CN113779585A - Unauthorized vulnerability detection method and device - Google Patents


Info

Publication number
CN113779585A
Authority
CN
China
Prior art keywords
access
access request
information
database
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110003407.XA
Other languages
Chinese (zh)
Other versions
CN113779585B (en)
Inventor
王伟
张超
司琛芝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd
Priority to CN202110003407.XA (granted as CN113779585B)
Publication of CN113779585A
Priority to PCT/CN2021/137814 (published as WO2022143145A1)
Application granted
Publication of CN113779585B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The disclosure provides an unauthorized vulnerability detection method and device, and relates to the field of network security. The method comprises the following steps: capturing an access request of a web application; collecting database access information related to the access request; capturing an access response corresponding to the access request; judging whether the access request, the access response and the database access information include preset sensitive information, to obtain a first judgment result; judging whether the data access process of the access request matches a preset constraint rule, to obtain a second judgment result; and determining whether an unauthorized vulnerability exists according to the first judgment result and the second judgment result. During web application access, the relevant access information is automatically captured and collected, and whether the access process has an unauthorized vulnerability is determined from whether the access information includes sensitive information and whether the access process matches the constraint rule, so an unauthorized vulnerability detection scheme that detects automatically and has good generality is achieved.

Description

Unauthorized vulnerability detection method and device
Technical Field
The present disclosure relates to the field of network security, and in particular, to an unauthorized vulnerability detection method and apparatus.
Background
An unauthorized vulnerability (access beyond the user's privileges) generally occurs because the use of data or resources exceeds the user's rights.
In some related techniques, unauthorized vulnerabilities are detected by manually reviewing the code. However, manual detection is inefficient and limited by the skill of the detection personnel.
In other related technologies, the unauthorized vulnerability is detected by simulating whether a low-authority user (e.g., a normal user) can access a URL (Uniform Resource Locator) belonging to a high-authority user (e.g., an administrator). Users with different authorities and different URLs need to be preset, and the results returned for each request need targeted comparison, so generality is poor.
In other related technologies, all accessible page sets and access-limited page sets are collected, then simulated access is performed on the pages, and an unauthorized vulnerability is detected by comparing the results of the simulated access with the actual access rights of the pages. The page addresses need to be classified first and simulated access is carried out one by one, so the workload is large and generality is poor.
Disclosure of Invention
The purpose of the disclosed embodiments is to provide an unauthorized vulnerability detection scheme with good generality that is capable of automatic detection.
The embodiment of the disclosure provides an unauthorized vulnerability detection method, which includes:
capturing an access request of a web application;
collecting database access information related to the access request;
capturing an access response corresponding to the access request;
judging whether the access request, the access response and the database access information comprise preset sensitive information or not to obtain a first judgment result;
judging whether the data access process of the access request matches a preset constraint rule, to obtain a second judgment result;
and determining whether an unauthorized vulnerability exists according to the first judgment result and the second judgment result.
In some embodiments, capturing the access request of the web application comprises:
acquiring an object of the access request, creating an instance of the access request based on the object of the access request, and setting the address of the instance of the access request as the address of a detector for detecting the unauthorized vulnerability.
In some embodiments, collecting database access information to which the access request relates comprises:
recording database operation command details, code execution context and return value details related to the access request based on a hook technology;
recording database metadata information based on a modified database connection function, wherein the modified database connection function inserts a database metadata information query command after the original database connection operation.
In some embodiments, capturing the access response corresponding to the access request comprises:
identifying and acquiring an access response corresponding to the access request through a key value pair identifier additionally arranged at the head of the access request and the head of the access response;
acquiring an object of the access response, creating an instance of the access response based on the object of the access response, and setting the address of the instance of the access response as the address of the detector for unauthorized vulnerability detection.
In some embodiments, determining whether the access request, the access response, and the database access information include preset sensitive information includes:
associating the access request, the access response, and the parameter list of database access information with database metadata information;
matching the associated database metadata information with preset sensitive information; if the associated database metadata information matches the preset sensitive information, judging that the sensitive information is included and outputting the parameters associated with the matching database metadata information, and if it does not match, judging that the sensitive information is not included.
In some embodiments, determining whether the data access process of the access request matches a preset constraint rule comprises:
judging whether the data access process of the access request conforms to the standard access flow defined by the constraint rule and to the standard parameters that the standard access flow should involve;
if both items conform, a match is determined, and if either item does not conform, a mismatch is determined.
In some embodiments, determining whether an unauthorized vulnerability exists according to the first determination result and the second determination result includes:
if the preset sensitive information is included and the preset constraint rule is not matched, determining that the unauthorized vulnerability exists;
if the preset sensitive information is not included and the preset constraint rule is matched, determining that the unauthorized vulnerability does not exist;
and if the preset sensitive information is included or the preset constraint rule is not matched (one condition but not both), determining that a risk of unauthorized vulnerability exists.
In some embodiments, the database connection function is modified by the insertAfter operation of the hookMethod method.
In some embodiments, the following is performed by an agent disposed in the web application system: capturing an access request of a web application; collecting database access information related to the access request; capturing an access response corresponding to the access request. The following is performed by a detector for unauthorized vulnerability detection: judging whether the access request, the access response and the database access information include preset sensitive information, to obtain a first judgment result; judging whether the data access process of the access request matches a preset constraint rule, to obtain a second judgment result; and determining whether an unauthorized vulnerability exists according to the first judgment result and the second judgment result.
Some embodiments of the present disclosure provide an unauthorized vulnerability detection apparatus, including:
an agent arranged on the web application system and configured to capture an access request of the web application, collect database access information related to the access request, and capture an access response corresponding to the access request;
a detector for unauthorized vulnerability detection configured to judge whether the access request, the access response and the database access information include preset sensitive information, to obtain a first judgment result; judge whether the data access process of the access request matches a preset constraint rule, to obtain a second judgment result; and determine whether an unauthorized vulnerability exists according to the first judgment result and the second judgment result.
In some embodiments, the agent is configured to:
acquiring an object of the access request, creating an instance of the access request based on the object of the access request, and setting the address of the instance of the access request as the address of a detector for detecting the unauthorized vulnerability;
or recording database operation command details, code execution context and return value details related to the access request based on a hook technology, and recording database metadata information based on a modified database connection function, wherein the modified database connection function inserts a database metadata information query command after an original database connection operation;
or identifying and acquiring an access response corresponding to the access request through a key value pair identifier added in a header of the access request and a header of the access response, acquiring an object of the access response, creating an instance of the access response based on the object of the access response, and setting an address of the instance of the access response as an address of a detector for unauthorized vulnerability detection.
In some embodiments, the detector is configured to:
associating the access request, the access response and the parameter list of the database access information with database metadata information, matching the associated database metadata information with preset sensitive information, if the associated database metadata information is matched with the preset sensitive information, judging that the associated database metadata information comprises the sensitive information, outputting parameters associated with the database metadata information matched with the preset sensitive information, and if the associated database metadata information is not matched with the preset sensitive information, judging that the associated database metadata information does not comprise the sensitive information;
or judging whether the data access process of the access request conforms to the standard access flow of the constraint rule and the standard parameters related to the standard access flow; if both conform, judging a match, and if either does not conform, judging a mismatch;
or if the preset sensitive information is included and the preset constraint rule is not matched, determining that the unauthorized vulnerability exists; if the preset sensitive information is not included and the preset constraint rule is matched, determining that the unauthorized vulnerability does not exist; and if the preset sensitive information is included or the preset constraint rule is not matched (one condition but not both), determining that a risk of the unauthorized vulnerability exists.
Some embodiments of the present disclosure provide an unauthorized vulnerability detection apparatus, including: a memory; and a processor coupled to the memory, the processor configured to perform the unauthorized vulnerability detection method of any of the embodiments based on instructions stored in the memory.
Some embodiments of the present disclosure provide a non-transitory computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the unauthorized vulnerability detection method described in any of the embodiments.
According to the method and the device, the relevant access information is automatically captured and collected during web application access, and whether the access process has an unauthorized vulnerability is determined from whether the access information includes sensitive information and whether the access process matches the constraint rule, so an unauthorized vulnerability detection scheme that detects automatically and has good generality is achieved.
Drawings
The drawings that will be used in the description of the embodiments or the related art will be briefly described below. The present disclosure can be understood more clearly from the following detailed description, which proceeds with reference to the accompanying drawings.
It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without undue inventive faculty.
Fig. 1 illustrates a deployment scenario diagram of unauthorized vulnerability detection in some embodiments of the present disclosure.
Fig. 2 illustrates a flow diagram of an unauthorized vulnerability detection method according to some embodiments of the present disclosure.
Fig. 3 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to some embodiments of the present disclosure.
Fig. 4 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to another embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure.
Unless otherwise specified, "first", "second", and the like in the present disclosure are described to distinguish different objects, and are not intended to mean size, timing, or the like.
Fig. 1 illustrates a deployment scenario diagram of unauthorized vulnerability detection in some embodiments of the present disclosure.
As shown in fig. 1, a Web (World Wide Web) application system has a web application accessible to users. During a user's access to the web application, the web application system performs identity identification and access authentication on the user through Identity and Access Management (IAM), and after authentication passes it provides the corresponding data or resources through a database. An agent is deployed inside the web application system, and a detector for unauthorized vulnerability detection is deployed outside it. A hook function is set in the agent. The agent uses the hook function to automatically capture (hook) and collect the relevant access information during the user's access to the web application, and forwards it to the detector. The detector determines whether the web application access process has an unauthorized vulnerability according to whether the access information includes sensitive information and whether the access process matches the constraint rule. Thus an unauthorized vulnerability detection scheme that detects automatically and has good generality is realized. In addition, a console can be provided, through which an administrator controls the unauthorized vulnerability detection tasks, for example setting the number of access users for concurrent detection, setting unauthorized vulnerability detection for specific applications, and so on. The administrator can also check the detection results through the console.
Fig. 2 illustrates a flow diagram of an unauthorized vulnerability detection method according to some embodiments of the present disclosure.
As shown in fig. 2, the unauthorized vulnerability detection method includes steps 210 to 260. The method is executed, for example, by an unauthorized vulnerability detection apparatus, wherein steps 210 to 230 can be executed by an agent disposed in the web application system, and steps 240 to 260 can be executed by a detector for unauthorized vulnerability detection.
At step 210, an access request for a web application is captured.
The agent acquires an object of the access request through a hook function, creates an instance of the access request based on that object, and sets the address of the instance as the address of the detector for unauthorized vulnerability detection, so as to forward the instance of the access request to the detector.
The methods related to access requests are typically located under a specified directory (package path), such as org/apache/catalina/. The hook function obtains the request-related methods from that directory, such as onInputStreamRead and applicationFilterChain.
In step 220, the database access information to which the access request relates is collected.
The agent records database access information related to the access request, such as database operation command details, code execution context (caller, calling parameters and the like) and return value details, based on the hook technology; it records database metadata information based on the modified database connection function and sends the database metadata information to the detector. The modified database connection function (e.g., connection) inserts database metadata information query commands (e.g., show tables) after the original database connection operation, and obtains the metadata of the database being operated on through these commands. For example, the database connection function is modified by the insertAfter operation of the hookMethod method of Javassist.
The methods related to database access are typically located under a specified directory, such as com/mysql/jdbc. The hook function obtains the various database access information from that directory, for example from connection, executeQuery, executeUpdate, checksqlquery result and the like.
In step 230, the access response corresponding to the access request is captured.
The head of the access request and the head of the access response are additionally provided with key-value pair identifiers, and the access request and the corresponding access response are associated through the key-value pair identifiers.
The agent identifies and obtains the access response corresponding to the access request through the key value pair identification added in the head of the access request and the head of the access response, obtains the object of the access response, creates an instance of the access response based on the object of the access response, and sets the address of the instance of the access response as the address of the detector for the unauthorized vulnerability detection so as to forward the instance of the access response to the detector.
The methods related to access responses are typically located under a specified directory, such as org/apache/catalina/. The hook function obtains the response-related methods from that directory, such as OutputBuffer, sendRedirect and sendError.
After step 230, steps 240 and 250 may be performed separately in parallel, or step 240 may be performed first and step 250 may be performed second, or step 250 may be performed first and step 240 may be performed second.
In step 240, it is determined whether the access request, the access response, and the database access information include preset sensitive information, so as to obtain a first determination result.
Associating the parameter lists of the access request, the access response and the database access information with the database metadata information, matching the associated database metadata information with preset sensitive information, if the associated database metadata information is matched with the preset sensitive information, judging that the sensitive information is included, outputting the parameters associated with the database metadata information matched with the preset sensitive information, and if the associated database metadata information is not matched with the preset sensitive information, judging that the sensitive information is not included.
In the association operation, the parameter string of the access request/access response is disassembled into key-value pairs. For example, the parameter string a=1&b=2 of a GET/POST request is first split on "&", then each part is split on "=", finally giving the key-value pairs {"a" = "1", "b" = "2"}. The keys of these pairs are then used to associate with the database metadata information. Since metadata is data describing data (data about data), the database metadata information associated with a parameter's key clarifies the business meaning of the parameter and facilitates matching with sensitive information.
The sensitive information includes, for example, a mobile phone number, an identification number, a detailed address, an order number, an express number, and the like.
In step 250, it is determined whether the data access process of the access request matches a preset constraint rule, to obtain a second determination result.
The constraint rule is the standard access flow for each kind of access request and the standard parameters that the standard access flow should involve. For example, the data query function of a user accessing a certain page of a certain application involves a query on a certain table of a database, and the constraint rule is: the identity of the operator needs to be determined first, then whether the user has authority for the operation needs to be determined, and then whether the data operation statement corresponding to the operation carries a limiting condition associated with the user identity (generally embodied in the where clause of the SQL statement) needs to be determined.
The data access process of the access request is compared with the standard access flow of the constraint rule and the standard parameters that the standard access flow involves; if both conform, a match is determined, and if either does not conform, a mismatch is determined.
In step 260, it is determined whether an unauthorized vulnerability exists according to the first determination result and the second determination result.
If the preset sensitive information is included and the preset constraint rule is not matched, it is determined that the unauthorized vulnerability exists; if the preset sensitive information is not included and the preset constraint rule is matched, it is determined that the unauthorized vulnerability does not exist; if the preset sensitive information is included or the preset constraint rule is not matched (one condition but not both), a risk of unauthorized vulnerability is determined, and the unauthorized vulnerability can be further judged in combination with other methods (such as manual detection or other automatic unauthorized vulnerability detection methods).
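To make steps 240 to 260 concrete, the following is an added example (not code from the patent) of a minimal detector that splits parameters into key-value pairs, associates the keys with database metadata to find preset sensitive information, checks the constraint rule (identity determined, authority checked, WHERE clause bound to the user identity) and combines the two results into the three-way verdict; the table and column names, the identity columns and the sample access records are constructed assumptions.

```python
"""Added example: detector-side logic for steps 240 to 260 of the method.
Not the patent's own code; DB metadata, column names and sample records are
constructed for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Preset sensitive-information categories (the patent lists phone number,
# ID number, detailed address, order number and express/tracking number).
SENSITIVE_CATEGORIES = {"phone", "id_number", "address", "order_no", "express_no"}

# Constructed database metadata: table -> {column: business meaning}.
# In the method this is what the agent's modified connection function gathers
# (e.g. via "show tables") right after the original connection is made.
DB_METADATA = {
    "t_order": {"order_id": "order_no", "user_id": "user",
                "phone": "phone", "addr": "address"},
    "t_user": {"uid": "user", "name": "name", "mobile": "phone"},
}

# Assumed names of the columns that carry the operator's identity.
USER_IDENTITY_COLUMNS = ("user_id", "uid")


@dataclass
class AccessRecord:
    """One access as forwarded by the agent: request, DB access, response."""
    request_params: str        # raw GET/POST parameter string, e.g. "a=1&b=2"
    response_fields: list      # field names present in the response body
    sql: str                   # captured database operation command
    tables: list               # tables that the command operated on
    identity_resolved: bool    # rule item 1: operator identity was determined
    authority_checked: bool    # rule item 2: permission for the operation was checked


def split_params(param_str: str) -> dict:
    """Step 240 association: split 'a=1&b=2' on '&' then '=' -> {'a': '1', 'b': '2'}."""
    return dict(parse_qsl(param_str, keep_blank_values=True))


def associate_with_metadata(keys, tables) -> dict:
    """Map each parameter/field key to its business meaning via DB metadata."""
    meaning = {}
    for table in tables:
        for column, business in DB_METADATA.get(table, {}).items():
            if column in keys:
                meaning[column] = business
    return meaning


def first_judgment(rec: AccessRecord):
    """Step 240: do request, response and DB access involve preset sensitive
    information?  Returns (includes_sensitive, sorted matched parameter keys)."""
    keys = set(split_params(rec.request_params)) | set(rec.response_fields)
    meaning = associate_with_metadata(keys, rec.tables)
    matched = sorted(k for k, biz in meaning.items() if biz in SENSITIVE_CATEGORIES)
    return bool(matched), matched


def second_judgment(rec: AccessRecord) -> bool:
    """Step 250: does the access process match the preset constraint rule?
    All items must hold: identity determined, authority checked, and the SQL
    carries a WHERE condition bound to the user's identity."""
    sql = rec.sql.lower()
    where_clause = sql.split(" where ", 1)[1] if " where " in sql else ""
    bound_to_user = any(re.search(rf"\b{re.escape(col)}\b", where_clause)
                        for col in USER_IDENTITY_COLUMNS)
    return rec.identity_resolved and rec.authority_checked and bound_to_user


def verdict(includes_sensitive: bool, matches_rule: bool) -> str:
    """Step 260: combine the two judgment results."""
    if includes_sensitive and not matches_rule:
        return "vulnerability"
    if not includes_sensitive and matches_rule:
        return "none"
    return "risk"  # exactly one check failed: confirm by other means


def detect(rec: AccessRecord) -> dict:
    sensitive, params = first_judgment(rec)
    matched = second_judgment(rec)
    return {"sensitive": sensitive, "sensitive_params": params,
            "rule_matched": matched, "verdict": verdict(sensitive, matched)}


# Constructed sample records, one per verdict.
SAMPLES = {
    # order lookup returns phone/address, no permission check, WHERE not bound to user
    "vuln": AccessRecord("order_id=1001", ["phone", "addr"],
                         "SELECT phone, addr FROM t_order WHERE order_id = ?",
                         ["t_order"], identity_resolved=True, authority_checked=False),
    # own display name, full flow, WHERE bound to uid
    "ok": AccessRecord("page=2", ["name"],
                       "SELECT name FROM t_user WHERE uid = ?",
                       ["t_user"], identity_resolved=True, authority_checked=True),
    # flow looks right but a phone number is exposed: flagged as risk
    "risk": AccessRecord("uid=7", ["mobile"],
                         "SELECT mobile FROM t_user WHERE uid = ?",
                         ["t_user"], identity_resolved=True, authority_checked=True),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, detect(rec))
```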
According to this embodiment, the relevant access information is automatically captured and collected during web application access, and whether the access process has an unauthorized vulnerability is determined from whether the access information includes sensitive information and whether the access process matches the constraint rule, so an unauthorized vulnerability detection scheme with good generality and capable of automatic detection is realized. Moreover, horizontal unauthorized-access vulnerabilities are detected through sensitive information detection and vertical unauthorized-access vulnerabilities are detected through constraint rule matching, so the detection is comprehensive, which helps improve its accuracy.
Fig. 3 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to some embodiments of the present disclosure.
As shown in fig. 3, the apparatus 300 of this embodiment includes an agent 310 disposed on the web application system and a detector 320 for unauthorized vulnerability detection. The detector 320 may be implemented, for example, as a plug-in.
An agent 310 provided to the web application system, configured to capture an access request of the web application; collecting database access information related to the access request; and capturing the corresponding access response of the access request.
The detector 320 is configured to determine whether the access request, the access response and the database access information include preset sensitive information, to obtain a first determination result; judge whether the data access process of the access request matches a preset constraint rule, to obtain a second judgment result; and determine whether an unauthorized vulnerability exists according to the first judgment result and the second judgment result.
In some embodiments, the agent 310 is configured to: and acquiring an object of the access request, creating an instance of the access request based on the object of the access request, and setting the address of the instance of the access request as the address of a detector for detecting the unauthorized vulnerability.
In some embodiments, the agent 310 is configured to: record, by means of hooking, the database operation command details, code execution context and return value details related to the access request, and record database metadata information by means of a modified database connection function, wherein the modified database connection function inserts a database metadata information query command after the original database connection operation.
In some embodiments, the agent 310 is configured to: identify and obtain the access response corresponding to the access request through a key-value pair identifier added to the header of the access request and the header of the access response, obtain an object of the access response, create an instance of the access response based on that object, and set the address of the instance of the access response to the address of the detector for unauthorized vulnerability detection.
In some embodiments, the detector 320 is configured to: associate the parameter lists of the access request, the access response and the database access information with the database metadata information, and match the associated database metadata information against the preset sensitive information; if it matches, judge that sensitive information is included and output the parameters associated with the matched database metadata information; if it does not match, judge that sensitive information is not included.
In some embodiments, the detector 320 is configured to: judge whether the data access process of the access request conforms to the standard access flow of the closed-scale constraint and to the standard parameters that the standard access flow should involve; if both conform, the data access process of the access request is judged to match, and if either does not conform, it is judged not to match.
In some embodiments, the detector 320 is configured to: if the preset sensitive information is included and the preset closed-scale type is not matched, determine that an unauthorized vulnerability exists; if the preset sensitive information is not included and the preset closed-scale type is matched, determine that no unauthorized vulnerability exists; and if the preset sensitive information is included or the preset closed-scale type is not matched, determine that a risk of unauthorized vulnerability exists.
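As an added example (not the patent's own code), the detector side of the scheme in the preceding paragraphs in Python: the first judgment associates the names captured from request, response and database operations with the recorded database metadata and matches them against preset sensitive information, the second judgment checks the recorded operations against a standard access flow and its standard parameters, and the two results are combined into the three verdicts given above. The agent's hooks and header identifier are replaced by constructed records; the header name X-Detect-Id, the column names, the flow and the sample captures are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Preset sensitive information (constructed column names standing in for the patent's list).
SENSITIVE_COLUMNS = {"id_card_no", "phone", "bank_card"}
# Standard access flow of the closed-scale constraint: ordered operation kinds and the
# parameters each step must bind (constructed; the owner_id filter ties the order to the user).
STANDARD_FLOW = [("SELECT session", {"session_id"}), ("SELECT order", {"order_id", "owner_id"})]

class Verdict(Enum):
    VULNERABLE = "unauthorized vulnerability exists"
    RISK = "risk of unauthorized vulnerability"
    CLEAN = "no unauthorized vulnerability"

@dataclass
class Capture:
    """What the agent hands to the detector for one request/response pair."""
    request_params: dict   # parameters of the captured access request
    response_fields: set   # field names present in the captured access response
    db_ops: list           # hooked DB operations: kind, columns touched, bound params
    db_metadata: dict      # column -> table, recorded right after the DB connection

def pair_by_header(requests, responses, key="X-Detect-Id"):
    """Pair responses with requests via the key/value identifier the agent adds to
    both headers (the header name is constructed)."""
    by_id = {r["headers"][key]: r for r in requests if key in r["headers"]}
    return [(by_id[s["headers"][key]], s) for s in responses if s["headers"].get(key) in by_id]

def associate_with_metadata(cap):
    """First judgment, step 1: map each parameter/field seen in request, response
    and DB operations to its table using the recorded database metadata."""
    names = set(cap.request_params) | set(cap.response_fields)
    for op in cap.db_ops:
        names |= set(op["columns"])
    return {n: cap.db_metadata[n] for n in names if n in cap.db_metadata}

def first_judgment(cap):
    """First judgment, step 2: associated names matching preset sensitive information
    (an empty list means 'sensitive information not included')."""
    return sorted(n for n in associate_with_metadata(cap) if n in SENSITIVE_COLUMNS)

def second_judgment(cap):
    """Second judgment: operations must follow the standard flow in order and each
    step must bind its standard parameters; any missing step or parameter is a mismatch."""
    if [op["kind"] for op in cap.db_ops] != [kind for kind, _ in STANDARD_FLOW]:
        return False
    return all(req <= set(op["bound_params"]) for op, (_, req) in zip(cap.db_ops, STANDARD_FLOW))

def decide(cap):
    """Combine the two judgments the way the detector does: both adverse -> vulnerability,
    both benign -> clean, otherwise -> risk."""
    sensitive, matched = first_judgment(cap), second_judgment(cap)
    if sensitive and not matched:
        return Verdict.VULNERABLE, sensitive
    if not sensitive and matched:
        return Verdict.CLEAN, sensitive
    return Verdict.RISK, sensitive

# Constructed sample data: database metadata and two recorded accesses.
DB_METADATA = {"session_id": "session", "owner_id": "orders", "order_id": "orders",
               "amount": "orders", "phone": "orders"}
SESSION_OP = {"kind": "SELECT session", "columns": ["session_id", "owner_id"],
              "bound_params": ["session_id"]}
GOOD = Capture({"session_id": "s1", "order_id": "42"}, {"order_id", "amount"},
               [SESSION_OP, {"kind": "SELECT order", "columns": ["order_id", "amount"],
                             "bound_params": ["order_id", "owner_id"]}], DB_METADATA)
# Order fetched by id alone (owner filter dropped) and the response carries a phone number.
BAD = Capture({"session_id": "s1", "order_id": "42"}, {"order_id", "amount", "phone"},
              [SESSION_OP, {"kind": "SELECT order", "columns": ["order_id", "amount", "phone"],
                            "bound_params": ["order_id"]}], DB_METADATA)

if __name__ == "__main__":
    for name, cap in (("GOOD", GOOD), ("BAD", BAD)):
        verdict, params = decide(cap)
        print(f"{name}: {verdict.value}; sensitive parameters: {params}")
```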
Fig. 4 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to another embodiment of the present disclosure.
As shown in fig. 4, the apparatus 400 of this embodiment includes: a memory 410 and a processor 420 coupled to the memory 410, the processor 420 configured to perform the unauthorized vulnerability detection method of any of the foregoing embodiments based on instructions stored in the memory 410.
For example, processor 420 captures an access request of a web application; collects database access information related to the access request; captures an access response corresponding to the access request; judges whether the access request, the access response and the database access information include preset sensitive information to obtain a first judgment result; judges whether the data access process of the access request matches a preset closed-scale type to obtain a second judgment result; and determines whether an unauthorized access vulnerability exists according to the first judgment result and the second judgment result.
Memory 410 may include, for example, system memory, fixed non-volatile storage media, and the like. The system memory stores, for example, an operating system, application programs, a boot loader, and other programs.
The apparatus 400 may also include an input/output interface 430, a network interface 440, a storage interface 450, and the like. These interfaces 430, 440, 450 and the connection between the memory 410 and the processor 420 may be, for example, via a bus 460. The input/output interface 430 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 440 provides a connection interface for various networking devices. The storage interface 450 provides a connection interface for external storage devices such as an SD card and a USB disk.
The disclosed embodiments provide a non-transitory computer readable storage medium having stored thereon a computer program that, when executed by a processor, performs the steps of the unauthorized vulnerability detection method.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more non-transitory computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present disclosure and is not intended to limit the present disclosure, so that any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (14)

1. An unauthorized vulnerability detection method is characterized by comprising the following steps:
capturing an access request of a web application;
collecting database access information related to the access request;
capturing an access response corresponding to the access request;
judging whether the access request, the access response and the database access information comprise preset sensitive information or not to obtain a first judgment result;
judging whether the data access process of the access request is matched with a preset closed-scale type or not to obtain a second judgment result;
and determining whether an unauthorized access vulnerability exists according to the first judgment result and the second judgment result.
2. The method of claim 1, wherein capturing the request for access to the web application comprises:
acquiring an object of the access request, creating an instance of the access request based on the object of the access request, and setting the address of the instance of the access request as the address of a detector for unauthorized vulnerability detection.
3. The method of claim 1, wherein collecting database access information to which the access request relates comprises:
recording database operation command details, code execution context and return value details related to the access request based on a hook technology;
recording database metadata information based on a modified database connection function, wherein the modified database connection function inserts a database metadata information query command after the original database connection operation.
4. The method of claim 1, wherein capturing the access response corresponding to the access request comprises:
identifying and acquiring the access response corresponding to the access request through a key-value pair identifier added to the header of the access request and the header of the access response;
and acquiring an object of the access response, creating an instance of the access response based on the object of the access response, and setting the address of the instance of the access response as the address of the detector for the unauthorized vulnerability detection.
5. The method of claim 1, wherein determining whether the access request, the access response, and the database access information include preset sensitive information comprises:
associating the access request, the access response, and the parameter list of database access information with database metadata information;
and matching the associated database metadata information against preset sensitive information; if it matches, judging that sensitive information is included and outputting the parameters associated with the matched database metadata information; if it does not match, judging that sensitive information is not included.
6. The method of claim 1, wherein determining whether the data access process of the access request matches a preset closed-scale type comprises:
judging whether the data access process of the access request conforms to the standard access flow of the closed-scale constraint and to the standard parameters that the standard access flow should involve;
if both conform, judging that it matches, and if either does not conform, judging that it does not match.
7. The method of claim 1, wherein determining whether an unauthorized vulnerability exists according to the first judgment result and the second judgment result comprises:
if the preset sensitive information is included and the preset closed-scale type is not matched, determining that an unauthorized vulnerability exists;
if the preset sensitive information is not included and the preset closed-scale type is matched, determining that no unauthorized vulnerability exists;
and if the preset sensitive information is included or the preset closed-scale type is not matched, determining that a risk of unauthorized vulnerability exists.
8. The method according to claim 3, wherein the database connection function is modified by means of the insertAfter operation of the hookMethod method.
9. The method according to any one of claims 1 to 8, wherein
the following are executed by an agent provided in the web application system: capturing an access request of a web application; collecting database access information related to the access request; capturing an access response corresponding to the access request;
and the following are performed by a detector for unauthorized vulnerability detection: judging whether the access request, the access response and the database access information include preset sensitive information to obtain a first judgment result; judging whether the data access process of the access request matches a preset closed-scale type to obtain a second judgment result; and determining whether an unauthorized access vulnerability exists according to the first judgment result and the second judgment result.
10. An unauthorized vulnerability detection device, comprising:
an agent arranged in the web application system, configured to capture an access request of the web application; collect database access information related to the access request; and capture an access response corresponding to the access request;
a detector for unauthorized vulnerability detection, configured to judge whether the access request, the access response and the database access information include preset sensitive information to obtain a first judgment result; judge whether the data access process of the access request matches a preset closed-scale type to obtain a second judgment result; and determine whether an unauthorized access vulnerability exists according to the first judgment result and the second judgment result.
11. The apparatus of claim 10, wherein the agent is configured to:
acquiring an object of the access request, creating an instance of the access request based on the object of the access request, and setting the address of the instance of the access request as the address of a detector for detecting the unauthorized vulnerability;
or recording database operation command details, code execution context and return value details related to the access request based on a hook technology, and recording database metadata information based on a modified database connection function, wherein the modified database connection function inserts a database metadata information query command after an original database connection operation;
or identifying and acquiring an access response corresponding to the access request through a key value pair identifier added in a header of the access request and a header of the access response, acquiring an object of the access response, creating an instance of the access response based on the object of the access response, and setting an address of the instance of the access response as an address of a detector for unauthorized vulnerability detection.
12. The apparatus of claim 10, wherein the detector is configured to:
associating the access request, the access response and the parameter list of the database access information with database metadata information, matching the associated database metadata information with preset sensitive information, if the associated database metadata information is matched with the preset sensitive information, judging that the associated database metadata information comprises the sensitive information, outputting parameters associated with the database metadata information matched with the preset sensitive information, and if the associated database metadata information is not matched with the preset sensitive information, judging that the associated database metadata information does not comprise the sensitive information;
or, judging whether the data access process of the access request conforms to the standard access flow of the closed-scale constraint and the standard parameters related to the standard access flow, if so, judging matching, and if any one does not conform, judging mismatching;
or if the preset sensitive information is included and the preset closed-scale type is not matched, determining that the unauthorized vulnerability exists, if the preset sensitive information is not included and the preset closed-scale type is matched, determining that the unauthorized vulnerability does not exist, and if the preset sensitive information is included or the preset closed-scale type is not matched, determining that the risk of the unauthorized vulnerability exists.
13. An unauthorized vulnerability detection device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the unauthorized vulnerability detection method of any of claims 1-9 based on instructions stored in the memory.
14. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the unauthorized vulnerability detection method of any of claims 1-9.
CN202110003407.XA | 2021-01-04 | 2021-01-04 | Unauthorized vulnerability detection method and device | Active | CN113779585B (en)

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN202110003407.XA CN113779585B (en) | 2021-01-04 | 2021-01-04 | Unauthorized vulnerability detection method and device
PCT/CN2021/137814 WO2022143145A1 (en) | 2021-01-04 | 2021-12-14 | Over-permission loophole detection method and apparatus

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202110003407.XA CN113779585B (en) | 2021-01-04 | 2021-01-04 | Unauthorized vulnerability detection method and device

Publications (2)

Publication Number | Publication Date
CN113779585A (en) | 2021-12-10
CN113779585B (en) | 2024-06-14


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant