CN114357467A - Unauthorized access vulnerability testing method - Google Patents


Info

Publication number
CN114357467A
Authority
CN
China
Prior art keywords
account
test
interface
unauthorized access
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210022495.2A
Other languages
Chinese (zh)
Inventor
赵绪龙
王士义
许健康
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Trueland Information Technology Shanghai Co ltd
Original Assignee
Trueland Information Technology Shanghai Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2022-01-10
Filing date
2022-01-10
Publication date
2022-04-15

Abstract

The invention discloses a method for testing unauthorized access vulnerabilities and relates to the technical field of computer data security. The method comprises: acquiring a function interface of a logged-in first account as a first test interface, the first test interface carrying the first login information of the first account; using an interface testing tool to modify the first login information according to the second login information of a second account, thereby obtaining a second test interface; initiating a functional test on a test account through the second test interface using the interface testing tool, the test account being either the first account or the second account; and, if the returned result of the functional test is operation failure, concluding that no unauthorized access vulnerability exists, otherwise that an unauthorized access vulnerability exists. The method completes the unauthorized access testing task efficiently, has simple operating steps, high detection efficiency and low follow-up maintenance cost, saves human resources, and supports large-scale detection of unauthorized access vulnerabilities.

Description

Unauthorized access vulnerability testing method
Technical Field
The invention relates to the technical field of computer data security, in particular to an unauthorized access vulnerability testing method.
Background
During operation of an Internet service system, the access permissions of each user must be configured so that each user can operate only their own data, guaranteeing data isolation and permission isolation. However, when the client-side service application submits a data request, the server may omit the check of whether the requesting account is authorized to perform that operation. An attacker can then use a legitimate account to perform illegal operations on other accounts' data through such an unauthorized access vulnerability (an access-control flaw of the kind usually called horizontal or vertical privilege escalation), so that the attacked account can no longer use its data or has its available resources consumed.
In the prior art, to deal with unauthorized access vulnerabilities, a technician typically uses an interception proxy or scanning tool such as Burp Suite to capture packets, modifies the request parameters, compares the messages returned by the interface to judge whether sensitive information is included, and then applies the same manipulation to other interfaces that may be defective, thereby carrying out conventional unauthorized access tests on a Web application. This approach has drawbacks: the learning cost is high; a large amount of repetitive work is required; it relies on the subjective experience of the security tester and consumes considerable human resources; the operating steps are frequent and cumbersome; detection efficiency is low; the test is not closely adapted to the program under test; and, above all, large-scale detection of unauthorized access vulnerabilities and subsequent flexible maintenance cannot be carried out.
Disclosure of Invention
The invention aims to provide an unauthorized access vulnerability testing method. The task of testing the unauthorized access vulnerability can be efficiently completed, the method is simple in operation steps, high in detection efficiency, low in follow-up maintenance cost, labor resource saving and capable of achieving large-scale detection of the unauthorized access vulnerability.
The specific technical scheme is as follows:
in a first aspect of the present invention, there is provided an unauthorized access vulnerability testing method, including:
acquiring a function interface of a logged-in first account as a first test interface; the first test interface comprises first login information of the first account;
modifying the first login information according to second login information of a second account by using an interface testing tool, to obtain a second test interface;
initiating a functional test on a test account through the second test interface using the interface testing tool; the test account is the first account, or the test account is the second account;
and if the returned result of the functional test is operation failure, no unauthorized access vulnerability exists; otherwise, an unauthorized access vulnerability exists.
Optionally, acquiring the function interface of the logged-in first account as the first test interface includes:
logging in to the first account through a web browser;
opening the Network panel of the browser's developer tools and starting recording;
and acquiring all available function interfaces of the first account as the first test interface.
Optionally, the interface type of the first test interface includes one or more of a dictionary request, a Controller And Action request, a JavaScript resource, a hypertext markup language (HTML) resource, and a model request.
Optionally, modifying the first login information according to the second login information of the second account with the interface testing tool to obtain the second test interface includes:
acquiring the authentication credential field of the second login information of the second account (the first credential field);
and, using the interface testing tool, replacing the authentication credential field of the first login information (the second credential field) with the first credential field.
Optionally, the data operation corresponding to the functional test includes one or more of adding data, deleting data, modifying data, and viewing data.
