CN112738068A - Network vulnerability scanning method and device - Google Patents

Info

Publication number: CN112738068A (application number CN202011564031.1A; granted version CN112738068B)
Authority: CN (China)
Prior art keywords: scanning, data, scanned, type, strategy
Legal status: Granted, active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN112738068B (en)
Inventor: 章晓祥
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd (the listed assignees may be inaccurate)
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202011564031.1A; published as CN112738068A; application granted and published as CN112738068B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Abstract

The embodiment of the application provides a network vulnerability scanning method and device, relates to the technical field of network security, and the network vulnerability scanning method comprises the steps of firstly obtaining data to be scanned, then determining the source type of the data to be scanned, determining a scanning strategy aiming at the data to be scanned according to the source type, and finally carrying out vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result.

Description

Network vulnerability scanning method and device
Technical Field
The application relates to the technical field of network security, in particular to a network vulnerability scanning method and device.
Background
At present, web-related vulnerability detection can be realized through network vulnerability scanning technology, which in turn effectively improves network security. In existing network vulnerability scanning methods, a network administrator usually performs manual testing and auditing through scanning plug-ins to obtain a vulnerability scanning result. In practice, however, this requires not only patience but also rich professional experience from the administrator, its applicability is poor, and manual scanning is inefficient and has low accuracy. Therefore, conventional network vulnerability scanning methods have high professional requirements, poor applicability, low scanning efficiency and low accuracy.
Disclosure of Invention
An object of the embodiments of the present application is to provide a network vulnerability scanning method and apparatus, which can automatically perform network vulnerability scanning, have low professional requirements and strong applicability, do not require manual operation, and further facilitate improvement of scanning efficiency and scanning accuracy.
A first aspect of the embodiments of the present application provides a network vulnerability scanning method, including:
acquiring data to be scanned;
determining the source type of the data to be scanned;
determining a scanning strategy aiming at the data to be scanned according to the source type;
and performing vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result.
In the implementation process, the data to be scanned is obtained first, then its source type is determined, a scanning strategy for the data to be scanned is determined according to the source type, and finally the data to be scanned is subjected to vulnerability scanning according to that strategy to obtain a network vulnerability scanning result. Network vulnerability scanning can thus be carried out automatically: the professional requirement is low, the applicability is strong, manual operation is not needed, and the scanning efficiency and the scanning accuracy are improved.
Further, the determining the source type of the data to be scanned includes:
when the data to be scanned is log data, determining that the source type of the data to be scanned is a log type;
and when the data to be scanned is preset target data, determining that the source type of the data to be scanned is a scanning target type.
In the implementation process, the source type of the data to be scanned is determined according to the source of the data to be scanned so as to realize the source standardization of the data to be scanned, and then a corresponding scanning strategy is adopted.
Further, the determining a scanning strategy for the data to be scanned according to the source type includes:
when the source type is the log type, acquiring a preset knowledge base and a first scanning strategy corresponding to the log type;
and generating a scanning strategy aiming at the data to be scanned according to the preset knowledge base and the first scanning strategy.
In the implementation process, when the source type is the log type, the preset knowledge base and the corresponding first scanning strategy are obtained, and then the scanning strategy is obtained.
Further, the determining a scanning strategy for the data to be scanned according to the source type includes:
when the source type is the scanning target type, acquiring a preset conventional scanning strategy and a second scanning strategy corresponding to the scanning target type;
and generating a scanning strategy aiming at the data to be scanned according to the preset conventional scanning strategy and the second scanning strategy.
In the implementation process, when the source type is the scanning target type, the preset conventional scanning strategy and the second scanning strategy are obtained to further obtain the scanning strategy.
Further, the performing vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result includes:
when the source type is the log type, carrying out flow identification on the data to be scanned to obtain a flow identification result;
performing collision comparison on the flow identification result and the preset knowledge base to obtain a comparison data set;
performing vulnerability scanning on the flow identification result through the first scanning strategy to obtain a first scanning result;
and generating a network vulnerability scanning result according to the flow identification result, the comparison data set and the first scanning result.
In the implementation process, for the log type, a comparison data set is obtained through traffic content identification and knowledge base collision; the potential security hazards in the network can be learned from the comparison data set, and the first scanning strategy is then applied for further scanning, so that deeper network vulnerabilities can be uncovered, the missed-report rate reduced and the scanning accuracy improved.
Further, the performing vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result includes:
when the source type is the scanning target type, information collection is carried out on the data to be scanned to obtain collected data;
carrying out heuristic detection processing on the collected data through the preset conventional scanning strategy to obtain a detection result, and carrying out network simulation operation according to the collected data to obtain simulation operation data;
determining a network address set capable of being normally accessed according to the detection result and the simulation operation data;
performing deep vulnerability scanning on the network address set according to the second scanning strategy to obtain a second scanning result;
and generating a network vulnerability scanning result according to the detection result, the simulation operation data, the network address set and the second scanning result.
In the implementation process, for the scanning target type, information collection is carried out first and a proxy site is mounted; network simulation operation is then carried out, more network addresses are discovered from the detection result and the simulation operation data, and the resulting network address set is deep-scanned so that deeper vulnerabilities are discovered automatically.
A second aspect of the embodiments of the present application provides a network vulnerability scanning apparatus, which includes:
the data acquisition module is used for acquiring data to be scanned;
the type determining module is used for determining the source type of the data to be scanned;
the strategy determining module is used for determining a scanning strategy aiming at the data to be scanned according to the source type;
and the scanning module is used for carrying out vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result.
In the implementation process, the data acquisition module acquires data to be scanned firstly, the type determination module determines the source type of the data to be scanned, the strategy determination module determines a scanning strategy aiming at the data to be scanned according to the source type, and finally the scanning module performs vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result.
Further, the type determining module is specifically configured to determine that the source type of the data to be scanned is a log type when the data to be scanned is log data; and when the data to be scanned is preset target data, determining that the source type of the data to be scanned is a scanning target type.
In the implementation process, the type determining module can determine the source type of the data to be scanned according to the source of the data to be scanned, so as to achieve source standardization of the data to be scanned, and further adopt a corresponding scanning strategy.
A third aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the network vulnerability scanning method described in any one of the first aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the network vulnerability scanning method according to any one of the first aspect of the embodiments of the present application.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart illustrating a network vulnerability scanning method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a network vulnerability scanning method according to a second embodiment of the present application;
fig. 3 is a schematic flowchart of a network vulnerability scanning method according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of a network vulnerability scanning apparatus according to a fourth embodiment of the present application;
fig. 5 is a schematic structural diagram of a network vulnerability scanning apparatus according to a fifth embodiment of the present application;
fig. 6 is a schematic structural diagram of a network vulnerability scanning apparatus according to a sixth embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a network vulnerability scanning method according to an embodiment of the present application. The network vulnerability scanning method comprises the following steps:
S101, acquiring data to be scanned.
In this embodiment of the present application, the data to be scanned may be log data, scan target data, and the like, which is not limited in this embodiment of the present application.
In the embodiment of the present application, the scan target is preset, and specifically may be a network address target, such as a URL (Uniform Resource Locator).
In this embodiment, the main body of the method may be a scanning device.
In the embodiment of the present application, the scanning device may be a computing device such as a computer and a server, and is not limited in this embodiment.
In this embodiment, the scanning device may also be an intelligent device such as a smart phone and a tablet computer, which is not limited in this embodiment.
In this embodiment of the present application, the log data may include http protocol logs, proxy log data of a scanning device, and the like, which is not limited in this embodiment of the present application.
In the embodiment of the present application, the http protocol log is generally an offline log, and includes access logs collected by conventional middleware (tomcat/nginx/apache2/iis and the like), mobile-phone logs from an internet behavior management device, a Firefox HAR file and the like, which is not limited in the embodiment of the present application.
After step S101, the following steps are also included:
S102, determining the source type of the data to be scanned.
In the embodiment of the application, the corresponding source type can be determined according to the source of the data to be scanned, so that the source normalization of the data to be scanned is realized.
S103, determining a scanning strategy aiming at the data to be scanned according to the source type.
In this embodiment of the present application, when the source type is a log type, the source of the data to be scanned is a log that already stores web access records, for example a log of a web application device, an http log of a gateway device, a middleware log, an output log of a client agent (that is, a scanning device) on which the method is enabled, and the like, which is not limited in this embodiment of the present application.
In the embodiment of the present application, when the source type is the scan target type, the scan target is preset in the scan apparatus. After the scan parameter configuration is performed, a set of scan strategies is loaded, for example, an information collection module may be loaded to perform lateral asset information collection, a custom scanned plug-in set may also be loaded, and a corresponding study and judgment report is output.
In the embodiment of the application, the scanning strategy comprises scanning plug-in information, and the scanning plug-ins adopted by the method can be transplanted and expanded and can be directly related to reports.
In the embodiment of the application, through the scanning strategy, a plurality of plug-ins can be integrated, the missed-report rate can be reduced, and the scanning speed can be greatly increased. In practical use, the scanning strategy can also be custom-configured: for example, if some information is known in advance, only the scanning plug-ins for a Java framework are called and those for a PHP framework are not, and parameters such as the User-Agent and the timeout can be tuned for the scan. If the target is configured as a static file when the plug-ins are run, only the plug-in for information-leakage checks needs to be called.
In the embodiment of the application, for the setting of the custom configuration, a scanning configuration with default association property may be adopted, and the configuration may also be performed according to user interaction.
After step S103, the following steps are also included:
S104, performing vulnerability scanning processing on the data to be scanned according to a scanning strategy to obtain a network vulnerability scanning result.
In the embodiment of the application, when vulnerability scanning is performed on data to be scanned, the vulnerability scanning comprises offline detection scanning and interactive scanning, wherein the offline detection scanning comprises static detection, specifically comprises flow extraction and knowledge base collision; the interactive scanning includes active scanning and vulnerability scanning, wherein the active scanning includes automatic scanning and information collection, and the vulnerability scanning includes conventional vulnerability identification, custom policy scanning, multiple detection verification and the like, which is not limited in the embodiment of the present application.
In the embodiment of the application, a normalized scanning report can be obtained by summarizing the network vulnerability scanning results. The scanning report comprises the whole http message information in the data to be scanned, an alarm studying and judging method, a network vulnerability scanning process and the like.
In the embodiment of the application, by outputting a normalized scanning report, a unified log management system can produce a more detailed and visual report. Charts display the performance of each plug-in, the url scanning status of the site, the historical performance of plug-ins, a detailed description of each vulnerability and related vulnerability descriptions, a vulnerability reproduction method (providing the request header information for traffic replay), the possible harm, disposal suggestions and the like. The report strictly follows the OWASP report specification and is also suitable for secondary development and extension of the report module.
In the embodiment of the application, after the network vulnerability scanning result is obtained, if part of the scanning report is in doubt, the scanning report can still be subjected to recheck, or scanning strategies and parameters are adjusted to perform recheck of scanning scheme redeployment.
In the embodiment of the application, the alarm logs generated in the scanning process can be collected and filtered, and the scanning result entries are unified into normalized logs.
In the embodiment of the application, the scan alarms, the component performance, the performance of asset scanning results and the like can be displayed in a UI (user interface) with visual charts, and the related data can be queried, downloaded, exported and the like.
In the embodiment of the application, the network vulnerability scanning method provided by the embodiment can be used for rapidly mining the web vulnerability and performing security check on the intranet assets based on http/https protocol service.
In the embodiment of the application, the network vulnerability scanning method provided by the embodiment greatly reduces the operation cost of a security administrator, and has the advantages of low missing report rate, rapid scanning, less man-machine interaction and clear report.
The network vulnerability scanning method provided by the embodiment of the application is suitable for web project testing, and can be used for finding vulnerability hidden dangers possibly existing in a project and further repairing the vulnerability hidden dangers. The method can reduce the workload of web penetration engineers or related practitioners, and can perform rapid vulnerability discovery on a large number of web websites.
The network vulnerability scanning method provided by the embodiment of the application has the advantages of being rapid in scanning, accurate in vulnerability discovery, capable of being decoupled, easy in technology transplantation, capable of realizing multi-dimensional vulnerability verification and standardized in vulnerability output report.
Therefore, the network vulnerability scanning method described in the embodiment can automatically perform network vulnerability scanning, has low professional requirements and strong applicability, does not need manual operation, and is further beneficial to improving the scanning efficiency and the scanning accuracy.
Example 2
Referring to fig. 2, fig. 2 is a flowchart illustrating a network vulnerability scanning method according to an embodiment of the present application. As shown in fig. 2, the network vulnerability scanning method includes:
S201, acquiring data to be scanned.
S202, when the data to be scanned is log data, determining that the source type of the data to be scanned is a log type; and when the data to be scanned is preset target data, determining that the source type of the data to be scanned is a scanning target type.
In the embodiment of the present application, by implementing the step S202, the source type of the data to be scanned can be determined.
S203, when the source type is the log type, acquiring a preset knowledge base and a first scanning strategy corresponding to the log type.
In this embodiment of the application, before step S201, detection parameters may also be configured in advance, and are mainly used to configure a policy for enabling corresponding scanning detection according to different source types.
S204, generating a scanning strategy aiming at the data to be scanned according to a preset knowledge base and the first scanning strategy.
In the embodiment of the present application, the first scanning policy includes, for example, plugin information used in scanning, and the embodiment of the present application is not limited thereto.
In the embodiment of the present application, by implementing the steps S203 to S204, the scanning policy for the data to be scanned can be determined according to the source type.
S205, when the source type is the log type, performing traffic identification on the data to be scanned to obtain a traffic identification result.
In the embodiment of the present application, traffic identification of the data to be scanned requires information extraction from it. The extraction mainly targets the request header, request body, response header, response body and similar fields of the data to be scanned, together with payload decoding, request header decoding, request parameter key-value pairs, request Cookie key-value pairs and the like, and the embodiment of the present application is not limited thereto.
S206, performing collision comparison on the flow identification result and a preset knowledge base to obtain a comparison data set.
In the embodiment of the present application, the preset knowledge base at least includes information sets such as a payload rule set and a vulnerability crawler knowledge base that have been currently stored, and the embodiment of the present application is not limited thereto.
In the embodiment of the application, learning analysis of knowledge base collision is performed on the basis of logs generated offline.
In the embodiment of the application, through learning analysis of the preset knowledge base, recombination of the payload is attempted by machine learning to test whether similar exploitation methods exist.
In the embodiment of the application, the collision process of the knowledge base can be realized by performing collision comparison with the preset knowledge base, specifically, the flow identification result and the preset knowledge base are collided, and the comparison data set is output.
In the embodiment of the application, the comparison data set at least comprises a network address (URL) with hidden loopholes and payload content used for comparison, and the preset knowledge base comprises the payload content.
In the embodiment of the application, the comparison data set comprises the probability of the existence of the vulnerability hidden danger, and when the probability reaches a preset probability threshold value, alarm prompt information is output.
In the embodiment of the application, through step S205 to step S206, traffic content identification and knowledge base collision may be performed to obtain a comparison data set, and what type of network attack type exists or what type of security hidden danger exists in a url in the log (to-be-scanned data) may be known according to the comparison data set.
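The log-type path of steps S202, S205 and S206 as an added Python example (not code from the patent or from Topsec): the access-log format, the small rule set standing in for the preset knowledge base, the rule weights and the alarm threshold are all constructed assumptions, and the output is the comparison data set (URL, matched payload, threat type, probability, alarm flag) the description calls for.

```python
"""Added example: traffic identification (S205) and knowledge-base collision (S206)
over offline access-log data, producing the comparison data set the patent describes.
The log format, rule set, weights and threshold are constructed assumptions."""
import re
from math import prod
from urllib.parse import parse_qsl, urlsplit

# Combined-format access log line as written by nginx/apache-style middleware (assumed format).
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
URL_RE = re.compile(r"^https?://\S+$")

# Constructed sample log: one benign request followed by three suspicious ones.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /index.php?id=5%27%20OR%201%3D1-- HTTP/1.1" 200 7031 "-" "curl/7.64"
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 220 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""
# Constructed sample of the other source: a preset list of scan targets (URLs).
SAMPLE_TARGETS = "http://app.example.test/\nhttps://app.example.test/admin/\n"

# Stand-in for the "preset knowledge base": (threat type, pattern over a decoded
# parameter value, weight = confidence that a match marks a vulnerability attempt).
KNOWLEDGE_BASE = [
    ("sql_injection", re.compile(r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+""", re.I), 0.8),
    ("sql_injection", re.compile(r"--\s*$|/\*.*\*/"), 0.4),
    ("xss", re.compile(r"<\s*script\b|\bon\w+\s*=", re.I), 0.85),
    ("path_traversal", re.compile(r"(\.\./){2,}"), 0.75),
]
ALARM_THRESHOLD = 0.7  # the "preset probability threshold" at which an alarm is raised


def determine_source_type(data):
    """S202: log lines -> 'log'; a list of preset URL targets -> 'scan_target'."""
    lines = [ln for ln in data.splitlines() if ln.strip()]
    if lines and all(LOG_LINE_RE.match(ln) for ln in lines):
        return "log"
    if lines and all(URL_RE.match(ln) for ln in lines):
        return "scan_target"
    raise ValueError("unrecognised data source")


def identify_traffic(log_text):
    """S205: extract request-line fields and percent-decoded parameter key/value pairs."""
    records = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        parts = urlsplit(m["target"])
        records.append({
            "client": m["client"], "method": m["method"], "url": m["target"],
            "path": parts.path, "status": int(m["status"]), "ua": m["ua"] or "",
            "params": parse_qsl(parts.query, keep_blank_values=True),  # decodes %xx
        })
    return records


def collide(records, knowledge_base=KNOWLEDGE_BASE, threshold=ALARM_THRESHOLD):
    """S206: match each decoded parameter value against the rule set and emit the
    comparison data set: URL, matched payloads, threat types, probability, alarm flag."""
    comparison = []
    for rec in records:
        hits = [(threat, key, value, weight)
                for key, value in rec["params"]
                for threat, pattern, weight in knowledge_base
                if pattern.search(value)]
        if not hits:
            continue
        # Noisy-OR: independent weak signals on the same request raise the probability together.
        probability = 1 - prod(1 - w for *_, w in hits)
        comparison.append({
            "url": rec["url"], "client": rec["client"], "status": rec["status"],
            "threats": sorted({h[0] for h in hits}),
            "payloads": [(h[1], h[2]) for h in hits],
            "probability": round(probability, 3),
            "alarm": probability >= threshold,
        })
    return comparison


def scan_log_data(data):
    """Log-type branch of the method: S202 -> S205 -> S206, returning a normalised result."""
    source_type = determine_source_type(data)
    if source_type != "log":
        raise ValueError("the interactive scan-target branch is not covered by this example")
    records = identify_traffic(data)
    comparison = collide(records)
    return {
        "source_type": source_type,
        "requests": len(records),
        "comparison": comparison,
        "alarms": [c for c in comparison if c["alarm"]],
    }


if __name__ == "__main__":
    for entry in scan_log_data(SAMPLE_LOG)["alarms"]:
        print(f"{entry['client']} {entry['url']} {entry['threats']} p={entry['probability']}")
```

Only the offline, static branch is modelled; the first-strategy plug-in scanning of S207 and the traffic replay of the later paragraphs require a live target and are left out.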
In the embodiment of the application, the active detection of the network vulnerability can be realized through a flow replay strategy and an interactive scanning technology.
In the embodiment of the application, the traffic replay policy replays the request header carrying credentials, the request body and the like to the gateway device and caches them, and tests, by reconstructing the method used by the payload, whether a vulnerability hidden danger exists in the web-accessed interface.
After step S206, the following steps are also included:
S207, performing vulnerability scanning on the flow identification result through a first scanning strategy to obtain a first scanning result.
In this embodiment, the first scanning policy may include a depth scanning policy, and when performing depth scanning, the depth scanning policy is loaded to perform other url attempts.
In this embodiment of the application, the first scanning strategy may further include a conventional vulnerability identification strategy, through which conventional scanning is performed. The conventional vulnerability identification strategy includes conventional web vulnerability detection tools and the like, such as appscan/awvs/nikto2/x-ray, and loads the open-source or commercial scanning plug-ins that currently perform best, and the embodiment of the present application is not limited thereto. Different scanners can also be adopted for sites with different fingerprints: for example, wpscan is used for websites with a WordPress fingerprint, awvs for Java/Struts 2 sites, and the like.
In this embodiment of the application, the first scanning policy may further include a custom policy, through which custom policy detection is implemented. Custom policy detection can perform retransmission detection and recording according to custom rules related to the payload captured from the web, for example detection with xsstrike/sqlmap/cme/a self-developed buffer overflow tool, and some strategies are selected only for certain parameters.
In this embodiment of the application, the first scanning strategy may further include a multiple detection strategy, and multiple detections may be implemented by the multiple detection strategy. Sequential detection of all web threat types is done from payload content (e.g., sql injection attack, xss attack, ssrf, rce, rfi, weak password login, insecure access control, important file leaks, etc.).
After step S207, the following steps are also included:
S208, generating a network vulnerability scanning result according to the flow identification result, the comparison data set and the first scanning result.
In the embodiment of the application, after the network vulnerability scanning result is obtained, the alarm information can be obtained according to the network vulnerability scanning result, then all the scanning information is counted to carry out normalized output, the basic quantity statistics is carried out, the related statistical chart is generated to be displayed, the report is generated, and the like.
In the embodiment of the present application, the url that has been found and the detection result thereof are summarized according to the network vulnerability scanning result, and then a detailed report is output according to the network vulnerability scanning result, which includes the utilized payload content, policy information (including scanning plug-in identifier, plug-in historical performance information, etc.), vulnerability description, and disposal suggestion, and the embodiment of the present application is not limited herein.
In the embodiment of the present application, by implementing the steps S205 to S208, vulnerability scanning processing can be performed on data to be scanned according to a scanning policy, so as to obtain a network vulnerability scanning result.
In the embodiment of the application, a heuristic vulnerability scanning task scheduling strategy is adopted, and a specific scanning plug-in is scheduled based on the analysis conclusion and the passive vulnerability and service analysis of flow and logs; the method has the advantages that the learning analysis of knowledge base collision is carried out on the basis of the logs generated by the flow, the service analysis can be carried out according to historical flow records without active detection, the specific type of vulnerability utilization event is researched and judged, and the scanning plug-in is reasonably scheduled, so that the scanning cost after the plug-in is added blindly later is greatly reduced.
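The log-type path this paragraph describes, as an added Python sketch that is not code from the patent or the applicant: requests are identified from constructed access-log lines, collided with a small hypothetical knowledge base keyed by site fingerprint, and only the plug-ins that the collision selects are scheduled. The log format, fingerprint rules, knowledge base contents and plug-in names are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Dec/2020:10:00:01 +0800] "GET /index.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Dec/2020:10:00:02 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Dec/2020:10:00:03 +0800] "GET /api/v1/users?name=bob HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.7 - - [25/Dec/2020:10:00:04 +0800] "GET /actuator/health HTTP/1.1" 200 30 "-" "curl/7.68.0"
10.0.0.9 - - [25/Dec/2020:10:00:05 +0800] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Dec/2020:10:00:06 +0800] "GET /old.php?id=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical preset knowledge base: site fingerprint -> plug-ins worth scheduling for it.
KNOWLEDGE_BASE: Dict[str, Set[str]] = {
    "php": {"sqli_check", "php_rce_check"},
    "springboot": {"actuator_exposure_check"},
    "json_api": {"idor_check"},
}
# Hypothetical first scanning strategy: these plug-ins only make sense for parameterised requests.
PARAM_ONLY_PLUGINS = {"sqli_check", "idor_check"}
STATIC_SUFFIXES = (".png", ".jpg", ".gif", ".css", ".js", ".ico")


@dataclass(frozen=True)
class TrafficRecord:
    method: str
    path: str
    params: Tuple[str, ...]  # parameter names only; values are not needed for scheduling
    status: int
    fingerprints: frozenset


def determine_source_type(data) -> str:
    """S302-style decision: log text is the log type, a list of preset targets is the scan-target type."""
    if isinstance(data, str):
        return "log"
    if isinstance(data, (list, tuple)) and all(isinstance(t, str) for t in data):
        return "scan_target"
    raise ValueError("unrecognised data to be scanned")


def fingerprint_path(path: str) -> frozenset:
    """Cheap site fingerprinting from the path alone (assumed rules)."""
    fps = set()
    if path.endswith(".php"):
        fps.add("php")
    if path.startswith("/actuator/"):
        fps.add("springboot")
    if path.startswith("/api/"):
        fps.add("json_api")
    return frozenset(fps)


def identify_traffic(log_text: str) -> List[TrafficRecord]:
    """Traffic identification: one record per parseable request; static assets are dropped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        parts = urlsplit(m.group("target"))
        if parts.path.lower().endswith(STATIC_SUFFIXES):
            continue
        params = tuple(sorted(parse_qs(parts.query, keep_blank_values=True)))
        records.append(TrafficRecord(m.group("method"), parts.path, params,
                                     int(m.group("status")), fingerprint_path(parts.path)))
    return records


def collide_with_knowledge_base(records, kb=KNOWLEDGE_BASE) -> Dict[str, Set[str]]:
    """Collision comparison: for each path actually served, the plug-ins its fingerprints select."""
    comparison: Dict[str, Set[str]] = {}
    for r in records:
        if r.status >= 400:
            continue  # never observed as served, so no plug-in is scheduled for it
        chosen = set()
        for fp in r.fingerprints:
            chosen |= kb.get(fp, set())
        if not r.params:
            chosen -= PARAM_ONLY_PLUGINS
        if chosen:
            comparison.setdefault(r.path, set()).update(chosen)
    return comparison


def schedule_plugins(comparison) -> Dict[str, List[str]]:
    """Heuristic scheduling: each plug-in runs only against the paths that selected it."""
    schedule: Dict[str, List[str]] = {}
    for path, plugins in comparison.items():
        for p in plugins:
            schedule.setdefault(p, []).append(path)
    return {p: sorted(paths) for p, paths in sorted(schedule.items())}
```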
In this embodiment, the method adopts a cross-validation mechanism based on heterogeneous scanning components and reduces false alarms through multiple scanning strategies (that is, multiple plug-ins), a replay mechanism, and the like. Combining several heterogeneous scanning plug-ins with a traffic replay mechanism lowers the false alarm rate of security events; the scanning result and the performance of each scanning plug-in are recorded, and the scanning plug-in strategy is updated and maintained automatically.
In this embodiment, vulnerability scanning is performed on every scanned url: a preset scanning plug-in is used for detection, and some self-developed scanners or other business plug-ins incubated in an attack-and-defense exercise environment are added, which reduces the risk of missed reports. For example, for a site where Remote Command Execution (RCE) may exist, a conventional RCE scanner tool, a self-developed knowledge base scanner, the open-source nikto scanner and so on may all be employed. Joint scanning by several scanners distinguishes command injection in php templates, java development frameworks, python/django frameworks and the like, and the scanners work cooperatively on the principle of mutual complementarity and cross-validation. In addition, a scanner backed by a self-developed knowledge base (the preset knowledge base) is added; this scanner can scan according to the certificate after directly replaying header information exported from the browser, and can also replay packets and compare the fields of the http request header against the offline knowledge base (mainly against back-end interfaces of the same framework origin or the same development preferences, which tend to carry similar vulnerabilities), thereby achieving a low missed-report rate.
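As an added illustration of the cross-validation and plug-in bookkeeping described in the two paragraphs above (example code written for this page, not the patent's or the applicant's implementation), the Python below grades findings from several heterogeneous scanners against a replay oracle and demotes plug-ins whose recorded precision drops. The scanner names, findings and replay table are constructed; a real replay would re-send the captured request and inspect the response.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str      # plug-in identifier, later written into the report's policy information
    url: str
    vuln_type: str


@dataclass
class PluginStats:
    reported: int = 0
    confirmed: int = 0

    def precision(self) -> float:
        # A plug-in with no history yet gets a neutral prior instead of 0/0.
        return self.confirmed / self.reported if self.reported else 0.5


# Constructed findings from three heterogeneous scanners; not output of any real tool.
SAMPLE_FINDINGS = [
    Finding("awvs", "http://app.test/item?id=1", "sqli"),
    Finding("kb_scanner", "http://app.test/item?id=1", "sqli"),
    Finding("nikto", "http://app.test/item?id=1", "sqli"),
    Finding("awvs", "http://app.test/search?q=x", "xss"),
    Finding("nikto", "http://app.test/cgi-bin/", "rce"),
    Finding("kb_scanner", "http://app.test/admin", "access_control"),
    Finding("awvs", "http://app.test/upload", "rfi"),
    Finding("nikto", "http://app.test/upload", "rfi"),
]

# Constructed replay oracle: which (url, type) pairs a replay of the captured request reproduces.
REPLAY_TABLE = {
    ("http://app.test/item?id=1", "sqli"): True,
    ("http://app.test/admin", "access_control"): True,
}


def replay(url: str, vuln_type: str) -> bool:
    return REPLAY_TABLE.get((url, vuln_type), False)


def cross_validate(findings, replay_fn: Callable[[str, str], bool], stats, min_agree: int = 2):
    """Group findings by (url, type) and grade each group:
    confirmed    - the replay reproduced it
    corroborated - at least min_agree different scanners agree, replay did not reproduce it
    suspected    - a single scanner, not reproduced
    Per-plug-in counters are updated so precision can be tracked over time."""
    groups: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for f in findings:
        groups[(f.url, f.vuln_type)].add(f.scanner)
    results = {}
    for key, scanners in groups.items():
        reproduced = replay_fn(*key)
        if reproduced:
            grade = "confirmed"
        elif len(scanners) >= min_agree:
            grade = "corroborated"
        else:
            grade = "suspected"
        results[key] = (grade, sorted(scanners))
        for s in scanners:
            stats[s].reported += 1
            stats[s].confirmed += int(reproduced)
    return results


def update_policy(stats, min_precision: float = 0.6, min_samples: int = 2) -> Dict[str, str]:
    """Automatic strategy maintenance: demote a plug-in once it has enough history and its
    recorded precision falls below the threshold; everything else stays active."""
    policy = {}
    for name, st in stats.items():
        demote = st.reported >= min_samples and st.precision() < min_precision
        policy[name] = "demoted" if demote else "active"
    return dict(sorted(policy.items()))


def run_pipeline(findings=SAMPLE_FINDINGS, replay_fn=replay):
    stats: Dict[str, PluginStats] = defaultdict(PluginStats)
    results = cross_validate(findings, replay_fn, stats)
    return results, dict(stats), update_policy(stats)
```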
In this embodiment, fast scanning is embodied in a multi-process asynchronous task scanning mechanism: with the method provided here, after a user accesses a normal page, the request information is sent to the server side, which runs the scan as multi-process asynchronous tasks, so scanning is accelerated considerably without blocking the task.
In this embodiment, reduced human-machine interaction means that operations such as manually deploying the related scanning tools, checking and generating reports, and confirming results are not needed; the method can also supplement the scanner with log standardization, log standardization modules and the like, following the penetration approach of a conventional penetration tester, so that the human-machine interaction process is reduced.
Therefore, the network vulnerability scanning method described in this embodiment can perform network vulnerability scanning automatically, has low requirements on expertise and wide applicability, needs no manual operation, and thus helps to improve scanning efficiency and accuracy.
Example 3
Referring to fig. 3, fig. 3 is a flowchart of a network vulnerability scanning method according to an embodiment of the present application. As shown in fig. 3, the network vulnerability scanning method includes:
S301, acquiring data to be scanned.
S302, when the data to be scanned is log data, determining that the source type of the data to be scanned is a log type; and when the data to be scanned is preset target data, determining that the source type of the data to be scanned is a scanning target type.
In this embodiment, the source type of the data to be scanned is determined by implementing step S302.
In this embodiment, when the source type is the scanning target type, the scanning target is preset in the scanning apparatus. After the scanning parameters are configured, a set of scanning strategies is loaded; for example, an information collection module may be loaded to perform lateral asset information collection, a custom set of scanning plug-ins may also be loaded, and a corresponding study-and-judgment report is output.
S303, when the source type is the scanning target type, acquiring a preset conventional scanning strategy and a second scanning strategy corresponding to the scanning target type.
S304, generating a scanning strategy for the data to be scanned according to the preset conventional scanning strategy and the second scanning strategy.
In this embodiment, the second scanning policy includes the plug-in information used in scanning and the like; this embodiment is not limited in this respect.
In this embodiment, by implementing steps S303 to S304, the scanning policy for the data to be scanned is determined according to the source type.
After step S304, the method further includes:
S305, when the source type is the scanning target type, performing information collection on the data to be scanned to obtain collected data.
In this embodiment, information collection on the data to be scanned is lateral asset information collection. Specifically, the information includes domain name/ip information, asset service information and site map information. The domain name/ip information includes collection of the sub-domain information corresponding to the accessed urls, tracking of the real ip that provides the service, and the like; the asset service information includes whether the asset corresponding to the url exposes other vulnerable services (this part can be scanned by the apparatus itself or obtained from a third party such as shodan, heaven and the like); the site map information includes the site fingerprint (e.g., java/springboot), the set of site urls, and the like. This embodiment is not limited in this respect.
S306, performing heuristic detection processing on the collected data through the preset conventional scanning strategy to obtain a detection result, and performing network simulation operations according to the collected data to obtain simulation operation data.
In this embodiment, the preset conventional scanning policy includes the information of the conventional integrated scanning plug-ins; this embodiment is not limited in this respect.
In this embodiment, the network simulation operation simulates logging in through a browser, clicking the relevant buttons, simulating queries, submitting forms, and the like.
In this embodiment, step S306 implements penetration testing: first, information collection and proxy website mounting are performed; then the network simulation operation is performed, specifically, after logging in with a simulated browser, buttons are clicked automatically and the browser returns, form input boxes are discovered, random input and selection are performed, and the form is then submitted.
In this embodiment, step S306 performs both active and passive detection: on one hand, heuristic detection is performed with a conventional integrated scanning tool, for example appscan/awvs/sn1per is loaded; on the other hand, a simulated browser is used to log in and perform operations such as clicking the relevant buttons, simulating queries and submitting forms.
In this embodiment, scanning is automated, and a simulated browser is used to discover interfaces and urls.
After step S306, the method further includes:
S307, determining the set of network addresses that can be accessed normally according to the detection result and the simulation operation data.
In this embodiment, a heuristic search is performed on each discovered url to discover further urls, and graded, targeted scanning is performed according to the discovered urls.
In this embodiment, after step S306, the network address set is obtained by collecting the urls that can be accessed normally.
S308, performing deep vulnerability scanning on the network address set according to the second scanning strategy to obtain a second scanning result.
In this embodiment, step S308 performs a deep vulnerability probe on each url in the network address set; for example, each url is subjected to an sql injection test, an xss test, an ssrf test, a remote command execution test, a remote directory inclusion test, and the like. It should be noted that all of the above processes use a multi-process asynchronous task technique to accelerate the whole scan. The technology stack of the method includes a mitmproxy transparent proxy, a celery asynchronous task queue, apscheduler task scheduling, pocsuite3 vulnerability detection, kafka storage, a database, a seclists knowledge base, a self-developed threat intelligence knowledge base, and the like; this embodiment is not limited in this respect.
In this embodiment, the second scanning policy further includes a deep vulnerability scanning policy, which includes the deep scanning plug-ins and the like; this embodiment is not limited in this respect.
In this embodiment, step S308 performs deep vulnerability scanning on the network address set: all the information in the request header is carried along, the plug-ins in the scanning strategy are selected, vulnerability scanning detection is performed, and deep vulnerabilities are discovered automatically.
In this embodiment, the preset plug-ins (including the conventional and the self-developed web scanning plug-ins) and appscan/awvs can be enabled to detect and scan the target site simultaneously.
After step S308, the method further includes:
S309, generating a network vulnerability scanning result according to the detection result, the simulation operation data, the network address set and the second scanning result.
In this embodiment, by implementing steps S305 to S309, vulnerability scanning processing can be performed on the data to be scanned according to the scanning policy, so as to obtain a network vulnerability scanning result.
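To make steps S305 to S309 concrete, here is an added Python example (not code from the patent or the applicant) that builds the normally accessible address set of S307 from constructed scanner and simulated-browser outputs, then assembles the S309 scanning result from constructed deep-scan findings. The scope hosts, urls, plug-in names, payload labels and advice table are assumptions.

```python
from collections import Counter
from typing import Dict, Set
from urllib.parse import parse_qsl, urlsplit, urlunsplit

IN_SCOPE_HOSTS = {"app.test", "api.app.test"}  # hypothetical scope taken from the S305 collected data

# Constructed S306 outputs as (url, http status): one list from the heuristic scanner,
# one from the simulated browser. Nothing here comes from a real site.
DETECTION_RESULT = [
    ("http://app.test/item?id=1", 200),
    ("http://app.test/item?id=2", 200),
    ("http://APP.test/login", 200),
    ("http://app.test/missing", 404),
    ("http://other.test/item?id=1", 200),  # out of scope: must be dropped
]
SIMULATION_DATA = [
    ("http://app.test/login", 302),  # form submitted by the simulated browser, then redirected
    ("http://app.test/item?id=7#top", 200),
    ("http://api.app.test/v1/users?name=bob", 200),
    ("http://app.test/error", 500),
]

# Constructed S308 findings: (url, vulnerability type, plug-in identifier, payload label).
SECOND_SCAN_RESULT = [
    ("http://app.test/item?id=3", "sqli", "sqli_check", "constructed-payload-1"),
    ("http://api.app.test/v1/users?name=eve", "access_control", "idor_check", "constructed-payload-2"),
    ("http://other.test/item?id=1", "sqli", "sqli_check", "constructed-payload-3"),  # outside the address set
]

# Hypothetical vulnerability description / disposal suggestion table used by the report.
ADVICE = {
    "sqli": ("SQL injection", "use parameterised queries and validate input types"),
    "access_control": ("insecure access control", "enforce object-level authorisation server-side"),
}


def normalise(url: str) -> str:
    """Canonical endpoint form: lowercase scheme/host, no fragment, query keeps parameter
    names only, so /item?id=1 and /item?id=2 count as the same endpoint."""
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/",
                       "&".join(f"{k}=" for k in names), ""))


def build_address_set(detection, simulation, scope=IN_SCOPE_HOSTS) -> Dict[str, Set[str]]:
    """S307: endpoints that can be accessed normally (2xx/3xx and in scope), keyed by
    normalised url, with the sources that observed each one."""
    found: Dict[str, Set[str]] = {}
    for source, entries in (("scanner", detection), ("browser", simulation)):
        for url, status in entries:
            host = urlsplit(url).hostname or ""
            if host not in scope or not 200 <= status < 400:
                continue
            found.setdefault(normalise(url), set()).add(source)
    return found


def generate_scan_result(detection, simulation, address_set, second_scan) -> dict:
    """S309: assemble the network vulnerability scanning result. Findings on urls outside the
    address set are kept aside as 'unscoped' instead of silently entering the statistics."""
    findings, unscoped = [], []
    for url, vtype, plugin, payload in second_scan:
        key = normalise(url)
        if key not in address_set:
            unscoped.append(url)
            continue
        description, suggestion = ADVICE.get(vtype, ("unclassified", "review manually"))
        findings.append({"url": key, "type": vtype, "plugin": plugin, "payload": payload,
                         "seen_by": sorted(address_set[key]),
                         "description": description, "suggestion": suggestion})
    return {
        "endpoints_probed": len(detection) + len(simulation),
        "endpoints_accessible": len(address_set),
        "findings": findings,
        "unscoped": unscoped,
        "counts_by_type": dict(Counter(f["type"] for f in findings)),
    }


def run_pipeline():
    address_set = build_address_set(DETECTION_RESULT, SIMULATION_DATA)
    report = generate_scan_result(DETECTION_RESULT, SIMULATION_DATA, address_set, SECOND_SCAN_RESULT)
    return address_set, report
```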
In this embodiment, an automated penetration test of a site can be carried out quickly, which reduces the cost of testing, and the security of intranet web resources can be checked quickly. Given the quality and quantity of the plug-ins, the false alarm rate is low, the time a web administrator spends on manual testing can be shortened considerably, and the expertise required of the web administrator is reduced.
Therefore, the network vulnerability scanning method described in this embodiment can perform network vulnerability scanning automatically, has low requirements on expertise and wide applicability, needs no manual operation, and thus helps to improve scanning efficiency and accuracy.
Example 4
Referring to fig. 4, fig. 4 is a schematic structural diagram of a network vulnerability scanning apparatus according to an embodiment of the present application. As shown in fig. 4, the network vulnerability scanning apparatus includes:
a data obtaining module 410, configured to obtain data to be scanned;
a type determining module 420, configured to determine a source type of data to be scanned;
a policy determination module 430, configured to determine a scanning policy for data to be scanned according to a source type;
the scanning module 440 is configured to perform vulnerability scanning processing on data to be scanned according to a scanning policy to obtain a network vulnerability scanning result.
In the embodiment of the present application, for the explanation of the network vulnerability scanning apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
It can be seen that the network vulnerability scanning apparatus described in this embodiment can perform network vulnerability scanning automatically, has low requirements on expertise and wide applicability, and needs no manual operation, which helps to improve scanning efficiency and accuracy.
Example 5
Referring to fig. 5, fig. 5 is a schematic structural diagram of a network vulnerability scanning apparatus according to an embodiment of the present application. The apparatus shown in fig. 5 is an optimization of the apparatus shown in fig. 4. As shown in fig. 5, the type determining module 420 is specifically configured to determine that the source type of the data to be scanned is the log type when the data to be scanned is log data, and that the source type is the scanning target type when the data to be scanned is preset target data.
As an optional implementation, the policy determination module 430 includes:
the first obtaining submodule 431, configured to, when the source type is the log type, obtain a preset knowledge base and a first scanning strategy corresponding to the log type;
the first generating submodule 432, configured to generate a scanning strategy for the data to be scanned according to the preset knowledge base and the first scanning strategy.
As an optional implementation, the scanning module 440 includes:
the identifying submodule 441, configured to, when the source type is the log type, perform traffic identification on the data to be scanned to obtain a traffic identification result;
the comparison submodule 442, configured to perform collision comparison between the traffic identification result and the preset knowledge base to obtain a comparison data set;
the deep scanning submodule 443, configured to perform vulnerability scanning on the traffic identification result through the first scanning strategy to obtain a first scanning result;
and the second generating submodule 444, configured to generate a network vulnerability scanning result according to the traffic identification result, the comparison data set, and the first scanning result.
In the embodiment of the present application, for the explanation of the network vulnerability scanning apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
It can be seen that the network vulnerability scanning apparatus described in this embodiment can perform network vulnerability scanning automatically, has low requirements on expertise and wide applicability, and needs no manual operation, which helps to improve scanning efficiency and accuracy.
Example 6
Referring to fig. 6, fig. 6 is a schematic structural diagram of a network vulnerability scanning apparatus according to an embodiment of the present application. The apparatus shown in fig. 6 is an optimization of the apparatus shown in fig. 4. As shown in fig. 6, the type determining module 420 is specifically configured to determine that the source type of the data to be scanned is the log type when the data to be scanned is log data, and that the source type is the scanning target type when the data to be scanned is preset target data.
As an optional implementation, the policy determination module 430 includes:
the second obtaining submodule 433, configured to, when the source type is the scanning target type, obtain a preset conventional scanning policy and a second scanning policy corresponding to the scanning target type;
and the third generating submodule 434, configured to generate a scanning policy for the data to be scanned according to the preset conventional scanning policy and the second scanning policy.
As an optional implementation, the scanning module 440 includes:
the information collecting submodule 445, configured to, when the source type is the scanning target type, perform information collection on the data to be scanned to obtain collected data;
the detection submodule 446, configured to perform heuristic detection processing on the collected data through the preset conventional scanning strategy to obtain a detection result, and to perform network simulation operations according to the collected data to obtain simulation operation data;
the determining submodule 447, configured to determine, according to the detection result and the simulation operation data, the set of network addresses that can be accessed normally;
the second scanning submodule 448, configured to perform deep vulnerability scanning on the network address set according to the second scanning policy to obtain a second scanning result;
and the fourth generating submodule 449, configured to generate a network vulnerability scanning result according to the detection result, the simulation operation data, the network address set, and the second scanning result.
In the embodiment of the present application, for the explanation of the network vulnerability scanning apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
It can be seen that the network vulnerability scanning apparatus described in this embodiment can perform network vulnerability scanning automatically, has low requirements on expertise and wide applicability, and needs no manual operation, which helps to improve scanning efficiency and accuracy.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute a network vulnerability scanning method in any one of embodiment 1 or embodiment 2 of the present application.
The embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions execute the network vulnerability scanning method in any one of embodiment 1 or embodiment 2 of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for network vulnerability scanning, comprising:
acquiring data to be scanned;
determining the source type of the data to be scanned;
determining a scanning strategy aiming at the data to be scanned according to the source type;
and performing vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result.
2. The method according to claim 1, wherein the determining a source type of the data to be scanned comprises:
when the data to be scanned is log data, determining that the source type of the data to be scanned is a log type;
and when the data to be scanned is preset target data, determining that the source type of the data to be scanned is a scanning target type.
3. The method according to claim 2, wherein the determining a scanning policy for the data to be scanned according to the source type comprises:
when the source type is the log type, acquiring a preset knowledge base and a first scanning strategy corresponding to the log type;
and generating a scanning strategy aiming at the data to be scanned according to the preset knowledge base and the first scanning strategy.
4. The method according to claim 2, wherein the determining a scanning policy for the data to be scanned according to the source type comprises:
when the source type is the scanning target type, acquiring a preset conventional scanning strategy and a second scanning strategy corresponding to the scanning target type;
and generating a scanning strategy aiming at the data to be scanned according to the preset conventional scanning strategy and the second scanning strategy.
5. The method according to claim 3, wherein the performing vulnerability scanning processing on the data to be scanned according to the scanning policy to obtain a network vulnerability scanning result includes:
when the source type is the log type, carrying out flow identification on the data to be scanned to obtain a flow identification result;
performing collision comparison on the flow identification result and the preset knowledge base to obtain a comparison data set;
performing vulnerability scanning on the flow identification result through the first scanning strategy to obtain a first scanning result;
and generating a network vulnerability scanning result according to the flow identification result, the comparison data set and the first scanning result.
6. The method according to claim 4, wherein the performing vulnerability scanning processing on the data to be scanned according to the scanning policy to obtain a network vulnerability scanning result includes:
when the source type is the scanning target type, information collection is carried out on the data to be scanned to obtain collected data;
carrying out heuristic detection processing on the collected data through the preset conventional scanning strategy to obtain a detection result, and carrying out network simulation operation according to the collected data to obtain simulation operation data;
determining a network address set capable of being normally accessed according to the detection result and the simulation operation data;
performing deep vulnerability scanning on the network address set according to the second scanning strategy to obtain a second scanning result;
and generating a network vulnerability scanning result according to the detection result, the simulation operation data, the network address set and the second scanning result.
7. A network vulnerability scanning apparatus, characterized in that the network vulnerability scanning apparatus comprises:
the data acquisition module is used for acquiring data to be scanned;
the type determining module is used for determining the source type of the data to be scanned;
the strategy determining module is used for determining a scanning strategy aiming at the data to be scanned according to the source type;
and the scanning module is used for carrying out vulnerability scanning processing on the data to be scanned according to the scanning strategy to obtain a network vulnerability scanning result.
8. The apparatus according to claim 7, wherein the type determining module is specifically configured to determine that the source type of the data to be scanned is a log type when the data to be scanned is log data; and when the data to be scanned is preset target data, determining that the source type of the data to be scanned is a scanning target type.
9. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the network vulnerability scanning method of any of claims 1 to 6.
10. A readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform the network vulnerability scanning method of any of claims 1 to 6.
Application CN202011564031.1A, priority date 2020-12-25, filing date 2020-12-25: Network vulnerability scanning method and device (Active; granted as CN112738068B).

Publications (2)

CN112738068A, published 2021-04-30
CN112738068B, published 2023-03-07

Family

ID=75616889

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011564031.1A Active CN112738068B (en) 2020-12-25 2020-12-25 Network vulnerability scanning method and device

Country Status (1)

Country Link
CN (1) CN112738068B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150453A (en) * 2023-11-01 2023-12-01 建信金融科技有限责任公司 Network application detection method, device, equipment, storage medium and program product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471919A (en) * 2016-01-15 2016-04-06 成都智扬易方软件有限公司 Network security vulnerability scanning and managing system
CN108183916A (en) * 2018-01-15 2018-06-19 华北电力科学研究院有限责任公司 A kind of network attack detecting method and device based on log analysis
CN108206830A (en) * 2017-12-30 2018-06-26 平安科技(深圳)有限公司 Vulnerability scanning method, apparatus, computer equipment and storage medium
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471919A (en) * 2016-01-15 2016-04-06 成都智扬易方软件有限公司 Network security vulnerability scanning and managing system
CN108206830A (en) * 2017-12-30 2018-06-26 平安科技(深圳)有限公司 Vulnerability scanning method, apparatus, computer equipment and storage medium
CN108183916A (en) * 2018-01-15 2018-06-19 华北电力科学研究院有限责任公司 A kind of network attack detecting method and device based on log analysis
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150453A (en) * 2023-11-01 2023-12-01 建信金融科技有限责任公司 Network application detection method, device, equipment, storage medium and program product
CN117150453B (en) * 2023-11-01 2024-02-02 建信金融科技有限责任公司 Network application detection method, device, equipment, storage medium and program product

Also Published As

Publication number Publication date
CN112738068B (en) 2023-03-07

Similar Documents

Publication Title
US9876753B1 (en) Automated message security scanner detection system
CN108471429B (en) Network attack warning method and system
US10387656B2 (en) Integrated interactive application security testing
CN111818103B (en) Traffic-based attack path tracing method in a cyber range
CN112822147B (en) Method, system and equipment for analyzing attack chain
Kumari et al. An insight into digital forensics branches and tools
CN110602032A (en) Attack identification method and device
CN111104579A (en) Identification method and device for public network assets and storage medium
US11792221B2 (en) Rest API scanning for security testing
CN113518077A (en) Malicious web crawler detection method, device, equipment and storage medium
EP3433782B1 (en) Integrated interactive application security testing
CN113190838A (en) Web attack behavior detection method and system based on expression
Riadi et al. Vulnerability analysis of E-voting application using open web application security project (OWASP) framework
US11334666B2 (en) Attack kill chain generation and utilization for threat analysis
CN112738068B (en) Network vulnerability scanning method and device
US20230094119A1 (en) Scanning of Content in Weblink
WO2023087554A1 (en) Asset risk control method, apparatus, and device, and storage medium
CN113852625A (en) Weak password monitoring method, device, equipment and storage medium
Athanasopoulos et al. Hunting cross-site scripting attacks in the network
Erturk et al. Web Vulnerability Scanners: A Case Study
Shaw et al. Social network forensics: Survey and challenges
CN113890866B (en) Illegal application software identification method, device, medium and electronic equipment
CN114826959B (en) Vulnerability analysis method and system for audio data anti-crawler technology
Deptula Automation of cyber penetration testing using the detect, identify, predict, react intelligence automation model
De Meo et al. A formal and automated approach to exploiting multi-stage attacks of web applications

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant