CN114697085A - Missing scanning test system in web application safety test and implementation method - Google Patents

Abstract

The invention discloses a system and a method for testing missing scan in web application safety test, belonging to the technical field of network application safety test, aiming at solving the technical problems of reducing the time for installing tools and learning the missing scan test for functional testers, simplifying the early stage work of the missing scan test, realizing one-grab multi-purpose missing scan, improving the working efficiency and reducing the test cost of the workers, and the technical scheme is as follows: the missed-scanning task management service component is used for managing tasks, submitting created tasks, executing the tasks and providing various missed-scanning reports; the missed-scanning automatic assembly is used for realizing the automation of the missed-scanning tool, starting a flow monitoring mode of the missed-scanning tool, executing the missed-scanning operation, and generating a missed-scanning report and automatic missed-scanning; the agent setting service component is used for simplifying the step of setting an agent by a function tester; and the flow multiplexing component is used for storing and copying the requests, using the fixdler to capture and forward the packets, and forwarding the captured requests to other testing tools.

Description

Missing scanning test system in web application safety test and implementation method

Technical Field

The invention relates to the technical field of network application security testing, in particular to a system and a method for testing missing scanning in web application security testing.

Background

At present, the requirement on network application safety is increasingly improved, the requirement on safety testing is continuously increased, vulnerability scanning is taken as a common means for safety testing, the testing efficiency can be improved, and the labor cost can be reduced. However, in the process of using the bug miss-scanning tool, the following problems need to be solved:

firstly, in order to achieve better and more comprehensive coverage of an application test range, functional testers are often required to request for grabbing, so that for a person just contacting a missed scan functional test, a process of how to complete one missed scan needs to be learned: firstly, testing and learning are needed, various vulnerability missed-scanning tools are installed on a machine of the machine, then, how to set a system agent is learned, the request is guaranteed to be forwarded to the missed-scanning tool, the missed-scanning tool is used for carrying out missed-scanning, and the learning cost is high.

Secondly, in order to reduce missing scanning, multiple tools are often used for missing scanning, and at the moment, a tester needs to grab requests for multiple times, so that repeated work is performed, and the testing efficiency is low.

The missing scanning process has certain requirements on the machine, the performance of a computer of a tester is affected frequently, the efficiency of doing other work during the missing scanning process is affected, and when scanning at night, the embarrassing situation that the missing scanning is interrupted due to computer dormancy and the like is faced frequently.

In summary, how to reduce the time for installing tools and learning the missing scan test for functional testers, simplify the early stage work of the missing scan test, and how to realize one-grab multi-purpose missing scan, improve the working efficiency, and reduce the testing cost of the workers is a technical problem to be solved urgently at present.

Disclosure of Invention

The technical task of the invention is to provide a system and a method for testing the missing scan in the web application safety test, so as to solve the problems of how to reduce the time for installing tools and learning the missing scan test for functional testers, simplify the early-stage work of the missing scan test, and how to realize one-grab multi-purpose missing scan, improve the working efficiency and reduce the testing cost of the workers.

The technical task of the invention is achieved in that a system for a missing scan test in a web application security test, the system comprises,

the missed-scanning task management service component is used for managing tasks, submitting created tasks, executing the tasks and providing various missed-scanning reports;

the missed-scanning automatic assembly is used for realizing the automation of the missed-scanning tool, starting a flow monitoring mode of the missed-scanning tool, executing the missed-scanning operation, and generating a missed-scanning report and automatic missed-scanning;

the agent setting service component is used for simplifying the step of setting an agent by a function tester;

and the flow multiplexing component is used for storing and copying the requests, using the fixdler to capture and forward the packets, and forwarding the captured requests to other testing tools.

Preferably, the missed-scan task management service component, the missed-scan automatic component, the proxy setting service component and the proxy setting service component are all developed and implemented by using Python.

