CN113420298A - PHP Web application program vulnerability detection method based on PHP extension and storage medium thereof - Google Patents

Info

Publication number
CN113420298A
Authority
CN
China
Prior art keywords
php
extension
function
application program
detection method
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110577039.XA
Other languages
Chinese (zh)
Inventor
范丙华
刘永瑞
徐锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Xiaodao Technology Co ltd
Original Assignee
Hangzhou Xiaodao Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Xiaodao Technology Co ltd filed Critical Hangzhou Xiaodao Technology Co ltd
Priority to CN202110577039.XA priority Critical patent/CN113420298A/en
Publication of CN113420298A publication Critical patent/CN113420298A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a PHP Web application vulnerability detection method based on a PHP extension, and a storage medium thereof. The method comprises the following steps. Function instrumentation: the PHP extension instruments the PHP functions in the application. Taint marking: unused flag bits in the PHP variable structure are used to record whether a PHP variable is tainted. Taint tracking: the PHP extension monitors the instrumented PHP functions and tracks the taint marks according to the data propagation logic of each PHP function. Vulnerability detection: it is determined whether external data passed through a security check function before being passed into a risk function; if not, a security vulnerability is judged to exist, and if so, no security vulnerability is judged to exist. The invention tracks the application's data flow in real time, can detect the actual process by which a vulnerability forms and its specific code location, and achieves online, real-time, comprehensive and accurate vulnerability detection.

Description

PHP Web application program vulnerability detection method based on PHP extension and storage medium thereof
Technical Field
The invention relates to the technical field of computers, in particular to a PHP Web application program vulnerability detection method based on PHP extension and a storage medium thereof.
Background
Existing techniques for detecting vulnerabilities in PHP Web applications fall into two main categories. The first is black-box detection: the application is tested by simulating hacker attacks, replaying data packets that carry characteristic strings, and analyzing the application's responses according to the principles of each vulnerability type. The second is code auditing: syntactic and semantic analysis is performed on the application's source code, and code-level vulnerabilities are identified by simulating the data flow of the running program. Black-box detection must send a large number of packets carrying characteristic strings, so it generates a large amount of dirty data and dirty operations during testing; it also suffers from low scenario coverage, because packets cannot be constructed in scenarios such as packet encryption or packet signing. Code auditing requires in-depth analysis of the application's source code, which is costly in time and money, and its false-positive rate is high because it analyzes data from a simulated run of the program.
Disclosure of Invention
The invention aims to solve the above technical problems and provides a PHP Web application vulnerability detection method based on a PHP extension.
The technical solution adopted by the invention is a PHP Web application vulnerability detection method based on a PHP extension, comprising the following:
Function instrumentation: before the application runs, a PHP extension is added to the application, and the PHP extension instruments the PHP functions in the application;
Taint marking: a definition of whether a PHP variable is tainted is preset in the PHP extension, and unused flag bits in the PHP variable structure record whether the PHP variable is tainted;
Taint tracking: when a PHP function is called, the PHP extension monitors the instrumented PHP function and tracks the taint marks according to the data propagation logic of that function;
Vulnerability detection: when external data is passed to a risk function, the PHP extension uses the taint tracking process to determine whether the external data passed through a security check function before being passed into the risk function; if not, it judges that a security vulnerability exists, and if so, it judges that no security vulnerability exists.
Preferably, the function instrumentation comprises the following: the PHP extension captures PHP functions by modifying where a handler in PHP points. The PHP function is captured by modifying the handler pointer of the zend_internal_function structure in PHP: the handler is first pointed at code that collects the function's execution information, and the original handler function is then called.
Preferably, the function instrumentation further comprises the following: the PHP extension modifies the implementation of an opcode and hijacks that opcode to obtain the required function information, thereby capturing the PHP function. The opcode implementation is modified through zend_set_user_opcode_handler. (Opcodes are the intermediate language produced when PHP code is compiled, and every function call in PHP is performed by one of the opcodes ZEND_DO_FCALL, ZEND_DO_ICALL or ZEND_DO_FCALL_BY_NAME.) Hijacking a specific opcode yields the required function information, which achieves the purpose of capturing the PHP function.
Preferably, the taint marking comprises the following: the PHP extension applies taint marks to the data of the superglobal variables in the PHP variable structure.
Preferably, the superglobal variables comprise GET and/or POST and/or FILE and/or COOKIE and/or SERVER and/or REQUEST.
Preferably, while the application is running, the following steps are executed after PHP receives a request to process:
Step one: taint marking: a definition of whether a PHP variable is tainted is preset in the PHP extension, and unused flag bits in the PHP variable structure record whether the PHP variable is tainted;
Step two: taint tracking: when a PHP function is called, the PHP extension monitors the instrumented function and tracks the taint marks according to the data propagation logic of that function;
Step three: vulnerability detection: when external data is passed to a risk function, the PHP extension uses the taint tracking process to determine whether the external data passed through a security check function before being passed into the risk function, and if it did not, the PHP extension judges that a security vulnerability exists;
Step four: after vulnerability detection is finished, the request ends; when an HTTP request is received again, the taint marking loop runs again, until the PHP process ends. PHP keeps receiving requests while it runs, and steps one to three are repeated until PHP processing ends.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the PHP-extension-based PHP Web application vulnerability detection method.
The beneficial effects of the invention are as follows:
Through a PHP extension, the invention performs dynamic taint tracking on the real data flow of the running program. It does not need to construct and send data packets containing characteristic strings, so it is suitable for detecting application vulnerabilities in complex scenarios such as packet encryption and packet signing. The real data flow that is obtained also shows clearly how the vulnerability forms and where in the code it is located, which provides real and effective data for subsequent vulnerability repair and greatly improves repair efficiency. Because the work is done by a PHP extension, vulnerability analysis can be completed while the PHP application runs in real time, which achieves online real-time detection of application vulnerabilities and improves the efficiency of application security testing.
Drawings
FIG. 1 is a schematic flow diagram of the present invention.
Fig. 2 is a detailed flowchart of fig. 1.
Detailed Description
The present invention will be further described with reference to the accompanying drawings and embodiments.
As shown in FIGS. 1-2, the PHP-extension-based PHP Web application vulnerability detection method of the invention comprises the following steps:
Step one: function instrumentation: before the application runs, a PHP extension is added to the application, and the PHP extension instruments the PHP functions in the application;
Step two: taint marking: a definition of whether a PHP variable is tainted is preset in the PHP extension, and unused flag bits in the PHP variable structure record whether the PHP variable is tainted;
Step three: taint tracking: when a PHP function is called, the PHP extension monitors the instrumented function and tracks the taint marks according to the data propagation logic of that function;
Step four: vulnerability detection: when external data is passed to a risk function, the PHP extension uses the taint tracking process to determine whether the external data passed through a security check function before being passed into the risk function, and if it did not, the PHP extension judges that a security vulnerability exists.
Step five: after vulnerability detection is finished, the request ends; when an HTTP request is received again, the taint marking loop runs again, until the PHP process ends. When an HTTP request is received again, steps two to four are executed until PHP processing ends, and then step five is executed.
In this embodiment, an example of the data propagation logic in step two is as follows: for the trim function in PHP, if the first parameter of the function carries a taint mark, the returned value is also tainted.
The function instrumentation includes the following: the PHP extension captures the PHP function by modifying the handler pointer of the zend_internal_function structure in PHP.
The taint marking includes the following: the PHP extension applies taint marks to the data of the superglobal variables in the PHP variable structure. The taint mark of the PHP extension uses the GC_FLAGS macro defined in the PHP core and records whether a variable is tainted by means of the unused GC flag bits. The PHP extension defines whether a variable is tainted; in this embodiment, a tainted variable is marked as 1, otherwise it is marked as 0. The reserved flag bits in PHP can thereby be distinguished.
The superglobal variables comprise GET and/or POST and/or FILE and/or COOKIE and/or SERVER and/or REQUEST.
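The steps of this embodiment, modeled as a stand-alone C program (an added example, not code from the patent or from PHP): handler pointers are swapped for hooks, a spare flag bit carries the taint mark, trim propagates it, and the risk function reports when marked data arrives without having passed the security check function. The struct layout, the bit value 0x1 and the function names escape and query are assumptions made for illustration; a real extension would work on the Zend structures named in the text.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Stand-alone model, not the Zend API: every name here is hypothetical. */
#define FLAG_TAINTED 0x1u  /* assumed spare flag bit: 1 = tainted, 0 = clean */
typedef struct { char buf[64]; unsigned flags; } value;   /* models a PHP variable */
typedef void (*handler_t)(const value *arg, value *ret);
typedef struct { const char *name; handler_t handler; } function_entry;
enum { F_TRIM, F_ESCAPE, F_QUERY, F_COUNT };
static int findings;                 /* findings for the current request */
static handler_t saved[F_COUNT];     /* original handlers, kept for the hooks */

static void orig_trim(const value *a, value *r) {
    const char *s = a->buf;
    while (isspace((unsigned char)*s)) s++;
    size_t n = strlen(s);
    while (n && isspace((unsigned char)s[n - 1])) n--;
    memmove(r->buf, s, n); r->buf[n] = '\0'; r->flags = 0;
}
static void orig_escape(const value *a, value *r) {  /* security check function */
    size_t j = 0;
    for (size_t i = 0; a->buf[i] && j + 2 < sizeof r->buf; i++) {
        if (a->buf[i] == '\'') r->buf[j++] = '\\';
        r->buf[j++] = a->buf[i];
    }
    r->buf[j] = '\0'; r->flags = 0;
}
static void orig_query(const value *a, value *r) { (void)a; r->buf[0] = '\0'; r->flags = 0; }
static function_entry table[F_COUNT] = {
    {"trim", orig_trim}, {"escape", orig_escape}, {"query", orig_query} };

static void hook_trim(const value *a, value *r) {
    unsigned t = a->flags & FLAG_TAINTED;  /* read the mark before the call */
    saved[F_TRIM](a, r);
    r->flags |= t;   /* page's rule: tainted first argument -> tainted return value */
}
static void hook_escape(const value *a, value *r) {
    saved[F_ESCAPE](a, r); r->flags &= ~FLAG_TAINTED;  /* passed the security check */
}
static void hook_query(const value *a, value *r) {     /* query is the risk function */
    if (a->flags & FLAG_TAINTED) {
        findings++;
        printf("finding: unchecked external data in %s(): %s\n", table[F_QUERY].name, a->buf);
    }
    saved[F_QUERY](a, r);
}
/* Function instrumentation: repoint each handler at a hook that calls the original. */
static void instrument(void) {
    static const handler_t hooks[F_COUNT] = { hook_trim, hook_escape, hook_query };
    for (int i = 0; i < F_COUNT; i++) {
        if (table[i].handler == hooks[i]) continue;    /* already instrumented */
        saved[i] = table[i].handler;
        table[i].handler = hooks[i];
    }
}
/* One request: mark the external parameter, run the app code, return the findings. */
int handle_request(const char *param, int use_check) {
    value in, trimmed, checked = {"", 0}, out;
    instrument();
    findings = 0;
    snprintf(in.buf, sizeof in.buf, "%s", param);
    in.flags = FLAG_TAINTED;               /* taint marking at the external source */
    table[F_TRIM].handler(&in, &trimmed);
    if (use_check) table[F_ESCAPE].handler(&trimmed, &checked);
    table[F_QUERY].handler(use_check ? &checked : &trimmed, &out);
    return findings;
}
int main(void) {                           /* "  O'Brien  " is constructed sample input */
    printf("without check: %d finding(s)\n", handle_request("  O'Brien  ", 0));
    printf("with check:    %d finding(s)\n", handle_request("  O'Brien  ", 1));
    return 0;
}
```

Because the decision rests only on the flag bit, any external value that skips the check function is reported, whatever its content.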
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the PHP-extension-based PHP Web application vulnerability detection method.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A PHP Web application vulnerability detection method based on a PHP extension, characterized in that the method comprises the following steps:
Function instrumentation: before the application runs, a PHP extension is added to the application, and the PHP extension instruments the PHP functions in the application;
Taint marking: a definition of whether a PHP variable is tainted is preset in the PHP extension, and unused flag bits in the PHP variable structure record whether the PHP variable is tainted;
Taint tracking: when a PHP function is called, the PHP extension monitors the instrumented PHP function and tracks the taint marks according to the data propagation logic of that function;
Vulnerability detection: when external data is passed to a risk function, the PHP extension uses the taint tracking process to determine whether the external data passed through a security check function before being passed into the risk function, and if it did not, the PHP extension judges that a security vulnerability exists.
2. The PHP-extension-based PHP Web application vulnerability detection method of claim 1, wherein the function instrumentation includes the following: the PHP extension captures PHP functions by modifying where a handler in PHP points.
3. The PHP-extension-based PHP Web application vulnerability detection method of claim 1, wherein the function instrumentation also includes the following: the PHP extension modifies the implementation of an opcode and hijacks that opcode to obtain the required function information, thereby capturing the PHP function.
4. The PHP-extension-based PHP Web application vulnerability detection method of claim 1, wherein the taint marking includes the following: the PHP extension applies taint marks to the data of the superglobal variables in the PHP variable structure.
5. The PHP-extension-based PHP Web application vulnerability detection method of claim 4, wherein the superglobal variables comprise GET and/or POST and/or FILE and/or COOKIE and/or SERVER and/or REQUEST.
6. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the PHP-extension-based PHP Web application vulnerability detection method according to any one of claims 1 to 5.
CN202110577039.XA 2021-05-26 2021-05-26 PHP Web application program vulnerability detection method based on PHP extension and storage medium thereof Pending CN113420298A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110577039.XA CN113420298A (en) 2021-05-26 2021-05-26 PHP Web application program vulnerability detection method based on PHP extension and storage medium thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110577039.XA CN113420298A (en) 2021-05-26 2021-05-26 PHP Web application program vulnerability detection method based on PHP extension and storage medium thereof

Publications (1)

Publication Number Publication Date
CN113420298A (en) 2021-09-21

Family

ID=77712951

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110577039.XA Pending CN113420298A (en) 2021-05-26 2021-05-26 PHP Web application program vulnerability detection method based on PHP extension and storage medium thereof

Country Status (1)

Country Link
CN (1) CN113420298A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210921