Optionally, the first account and the second account are two sub-accounts under the same parent account; neither account has operation permission over the other's data; the test account is the second account;
and the judgement that no unauthorized access vulnerability exists if the returned result of the functional test is operation failure, and that one exists otherwise, includes:
if the returned result of the functional test is operation failure, no horizontal data unauthorized access vulnerability exists; otherwise, a horizontal data unauthorized access vulnerability exists.
Optionally, the first account and the second account belong to the same parent-child account hierarchy, the first account being the parent account and the second account a child account; the first account has operation permission over the data of the second account, while the second account has no operation permission over the data of the first account; the test account is the first account;
and the judgement that no unauthorized access vulnerability exists if the returned result of the functional test is operation failure, and that one exists otherwise, includes:
if the returned result of the functional test is operation failure, no vertical data unauthorized access vulnerability exists; otherwise, a vertical data unauthorized access vulnerability exists.
Optionally, the first account and the second account do not belong to the same parent-child account hierarchy, and neither account has operation permission over the other's data;
and the judgement that no unauthorized access vulnerability exists if the returned result of the functional test is operation failure, and that one exists otherwise, includes:
if the returned result of the functional test is operation failure, no rights-and-interests unauthorized access vulnerability (unauthorized access between accounts of different parent-child hierarchies, the term used in the claims) exists; otherwise, such a vulnerability exists.
In another aspect of the embodiments of the present invention, an electronic device is further provided, which includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
and the processor is used for realizing any one of the unauthorized access vulnerability testing methods when executing the program stored in the memory.
In yet another aspect of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any one of the above-mentioned unauthorized access vulnerability testing methods.
In yet another aspect of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described unauthorized access vulnerability testing methods.
According to the unauthorized access vulnerability testing method provided by the embodiment of the invention, the function interface of the first account which is logged in is obtained and used as the first testing interface; the test interface comprises first login information of a first account; modifying the first login information according to the second login information of the second account by using an interface testing tool to obtain a second testing interface; initiating a functional test on the test account through the second test interface using the interface test tool; the test account is a first account, or the test account is a second account; if the returned result aiming at the function test is operation failure, the unauthorized access vulnerability does not exist, otherwise, the unauthorized access vulnerability exists. Therefore, the task of unauthorized access vulnerability testing can be efficiently completed, the operation steps are simple, the detection efficiency is high, the subsequent maintenance cost is low, the human resources are saved, and the large-scale detection work of unauthorized access vulnerabilities can be realized.
Drawings
The invention will be further described with reference to the accompanying drawings.
Fig. 1 is a flowchart of an unauthorized access vulnerability testing method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides an unauthorized access vulnerability testing method. Referring to fig. 1, fig. 1 is a flowchart of an unauthorized access vulnerability testing method according to an embodiment of the present invention, where the method may include the following steps:
S101, acquire the function interface of the logged-in first account as the first test interface.
S102, modify the first login information according to the second login information of the second account using an interface testing tool, to obtain the second test interface.
S103, initiate a functional test on the test account through the second test interface using the interface testing tool.
S104, if the returned result of the functional test is operation failure, no unauthorized access vulnerability exists; otherwise, an unauthorized access vulnerability exists. Operation failure here means that the application refused the requested operation, whether signalled by an HTTP status such as 401 or 403 or by an error code in the response body; a request that carries the second account's credential and is nevertheless executed is the indicator of the vulnerability.
The first test interface includes the first login information of the first account.
The test account is the first account, or the test account is the second account.
The unauthorized access testing method provided by this embodiment completes the unauthorized access testing task efficiently, has simple operating steps, high detection efficiency and low follow-up maintenance cost, saves human resources, and supports large-scale detection of unauthorized access vulnerabilities.
In one implementation, the interface testing tool may be any of Postman, RESTClient, JMeter, LoadRunner, or SoapUI. The function interface is input into the testing tool, which sends the request for the functional operation through the interface and receives the returned result of the request, thereby testing the function interface.
In one implementation, the function interface of an account may carry login information for that account; for example, the login information may be the account name and login password used to log in. In practice, the field carried by each captured request is the authentication credential derived from that login, which is the field substituted in step S102.
