CN112653670A - Service logic vulnerability detection method, device, storage medium and terminal - Google Patents
- Publication number: CN112653670A (application CN202011431712.0A)
- Authority: CN (China)
- Prior art keywords: http, data stream, flow, sql statement, traffic
- Legal status: Granted
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1433: Vulnerability analysis
- G06F21/577: Assessing vulnerabilities and evaluating computer system security
Abstract
The embodiments of the application disclose a service logic vulnerability detection method, a service logic vulnerability detection apparatus, a storage medium and a terminal. The method comprises the following steps: obtaining first HTTP traffic generated by a web application, the first HTTP traffic carrying a first data stream; performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic; accessing the application based on the second HTTP traffic, obtaining the second data stream triggered during that access, and judging from the first data stream and the second data stream whether an unauthorized vulnerability exists. Because the judgement rests on the data stream triggered by the traffic, the false-alarm rate of vulnerability detection is reduced and, at the same time, less dirty data is generated.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting a service logic vulnerability, a storage medium, and a terminal.
Background
With the development of the internet, network security has attracted more and more attention. Security vulnerabilities in web applications account for the largest share, and an attacker can use a web application vulnerability to enter an enterprise intranet, easily causing very serious security incidents such as user information leakage and extortion (ransomware). Most conventional scanners have difficulty discovering the logic vulnerabilities, particularly unauthorized vulnerabilities, that exist in web applications. Although some automatic tools for detecting unauthorized access have appeared, their detection approach is based on comparing request response contents, so they have a very high false-alarm rate, easily produce a large amount of dirty data, and greatly interfere with testers.
Disclosure of Invention
The embodiments of the application provide a method and an apparatus for detecting a business logic vulnerability, a computer storage medium and a terminal, aiming to solve the technical problem of how to detect an unauthorized vulnerability in a web application. The technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a method for detecting a business logic vulnerability, the method comprising:
acquiring first HTTP traffic generated by a web application, wherein the first HTTP traffic carries a first data stream;
performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic;
and accessing the application based on the second HTTP traffic, acquiring the second data stream triggered during the access, and judging whether an unauthorized vulnerability exists based on the first data stream and the second data stream.
In a second aspect, an embodiment of the present application provides a service logic vulnerability detection apparatus, the apparatus comprising:
a request acquisition module, used for acquiring first HTTP traffic generated by a web application, wherein the first HTTP traffic carries a first data stream;
a request processing module, used for performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic;
and a request detection module, used for accessing the application based on the second HTTP traffic, acquiring the second data stream triggered during the access, and judging whether an unauthorized vulnerability exists based on the first data stream and the second data stream.
In a third aspect, embodiments of the present application provide a computer storage medium having a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
In a fourth aspect, an embodiment of the present application provides a terminal, which may include a memory and a processor, wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
when the scheme of the embodiment of the application is executed, a first HTTP flow generated by a web application is obtained through a server, the first HTTP flow carries a first data stream, then the first HTTP flow is subjected to marking processing and identity replacement processing to obtain a second HTTP flow, access is carried out based on the second HTTP flow, a second data stream triggered in an access process is obtained, and whether an unauthorized vulnerability exists is judged based on the first data stream and the second data stream. According to the method and the device, whether the unauthorized vulnerability exists or not is judged according to the data flow triggered in the HTTP flow, the false alarm rate of the unauthorized vulnerability is reduced, and less dirty data can be prevented from being generated.
Drawings
In order to illustrate the embodiments of the present application or the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the system architecture of a service logic vulnerability detection method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a service logic vulnerability detection method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a service logic vulnerability detection method according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a service logic vulnerability detection apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a terminal provided in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an operating system and a user space provided in an embodiment of the present application;
Fig. 7 is an architecture diagram of the Android operating system of Fig. 5;
Fig. 8 is an architecture diagram of the iOS operating system of Fig. 5.
Detailed Description
In order to make the objects, features and advantages of the embodiments of the present application clearer and easier to understand, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
In the description of the present application, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art.
Fig. 1 is a schematic view of an application scenario of the business logic vulnerability detection method or apparatus of the embodiments of the present application. As shown in Fig. 1, the system architecture 100 may include one or more first terminals 101, 102, 103, a network 104, a plurality of servers 105, and one or more second terminals 106, 107, 108. The network 104 provides communication links between the terminals 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired or wireless communication links or fiber-optic cables.
It should be understood that the numbers of first terminals 101, networks 104, second terminals 106 and servers 105 in Fig. 1 are merely illustrative. There may be any number of first terminals 101, networks 104, second terminals 106 and servers 105, as required in practice. For example, server 105 may be a server cluster composed of multiple servers. The first terminals 101, 102, 103 and the second terminals 106, 107, 108 may interact with the server 105 via the network 104 to receive or send messages. They may be various electronic devices having display screens, including but not limited to smart terminals, personal computers, tablet computers, handheld devices, in-vehicle devices, wearable devices, computing devices or other processing devices connected to a wireless modem, and the like. Terminals have different names in different networks, for example: user equipment, access terminal, subscriber unit, subscriber station, mobile station, remote terminal, mobile device, user terminal, wireless communication device, user agent or user equipment, cellular telephone, cordless telephone, Personal Digital Assistant (PDA), terminal equipment in a 5G network or a future evolved network, and the like.
In this application, the first terminal may be a tester's terminal and the second terminal a security worker's terminal. The tester generates a number of HTTP traffic records during web testing, the web client on the tester's terminal uploads that traffic to the web server, and the security worker's terminal obtains the tester's traffic from the web server and detects unauthorized vulnerabilities in it.
The service logic vulnerability detection method provided in the embodiment of the present application is generally executed by the second terminal 106, and accordingly, the service logic vulnerability detection apparatus is generally disposed in the second terminal 106, but the present application is not limited thereto.
In the following method embodiments, for convenience of description, the main execution body of each step is simply described as a terminal.
Fig. 2 is a flowchart of a method for detecting a service logic vulnerability according to an embodiment of the present application. As shown in Fig. 2, the method may include the following steps:
S201, acquiring first HTTP traffic generated by a web application; the first HTTP traffic carries a first data stream.
The first HTTP traffic consists of the first data stream and first HTTP request information, and the first data stream consists of the triggered SQL statements, REST API calls, RPC calls and the like. The HTTP traffic acquired in this embodiment may be user traffic collected within a preset time period, and it may be collected through technologies such as a proxy or instrumentation. The HTTP request information may include IP information, URL parameter information, the session identifier in the cookie field, and so on. The preset time period may be set to 1 day, 1 week, 2 weeks, etc. The URL parameter information may include the URL parameters and their corresponding values. The session identifier in the cookie field identifies the user who initiated the HTTP request and may be understood as the user identity information.
S202, performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic.
Marking processing means marking the first HTTP request information in the first HTTP traffic, mainly by adding a mark to the header of the first HTTP request. The first HTTP request carries the user's identity information, referred to as the first user identity information. Similarly, the second HTTP traffic consists of second HTTP request information and a second data stream, and the second HTTP request also carries user identity information, referred to as the second user identity information. Identity replacement processing replaces the first user identity information in the first HTTP request with the second user identity information, which yields the second HTTP traffic.
It can be understood that, once the tag has been added to the first HTTP request, the instrumented program, on finding the tag in the request header during the subsequent replay of the traffic, intercepts SQL statements of the update type and rewrites the packet, so that no dirty data is generated.
S203, accessing the application based on the second HTTP traffic, acquiring the second data stream triggered during the access, and judging whether an unauthorized vulnerability exists based on the first data stream and the second data stream.
The data stream triggered while the HTTP traffic is accessed may include SQL statement data, REST API call data, RPC call data and the like. The unauthorized vulnerability is a common logic security vulnerability. It arises because the web server trusts a user's data operation request too much and omits to check the user's operation authority, so that by modifying the relevant parameters the user can add, delete, query or modify other accounts' data.
It can be understood that the access is performed based on the second HTTP traffic and the second data stream triggered during the access is acquired. In this embodiment the acquired data stream refers to the SQL statement data produced during the access and does not involve other data streams, and whether an unauthorized vulnerability exists is determined from that SQL statement data. Specifically, the judgement is mainly whether the SQL statement executed for the second HTTP request is the same as the SQL statement executed for the first HTTP request. If the two are the same, the unauthorized vulnerability exists; if they differ, it does not exist.
Fig. 3 is a flowchart of a method for detecting a service logic vulnerability according to an embodiment of the present application. As shown in Fig. 3, the method may include the following steps:
S301, acquiring first HTTP traffic generated by the web application; the first HTTP traffic carries a first data stream.
In one possible implementation, a plurality of HTTP traffic records generated by the web application in a test environment are collected, and one of them is selected at random as the first HTTP traffic. When collecting the traffic, the traffic within a preset time period may be collected, so that the existence of an unauthorized vulnerability within a certain period can be detected and detection efficiency improved. The preset time period may be set to 1 day, 7 days, 15 days, etc.; this embodiment does not limit it. Alternatively, a preset number of traffic records may be set and collection stopped once that number is reached, which enlarges the range of the vulnerability detection. The preset number may be set to 100, 200, 500, etc.; this embodiment does not limit it.
In another possible implementation, a plurality of HTTP traffic records generated by the web application in a test environment are collected, and one of them is selected as the first HTTP traffic according to a preset time order. The preset time order may be the order of the records from earliest to latest: each record may be detected in turn from earliest to latest, or in turn from latest to earliest. Similarly, when collecting the traffic, collection within a preset time or collection of a preset number of records may be set; refer to the foregoing implementation, which is not repeated here.
S302, performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic.
Identity replacement processing means replacing the first user identity information with second user identity information, where the first user identity information is the user identity information carried in the first HTTP request information of the first HTTP traffic, and the second user identity information is the user identity information carried in the second HTTP request information of the second HTTP traffic.
Generally, marking the first HTTP traffic means adding a mark, for example "testSource: securityteam", to the request header of the first HTTP request. In the subsequent access based on the second HTTP traffic, the instrumented program finds that the request header contains securityteam, intercepts SQL statements of the update type and rewrites the packet, so that no dirty data is generated.
S303, acquiring the second SQL statement executed by the second HTTP traffic during the access, and judging whether it is the same as the first SQL statement executed by the first HTTP traffic.
S304, if the two are the same, the unauthorized vulnerability exists.
S305, if they differ, the unauthorized vulnerability does not exist.
S303 to S305 are described in detail below.
Generally, while the second HTTP traffic carrying the second identity information is being accessed, the SQL statement executed during the access is obtained. If the SQL statement executed by the second HTTP traffic is defined as the second SQL statement and the SQL statement executed by the first HTTP traffic as the first SQL statement, whether an unauthorized vulnerability exists can be determined from the first SQL statement and the second SQL statement. In addition, when the SQL statement executed by the second HTTP traffic includes an update statement, the update statement is modified: the operation keyword of the update statement is changed to a preset character, a data packet is generated from the modified SQL statement, and that packet is sent to the database.
For example, the first HTTP traffic carries the identity information of user A (sessionID: aaaa), which is replaced by the identity information of user B (sessionID: bbbb) to form the second HTTP traffic. Suppose the first SQL statement in the first HTTP traffic is "update table set username = 'sara' where username = 'teacher_a'"; since the first HTTP traffic originated from user A, the identity information it carries is sessionID: aaaa. When the second HTTP traffic is accessed, if the second SQL statement executed is likewise "update table set username = 'sara' where username = 'teacher_a'", the first and second SQL statements are the same, which shows that an unauthorized vulnerability exists. If no unauthorized vulnerability exists, then, because the identity information carried in the second HTTP traffic is sessionID: bbbb, the access based on the second HTTP traffic will, after verification, obtain user B's information and the executed SQL statement will add, delete, query or modify user B's data; the executed second SQL statement should then be "update table set username = 'sara' where username = 'teacher_b'".
It can be understood that the only purpose of executing the second HTTP traffic is to detect whether an unauthorized vulnerability exists. When the executed SQL statement involves an update statement, there is no need to actually modify the information of user B (the identity carried in the second HTTP traffic) or to modify the information of user A (the identity carried in the first HTTP traffic) a second time; either would produce dirty data. To avoid dirty data, the update statement may therefore be modified whenever the SQL statement contains one: the function keyword "update" is changed to a preset character or to an arbitrary character. For example, "update table set username = 'sara' where username = 'teacher_a'" is modified to "select table set username = 'sara' where username = 'teacher_a'", or the update keyword is replaced by any other token. After the update statement has been modified, a data packet is generated from the modified SQL statement and sent to the database. In this way, the generation of dirty data is effectively avoided while the unauthorized vulnerability is detected.
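The replay-and-compare procedure of S301 to S305 (and the Fig. 2 flow above), written out as an added Python example that is not part of the patent: a small web application with an instrumented SQL layer is simulated in-process, so the "testSource: securityteam" marker, the sessionID swap, the SQL comparison and the update-to-select rewrite can all be run offline. The handler names, the profile table, the session table and the request values are constructed for this example.

```python
"""Replay-and-compare check for unauthorized (privilege-escalation) vulnerabilities.

Added example after the method of CN112653670A, not the patent's own code. A tiny
web application and its SQL layer are simulated in-process so the S301-S305 flow
runs offline; every name and sample value below is constructed.
"""
import re
from dataclasses import dataclass, field

MARK_HEADER = "testSource"      # marker header named in the description (S302)
MARK_VALUE = "securityteam"

# Constructed session table: session identifier -> account name.
SESSIONS = {"aaaa": "teacher_a", "bbbb": "teacher_b"}


@dataclass
class Capture:
    """One HTTP request plus the SQL statements it triggered (its 'data stream')."""
    method: str
    path: str
    params: dict
    headers: dict
    sql: list = field(default_factory=list)


def session_user(headers):
    """Resolve the account behind the sessionID cookie (constructed format)."""
    m = re.search(r"sessionID=(\w+)", headers.get("Cookie", ""))
    return SESSIONS.get(m.group(1)) if m else None


# --- two versions of the application under test (constructed) ---------------
def vulnerable_handler(req, execute):
    # Trusts the 'owner' parameter for the row to modify and never checks that it
    # belongs to the authenticated session: the unauthorized vulnerability.
    execute(f"update profile set nickname = '{req.params['nick']}' "
            f"where username = '{req.params['owner']}'")


def fixed_handler(req, execute):
    # Derives the row owner from the session, so a replay under another identity
    # touches that identity's own row and the executed SQL differs.
    execute(f"update profile set nickname = '{req.params['nick']}' "
            f"where username = '{session_user(req.headers)}'")


# --- instrumentation between the application and the database ---------------
def neutralize_update(stmt):
    """Rewrite the leading 'update' keyword so the statement cannot change rows."""
    return re.sub(r"^\s*update\b", "select", stmt, count=1, flags=re.IGNORECASE)


def access(handler, req):
    """Run one request; return (SQL the app issued, SQL actually sent to the DB)."""
    issued, sent = [], []

    def execute(stmt):
        issued.append(stmt)                      # what the app meant to run
        marked = req.headers.get(MARK_HEADER) == MARK_VALUE
        sent.append(neutralize_update(stmt) if marked else stmt)  # marked replay: no writes

    handler(req, execute)
    return issued, sent


# --- the detection method -------------------------------------------------
def replay_with_identity(first, new_session):
    """S302: add the marker header and swap the session identifier."""
    headers = dict(first.headers)
    headers[MARK_HEADER] = MARK_VALUE
    headers["Cookie"] = re.sub(r"sessionID=\w+", f"sessionID={new_session}",
                               headers.get("Cookie", ""))
    return Capture(first.method, first.path, dict(first.params), headers)


def normalize(stmt):
    return re.sub(r"\s+", " ", stmt.strip()).lower()


def detect_unauthorized(handler, first, second_session):
    """S303-S305: identical SQL under a different identity means the bug exists."""
    second = replay_with_identity(first, second_session)
    second.sql, sent_to_db = access(handler, second)
    same = [normalize(s) for s in first.sql] == [normalize(s) for s in second.sql]
    return {"vulnerable": same, "second_sql": second.sql, "sent_to_db": sent_to_db}


def run_demo():
    """Run the check against both handlers; returns {name: verdict dict}."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        # First traffic: user A (sessionID aaaa) renames their own profile row.
        first = Capture("POST", "/profile", {"owner": "teacher_a", "nick": "sara"},
                        {"Cookie": "sessionID=aaaa"})
        first.sql, _ = access(handler, first)    # first data stream, recorded unmarked
        results[name] = detect_unauthorized(handler, first, "bbbb")
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        verdict = "UNAUTHORIZED VULNERABILITY" if r["vulnerable"] else "ok"
        print(f"{name}: {verdict} | db received: {r['sent_to_db']}")
```

The vulnerable handler produces the same statement for user A's row under user B's session, while the fixed handler's statement now names teacher_b; in both replays the database only ever receives the neutralized select form.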
When the scheme of this embodiment is executed, a server obtains first HTTP traffic generated by a web application, the first HTTP traffic carrying a first data stream; the first HTTP traffic is subjected to marking processing and identity replacement processing to obtain second HTTP traffic; the application is accessed based on the second HTTP traffic to obtain the second SQL statement executed during the access, and that second SQL statement is compared with the first SQL statement executed by the first HTTP traffic. If the two are the same, the unauthorized vulnerability exists; if they differ, it does not. In addition, when the SQL statement includes an update statement, the update statement can be modified and the modified SQL statement sent to the database. The method reduces the false-alarm rate for unauthorized vulnerabilities and avoids generating dirty data.
Fig. 4 is a schematic structural diagram of a service logic vulnerability detection apparatus according to an embodiment of the present application. The business logic vulnerability detection apparatus may be implemented in software, hardware or a combination of the two, forming all or part of the terminal. The apparatus 400 comprises:
a request collection module 410, configured to obtain first Hypertext Transfer Protocol (HTTP) traffic generated by a web application, wherein the first HTTP traffic carries a first data stream;
the request processing module 420 is configured to perform marking processing and identity replacement processing on the first HTTP traffic to obtain a second HTTP traffic;
and the request detection module 430 is configured to access based on the second HTTP traffic, obtain a second data stream triggered in an access process, and determine whether an unauthorized vulnerability exists based on the first data stream and the second data stream.
Optionally, the request processing module 420 includes:
and the request processing unit is used for marking the first HTTP request information and replacing the first user identity information with second user identity information to obtain the second HTTP flow.
Optionally, the request detection module 430 includes:
a first request detection unit, used for acquiring the second SQL statement executed by the second HTTP traffic during the access;
and a second request detection unit, used for judging whether the second SQL statement executed by the second HTTP traffic is the same as the first SQL statement executed by the first HTTP traffic, and thereby judging whether an unauthorized vulnerability exists.
Optionally, the request detection module 430 further includes:
a third request detection unit, used for judging that the unauthorized vulnerability does not exist when the second SQL statement executed by the second HTTP traffic differs from the first SQL statement executed by the first HTTP traffic.
Optionally, the request detection module 430 includes:
a fourth request detection unit, configured to modify the update statement when the second SQL statement executed by the second HTTP traffic includes the update statement;
and the fifth request detection unit is used for generating a data packet based on the modified second SQL statement and sending the data packet to the database.
Optionally, the request collecting module 410 includes:
the system comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring a plurality of HTTP flows generated by a web application in a test environment;
and the second acquisition unit is used for randomly selecting one HTTP flow from the plurality of HTTP flows as the first HTTP flow.
Optionally, the request collecting module 410 includes:
the third acquisition unit is used for acquiring a plurality of HTTP flows generated by the web application in the test environment;
and the fourth acquisition unit is used for selecting one HTTP flow from the plurality of HTTP flows according to a preset time sequence as the first HTTP flow.
When the solution of this embodiment of the application is executed, a server obtains first HTTP traffic generated by a web application, the first HTTP traffic carrying a first data stream; performs marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic; performs access based on the second HTTP traffic and obtains the second data stream triggered during that access; and determines, based on the first data stream and the second data stream, whether an unauthorized access (override) vulnerability exists. Because the method and apparatus decide whether an override vulnerability exists from the data stream actually triggered by the HTTP traffic, the false alarm rate for override vulnerabilities is reduced, and the generation of dirty data during testing is reduced.
Referring to fig. 5, a block diagram of a terminal according to an exemplary embodiment of the present application is shown. A terminal in the present application may include one or more of the following components: a processor 510, a memory 520, an input device 530, an output device 540, and a bus 550. The processor 510, memory 520, input device 530, and output device 540 may be connected by a bus 550.
The memory 520 may include a random access memory (RAM) or a read-only memory (ROM). Optionally, the memory 520 includes a non-transitory computer-readable medium. The memory 520 may be used to store instructions, programs, code sets, or instruction sets. The memory 520 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for implementing at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments of this application, and the like; the operating system may be an Android system (including systems developed in depth on the basis of Android), an iOS system developed by Apple Inc. (including systems developed in depth on the basis of iOS), or another system. The data storage area may also store data created by the terminal in use, such as a phonebook, audio and video data, chat log data, and the like.
Referring to fig. 6, the memory 520 may be divided into an operating system space, in which an operating system is run, and a user space, in which native and third-party applications are run. In order to ensure that different third-party application programs can achieve a better operation effect, the operating system allocates corresponding system resources for the different third-party application programs. However, the requirements of different application scenarios in the same third-party application program on system resources are different, for example, in a local resource loading scenario, the third-party application program has a higher requirement on the disk reading speed; in the animation rendering scene, the third-party application program has a high requirement on the performance of the GPU. The operating system and the third-party application program are independent from each other, and the operating system cannot sense the current application scene of the third-party application program in time, so that the operating system cannot perform targeted system resource adaptation according to the specific application scene of the third-party application program.
In order to enable the operating system to distinguish a specific application scenario of the third-party application program, data communication between the third-party application program and the operating system needs to be opened, so that the operating system can acquire current scenario information of the third-party application program at any time, and further perform targeted system resource adaptation based on the current scenario.
Taking the Android system as the operating system as an example, the programs and data stored in the memory 520 are as shown in fig. 7: a Linux kernel layer 720, a system runtime library layer 740, an application framework layer 760, and an application layer 780 may be stored in the memory 520, where the Linux kernel layer 720, the system runtime library layer 740 and the application framework layer 760 belong to the operating system space, and the application layer 780 belongs to the user space. The Linux kernel layer 720 provides the underlying drivers for the various hardware of the terminal, such as the display driver, audio driver, camera driver, Bluetooth driver, Wi-Fi driver, power management, and the like. The system runtime library layer 740 provides the main feature support for the Android system through a set of C/C++ libraries; for example, the SQLite library provides database support, the OpenGL/ES library provides 3D drawing support, and the WebKit library provides the browser engine. The system runtime library layer 740 also provides the Android runtime, which mainly supplies the core libraries that allow developers to write Android applications in the Java language. The application framework layer 760 provides the various APIs that may be used in building applications, such as activity management, window management, view management, notification management, content providers, package management, session management, resource management, and location management; developers build their own applications by using these APIs.
The application layer 780 runs at least one application program, which may be a native application program of the operating system itself, such as a contact program, a short message program, a clock program, a camera application, and the like; or a third-party application developed by a third-party developer, such as a game-like application, an instant messaging program, a photo beautification program, a shopping program, and the like.
Taking the iOS system as the operating system as an example, the programs and data stored in the memory 520 are as shown in fig. 8, and the iOS system includes: a core operating system layer 820 (Core OS Layer), a core services layer 840 (Core Services Layer), a media layer 860 (Media Layer), and a Cocoa Touch layer 880 (Cocoa Touch Layer). The core operating system layer 820 includes the operating system kernel, drivers, and underlying program frameworks that provide functionality closer to the hardware for use by the program frameworks in the core services layer 840. The core services layer 840 provides the system services and/or program frameworks needed by applications, such as the Foundation framework, an accounts framework, an advertising framework, a data storage framework, a network connection framework, a geographic location framework, a motion framework, and so on. The media layer 860 provides the audiovisual interfaces for applications, such as graphics-related interfaces, audio-related interfaces, video-related interfaces, and the AirPlay interface for audiovisual transmission. The Cocoa Touch layer 880 provides the various commonly used interface-related frameworks for application development and is responsible for the user's touch interaction with the terminal; examples are the local notification service, the remote push service, the advertising framework, the game tool framework, the messaging user interface (UI) framework, the UIKit framework, the map framework, and so forth.
In the framework illustrated in fig. 8, the frameworks associated with most applications include, but are not limited to, the Foundation framework in the core services layer 840 and the UIKit framework in the Cocoa Touch layer 880. The Foundation framework provides many basic object classes and data types and the most basic system services for all applications, and is independent of the UI. The classes provided by the UIKit framework form a basic library of UI classes for creating touch-based user interfaces; iOS applications build their UIs on the UIKit framework, so it provides the infrastructure applications use for building user interfaces, drawing, handling user interaction events, responding to gestures, and the like.
The manner and principle by which data communication between a third-party application and the operating system is realized in the iOS system may follow those of the Android system, and are not repeated here.
The input device 530 is used for receiving input instructions or data, and includes, but is not limited to, a keyboard, a mouse, a camera, a microphone, or a touch device. The output device 540 is used for outputting instructions or data, and includes, but is not limited to, a display device, a speaker, and the like. In one example, the input device 530 and the output device 540 are combined into a touch display screen, which receives touch operations performed by the user on or near the screen with any suitable object such as a finger or a stylus, and displays the user interfaces of the various applications. The touch display screen is generally provided on the front panel of the terminal. The touch display screen may be designed as a full-face screen, a curved screen, or an irregularly shaped screen, or as a combination of a full-face screen and a curved screen or of an irregularly shaped screen and a curved screen, which is not limited in the embodiments of the present application.
In addition, those skilled in the art will appreciate that the configurations of the terminals illustrated in the above-described figures do not constitute limitations on the terminals, as the terminals may include more or less components than those illustrated, or some components may be combined, or a different arrangement of components may be used. For example, the terminal further includes a radio frequency circuit, an input unit, a sensor, an audio circuit, a wireless fidelity (WiFi) module, a power supply, a bluetooth module, and other components, which are not described herein again.
In the embodiments of the present application, the body executing each step may be the terminal described above. Optionally, the executing body of each step is the operating system of the terminal. The operating system may be an Android system, an iOS system, or another operating system, which is not limited in the embodiments of the present application.
The terminal of the embodiments of the application may also be provided with a display device, which may be any device capable of realizing a display function, for example: a cathode ray tube display (CRT), a light-emitting diode display (LED), an electronic ink panel, a liquid crystal display (LCD), a plasma display panel (PDP), and the like. The user can view displayed information such as text, images and video using the display device on the terminal 101. The terminal may be a smart phone, a tablet computer, a gaming device, an AR (Augmented Reality) device, an automobile, a data storage device, an audio playing device, a video playing device, a notebook, a desktop computing device, or a wearable device such as an electronic watch, electronic glasses, an electronic helmet, an electronic bracelet, an electronic necklace, an electronic garment, or the like.
In the terminal shown in fig. 5, the processor 510 may be configured to call an application program stored in the memory 520, and specifically execute the service logic vulnerability detection method according to the embodiment of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
Modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may be stored in a computer readable storage medium. Based on such understanding, the essence of the technical solution of the present application, the part that contributes to the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
It should be noted that, for the sake of simplicity, the above-mentioned method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present application is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the above description of the service logic vulnerability detection method, apparatus, storage medium and terminal provided by the present application, for those skilled in the art, according to the ideas of the embodiments of the present application, there may be changes in the specific implementation and application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (12)
1. A service logic vulnerability detection method is characterized by comprising the following steps:
acquiring first HTTP traffic generated by a web application, wherein the first HTTP traffic carries a first data stream;
performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic; and
performing access based on the second HTTP traffic, acquiring a second data stream triggered in the access process, and determining, based on the first data stream and the second data stream, whether an unauthorized access (override) vulnerability exists.
2. The method of claim 1, wherein the first HTTP traffic includes first HTTP request information and the first data stream; wherein the first HTTP request information contains first user identity information.
3. The method according to claim 2, wherein performing marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic comprises:
marking the first HTTP request information, and replacing the first user identity information with second user identity information, so as to obtain the second HTTP traffic.
4. The method of claim 1, wherein the first data stream comprises a first SQL statement and the second data stream comprises a second SQL statement.
5. The method of claim 4, wherein acquiring the second data stream triggered in the access process and determining, based on the first data stream and the second data stream, whether the override vulnerability exists comprises:
acquiring the second SQL statement executed by the second HTTP traffic in the access process; and
if the second SQL statement executed by the second HTTP traffic is the same as the first SQL statement executed by the first HTTP traffic, determining that an override vulnerability exists.
6. The method of claim 5, further comprising:
if the second SQL statement executed by the second HTTP traffic is different from the first SQL statement executed by the first HTTP traffic, determining that no override vulnerability exists.
7. The method of claim 5 or 6, further comprising:
when the second SQL statement executed by the second HTTP traffic comprises an update statement, modifying the update statement;
and generating a data packet based on the modified second SQL statement, and sending the data packet to a database.
8. The method of claim 1, wherein acquiring the first HTTP traffic generated by the web application comprises:
collecting a plurality of HTTP traffic records generated by the web application in a test environment; and
randomly selecting one HTTP traffic record from the plurality as the first HTTP traffic.
9. The method of claim 1, wherein acquiring the first HTTP traffic generated by the web application comprises:
collecting a plurality of HTTP traffic records generated by the web application in a test environment; and
selecting one HTTP traffic record from the plurality, according to a preset time sequence, as the first HTTP traffic.
10. An apparatus for detecting a business logic vulnerability, the apparatus comprising:
a request acquisition module, configured to acquire first HTTP traffic generated by a web application, wherein the first HTTP traffic carries a first data stream;
a request processing module, configured to perform marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic; and
a request detection module, configured to perform access based on the second HTTP traffic, acquire a second data stream triggered in the access process, and determine, based on the first data stream and the second data stream, whether an unauthorized access (override) vulnerability exists.
11. A computer storage medium, characterized in that it stores a plurality of instructions adapted to be loaded by a processor and to carry out the method steps according to any one of claims 1 to 9.
12. A terminal, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the method steps of any of claims 1 to 9.
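The method of claims 1 to 9 above, as realized by modules 410 to 430 in the description (collect traffic in a test environment, pick the first traffic by time sequence or at random, mark it and swap the user identity, replay it, and compare the SQL that each run triggers), as an added worked example in Python. This is illustration code written for this page, not code from the patent or its applicant. The in-memory web application, its session-to-user table, the SQL strings it issues, all function names, and the rewriting of an update statement into a `SELECT COUNT(*)` over the same WHERE clause are constructed assumptions; the page does not specify how the update statement is modified before the packet is sent to the database.

```python
"""Replay-based override (unauthorized access) check, after the method of claims 1-9:
record the SQL that a request triggers, replay the request under a different user
identity, and treat identical SQL under the two identities as an override vulnerability.
Everything below (application, data, function names) is constructed for illustration."""
import random
import re
import sqlite3
from dataclasses import dataclass, field

# Constructed test environment: session cookie -> user id, plus a small schema.
SESSIONS = {"sess-alice": 1, "sess-bob": 2}


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE orders(id INTEGER PRIMARY KEY, owner INTEGER, cancel_count INTEGER);
        INSERT INTO orders VALUES (100, 1, 0), (200, 2, 0);
    """)
    return db


@dataclass
class HttpTraffic:
    """One HTTP exchange: request information (path and the identity cookie) together
    with the data stream it triggered, i.e. the SQL statements the application executed."""
    ts: int                 # capture time, used for selection by preset time sequence
    path: str
    cookie: str             # user identity information
    sql: list = field(default_factory=list)
    marked: bool = False    # set by marking processing on the replayed copy


def web_app(traffic: HttpTraffic) -> list:
    """Constructed application under test; returns the SQL it issues for a request.
    /profile scopes the query by the session user; the /order endpoints trust only the
    id parameter (the flaw the scan is meant to find). int() keeps the toy free of injection."""
    uid = SESSIONS[traffic.cookie]
    route, _, query = traffic.path.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if p)
    if route == "/profile":
        return [f"SELECT name FROM users WHERE id = {uid}"]
    if route == "/order/cancel":
        return [f"UPDATE orders SET cancel_count = cancel_count + 1 WHERE id = {int(params['id'])}"]
    if route == "/order":
        return [f"SELECT id, owner FROM orders WHERE id = {int(params['id'])}"]
    return []


def collect(db: sqlite3.Connection, traffics: list) -> list:
    """Step 1: run the traffic in the test environment and keep the data stream it triggered."""
    for t in traffics:
        t.sql = web_app(t)
        for stmt in t.sql:
            db.execute(stmt)            # genuine execution: this is the recorded baseline
    return traffics


def select_first(traffics: list, by_time: bool = True, rng=None) -> HttpTraffic:
    """Pick the first HTTP traffic by preset time sequence (claim 9) or at random (claim 8)."""
    return min(traffics, key=lambda t: t.ts) if by_time else (rng or random).choice(traffics)


def mark_and_replace(first: HttpTraffic, second_cookie: str) -> HttpTraffic:
    """Step 2: mark the request and swap the identity information -> second HTTP traffic."""
    return HttpTraffic(first.ts, first.path, second_cookie, marked=True)


def neutralise_update(stmt: str) -> str:
    """Assumed rewrite for claim 7: 'UPDATE t SET ... WHERE c' becomes
    'SELECT COUNT(*) FROM t WHERE c', so the replay still reveals which rows the write
    would reach without producing dirty data. The page does not fix the rewrite rule."""
    m = re.fullmatch(r"\s*UPDATE\s+(\w+)\s+SET\s+.+?\s+WHERE\s+(.+?)\s*;?\s*", stmt, re.I | re.S)
    return f"SELECT COUNT(*) FROM {m.group(1)} WHERE {m.group(2)}" if m else stmt


def check_override(db: sqlite3.Connection, first: HttpTraffic, second_cookie: str):
    """Step 3: access with the second traffic, obtain the second data stream, send each
    (possibly modified) packet to the database, and compare with the first data stream.
    Identical SQL under a different identity means the application never scoped the
    request by the caller, i.e. an override vulnerability (claims 5 and 6)."""
    second = mark_and_replace(first, second_cookie)
    second.sql = web_app(second)
    for stmt in second.sql:
        db.execute(neutralise_update(stmt))
    return second.sql == first.sql, second.sql


if __name__ == "__main__":
    db = setup_db()
    recorded = collect(db, [
        HttpTraffic(1, "/profile", "sess-alice"),
        HttpTraffic(2, "/order?id=100", "sess-alice"),
        HttpTraffic(3, "/order/cancel?id=100", "sess-alice"),
    ])
    print("first HTTP traffic by time sequence:", select_first(recorded).path)
    for t in recorded:
        vulnerable, sql = check_override(db, t, "sess-bob")
        print(f"{t.path:22} override={('YES' if vulnerable else 'no'):3} replayed SQL={sql}")
    count = db.execute("SELECT cancel_count FROM orders WHERE id = 100").fetchone()[0]
    print("cancel_count of order 100 after the scan:", count)   # 1: only the recorded run wrote
```

Running the block prints one line per recorded request: the identity-scoped `/profile` query changes when the session is swapped, so no override is reported, while the two `/order` endpoints issue identical SQL under either identity and are flagged; `cancel_count` of order 100 stays at 1 because the replay sent the rewritten read-only statement rather than the original UPDATE. The exact string comparison is the criterion the claims state; a practitioner would normally compare a normalized form of the statement (whitespace collapsed, literals replaced by placeholders) so that an incidental difference such as a per-request timestamp does not mask an override.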
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011431712.0A CN112653670B (en) | 2020-12-08 | 2020-12-08 | Business logic vulnerability detection method and device, storage medium and terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011431712.0A CN112653670B (en) | 2020-12-08 | 2020-12-08 | Business logic vulnerability detection method and device, storage medium and terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112653670A true CN112653670A (en) | 2021-04-13 |
CN112653670B CN112653670B (en) | 2023-11-10 |
Family
ID=75350597
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011431712.0A Active CN112653670B (en) | 2020-12-08 | 2020-12-08 | Business logic vulnerability detection method and device, storage medium and terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112653670B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113595972A (en) * | 2021-06-08 | 2021-11-02 | 贵州电网有限责任公司 | Web service behavior logic detection method based on middleware flow analysis technology |
CN113885958A (en) * | 2021-09-30 | 2022-01-04 | 杭州默安科技有限公司 | Method and system for intercepting dirty data |
CN114422274A (en) * | 2022-03-29 | 2022-04-29 | 腾讯科技(深圳)有限公司 | Multi-scene vulnerability detection method and device based on cloud protogenesis and storage medium |
CN114499960A (en) * | 2021-12-24 | 2022-05-13 | 深圳开源互联网安全技术有限公司 | CSRF vulnerability identification method and device and computer readable storage medium |
CN114640506A (en) * | 2022-02-28 | 2022-06-17 | 天翼安全科技有限公司 | Vulnerability detection method, device, equipment and medium |
CN115348086A (en) * | 2022-08-15 | 2022-11-15 | 中国电信股份有限公司 | Attack protection method and device, storage medium and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060282897A1 (en) * | 2005-05-16 | 2006-12-14 | Caleb Sima | Secure web application development and execution environment |
CN101312393A (en) * | 2007-05-24 | 2008-11-26 | 北京启明星辰信息技术有限公司 | Detection method and system for SQL injection loophole |
CN106713347A (en) * | 2017-01-18 | 2017-05-24 | 国网江苏省电力公司电力科学研究院 | Method for detecting unauthorized access vulnerability of power mobile application |
CN110688659A (en) * | 2019-09-10 | 2020-01-14 | 深圳开源互联网安全技术有限公司 | Method and system for dynamically detecting horizontal override based on IAST test tool |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113595972A (en) * | 2021-06-08 | 2021-11-02 | 贵州电网有限责任公司 | Web service behavior logic detection method based on middleware flow analysis technology |
CN113885958A (en) * | 2021-09-30 | 2022-01-04 | 杭州默安科技有限公司 | Method and system for intercepting dirty data |
CN113885958B (en) * | 2021-09-30 | 2023-10-31 | 杭州默安科技有限公司 | Method and system for intercepting dirty data |
CN114499960A (en) * | 2021-12-24 | 2022-05-13 | 深圳开源互联网安全技术有限公司 | CSRF vulnerability identification method and device and computer readable storage medium |
CN114499960B (en) * | 2021-12-24 | 2024-03-22 | 深圳开源互联网安全技术有限公司 | CSRF vulnerability identification method, device and computer readable storage medium |
CN114640506A (en) * | 2022-02-28 | 2022-06-17 | 天翼安全科技有限公司 | Vulnerability detection method, device, equipment and medium |
CN114640506B (en) * | 2022-02-28 | 2023-10-31 | 天翼安全科技有限公司 | Vulnerability detection method, device, equipment and medium |
CN114422274A (en) * | 2022-03-29 | 2022-04-29 | 腾讯科技(深圳)有限公司 | Multi-scene vulnerability detection method and device based on cloud protogenesis and storage medium |
CN115348086A (en) * | 2022-08-15 | 2022-11-15 | 中国电信股份有限公司 | Attack protection method and device, storage medium and electronic equipment |
CN115348086B (en) * | 2022-08-15 | 2024-02-23 | 中国电信股份有限公司 | Attack protection method and device, storage medium and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN112653670B (en) | 2023-11-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||