CN112653670B - Business logic vulnerability detection method and device, storage medium and terminal - Google Patents


Info

Publication number
CN112653670B
Authority
CN
China
Prior art keywords
http traffic
data stream
http
sql statement
traffic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011431712.0A
Other languages
Chinese (zh)
Other versions
CN112653670A (en)
Inventor
汪金花
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dami Technology Co Ltd
Original Assignee
Beijing Dami Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dami Technology Co Ltd
Priority to CN202011431712.0A
Publication of CN112653670A
Application granted
Publication of CN112653670B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1433 Vulnerability analysis (same H04L 63/14 group as above)
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the application discloses a business logic vulnerability detection method, a device, a storage medium and a terminal. The method comprises the following steps: acquiring a first HTTP traffic generated by a web application, wherein the first HTTP traffic carries a first data stream; obtaining a second HTTP traffic by carrying out marking processing and identity replacement processing on the first HTTP traffic; accessing based on the second HTTP traffic and acquiring a second data stream triggered in the accessing process; and judging whether an override (unauthorized access) vulnerability exists based on the first data stream and the second data stream. Because the judgment is made from the data stream triggered by the traffic rather than from the response content, the method reduces the false alarm rate of vulnerability detection and avoids generating dirty data.

Description

Business logic vulnerability detection method and device, storage medium and terminal
Technical Field
The present application relates to the field of computer technologies, and in particular, to a service logic vulnerability detection method, device, storage medium, and terminal.
Background
With the development of the internet, network security issues have attracted more and more attention. Web applications account for the largest share of security vulnerabilities, and an attacker who exploits a web application can enter the enterprise intranet, so very serious security incidents such as user information leakage and malicious extortion easily follow. Most conventional scanners have difficulty finding the logic vulnerabilities, in particular the override vulnerabilities, that exist in web applications. Although some automatic override detection tools exist, their detection approach is based on comparing request response contents, so the false alarm rate is very high, a large amount of dirty data is easily produced, and testers are heavily disturbed.
Disclosure of Invention
The embodiment of the application provides a business logic vulnerability detection method, a device, a computer storage medium and a terminal, which aim at solving the technical problem of how to detect unauthorized vulnerabilities in web applications. The technical scheme is as follows:
in a first aspect, an embodiment of the present application provides a service logic vulnerability detection method, where the method includes:
acquiring a first HTTP traffic generated by a web application; wherein the first HTTP traffic carries a first data stream;
the first HTTP traffic is subjected to marking processing and identity replacement processing to obtain second HTTP traffic;
and accessing based on the second HTTP traffic, acquiring a second data stream triggered in the accessing process, and judging whether an unauthorized vulnerability exists or not based on the first data stream and the second data stream.
In a second aspect, an embodiment of the present application provides a service logic vulnerability detection apparatus, where the apparatus includes:
the request acquisition module is used for acquiring a first HTTP traffic generated by the web application; wherein the first HTTP traffic carries a first data stream;
the request processing module is used for carrying out marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic;
and the request detection module is used for accessing based on the second HTTP traffic, acquiring a second data stream triggered in the access process, and judging whether an override vulnerability exists based on the first data stream and the second data stream.
In a third aspect, embodiments of the present application provide a computer storage medium having a plurality of instructions adapted to be loaded by a processor and to perform the above-described method steps.
In a fourth aspect, an embodiment of the present application provides a terminal, which may include: a memory and a processor; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
The technical scheme provided by the embodiment of the application has the beneficial effects that at least:
When the scheme of the embodiment of the application is executed, a first HTTP flow generated by a web application is acquired through a server, the first HTTP flow carries a first data flow, then the first HTTP flow is subjected to marking processing and identity replacement processing to obtain a second HTTP flow, access is performed based on the second HTTP flow, a second data flow triggered in the access process is acquired, and whether an override vulnerability exists is judged based on the first data flow and the second data flow. The application judges whether the override vulnerability exists according to the data flow triggered by the HTTP traffic, which reduces the false alarm rate of override vulnerability detection and also avoids generating dirty data.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application and that other drawings may be obtained from them without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a system architecture of a business logic vulnerability detection method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a business logic vulnerability detection method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a business logic vulnerability detection method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a service logic vulnerability detection device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a terminal according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an operating system and user space provided by an embodiment of the present application;
FIG. 7 is an architecture diagram of the android operating system of FIG. 5;
FIG. 8 is an architecture diagram of the IOS operating system of FIG. 5.
Detailed Description
In order to make the objects, features and advantages of the embodiments of the present application more obvious and understandable, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application as detailed in the accompanying claims.
In the description of the present application, it should be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art.
Referring to fig. 1, fig. 1 shows an application scenario schematic diagram of a service logic vulnerability detection method or a service logic vulnerability detection device applied to an embodiment of the present application. As shown in fig. 1, the system architecture 100 may include one or more of a first terminal 101, 102, 103, a network 104, a plurality of servers 105, and one or more of a second terminal 106, 107, 108. The network 104 is used to provide communication links between the terminals 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
It should be understood that the number of first terminals 101, networks 104, second terminals 106, and servers 105 in fig. 1 is merely illustrative. There may be any number of first terminals 101, networks 104, second terminals 106, and servers 105 as practical. For example, the server 105 may be a server cluster formed by a plurality of servers. The first terminals 101, 102, 103 and the second terminals 106, 107, 108 may interact with the server 105 via the network 104 to receive or send messages or the like. The first terminals 101, 102, 103 and the second terminals 106, 107, 108 may be various electronic devices with display screens including, but not limited to, smart terminals, personal computers, tablet computers, hand-held devices, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to wireless modems, etc. Terminals may be called different names in different networks, for example: a user equipment, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or user equipment, a cellular telephone, a cordless telephone, a personal digital assistant (personal digital assistant, PDA), a terminal device in a 5G network or a future evolution network, and the like.
In the application, the first terminal can be the terminal of the tester and the second terminal the terminal of the security personnel. When the tester performs a web test, a plurality of HTTP flows are generated; the web client on the tester's terminal uploads these flows to the web server, and the security personnel's terminal acquires the tester's flows from the web server and detects override vulnerabilities in them.
The service logic vulnerability detection method provided by the embodiment of the application is generally executed by the second terminal 106, and accordingly, the service logic vulnerability detection device is generally disposed in the second terminal 106, but the application is not limited thereto.
In the following method embodiments, for convenience of explanation, only the execution subject of each step is described as a terminal.
Fig. 2 is a schematic flow chart of a business logic vulnerability detection method according to an embodiment of the present application. As shown in fig. 2, the method according to the embodiment of the present application may include the following steps:
S201, acquiring a first HTTP traffic generated by a web application; the first HTTP traffic carries a first data stream.
The first HTTP traffic comprises a first data stream and first HTTP request information, wherein the first data stream comprises the triggered SQL statements, the triggered REST calls, the triggered RPC calls and the like. The HTTP traffic acquired in the embodiment of the application may be the user traffic information acquired in a preset time period, and the user traffic information may be acquired by technologies such as a proxy or instrumentation. The HTTP request information may include: IP information, URL parameter information, the session identifier in the cookie field, etc. The preset time period may be set to 1 day, 1 week, 2 weeks, etc. The URL parameter information may include the URL parameters and their corresponding parameter values. The session identifier in the cookie field identifies the user initiating the HTTP request, so the session identifier may be understood as user identity information.
S202, marking and identity replacement are carried out on the first HTTP traffic to obtain second HTTP traffic.
The marking means that the first HTTP request information in the first HTTP traffic is marked, and a mark is mainly added in a header of the first HTTP request information. The first HTTP request information carries identity information of the user, which may be referred to as first user identity information. Likewise, the second HTTP traffic includes second HTTP request information and a second data stream, where the second HTTP request information also carries identity information of the user, which may be referred to as second user identity information. The identity replacement process is to replace the first user identity information in the first HTTP request information with the second user identity information to obtain the second HTTP traffic.
It will be appreciated that, after the mark is added to the first HTTP request message, the instrumented program checks for the mark in the request header during the subsequent replay of the traffic; when it finds the mark, it intercepts update-type SQL statements and modifies the packet before it reaches the database, so that no dirty data is generated.
S203, accessing based on the second HTTP traffic, acquiring a second data stream triggered in the accessing process, and judging whether an override vulnerability exists based on the first data stream and the second data stream.
The data stream triggered in the access process of the HTTP traffic may include SQL statement data, data of REST API calls, data of RPC calls, and the like. An override vulnerability is a common logic security vulnerability. It arises when the web server over-trusts the data operation request submitted by the user and omits the check of the user's operation authority, so that by modifying related parameters the user can add, delete, view or change the data of other accounts.
It can be understood that access is performed based on the second HTTP traffic and the second data stream triggered in the access process is acquired; the data stream acquired in the embodiment of the present application refers to the SQL statement data in the access process, no other data stream is involved, and whether an override vulnerability exists is determined from the SQL statement data. Specifically, whether an override vulnerability exists is judged from the SQL statement data stream, mainly by judging whether the SQL statement executed for the second HTTP request is identical to the SQL statement executed for the first HTTP request. If the two are identical, an override vulnerability exists; if they differ, no override vulnerability exists.
When the scheme of the embodiment of the application is executed, a first HTTP traffic generated by a web application is acquired through a server, the first HTTP traffic carries a first data stream, then the first HTTP traffic is subjected to marking processing and identity replacement processing to obtain a second HTTP traffic, then access is performed based on the second HTTP traffic, a second data stream triggered in the access process is acquired, and whether an override vulnerability exists is judged based on the first data stream and the second data stream. The application judges whether the override vulnerability exists according to the data stream triggered by the HTTP traffic, which reduces the false alarm rate of override vulnerability detection and also avoids generating dirty data.
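As an added example, not code from the patent or from Beijing Dami Technology, the following Python carries out steps S201 and S202 on a constructed captured request: it parses the raw HTTP request text, reads the session identifier from the cookie field, adds a mark to the request header and replaces the first user identity information with the second. The header name `testSource` with value `security`, the cookie name `sessionID`, the host and the request parameters are assumptions built from the figures the description uses; a deployment would take them from the captured traffic. The `is_marked` check is the test the instrumented program applies on the replay side.

```python
"""Marking and identity replacement of a captured HTTP request (steps S201-S202).

Example code; the request below is constructed, not captured from a real application."""
from http.cookies import SimpleCookie

# Constructed first HTTP traffic: user A (sessionID aaaaaa) updates a username.
FIRST_REQUEST = (
    "POST /api/user/update HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: sessionID=aaaaaa; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "userid=teacher_a&username=sara"
)

MARK_HEADER = "testSource"    # assumed header name used as the mark
MARK_VALUE = "security"       # assumed mark value
SESSION_COOKIE = "sessionID"  # assumed cookie carrying the user identity information


def parse_request(raw):
    """Split raw request text into request line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def serialize_request(req):
    """Inverse of parse_request: rebuild the raw request text."""
    lines = [f"{req['method']} {req['path']} {req['version']}"]
    lines += [f"{name}: {value}" for name, value in req["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def session_id(req):
    """Return the session identifier from the Cookie header, or None."""
    for name, value in req["headers"]:
        if name.lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            if SESSION_COOKIE in jar:
                return jar[SESSION_COOKIE].value
    return None


def is_marked(req):
    """The instrumented program's check: does the request carry the mark?"""
    return any(name.lower() == MARK_HEADER.lower() and value == MARK_VALUE
               for name, value in req["headers"])


def mark_and_replace(raw, second_session):
    """Step S202: add the mark header and swap the first user's session id for the second's.

    Everything else (path, parameters, body) is left untouched so the replay exercises
    exactly the operation the first user performed."""
    req = parse_request(raw)
    new_headers = []
    for name, value in req["headers"]:
        if name.lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            jar[SESSION_COOKIE] = second_session
            value = "; ".join(f"{key}={morsel.value}" for key, morsel in jar.items())
        new_headers.append((name, value))
    new_headers.append((MARK_HEADER, MARK_VALUE))
    req["headers"] = new_headers
    return serialize_request(req)


if __name__ == "__main__":
    second = mark_and_replace(FIRST_REQUEST, "bbbbb")
    print(second)
```

The body and its Content-Length are unchanged because only the cookie and the added header differ between the first and second HTTP traffic; that is what lets the SQL comparison in S203 attribute any difference to the identity, not to the request.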
Fig. 3 is a schematic flow chart of a business logic vulnerability detection method according to an embodiment of the present application. As shown in fig. 3, the method according to the embodiment of the present application may include the following steps:
S301, acquiring a first HTTP traffic generated by a web application; the first HTTP traffic carries a first data stream.
In one possible implementation, a plurality of HTTP traffic generated by the web application in the test environment is collected, and one HTTP traffic is randomly selected from them as the first HTTP traffic. When the plurality of HTTP traffic is collected, the HTTP traffic within a preset time period may be collected, so that whether the application has an override vulnerability within a certain period can be detected and the efficiency of vulnerability detection improved. The preset time period may be set to 1 day, 7 days, 15 days, etc.; the embodiment of the present application is not limited in this respect. Alternatively, a preset number of HTTP traffic may be collected, collection stopping when the collected HTTP traffic reaches the preset number, which enlarges the range of vulnerability detection. The preset number may be set to 100, 200, 500, etc.; the embodiment of the present application is not limited in this respect.
In another possible implementation, a plurality of HTTP traffic generated by the web application in the test environment is collected, and one HTTP traffic is selected from them as the first HTTP traffic according to a preset time sequence. The preset time sequence may order the plurality of HTTP traffic from earliest to latest and detect each HTTP traffic in turn from earliest to latest, or detect each traffic in turn from latest to earliest. Similarly, when collecting the plurality of HTTP traffic, a preset collection time or a preset collection number may be set, as described in the above embodiment and not repeated here.
S302, the first HTTP traffic is subjected to marking processing and identity replacement processing to obtain second HTTP traffic.
The identity replacement processing indicates that the first user identity information is replaced by the second user identity information, the first user identity information indicates the user identity information carried in the first HTTP request information in the first HTTP traffic, and the second user identity information is used for indicating the user identity information carried in the second HTTP request information in the second HTTP traffic.
In general, marking the first HTTP traffic refers to adding a mark (for example "testSource" or "security") to the request header of the first HTTP request message. In this way, in the subsequent process of accessing based on the second HTTP traffic, the instrumented program finds the mark in the request header, intercepts the update-type SQL statement and modifies the packet, preventing dirty data.
S303, acquiring a second SQL statement executed by the second HTTP traffic in the access process, and judging whether the SQL statement executed by the second HTTP traffic is identical with the first SQL statement executed by the first HTTP traffic.
S304, if the same, an override vulnerability exists.
S305, if they are different, no override vulnerability exists.
S303 to S305 will be specifically described below.
In general, in the process of accessing with the second HTTP traffic carrying the second identity information, the SQL statement executed during the access is obtained. If the SQL statement executed by the second HTTP traffic is defined as the second SQL statement and the SQL statement executed by the first HTTP traffic as the first SQL statement, whether an override vulnerability exists may be determined from the first SQL statement and the second SQL statement. In addition, when the SQL statement executed by the second HTTP traffic includes an update statement, the update statement is modified: the operation keyword in the update statement is changed to a preset character string, a data packet is generated from the modified SQL statement, and that data packet is sent to the database.
For example: the first HTTP traffic carries the user identity information of user A (sessionID: aaaaaa), and the identity replacement changes it to the user identity information of user B (sessionID: bbbbb). Suppose the first SQL statement in the first HTTP traffic is "update table set username = sara where userid =teacher_a"; the first HTTP traffic was initiated by user A, so the user identity information it carries is sessionID: aaaaaa. Access is then performed with the second HTTP traffic. If the second SQL statement executed by the second HTTP traffic is also "update table set username = sara where userid =teacher_a", the first SQL statement and the second SQL statement are identical, which indicates that an override vulnerability exists. If no override vulnerability exists, then, since the user identity information carried in the second HTTP traffic is sessionID: bbbbb, the server verifies the identity and retrieves the information of user B during the access, the executed SQL statement adds, deletes, checks or changes the information of B, and the executed second SQL statement is "update table set username = sara where userid =teacher_b".
It can be understood that the purpose of executing the second HTTP traffic is to detect whether an override vulnerability exists. When the executed SQL statement involves an update statement, there is no need to actually modify the information of user B, who corresponds to the user identity information carried by the second HTTP traffic, nor to modify the information of user A again. Modifying the information of user B, or repeatedly modifying the information of user A, would generate dirty data. Therefore, to avoid generating dirty data, the update statement may be modified when the SQL statement includes one. The modification may change the functional keyword update in the update statement to a preset character string or an arbitrary character string. For example, "update table set username = sara where userid =teacher_a" is modified to "select table set username = sara where userid =teacher_a" or to "updateng table set username = sara where userid =teacher_a". After the update statement is modified, a data packet is generated from the modified SQL statement and sent to the database. Thus dirty data is effectively avoided while the override vulnerability is detected.
When the scheme of the embodiment of the application is executed, a first HTTP flow generated by a web application is acquired through a server, the first HTTP flow carries a first data flow, then the first HTTP flow is subjected to marking processing and identity replacement processing to obtain a second HTTP flow, then access is performed based on the second HTTP flow, a second SQL statement executed in the access process is acquired, and the second SQL statement executed by the second HTTP flow is compared with the first SQL statement executed by the first HTTP flow. If the two are the same, an override vulnerability exists; if they differ, no override vulnerability exists. In addition, when the SQL statement includes an update statement, the update statement may be modified and the modified SQL statement sent to the database. The method of the application not only reduces the false alarm rate of override vulnerability detection but also avoids generating dirty data.
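The following Python, added here as an illustration and not the patent's own implementation, plays the replay side of S303 to S305 against a simulated application. A stand-in for the instrumented program records every SQL statement the application builds and, on requests carrying the mark, changes the update keyword to select before the statement is handed on, as the description's example does. Two handlers are compared: one that trusts the userid parameter (the over-trust the description attributes to override vulnerabilities) and one that scopes the write to the session owner. The header mark, the session table, the user and session identifiers are constructed for the example, and there is no real database; statements are collected in lists so the example runs offline.

```python
"""Replay-side override detection (S303-S305) against a simulated, instrumented application.

Example code; the mark header, session table and requests below are constructed."""
import re

MARK_HEADER, MARK_VALUE = "testSource", "security"        # assumed mark header
SESSIONS = {"aaaaaa": "teacher_a", "bbbbb": "teacher_b"}  # constructed session -> user table
NEUTRAL_KEYWORD = "select"   # preset string the update keyword is changed to (page's example)


class Instrumentation:
    """Stand-in for the instrumented program between application and database."""

    def __init__(self):
        self.captured = []   # statements exactly as the application built them
        self.sent = []       # statements actually handed to the database

    def execute(self, request, sql):
        self.captured.append(sql)
        marked = request["headers"].get(MARK_HEADER) == MARK_VALUE
        if marked and re.match(r"\s*update\b", sql, re.IGNORECASE):
            # Marked replay: neutralise the update so stored data is not changed.
            sql = re.sub(r"^\s*update\b", NEUTRAL_KEYWORD, sql, count=1, flags=re.IGNORECASE)
        self.sent.append(sql)


def vulnerable_update(request, db):
    """Over-trusts the userid parameter and never checks who owns the session."""
    p = request["params"]
    db.execute(request, f"update table set username = {p['username']} where userid = {p['userid']}")


def scoped_update(request, db):
    """Derives the target row from the session owner, ignoring any userid parameter."""
    owner = SESSIONS[request["cookies"]["sessionID"]]
    db.execute(request, f"update table set username = {request['params']['username']} where userid = {owner}")


def derive_second_request(first, second_session):
    """S302 on an already-parsed request: copy it, add the mark, swap the session id."""
    second = {key: dict(value) for key, value in first.items()}
    second["headers"][MARK_HEADER] = MARK_VALUE
    second["cookies"]["sessionID"] = second_session
    return second


def run(handler, request):
    """Serve one request through a fresh instrumentation hook and return the hook."""
    hook = Instrumentation()
    handler(request, hook)
    return hook


def detect_override(handler, first_request, second_session):
    """Compare the SQL triggered by the original request with the SQL triggered by the replay."""
    first = run(handler, first_request)                    # tester's own traffic, unmarked
    second = run(handler, derive_second_request(first_request, second_session))
    return {
        "override": first.captured == second.captured,   # S304 (same) / S305 (different)
        "first_sql": first.captured,
        "second_sql": second.captured,
        "sent_to_db": second.sent,                       # what the database really received
    }


# Constructed first HTTP traffic: user A updates a username.
FIRST_REQUEST = {
    "headers": {"Host": "app.example.test"},
    "cookies": {"sessionID": "aaaaaa"},
    "params": {"userid": "teacher_a", "username": "sara"},
}

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_update), ("scoped", scoped_update)):
        result = detect_override(handler, FIRST_REQUEST, "bbbbb")
        print(name, "override vulnerability:", result["override"])
        print("  second SQL:", result["second_sql"][0])
        print("  sent to DB:", result["sent_to_db"][0])
```

The verdict is taken from the statement list as the application built it, while the database only ever sees the neutralised form, so the comparison is not distorted by the dirty-data protection. Comparing whole lists rather than a single string also covers requests that trigger more than one statement.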
Fig. 4 is a schematic structural diagram of a service logic vulnerability detection device according to an embodiment of the present application. The business logic vulnerability detection device can be implemented as all or part of the terminal through software, hardware or a combination of the two. The apparatus 400 includes:
a request acquisition module 410, configured to acquire a first hypertext transfer protocol HTTP traffic generated by a web application; wherein the first HTTP traffic carries a first data stream;
the request processing module 420 is configured to perform a marking process and an identity replacement process on the first HTTP traffic to obtain a second HTTP traffic;
the request detection module 430 is configured to access based on the second HTTP traffic, obtain a second data stream triggered in the access process, and determine whether an override vulnerability exists based on the first data stream and the second data stream.
Optionally, the request processing module 420 includes:
and the request processing unit is used for marking the first HTTP request information and replacing the first user identity information with second user identity information to obtain the second HTTP traffic.
Optionally, the request detection module 430 includes:
the first request detection unit is used for acquiring the second SQL statement executed by the second HTTP traffic in the access process;
and the second request detection unit is used for determining that an override vulnerability exists when the second SQL statement executed in the second HTTP traffic is identical to the first SQL statement executed in the first HTTP traffic.
Optionally, the request detection module 430 further includes:
and the third request detection unit is used for determining that no override vulnerability exists when the second SQL statement executed in the second HTTP traffic differs from the first SQL statement executed in the first HTTP traffic.
Optionally, the request detection module 430 includes:
a fourth request detection unit, configured to modify an update statement when the second SQL statement executed by the second HTTP traffic includes the update statement;
and the fifth request detection unit is used for generating a data packet based on the modified second SQL statement and sending the data packet to the database.
Optionally, the request acquisition module 410 includes:
the first acquisition unit is used for acquiring a plurality of HTTP traffic generated by the web application in the test environment;
the second collection unit is used for randomly selecting one HTTP traffic from the HTTP traffic as the first HTTP traffic.
Optionally, the request acquisition module 410 includes:
the third acquisition unit is used for acquiring a plurality of HTTP traffic generated by the web application in the test environment;
and the fourth acquisition unit is used for selecting one HTTP traffic from the plurality of HTTP traffic as the first HTTP traffic according to a preset time sequence.
When the scheme of the embodiment of the application is executed, a first HTTP traffic generated by a web application is acquired through a server, the first HTTP traffic carries a first data stream, then the first HTTP traffic is subjected to marking processing and identity replacement processing to obtain a second HTTP traffic, then access is performed based on the second HTTP traffic, a second data stream triggered in the access process is acquired, and whether an override vulnerability exists is judged based on the first data stream and the second data stream. The application judges whether the override vulnerability exists according to the data stream triggered by the HTTP traffic, which reduces the false alarm rate of override vulnerability detection and also avoids generating dirty data.
Referring to fig. 5, a block diagram illustrating a structure of a terminal according to an exemplary embodiment of the present application is shown. The terminal of the present application may include one or more of the following components: processor 510, memory 520, input device 530, output device 540, and bus 550. The processor 510, memory 520, input device 530, and output device 540 may be connected by a bus 550.
Processor 510 may include one or more processing cores. The processor 510 connects the various parts of the terminal through various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing instructions, programs, code sets or instruction sets stored in the memory 520 and invoking data stored in the memory 520. Optionally, the processor 510 may be implemented in at least one hardware form of a digital signal processor (DSP), a field-programmable gate array (FPGA) or a programmable logic array (PLA). The processor 510 may integrate one or a combination of a central processing unit (CPU), a graphics processing unit (GPU), a modem and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU is responsible for rendering and drawing display content; the modem handles wireless communication. It will be appreciated that the modem may also not be integrated into the processor 510 and may instead be implemented by a separate communication chip.
The memory 520 may include a random access memory (RAM) or a read-only memory (ROM). Optionally, the memory 520 includes a non-transitory computer-readable storage medium. The memory 520 may be used to store instructions, programs, code sets or instruction sets. The memory 520 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, which may be an Android system (including systems developed on the basis of Android), an iOS system developed by Apple Inc. (including systems developed on the basis of iOS) or another system, instructions for implementing at least one function (such as a touch function, a sound playing function, an image playing function and the like), instructions for implementing the method embodiments described in this application, and the like. The data storage area may store data created by the terminal in use (such as a phonebook, audio and video data, chat records) and the like.
Referring to FIG. 6, the memory 520 may be divided into an operating system space, in which the operating system runs, and a user space, in which native and third-party application programs run. To ensure that different third-party application programs achieve a better running effect, the operating system allocates corresponding system resources to the different third-party application programs. However, different application scenarios within the same third-party application program place different demands on system resources: for example, in a local resource loading scenario the third-party application program has a higher demand on disk read speed, while in an animation rendering scenario it has a higher demand on GPU performance. The operating system and the third-party application program are independent of each other, and the operating system often cannot perceive the current application scenario of the third-party application program in time, so it cannot adapt system resources specifically to that scenario.
To enable the operating system to distinguish the specific application scenario of the third-party application program, a data communication channel between the third-party application program and the operating system needs to be established, so that the operating system can obtain the current scenario information of the third-party application program at any time and adapt system resources accordingly.
Taking the Android system as an example of the operating system, as shown in fig. 7, a Linux kernel layer 720, a system runtime library layer 740, an application framework layer 760 and an application layer 780 may be stored in the memory 520, where the Linux kernel layer 720, the system runtime library layer 740 and the application framework layer 760 belong to the operating system space and the application layer 780 belongs to the user space. The Linux kernel layer 720 provides the underlying drivers for the various hardware of the terminal, such as display drivers, audio drivers, camera drivers, Bluetooth drivers, Wi-Fi drivers, power management and the like. The system runtime library layer 740 provides the main feature support for the Android system through C/C++ libraries; for example, the SQLite library provides database support, the OpenGL/ES library provides 3D graphics support, and the WebKit library provides browser kernel support. The system runtime library layer 740 also provides the Android runtime library, which mainly provides core libraries that allow developers to write Android applications in the Java language. The application framework layer 760 provides the various APIs that may be used in building applications, such as activity management, window management, view management, notification management, content providers, package management, call management, resource management and location management, which developers can also use to build their own applications.
At least one application program is running in the application layer 780, and these application programs may be native application programs of the operating system, such as a contact program, a short message program, a clock program, a camera application, and the like; and may also be a third party application developed by a third party developer, such as a game-like application, instant messaging program, photo beautification program, shopping program, etc.
Taking the iOS system as an example of the operating system, the programs and data stored in the memory 520 are shown in fig. 8. The iOS system includes a core operating system layer 820 (Core OS layer), a core services layer 840 (Core Services layer), a media layer 860 (Media layer) and a touchable layer 880 (Cocoa Touch layer). The core operating system layer 820 includes the operating system kernel, drivers and underlying program frameworks, which provide functionality closer to the hardware for use by the program frameworks in the core services layer 840. The core services layer 840 provides the system services and/or program frameworks required by applications, such as the Foundation framework, an accounts framework, an advertising framework, a data storage framework, a network connection framework, a geographic location framework, a motion framework and the like. The media layer 860 provides interfaces for applications related to audio and video, such as graphics and image interfaces, audio technology interfaces, video technology interfaces, the AirPlay wireless audio-video streaming interface and the like. The touchable layer 880 provides various commonly used interface-related frameworks for application development and is responsible for the user's touch interaction on the terminal, such as a local notification service, a remote push service, an advertising framework, a game tool framework, a message user interface (UI) framework, the UIKit user interface framework, a map framework and the like.
Among the frameworks illustrated in fig. 8, the frameworks relevant to most applications include, but are not limited to, the Foundation framework in the core services layer 840 and the UIKit framework in the touchable layer 880. The Foundation framework provides many basic object classes and data types and provides the most basic system services for all applications, independent of the UI. The classes provided by the UIKit framework form a basic UI class library for creating touch-based user interfaces; iOS applications can provide a UI based on the UIKit framework, so it provides the infrastructure for an application to build its user interface, draw, handle user interaction events, respond to gestures and so on.
The manner and principle of implementing data communication between a third-party application program and the operating system in the iOS system can refer to the Android system and are not described again here.
The input device 530 is configured to receive input instructions or data, and includes, but is not limited to, a keyboard, a mouse, a camera, a microphone or a touch device. The output device 540 is configured to output instructions or data, and includes, but is not limited to, a display device, a speaker and the like. In one example, the input device 530 and the output device 540 may be combined into a touch display screen, which receives touch operations performed by the user on or near it with a finger, a stylus or any other suitable object, and displays the user interface of each application program. The touch display screen is typically provided on the front panel of the terminal. The touch display screen may be designed as a full screen, a curved screen or an irregular-shaped screen; it may also be designed as a combination of a full screen and a curved screen, or of an irregular-shaped screen and a curved screen, which is not limited in the embodiments of the present application.
In addition, those skilled in the art will appreciate that the configuration of the terminal illustrated in the above figures does not constitute a limitation of the terminal; the terminal may include more or fewer components than illustrated, may combine certain components, or may have a different arrangement of components. For example, the terminal may further include components such as a radio frequency circuit, an input unit, a sensor, an audio circuit, a wireless fidelity (WiFi) module, a power supply and a Bluetooth module, which are not described again here.
In the embodiments of the present application, the execution subject of each step may be the terminal described above. Optionally, the execution subject of each step is the operating system of the terminal. The operating system may be an Android system, an iOS system or another operating system, which is not limited by the embodiments of the present application.
The terminal of the embodiments of the present application may further be provided with a display device, which may be any device capable of realizing a display function, such as a cathode ray tube display (CRT), a light-emitting diode display (LED), an electronic ink screen, a liquid crystal display (LCD), a plasma display panel (PDP) and the like. A user may view displayed text, images, video and other information using the display device on the terminal 101. The terminal may be a smart phone, a tablet computer, a gaming device, an AR (augmented reality) device, an automobile, a data storage device, an audio playing device, a video playing device, a notebook computer, a desktop computing device, or a wearable device such as an electronic watch, electronic glasses, an electronic helmet, an electronic bracelet, an electronic necklace, electronic clothing and the like.
In the terminal shown in fig. 5, the processor 510 may be configured to invoke an application program stored in the memory 520, and specifically execute the business logic vulnerability detection method according to the embodiment of the present application.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of modules is merely a logical function division, and there may be additional divisions of actual implementation, e.g., multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
If the integrated modules are implemented in the form of software functional modules and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
It should be noted that, for the sake of simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the present application.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing describes a business logic vulnerability detection method, device, storage medium and terminal provided by the present application, and for those skilled in the art, according to the idea of the embodiment of the present application, there are changes in the specific implementation and application scope, and in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A business logic vulnerability detection method, the method comprising:
acquiring a first HTTP traffic generated by a web application; the first HTTP traffic carries a first data stream, and the first data stream comprises a first SQL statement;
the first HTTP traffic is subjected to marking processing and identity replacement processing to obtain second HTTP traffic;
accessing based on the second HTTP traffic, acquiring a second data stream triggered in the accessing process, and judging whether an override vulnerability exists or not based on the first data stream and the second data stream, wherein the second data stream comprises a second SQL statement;
the step of acquiring the second data stream triggered in the access process, and judging whether an override vulnerability exists or not based on the first data stream and the second data stream comprises the following steps:
acquiring the second SQL statement executed by the second HTTP traffic in the access process;
if the second SQL statement executed by the second HTTP traffic is the same as the first SQL statement executed by the first HTTP traffic, an override vulnerability exists;
when the SQL statement executed by the second HTTP traffic comprises an update statement, modifying the update statement, generating a data packet based on the modified SQL statement, and sending the data packet to a database.
2. The method of claim 1, wherein the first HTTP traffic comprises first HTTP request information and the first data stream; wherein the first HTTP request information includes first user identity information.
3. The method according to claim 2, wherein the performing the marking process and the identity replacing process on the first HTTP traffic to obtain a second HTTP traffic includes:
and marking the first HTTP request information, and replacing the first user identity information with second user identity information to obtain the second HTTP traffic.
4. The method according to claim 1, wherein the method further comprises:
if the second SQL statement executed by the second HTTP traffic is different from the first SQL statement executed by the first HTTP traffic, no override vulnerability exists.
5. The method according to claim 1 or 4, characterized in that the method further comprises:
when the second SQL statement executed by the second HTTP traffic comprises an update statement, modifying the update statement;
generating a data packet based on the modified second SQL statement, and sending the data packet to a database.
6. The method of claim 1, wherein the obtaining the first HTTP traffic generated by the web application comprises:
collecting a plurality of HTTP traffic generated by the web application in the test environment;
and randomly selecting one HTTP traffic from the plurality of HTTP traffic as a first HTTP traffic.
7. The method of claim 1, wherein the obtaining the first HTTP traffic generated by the web application comprises:
collecting a plurality of HTTP traffic generated by the web application in the test environment;
and selecting one HTTP traffic from the plurality of HTTP traffic as a first HTTP traffic according to a preset time sequence.
8. A business logic vulnerability detection apparatus, the apparatus comprising:
the request acquisition module is used for acquiring a first HTTP traffic generated by the web application; the first HTTP traffic carries a first data stream, and the first data stream comprises a first SQL statement;
the request processing module is used for carrying out marking processing and identity replacement processing on the first HTTP traffic to obtain second HTTP traffic;
the request detection module is used for accessing based on the second HTTP traffic, acquiring a second data stream triggered in the accessing process, judging whether an override vulnerability exists or not based on the first data stream and the second data stream, wherein the second data stream comprises a second SQL statement;
the request detection module is specifically configured to obtain the second SQL statement executed by the second HTTP traffic during the accessing process; if the second SQL statement executed by the second HTTP traffic is the same as the first SQL statement executed by the first HTTP traffic, an override vulnerability exists; when the SQL statement executed by the second HTTP traffic comprises an update statement, modifying the update statement, generating a data packet based on the modified SQL statement, and sending the data packet to a database.
9. A computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the method steps of any one of claims 1 to 7.
10. A terminal, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the method steps of any of claims 1-7.
CN202011431712.0A 2020-12-08 2020-12-08 Business logic vulnerability detection method and device, storage medium and terminal Active CN112653670B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011431712.0A CN112653670B (en) 2020-12-08 2020-12-08 Business logic vulnerability detection method and device, storage medium and terminal

Publications (2)

Publication Number Publication Date
CN112653670A CN112653670A (en) 2021-04-13
CN112653670B true CN112653670B (en) 2023-11-10

Family

ID=75350597

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011431712.0A Active CN112653670B (en) 2020-12-08 2020-12-08 Business logic vulnerability detection method and device, storage medium and terminal

Country Status (1)

Country Link
CN (1) CN112653670B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113595972A (en) * 2021-06-08 2021-11-02 贵州电网有限责任公司 Web service behavior logic detection method based on middleware flow analysis technology
CN113885958B (en) * 2021-09-30 2023-10-31 杭州默安科技有限公司 Method and system for intercepting dirty data
CN114499960B (en) * 2021-12-24 2024-03-22 深圳开源互联网安全技术有限公司 CSRF vulnerability identification method, device and computer readable storage medium
CN114640506B (en) * 2022-02-28 2023-10-31 天翼安全科技有限公司 Vulnerability detection method, device, equipment and medium
CN114422274B (en) * 2022-03-29 2022-07-05 腾讯科技(深圳)有限公司 Multi-scene vulnerability detection method and device based on cloud protogenesis and storage medium
CN115348086B (en) * 2022-08-15 2024-02-23 中国电信股份有限公司 Attack protection method and device, storage medium and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101312393A (en) * 2007-05-24 2008-11-26 北京启明星辰信息技术有限公司 Detection method and system for SQL injection loophole
CN106713347A (en) * 2017-01-18 2017-05-24 国网江苏省电力公司电力科学研究院 Method for detecting unauthorized access vulnerability of power mobile application
CN110688659A (en) * 2019-09-10 2020-01-14 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting horizontal override based on IAST test tool

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8800042B2 (en) * 2005-05-16 2014-08-05 Hewlett-Packard Development Company, L.P. Secure web application development and execution environment

Also Published As

Publication number Publication date
CN112653670A (en) 2021-04-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant