CN112632561A - Web application vulnerability detection method and related device - Google Patents

Info

Publication number
CN112632561A
Authority
CN
China
Prior art keywords
point
web application
http request
indicated
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011576182.9A
Other languages
Chinese (zh)
Inventor
董志勇
邬迪
卢中阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Keynote Network Inc
Original Assignee
Beijing Safety Consensus Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Safety Consensus Technology Co ltd
Priority to CN202011576182.9A
Publication of CN112632561A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a method and a related device for detecting web application vulnerabilities. The method, applied to a server side, comprises the following steps: receiving the method set of an http request, where the method set is the set of target methods among the methods that trigger hook points while the web application responds to the http request, and a target method is a method in a chain that starts from the method triggering the source point and in which the output data of each method is the input data of the next method; determining a method call graph of the method set of the http request; and determining that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph. Vulnerability detection of the web application is thus performed on the server side, based on the method call graph and a vulnerability detection strategy. Because the server-side detection logic is the same for web applications written in different languages, the high development cost of writing separate detection logic in each language for web applications developed in different languages is avoided.

Description

Web application vulnerability detection method and related device
Technical Field
The present application relates to the field of vulnerability detection processing, and in particular, to a method and a related apparatus for detecting a vulnerability of a web application.
Background
With the development of technologies such as the internet, 5G and cloud, the interconnection of everything formed by the internet of vehicles and the internet of things will become mainstream, and massive numbers of web applications will appear in it, collecting and storing different kinds of data; the security of the web applications that process this data (whether a vulnerability exists) will therefore receive renewed attention.
At present, vulnerability detection logic for a web application can be developed in the web middleware that runs the web application, but this approach has a high development cost.
Disclosure of Invention
The application provides a method and a related device for detecting a vulnerability in a web application, and aims to provide a vulnerability detection scheme of the web application.
In order to achieve the above object, the present application provides the following technical solutions:
The application provides a method for detecting web application vulnerabilities, which is applied to a server and comprises the following steps:
receiving the method set of an http request; the http request method set is the set of target methods among the methods that trigger hook points while the web application responds to the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of each method is the input data of the next method;
determining a method call graph of the method set of the http request;
determining that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph; the preset condition includes: the chain contains a method indicated by a source point and a method indicated by a sink point, and no method indicated by a filter point is passed between them.
Optionally, the preset condition is obtained by reading a preset condition configured in advance and/or by receiving the preset condition from the outside.
Optionally, determining the method call graph of the http request method set includes:
sorting the methods in the method set according to their calling sequence to obtain a sorted method set;
determining, from the sorted method set, all paths from a method triggering a source point to a method triggering a sink point;
when all adjacent methods in any path satisfy the condition that the output data of the former method is the input data of the latter method, taking the method sequence indicated by the path as a method call chain;
and generating the method call graph of the http request according to the method call chains.
The application also provides a method for detecting web application vulnerabilities, which is applied to web middleware and comprises the following steps:
loading preset hook points; the preset hook points comprise: a source point, a propagate point, a filter point and a sink point;
inserting preset taint collection code at the positions of the methods indicated by the preset hook points in the code of the middleware and the Java web application;
inserting the taint collection code at the positions of the methods indicated by non-preset hook points in the user classes of the web application code;
after the web application is started, determining, according to the taint data acquired by the taint collection code while the web application responds to an http request, the target methods among the methods that trigger hook points during that response, so as to obtain the method set of the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of each method is the input data of the next method;
and sending the http request method set to a server.
The application also provides a device for detecting web application vulnerabilities, which is applied to a server and comprises:
a receiving module, used to receive the method set of an http request; the http request method set is the set of target methods among the methods that trigger hook points while the web application responds to the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of each method is the input data of the next method;
a first determining module, used to determine a method call graph of the http request method set;
a second determining module, used to determine that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph; the preset condition includes: the chain contains a method indicated by a source point and a method indicated by a sink point, and no method indicated by a filter point is passed between them.
Optionally, the preset condition is obtained by reading a preset condition configured in advance and/or by receiving the preset condition from the outside.
Optionally, the first determining module, in determining the method call graph of the http request method set,
is specifically configured to sort the methods in the method set according to their calling sequence to obtain a sorted method set; determine, from the sorted method set, all paths from a method triggering a source point to a method triggering a sink point; when all adjacent methods in any path satisfy the condition that the output data of the former method is the input data of the latter method, take the method sequence indicated by the path as a method call chain; and generate the method call graph of the http request according to the method call chains.
The application also provides a device for detecting web application vulnerabilities, which is applied to web middleware and comprises:
a loading module, used to load preset hook points; the preset hook points comprise: a source point, a propagate point, a filter point and a sink point;
a first inserting module, used to insert preset taint collection code at the positions of the methods indicated by the preset hook points in the code of the middleware and the Java web application;
a second inserting module, used to insert the taint collection code at the positions of the methods indicated by non-preset hook points in the user classes of the web application code;
a third determining module, used to determine, after the web application is started and according to the taint data acquired by the taint collection code while the web application responds to an http request, the target methods among the methods that trigger hook points during that response, so as to obtain the method set of the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of each method is the input data of the next method;
and a sending module, used to send the http request method set to a server.
The application also provides a storage medium, which comprises a stored program; when executed, the program performs any of the above web application vulnerability detection methods performed by the server.
The application also provides a device comprising at least one processor, at least one memory connected to the processor, and a bus; the processor and the memory communicate with each other through the bus; the processor is used to call the program instructions in the memory so as to execute the web application vulnerability detection method performed by the server side.
In the web application vulnerability detection method and related device of the application, the web middleware only needs to provide the method set of the http request; the server side determines the method call graph from that method set and judges according to the method call graph whether the web application has a vulnerability, thereby realizing vulnerability detection of the web application.
In addition, in the application the vulnerability detection is carried out on the server side, and because the detection logic applied to the method set at the server side is the same for web applications written in different languages, vulnerability detection for web applications developed in different languages can be realized by developing the detection logic in only one language at the server side, which solves the problem of high development cost caused by having to develop detection logic in different languages for web applications developed in different languages.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for detecting a web application vulnerability disclosed in an embodiment of the present application;
Fig. 2 is a process diagram for determining the method set of an http request disclosed in an embodiment of the present application;
Fig. 3 is an exemplary diagram of a method call graph disclosed in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an apparatus for detecting a web application vulnerability disclosed in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of another apparatus for detecting a web application vulnerability disclosed in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 shows a method for detecting a web application vulnerability, which may include the following steps:
S101, the web middleware loads preset hook points.
In this embodiment, the web middleware refers to Java web middleware; when the Java Virtual Machine (JVM) is started, the Java web middleware loads hook points defined in advance, that is, it loads the preset hook points. In this embodiment, the preset hook points may include: a source point, a propagate point, a filter point and a sink point.
The source point refers to: methods in the web application and middleware that obtain external data. The source point may indicate many methods; any method qualifies as long as it acquires external data.
The propagate point refers to: methods in the web application and middleware that process data. The propagate point may indicate many methods; any method qualifies as long as it processes data.
The filter point refers to: methods in the web application and middleware that filter and check data. The filter point may indicate many methods; any method qualifies as long as it filters and checks data.
The sink point refers to: methods in the web application and middleware that trigger dangerous operations. The sink point may indicate many methods, for example a method that executes an operating system command or a method that executes an SQL query.
It should be noted that, in the definitions of source point, propagate point, filter point and sink point, the web application refers to a Java web application.
In an embodiment of the present application, the Java web application includes user-written application code and a Java framework.
S102, when the web application is started, the web middleware inserts preset taint collection code at the positions of the methods indicated by the preset hook points in the code of the middleware and the Java web application.
In this embodiment, since a preset hook point may indicate multiple methods, in this step preset taint collection code is inserted at the position of every method indicated by a preset hook point in the code of the middleware and the Java web application; that is, wherever a method indicated by a preset hook point appears in that code, taint collection code is inserted at the position of the method.
In this step, the taint collection code is used to collect taint data. Taint data refers to: in a web application, all data that comes from external input, such as HTTP request headers, request bodies, files and message queues.
S103, the web middleware identifies the user classes in the web application code.
In this step, the user classes in the web application code are identified.
S104, the web middleware inserts taint collection code at the positions of the methods indicated by non-preset hook points in the user classes of the web application code.
In this embodiment, a user class in the web application code may include many methods. A non-preset hook point refers to the methods of the user class other than those indicated by the preset hook points.
In this step, taint collection code is inserted at the position of every method indicated by a non-preset hook point in the user classes; that is, in this step only the methods of the user class indicated by non-preset hook points receive taint collection code. The taint collection code is used to acquire taint data.
S105, the web middleware determines, according to the taint data acquired by the taint collection code while the web application responds to an http request, the target methods among the methods that trigger hook points during that response, and obtains the method set of the http request.
In practice, if there are multiple http requests, a method set is determined for each of them, and the principle is the same for every request. For convenience of description, this embodiment takes the process of the web application responding to one http request as the example for determining the method set of that request.
In this embodiment, while the web application responds to the request, a number of methods are executed; when any executed method is one of the methods indicated by some hook point, it is called a method triggering that hook point. Thus, several methods may trigger hook points while one request is being responded to.
During the request response, the steps of the embodiment corresponding to Fig. 2 are executed for each method that currently triggers a hook point, so as to obtain the method set of the http request.
In this embodiment, a target method refers to: a method in a chain that starts from the method indicated by the source point and in which the output data of each method is the input data of the next method.
For example, while responding to the http request, the output data of the first executed method, which triggers the source point, is the input data of a second method triggering a hook point; the output data of that second method is the input data of a third method triggering a hook point, and so on; the methods connected in series in this chain are the methods of the http request. In practice, several such chains of serially connected methods may occur while responding to one http request, and this embodiment calls the set of all methods connected into such chains the method set of the http request.
S106, the web middleware sends the http request method set to the server.
S107, the server side determines the method call graph of the http request method set.
In this step, determining the method call graph corresponding to the http request method set may specifically include the following steps A1 to A5:
A1, sorting the methods in the method set according to their calling sequence to obtain a sorted method set.
In this embodiment, the http request method set stores methods starting from the method triggering the source point, with the output data of each method being the input data of the next. In practice, however, because the http request is responded to by multiple threads, the methods in the method set are found to be out of order, that is, not stored according to their calling order; therefore this step is needed.
In this embodiment, each method in the method set carries a number that characterizes its calling order: the smaller the number, the earlier the method was called. In this step the methods in the method set may therefore be sorted by this call number. For convenience of description, the result is called the sorted method set.
A2, determining, from the sorted method set, all paths from a method triggering a source point to a method triggering a sink point.
As an example, in this step the depth-first and breadth-first graph search algorithms may be used to find all paths from methods triggering source points to methods triggering sink points.
A3, judging, for each path, whether all adjacent methods satisfy the condition that the output data of the former method is the input data of the latter method, and if so, executing step A4.
In this step, all adjacent methods in each path are judged respectively. Taking any pair of adjacent methods as an example, it is judged whether the output data of the former method is the input data of the latter method. A value matching algorithm may be used for this judgement, as follows: for Java basic types, directly judge whether the memory addresses are the same; for Java collection types, judge whether the memory addresses are the same, then take the collection apart into single data nodes and run the value matching algorithm again on them; for user-defined reference types in Java, directly call the equals method to judge whether the references are the same.
A4, taking the method order indicated by the path as a method call chain.
When all adjacent methods in a path satisfy the condition that the output data of the former method is the input data of the latter method, this step is performed.
In this step, the method order indicated by the path is taken as a method call chain.
In this step there may be multiple method call chains.
A5, generating the method call graph according to the method call chains.
In this step, if there are multiple method call chains, they are used together to generate one method call graph.
To visually demonstrate the relationship between method call chains and the method call graph, the graph shown in Fig. 3 is given. Each ellipse in Fig. 3 represents a method: "getParameter", "decode", "put" and "exec" are each a method. The arrows between methods indicate the direction of the method call, and the label "id" next to each arrow represents the taint data; for example, "id" is the output data of "getParameter".
In Fig. 3, "getParameter" to "decode" to "put" is one method call chain, and "getParameter" to "decode" to "exec" is another. The two chains are joined at "decode" to form the method call graph shown in Fig. 3.
S108, the server side determines that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph.
In this embodiment, the preset condition may include: the chain contains a method indicated by a source point and a method indicated by a sink point, and no method indicated by a filter point is passed between them.
In this embodiment, the source point may indicate several methods, for example A1, A2 and A3; the sink point may also indicate several methods, for example B1, B2, B3 and B4; and the filter point may also indicate several methods, for example C1, C2, C3, C4 and C5.
In this step, the detection policy indicated by the preset condition may be: A1 and B1 are included, but C1 is not included between A1 and B1. It may also be: A1 and B1 are included, but C2 is not included between A1 and B1. Of course, the detection policy indicated by the preset condition may be something else, as long as it requires a method indicated by a source point and a method indicated by a sink point with no method indicated by a filter point passed between them.
Optionally, in this embodiment, the detection policy indicated by the preset condition may be configured in advance at the server. Since detection policies are conceived by humans, the policies configured in advance at the server are limited and may not be comprehensive, that is, they may not cover vulnerability detection in all scenarios.
To make vulnerability detection applicable to all scenarios, in this embodiment the detection policy indicated by the preset condition may also be received from the outside, in addition to being configured in advance; the received detection policy may be determined by the user.
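The server-side steps A1 to A5 and the preset condition of S108, worked through in Python on the Fig. 3 method names as an added example (not code from the patent): the method set arrives out of call order, call chains are built by following the data flow from a source-triggering method, and a constructed policy flags the chain that reaches "exec" without passing a filter method. The data values, the "sanitize" filter method, the `Policy` type and the use of equality in place of Java memory-address comparison are assumptions of this example.

```python
"""Server-side analysis of one http request's method set (added example, not the patent's code).
Steps A1 to A5 of S107 and the preset condition of S108, run on the Fig. 3 method names."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Iterable

SOURCE, PROPAGATE, FILTER, SINK = "source", "propagate", "filter", "sink"


@dataclass(frozen=True)
class MethodRecord:
    call_no: int    # number characterising the call order (smaller = called earlier)
    name: str
    hook: str       # hook point this method triggered
    inputs: tuple   # input data seen by the taint collection code
    output: Any     # output data


@dataclass(frozen=True)
class Policy:
    """Preset condition (constructed type): a source method and a sink method with no filter method between."""
    sources: frozenset
    sinks: frozenset
    filters: frozenset


def value_matches(out: Any, inp: Any) -> bool:
    """A3 value matching: collections are taken apart into single nodes and matched again;
    scalars are compared directly (the patent compares Java memory addresses; equality is used here)."""
    if isinstance(inp, (list, tuple, set, frozenset)):
        return any(value_matches(out, item) for item in inp)
    if isinstance(out, (list, tuple, set, frozenset)):
        return any(value_matches(item, inp) for item in out)
    return out is not None and out == inp


def flows_into(prev: MethodRecord, nxt: MethodRecord) -> bool:
    """Adjacent-method condition: the output data of the former is input data of the latter."""
    return any(value_matches(prev.output, i) for i in nxt.inputs)


def build_call_chains(method_set: Iterable[MethodRecord]) -> list[list[MethodRecord]]:
    ordered = sorted(method_set, key=lambda m: m.call_no)   # A1: multi-threading delivers them out of order
    chains = []

    def extend(path):
        # A2/A3: depth-first search from a source-triggering method; a later-called method may
        # follow only if the data flows into it. A path that cannot grow further is a call chain (A4).
        grown = False
        for m in ordered:
            if m.call_no > path[-1].call_no and flows_into(path[-1], m):
                grown = True
                extend(path + [m])
        if not grown:
            chains.append(path)

    for m in ordered:
        if m.hook == SOURCE:
            extend([m])
    return chains


def build_call_graph(chains: list[list[MethodRecord]]) -> set[tuple[str, str]]:
    """A5: merge all call chains into one graph, kept as a set of directed edges."""
    return {(a.name, b.name) for chain in chains for a, b in zip(chain, chain[1:])}


def chain_matches_policy(chain: list[MethodRecord], policy: Policy) -> bool:
    """S108 preset condition on one chain: a source method, later a sink method, no filter method between."""
    names = [m.name for m in chain]
    for i, name in enumerate(names):
        if name not in policy.sources:
            continue
        for j in range(i + 1, len(names)):
            if names[j] in policy.sinks and not any(f in policy.filters for f in names[i + 1:j]):
                return True
    return False


def detect(method_set: Iterable[MethodRecord], policies: list[Policy]) -> list[list[str]]:
    """Chains (as name lists) meeting any policy; a non-empty result means the application is vulnerable."""
    return [[m.name for m in chain] for chain in build_call_chains(method_set)
            if any(chain_matches_policy(chain, p) for p in policies)]


# Constructed method set for Fig. 3, listed out of call order as a multi-threaded response may deliver it.
FIG3_METHOD_SET = [
    MethodRecord(4, "exec", SINK, ("id=7",), None),
    MethodRecord(1, "getParameter", SOURCE, ("id",), "id%3D7"),
    MethodRecord(3, "put", PROPAGATE, ("id", "id=7"), None),
    MethodRecord(2, "decode", PROPAGATE, ("id%3D7",), "id=7"),
]
# Same request with a constructed filter method "sanitize" between decode and exec.
FILTERED_METHOD_SET = [
    MethodRecord(1, "getParameter", SOURCE, ("id",), "id%3D7"),
    MethodRecord(2, "decode", PROPAGATE, ("id%3D7",), "id=7"),
    MethodRecord(3, "sanitize", FILTER, ("id=7",), "id7"),
    MethodRecord(4, "exec", SINK, ("id7",), None),
]
POLICIES = [Policy(frozenset({"getParameter"}), frozenset({"exec"}), frozenset({"sanitize"}))]

if __name__ == "__main__":
    print(sorted(build_call_graph(build_call_chains(FIG3_METHOD_SET))))
    print(detect(FIG3_METHOD_SET, POLICIES))      # [['getParameter', 'decode', 'exec']]
    print(detect(FILTERED_METHOD_SET, POLICIES))  # []
```

The "put" chain is kept although it ends in a propagate method, which reproduces the two chains and three edges of Fig. 3; only the chain ending in "exec" meets the policy.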
Fig. 2 shows a process for determining the method set of an http request according to an embodiment of the present application, which may include the following steps:
S201, while the web application responds to the request, loading the method that currently triggers a hook point.
In this step, the method that currently triggers a hook point is loaded.
S202, judging whether the currently triggered hook point is the hook point that represents the end of the request response; if not, executing S203, and if so, executing S211.
S203, judging whether the http request has already been received or is currently being entered; if so, executing S204, and if not, executing S205.
S204, judging whether the http request has been received; if so, executing S205, and if not, executing S206.
S205, marking the incoming http request.
After this step is executed, step S206 is executed.
S206, judging whether the method currently triggering the hook point is a method indicated by the source point; if so, executing S207, and if not, executing S209.
S207, saving the output data of the method currently triggering the hook point as taint data, and saving this method as one method in the http request method set.
S208, marking the entry into the source point.
After this step is executed, the process returns to step S201.
S209, judging whether the data input point of the method currently triggering the hook point has already been saved as taint data; if so, executing S210, and if not, executing S201.
In this step, if the data input point of the method currently triggering the hook point has already been saved as taint data, the method belongs to a chain that starts from the method triggering the source point and in which the output data of each method is the input data of the next; that is, it is one of the methods triggered in sequence from the method triggering the source point, and therefore one of the methods required in the http request method set.
If the data input point of the method currently triggering the hook point has not been saved as taint data, the method is not one of the http request method set, so step S201 is executed, that is, the process waits for the next method triggering a hook point.
S210, saving the method currently triggering the hook point as one method in the http request method set.
After this step is performed, step S201 is performed, that is, the process waits for the next method triggering a hook point.
S211, sending the http request method set to the server.
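The Fig. 2 flow (S201 to S211) as an added Python example, not the patent's middleware code: the hook events of one request are fed in execution order, a source method is recorded with its output saved as taint data (S207), and any other method is recorded only if one of its inputs is already taint data (S209/S210). The event format, the `request_end` marker, the per-method call number, and the assumption that a recorded method's output is also kept as taint data (so chains longer than two methods can be followed) are constructed for this example.

```python
"""Middleware-side collection of one http request's method set, following the Fig. 2 flow.
Added example, not the patent's code: hook events and the REQUEST_END marker are constructed;
in the patent, the taint collection code inserted at each hook-point method would raise them."""
from dataclasses import dataclass, field
from typing import Any, Optional

REQUEST_END = "request_end"   # hook point representing the end of the request response (S202)


@dataclass(frozen=True)
class HookEvent:
    method: str
    hook: str            # "source", "propagate", "filter", "sink" or REQUEST_END
    inputs: tuple = ()   # input data of the method
    output: Any = None   # output data of the method


@dataclass
class RequestCollector:
    request_marked: bool = False     # S205: incoming http request marked
    source_entered: bool = False     # S208: entry into the source point marked
    taint: list = field(default_factory=list)        # data saved as taint data
    method_set: list = field(default_factory=list)   # (call_no, method, hook, inputs, output)
    call_no: int = 0                 # number characterising the call order, sorted by A1 on the server

    def is_tainted(self, value: Any) -> bool:
        """S209 check: is this input data already saved as taint data? Collections are taken apart."""
        if isinstance(value, (list, tuple, set, frozenset)):
            return any(self.is_tainted(v) for v in value)
        return value is not None and any(value == t for t in self.taint)

    def on_hook(self, ev: HookEvent) -> Optional[list]:
        """S201: the method currently triggering a hook point is loaded.
        Returns the finished method set at S211, otherwise None (back to S201)."""
        if ev.hook == REQUEST_END:               # S202: end of the request response
            return list(self.method_set)         # S211: handed to the sender (network send omitted)
        if not self.request_marked:              # S203/S204: request not yet received or entered
            self.request_marked = True           # S205: mark the incoming request
        self.call_no += 1
        record = (self.call_no, ev.method, ev.hook, ev.inputs, ev.output)
        if ev.hook == "source":                  # S206
            if ev.output is not None:
                self.taint.append(ev.output)     # S207: output data becomes taint data ...
            self.method_set.append(record)       # ... and the method joins the method set
            self.source_entered = True           # S208
            return None
        if any(self.is_tainted(i) for i in ev.inputs):   # S209: input already saved as taint?
            self.method_set.append(record)       # S210
            if ev.output is not None:
                # Assumption of this example: keep the output as taint so a later method that
                # consumes it (e.g. decode -> exec) is also recognised at S209.
                self.taint.append(ev.output)
        return None


def collect_method_set(events) -> list:
    """Run the Fig. 2 loop over the hook events of one http request."""
    collector = RequestCollector()
    for ev in events:
        result = collector.on_hook(ev)
        if result is not None:
            return result
    raise ValueError("request response did not end")


def method_names(method_set) -> list:
    return [rec[1] for rec in method_set]


# Constructed hook events of one request, in execution order.
SAMPLE_EVENTS = [
    HookEvent("getParameter", "source", ("id",), "id%3D7"),
    HookEvent("decode", "propagate", ("id%3D7",), "id=7"),
    HookEvent("put", "propagate", ("id", "id=7"), None),
    HookEvent("length", "propagate", ("unrelated",), 9),   # input never tainted: not recorded
    HookEvent("exec", "sink", ("id=7",), None),
    HookEvent("end", REQUEST_END),
]

if __name__ == "__main__":
    ms = collect_method_set(SAMPLE_EVENTS)
    print(method_names(ms))           # ['getParameter', 'decode', 'put', 'exec']
    print([rec[0] for rec in ms])     # [1, 2, 3, 5]
```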
Fig. 4 is a device for detecting a web application vulnerability, which may include: the method is applied to the server side and can comprise the following steps: a receiving module 401, a first determining module 402 and a second determining module 403, wherein,
a receiving module 401, configured to receive a method set of http requests; the http request method set refers to: a set formed by target methods in the method for triggering the hook point in the process that the web application responds to the http request; the target method is as follows: starting from the method of the source point, and the output data of the previous method is the method of the input data of the next method;
a first determining module 402, configured to determine a method call graph of the http request;
a second determining module 403, configured to determine that a vulnerability exists in the web application when a call chain that meets a preset condition exists in the method call graph; the preset conditions include: any method indicated by a source point and any method indicated by a sink point are included, and any method indicated by a filter point is not passed between any method indicated by the source point and any method indicated by the sink point.
Optionally, the preset condition is obtained by reading a preset condition configured in advance and/or by receiving the preset condition from outside.
Optionally, the first determining module 402 determines the method call graph of the http request method set as follows:
the first determining module 402 is specifically configured to sort the methods in the method set by calling sequence to obtain a sorted method set; determine, from the sorted method set, all paths from the method triggering the source point to the method triggering the sink point; for any path in which every pair of adjacent methods satisfies that the output data of the former is the input data of the latter, take the method sequence indicated by that path as a method call chain; and generate the method call graph of the http request from the method call chains.
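The server-side analysis performed by the first determining module 402 (sorting, path enumeration, call chains, call graph) and the preset condition checked by the second determining module 403 are shown together below. This is an added example written for this page, not the patent's implementation; the method names in PRESET_CONDITION, the HookedMethod type and the two constructed request method sets are assumptions. The paths are enumerated by a depth-first walk that only steps to a later method whose inputs contain the current method's output, which yields exactly the paths that qualify as call chains.

```python
from dataclasses import dataclass

# Preset condition as the server might load it from configuration.
# Constructed example values; the patent leaves the concrete lists to configuration.
PRESET_CONDITION = {
    "source": {"HttpServletRequest.getParameter"},
    "sink": {"Statement.executeQuery"},
    "filter": {"Encoder.encodeForSQL"},
}


@dataclass(frozen=True)
class HookedMethod:
    """One entry of the http request method set received from the middleware."""
    seq: int          # position in the calling sequence
    name: str
    inputs: tuple     # argument values the middleware observed
    output: object    # return value the middleware observed (None if void)


def role(method, condition=PRESET_CONDITION):
    """Which part of the preset condition a method belongs to, if any."""
    for kind, names in condition.items():
        if method.name in names:
            return kind
    return "other"


def method_call_chains(method_set, condition=PRESET_CONDITION):
    """Sort by calling sequence, then enumerate every path from a source method
    to a sink method in which each method's output is an input of the next.
    Every such path is a method call chain."""
    ordered = sorted(method_set, key=lambda m: m.seq)
    chains = []

    def extend(path):
        last = path[-1]
        if role(last, condition) == "sink":
            chains.append(tuple(path))
            return
        for nxt in ordered:
            if (nxt.seq > last.seq and last.output is not None
                    and last.output in nxt.inputs):
                extend(path + [nxt])

    for m in ordered:
        if role(m, condition) == "source":
            extend([m])
    return chains


def method_call_graph(chains):
    """Collapse the call chains into an adjacency map: the method call graph."""
    graph = {}
    for chain in chains:
        for prev, nxt in zip(chain, chain[1:]):
            graph.setdefault(prev.name, set()).add(nxt.name)
        graph.setdefault(chain[-1].name, set())
    return graph


def vulnerable_chains(chains, condition=PRESET_CONDITION):
    """Apply the preset condition: a chain from source to sink that passes
    through no filter method in between indicates a vulnerability."""
    return [c for c in chains
            if not any(role(m, condition) == "filter" for m in c[1:-1])]


def has_vulnerability(method_set, condition=PRESET_CONDITION):
    chains = method_call_chains(method_set, condition)
    return bool(vulnerable_chains(chains, condition))


# Constructed method sets for two requests. In UNSAFE_REQUEST the raw parameter
# value reaches the query; in SAFE_REQUEST it passes through the filter first.
UNSAFE_REQUEST = [
    HookedMethod(1, "HttpServletRequest.getParameter", ("id",), "7'"),
    HookedMethod(2, "String.concat", ("SELECT * FROM t WHERE id=", "7'"),
                 "SELECT * FROM t WHERE id=7'"),
    HookedMethod(3, "Statement.executeQuery", ("SELECT * FROM t WHERE id=7'",), None),
]
SAFE_REQUEST = [
    HookedMethod(1, "HttpServletRequest.getParameter", ("id",), "7'"),
    HookedMethod(2, "Encoder.encodeForSQL", ("7'",), "7''"),
    HookedMethod(3, "String.concat", ("SELECT * FROM t WHERE id=", "7''"),
                 "SELECT * FROM t WHERE id=7''"),
    HookedMethod(4, "Statement.executeQuery", ("SELECT * FROM t WHERE id=7''",), None),
]

if __name__ == "__main__":
    for label, req in (("unsafe", UNSAFE_REQUEST), ("safe", SAFE_REQUEST)):
        chains = method_call_chains(req)
        print(label, [[m.name for m in c] for c in chains], has_vulnerability(req))
```

Note that the condition is evaluated per chain, not per request: if a request contained both a filtered chain and a second chain that bypasses the filter, the bypassing chain alone would still be reported.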
The web application vulnerability detection device comprises a processor and a memory, wherein the receiving module 401, the first determining module 402, the second determining module 403 and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel fetches the corresponding program unit from the memory. There may be one or more kernels, and the web application vulnerability detection scheme is implemented by adjusting kernel parameters.
The embodiment of the invention provides a storage medium, wherein a program is stored on the storage medium, and the program realizes the vulnerability detection method of the web application when being executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the vulnerability detection method of a web application is executed when the program runs.
Fig. 5 is a schematic diagram of another apparatus for detecting a web application vulnerability, which is applied to web middleware and may include: a loading module 501, a first insertion module 502, a second insertion module 503, a third determination module 504 and a sending module 505, wherein,
the loading module 501 is configured to load the preset hook points; the preset hook points comprise a source point, a propagate point, a filter point and a sink point;
the first inserting module 502 is configured to insert preset taint collection code at the position of the methods indicated by the preset hook points in the code of the middleware or the Java web application;
the second inserting module 503 is configured to insert the taint collection code at the position of the methods indicated by non-preset hook points in the user classes of the web application code;
the third determining module 504 is configured to determine, after the web application starts, the target methods among the methods that trigger hook points while the web application responds to an http request, according to the taint data collected by the taint collection code during that response, so as to obtain the http request method set; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of the previous method is the input data of the next method;
the sending module 505 is configured to send the http request method set to the server.
The web application vulnerability detection device comprises a processor and a memory, wherein the loading module 501, the first inserting module 502, the second inserting module 503, the third determining module 504, the sending module 505 and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel fetches the corresponding program unit from the memory. There may be one or more kernels, and the web application vulnerability detection scheme is implemented by adjusting kernel parameters.
The embodiment of the invention provides a storage medium, wherein a program is stored on the storage medium, and the program realizes the vulnerability detection method of the web application when being executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the vulnerability detection method of a web application is executed when the program runs.
An embodiment of the present invention provides an apparatus, as shown in fig. 6. The apparatus includes at least one processor, and at least one memory and a bus connected to the processor; the processor and the memory communicate with each other through the bus; the processor calls the program instructions in the memory to execute the web application vulnerability detection method described above. The apparatus may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to execute a program that performs the following method steps when run on a data processing device:
receiving the http request method set; the http request method set is the set formed by the target methods among the methods that trigger hook points while the web application responds to the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of the previous method is the input data of the next method;
determining the method call graph of the http request method set;
determining that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph; the preset condition is that the chain contains a method indicated by a source point and a method indicated by a sink point, and that no method indicated by a filter point is passed between the source-point method and the sink-point method.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a device includes one or more processors (CPUs), memory, and a bus. The device may also include input/output interfaces, network interfaces, and the like.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip. The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
The functions described in the method of the embodiments of the present application, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, the part of the embodiments of the present application that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code.
Features described in the embodiments of the present specification may be replaced with or combined with each other, each embodiment is described with a focus on differences from other embodiments, and the same or similar portions among the embodiments may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for detecting web application vulnerabilities, applied to a server side, comprising the following steps:
receiving the http request method set; the http request method set is the set formed by the target methods among the methods that trigger hook points while the web application responds to the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of the previous method is the input data of the next method;
determining the method call graph of the http request method set;
determining that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph; the preset condition is that the chain contains a method indicated by a source point and a method indicated by a sink point, and that no method indicated by a filter point is passed between the source-point method and the sink-point method.
2. The method according to claim 1, wherein the preset condition is obtained by: reading preset conditions configured in advance, and/or receiving the preset conditions from the outside.
3. The method of claim 1, wherein determining the method call graph of the http request method set comprises:
sorting the methods in the method set by calling sequence to obtain a sorted method set;
determining, from the sorted method set, all paths from the method triggering the source point to the method triggering the sink point;
for any path in which every pair of adjacent methods satisfies that the output data of the former is the input data of the latter, taking the method sequence indicated by that path as a method call chain;
and generating the method call graph of the http request from the method call chains.
4. A method for detecting web application vulnerabilities, applied to web middleware, comprising the following steps:
loading preset hook points; the preset hook points comprise a source point, a propagate point, a filter point and a sink point;
inserting preset taint collection code at the position of the methods indicated by the preset hook points in the code of the middleware and the Java web application;
inserting the taint collection code at the position of the methods indicated by non-preset hook points in the user classes of the web application code;
after the web application starts, determining the target methods among the methods that trigger hook points while the web application responds to an http request, according to the taint data collected by the taint collection code during that response, to obtain the http request method set; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of the previous method is the input data of the next method;
and sending the http request method set to a server.
5. A device for detecting web application vulnerabilities, applied to a server side, comprising:
a receiving module, configured to receive the http request method set; the http request method set is the set formed by the target methods among the methods that trigger hook points while the web application responds to the http request; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of the previous method is the input data of the next method;
a first determining module, configured to determine the method call graph of the http request method set;
a second determining module, configured to determine that the web application has a vulnerability when a call chain meeting a preset condition exists in the method call graph; the preset condition is that the chain contains a method indicated by a source point and a method indicated by a sink point, and that no method indicated by a filter point is passed between the source-point method and the sink-point method.
6. The apparatus of claim 5, wherein the preset condition is obtained by: reading preset conditions configured in advance, and/or receiving the preset conditions from the outside.
7. The apparatus of claim 5, wherein the first determining module determines the method call graph of the http request method set as follows:
the first determining module is specifically configured to sort the methods in the method set by calling sequence to obtain a sorted method set; determine, from the sorted method set, all paths from the method triggering the source point to the method triggering the sink point; for any path in which every pair of adjacent methods satisfies that the output data of the former is the input data of the latter, take the method sequence indicated by that path as a method call chain; and generate the method call graph of the http request from the method call chains.
8. A device for detecting web application vulnerabilities, applied to web middleware, comprising:
a loading module, configured to load preset hook points; the preset hook points comprise a source point, a propagate point, a filter point and a sink point;
a first inserting module, configured to insert preset taint collection code at the position of the methods indicated by the preset hook points in the code of the middleware and the Java web application;
a second inserting module, configured to insert the taint collection code at the position of the methods indicated by non-preset hook points in the user classes of the web application code;
a third determining module, configured to determine, after the web application starts, the target methods among the methods that trigger hook points while the web application responds to an http request, according to the taint data collected by the taint collection code during that response, so as to obtain the http request method set; a target method is a method in a chain that starts from the method triggering the source point and in which the output data of the previous method is the input data of the next method;
and a sending module, configured to send the http request method set to a server.
9. A storage medium comprising a stored program, wherein the program performs the method for detecting web application vulnerabilities of any of claims 1 to 3.
10. An apparatus comprising at least one processor, and at least one memory and a bus connected to the processor; the processor and the memory communicate with each other through the bus; the processor calls the program instructions in the memory to execute the method for detecting web application vulnerabilities according to any one of claims 1 to 3.
CN202011576182.9A 2020-12-28 2020-12-28 Web application vulnerability detection method and related device Pending CN112632561A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011576182.9A CN112632561A (en) 2020-12-28 2020-12-28 Web application vulnerability detection method and related device

Publications (1)

Publication Number Publication Date
CN112632561A true CN112632561A (en) 2021-04-09

Family

ID=75325701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011576182.9A Pending CN112632561A (en) 2020-12-28 2020-12-28 Web application vulnerability detection method and related device

Country Status (1)

Country Link
CN (1) CN112632561A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120266247A1 (en) * 2011-04-18 2012-10-18 International Business Machines Corporation Automatic Inference Of Whitelist-Based Validation As Part Of Static Analysis For Security
CN110381033A (en) * 2019-06-24 2019-10-25 深圳开源互联网安全技术有限公司 Web application hole detection method, apparatus, system, storage medium and server
CN110401634A (en) * 2019-06-24 2019-11-01 北京墨云科技有限公司 A kind of web application hole detection regulation engine implementation method and terminal
CN111046396A (en) * 2020-03-13 2020-04-21 深圳开源互联网安全技术有限公司 Web application test data flow tracking method and system
CN111506900A (en) * 2020-04-15 2020-08-07 北京字节跳动网络技术有限公司 Vulnerability detection method and device, electronic equipment and computer storage medium
CN112016096A (en) * 2020-08-28 2020-12-01 苏州浪潮智能科技有限公司 XSS vulnerability auditing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Tencent Security Emergency Response Center: "Host Security: Practice and Reflections on Onion Webshell Detection" (主机安全——洋葱Webshell检测实践与思考), Retrieved from the Internet <URL:https://mp.weixin.qq.com/s/ol70aVdvybzMJmtfxaAAZQ> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115967551A (en) * 2022-12-12 2023-04-14 中国人民解放军国防科技大学 Vulnerability information guide-based detection method and device for server side request forgery vulnerability
CN115967551B (en) * 2022-12-12 2024-05-17 中国人民解放军国防科技大学 Method and device for detecting falsified vulnerability of server side request based on vulnerability information guidance

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20231117

Address after: Room 301, building 1, No. 5, Xiaguangli, Chaoyang District, Beijing 100027

Applicant after: Beijing keynote Network Inc.

Address before: 100085 1-312-338, floor 3, building 1, courtyard 35, Shangdi East Road, Haidian District, Beijing

Applicant before: Beijing safety consensus Technology Co.,Ltd.