CN114301673A - Vulnerability detection method and device, electronic equipment and storage medium - Google Patents

Vulnerability detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN114301673A
Authority
CN
China
Prior art keywords
request
target detection
access request
interface
domain name
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111624807.9A
Other languages
Chinese (zh)
Inventor
梁超越
邓贞明
张洋洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Shizhuang Information Technology Co ltd
Original Assignee
Shanghai Shizhuang Information Technology Co ltd
Application filed by Shanghai Shizhuang Information Technology Co ltd
Priority to CN202111624807.9A
Publication of CN114301673A
Legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The application provides a vulnerability detection method and device, electronic equipment and a storage medium. The method comprises the following steps: acquiring an interface access request of a server to be detected, wherein the interface access request comprises a plurality of request parameters; determining a risk parameter among the plurality of request parameters in the interface access request; replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, wherein the attack payload is an address pointing to a domain name resolution system under the tester's control; sending the target detection request to the server to be detected; and monitoring the domain name resolution log generated on the domain name resolution system and judging, according to the domain name resolution log, whether the target detection request has a vulnerability. Because the detection request carrying the attack payload is constructed only for the risk parameters that were identified, the risk points of the interface are tested precisely, the vulnerability is located, and the normal operation of the interface is not disturbed by excessive dirty data produced by attack payloads.

Description

Vulnerability detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a vulnerability detection method and apparatus, an electronic device, and a storage medium.
Background
With the development of web technologies, internet security problems are also becoming more serious. For example, SSRF (Server-Side Request Forgery) is a very common vulnerability. It arises because the server provides a function that fetches data from other server applications without filtering or restricting the target address, such as obtaining the text content of a web page from a specified URL, loading an image from a specified address, or downloading a file. Loading external resources that carry illegal content can also create security compliance problems, and an attacker can easily use the defective web application as a proxy to attack remote and internal servers, causing irreparable loss.
For detecting these vulnerabilities, the current approach is to run open-source or commercial scanning software that mechanically executes test cases by constructing a large number of attack payloads. This generates a large amount of detection dirty data and affects the normal use of the service.
Disclosure of Invention
An object of the embodiments of the present application is to provide a vulnerability detection method and apparatus, an electronic device, and a storage medium, so as to reduce the dirty data generated during the test process.
In a first aspect, an embodiment of the present application provides a vulnerability detection method, where the method includes: acquiring an interface access request of a server to be detected, wherein the interface access request comprises a plurality of request parameters; determining a risk parameter among the plurality of request parameters in the interface access request; replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, wherein the attack payload is an address pointing to a domain name resolution system; sending the target detection request to the server to be detected; and monitoring a domain name resolution log generated on the domain name resolution system and judging, according to the domain name resolution log, whether the target detection request has a vulnerability.
In the embodiment of the application, an interface access request of the server to be detected is obtained, the interface access request comprising a plurality of request parameters; the risk parameters in the interface access request are then determined and replaced by preset attack payloads to obtain a target detection request; and the resolution log on the domain name resolution system is monitored to judge whether a vulnerability exists for the target detection request. By locating the risk parameters precisely, the number of target detection requests is reduced, so the dirty data produced during the test is reduced and the normal use of the interface is not affected.
Further, determining the risk parameter among the plurality of request parameters in the interface access request includes: matching each of the plurality of request parameters in the interface access request against preset address characteristic values; and if the matching succeeds, determining the corresponding request parameter to be a risk parameter.
In the embodiment of the application, each request parameter in the interface access request is matched against the preset address characteristic values, and a request parameter is marked as a risk parameter after a successful match. Matching the request parameters contained in the components of the interface access request locates the risk parameters precisely, identifies the risk points at which a vulnerability may exist, and reduces unnecessary target detection requests.
Further, replacing the risk parameter in the interface access request with a preset attack payload to obtain the target detection request includes: replacing each of a plurality of risk parameters in the interface access request with a different preset attack payload, and obtaining a target detection request corresponding to each risk parameter.
In the embodiment of the application, when the interface access request contains a plurality of risk parameters, each risk parameter is replaced by a different preset attack payload and a separate target detection request is obtained for each risk parameter. Issuing an independent target detection request per risk parameter avoids test interference between risk parameters, establishes a one-to-one correspondence between attack payloads and risk parameters, and makes it easier to determine which risk point in the interface is vulnerable.
Further, judging whether the target detection request has a vulnerability according to the domain name resolution log includes: judging whether the domain name resolution log contains log information corresponding to the attack payload; if the domain name resolution log contains log information corresponding to the attack payload, the target detection request has a vulnerability; and if it does not, the target detection request has no vulnerability.
In the embodiment of the application, the attack payload points to an address in the domain name resolution system, so that when the attack payload is triggered, log information is generated in the domain name resolution log. Checking whether log information corresponding to the attack payload is present in the domain name resolution log therefore determines whether a vulnerability exists for the target detection request. Because each attack payload corresponds to one risk parameter, the risk point of the vulnerability can be identified from the attack payload that was triggered, and a developer can determine where the vulnerability occurs.
Further, acquiring the interface access request of the server to be detected includes: acquiring real-time traffic of users accessing the server to be detected; and processing the real-time traffic according to the type of the accessed interface and the protocol format requirement to obtain an interface access request that meets the protocol format requirement.
In the embodiment of the application, before the interface access request of the server to be detected is obtained, the real-time traffic of users accessing the server to be detected can be acquired and processed according to the accessed interface type and the protocol format requirement, so as to obtain an interface access request that meets the protocol format requirement and corresponds to the target detection request. Because the interface access request is generated from real-time traffic produced by users, coverage of the interfaces is ensured, and the format processing ensures the validity of the test data.
Further, processing the real-time traffic according to the accessed interface type and the protocol format requirement to obtain the interface access request meeting the protocol format requirement includes: formatting the real-time traffic according to the protocol format requirement to generate standard access requests that meet the protocol format requirement; and classifying and merging the standard access requests according to interface type to obtain the interface access request corresponding to each interface type.
In the embodiment of the application, the real-time traffic is formatted according to the protocol format requirement to generate standard access requests that meet it, and the standard access requests are then classified and merged by the accessed interface type to obtain the interface access request corresponding to the target detection request. The formatting, classifying and merging operations convert real-time traffic into interface access requests, so that the real-time traffic can be transformed and interface access requests generated quickly.
Further, after obtaining the target detection request, the method further comprises: acquiring a pre-configured authentication information pool, wherein the authentication information pool comprises authentication information corresponding to the target detection request; and obtaining the authentication information from the authentication information pool and adding it to the target detection request, so that the server to be detected authenticates the target detection request.
In the embodiment of the application, a pre-configured authentication information pool containing the authentication information corresponding to the target detection request can also be acquired, and the authentication information obtained from the pool is added to the target detection request so that the server to be detected can authenticate it. Completing the authentication of the target detection request through the preset authentication information pool avoids the target detection request failing authentication.
Further, after obtaining the target detection request, the method further comprises: adding a marking parameter to the target detection request, wherein the marking parameter is used to distinguish whether a request originates from real-time traffic or from test traffic.
In the embodiment of the application, after the target detection request is obtained, a marking parameter can also be added to it, and the marking parameter distinguishes whether a request comes from real-time traffic or from test traffic. The target detection request is thereby marked, which helps business personnel judge the cause of abnormal information.
In a second aspect, an embodiment of the present application provides a vulnerability detection apparatus, the apparatus including: an acquisition module for acquiring an interface access request of a server to be detected, wherein the interface access request comprises a plurality of request parameters; a risk parameter determination module for determining a risk parameter among the plurality of request parameters in the interface access request; a request generation module for replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, wherein the attack payload is an address pointing to a domain name resolution system; a sending module for sending the target detection request to the server to be detected; and a judging module for monitoring a domain name resolution log generated on the domain name resolution system and judging, according to the domain name resolution log, whether the target detection request has a vulnerability.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor, a memory and a bus, wherein the processor and the memory communicate with each other through the bus;
the memory stores program instructions executable by the processor, and the processor, when invoking the program instructions, is capable of performing the method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, including:
the computer readable storage medium stores computer instructions which cause the computer to perform the method of the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a vulnerability detection method provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a real-time traffic acquisition method according to an embodiment of the present disclosure;
fig. 3 is a schematic flow chart of another vulnerability detection method provided in the embodiment of the present application;
fig. 4 is a schematic structural diagram of a vulnerability detection apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The method obtains an interface access request of a server to be detected, determines the risk parameters among the plurality of request parameters contained in the interface access request, and uses those risk parameters to generate target detection requests carrying an attack payload for vulnerability detection. The risk points are thereby located precisely, and the problem of excessive dirty data generated during the test affecting the normal operation of the interface is avoided.
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Fig. 1 is a schematic flowchart of a vulnerability detection method provided in an embodiment of the present application. As shown in fig. 1, the method may be applied to a test terminal, which may be a terminal device (also referred to as an electronic device) or a server; the terminal device may be a smartphone, a tablet computer, a Personal Digital Assistant (PDA) or the like, and the server may be an application server or a web server. A test platform system deployed on the test terminal carries out vulnerability detection on the interfaces of the server to be detected. The method comprises the following steps:
step 101: the method comprises the steps of obtaining an interface access request of a server to be detected, wherein the interface access request comprises a plurality of request parameters.
The service end to be detected can be a server for deploying WEB application, the WEB application comprises a plurality of interfaces, vulnerability detection can be performed on the interfaces by acquiring access requests corresponding to the interfaces, and the interface access requests can be Uniform Resource Locators (URL) paths, such as xxxabc. The interface access request may include multiple portions of data, such as a request line, a request body, and request data, each of which may include multiple request parameters.
Step 102: determining a risk parameter among the plurality of request parameters in the interface access request.
A risk parameter is a request parameter of an interface on the web application server that is prone to a vulnerability, for example an SSRF vulnerability; among the parameters of an interface, those whose values carry address information can be determined to be risk parameters. The risk parameter may be determined by comparing common address protocol values, such as http, with the request parameters contained in the request. This feature analysis of the interface components avoids blanket testing of every parameter of the interface, which would generate a large amount of detection dirty data.
Step 103: replacing the risk parameter in the interface access request with a preset attack payload to obtain a target detection request, wherein the attack payload is an address pointing to a domain name resolution system.
The preset attack payload can be an address value generated in one-to-one correspondence with the risk parameter, pointing to a domain name resolution system. The domain name resolution system is a DNS (Domain Name System) service under the tester's control that maps domain names to IP (Internet Protocol) addresses and records every query it receives, so that when the interface is vulnerable, the target detection request carrying the attack payload causes a resolution that the domain name resolution system captures. For example, if the address of the domain name resolution system is "xxxdnslog.com", the test terminal generates, for each risk parameter, a payload that is a unique third-level domain name under it, such as "dfga2.xxxdnslog.com", and substitutes it to obtain the modified target detection request.
Step 104: and sending the target detection request to the server to be detected.
Step 105: monitoring a domain name resolution log generated on the domain name resolution system, and judging, according to the domain name resolution log, whether the target detection request has a vulnerability.
After the test terminal sends the target detection request to the server to be detected, the attack payload points to an address under the domain name resolution system. If the risk parameter of the target detection request is vulnerable, the server to be detected acts on the substituted attack payload, the resolution reaches the domain name resolution system, and the corresponding log information is generated. By monitoring the domain name resolution log generated on the domain name resolution system, the test terminal can judge whether the attack payload in the target detection request was triggered, and therefore whether the target detection request has a vulnerability. It should be understood that the server to be detected may include a plurality of interfaces to be detected, that a plurality of target detection requests may be constructed for each interface, and that an interface is judged free of the vulnerability only when none of its target detection requests has one. Because only the DNS query is observed, the method also detects blind SSRF, in which the response is never returned to the tester; conversely, a log entry proves only that the server resolved the tester-controlled name, which can also happen when the server merely resolves an address in order to validate and reject it, so a hit should be confirmed before it is reported as exploitable. Determining the risk parameters among the request parameters allows the target detection requests to be constructed precisely, avoids generating a large amount of detection dirty data in the interface, and keeps the interface operating normally.
On the basis of the foregoing embodiment, determining the risk parameter among the plurality of request parameters in the interface access request includes:
matching each of the plurality of request parameters in the interface access request against preset address characteristic values;
and if the matching succeeds, determining the corresponding request parameter to be a risk parameter.
The preset address characteristic values can be protocol scheme prefixes used for addresses on the Internet, for example address-bar characteristic values such as "file://", "dict://", "sftp://", "ldap://", "tftp://" and "gopher://". Parameters carrying these schemes can be exploited by an attacker to use the server to be detected as a springboard to read or tamper with internal data on other servers, so all of these address values are risk points that may cause an interface to have a vulnerability. It is therefore necessary to match each request parameter in the interface access request against these address values, and a request parameter that matches can be determined to be a risk parameter. If none of these address values is detected in any request parameter of the interface access request, no match occurs, and no target detection request is constructed for that interface access request. This reduces the test volume to the parameters that carry addresses; a parameter that accepts an address in another form (a bare host name, or an address inside an encoded or nested value) is not matched by the scheme prefixes alone, so the list of characteristic values should be extended to the forms the interface actually accepts.
On the basis of the above embodiment, replacing the risk parameter in the interface access request with a preset attack payload to obtain the target detection request includes:
replacing each of a plurality of risk parameters in the interface access request with a different preset attack payload, and obtaining a target detection request corresponding to each risk parameter.
In some implementations, when replacing the risk parameters with attack payloads, if several risk parameters exist in the interface access request, each is replaced by a different preset attack payload and a target detection request corresponding to that risk parameter is obtained. That is, risk parameters and attack payloads are in one-to-one correspondence: if the interface access request has N risk parameters, N corresponding attack payloads are constructed and N target detection requests are generated for testing, so that each attack payload is detected independently and the test processes of the target detection requests generated for the individual risk parameters do not interfere with one another.
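The following is an added example, written for this page rather than taken from the patent, that carries steps 101 to 105 through in Python for one interface access request: the request parameters are matched against the address characteristic values, each risk parameter is replaced by its own third-level name under the domain name resolution system (one target detection request per risk parameter, as described above), and the resolution log is afterwards correlated back to the risk parameter that was triggered. The domain "xxxdnslog.com" is the page's placeholder; the sample request, the DNS log line format and the function names are constructed for this example and are not part of the patent.

```python
"""Added example (not the patent's code): steps 101-105 of the SSRF check for one interface.
Constructed for this page: the sample request, the DNS log line format, and all names."""
import uuid
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Address characteristic values (protocol scheme prefixes) that mark a parameter as a risk
# parameter.  The patent lists file, dict, sftp, ldap, tftp and gopher; http/https are added
# because a parameter that already carries a URL is the usual SSRF entry point.
ADDRESS_FEATURES = ("http://", "https://", "file://", "dict://", "sftp://",
                    "ldap://", "tftp://", "gopher://")

DNSLOG_DOMAIN = "xxxdnslog.com"   # assumed tester-controlled zone whose queries are logged


def is_risk_parameter(value: str) -> bool:
    """Step 102: a request parameter whose value starts with an address scheme is a risk parameter."""
    return value.strip().lower().startswith(ADDRESS_FEATURES)


def make_payload(tag: str) -> str:
    """Step 103: one attack payload per risk parameter, a unique third-level name under the zone."""
    return f"http://{tag}.{DNSLOG_DOMAIN}/"


def build_detection_requests(url: str, body: dict, next_tag=None) -> list:
    """Steps 102-103: one target detection request per risk parameter, so payloads cannot
    interfere with each other.  Each entry is (tag, parameter name, location, url, body)."""
    next_tag = next_tag or (lambda: uuid.uuid4().hex[:8])
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    requests = []
    for location, params in (("query", query), ("body", body)):
        for name, value in params.items():
            if not is_risk_parameter(str(value)):
                continue                        # non-risk parameters are left untouched
            tag = next_tag()
            mutated = dict(params)
            mutated[name] = make_payload(tag)
            if location == "query":
                new_url = urlunsplit(parts._replace(query=urlencode(mutated)))
                requests.append((tag, name, location, new_url, dict(body)))
            else:
                requests.append((tag, name, location, url, mutated))
    return requests


def tags_from_dns_log(log_lines) -> set:
    """Step 105: collect the payload tags that actually produced a query in the resolution log.
    Constructed log line format: '<timestamp> <queried name> <qtype> <resolver address>'."""
    zone = DNSLOG_DOMAIN.lower().split(".")
    tags = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        labels = fields[1].rstrip(".").lower().split(".")
        if len(labels) > len(zone) and labels[-len(zone):] == zone:
            tags.add(labels[-len(zone) - 1])    # the label directly below the zone is the tag
    return tags


def find_vulnerabilities(requests, log_lines) -> list:
    """Map each triggered tag back to the risk parameter it was substituted into."""
    hits = tags_from_dns_log(log_lines)
    return [(name, location) for tag, name, location, _url, _body in requests if tag in hits]


def interface_is_vulnerable(requests, log_lines) -> bool:
    """An interface has the vulnerability if any of its target detection requests was triggered;
    it is judged clean only when none of them appears in the resolution log."""
    return bool(find_vulnerabilities(requests, log_lines))


# Constructed sample: one interface access request with two risk parameters and two safe ones.
SAMPLE_URL = "http://www.xxxabc.com/api/fetch?img=http://cdn.example/a.png&page=2"
SAMPLE_BODY = {"callback": "https://hook.example/x", "name": "bob"}
# Constructed resolution log: only the body payload was resolved by the server.
SAMPLE_DNS_LOG = [
    "2021-12-28T10:00:01Z t0002.xxxdnslog.com. A 10.0.0.5",
    "2021-12-28T10:00:02Z www.example.com. A 10.0.0.5",
]

if __name__ == "__main__":
    tags = iter(["t0001", "t0002"])
    reqs = build_detection_requests(SAMPLE_URL, SAMPLE_BODY, next_tag=lambda: next(tags))
    for tag, name, location, url, body in reqs:
        print(f"{tag}: {location}.{name} -> {url} body={body}")
    print("vulnerable parameters:", find_vulnerabilities(reqs, SAMPLE_DNS_LOG))
```

The tag is random in normal use so that two scans of the same interface cannot be confused in the log; the sample passes a fixed tag sequence only to keep the run reproducible. Because the tag is the last label before the zone, the correlation still works when the server resolves a longer name it builds from the payload, as long as the payload host is kept intact.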
On the basis of the above embodiment, the acquiring an interface access request of a server to be detected includes:
acquiring real-time flow from user access of a server to be detected;
and processing the real-time flow according to the accessed interface type and the protocol format requirement to obtain an interface access request meeting the protocol format requirement.
For example, the source of the interface access request may be the real-time traffic of users accessing the server to be detected, from which the interface access requests of the server to be detected are built. Fig. 2 is a schematic flow chart of a real-time traffic acquisition method provided in an embodiment of the present application; as shown in fig. 2, a specific implementation may be:
step 201: first, the test terminal acquires the real-time access requests sent by clients to the backend web server;
step 202: the test terminal uses a pre-built Nginx proxy server to copy (mirror) the real-time traffic of the access requests sent by the clients and deliver the copy to the test terminal; Nginx implements traffic mirroring with the ngx_http_mirror_module. By configuring the proxy server, the traffic can be copied in real time to the electronic device that tests the server to be detected. The proxy configuration is as follows:
[Nginx proxy configuration: present in the original only as an image and not reproduced here]
step 203: the test terminal collects the real-time traffic of the server to be detected and uses it to construct interface access requests. The construction can process the real-time traffic according to the accessed interface type and the protocol format requirement, so as to obtain, for each interface, access requests that meet the protocol format requirement.
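The proxy configuration referred to in step 202 survives in the original only as an image. The following is an added example, not the patent's configuration, of how ngx_http_mirror_module is set up for this purpose: every request to the backend is duplicated to an internal location that proxies it to the test terminal's collector, and the collector's response is discarded. The upstream names and addresses are assumptions.

```nginx
# Added example (not the patent's configuration): mirror live user traffic to the test terminal.
# "backend" and "test_terminal" and their addresses are assumed; ngx_http_mirror_module ships
# with Nginx 1.13.4 and later.
upstream backend       { server 10.0.0.10:8080; }   # the web server to be detected
upstream test_terminal { server 10.0.0.20:9000; }   # traffic collector on the test terminal

server {
    listen 80;
    server_name www.xxxabc.com;

    location / {
        mirror /mirror;            # send a copy of every request to the internal location
        mirror_request_body on;    # include the body so POST parameters reach the collector
        proxy_pass http://backend;
    }

    location = /mirror {
        internal;                  # only reachable through the mirror directive, never by clients
        proxy_pass http://test_terminal$request_uri;
        proxy_set_header X-Original-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # The mirror response is ignored; only the backend's response is returned to the user.
    }
}
```

Two practical points: the mirrored copy carries the users' cookies and tokens, so the collector endpoint must be reachable only from the proxy and its storage treated as sensitive; and the mirror subrequest is processed in the same worker, so a slow collector can delay the next request on a keep-alive connection, which is why the collector should acknowledge immediately and hand the record to the queue asynchronously.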
On the basis of the above embodiment, the processing the real-time traffic according to the accessed interface type and the protocol format requirement to obtain the interface access request meeting the protocol format requirement includes:
formatting the real-time flow according to a protocol format requirement, and generating a standard access request meeting the protocol format requirement;
and classifying and combining the standard access requests according to the interface types to obtain the interface access requests corresponding to the interface types.
For example, to ensure that access requests meet the protocol format requirement, the test terminal first formats the real-time traffic; one formatting method is to process the copied real-time traffic uniformly through a Kafka message queue. The processed real-time traffic corresponding to each access request may be a JSON string containing the parameter values of a plurality of request parameters, as shown below:
[Example JSON access request: present in the original only as an image and not reproduced here]
Because the real-time access traffic of users is very large and most access request URLs repeat, and the test terminal does not need to scan them repeatedly, the test terminal also classifies and merges the URLs by interface type, grouping the access request data that belongs to the same interface, as in the following example:
[Example of grouped access requests for one interface: present in the original only as an image and not reproduced here]
From the access request above, the test terminal can further classify the parameters and extract the individual request parameters. Some interfaces have irregular URL addresses, such as www.xxxabc.com/test/212dasxdas12313/prd, which can be normalized to www.xxxabc.com/test/prd before the corresponding request parameters are extracted. One implementation is to merge, by regular-expression matching, URL paths whose segments contain sequence codes, pure numbers, labels, Chinese characters and the like, and to classify such paths as one interface. Table 1 below is the resulting request parameter lookup table.
TABLE 1 Request parameter lookup table
Request parameter       Parameter value
PROTOCOL (protocol)     http
DOMAIN (domain name)    www.xxxabc.com
PATH (path)             /api/list
PARAM (parameter)       appKey
BODY (message body)     name,age
FRAGMENT (fragment)     #top
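The following is an added example, not the patent's code, of the formatting and classifying step described above: each queue message is decoded into a standard access request laid out like Table 1, variable path segments (pure numbers, mixed letter-and-digit sequence codes, Chinese text) are dropped so that www.xxxabc.com/test/212dasxdas12313/prd and www.xxxabc.com/test/10086/prd fall into the same interface, and the parameter names seen for an interface are merged so it is scanned once. The message layout, the specific normalization rules and the sample traffic are constructed for this example.

```python
"""Added example (not the patent's code): turning mirrored real-time traffic into interface
access requests.  Each queue message is a constructed JSON record with method, url, headers
and body; the normalization rules and the Table 1 style output are this example's own."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Path segments that vary per request and must be merged so that one interface is scanned once.
NUMERIC = re.compile(r"^\d+$")                              # pure numbers, e.g. /test/10086/prd
SEQUENCE_CODE = re.compile(r"^(?=.*\d)[0-9A-Za-z_-]{8,}$")  # letter/digit codes, e.g. 212dasxdas12313
CJK = re.compile(r"[\u4e00-\u9fff]")                       # Chinese text in the path


def is_variable_segment(segment: str) -> bool:
    return bool(NUMERIC.match(segment) or SEQUENCE_CODE.match(segment) or CJK.search(segment))


def normalize_path(path: str) -> str:
    """/test/212dasxdas12313/prd -> /test/prd, as in the description above."""
    kept = [s for s in path.split("/") if s and not is_variable_segment(s)]
    return "/" + "/".join(kept)


def body_field_names(body: str, content_type: str) -> list:
    """Parameter names carried in the request body (JSON object keys or form field names)."""
    if not body:
        return []
    if "json" in content_type.lower():
        try:
            parsed = json.loads(body)
        except ValueError:
            return []
        return list(parsed.keys()) if isinstance(parsed, dict) else []
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def standardize(record: dict) -> dict:
    """Format one raw traffic record into the standard access request layout of Table 1."""
    parts = urlsplit(record["url"])
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    return {
        "METHOD": record["method"].upper(),
        "PROTOCOL": parts.scheme,
        "DOMAIN": parts.netloc,
        "PATH": normalize_path(parts.path),
        "PARAM": [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)],
        "BODY": body_field_names(record.get("body", ""), headers.get("content-type", "")),
        "FRAGMENT": "#" + parts.fragment if parts.fragment else "",
    }


def classify(records) -> dict:
    """Group standard access requests by interface (method, domain, normalized path) and merge
    the parameter names seen for that interface, so repeated URLs are not scanned again."""
    interfaces = {}
    for record in records:
        std = standardize(record)
        key = (std["METHOD"], std["DOMAIN"], std["PATH"])
        entry = interfaces.setdefault(key, {**std, "PARAM": [], "BODY": [], "COUNT": 0})
        for field in ("PARAM", "BODY"):
            for name in std[field]:
                if name not in entry[field]:
                    entry[field].append(name)
        entry["COUNT"] += 1
    return interfaces


def load_messages(messages) -> list:
    """Decode the JSON strings as they would be read from the message queue."""
    return [json.loads(m) for m in messages]


# Constructed queue messages standing in for mirrored user traffic.
SAMPLE_MESSAGES = [json.dumps(r) for r in (
    {"method": "GET", "url": "http://www.xxxabc.com/api/list?appKey=k1#top", "headers": {}, "body": ""},
    {"method": "GET", "url": "http://www.xxxabc.com/api/list?appKey=k2&page=3", "headers": {}, "body": ""},
    {"method": "POST", "url": "http://www.xxxabc.com/test/212dasxdas12313/prd",
     "headers": {"Content-Type": "application/json"}, "body": '{"name": "a", "age": 1}'},
    {"method": "POST", "url": "http://www.xxxabc.com/test/10086/prd",
     "headers": {"Content-Type": "application/json"}, "body": '{"name": "b"}'},
)]

if __name__ == "__main__":
    for key, entry in classify(load_messages(SAMPLE_MESSAGES)).items():
        print(key, "PARAM:", entry["PARAM"], "BODY:", entry["BODY"], "seen:", entry["COUNT"])
```

Merging parameter names across all requests for an interface matters for the later risk-parameter step: a URL-valued parameter that appears in only a fraction of user requests is still recorded for the interface, so it is not missed when the target detection requests are constructed.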
On the basis of the above embodiment, after obtaining the target detection request, the method further includes:
acquiring a pre-configured authentication information pool, wherein the authentication information pool comprises authentication information corresponding to the target detection request;
and acquiring the authentication information from the authentication information pool, and adding the authentication information into a target detection request to realize the authentication of the to-be-detected server to the target detection request.
The authentication information pool can be built from authentication information that the test terminal extracts from the real-time traffic of users accessing the server to be detected, and is used to authenticate target detection requests. To ensure the success rate of vulnerability detection, the test terminal must identify the authentication type of each interface precisely. For example, when the authentication information of a target detection request fails, the test terminal automatically updates the request with configured authentication information. The authentication information pool is configured by specifying the authentication fields of the interface, for example as follows:
[
    {"hostname": "xxxabc.com",
     "auth_path": "request_header|cookie"
    },
    {"hostname": "xxxabc.com",
     "auth_path": "request_body|token"
    }
]
This interface has two authentication fields: a cookie carried in the request header and a token carried in the request body. When the authentication information of a target detection request fails, the test terminal can obtain fresh authentication information from the authentication information pool, update the cookie and token, and authenticate against the interface again. Because the pool is filled from real user traffic, it holds live user sessions and must be stored and accessed with the same care as the credentials themselves.
On the basis of the above embodiment, after obtaining the target detection request, the method further includes: adding a marking parameter to the target detection request, wherein the marking parameter is used to distinguish whether a request originates from real-time traffic or from test traffic.
For example, the test terminal can also mark the target detection request by adding a marking parameter to it. The purpose of the mark is to distinguish whether a request is a normal access request sent by a user or a test request sent by the test terminal; the marking parameter can be a "scan-request-id-security" parameter added to the request header. From this parameter the test terminal and the service side can tell whether a request is a security test request, separate test traffic from real-time traffic, and determine the cause of abnormal information. Since any client can add such a header, the mark should be used only to label and correlate test traffic in logs, never to relax authentication or other controls for requests that carry it.
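The following is an added example, not the patent's code, that covers the two post-processing steps above: it reads the hostname/auth_path configuration shown earlier, writes the pooled cookie and token into the locations the configuration names, adds the "scan-request-id-security" marking header, and retries with the next credential set from the pool when the server to be detected answers that authentication failed. The credential values, the stand-in server and the function names are constructed for this example.

```python
"""Added example (not the patent's code): attaching authentication from a pre-configured pool and
the marking parameter to a target detection request.  AUTH_POOL_CONFIG mirrors the hostname/auth_path
layout shown above; the credential values, the stand-in server and the names are constructed."""
import uuid

AUTH_POOL_CONFIG = [
    {"hostname": "xxxabc.com", "auth_path": "request_header|cookie"},
    {"hostname": "xxxabc.com", "auth_path": "request_body|token"},
]

# Constructed pool: credential sets picked up from mirrored user traffic, oldest first.
AUTH_POOL = {
    "xxxabc.com": [
        {"cookie": "session=expired0", "token": "tok-expired0"},
        {"cookie": "session=fresh1", "token": "tok-fresh1"},
    ],
}

MARK_HEADER = "scan-request-id-security"   # marking parameter named in the description


def matching_hostname(host: str):
    """Find the configured hostname that covers the request host (exact match or parent domain)."""
    for entry in AUTH_POOL_CONFIG:
        name = entry["hostname"]
        if host == name or host.endswith("." + name):
            return name
    return None


def apply_auth(request: dict, config_host: str, creds: dict) -> dict:
    """Write each configured auth field into the location its auth_path names."""
    for entry in AUTH_POOL_CONFIG:
        if entry["hostname"] != config_host:
            continue
        location, field = entry["auth_path"].split("|", 1)
        if field not in creds:
            continue
        target = request["headers"] if location == "request_header" else request["body"]
        target[field] = creds[field]
    return request


def mark(request: dict, scan_id: str = None) -> dict:
    """Add the marking parameter so the request is recognisable as test traffic."""
    request["headers"][MARK_HEADER] = scan_id or uuid.uuid4().hex
    return request


def is_test_traffic(request: dict) -> bool:
    """Used on the service side to separate test traffic from real-time user traffic in logs."""
    return MARK_HEADER in request.get("headers", {})


def send_with_auth(request: dict, pool: dict, send) -> tuple:
    """Mark the request, then try the pool's credential sets in order until the server stops
    answering 401/403.  Returns (final status, number of attempts)."""
    mark(request)
    config_host = matching_hostname(request["host"])
    creds_list = pool.get(config_host, [{}]) if config_host else [{}]
    status, attempts = None, 0
    for creds in creds_list:
        attempts += 1
        if config_host:
            apply_auth(request, config_host, creds)
        status = send(request)
        if status not in (401, 403):
            break
    return status, attempts


def fake_server(request: dict) -> int:
    """Constructed stand-in for the server to be detected: only the fresh session is accepted."""
    ok = (request["headers"].get("cookie") == "session=fresh1"
          and request["body"].get("token") == "tok-fresh1")
    return 200 if ok else 401


if __name__ == "__main__":
    req = {"host": "www.xxxabc.com", "method": "POST", "path": "/api/upload",
           "headers": {}, "body": {"url": "http://t0001.xxxdnslog.com/"}}
    print(send_with_auth(req, AUTH_POOL, fake_server))
    print(req["headers"], req["body"])
```

The attack payload already placed in the body is left untouched while the token is added beside it, which is the order of operations the description implies: substitute the risk parameter first, then authenticate and mark. In a real deployment `send` would issue the HTTP request; the stand-in returns the status code only.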
To summarize the above-mentioned embodiments, fig. 3 is a schematic flow chart of another vulnerability detection method provided in the embodiments of the present application. As shown in fig. 3, the method is applied to a test terminal, where the test terminal is used to test an interface of a service end to be detected, and the specific implementation manner may be:
Step 301: the test terminal uses Nginx to mirror the real-time traffic from users to the server to be detected and converts the real-time traffic into interface access requests. For the specific implementation, refer to the real-time traffic processing method provided in the embodiment corresponding to fig. 2, which is not repeated here.
Step 302: the test terminal performs authentication configuration on the interface and picks up authentication information from the real-time traffic of users, which is used to authenticate the target detection request. For the specific implementation, refer to the method for acquiring authentication information from the authentication information pool provided in the embodiment of fig. 1.
Step 303: the test terminal determines a risk parameter among the plurality of request parameters in the interface access request. For the specific implementation, refer to the method for determining the risk parameter provided in the embodiment corresponding to fig. 1.
Step 304: the test terminal replaces the risk parameter with a preset attack load to obtain a target detection request, and adds a marking parameter to the target detection request for interface marking. For the specific implementation, refer to the method for obtaining the target detection request and the method for adding the marking parameter provided in the embodiment corresponding to fig. 1.
Step 305: the test terminal sends the target detection request to the server to be detected and judges whether the interface has a vulnerability risk according to the resolution log on the domain name resolution system. For the specific implementation, refer to the method for determining a vulnerability in the embodiment corresponding to fig. 1.
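As an added example that is not part of the patent, the following Python carries steps 303 to 305 (which the risk parameter determining module 402 and the determining module 405 below restate) through on constructed data: it matches request parameters against address characteristic values, builds one target detection request per risk parameter with a unique detection hostname, and checks a domain name resolution log for those hostnames. The address patterns, the detection domain dns-log.example, the log line format and the sample log are assumptions; sending the request to the server under test (step 305) is left to the test terminal.

```python
import re
from collections import defaultdict

# Added example, not code from the patent: the risk parameter match, the
# per-parameter detection payload and the domain name resolution log check.
# The address patterns, DETECTION_DOMAIN and the log line format are assumptions.

# Preset address characteristic values: a request parameter whose value looks
# like an address (URL, host[:port] or dotted IPv4) is treated as a risk parameter.
ADDRESS_FEATURES = [
    re.compile(r"^[a-z][a-z0-9+.-]*://", re.I),                 # scheme://...
    re.compile(r"^(\d{1,3}\.){3}\d{1,3}(:\d+)?$"),              # IPv4[:port]
    re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}(:\d+)?(/|$)", re.I),  # host[:port][/...]
]

DETECTION_DOMAIN = "dns-log.example"   # assumed domain of the DNS resolution system


def find_risk_parameters(params):
    """Return the names of request parameters matching an address feature."""
    risky = []
    for name, value in params.items():
        if isinstance(value, str) and any(p.search(value) for p in ADDRESS_FEATURES):
            risky.append(name)
    return risky


def build_detection_requests(request_id, params, risk_params):
    """One target detection request per risk parameter, each with its own payload.

    The payload is a unique hostname under the detection domain, so a later
    resolution can be attributed to exactly one request and one parameter.
    """
    requests = {}
    for index, name in enumerate(risk_params):
        label = f"{request_id}-{index}".lower()
        host = f"{label}.{DETECTION_DOMAIN}"
        mutated = dict(params)
        mutated[name] = f"http://{host}/"
        requests[host] = {"parameter": name, "params": mutated}
    return requests


# Constructed resolution log of the detection domain; the line format
# (timestamp, client, "query", type, name) is an assumption for this example.
SAMPLE_DNS_LOG = """\
2021-12-28T10:00:01Z 10.0.0.5 query A r42-0.dns-log.example
2021-12-28T10:00:01Z 10.0.0.5 query AAAA r42-0.dns-log.example
2021-12-28T10:00:07Z 10.0.0.9 query A unrelated.dns-log.example
"""

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def check_dns_log(log_text, detection_requests):
    """Decide, per issued payload, whether the log contains a matching resolution.

    A hostname that appears in the log was resolved by the server under test,
    i.e. the interface followed an address taken from that request parameter.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines in another format
        qname = m.group(4).rstrip(".").lower()
        if qname in detection_requests:
            hits[qname].append({"time": m.group(1), "client": m.group(2), "qtype": m.group(3)})
    return {
        host: {"parameter": req["parameter"], "vulnerable": host in hits,
               "evidence": hits.get(host, [])}
        for host, req in detection_requests.items()
    }


if __name__ == "__main__":
    params = {"callback": "https://cdn.example.com/a.js", "page": "3", "img": "10.1.2.3:8080"}
    reqs = build_detection_requests("r42", params, find_risk_parameters(params))
    for host, result in check_dns_log(SAMPLE_DNS_LOG, reqs).items():
        print(host, result["parameter"], "vulnerable" if result["vulnerable"] else "no resolution")
```

Keying each payload on a hostname unique to one request and one parameter is what makes the resolution log usable as evidence: the same log entry cannot be attributed to two parameters, and a resolution with no matching issued payload is simply ignored rather than counted as a finding.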
Fig. 4 is a schematic structural diagram of a vulnerability detection apparatus 400 according to an embodiment of the present application, where the apparatus may be a module, a program segment, or a code on an electronic device. It should be understood that the apparatus corresponds to the above-mentioned embodiment of the method of fig. 1, and can perform various steps related to the embodiment of the method of fig. 1, and the specific functions of the apparatus can be referred to the description above, and the detailed description is appropriately omitted here to avoid redundancy.
The embodiment of the present application provides a vulnerability detection apparatus 400, which includes:
an obtaining module 401, configured to obtain an interface access request of a server to be detected, where the interface access request includes multiple request parameters;
a risk parameter determining module 402, configured to determine a risk parameter in the plurality of request parameters in the interface access request;
a request generating module 403, configured to replace a risk parameter in the interface access request with a preset attack load, to obtain a target detection request, where the attack load is an address pointing to a domain name resolution system;
a sending module 404, configured to send the target detection request to the to-be-detected server;
the determining module 405 is configured to monitor a domain name resolution log generated on the domain name resolution system, and determine whether the target detection request has a bug according to the domain name resolution log.
On the basis of the foregoing embodiment, the risk parameter determining module 402 is specifically configured to:
matching a plurality of request parameters in the interface access request with preset address characteristic values respectively;
and if the matching is successful, determining the corresponding request parameter as a risk parameter.
On the basis of the above embodiment, the risk parameter in the interface access request includes a plurality of parameters.
On the basis of the above embodiment, the risk parameter determining module is specifically configured to:
and respectively replacing a plurality of risk parameters in the interface access request with different preset attack loads, and obtaining a target detection request corresponding to the risk parameters.
On the basis of the foregoing embodiment, the determining module 405 is specifically configured to:
judging whether the domain name resolution log comprises log information corresponding to the attack load or not;
if the domain name resolution log includes log information corresponding to the attack load, the target detection request has a vulnerability; if the domain name resolution log does not include log information corresponding to the attack load, the target detection request has no vulnerability.
On the basis of the above embodiment, the apparatus further includes an access request generation module:
acquiring the real-time traffic of users accessing the server to be detected;
and processing the real-time traffic according to the accessed interface type and the protocol format requirement to obtain an interface access request meeting the protocol format requirement.
On the basis of the foregoing embodiment, the access request generation module is specifically configured to:
formatting the real-time flow according to a protocol format requirement, and generating a standard access request meeting the protocol format requirement;
and classifying and combining the standard access requests according to the interface types to obtain the interface access requests corresponding to the interface types.
On the basis of the above embodiment, the apparatus further includes an authentication module configured to:
acquiring a pre-configured authentication information pool, wherein the authentication information pool comprises authentication information corresponding to the target detection request;
and acquiring the authentication information from the authentication information pool, and adding the authentication information into a target detection request to realize the authentication of the to-be-detected server to the target detection request.
On the basis of the above embodiment, the apparatus further includes a marking module configured to:
and adding a marking parameter in the target detection request, wherein the marking parameter is used for distinguishing whether the target detection request comes from the real-time traffic or the test traffic.
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present application, and as shown in fig. 5, the electronic device includes: a processor (processor)501, a memory (memory)502, and a bus 503; wherein,
the processor 501 and the memory 502 interact with each other through the bus 503;
the processor 501 is configured to call the program instructions in the memory 502 to execute the vulnerability detection method provided by the above-described method embodiments.
The processor 501 may be an integrated circuit chip having signal processing capabilities. The Processor 501 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. Which may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The Memory 502 may include, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The present embodiment discloses a computer program product, which includes a computer program stored on a computer-readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the vulnerability detection method provided by the above-mentioned method embodiments.
The present embodiment provides a computer-readable storage medium, which stores computer instructions, where the computer instructions cause the computer to execute the vulnerability detection method provided in the foregoing method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or mutual connection may be an indirect coupling or mutual connection of devices or units through some mutual interfaces, and may be in an electric, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A vulnerability detection method is characterized by comprising the following steps:
acquiring an interface access request of a server to be detected, wherein the interface access request comprises a plurality of request parameters;
determining a risk parameter of a plurality of the request parameters in the interface access request;
replacing the risk parameters in the interface access request with preset attack loads to obtain a target detection request, wherein the attack loads are addresses pointing to a domain name resolution system;
sending the target detection request to the server to be detected;
monitoring a domain name resolution log generated on the domain name resolution system, and judging whether the target detection request has a vulnerability according to the domain name resolution log.
2. The method of claim 1, wherein determining a risk parameter in the plurality of request parameters in the interface access request comprises:
matching a plurality of request parameters in the interface access request with preset address characteristic values respectively;
and if the matching is successful, determining the corresponding request parameter as a risk parameter.
3. The method according to claim 1, wherein the risk parameter in the interface access request includes a plurality of parameters, and the replacing the risk parameter in the interface access request with a preset attack load to obtain the target detection request includes:
and respectively replacing a plurality of risk parameters in the interface access request with different preset attack loads, and obtaining a target detection request corresponding to the risk parameters.
4. The method of claim 1, wherein the determining whether the target detection request has a vulnerability according to the domain name resolution log comprises:
judging whether the domain name resolution log comprises log information corresponding to the attack load or not;
if the domain name resolution log includes log information corresponding to the attack load, the target detection request has a vulnerability; and if the domain name resolution log does not include log information corresponding to the attack load, the target detection request has no vulnerability.
5. The method according to claim 1, wherein the acquiring the interface access request of the service to be detected comprises:
acquiring real-time flow from user access of a server to be detected;
and processing the real-time flow according to the accessed interface type and the protocol format requirement to obtain an interface access request meeting the protocol format requirement.
6. The method of claim 5, wherein the processing the real-time traffic according to the accessed interface type and the protocol format requirement to obtain the interface access request meeting the protocol format requirement comprises:
formatting the real-time flow according to a protocol format requirement, and generating a standard access request meeting the protocol format requirement;
and classifying and combining the standard access requests according to the interface types to obtain the interface access requests corresponding to the interface types.
7. The method of any of claims 1-6, wherein after obtaining the target detection request, the method further comprises:
acquiring a pre-configured authentication information pool, wherein the authentication information pool comprises authentication information corresponding to the target detection request;
and acquiring the authentication information from the authentication information pool, and adding the authentication information into a target detection request to realize the authentication of the to-be-detected server to the target detection request.
8. A vulnerability detection apparatus, comprising:
the acquisition module is used for acquiring an interface access request of a server to be detected, wherein the interface access request comprises a plurality of request parameters;
a risk parameter determination module, configured to determine a risk parameter in the plurality of request parameters in the interface access request;
the request generation module is used for replacing the risk parameters in the interface access request with preset attack loads to obtain a target detection request, wherein the attack loads are addresses pointing to a domain name resolution system;
the sending module is used for sending the target detection request to the server to be detected;
and the judging module is used for monitoring a domain name resolution log generated on the domain name resolution system and judging whether the target detection request has a vulnerability according to the domain name resolution log.
9. An electronic device, comprising: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-7.
CN202111624807.9A 2021-12-28 2021-12-28 Vulnerability detection method and device, electronic equipment and storage medium Pending CN114301673A (en)


Publications (1)

Publication Number Publication Date
CN114301673A true CN114301673A (en) 2022-04-08

Family

ID=80970694



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: Room 6416, Building 13, No. 723 Tongxin Road, Hongkou District, Shanghai 200080

Applicant after: Shanghai Dewu Information Group Co.,Ltd.

Address before: Room B6-2005, No. 121 Zhongshan North 1st Road, Hongkou District, Shanghai

Applicant before: SHANGHAI SHIZHUANG INFORMATION TECHNOLOGY Co.,Ltd.

Country or region before: China