CN112395597A - Method and device for detecting website application vulnerability attack and storage medium - Google Patents


Info

Publication number
CN112395597A
Authority
CN (China)
Application number
CN201910755467.XA
Other languages
Chinese (zh)
Inventors
陈俊儒
谢文聪
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Legal status
Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis


Abstract

The application discloses a method and a device for detecting website application vulnerability attacks, a storage medium and computer equipment, wherein the method comprises the following steps: monitoring an interpreter corresponding to the target website application, and capturing the code to be executed of a key function from the interpreter through a hook function; analyzing the code to be executed to obtain the flow to be executed corresponding to the code to be executed; and judging whether the code to be executed is execution code of a vulnerability attack behavior according to the standard execution flow corresponding to the key function and the flow to be executed. The method and the device hook a key function of the script execution layer and judge whether a call is an attack behavior by checking whether the execution flow of the script conforms to the specification, so as to protect vulnerabilities of the website application layer accurately.

Description

Method and device for detecting website application vulnerability attack and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for detecting a vulnerability attack of a website application, a storage medium, and a computer device.
Background
In recent years, intranet security events have occurred frequently, important or sensitive data of enterprises or organizations has been lost, and the resulting losses and impact on governments and enterprises are serious.
At present, in order to prevent vulnerability attacks from adversely affecting a user terminal or a website server, protection against the various application layer vulnerabilities of website applications (such as deserialization and code execution vulnerabilities) is mainly implemented by feature matching, i.e. by detecting whether a request data packet sent to the website application contains specific attack features. This protection mode cannot be associated with the specific service: if the rules are too strict, a large number of false reports are generated, and if the rules are too loose, a large number of attacks are missed, so accurate protection cannot be realized.
Therefore, how to design a fast and efficient attack defense mechanism that defends against a vulnerability attack in time once it occurs has become a pressing problem for technicians in the field.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for detecting a website application vulnerability attack, a storage medium, and a computer device, which hook a key function of the script execution layer and determine whether a call is an attack behavior by checking whether the execution flow of the script conforms to the specification, so as to implement accurate protection of website application layer vulnerabilities.
According to one aspect of the application, a method for detecting a website application vulnerability attack is provided, which includes:
monitoring an interpreter corresponding to a target website application, and capturing a code to be executed of a key function from the interpreter through a hook function;
analyzing the code to be executed to obtain a flow to be executed corresponding to the code to be executed;
and judging whether the code to be executed is an execution code of the vulnerability attack behavior according to the standard execution flow corresponding to the key function and the flow to be executed.
Specifically, before monitoring the interpreter corresponding to the target website application, the method further includes:
carrying out at least one safe call on the key function;
collecting a safety execution code corresponding to the safety call by monitoring the interpreter;
and analyzing the standard execution flow of the safety call according to the safety execution code, and adding the safety execution flow into a standard execution flow library.
Specifically, after the analyzing the code to be executed to obtain the flow to be executed corresponding to the code to be executed, the method further includes:
and acquiring the standard execution flow corresponding to the key function in the standard execution flow library.
Specifically, analyzing the code to be executed to obtain a flow to be executed corresponding to the code to be executed, specifically including:
and sequentially extracting corresponding operation behaviors from the code to be executed according to the sequence from front to back to obtain the flow to be executed.
Specifically, the determining, according to the standard execution flow corresponding to the key function and the to-be-executed flow, whether the to-be-executed code is an execution code of a vulnerability attack behavior specifically includes:
if the to-be-executed flow is inconsistent with the standard execution flow, judging that the to-be-executed code has a bug attack behavior, and preventing the to-be-executed code from being executed;
and if the to-be-executed flow is consistent with the standard execution flow, judging that the to-be-executed code has no vulnerability attack behavior, and executing the to-be-executed code.
Specifically, the determining that the code to be executed has a vulnerability attack behavior and preventing the code to be executed from being executed specifically includes:
reporting the code to be executed to a security management system so as to generate and feed back a judgment result of the code to be executed by using the security management system;
if the received judgment result indicates that the code to be executed has a vulnerability attack behavior, the code to be executed is prevented from being executed;
and if the received judgment result indicates that the code to be executed does not have a vulnerability attack behavior, executing the code to be executed, and adding the flow to be executed corresponding to the code to be executed into the standard execution flow library.
According to another aspect of the present application, there is provided a device for detecting a vulnerability attack on a website, including:
a monitoring module, used for monitoring an interpreter corresponding to a target website application and capturing the code to be executed of a key function from the interpreter through a hook function;
the code analysis module is used for analyzing the code to be executed to obtain a flow to be executed corresponding to the code to be executed;
and the vulnerability detection module is used for judging whether the code to be executed is an execution code of vulnerability attack behavior according to the standard execution flow corresponding to the key function and the flow to be executed.
Specifically, the apparatus further comprises:
the safety calling module is used for carrying out at least one safety calling on the key function before monitoring the interpreter corresponding to the target website application;
the security code collection module is used for collecting the security execution code corresponding to the security call through monitoring the interpreter;
and the standard library establishing module is used for analyzing the standard execution flow of the safety call according to the safety execution code and adding the safety execution flow into a standard execution flow library.
Specifically, the apparatus further comprises:
and the standard execution flow acquisition module is used for acquiring the standard execution flow corresponding to the key function from the standard execution flow library after the code to be executed has been analyzed to obtain the flow to be executed corresponding to the code to be executed.
Specifically, the code analysis module is specifically configured to:
and sequentially extracting corresponding operation behaviors from the code to be executed according to the sequence from front to back to obtain the flow to be executed.
Specifically, the vulnerability detection module specifically includes:
the intercepting unit is used for judging that the code to be executed has a bug attack behavior and preventing the code to be executed from being executed if the flow to be executed is inconsistent with the standard execution flow;
and the execution unit is used for judging that the code to be executed has no vulnerability attack behavior and executing the code to be executed if the flow to be executed is consistent with the standard execution flow.
Specifically, the intercepting unit specifically includes:
the reporting subunit is configured to report the code to be executed to a security management system, so as to generate and feed back a determination result of the code to be executed by using the security management system;
the intercepting subunit is used for preventing the code to be executed from being executed if the received judgment result indicates that the code to be executed has a bug attack behavior;
and the execution subunit is configured to execute the code to be executed if the received determination result indicates that the code to be executed does not have a vulnerability attack behavior, and add the flow to be executed corresponding to the code to be executed to the standard execution flow library.
According to yet another aspect of the present application, there is provided a storage medium having a computer program stored thereon, which when executed by a processor, implements the above-described method for detecting a vulnerability attack to a website application.
According to still another aspect of the present application, a computer device is provided, which includes a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the method for detecting the vulnerability attack of the website application when executing the program.
By means of the technical scheme, the method and the device for detecting the website application vulnerability attack, the storage medium and the computer equipment provided by the application monitor the key function of the website application, capture the code to be executed of the key function through a hook in the interpreter, analyze the corresponding flow of the code to be executed, and judge whether the calling behavior of the key function is a vulnerability attack behavior by comparing it with the standard execution flow corresponding to the key function. The method and the device hook a key function of the script execution layer and judge whether a call is an attack behavior by checking whether the execution flow of the script conforms to the specification, so as to protect vulnerabilities of the website application layer accurately.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for detecting a vulnerability attack of a website application according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another method for detecting a vulnerability attack in a website application according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating a detection apparatus for detecting a vulnerability attack of a website application according to an embodiment of the present application;
fig. 4 is a schematic structural diagram illustrating another apparatus for detecting a vulnerability attack applied to a website according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a method for detecting a website application vulnerability attack is provided, as shown in fig. 1, the method includes:
step 101, monitoring an interpreter corresponding to the target website application, and capturing a code to be executed of a key function from the interpreter through a hook function.
The embodiment of the application is mainly applied to detecting attacks by an intruder on application script vulnerabilities of a website server, and is mainly directed at interpreted scripts. By monitoring the interpreter, when a key function of the application is called, the key function of the script execution layer of the website application is hooked and the corresponding hook function captures the code to be executed that calls the key function. Before the system executes the code, the hook program captures it first and obtains control; the security of the code to be executed is then analyzed to determine whether the code is safe and whether it may be executed. The hook function can process (change) the execution behavior of the function and can also forcibly end the message transmission. For example, the exec function of the PHP interpreter in a certain website service system is hooked, and the code to be executed "exec("ping 127.0.0.1")" is obtained.
In addition, it should be noted that the embodiment of the present application may be used for vulnerability attack protection of a website application compiled based on an interpreted language such as PHP, Python, or Java, and may specifically monitor a key function in a language interpreter, where the language interpreter may specifically include a PHP language interpreter, a Python language interpreter, and a Java language interpreter.
Step 102, analyzing the code to be executed to obtain a flow to be executed corresponding to the code to be executed.
After the code to be executed is captured, it is further analyzed and the corresponding flow to be executed is extracted. For example, the code to be executed "exec("ping 127.0.0.1")" captured from the PHP interpreter indicates that the system ping command is executed using the exec function of PHP and then completes.
Step 103, judging whether the code to be executed is an execution code of the vulnerability attack behavior according to the standard execution flow and the flow to be executed corresponding to the key function.
The preset standard execution flow corresponding to the key function is compared with the flow to be executed extracted from the code to be executed, so as to analyze whether the code to be executed is attack code targeting a website vulnerability. Specifically, if the two are inconsistent, the current calling behavior of the key function is possibly a vulnerability attack behavior, and continuing to execute the code could threaten the website application; the code can therefore be prevented from executing and the corresponding operation forcibly ended. Correspondingly, if the two are consistent, the calling operation corresponding to the code can be executed and the corresponding function realized.
For example, an attacker can tamper with the execution flow of the exec function in PHP by introducing a malicious payload, so that the code of the exec function becomes "exec("ping 127.0.0.1; ipconfig")" and exec also executes the ipconfig command after the ping command. This does not coincide with the original flow, in which the exec function executes the system ping command and then ends; the original execution flow has therefore been changed, the behavior is determined to be an attack, and the code is prevented from being executed.
By applying the technical scheme of this embodiment, the key function of the website application is monitored, the code to be executed of the key function is captured through a hook in the interpreter, the corresponding flow of the code to be executed is analyzed, and whether the calling behavior of the key function is a vulnerability attack behavior is judged by comparing it with the standard execution flow corresponding to the key function. The method and the device hook a key function of the script execution layer and judge whether a call is an attack behavior by checking whether the execution flow of the script conforms to the specification, so that accurate protection of website application layer vulnerabilities is realized.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully describe the specific implementation process of the embodiment, another method for detecting a vulnerability attack of a website application is provided, as shown in fig. 2, the method includes:
step 201, at least one secure call is performed on the key function.
Step 202, collecting the security execution code corresponding to the security call by monitoring the interpreter.
Step 203, analyzing the standard execution flow of the security call according to the security execution code, and adding the security execution flow into the standard execution flow library.
In steps 201 to 203 of the embodiment of the present application, in order to implement detection of a vulnerability attack, before monitoring an interpreter, an execution flow corresponding to a security call behavior of a key function should be predetermined, so as to establish a standard execution flow library of the key function.
Specifically, at least one safe calling operation is first performed on the key function (this can be done by a technician); secondly, the execution codes corresponding to the safe calling operations are collected by monitoring the interpreter; and finally, these codes are analyzed into the corresponding execution flows, and a standard execution flow library is established from the analyzed execution flows. Because the execution flows stored in the standard execution flow library are obtained by analyzing and extracting the security call codes, in the subsequent attack detection, as long as the flow to be executed matches a standard execution flow in the library, the operation is a security call that was exercised in advance and does not belong to an attack behavior.
Step 204, monitoring an interpreter corresponding to the target website application, and capturing a code to be executed of the key function from the interpreter through a hook function.
Monitoring an interpreter corresponding to the target website application, capturing a code to be executed in the interpreter by utilizing a hook technology, namely a hook function, so as to analyze whether the calling behavior of the key function is a vulnerability attack behavior by utilizing the code to be executed.
Step 205, sequentially extracting corresponding operation behaviors from the code to be executed according to a sequence from front to back to obtain the flow to be executed.
The parameters of each command in the code to be executed are ignored, and the system commands in the function's arguments are extracted in order to obtain the flow to be executed corresponding to the code to be executed. For example, the code to be executed "exec("ping 127.0.0.1")" indicates that the exec function executes the system ping command and then ends, and the flow to be executed extracted for the key function exec is "ping"; the code to be executed "exec("ping 127.0.0.1; ipconfig")" indicates that the exec function executes the system ping command and then the ipconfig command, and the flow to be executed extracted for the key function exec is "ping, ipconfig".
Step 206, obtaining a standard execution flow corresponding to the key function from the standard execution flow library.
After the to-be-executed flow corresponding to the to-be-executed code is obtained, a standard execution flow library established in advance is utilized to search for a standard execution flow corresponding to the relevant key function, and therefore whether the key function calling behavior corresponding to the to-be-executed flow is an attack behavior or not is analyzed through the standard execution flow.
Step 207, if the to-be-executed flow is inconsistent with the standard execution flow, it is determined that the to-be-executed code has a bug attack behavior, and the to-be-executed code is prevented from being executed.
In the embodiment of the present application, if the flow to be executed corresponding to an actual call of a key function is inconsistent with the standard execution flow pre-stored for the same key function in the standard execution flow library, the call does not belong to the security call behaviors planned when the library was established and may be a vulnerability attack behavior. The code to be executed is therefore intercepted and prevented from being executed, so that the security of the website application is not affected by the attack.
In addition, in order to avoid the situation that the standard execution flow library is not established comprehensively and the to-be-executed flow is inconsistent with the standard execution flow, the to-be-executed flow can be reported when the to-be-executed flow is inconsistent with the standard execution flow, so that a safety management system or a safety manager is used for analyzing the to-be-executed flow, and a final judgment result is obtained. Specifically, step 207 may include the following specific steps:
step 2071, reporting the code to be executed to the security management system, so as to generate and feed back the determination result of the code to be executed by using the security management system.
Step 2072, if the received determination result is that the code to be executed has a bug attack behavior, the code to be executed is prevented from being executed.
Step 2073, if the received determination result is that the code to be executed does not have a bug attack behavior, executing the code to be executed, and adding the flow to be executed corresponding to the code to be executed into the standard execution flow library.
In the above embodiment, if the flow to be executed is inconsistent with the standard execution flow, the code to be executed is reported to the security management system, which analyzes the code to be executed, determines whether the corresponding key function call is a vulnerability attack behavior, and feeds back a determination result. Specifically, if the determination result is that the code to be executed has a vulnerability attack behavior, both the standard execution flow library and the security management system indicate that the call of the key function carries a vulnerability attack risk, and the code to be executed is prevented from being executed. If the determination result is that the code to be executed does not have a vulnerability attack behavior, the key function call was not one of the security behaviors exercised when the standard execution flow library was established, but the library was incompletely established; the code is therefore executed and its flow to be executed is added to the standard execution flow library.
Step 208, if the to-be-executed flow is consistent with the standard execution flow, judging that the to-be-executed code has no vulnerability attack behavior, and executing the to-be-executed code.
If the flow to be executed is consistent with the standard execution flow, the call of the key function is the same as a behavior exercised when the standard execution flow library was established in advance and belongs to the security behaviors; the call therefore does not belong to a vulnerability attack behavior, and the code to be executed can be executed.
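As an added example, not code from the patent or its assignee, the following Python sketch implements steps 201 to 208 for a hypothetical application whose key function takes one command-line string, as in the page's "exec("ping 127.0.0.1")" case: a standard flow library learned from safe calls, flow extraction that keeps command names and drops parameters, and a hook that allows, blocks, or escalates to a reviewer callback standing in for the security management system. It goes slightly beyond the page by also splitting on "&&", "||" and "|", and `fake_exec` is a constructed stand-in that records commands instead of running them.

```python
import re
import shlex
from typing import Callable, Dict, Optional, Set, Tuple

# Operators that chain shell commands; splitting on them yields one command per
# segment. The page only uses ";", the other operators are added here.
_CHAIN_OPERATORS = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")


def extract_flow(command_line: str) -> Tuple[str, ...]:
    """Step 205: keep the executable name of each chained command, in order, and
    drop its parameters, so "ping 127.0.0.1" and "ping 10.0.0.5" give ("ping",).
    Substitutions hidden inside parameters are not modelled: the page's method
    deliberately ignores parameters."""
    flow = []
    for segment in _CHAIN_OPERATORS.split(command_line.strip()):
        if not segment:
            continue
        try:
            tokens = shlex.split(segment)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            tokens = segment.split()
        if tokens:
            flow.append(tokens[0])
    return tuple(flow)


class FlowLibrary:
    """Steps 201-203: standard execution flow library, keyed by key function."""

    def __init__(self) -> None:
        self._flows: Dict[str, Set[Tuple[str, ...]]] = {}

    def learn_safe_call(self, key_function: str, command_line: str) -> Tuple[str, ...]:
        """Record the flow of a call known to be safe (e.g. one a technician
        exercised before monitoring started)."""
        flow = extract_flow(command_line)
        self._flows.setdefault(key_function, set()).add(flow)
        return flow

    def is_standard(self, key_function: str, flow: Tuple[str, ...]) -> bool:
        """Step 206: exact match against the flows recorded for that function."""
        return flow in self._flows.get(key_function, set())


class KeyFunctionHook:
    """Steps 204-208: wraps the key function so the hook sees the code first.
    `reviewer` stands in for the security management system (steps 2071-2073):
    it receives the command line and returns True if the call is safe."""

    def __init__(self, key_function: str, library: FlowLibrary,
                 reviewer: Optional[Callable[[str], bool]] = None) -> None:
        self.key_function = key_function
        self.library = library
        self.reviewer = reviewer

    def decide(self, command_line: str) -> str:
        """Return "allow", "allow-after-review" or "block" for one call."""
        flow = extract_flow(command_line)
        if self.library.is_standard(self.key_function, flow):
            return "allow"                                    # step 208
        if self.reviewer is not None and self.reviewer(command_line):
            # Step 2073: the reviewer cleared it, so the library was incomplete;
            # extend it so the same flow is allowed directly next time.
            self.library.learn_safe_call(self.key_function, command_line)
            return "allow-after-review"
        return "block"                                        # steps 207 / 2072

    def wrap(self, target: Callable[[str], object]) -> Callable[[str], object]:
        """Return a replacement for `target` that runs it only when allowed."""
        def hooked(command_line: str) -> object:
            if self.decide(command_line).startswith("allow"):
                return target(command_line)
            raise PermissionError(
                f"{self.key_function}: flow {extract_flow(command_line)} "
                "is not in the standard execution flow library")
        return hooked


def demo() -> Dict[str, object]:
    """Walk the page's example through a hooked, constructed stand-in for exec()."""
    executed = []           # what the fake exec() was asked to run

    def fake_exec(command_line: str) -> int:
        executed.append(command_line)   # records instead of running anything
        return 0

    library = FlowLibrary()
    library.learn_safe_call("exec", "ping 127.0.0.1")             # steps 201-203
    guarded_exec = KeyFunctionHook("exec", library).wrap(fake_exec)  # step 204
    outcome = {}
    for label, cmd in (("benign", "ping 10.0.0.5"), ("tampered", "ping 127.0.0.1; ipconfig")):
        try:
            guarded_exec(cmd)
            outcome[label] = "executed"
        except PermissionError:
            outcome[label] = "blocked"
    outcome["executed"] = list(executed)
    return outcome
```

An exact-match library is only as complete as the safe calls exercised up front, which is why the reviewer path that extends the library matters in practice.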
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides a detection apparatus for a website application vulnerability attack, and as shown in fig. 3, the apparatus includes: a monitoring module 31, a code analysis module 32, and a vulnerability detection module 33.
The monitoring module 31 is configured to monitor an interpreter corresponding to the target website application, and capture a to-be-executed code of the key function from the interpreter through a hook function;
the code analysis module 32 is configured to analyze the code to be executed to obtain a flow to be executed corresponding to the code to be executed;
and the vulnerability detection module 33 is configured to determine whether the code to be executed is an execution code of a vulnerability attack behavior according to the standard execution flow and the flow to be executed corresponding to the key function.
In a specific application scenario, the apparatus further includes: a security calling module 34, a security code collecting module 35 and a standard library establishing module 36.
The safety calling module 34 is used for carrying out at least one safety calling on the key function before monitoring the interpreter corresponding to the target website application;
the security code collection module 35 is used for collecting security execution codes corresponding to security calls through monitoring the interpreter;
and the standard library establishing module 36 is configured to analyze a standard execution flow of the security call according to the security execution code, and add the security execution flow to the standard execution flow library.
In a specific application scenario, the apparatus further includes: the standard execution flow acquisition module 37.
The standard execution flow obtaining module 37 is configured to obtain the standard execution flow corresponding to the key function from the standard execution flow library after the code to be executed has been parsed to obtain the flow to be executed corresponding to the code to be executed.
In a specific application scenario, the code parsing module 32 is specifically configured to: and sequentially extracting corresponding operation behaviors from the code to be executed according to the sequence from front to back to obtain the flow to be executed.
In a specific application scenario, the vulnerability detection module 33 specifically includes an intercepting unit 331 and an execution unit 332.
The intercepting unit 331 is configured to determine, if the flow to be executed is inconsistent with the standard execution flow, that the code to be executed has vulnerability attack behaviour, and to prevent the code to be executed from being executed;
the execution unit 332 is configured to determine, if the flow to be executed is consistent with the standard execution flow, that the code to be executed has no vulnerability attack behaviour, and to execute the code to be executed.
In a specific application scenario, the intercepting unit 331 specifically includes a reporting subunit 3311, an intercepting subunit 3312 and an execution subunit 3313.
The reporting subunit 3311 is configured to report the code to be executed to the security management system, so that the security management system generates and feeds back a determination result for the code to be executed;
the intercepting subunit 3312 is configured to prevent the code to be executed from being executed if the received determination result indicates that the code to be executed has vulnerability attack behaviour;
the execution subunit 3313 is configured to execute the code to be executed if the received determination result indicates that the code to be executed has no vulnerability attack behaviour, and to add the flow to be executed corresponding to that code to the standard execution flow library.
It should be noted that other descriptions of the functional units of the apparatus for detecting a website application vulnerability attack provided in this embodiment may refer to the corresponding descriptions of fig. 1 and fig. 2, and are not repeated here.
Based on the methods shown in fig. 1 and fig. 2, an embodiment of the present application correspondingly provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the method for detecting a website application vulnerability attack shown in fig. 1 and fig. 2.
On this understanding, the technical solution of the present application may be embodied as a software product stored on a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) that includes several instructions enabling a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method of the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual apparatus embodiment shown in fig. 3 and fig. 4, and to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like. The computer device includes a storage medium and a processor: the storage medium stores a computer program, and the processor executes the computer program to implement the method for detecting a website application vulnerability attack shown in fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
It will be appreciated by those skilled in the art that the present embodiment provides a computer device architecture that is not limiting of the computer device, and that may include more or fewer components, or some components in combination, or a different arrangement of components.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages and maintains the hardware and software resources of the computer device and supports the operation of information-handling programs and other software and/or programs. The network communication module implements communication between the components in the entity device and other hardware and software.
From the embodiments above, those skilled in the art will understand that the present application can be implemented by software on a general-purpose hardware platform, or in hardware. A key function of the website application is monitored; the code the key function is about to execute is captured through a hook in the interpreter; the flow of that code is analysed and compared with the standard execution flow corresponding to the key function, to determine whether the call to the key function is vulnerability attack behaviour. By hooking key functions at the script execution layer and checking whether the script's execution flow conforms to the expected flow, the application decides whether a call is an attack, and thereby achieves precise protection against vulnerabilities at the website application layer.
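The following Python sketch is an added illustration of the pipeline described above; it is not code from the patent or from the applicant. It hooks a hypothetical key function `render_template`, extracts the flow to be executed with the `ast` module (imports and calls, front to back), keeps a standard execution flow library learned from safe calls, and routes any unknown flow through a stand-in `_management_system` verdict. The key function, the template strings and the verdict rule are all constructed for the example. One caveat that the report-and-learn step of the method (item 6 below) exists to handle: an exact-match library rejects every legitimate flow it has not yet seen, so without that feedback path a hook of this kind blocks benign traffic as readily as attacks.

```python
"""Interpreter-hook flow check: added illustration, not the patent's code.
All names below (render_template, _management_system, the templates) are
constructed for the example."""
import ast
import functools
from typing import Callable, Dict, List, Optional, Set, Tuple

Flow = Tuple[str, ...]

# Hypothetical key function: a template engine that hands source to exec().
def render_template(source: str, ctx: dict) -> str:
    env = dict(ctx)  # builtins restricted, but the hook decides before exec()
    exec(source, {"__builtins__": {"str": str, "len": len}}, env)
    return env.get("out", "")

# Flow extraction: record imports and calls in front-to-back (pre-order) order.
def _name(node: ast.AST) -> str:
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _name(node.value) + "." + node.attr
    return "<" + type(node).__name__.lower() + ">"

class _FlowVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.ops: List[str] = []
    def visit_Import(self, node: ast.Import) -> None:
        self.ops.extend("import:" + a.name for a in node.names)
    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        self.ops.append("import:" + (node.module or ""))
    def visit_Call(self, node: ast.Call) -> None:
        self.ops.append(_name(node.func))
        self.generic_visit(node)  # nested calls are recorded after the outer one

def extract_flow(source: str) -> Flow:
    """Parse the code to be executed and return its flow to be executed."""
    visitor = _FlowVisitor()
    visitor.visit(ast.parse(source))
    return tuple(visitor.ops)

class StandardFlowLibrary:
    """Standard execution flows per key function, learned from safe calls."""
    def __init__(self) -> None:
        self._flows: Dict[str, Set[Flow]] = {}
    def add(self, key_function: str, flow: Flow) -> None:
        self._flows.setdefault(key_function, set()).add(flow)
    def matches(self, key_function: str, flow: Flow) -> bool:
        return flow in self._flows.get(key_function, set())

class FlowMonitor:
    """Hooks a key function: learn safe flows, then check / report / block."""
    def __init__(self, library: StandardFlowLibrary,
                 management_system: Optional[Callable[[str, str, Flow], bool]] = None):
        self.library = library
        self.management_system = management_system  # returns True for "attack"
        self.learning = False                       # True while collecting safe calls

    def hook(self, key_function: Callable) -> Callable:
        name = key_function.__name__
        @functools.wraps(key_function)
        def wrapper(source: str, *args, **kwargs):
            flow = extract_flow(source)
            if self.learning:
                self.library.add(name, flow)
            elif not self.library.matches(name, flow):
                # Unknown flow: block unless the management system clears it.
                if (self.management_system is None
                        or self.management_system(name, source, flow)):
                    raise PermissionError(f"{name}: flow {flow} is not standard")
                self.library.add(name, flow)  # judged benign: learn it
            return key_function(source, *args, **kwargs)
        return wrapper

# Constructed inputs for the run below.
SAFE_TEMPLATES = ["out = 'Hello ' + str(name)", "out = str(len(items))"]
ATTACK_TEMPLATE = "out = __import__('os').system('id')"
NEW_BENIGN_TEMPLATE = "out = ' '.join(names)"  # unseen, but harmless

def _management_system(key_function: str, source: str, flow: Flow) -> bool:
    # Stand-in verdict: any import, or any call ending in 'system', is an attack.
    return any(op.startswith("import:") or op.endswith("system") for op in flow)

def demo() -> dict:
    library = StandardFlowLibrary()
    monitor = FlowMonitor(library, _management_system)
    hooked = monitor.hook(render_template)
    monitor.learning = True  # phase 1: safe calls build the library
    for src in SAFE_TEMPLATES:
        hooked(src, {"name": "alice", "items": [1, 2, 3]})
    monitor.learning = False
    out = {"safe": hooked(SAFE_TEMPLATES[1], {"items": [1, 2, 3]})}
    try:  # phase 2: a flow the library has never seen and the verdict rejects
        hooked(ATTACK_TEMPLATE, {})
        out["attack_blocked"] = False
    except PermissionError:
        out["attack_blocked"] = True
    # phase 3: an unseen but benign flow is reported, cleared, executed, learned
    out["new_flow"] = hooked(NEW_BENIGN_TEMPLATE, {"names": ["a", "b"]})
    out["learned"] = library.matches("render_template", extract_flow(NEW_BENIGN_TEMPLATE))
    return out

if __name__ == "__main__":
    print(demo())
```

The flow is a tuple of operation names, so comparison with the library is an exact set lookup, which is the "consistent / inconsistent" test of the method. A production hook on a real interpreter (a PHP `unserialize` or `eval` hook, for instance) would extract the flow from the interpreter's own opcode or call sequence rather than from a Python AST, but the learn, compare, report and block stages are the same.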
The embodiment of the invention provides the following technical scheme:
1. A method for detecting a website application vulnerability attack, comprising:
monitoring an interpreter corresponding to a target website application, and capturing, through a hook function, the code to be executed by a key function from the interpreter;
parsing the code to be executed to obtain the flow to be executed corresponding to the code to be executed;
and determining, from the standard execution flow corresponding to the key function and the flow to be executed, whether the code to be executed is execution code of vulnerability attack behaviour.
2. The method of 1, wherein before monitoring the interpreter corresponding to the target website application, the method further comprises:
making at least one safe call to the key function;
collecting, by monitoring the interpreter, the safe execution code corresponding to the safe call;
and analysing the standard execution flow of the safe call from the safe execution code, and adding that standard execution flow to a standard execution flow library.
3. The method of 2, wherein after parsing the code to be executed to obtain the flow to be executed corresponding to the code to be executed, the method further comprises:
obtaining the standard execution flow corresponding to the key function from the standard execution flow library.
4. The method of 2 or 3, wherein parsing the code to be executed to obtain the flow to be executed corresponding to the code to be executed specifically comprises:
extracting the operation behaviours from the code to be executed in order, from front to back, to obtain the flow to be executed.
5. The method of 4, wherein determining, from the standard execution flow corresponding to the key function and the flow to be executed, whether the code to be executed is execution code of vulnerability attack behaviour specifically comprises:
if the flow to be executed is inconsistent with the standard execution flow, determining that the code to be executed has vulnerability attack behaviour, and preventing the code to be executed from being executed;
and if the flow to be executed is consistent with the standard execution flow, determining that the code to be executed has no vulnerability attack behaviour, and executing the code to be executed.
6. The method of 5, wherein determining that the code to be executed has vulnerability attack behaviour and preventing the code to be executed from being executed specifically comprises:
reporting the code to be executed to a security management system, so that the security management system generates and feeds back a determination result for the code to be executed;
if the received determination result indicates that the code to be executed has vulnerability attack behaviour, preventing the code to be executed from being executed;
and if the received determination result indicates that the code to be executed has no vulnerability attack behaviour, executing the code to be executed and adding the flow to be executed corresponding to the code to be executed to the standard execution flow library.
7. An apparatus for detecting a website application vulnerability attack, comprising:
a monitoring module, configured to monitor an interpreter corresponding to a target website application and capture, through a hook function, the code to be executed by a key function from the interpreter;
a code parsing module, configured to parse the code to be executed to obtain the flow to be executed corresponding to the code to be executed;
and a vulnerability detection module, configured to determine, from the standard execution flow corresponding to the key function and the flow to be executed, whether the code to be executed is execution code of vulnerability attack behaviour.
8. The apparatus of 7, further comprising:
a safe-call module, configured to make at least one safe call to the key function before the interpreter corresponding to the target website application is monitored;
a safe-code collection module, configured to collect, by monitoring the interpreter, the safe execution code corresponding to the safe call;
and a standard library building module, configured to analyse the standard execution flow of the safe call from the safe execution code and add that standard execution flow to a standard execution flow library.
9. The apparatus of 8, further comprising:
a standard execution flow acquisition module, configured to obtain, after the code to be executed has been parsed into the flow to be executed corresponding to it, the standard execution flow corresponding to the key function from the standard execution flow library.
10. The apparatus of 8 or 9, wherein the code parsing module is specifically configured to:
extract the operation behaviours from the code to be executed in order, from front to back, to obtain the flow to be executed.
11. The apparatus of 10, wherein the vulnerability detection module specifically comprises:
an intercepting unit, configured to determine, if the flow to be executed is inconsistent with the standard execution flow, that the code to be executed has vulnerability attack behaviour, and to prevent the code to be executed from being executed;
and an execution unit, configured to determine, if the flow to be executed is consistent with the standard execution flow, that the code to be executed has no vulnerability attack behaviour, and to execute the code to be executed.
12. The apparatus of 11, wherein the intercepting unit specifically comprises:
a reporting subunit, configured to report the code to be executed to a security management system, so that the security management system generates and feeds back a determination result for the code to be executed;
an intercepting subunit, configured to prevent the code to be executed from being executed if the received determination result indicates that the code to be executed has vulnerability attack behaviour;
and an execution subunit, configured to execute the code to be executed if the received determination result indicates that the code to be executed has no vulnerability attack behaviour, and to add the flow to be executed corresponding to the code to be executed to the standard execution flow library.
13. A storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for detecting a website application vulnerability attack of any one of 1 to 6.
14. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor, wherein the processor, when executing the program, implements the method for detecting a website application vulnerability attack of any one of 1 to 6.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario, and that the blocks or flow diagrams in the figures are not necessarily required to practise the present application. Those skilled in the art will also appreciate that the modules of the apparatus in the implementation scenario may be distributed across the apparatus as described, or, with corresponding changes, located in one or more devices different from those of the present implementation scenario. The modules of the implementation scenario may be combined into one module or further split into a plurality of sub-modules.
The serial numbers of the implementation scenarios above are for description only and do not indicate their relative merit. The above disclosure covers only a few specific implementation scenarios of the present application; the application is not limited to them, and any variation that those skilled in the art can conceive is intended to fall within its scope.

Claims (10)

1. A method for detecting a website application vulnerability attack, characterised by comprising:
monitoring an interpreter corresponding to a target website application, and capturing, through a hook function, the code to be executed by a key function from the interpreter;
parsing the code to be executed to obtain the flow to be executed corresponding to the code to be executed;
and determining, from the standard execution flow corresponding to the key function and the flow to be executed, whether the code to be executed is execution code of vulnerability attack behaviour.
2. The method of claim 1, wherein before monitoring the interpreter corresponding to the target website application, the method further comprises:
making at least one safe call to the key function;
collecting, by monitoring the interpreter, the safe execution code corresponding to the safe call;
and analysing the standard execution flow of the safe call from the safe execution code, and adding that standard execution flow to a standard execution flow library.
3. The method of claim 2, wherein after parsing the code to be executed to obtain the flow to be executed corresponding to the code to be executed, the method further comprises:
obtaining the standard execution flow corresponding to the key function from the standard execution flow library.
4. The method of claim 2 or 3, wherein parsing the code to be executed to obtain the flow to be executed corresponding to the code to be executed specifically comprises:
extracting the operation behaviours from the code to be executed in order, from front to back, to obtain the flow to be executed.
5. The method of claim 4, wherein determining, from the standard execution flow corresponding to the key function and the flow to be executed, whether the code to be executed is execution code of vulnerability attack behaviour specifically comprises:
if the flow to be executed is inconsistent with the standard execution flow, determining that the code to be executed has vulnerability attack behaviour, and preventing the code to be executed from being executed;
and if the flow to be executed is consistent with the standard execution flow, determining that the code to be executed has no vulnerability attack behaviour, and executing the code to be executed.
6. The method of claim 5, wherein determining that the code to be executed has vulnerability attack behaviour and preventing the code to be executed from being executed specifically comprises:
reporting the code to be executed to a security management system, so that the security management system generates and feeds back a determination result for the code to be executed;
if the received determination result indicates that the code to be executed has vulnerability attack behaviour, preventing the code to be executed from being executed;
and if the received determination result indicates that the code to be executed has no vulnerability attack behaviour, executing the code to be executed and adding the flow to be executed corresponding to the code to be executed to the standard execution flow library.
7. An apparatus for detecting a website application vulnerability attack, characterised by comprising:
a monitoring module, configured to monitor an interpreter corresponding to a target website application and capture, through a hook function, the code to be executed by a key function from the interpreter;
a code parsing module, configured to parse the code to be executed to obtain the flow to be executed corresponding to the code to be executed;
and a vulnerability detection module, configured to determine, from the standard execution flow corresponding to the key function and the flow to be executed, whether the code to be executed is execution code of vulnerability attack behaviour.
8. The apparatus of claim 7, further comprising:
a safe-call module, configured to make at least one safe call to the key function before the interpreter corresponding to the target website application is monitored;
a safe-code collection module, configured to collect, by monitoring the interpreter, the safe execution code corresponding to the safe call;
and a standard library building module, configured to analyse the standard execution flow of the safe call from the safe execution code and add that standard execution flow to a standard execution flow library.
9. A storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for detecting a website application vulnerability attack of any one of claims 1 to 6.
10. A computer device comprising a storage medium, a processor, and a computer program stored on the storage medium and runnable on the processor, wherein the processor, when executing the program, implements the method for detecting a website application vulnerability attack of any one of claims 1 to 6.
CN201910755467.XA 2019-08-15 2019-08-15 Method and device for detecting website application vulnerability attack and storage medium Pending CN112395597A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755467.XA CN112395597A (en) 2019-08-15 2019-08-15 Method and device for detecting website application vulnerability attack and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910755467.XA CN112395597A (en) 2019-08-15 2019-08-15 Method and device for detecting website application vulnerability attack and storage medium

Publications (1)

Publication Number Publication Date
CN112395597A (en) 2021-02-23

Family

ID=74601847

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910755467.XA Pending CN112395597A (en) 2019-08-15 2019-08-15 Method and device for detecting website application vulnerability attack and storage medium

Country Status (1)

Country Link
CN (1) CN112395597A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100005528A1 (en) * 2008-07-02 2010-01-07 Check Point Software Technologies, Ltd. Methods for hooking applications to monitor and prevent execution of security-sensitive operations
US20120233692A1 (en) * 2009-11-03 2012-09-13 Ahnlab., Inc. Apparatus and method for detecting malicious sites
CN102780684A (en) * 2011-05-12 2012-11-14 同济大学 XSS defensive system
CN102916937A (en) * 2012-09-11 2013-02-06 北京奇虎科技有限公司 Method and device for intercepting web attacks, and customer premise equipment
CN103699480A (en) * 2013-11-29 2014-04-02 杭州安恒信息技术有限公司 WEB dynamic security flaw detection method based on JAVA
CN105303073A (en) * 2015-11-26 2016-02-03 北京深思数盾科技有限公司 Protecting method for software codes
CN106101145A (en) * 2016-08-10 2016-11-09 北京神州绿盟信息安全科技股份有限公司 A kind of website vulnerability detection method and device
CN107483510A (en) * 2017-10-09 2017-12-15 杭州安恒信息技术有限公司 A kind of method and device of raising Web application layer attack Detection accuracies
US20190180036A1 (en) * 2017-12-13 2019-06-13 Jayant Shukla Deterministic method for detecting and blocking of exploits on interpreted code

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
童瀛 (Tong Ying) et al., "Malicious code behaviour detection method based on sandbox technology", Journal of Xi'an University of Posts and Telecommunications (西安邮电大学学报), no. 05 *
陈震杭 (Chen Zhenhang) et al., "Research on a detection and interception system for unknown PHP deserialization vulnerability exploitation", Netinfo Security (信息网络安全), no. 04 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113407417A (en) * 2021-07-14 2021-09-17 广州博冠信息科技有限公司 Method, apparatus, medium, and device for capturing and receiving abnormality
CN113946869A (en) * 2021-11-02 2022-01-18 深圳致星科技有限公司 Internal security attack detection method and device for federal learning and privacy calculation
CN115080061A (en) * 2022-06-28 2022-09-20 中国电信股份有限公司 Anti-serialization attack detection method, device, electronic equipment and medium
CN115080061B (en) * 2022-06-28 2023-09-29 中国电信股份有限公司 Anti-serialization attack detection method and device, electronic equipment and medium
CN116467221A (en) * 2023-06-16 2023-07-21 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment
CN116467221B (en) * 2023-06-16 2024-04-02 荣耀终端有限公司 Pile inserting method and system based on interpreter and related electronic equipment
CN116628694A (en) * 2023-07-25 2023-08-22 杭州海康威视数字技术股份有限公司 Anti-serialization 0day security risk defense method, device and equipment
CN116628694B (en) * 2023-07-25 2023-11-21 杭州海康威视数字技术股份有限公司 Anti-serialization 0day security risk defense method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination