37, the terminal outputs alarm information.
For example, the terminal may display the warning information in the display interface, or may send the warning information to a specified email, or may send the warning information to a specified instant messaging account, or the like.
In the above embodiments, the descriptions of the embodiments have respective emphasis, and a part that is not described in detail in a certain embodiment may be referred to the above detailed description of the vulnerability detection method, and is not described herein again.
According to the method and the device, the server generates the vulnerability test case based on the hash value corresponding to the URL and splices the vulnerability test case into the URL to obtain a target URL containing the vulnerability test case; it then sends a page display instruction carrying the target URL to the terminal, which displays the page corresponding to the page display instruction. When a browsing operation event in the page triggers the vulnerability test case, the URL is determined to have the vulnerability, and warning information related to the vulnerability detection result is output. This improves the accuracy and reliability of vulnerability detection, so that vulnerabilities can be repaired in time, leakage of private information is avoided, and information security is improved.
It should be noted that the detection module may be disposed on the terminal. In that case the server may include a vulnerability processing module, a detection record database, a vulnerability processing record database, an association module, and the like, where, as shown in fig. 8, the detection module is connected to the detection record database, the vulnerability processing module is connected to the vulnerability processing record database, the association module is connected to the detection record database and the vulnerability processing record database, and the vulnerability processing module is connected to the terminal. In this case the vulnerability detection method provided by the embodiment of the present application may proceed as follows:
The detection module on the terminal receives the URL input by the user and generates a page acquisition request carrying the URL of the object to be detected, which it sends to the server. The detection module then parses the URL, calculates a hash value based on the parsed URL, and sends the object information of the URL to the detection record database of the server, which stores the object information. The detection module generates a vulnerability test case based on the hash value and splices the vulnerability test case into the URL to obtain a target URL containing the vulnerability test case. The terminal then displays a page based on the target URL, receives browsing operation events generated in the page, and monitors whether a browsing operation event triggers the vulnerability test case. When a browsing operation event triggers the vulnerability test case, the terminal sends a vulnerability detection request to the vulnerability processing module. The vulnerability processing module extracts the hash value, the vulnerability test case and the like from the vulnerability detection request and determines that a stored cross-site scripting (XSS) vulnerability exists. The vulnerability processing module then sends the page information of the page to the vulnerability processing record database, which stores the page information. The association module reads the hash value field in the detection record database and receives the hash value sent by that database, reads the hash value field in the vulnerability processing record database and receives the hash value sent by that database, and associates the URL with the page having the vulnerability based on the hash value.
The vulnerability processing module then generates warning information related to the vulnerability detection result and sends it to the terminal, which outputs the warning information.
In order to better implement the vulnerability detection method provided by the embodiment of the present application, the embodiment further provides an apparatus based on the vulnerability detection method. The terms have the same meanings as in the vulnerability detection method, and specific implementation details can be found in the description of the method embodiment.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a vulnerability detection apparatus according to an embodiment of the present disclosure, where the vulnerability detection apparatus may include a receiving unit 301, an obtaining unit 302, a filling unit 303, a splicing unit 304, a feedback unit 305, a determining unit 306, and the like.
The receiving unit 301 is configured to receive a page acquisition request carrying an object to be detected, sent by a terminal.
The obtaining unit 302 is configured to obtain an object identifier of the object to be detected.
The filling unit 303 is configured to fill the placeholder in the target test case template according to the object identifier to obtain the vulnerability test case.
The splicing unit 304 is configured to process the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case.
The feedback unit 305 is configured to feed back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, where the page display instruction is used to instruct the terminal to display a page corresponding to the page display instruction.
The determining unit 306 is configured to determine that the object to be detected has a vulnerability when the browsing operation event in the page triggers the vulnerability test case.
In an embodiment, the obtaining unit 302 may include:
a parsing subunit, configured to parse the object to be detected to obtain object parameters corresponding to the object to be detected; and
a generating subunit, configured to generate the object identifier of the object to be detected based on the object parameters.
In one embodiment, the object to be detected comprises a web address, and the object parameters comprise a transmission protocol, a domain name, a port number, a request path name and query parameters of the web address;
the generating subunit is specifically configured to: carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name and the query parameter to obtain a hash value; and determining the object identification of the object to be detected based on the hash value.
In an embodiment, the generating subunit is specifically configured to: acquiring template identification information of a target test case template; performing hash value operation on a transmission protocol, a domain name, a port number, a request path name, query parameters and template identification information through a message digest algorithm to obtain a hash value; and determining the object identification of the object to be detected based on the hash value.
In an embodiment, the filling unit 303 is specifically configured to: identifying placeholders in the target test case template; and when the recognized placeholder is the preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
In an embodiment, the splicing unit 304 is specifically configured to: determining the position of test case identification information carried in an object to be detected; and splicing the vulnerability test cases based on the positions to obtain a target detection object.
In an embodiment, the determining unit 306 is specifically configured to: receive, based on a browsing operation event in the page, a vulnerability detection request sent by the terminal, where the vulnerability detection request carries a request source, the vulnerability test case and the object identifier; determine, based on the vulnerability test case and the object identifier in the vulnerability detection request, that the object to be detected has a stored cross-site scripting vulnerability; and locate the page having the stored cross-site scripting vulnerability based on the request source.
In an embodiment, the vulnerability detection apparatus may further include:
and the association storage unit is used for associating and storing the page with the vulnerability and the object to be detected based on the object identification.
In an embodiment, the association storage unit is specifically configured to: query, at preset time intervals, a first database that stores object information of the target detection object and a second database that stores page information of the page; and generate a vulnerability generation chain based on the field storing the object identifier in the first database and the field storing the object identifier in the second database, so as to associate the page with the object to be detected.
In an embodiment, the vulnerability detection apparatus may further include:
the generating unit is used for acquiring the vulnerability information and generating alarm information based on the vulnerability information, the page with the vulnerability and the object to be detected;
and the output unit is used for outputting the alarm information.
In the embodiment of the application, the obtaining unit 302 obtains the object identifier of the object to be detected, and the filling unit 303 fills the placeholder in the target test case template according to the object identifier to obtain the vulnerability test case; the splicing unit 304 then processes the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case; the feedback unit 305 feeds back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, where the page display instruction is used to instruct the terminal to display a page corresponding to the page display instruction; and when a browsing operation event in the page triggers the vulnerability test case, the determining unit 306 determines that the object to be detected has a vulnerability. In this technical scheme, the target detection object is generated from the vulnerability test case, and the object to be detected is found to have the vulnerability exactly when a browsing operation event in the page that the terminal displays based on the page display instruction triggers the vulnerability test case, which improves the accuracy and reliability of vulnerability detection.
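The correlation steps S32 to S37 above and the units 302 to 306 just described, modelled end to end as an added Python example that is not part of the patent: the template text, the placeholder, the URL marker, SHA-256 as the message digest and the two in-memory dictionaries standing in for the detection record database and the vulnerability processing record database are all assumptions.

```python
import hashlib
from urllib.parse import quote, urlsplit

TEMPLATE_ID = "tpl-stored-xss-01"     # assumed template identification information
PLACEHOLDER = "{OBJECT_ID}"           # assumed preset placeholder in the template
SPLICE_MARKER = "__TESTCASE__"        # assumed test case identification info in the URL
# Constructed stand-in for the target test case template. The patent does not give
# its contents; a real template would hold a benign probe that reports the
# identifier back to the detector when a page renders it.
TEST_CASE_TEMPLATE = "probe(" + PLACEHOLDER + ")"

detection_records = {}   # "first database": object information keyed by hash value
vuln_records = {}        # "second database": page information keyed by hash value


def parse_object(url):
    """Object parameters of the URL: transmission protocol, domain name, port
    number, request path name and query parameters."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return {"protocol": parts.scheme, "domain": parts.hostname or "", "port": port,
            "path": parts.path, "query": parts.query}


def object_identifier(params, template_id=TEMPLATE_ID):
    """Message digest (SHA-256 here; the patent leaves the algorithm open) over
    the object parameters plus the template identification information."""
    material = "\n".join([params["protocol"], params["domain"], str(params["port"]),
                          params["path"], params["query"], template_id])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def fill_template(object_id, template=TEST_CASE_TEMPLATE):
    """Write the object identifier into the position of the preset placeholder."""
    if PLACEHOLDER not in template:
        raise ValueError("template carries no preset placeholder")
    return template.replace(PLACEHOLDER, object_id)


def splice(url, test_case):
    """Put the filled test case at the position marked in the object to be detected."""
    if SPLICE_MARKER not in url:
        raise ValueError("object carries no test case identification information")
    return url.replace(SPLICE_MARKER, quote(test_case, safe=""))


def handle_page_request(url, request_source):
    """Server side of the page acquisition request: store the object information
    and return the page display instruction carrying the target detection object."""
    params = parse_object(url)
    oid = object_identifier(params)
    detection_records[oid] = dict(params, url=url, request_source=request_source, hash=oid)
    return {"action": "display_page", "target": splice(url, fill_template(oid)), "object_id": oid}


def handle_detection_request(req):
    """Vulnerability detection request sent by the terminal when a browsing event
    triggered the test case. Only a request whose identifier we issued, and whose
    test case matches that identifier, is recorded as a stored XSS finding."""
    oid = req.get("object_id", "")
    if oid not in detection_records:
        return None                         # unknown identifier: not our probe
    if req.get("test_case") != fill_template(oid):
        return None                         # identifier and test case disagree
    vuln_records[oid] = {"hash": oid, "page": req["request_source"], "vuln_type": "stored XSS"}
    return vuln_records[oid]


def associate():
    """Association module: join the two databases on their hash value field to
    build the vulnerability generation chain (URL where the input was accepted,
    page where it is rendered)."""
    chain = []
    for oid, page_info in vuln_records.items():
        obj = detection_records.get(oid)
        if obj is None:
            continue                        # orphan page record: no matching URL
        chain.append({"hash": oid, "url": obj["url"], "page": page_info["page"],
                      "vuln_type": page_info["vuln_type"]})
    return chain


def warning_messages():
    """Vulnerability processing module: warning information for each chain link."""
    return [f'[{c["vuln_type"]}] input accepted at {c["url"]} is rendered on {c["page"]} '
            f'(hash {c["hash"][:12]})' for c in associate()]


if __name__ == "__main__":
    # Constructed walk-through: a comment form whose text lands on a moderation page.
    instr = handle_page_request("https://app.example.test/comments?text=__TESTCASE__", "scanner")
    oid = instr["object_id"]
    handle_detection_request({"object_id": oid, "test_case": fill_template(oid),
                              "request_source": "https://app.example.test/admin/moderate"})
    for line in warning_messages():
        print(line)
```

The identifier check in handle_detection_request is what keeps a probe report from a page the scanner never seeded, or with a tampered test case, out of the vulnerability record database.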
The embodiment of the present application further provides a computer device, where the computer device may be a server, as shown in fig. 10, which shows a schematic structural diagram of a server according to the embodiment of the present application, and specifically:
the server may include components such as a processor 401 of one or more processing cores, memory 402 of one or more computer-readable storage media, a power supply 403, and an input unit 404. Those skilled in the art will appreciate that the server architecture shown in FIG. 10 is not meant to be limiting, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 401 is a control center of the server, connects various parts of the entire server using various interfaces and lines, and performs various functions of the server and processes data by running or executing software programs and/or modules stored in the memory 402 and calling data stored in the memory 402, thereby performing overall monitoring of the server. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by operating the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the server, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 access to the memory 402.
The server further includes a power supply 403 for supplying power to each component, and preferably, the power supply 403 may be logically connected to the processor 401 through a power management system, so as to implement functions of managing charging, discharging, and power consumption through the power management system. The power supply 403 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The server may also include an input unit 404, the input unit 404 being operable to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit and the like, which will not be described in detail herein. Specifically, in this embodiment, the processor 401 in the server loads the executable file corresponding to the process of one or more application programs into the memory 402 according to the following instructions, and the processor 401 runs the application program stored in the memory 402, thereby implementing various functions as follows:
receiving a page acquisition request carrying an object to be detected sent by a terminal, acquiring an object identifier of the object to be detected, and filling a placeholder in a target test case template according to the object identifier to obtain a vulnerability test case; processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case; feeding back a page display instruction carrying a target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction; and when a browsing operation event in the page triggers a vulnerability test case, determining that the object to be detected has a vulnerability.
In one embodiment, when acquiring the object identifier of the object to be detected, the processor 401 is configured to: analyzing the object to be detected to obtain object parameters corresponding to the object to be detected; and generating an object identifier of the object to be detected based on the object parameters.
In one embodiment, the object to be detected comprises a web address, and the object parameters comprise a transmission protocol, a domain name, a port number, a request path name and query parameters of the web address; in generating the object identifier of the object to be detected based on the object parameter, the processor 401 is configured to perform: carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name and the query parameter to obtain a hash value; and determining the object identification of the object to be detected based on the hash value.
In an embodiment, when performing a hash operation on a transport protocol, a domain name, a port number, a request path name, and a query parameter to obtain a hash value, the processor 401 is configured to: acquiring template identification information of a target test case template; and carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value.
In an embodiment, when filling the placeholder in the target test case template according to the object identifier to obtain the vulnerability test case, the processor 401 is configured to execute: identifying placeholders in the target test case template; and when the recognized placeholder is the preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
In an embodiment, when processing the vulnerability test case and the object to be detected to obtain the target detection object containing the vulnerability test case, the processor 401 is configured to execute: determining the position of the test case identification information carried in the object to be detected; and splicing the vulnerability test case at that position to obtain the target detection object.
In an embodiment, when determining that the object to be detected has a vulnerability, the processor 401 is configured to perform: receiving, based on a browsing operation event in the page, a vulnerability detection request sent by the terminal, where the vulnerability detection request carries a request source, the vulnerability test case and the object identifier; determining, based on the vulnerability test case and the object identifier in the vulnerability detection request, that the object to be detected has a stored cross-site scripting vulnerability; and locating the page having the stored cross-site scripting vulnerability based on the request source.
In an embodiment, after determining that the object to be detected has a vulnerability, the processor 401 is configured to perform: storing the page having the vulnerability and the object to be detected in an associated manner based on the object identifier.
In an embodiment, when storing the page having the vulnerability in association with the object to be detected based on the object identifier, the processor 401 is configured to perform: querying, at preset time intervals, a first database that stores object information of the target detection object and a second database that stores page information of the page; and generating a vulnerability generation chain based on the field storing the object identifier in the first database and the field storing the object identifier in the second database, so as to associate the page with the object to be detected.
In an embodiment, after determining that the object to be detected has a vulnerability, the processor 401 is configured to perform: acquiring vulnerability information, and generating alarm information based on the vulnerability information, the page having the vulnerability and the object to be detected; and outputting the alarm information.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations of the above embodiments.
It will be understood by those skilled in the art that all or part of the steps of the methods of the embodiments described above may be performed by computer instructions, or by computer instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, the present application provides a storage medium, which may be a computer storage medium, in which a computer program is stored, where the computer program includes computer instructions, and the computer program can be loaded by a processor to execute any one of the vulnerability detection methods provided in the present application.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
The storage medium may include: a read-only memory (ROM), a random access memory (RAM), a magnetic or optical disk, and the like.
Because the computer instructions stored in the storage medium may execute the steps in any vulnerability detection method provided in the embodiments of the present application, beneficial effects that can be achieved by any vulnerability detection method provided in the embodiments of the present application may be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
The vulnerability detection method, the vulnerability detection device, the computer equipment and the storage medium provided by the embodiment of the application are introduced in detail, a specific example is applied in the method to explain the principle and the implementation mode of the application, and the description of the embodiment is only used for helping to understand the method and the core idea of the application; meanwhile, for those skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (14)

1. A vulnerability detection method is characterized by comprising the following steps:
receiving a page acquisition request carrying an object to be detected and sent by a terminal;
acquiring an object identifier of the object to be detected;
filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction;
and when the browsing operation event in the page triggers the vulnerability test case, determining that the object to be detected has a vulnerability.
2. The vulnerability detection method according to claim 1, wherein the obtaining the object identification of the object to be detected comprises:
analyzing the object to be detected to obtain object parameters corresponding to the object to be detected;
and generating the object identification of the object to be detected based on the object parameters.
3. The vulnerability detection method according to claim 2, characterized in that the object to be detected comprises a web address, and the object parameters include a transmission protocol, a domain name, a port number, a request path name, and query parameters of the web address;
generating the object identifier of the object to be detected based on the object parameter comprises:
performing hash value operation on the transmission protocol, the domain name, the port number, the request path name and the query parameter to obtain a hash value;
and determining the object identification of the object to be detected based on the hash value.
4. The vulnerability detection method of claim 3, wherein the performing hash value operation on the transport protocol, the domain name, the port number, the request path name, and the query parameter to obtain a hash value comprises:
acquiring template identification information of the target test case template;
and carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value.
5. The vulnerability detection method of claim 1, wherein the filling placeholders in a target test case template according to the object identifier to obtain a vulnerability test case comprises:
identifying placeholders in the target test case template;
and when the recognized placeholder is a preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
6. The vulnerability detection method according to claim 1, wherein the processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case comprises:
determining the position of test case identification information carried in the object to be detected;
and splicing the vulnerability test cases based on the positions to obtain a target detection object.
7. The vulnerability detection method according to claim 1, wherein the determining that the object to be detected has a vulnerability comprises:
receiving a vulnerability detection request sent by the terminal based on a browsing operation event in the page, wherein the vulnerability detection request carries a request source, the vulnerability test case and the object identification;
determining, based on the vulnerability test case and the object identification in the vulnerability detection request, that the object to be detected has a stored cross-site scripting vulnerability, and locating the page having the stored cross-site scripting vulnerability based on the request source.
8. The vulnerability detection method according to any one of claims 1 to 7, wherein after determining that the object to be detected has a vulnerability, the vulnerability detection method further comprises:
and storing the page with the vulnerability and the object to be detected in an associated manner based on the object identification.
9. The vulnerability detection method according to claim 8, wherein the storing the page with the vulnerability and the object to be detected in association based on the object identification comprises:
inquiring a first database for storing object information of the target detection object and a second database for storing page information of the page at intervals of preset time;
and generating a vulnerability generation chain based on the inquired field for storing the object identifier in the first database and the field for storing the object identifier in the second database so as to associate the page and the object to be detected.
10. The vulnerability detection method according to any one of claims 1 to 7, wherein after determining that the object to be detected has a vulnerability, the vulnerability detection method further comprises:
acquiring vulnerability information, and generating alarm information based on the vulnerability information, the page with the vulnerability and the object to be detected;
and outputting the alarm information.
11. A vulnerability detection apparatus, comprising:
the receiving unit is used for receiving a page acquisition request which is sent by a terminal and carries an object to be detected;
the acquisition unit is used for acquiring the object identification of the object to be detected;
the filling unit is used for filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
the splicing unit is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
a feedback unit, configured to feed back, based on the page acquisition request, a page display instruction carrying the target detection object to the terminal, where the page display instruction is used to instruct the terminal to display a page corresponding to the page display instruction;
and a determining unit, configured to determine that the object to be detected has a vulnerability when the browsing operation event in the page triggers the vulnerability test case.
12. A vulnerability detection system, comprising a server and a terminal, wherein the terminal is configured to send a page acquisition request carrying an object to be detected to the server;
the server is used for acquiring an object identifier of the object to be detected, and filling placeholders in a target test case template according to the object identifier to obtain a vulnerability test case;
the server is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
the server is used for feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request;
the terminal is used for displaying a page corresponding to the page display instruction;
and the server is configured to determine that the object to be detected has a vulnerability when the browsing operation event in the page triggers the vulnerability test case.
13. A computer device comprising a processor and a memory, the memory having stored therein a computer program, the processor when calling the computer program in the memory performing the vulnerability detection method of any of claims 1 to 10.
14. A storage medium for storing a computer program which is loaded by a processor to perform the vulnerability detection method of any of claims 1 to 10.
CN202011124781.7A 2020-10-20 2020-10-20 Vulnerability detection method and device, computer equipment and storage medium Pending CN112231711A (en)


Publications (1)

Publication Number Publication Date
CN112231711A true CN112231711A (en) 2021-01-15

Family

ID=74119113


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112765645A (en) * 2021-04-12 2021-05-07 南京文枫信息科技有限公司 Privacy protection system and method for cloud storage
CN113392410A (en) * 2021-08-17 2021-09-14 腾讯科技(深圳)有限公司 Interface security detection method and device, computer equipment and storage medium
CN113868659A (en) * 2021-10-20 2021-12-31 前锦网络信息技术(上海)有限公司 Vulnerability detection method and system
CN114244581A (en) * 2021-11-29 2022-03-25 西安四叶草信息技术有限公司 Cache poisoning vulnerability detection method and device, electronic equipment and storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112765645A (en) * 2021-04-12 2021-05-07 南京文枫信息科技有限公司 Privacy protection system and method for cloud storage
CN113392410A (en) * 2021-08-17 2021-09-14 腾讯科技(深圳)有限公司 Interface security detection method and device, computer equipment and storage medium
CN113392410B (en) * 2021-08-17 2022-02-11 腾讯科技(深圳)有限公司 Interface security detection method and device, computer equipment and storage medium
CN113868659A (en) * 2021-10-20 2021-12-31 前锦网络信息技术(上海)有限公司 Vulnerability detection method and system
CN114244581A (en) * 2021-11-29 2022-03-25 西安四叶草信息技术有限公司 Cache poisoning vulnerability detection method and device, electronic equipment and storage medium
CN114244581B (en) * 2021-11-29 2024-03-29 西安四叶草信息技术有限公司 Cache poisoning vulnerability detection method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US10079854B1 (en) Client-side protective script to mitigate server loading
CN112231711A (en) Vulnerability detection method and device, computer equipment and storage medium
US9876753B1 (en) Automated message security scanner detection system
US11716348B2 (en) Malicious script detection
US11361074B2 (en) Efficient scanning for threat detection using in-doc markers
CN106936793B (en) Information interception processing method and terminal
US8898796B2 (en) Managing network data
US8819819B1 (en) Method and system for automatically obtaining webpage content in the presence of javascript
US9614862B2 (en) System and method for webpage analysis
US8966446B1 (en) Systems and methods of live experimentation on content provided by a web site
US9147067B2 (en) Security method and apparatus
CN103607385A (en) Method and apparatus for security detection based on browser
CN105049440B (en) Detect the method and system of cross-site scripting attack injection
US20190222587A1 (en) System and method for detection of attacks in a computer network using deception elements
CN109862021B (en) Method and device for acquiring threat information
CN103618626A (en) Method and system for generating safety analysis report on basis of logs
US8789177B1 (en) Method and system for automatically obtaining web page content in the presence of redirects
CN111787030A (en) Network security inspection method, device, equipment and storage medium
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN111177623A (en) Information processing method and device
CN114357457A (en) Vulnerability detection method and device, electronic equipment and storage medium
US9398041B2 (en) Identifying stored vulnerabilities in a web service
CN103152356A (en) Method, server and system for detecting safety of file sample
Barhoom et al. A new server-side solution for detecting cross site scripting attack
CN113778709B (en) Interface calling method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40037753

Country of ref document: HK

SE01 Entry into force of request for substantive examination