Preferably, the proxy setting service component is implemented by the following steps:

(1) providing information of a tested service address according to the test requirement of a user, storing the information as a piece of data of a database pac _ ruls table, and distributing a unique uid;

(2) the safety tester selects the allocated test service ip and port according to the test service address, namely, the ip list in the pac _ ruls table is allocated to the corresponding port of the test machine; meanwhile, the required proxy website and the proxy server address are regulated through proxy rules;

(3) providing a rule service: returning the rule contents in the database through/vulscanner/pac/< uid > and HttpResponse;

(4) the automatic agent setting, namely the agent canceling and test accessing functions of the system are realized: providing a service and dynamically setting a configuration script through/vulscanner/pac/< uid >/bat, and returning a script file through HttpResponse;

(5) and automatically configuring script addresses by executing the configuration scripts, and completing proxy activity detection through script commands.

Preferably, the required proxy website and proxy server address specified by the proxy rule are implemented as follows:

generating a pac proxy rule through JavaScript syntax: proxying the traffic of the ip address to a corresponding port, namely adding if (host) return "PROXY port"; the fields are spliced into a complete pac rule; for example, to PROXY 10.110.81.181 traffic to a 10.110.81.68:8080 port, i.e., add if (host) 10.110.81.181 return "PROXY 10.110.81.68: 8080"; the fields are spliced into a complete pac rule;

the complete pac rule is saved in the rols field of the pac _ ruls table of the database table according to the uid.

Preferably, the traffic multiplexing component includes the following three operation methods:

firstly, after a fixdler is started, a fixdler agent is set, (a menu Tools-Options selects Gateway) to carry out agent ip and port setting, so that a request is grabbed by a Bursusit, ZAP and Xray missed scanning tool;

secondly, exporting the request into an HTTPArchive format by using an Export function (File-Export Sessions-All Sessions), wherein the type is imported by an appscan (opening the appscan selection File-importing exploration data);

and thirdly, using a storage function by the folder to store the file as saz file, and using a request multiplexing script developed by python to convert the saz file into a single request file so as to conveniently use sqlmap to carry out batch vulnerability scanning.

Preferably, the operation process of the system is as follows:

(1) accessing the proxy setting service, filling in information of the server to be tested, and acquiring and setting a proxy script: the function tester sets the IP or domain name of the service address to be tested on the interface, and clicks and submits the IP or domain name; returning to the automatic configuration agent script, executing the script by the user, and automatically setting a local agent;

(2) and grabbing the request, and performing missing scanning by the test server: a function tester opens a browser to access a tested website, performs function traversal, and completes the acquisition of an original request and forwards the original request to a test server;

(3) informing the safety measurement personnel to complete the request capture;

(4) after receiving the feedback of the functional tester, the safety tester logs in the test server, starts the scanning missing tool to scan, analyzes the scanning result, feeds back the scanning missing problem and gives a scanning missing test report.

A method for realizing a missing scan test in a web application security test comprises the following specific steps:

s1, creating a submitted test task through the missed scanning task management component;

s2, after the security personnel agree with the test task, the automatic missing scanning assembly automatically performs missing scanning, and a missing scanning tool flow monitoring mode is started; meanwhile, an agent task is issued to the agent setting service component, a pac agent rule is generated by the agent setting service component, a script address and a configuration script are issued, and system agent setting is completed by executing or importing the configuration script;

s3, network link inspection is carried out by using the network link test component, a user request flows through the traffic multiplexing component through a proxy, the traffic multiplexing component carries out request storage and forwarding functions, and the traffic multiplexing component reserves, converts and forwards the request to other corresponding missed scanning tools;

and S4, submitting a test through the missed scan task management service component, and closing the traffic monitoring mode of the missed scan tool.

The method for implementing the missing scan test in the web application security test according to claim 7, wherein the proxy setting service component is implemented by the following steps:

(1) providing information of a tested service address according to the test requirement of a user, storing the information as a piece of data of a database pac _ ruls table, and distributing a unique uid;

(2) the safety testing personnel select the allocated testing service ip and port according to the testing service address, namely, the ip list in the pac _ ruls table is allocated to the corresponding port of the testing machine; meanwhile, the required proxy website and the proxy server address are regulated through proxy rules;

(3) providing a rule service: returning the rule contents in the database through/vulscanner/pac/< uid > and HttpResponse;

(4) automatically setting an agent, namely canceling the agent and accessing the test function: providing a service and dynamically setting a configuration script through/vulscanner/pac/< uid >/bat, and returning a script file through HttpResponse;

(5) and automatically configuring the script address by executing the configuration script, and completing the proxy activity detection by the script command.

Preferably, the required proxy website and proxy server address specified by the proxy rule are implemented as follows:

generating a pac proxy rule through JavaScript syntax: proxying the traffic of the ip address to a corresponding port, namely adding if (host) return "PROXY port"; the fields are spliced into a complete pac rule; the complete pac rule is saved in the rols field of the pac _ ruls table of the database table according to the uid.

Preferably, the traffic multiplexing component includes the following three operation methods:

firstly, after starting a fixdler, setting a fixdler agent, and setting an agent ip and a port, so that a request is grabbed by a Bursusit, ZAP and Xray missing scanning tool;

secondly, exporting the request into an HTTPArchive format by using an export function, wherein the type is imported by an appscan;

and thirdly, using a storage function by the folder to store the file as saz file, and using a request multiplexing script developed by python to convert the saz file into a single request file so as to conveniently use sqlmap to carry out batch vulnerability scanning.

The system and the implementation method for the missing scanning test in the web application safety test have the following advantages:

the method comprises the steps that a web application request is forwarded to a proxy server in an automatic configuration system proxy mode, so that the missing scanning work is transferred to other machines for processing, and the request is forwarded to each missing scanning tool through a flow multiplexing component, so that the utilization of various requested missing scanning tools is realized, and the test cost of testers is effectively reduced;

the invention can solve the problem that the function tester installs tools to learn time for carrying out the missing scan test and the like, limits the missing scan time, simplifies the working process of the early stage of the missing scan test to the maximum extent, improves the repeated utilization rate of the captured request by a one-capture multi-purpose missing scan method, and finally achieves the purpose of improving the working efficiency;

thirdly, the invention transfers the missing scanning tool to a specific machine, automatically completes the setting of the system agent, omits the steps of learning, installing, using and setting the missing scanning tool by functional testers, and does not need to perform operations such as test result storage and analysis;

the agent setting service assembly simplifies the step of setting the agent by the functional tester, and does not influence the access of the tester to other websites;

the user firstly accesses the proxy setting service to provide the tested environment so as to obtain the configuration script, and the aim of automatically configuring the system proxy is achieved by executing the script, at the moment, the request of the test user and the web for accessing the tested environment is forwarded to the proxy server, and then the request is converted and forwarded to each test missing scanning tool through the request conversion and the forwarder of the proxy server, so that the aims of remote scanning and one-time capture of multiple scanning are achieved;

and sixthly, the threshold of using the missed scanning tool is reduced by using the method, so that a tester without safety experience can easily complete the missed scanning test, and the method is favorable for quickly carrying out the missed scanning test on the product, thereby greatly improving the quality of the company product and greatly saving the manpower and material resources for testing.

Drawings

The invention is further described below with reference to the accompanying drawings.

FIG. 1 is a flow diagram of a process for operating a missing scan test system in a web application security test.

Detailed Description

The invention provides a system and a method for testing the web application security test by means of the missing scanning, which are described in detail below with reference to the accompanying drawings and specific embodiments.

Example 1:

the embodiment provides a system for the missing scan test in the web application security test, which comprises,

the missed-scanning task management service component is used for managing tasks, submitting created tasks, executing the tasks and providing various missed-scanning reports;

the missed-scanning automatic assembly is used for realizing the automation of the missed-scanning tool, starting a flow monitoring mode of the missed-scanning tool, executing the missed-scanning operation, and generating a missed-scanning report and automatic missed-scanning;

the agent setting service component is used for simplifying the step of setting an agent by a function tester;

and the flow multiplexing component is used for storing and copying the requests, using the fixdler to capture and forward the packets, and forwarding the captured requests to other testing tools.

The missed-scan task management service component, the missed-scan automatic component, the proxy setting service component and the proxy setting service component in the embodiment are all developed and implemented by Python.

The specific implementation steps of the proxy setting service component in this embodiment are as follows:

(1) providing information of a tested service address according to the test requirement of a user, storing the information as a piece of data of a pac _ ruls table, and distributing a unique uid;

(2) the safety tester selects the allocated test service ip and port according to the test service address, namely, the ip list in the pac _ ruls table is allocated to the corresponding port of the test machine; meanwhile, the required proxy website and the proxy server address are regulated through proxy rules;

(3) providing a rule service: returning the rule contents in the database through/vulscanner/pac/< uid > and HttpResponse;

(4) the automatic agent setting, namely the agent canceling and test accessing functions of the system are realized: providing a service and dynamically setting a configuration script through/vulscanner/pac/< uid >/bat, and returning a script file through HttpResponse;

(5) and automatically configuring script addresses by executing the configuration scripts, and completing proxy activity detection through script commands.

The concrete implementation of the proxy website and the proxy server address required by the proxy rule provision in step (2) of this embodiment is as follows:

generating a pac proxy rule through JavaScript syntax: proxying the traffic of the ip address to a corresponding port, namely adding if (host) return "PROXY port"; the fields are spliced into a complete pac rule; for example, to PROXY 10.110.81.181 traffic to a 10.110.81.68:8080 port, i.e., add if (host) 10.110.81.181 return "PROXY 10.110.81.68: 8080"; the fields are spliced into a complete pac rule;

the complete pac rule is saved in the rols field of the pac _ ruls table of the database table according to the uid.

The traffic multiplexing component in this embodiment includes the following three operation methods:

firstly, after a folder is started, a folder proxy is set, (menu Tools-Options, Gateway is selected) to carry out proxy ip and port setting, so that a request is grabbed by a Burpresit, ZAP and Xray missed-scanning tool;

secondly, exporting the request into an HTTPArchive format by using an Export function (File-Export Sessions-All Sessions), wherein the type is imported by an appscan (opening the appscan selection File-importing exploration data);

thirdly, fiddler uses a storage function to store the files as saz files, and a request multiplexing script developed by python is used to convert the saz file into a single request file, so that batch vulnerability scanning is conveniently performed by using sqlmap.

As shown in fig. 1, the operation of the system is as follows:

preparing a tested server, testing the server, deploying a missing scanning tool, and setting a service and requesting a service component by an agent. So as to be convenient for later use; next, the existing function testing personnel request to capture, and then the safety testing personnel perform missing scanning and analysis; the method comprises the following specific steps:

(I) operation flow of the missed cleaning personnel:

(1) accessing the proxy setting service, filling in information of the server to be tested, and acquiring and setting a proxy script: the function tester sets the IP or domain name of the service address to be tested on the interface, and clicks and submits the IP or domain name; returning to the automatic configuration proxy script, executing the script by the user, and automatically setting a ground proxy;

(2) and grabbing the request, and performing missing scanning by the test server: a function tester opens a browser to access a tested website, performs function traversal, and completes the acquisition of an original request and forwards the original request to a test server;

(3) informing the safety measurement personnel to complete the request capture;

(II) operation process of safety testing personnel

(4) After receiving the feedback of the functional tester, the safety tester logs in the test server, starts the scanning missing tool to scan, analyzes the scanning result, feeds back the scanning missing problem and gives a scanning missing test report.

Example 2:

the embodiment provides a method for implementing a missing scan test in a web application security test, which specifically comprises the following steps:

s1, creating a submitted test task through the missed scanning task management component;

s2, after the security personnel agree with the testing task, the automatic missing scanning component automatically performs missing scanning, and a missing scanning tool flow monitoring mode is started; meanwhile, an agent task is issued to the agent setting service component, a pac agent rule is generated by the agent setting service component, a script address and a configuration script are issued, and system agent setting is completed by executing or importing the configuration script;

s3, network link inspection is carried out by using the network link test component, a user request flows through the traffic multiplexing component through a proxy, the traffic multiplexing component carries out request storage and forwarding functions, and the traffic multiplexing component reserves, converts and forwards the request to other corresponding missed scanning tools;

and S4, submitting a test through the missed scan task management service component, and closing the traffic monitoring mode of the missed scan tool.

The specific implementation steps of the proxy setting service component in this embodiment are as follows:

(1) providing information of a tested service address according to the test requirement of a user, storing the information as a piece of data of a database pac _ ruls table, and distributing a unique uid;

(2) the safety tester selects the allocated test service ip and port according to the test service address, namely, the ip list in the pac _ ruls table is allocated to the corresponding port of the test machine; meanwhile, the required proxy website and the proxy server address are regulated through proxy rules;

(3) providing a rule service: returning the rule contents in the database through/vulscanner/pac/< uid > and HttpResponse;

(4) automatically setting an agent, namely canceling the agent and accessing the test function: providing a service and dynamically setting a configuration script through/vulscanner/pac/< uid >/bat, and returning a script file through HttpResponse;

(5) and automatically configuring script addresses by executing the configuration scripts, and completing proxy activity detection through script commands.

The concrete implementation of the proxy website and the proxy server address required by the proxy rule provision in step (2) of this embodiment is as follows:

generating a pac proxy rule through JavaScript syntax: proxying the traffic of the ip address to a corresponding port, namely adding if (host) return "PROXY port"; fields are spliced into a complete pac rule; the complete pac rule is saved in the rols field of the pac _ ruls table of the database table according to the uid.

The traffic multiplexing component in this embodiment includes the following three operation methods:

firstly, after starting a fixdler, setting a fixdler agent, and setting an agent ip and a port, so that a request is grabbed by a Bursusit, ZAP and Xray missing scanning tool;

secondly, exporting the request into an HTTPArchive format by using an export function, wherein the type is imported by an appscan;

and thirdly, using a storage function by the folder to store the file as saz file, and using a request multiplexing script developed by python to convert the saz file into a single request file so as to conveniently use sqlmap to carry out batch vulnerability scanning.

Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A system for testing missing scan in web application security test is characterized in that the system comprises,

the missed-scanning task management service component is used for managing tasks, submitting created tasks, executing the tasks and providing various missed-scanning reports;

the missed-scanning automatic assembly is used for realizing the automation of the missed-scanning tool, starting a flow monitoring mode of the missed-scanning tool, executing the missed-scanning operation, and generating a missed-scanning report and automatic missed-scanning;

the agent setting service component is used for simplifying the step of setting an agent by a function tester;

and the flow multiplexing component is used for storing and copying the requests, using the fixdler to capture and forward the packets, and forwarding the captured requests to other testing tools.

2. The system of claim 1, wherein the task management service component, the automatic component, the proxy setup service component, and the proxy setup service component are implemented using Python development.

3. The system for testing the missing scan in the web application security test according to claim 1 or 2, wherein the proxy setting service component is implemented by the following steps:

(1) providing information of a tested service address according to the test requirement of a user, storing the information as a piece of data of a database pac _ ruls table, and distributing a unique uid;

(2) the safety tester selects the allocated test service ip and port according to the test service address, namely, the ip list in the pac _ ruls table is allocated to the corresponding port of the test machine; meanwhile, the required proxy website and the proxy server address are regulated through proxy rules;

(3) providing a rule service: returning the rule contents in the database through/vulscanner/pac/< uid > and HttpResponse;

(4) automatically setting proxy, namely canceling proxy and accessing test function: providing a service and dynamically setting a configuration script through/vulscanner/pac/< uid >/bat, and returning a script file through HttpResponse;

(5) and automatically configuring script addresses by executing the configuration scripts, and completing proxy activity detection through script commands.

4. The system of claim 3, wherein the specification of the required proxy website and proxy server address by the proxy rule is implemented as follows:

generating a pac proxy rule through JavaScript syntax: proxying the traffic of the ip address to the corresponding port, namely adding if (host) return "PROXY port"; the fields are spliced into a complete pac rule;

the complete pac rule is saved in the rols field of the pac _ ruls table of the database table according to the uid.

5. The system of claim 1, wherein the traffic multiplexing component comprises three methods of operation:

firstly, after starting a fixdler, setting a fixdler agent, and setting an agent ip and a port, so that a request is grabbed by a Bursusit, ZAP and Xray missing scanning tool;

secondly, exporting the request into an HTTPArchive format by using an export function, wherein the type is imported by an appscan;

thirdly, fiddler uses a storage function to store the files as saz files, and a request multiplexing script developed by python is used to convert the saz file into a single request file, so that batch vulnerability scanning is conveniently performed by using sqlmap.

6. The system for testing the missing scan in the web application security test of claim 1, wherein the operation process of the system is specifically as follows:

(1) accessing the proxy setting service, filling in information of the server to be tested, and acquiring and setting a proxy script: the function tester sets the IP or domain name of the service address to be tested on the interface, and clicks and submits the IP or domain name; returning to the automatic configuration agent script, executing the script by the user, and automatically setting a local agent;

(2) and grabbing the request, and performing missing scanning by the test server: a function tester opens a browser to access a tested website, performs function traversal, and completes the acquisition of an original request and forwards the original request to a test server;

(3) informing the safety measurement personnel to complete the request capture;

(4) after receiving the feedback of the functional tester, the safety tester logs in the test server, starts the scanning missing tool to scan, analyzes the scanning result, feeds back the scanning missing problem and gives a scanning missing test report.

7. A method for realizing a missing scan test in a web application security test is characterized by comprising the following steps:

s1, creating a submitted test task through the missed scanning task management component;

s2, after the security personnel agree with the testing task, the automatic missing scanning component automatically performs missing scanning, and a missing scanning tool flow monitoring mode is started; meanwhile, an agent task is issued to the agent setting service component, a pac agent rule is generated by the agent setting service component, a script address and a configuration script are issued, and system agent setting is completed by executing or importing the configuration script;

s3, network link inspection is carried out by using the network link test component, a user request flows through the traffic multiplexing component through a proxy, the traffic multiplexing component carries out request storage and forwarding functions, and the traffic multiplexing component reserves, converts and forwards the request to other corresponding missed scanning tools;

and S4, submitting a test through the missed scan task management service component, and closing the traffic monitoring mode of the missed scan tool.

8. The method for implementing the missing scan test in the web application security test according to claim 7, wherein the proxy setting service component is implemented by the following steps:

(1) providing information of a tested service address according to the test requirement of a user, storing the information as a piece of data of a database pac _ ruls table, and distributing a unique uid;

(2) the safety testing personnel select the allocated testing service ip and port according to the testing service address, namely, the ip list in the pac _ ruls table is allocated to the corresponding port of the testing machine; meanwhile, the required proxy website and the proxy server address are regulated through proxy rules;

(3) providing a rule service: returning the rule contents in the database through/vulscanner/pac/< uid > and HttpResponse;

(4) automatically setting proxy, namely canceling proxy and accessing test function: providing a service and dynamically setting a configuration script through/vulscanner/pac/< uid >/bat, and returning a script file through HttpResponse;

(5) and automatically configuring the script address by executing the configuration script, and completing the proxy activity detection by the script command.

9. The method for implementing the missing scan test in the web application security test of claim 8, wherein the specific implementation of the required proxy website and the proxy server address specified by the proxy rule is as follows:

generating a pac proxy rule through JavaScript syntax: proxying the traffic of the ip address to a corresponding port, namely adding if (host) return "PROXY port"; fields are spliced into a complete pac rule; the complete pac rule is saved in the rols field of the pac _ ruls table of the database table according to the uid.

10. The method for implementing the missing scan test in the web application security test according to claim 7, wherein the traffic multiplexing component includes three operation methods:

firstly, after starting a fixdler, setting a fixdler agent, and setting an agent ip and a port, so that a request is grabbed by a Bursusit, ZAP and Xray missing scanning tool;

secondly, exporting the request into an HTTPArchive format by using an export function, wherein the type is imported by an appscan;

and thirdly, using a storage function by the folder to store the file as saz file, and using a request multiplexing script developed by python to convert the saz file into a single request file so as to conveniently use sqlmap to carry out batch vulnerability scanning.

Images