CN114301673A - A vulnerability detection method, device, electronic device and storage medium - Google Patents
Publication number: CN114301673A (application CN202111624807.9A)
Authority: CN (China)
Prior art keywords: request, target detection, interface, access request, domain name
Legal status: Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Abstract
The present application provides a vulnerability detection method, a device, an electronic device and a storage medium. The method includes: acquiring an interface access request of a server to be detected, the interface access request including multiple request parameters; determining a risk parameter among the multiple request parameters of the interface access request; replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, the attack payload being an address pointing to a domain name resolution system; sending the target detection request to the server to be detected; and monitoring the domain name resolution log generated on the domain name resolution system and judging, according to the domain name resolution log, whether the target detection request has a vulnerability. By determining the risk parameters, the method constructs detection requests that carry an attack payload, so that the risk points of an interface are tested precisely and the vulnerability is located, while avoiding the attack payloads producing so much dirty data that the normal operation of the interface is affected.
Description
Technical field
The present application relates to the field of computer technology, and in particular to a vulnerability detection method, apparatus, electronic device and storage medium.
Background
With the development of WEB technology, the security risks of the Internet have become increasingly serious. For example, SSRF (Server-Side Request Forgery) is a very common vulnerability. An SSRF vulnerability arises when a server provides a function that fetches data from other server applications without filtering or restricting the target address, for example fetching the text of a web page from a specified URL, loading an image from a specified address, or downloading a file. Loading some external resources that involve improper content can also give rise to security compliance vulnerabilities; attackers use a flawed WEB application as a proxy to attack remote and local servers, which easily causes irreparable losses.
At present these vulnerabilities are detected with open-source or commercial scanning software, which constructs large numbers of attack payloads and executes test cases mechanically, thereby producing a large amount of detection dirty data that affects the normal functioning of the business.
Summary of the invention
The purpose of the embodiments of the present application is to provide a vulnerability detection method, apparatus, electronic device and storage medium, so as to reduce the dirty data generated during testing.
In a first aspect, an embodiment of the present application provides a vulnerability detection method, the method including: acquiring an interface access request of a server to be detected, the interface access request including multiple request parameters; determining a risk parameter among the multiple request parameters of the interface access request; replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, the attack payload being an address pointing to a domain name resolution system; sending the target detection request to the server to be detected; and monitoring the domain name resolution log generated on the domain name resolution system and judging, according to the domain name resolution log, whether the target detection request has a vulnerability.
In this embodiment of the present application, an interface access request of the server to be detected is acquired, the interface access request including multiple request parameters; the risk parameter in the interface access request is then determined and replaced with a preset attack payload to obtain a target detection request; the resolution log on the domain name resolution system is then monitored to judge whether the target detection request has a vulnerability. By locating the risk parameters precisely, the number of target detection requests is reduced, which reduces the dirty data generated during testing and avoids affecting the normal use of the interface.
Further, determining the risk parameter among the multiple request parameters of the interface access request includes: matching each of the multiple request parameters of the interface access request against preset address feature values; and, if the match succeeds, determining the corresponding request parameter to be a risk parameter.
In this embodiment of the present application, the multiple request parameters of the interface access request are matched against preset address feature values, and a request parameter whose match succeeds is set as a risk parameter. By matching the request parameters contained in the components of the interface access request, the risk parameters in those components are located precisely, the risk points of the vulnerability are determined, and unnecessary target detection requests are reduced.
Further, the interface access request contains multiple risk parameters, and replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request includes: replacing each of the multiple risk parameters in the interface access request with a different preset attack payload, and obtaining a target detection request corresponding to each risk parameter.
In this embodiment of the present application, because the interface access request contains multiple risk parameters, each of them is replaced with a different preset attack payload, and a target detection request corresponding to each risk parameter is obtained. Keeping the target detection requests of different risk parameters separate avoids test interference between risk parameters and establishes a one-to-one correspondence between attack payloads and risk parameters, which helps to determine the risk points in the interface.
Further, judging according to the domain name resolution log whether the target detection request has a vulnerability includes: judging whether the domain name resolution log contains log information corresponding to the attack payload; where, if the domain name resolution log contains log information corresponding to the attack payload, the target detection request has a vulnerability, and if the domain name resolution log does not contain log information corresponding to the attack payload, the target detection request has no vulnerability.
In this embodiment of the present application, because the attack payload points to an address in the domain name resolution system, log information is generated in the domain name resolution log when the attack payload is triggered. By judging whether the domain name resolution log contains the log information corresponding to the attack payload, whether the target detection request has a vulnerability is determined from the attack payload, the detection of the vulnerability is completed, and the risk point of the vulnerability can be determined from the attack payload, which helps developers locate where the vulnerability arises.
Further, acquiring the interface access request of the server to be detected includes: acquiring real-time traffic from user access to the server to be detected; and processing the real-time traffic according to the type of interface accessed and the protocol format requirements to obtain an interface access request that conforms to the protocol format requirements.
In this embodiment of the present application, before the interface access request of the server to be detected is acquired, real-time traffic from user access to the server to be detected may also be acquired, and the real-time traffic processed according to the type of interface accessed and the protocol format requirements, so as to obtain an interface access request that conforms to the protocol format requirements and corresponds to the target detection request. Interface access requests are thus generated from the real-time traffic produced by users, which guarantees the coverage of the interfaces, while the format processing guarantees the validity of the test data.
Further, processing the real-time traffic according to the type of interface accessed and the protocol format requirements to obtain an interface access request that conforms to the protocol format requirements includes: formatting the real-time traffic according to the protocol format requirements to generate standard access requests that conform to the protocol format requirements; and classifying and merging the standard access requests according to the interface type to obtain the interface access request corresponding to that interface type.
In this embodiment of the present application, the real-time traffic is formatted according to the protocol format requirements so that standard access requests conforming to those requirements can be generated, and the standard access requests are then classified and merged by the type of interface accessed to obtain the interface access request corresponding to the target detection request. The formatting, classification and merging of the real-time traffic convert real-time traffic into interface access requests, so that real-time traffic can be reworked and interface access requests generated quickly.
Further, after the target detection request is obtained, the method further includes: acquiring a pre-configured authentication information pool, the authentication information pool containing authentication information corresponding to the target detection request; and acquiring the authentication information from the authentication information pool and adding it to the target detection request, so that the server to be detected can authenticate the target detection request.
In this embodiment of the present application, a pre-configured authentication information pool containing the authentication information corresponding to the target detection request may also be acquired; by acquiring the authentication information from the pool and adding it to the target detection request, the server to be detected can authenticate the target detection request. The preset authentication information pool thus completes the authentication of the target detection request and avoids the target detection request failing authentication.
Further, after the target detection request is obtained, the method further includes: adding a marker parameter to the target detection request, the marker parameter being used to distinguish whether the target detection request comes from the real-time traffic or from test traffic.
In this embodiment of the present application, after the target detection request is obtained, a marker parameter may also be added to it, and the marker parameter is used to distinguish whether the target detection request comes from real-time traffic or from test traffic. The target detection request is thus marked, which helps business personnel judge abnormal information.
In a second aspect, an embodiment of the present application provides a vulnerability detection apparatus, the apparatus including: an acquisition module, configured to acquire an interface access request of a server to be detected, the interface access request including multiple request parameters; a risk parameter determination module, configured to determine a risk parameter among the multiple request parameters of the interface access request; a request generation module, configured to replace the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, the attack payload being an address pointing to a domain name resolution system; a sending module, configured to send the target detection request to the server to be detected; and a judgment module, configured to monitor the domain name resolution log generated on the domain name resolution system and judge, according to the domain name resolution log, whether the target detection request has a vulnerability.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor, a memory and a bus, where the processor and the memory interact with each other through the bus;
the memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to perform the method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, including:
the computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to perform the method of the first aspect.
Other features and advantages of the present application will be set forth in the description that follows and will in part be apparent from the description, or may be learned by practising the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description, claims and drawings.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings that need to be used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
FIG. 1 is a schematic flowchart of a vulnerability detection method provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a real-time traffic acquisition method provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of another vulnerability detection method provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a vulnerability detection apparatus provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
Detailed description
In view of the problem that existing vulnerability detection processes produce too much detection dirty data, the present application provides a vulnerability detection method. The method acquires an interface access request of the server to be detected, determines the risk parameters among the multiple request parameters contained in the interface access request, and uses the risk parameters to generate target detection requests carrying attack payloads for vulnerability detection. Risk points are thus located precisely, and the generation of so much detection dirty data during testing that the normal operation of the interface is affected is avoided.
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
FIG. 1 is a schematic flowchart of a vulnerability detection method provided by an embodiment of the present application. As shown in FIG. 1, the method can be applied to a test terminal, which can be a terminal device (also called an electronic device) or a server; the terminal device may specifically be a smartphone, a tablet computer, a computer, a personal digital assistant (PDA) or the like, and the server may specifically be an application server or a Web server. A test platform system is deployed on the test terminal to perform vulnerability detection on the interfaces of the server to be detected. The method includes:
Step 101: acquire an interface access request of the server to be detected, the interface access request including multiple request parameters.
The server to be detected can be a server on which a WEB application is deployed. The WEB application contains multiple interfaces, and vulnerability detection can be performed on these interfaces by acquiring the access requests corresponding to them. An interface access request can be a uniform resource locator (URL) path, for example "xxxabc.com". The interface access request can contain several parts of data, for example a request line, a request body and request data, and each part can contain multiple request parameters.
Step 102: determine the risk parameter among the multiple request parameters of the interface access request.
A risk parameter can be a parameter that is prone to producing a vulnerability, such as an SSRF vulnerability, in an interface on the WEB application server; among the parameters contained in the interface, a request parameter that carries address information can be determined to be a risk parameter. The risk parameter can be determined by comparing a commonly used address protocol value, such as http, with the request parameters contained in these requests and identifying the parameters that carry risk. The components of the interface are thus analysed for their features, which avoids a blanket test of the whole interface that would generate a large amount of detection dirty data.
Step 103: replace the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, the attack payload being an address pointing to a domain name resolution system.
The preset attack payload can be an address value generated in one-to-one correspondence with the risk parameter. The attack payload can be an address pointing to a domain name resolution system, which maps domain names (DNS) and IP addresses to each other, so that when the interface has a vulnerability the target detection request carrying the attack payload is captured by the domain name resolution system. For example, if the address of the domain name resolution system is "xxxdnslog.com", the test terminal sets the attack payload to a third-level domain name under that system, such as "dfga2.xxxdnslog.com", thereby generating the address corresponding to the risk parameter and obtaining the modified target detection request.
Step 104: send the target detection request to the server to be detected.
Step 105: monitor the domain name resolution log generated on the domain name resolution system, and judge, according to the domain name resolution log, whether the target detection request has a vulnerability.
After the test terminal sends the target detection request to the server to be detected, because the attack payload points to the address where the domain name resolution system is located, the substituted attack payload of the target detection request is triggered if the risk parameter of that request has a vulnerability; the target detection request carrying the attack payload is then captured by the domain name resolution system, which generates corresponding log information. By monitoring the domain name resolution log generated on the domain name resolution system, it can be judged whether the attack payload in the target detection request was triggered, and therefore whether the target detection request has a vulnerability. It should be understood that the server to be detected can contain multiple interfaces to be detected, and that multiple target detection requests can be constructed for each interface to detect whether it has a vulnerability; the interface has no vulnerability when none of the target detection requests corresponding to it has one. By determining the risk parameters among the request parameters, target detection requests are constructed precisely, the generation of a large amount of detection dirty data in the interface is avoided, and the normal operation of the interface is guaranteed.
On the basis of the above embodiment, determining the risk parameter among the multiple request parameters of the interface access request includes:
matching each of the multiple request parameters of the interface access request against preset address feature values;
if the match succeeds, determining the corresponding request parameter to be a risk parameter.
The preset address feature values can be the address values of transport protocols commonly used on the Internet, such as "file://", "dict://", "sftp://", "ldap://", "tftp://", "gopher://" and other address-bar feature values. These may be exploited through a vulnerability to use the server to be detected as a springboard for obtaining and tampering with internal data on other servers, so all of these address values are risk points that may cause an interface to have a vulnerability. The multiple request parameters of the interface access request therefore need to be matched against these addresses, and a request parameter whose match succeeds can be determined to be a risk parameter. If none of the above address values is detected in the multiple request parameters of the interface access request, there is no match, and the target detection request has no vulnerability.
On the basis of the above embodiment, the interface access request contains multiple risk parameters, and replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request includes:
replacing each of the multiple risk parameters in the interface access request with a different preset attack payload, and obtaining a target detection request corresponding to each risk parameter.
In some implementations, when risk parameters are replaced with attack payloads as described above and the interface access request contains multiple risk parameters, each of these risk parameters needs to be replaced with a different preset attack payload, and a target detection request corresponding to each risk parameter is then obtained. That is, risk parameters and attack payloads correspond one to one: if the interface access request contains N risk parameters, N corresponding attack payloads need to be constructed from the risk parameters, and N target detection requests are then generated for testing. Each attack payload is thus detected independently, which guarantees that the test processes of the target detection requests generated for the individual risk parameters do not interfere with one another.
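The following Python example is added here and is not code from the patent or from any implementation of it; it carries steps 102 to 105 through on one constructed request, matching query parameters against the address feature values listed above, substituting a distinct label under an assumed DNS-log domain for each risk parameter (one detection request per parameter, as in the one-to-one replacement above), appending the marker parameter from the summary, and correlating constructed DNS query-log lines back to the parameter that triggered them. The domain example-dnslog.test, the marker name x-ssrf-test, the query-log line format and the sample URL are all assumptions.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Address feature values named in the description (step 102); "http://" and
# "https://" are added for the "commonly used address protocol" example.
ADDRESS_SCHEMES = ("http://", "https://", "file://", "dict://", "sftp://",
                   "ldap://", "tftp://", "gopher://")

# Assumed DNS-log domain under the tester's control (placeholder value).
DNSLOG_DOMAIN = "example-dnslog.test"

# Marker parameter that separates test traffic from live traffic (assumed name).
MARKER = ("x-ssrf-test", "1")

# BIND-style query-log line; the format is assumed for this example.
DNS_QUERY_RE = re.compile(r"\bquery:\s+(?P<qname>[A-Za-z0-9.-]+)\s+IN\s+")


def is_risk_param(value):
    """Step 102: a parameter whose value carries an address scheme is a risk parameter."""
    return value.strip().lower().startswith(ADDRESS_SCHEMES)


def build_detection_requests(url, token_fn=lambda: secrets.token_hex(4)):
    """Step 103: build one target detection request per risk parameter.

    Each request replaces exactly one risk parameter with its own label under
    DNSLOG_DOMAIN, so a later DNS hit maps back to a single parameter.
    token_fn is injectable so callers can use fixed labels when testing.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    requests = []
    for idx, (name, value) in enumerate(params):
        if not is_risk_param(value):
            continue
        token = token_fn()
        payload = f"http://{token}.{DNSLOG_DOMAIN}/"
        # Replace by position so a repeated parameter name is handled one at a time.
        replaced = [(n, payload if i == idx else v) for i, (n, v) in enumerate(params)]
        replaced.append(MARKER)
        requests.append({
            "param": name,
            "token": token,
            "url": urlunsplit(parts._replace(query=urlencode(replaced))),
        })
    return requests


def triggered_tokens(log_lines):
    """Step 105: collect the payload labels that actually appear as queried names."""
    suffix = "." + DNSLOG_DOMAIN
    hits = set()
    for line in log_lines:
        match = DNS_QUERY_RE.search(line)
        if not match:
            continue
        qname = match.group("qname").lower().rstrip(".")
        if qname.endswith(suffix):
            # Keep the label directly under our domain, ignoring any deeper prefix.
            hits.add(qname[:-len(suffix)].split(".")[-1])
    return hits


def judge(requests, log_lines):
    """A detection request is vulnerable iff its own label was resolved."""
    hits = triggered_tokens(log_lines)
    return {req["param"]: req["token"] in hits for req in requests}


# Constructed sample request: two address-carrying parameters and one plain one.
SAMPLE_URL = ("https://app.example.test/api/preview?src=http://cdn.example.test/a.png"
              "&callback=http://hooks.example.test/cb&page=2")


def sample_dns_log(token):
    """Constructed query-log lines in which only the given label was resolved."""
    return [
        "10-Jan-2022 12:00:00.001 client 203.0.113.7#41000: query: www.example.test IN A +",
        f"10-Jan-2022 12:00:00.250 client 203.0.113.7#41001: query: {token}.{DNSLOG_DOMAIN} IN A +",
        "10-Jan-2022 12:00:01.000 client 203.0.113.8#41002: zone transfer denied",
    ]


def run_demo():
    """Fixed labels so the result is reproducible: only 'src' triggers a lookup."""
    labels = iter(["aaaa1111", "bbbb2222"])
    reqs = build_detection_requests(SAMPLE_URL, token_fn=lambda: next(labels))
    return judge(reqs, sample_dns_log("aaaa1111"))


if __name__ == "__main__":
    print(run_demo())  # {'src': True, 'callback': False}
```

Because the verdict keys on the per-request label rather than on the domain alone, a lookup of the second label would have pointed at callback instead, which is the one-to-one attribution the description relies on.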
On the basis of the above embodiment, obtaining the interface access request of the server under test includes:
obtaining real-time traffic from user access to the server under test;
processing the real-time traffic according to the type of interface accessed and the protocol format requirements, and obtaining an interface access request that meets the protocol format requirements.
For example, the source of the interface access request may be the real-time traffic of users accessing the server under test, and the interface access request for the server under test is built from that real-time traffic. FIG. 2 is a schematic flowchart of a real-time traffic acquisition method provided by an embodiment of the present application. As shown in FIG. 2, a specific implementation may be:
Step 201: the test terminal first obtains the real-time access requests sent by clients to the backend WEB server;
Step 202: the test terminal uses a pre-built Nginx proxy server to mirror the real-time traffic of the real-time access requests sent by clients, and the mirrored traffic is sent to the test terminal. Nginx implements traffic mirroring by adding ngx_http_mirror_module. By configuring the proxy server, real-time access traffic can be copied to the electronic device used to test the server under test. The proxy configuration is as follows:
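The patent's own proxy configuration is not reproduced on the page. As an added example (not the patent's configuration), this is the usual shape of a request copy produced with ngx_http_mirror_module; the upstream addresses, the server name and the X-Mirror-Source header are assumptions.

```nginx
# Added example, not the patent's configuration: copy every request that
# reaches the production upstream to the test terminal via ngx_http_mirror_module.
upstream app_backend   { server 10.0.0.10:8080; }   # assumed: server under test
upstream test_terminal { server 10.0.0.20:9000; }   # assumed: scanner that rebuilds requests

server {
    listen 80;
    server_name www.xxxabc.com;

    location / {
        mirror /mirror;            # a copy of each request is issued as a subrequest to /mirror
        mirror_request_body on;    # include the body so POST parameters are captured too
        proxy_pass http://app_backend;
    }

    location = /mirror {
        internal;                  # never reachable by clients directly
        proxy_pass http://test_terminal$request_uri;
        proxy_set_header X-Mirror-Source "nginx-mirror";   # assumed marker for the collector
    }
}
```

Responses to the mirror subrequest are discarded, so the scanner cannot affect what users receive; it does, however, see live cookies and tokens in the copy, which is why the authentication information pool described later must be stored and handled with the same care as production credentials.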
Step 203: the test terminal collects the real-time traffic of the server under test and uses it to construct interface access requests. The construction may process the real-time traffic according to the type of interface accessed and the protocol format requirements, obtaining, for each interface, access requests that meet the protocol format requirements.
On the basis of the above embodiment, processing the real-time traffic according to the type of interface accessed and the protocol format requirements, and obtaining an interface access request that meets the protocol format requirements, includes:
formatting the real-time traffic according to the protocol format requirements, and generating standard access requests that meet the protocol format requirements;
classifying and merging the standard access requests according to interface type, and obtaining the interface access requests corresponding to each interface type.
For example, to ensure that access requests meet the protocol format requirements, the test terminal first formats the real-time traffic. One formatting method is to process the copied real-time traffic uniformly through a KAFKA message queue. After processing, the real-time traffic of each access request may take the form of a JSON string containing the parameter values of its request parameters, as shown below:
Because the volume of real-time user traffic is large and most access request URLs are repeated, there is no need for the test terminal to scan them repeatedly. The test terminal therefore also classifies and merges the requests by interface type, grouping the access request data that belongs to the same interface. An example follows:
In the above access requests, the test terminal can further classify the parameters and extract the individual request parameters. Some interfaces also have irregular URL addresses, such as www.xxxabc.com/test/212dasxdas12313/prd, which can be normalized to www.xxxabc.com/test/*/prd, from which the corresponding request parameters are obtained. A specific implementation may use regular-expression matching to merge URL paths whose segments contain serial codes, pure digits, tags, Chinese characters and the like into one class. Table 1 below is the request parameter comparison table.
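An added example, not the patent's own code, of the formatting, normalisation and merging steps described above: formatted traffic records are grouped by interface after collapsing variable path segments to "*", and each group keeps one sample value per request parameter plus a hit count. The record layout (method, url, body) is an assumption, since the page does not show the JSON string, and the records themselves are constructed.

```python
# Added example, not the patent's own code: turn formatted traffic records into
# interface access requests by normalising URL paths and merging records that
# belong to the same interface.
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# A path segment is treated as data rather than a route name, and collapsed to
# "*", when it contains a digit (serial codes, pure numbers), contains a
# non-ASCII character (e.g. Chinese), or is a long hex-like identifier.
VARIABLE_SEGMENT = re.compile(r"\d|[^\x00-\x7f]|^[0-9a-f]{16,}$", re.IGNORECASE)

# Constructed records in the layout this example assumes for the formatted
# traffic: one JSON string per captured access request.
SAMPLE_RECORDS = [
    json.dumps({"method": "GET",
                "url": "http://www.xxxabc.com/test/212dasxdas12313/prd?img=http://cdn.xxxabc.com/a.png",
                "body": None}),
    json.dumps({"method": "GET",
                "url": "http://www.xxxabc.com/test/98ab77/prd?img=http://cdn.xxxabc.com/b.png&page=2",
                "body": None}),
    json.dumps({"method": "POST",
                "url": "http://www.xxxabc.com/api/upload",
                "body": {"callback": "http://hook.xxxabc.com/notify"}}),
]

InterfaceKey = Tuple[str, str, str]  # (method, host, normalised path)


def normalize_path(path: str) -> str:
    """/test/212dasxdas12313/prd -> /test/*/prd (host prefix, if any, is kept)."""
    return "/".join("*" if seg and VARIABLE_SEGMENT.search(seg) else seg
                    for seg in path.split("/"))


def interface_key(record: dict) -> InterfaceKey:
    parts = urlsplit(record["url"])
    return (record["method"].upper(), parts.netloc.lower(), normalize_path(parts.path))


def merge_requests(json_records: List[str]) -> Dict[InterfaceKey, dict]:
    """Group formatted records by interface. Each group keeps one sample value
    per request parameter (query string and body merged) and a hit count, so
    the scanner tests an interface once instead of once per captured URL."""
    groups: Dict[InterfaceKey, dict] = {}
    for raw in json_records:
        record = json.loads(raw)
        key = interface_key(record)
        parts = urlsplit(record["url"])
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params.update(record.get("body") or {})
        group = groups.setdefault(key, {"method": key[0], "host": key[1],
                                        "path": key[2], "params": {}, "count": 0})
        for name, value in params.items():
            group["params"].setdefault(name, value)  # first observed value wins
        group["count"] += 1
    return groups


if __name__ == "__main__":
    for key, group in merge_requests(SAMPLE_RECORDS).items():
        print(key, group["count"], group["params"])
```

The digit rule is deliberately coarse: a versioned route such as /v2/items would also collapse to /*/items, so a deployment would normally pair the regular expression with a short allow-list of known route names. Keeping the first observed value per parameter preserves a realistic sample for the later risk-parameter match without storing every captured request.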
Table 1 Request parameter comparison table
On the basis of the above embodiment, after the target detection request is obtained, the method further includes:
obtaining a preconfigured authentication information pool, the authentication information pool containing authentication information corresponding to the target detection request;
obtaining the authentication information from the authentication information pool and adding it to the target detection request, so that the server under test can authenticate the target detection request.
The authentication information pool may hold the authentication information that the test terminal extracts from the real-time traffic of users accessing the server under test, for authenticating target detection requests. To ensure the success rate of vulnerability detection, the test terminal precisely identifies the authentication type of each interface. For example, when the authentication information of a target detection request has expired, the test terminal automatically uses the configured authentication information to refresh the request. The authentication information pool can be configured by specifying the authentication fields of an interface, for example with the following configuration:
[
    {"hostname": "xxxabc.com",
     "auth_path": "request_header|cookie"},
    {"hostname": "xxxabc.com",
     "auth_path": "request_body|token"}
]
This interface has two authentication fields: the cookie in the request_header and the token field in the request_body. When the authentication information of a target detection request has expired, the test terminal can refresh the cookie and token from the authentication information pool and authenticate against the interface.
On the basis of the above embodiment, after the target detection request is obtained, the method further includes: adding a marker parameter to the target detection request, the marker parameter being used to distinguish whether the target detection request comes from the real-time traffic or from test traffic.
For example, the test terminal may also mark a target detection request by adding a marker parameter to it. The purpose of the marker is to distinguish whether a request is a normal access request sent by a user or a test request sent by the test terminal; the marker parameter may be a "scan-request-id-security" parameter added to the request header. From this parameter the test terminal can determine whether a request is a security detection request, thereby separating test traffic from real-time traffic and determining the cause of any abnormal information.
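An added example, not the patent's own code, covering the two additions described above: the authentication information pool is built from live requests according to the hostname/auth_path configuration shown in the text, the pooled values are inserted into a target detection request, and the scan-request-id-security marker header is added so that test traffic can be recognised later. The request dictionary layout, the section names used here and the sample values are assumptions; the live requests are constructed.

```python
# Added example, not the patent's own code: fill a target detection request
# with authentication values pooled from live traffic, using the
# hostname/auth_path configuration shown in the text, and tag it with the
# scan-request-id-security marker header so test traffic can be told apart.
from typing import Dict, List, Tuple

MARKER_HEADER = "scan-request-id-security"  # marker parameter named in the text

# Authentication field configuration as given in the text: "<location>|<field>".
AUTH_POOL_CONFIG = [
    {"hostname": "xxxabc.com", "auth_path": "request_header|cookie"},
    {"hostname": "xxxabc.com", "auth_path": "request_body|token"},
]

# Maps the configured location onto the key used in this example's request dict.
_SECTIONS = {"request_header": "headers", "request_body": "body"}

PoolKey = Tuple[str, str, str]  # (hostname, section, field)


def parse_auth_path(auth_path: str) -> Tuple[str, str]:
    location, field = auth_path.split("|", 1)
    return _SECTIONS[location], field


def host_matches(host: str, hostname: str) -> bool:
    """Exact match or a subdomain; 'evilxxxabc.com' must not match 'xxxabc.com'."""
    host, hostname = host.lower(), hostname.lower()
    return host == hostname or host.endswith("." + hostname)


def extract_auth_pool(config: List[dict], live_requests: List[dict]) -> Dict[PoolKey, str]:
    """Build the pool from live traffic: for every configured field keep the
    most recently observed value for that hostname."""
    pool: Dict[PoolKey, str] = {}
    for entry in config:
        section, field = parse_auth_path(entry["auth_path"])
        for req in live_requests:
            if host_matches(req["host"], entry["hostname"]) and field in (req.get(section) or {}):
                pool[(entry["hostname"], section, field)] = req[section][field]
    return pool


def apply_auth(request: dict, pool: Dict[PoolKey, str], config: List[dict]) -> dict:
    """Copy of the target detection request with pooled authentication values
    inserted at the configured locations; the original dict is left untouched."""
    out = {**request, "headers": dict(request.get("headers") or {}),
           "body": dict(request.get("body") or {})}
    for entry in config:
        if not host_matches(request["host"], entry["hostname"]):
            continue
        section, field = parse_auth_path(entry["auth_path"])
        key = (entry["hostname"], section, field)
        if key in pool:
            out[section][field] = pool[key]
    return out


def add_marker(request: dict, scan_id: str) -> dict:
    """Add the marker header so the scanner (and whoever reads the server logs)
    can tell test traffic from real user traffic when an abnormality shows up."""
    return {**request, "headers": {**(request.get("headers") or {}), MARKER_HEADER: scan_id}}


def is_test_traffic(request: dict) -> bool:
    # HTTP header names are case-insensitive, so compare them lower-cased.
    return any(name.lower() == MARKER_HEADER for name in (request.get("headers") or {}))


def run_demo():
    """Constructed live requests and a constructed target detection request."""
    live = [
        {"host": "www.xxxabc.com", "headers": {"cookie": "sid=expired-1"}, "body": {}},
        {"host": "www.xxxabc.com", "headers": {"cookie": "sid=fresh-2"}, "body": {"token": "tok-9"}},
        {"host": "evilxxxabc.com", "headers": {"cookie": "sid=foreign"}, "body": {}},
    ]
    pool = extract_auth_pool(AUTH_POOL_CONFIG, live)
    probe = {"host": "www.xxxabc.com", "method": "POST", "path": "/api/fetch",
             "headers": {}, "body": {"url": "http://probe.example.invalid/"}}
    return pool, add_marker(apply_auth(probe, pool, AUTH_POOL_CONFIG), "ab12")


if __name__ == "__main__":
    pool, probe = run_demo()
    print("pool:", pool)
    print("probe headers:", probe["headers"])
    print("probe body:", probe["body"])
```

Two points matter on the defensive side. The pool holds real user credentials lifted from production traffic, so it needs the same storage protection and expiry as a session store, and the hostname match must be a suffix match on a label boundary, otherwise a look-alike host in the captured traffic could poison the pool. The marker header gives incident responders a cheap filter: an alert whose request carries scan-request-id-security can be attributed to the scanner before anyone starts an investigation.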
Summarizing the embodiments provided above, FIG. 3 is a schematic flowchart of another vulnerability detection method provided by an embodiment of the present application. As shown in FIG. 3, the method is applied to a test terminal that tests the interfaces of the server under test; a specific implementation may be:
Step 301: the test terminal uses Nginx to copy the real-time traffic of users accessing the server under test and converts it into interface access requests. For details, refer to the real-time traffic processing method of the embodiment corresponding to FIG. 2, which is not repeated here.
Step 302: the test terminal configures authentication for the interface and picks up the authentication information in the users' real-time traffic for authenticating target detection requests. For details, refer to the method of obtaining authentication information from the authentication information pool in the embodiment of FIG. 1.
Step 303: the test terminal determines the risk parameters among the request parameters of the interface access request. For details, refer to the method of determining risk parameters in the embodiment corresponding to FIG. 1.
Step 304: the test terminal replaces the risk parameters with preset attack payloads to obtain target detection requests, and adds a marker parameter to each target detection request for interface marking. For details, refer to the method of obtaining a target detection request and the method of adding a marker parameter in the embodiment corresponding to FIG. 1.
Step 305: the test terminal sends the target detection requests to the server under test and determines from the resolution logs on the domain name resolution log system whether the interface carries a vulnerability risk. For details, refer to the vulnerability determination method of the embodiment corresponding to FIG. 1.
FIG. 4 is a schematic structural diagram of a vulnerability detection apparatus 400 provided by an embodiment of the present application; the apparatus may be a module, program segment or code on an electronic device. It should be understood that the apparatus corresponds to the method embodiment of FIG. 1 above and can perform the steps of that embodiment; for its specific functions, refer to the description above, and the detailed description is omitted here to avoid repetition.
An embodiment of the present application provides a vulnerability detection apparatus 400, which includes:
an obtaining module 401, configured to obtain an interface access request of the server under test, the interface access request including a plurality of request parameters;
a risk parameter determination module 402, configured to determine the risk parameters among the plurality of request parameters in the interface access request;
a request generation module 403, configured to replace the risk parameters in the interface access request with preset attack payloads to obtain target detection requests, the attack payload being an address pointing to a domain name resolution system;
a sending module 404, configured to send the target detection request to the server under test;
a judging module 405, configured to monitor the domain name resolution logs generated on the domain name resolution system and to judge from those logs whether the target detection request has a vulnerability.
On the basis of the above embodiment, the risk parameter determination module 402 is specifically configured to:
match each of the plurality of request parameters in the interface access request against the preset address feature values;
if a match succeeds, determine the corresponding request parameter to be a risk parameter.
On the basis of the above embodiment, the interface access request contains a plurality of risk parameters.
On the basis of the above embodiment, the risk parameter determination module is specifically configured to:
replace each of the plurality of risk parameters in the interface access request with a different preset attack payload, and obtain a target detection request corresponding to each risk parameter.
On the basis of the above embodiment, the judging module 405 is specifically configured to:
judge whether the domain name resolution log contains log information corresponding to the attack payload;
where, if the domain name resolution log contains log information corresponding to the attack payload, the target detection request has a vulnerability; if the domain name resolution log does not contain log information corresponding to the attack payload, the target detection request has no vulnerability.
On the basis of the above embodiment, the apparatus further includes an access request generation module configured to:
obtain real-time traffic from user access to the server under test;
process the real-time traffic according to the type of interface accessed and the protocol format requirements, and obtain an interface access request that meets the protocol format requirements.
On the basis of the above embodiment, the access request generation module is specifically configured to:
format the real-time traffic according to the protocol format requirements, and generate standard access requests that meet the protocol format requirements;
classify and merge the standard access requests according to interface type, and obtain the interface access requests corresponding to each interface type.
On the basis of the above embodiment, the apparatus further includes an authentication module configured to:
obtain a preconfigured authentication information pool, the authentication information pool containing authentication information corresponding to the target detection request;
obtain the authentication information from the authentication information pool and add it to the target detection request, so that the server under test can authenticate the target detection request.
On the basis of the above embodiment, the apparatus further includes a marking module configured to:
add a marker parameter to the target detection request, the marker parameter being used to distinguish whether the target detection request comes from the real-time traffic or from test traffic.
FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 5, the electronic device includes a processor 501, a memory 502 and a bus 503, where
the processor 501 and the memory 502 interact with each other through the bus 503;
the processor 501 is configured to call program instructions in the memory 502 to execute the vulnerability detection method provided by the method embodiments above.
The processor 501 may be an integrated circuit chip with signal processing capability. The processor 501 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor.
The memory 502 may include, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) and the like.
This embodiment discloses a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to execute the vulnerability detection method provided by the method embodiments above.
This embodiment provides a computer-readable storage medium storing computer instructions, the computer instructions causing the computer to execute the vulnerability detection method provided by the method embodiments above.
In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units is only a logical functional division, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communicative connection shown or discussed may be indirect coupling or communicative connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
In addition, units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated to form one independent part, each module may exist separately, or two or more modules may be integrated to form one independent part.
In this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations.
The above are merely embodiments of the present application and are not intended to limit its scope of protection; those skilled in the art may make various modifications and variations to the present application. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall fall within its scope of protection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111624807.9A CN114301673A (en) | 2021-12-28 | 2021-12-28 | A vulnerability detection method, device, electronic device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114301673A true CN114301673A (en) | 2022-04-08 |
Family
ID=80970694
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | ||
Country or region after: China Address after: Room 6416, Building 13, No. 723 Tongxin Road, Hongkou District, Shanghai 200080 Applicant after: Shanghai Dewu Information Group Co.,Ltd. Address before: Room B6-2005, No. 121 Zhongshan North 1st Road, Hongkou District, Shanghai Applicant before: SHANGHAI SHIZHUANG INFORMATION TECHNOLOGY Co.,Ltd. Country or region before: China |