In one implementation, whether the test account is the first account or the second account may be determined by a relationship between the first account and the second account.
In one embodiment, the data operations corresponding to the functional test include one or more of adding data, deleting data, modifying data, and viewing data.
In one implementation, a user may operate data of an account through a functional interface of the account, specifically, add data, delete data, modify data, and view data, where each operation corresponds to one functional interface, that is, one account may have multiple functional interfaces, so as to implement different operations.
In one embodiment, step S101 includes:
Step one: log in to the first account through a web browser.
Step two: open the Network panel of the browser's developer tools and start recording.
Step three: acquire all available function interfaces of the first account as the first test interface.
In one implementation, the user logs in to the first account through a web browser, opens the Network panel of the developer tools (F12) with recording enabled, exercises the application, and thereby obtains all available function interfaces of the first account together with the requests they send.
In one embodiment, the interface types of the first test interface include one or more of dictionary requests, Controller And Action requests, JavaScript resources, hypertext markup language (HTML) resources, and model requests.
In one implementation, different interface types may implement different operational functions.
In one embodiment, step S102 includes:
Step one: acquire the authentication credential field of the second login information of the second account (the first credential field).
Step two: using the interface testing tool, replace the authentication credential field of the first login information (the second credential field) with the first credential field.
In one implementation, the login information of an account includes an authentication credential field, such as a session cookie or bearer token, from which the server determines the account's identity and operation permissions.
In one embodiment, the first account and the second account are two sub-accounts under the same parent account, and neither has operation permission over the other's data; the test account is therefore the second account.
Step S104 then specifically includes:
if the returned result of the functional test is operation failure, no horizontal data unauthorized access vulnerability exists; otherwise, a horizontal data unauthorized access vulnerability exists.
In one implementation, when the first account and the second account are two sub-accounts under the same parent account, a horizontal data unauthorized access vulnerability may exist between them. A new interface (the second test interface above) is obtained by taking the function interface of the first account and replacing its authentication credential field with that of the second account. If the operation cannot be performed through the second test interface, the second account is judged free of a horizontal data unauthorized access vulnerability; if the operation succeeds, the second account has a horizontal data unauthorized access vulnerability. The same method, with the roles exchanged, tests whether the first account has a horizontal data unauthorized access vulnerability.
In one embodiment, the first account and the second account belong to the same parent-child account hierarchy, the first account being the parent account and the second account a child account; the first account has operation permission over the data of the second account, while the second account has no operation permission over the data of the first account; the test account is therefore the first account.
Step S104 then specifically includes:
if the returned result of the functional test is operation failure, no vertical data unauthorized access vulnerability exists; otherwise, a vertical data unauthorized access vulnerability exists.
In one implementation, the first (parent) account may be exposed to a vertical data unauthorized access vulnerability. A new interface (the second test interface above) is obtained by taking the function interface of the first account and replacing its authentication credential field with that of the second (child) account. If the data of the first account cannot be operated through the second test interface, the first account is judged free of a vertical data unauthorized access vulnerability; if the child account's credential succeeds in operating the parent account's data, a vertical data unauthorized access vulnerability exists.
In one embodiment, the first account and the second account do not belong to the same parent-child account hierarchy, and neither has operation permission over the other's data; the test account is therefore the second account.
Step S104 then specifically includes:
if the returned result of the functional test is operation failure, no rights-and-interests unauthorized access vulnerability exists; otherwise, a rights-and-interests unauthorized access vulnerability exists.
In one implementation, when the first account and the second account do not belong to the same parent-child account hierarchy, a rights-and-interests unauthorized access vulnerability (unauthorized access between unrelated accounts) may exist between them. A new interface (the second test interface above) is obtained by taking the function interface of the first account and replacing its authentication credential field with that of the second account. If the operation cannot be performed through the second test interface, the second account is judged free of a rights-and-interests unauthorized access vulnerability; if the operation succeeds, the second account has a rights-and-interests unauthorized access vulnerability. The same method, with the roles exchanged, tests whether the first account has a rights-and-interests unauthorized access vulnerability.
An embodiment of the present invention further provides an electronic device, as shown in fig. 2, including a processor 201, a communication interface 202, a memory 203 and a communication bus 204, where the processor 201, the communication interface 202, and the memory 203 complete mutual communication through the communication bus 204,
a memory 203 for storing a computer program;
the processor 201 is configured to implement the unauthorized access vulnerability testing method according to any of the above embodiments when executing the program stored in the memory 203.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the unauthorized access vulnerability testing method described in any of the above embodiments.
In yet another embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method for testing for unauthorized access vulnerabilities described in any of the above embodiments.
In the above embodiments, the implementation may be realized wholly or partly by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partly in the form of a computer program product, which includes one or more computer instructions; when these are loaded and executed on a computer, the processes or functions described in the embodiments of the invention are produced, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server, or data center to another by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)).
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the electronic device, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. An unauthorized access vulnerability testing method, the method comprising:
acquiring a function interface of a first account which is logged in as a first test interface; the first test interface comprises first login information of the first account;
modifying the first login information according to second login information of a second account by using an interface testing tool to obtain a second testing interface;
initiating a functional test on a test account through the second test interface using the interface test tool; the test account is the first account, or the test account is the second account;
and if the returned result aiming at the function test is operation failure, indicating that no unauthorized access loophole exists, otherwise, indicating that the unauthorized access loophole exists.
2. The method of claim 1, wherein obtaining the functional interface of the first account that has been logged in as the first test interface comprises:
logging in to the first account through a web browser;
opening the Network panel of the browser's developer tools and starting recording;
and acquiring all available function interfaces of the first account as the first test interface.
3. The method of claim 2, wherein the interface types of the first test interface include one or more of dictionary requests, Controller And Action requests, JavaScript resources, hypertext markup language (HTML) resources, and model requests.
4. The method of claim 1, wherein modifying the first login information based on second login information for a second account using an interface testing tool to obtain a second test interface comprises:
acquiring a first identity authentication proof field of second login information of a second account;
replacing, using an interface testing tool, the second proof of identity field of the first login information with the first proof of identity field.
5. The method of claim 4, wherein the functional testing of the corresponding data operation includes one or more of adding data, deleting data, modifying data, and viewing data.
6. The method of claim 4, wherein the first account and the second account are two sub-accounts in the same parent-child account; the first account and the second account do not have operation authority for data of the other party; the test account is the second account;
if the returned result aiming at the function test is operation failure, the unauthorized access vulnerability does not exist, otherwise, the unauthorized access vulnerability exists, and the method comprises the following steps:
and if the returned result of the functional test is operation failure, no horizontal data unauthorized access vulnerability exists; otherwise, a horizontal data unauthorized access vulnerability exists.
7. The method of claim 4, wherein the first account and the second account belong to the same parent-child account, and wherein the first account is a parent account and the second account is a child account; the first account has operating permissions for the data of the second account, the second account does not have operating permissions for the data of the first account; the test account is the first account;
if the returned result aiming at the function test is operation failure, the unauthorized access vulnerability does not exist, otherwise, the unauthorized access vulnerability exists, and the method comprises the following steps:
and if the returned result of the functional test is operation failure, no vertical data unauthorized access vulnerability exists; otherwise, a vertical data unauthorized access vulnerability exists.
8. The method of claim 4, wherein the first account and the second account do not belong to the same parent-child account; the first account and the second account do not have operation authority for data of the other party; the test account is the second account;
if the returned result aiming at the function test is operation failure, the unauthorized access vulnerability does not exist, otherwise, the unauthorized access vulnerability exists, and the method comprises the following steps:
and if the returned result of the functional test is operation failure, no rights-and-interests unauthorized access vulnerability exists; otherwise, a rights-and-interests unauthorized access vulnerability exists.
CN202210022495.2A 2022-01-10 2022-01-10 Unauthorized access vulnerability testing method Pending CN114357467A (en)

Publications (1)

Publication Number Publication Date
CN114357467A 2022-04-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination