CN114697085A - Vulnerability scanning test system for web application security testing and implementation method - Google Patents
Vulnerability scanning test system for web application security testing and implementation method
Publication number: CN114697085A (application CN202210251481.8A)
Authority: CN (China)
Legal status: Granted
Classifications
- H04L63/1433 Vulnerability analysis
- H04L63/1425 Traffic logging, e.g. anomaly detection
- H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a vulnerability scanning test system and method for web application security testing, in the technical field of web application security testing. It aims to reduce the time functional testers spend installing tools and learning vulnerability scanning, simplify the preparatory work of a scan, capture requests once for use by many scanning tools, improve working efficiency and reduce testing cost. The technical scheme is as follows: the scan task management service component manages tasks, submits created tasks, executes them and provides the various scan reports; the scan automation component automates the scanning tool, starts the tool's traffic monitoring mode, runs the scan, and generates the scan report and the automated scan; the proxy setting service component simplifies the proxy setup step for functional testers; and the traffic multiplexing component stores and copies requests, uses Fiddler to capture and forward packets, and forwards the captured requests to the other testing tools.
Description
Technical Field
The invention relates to the technical field of web application security testing, in particular to a vulnerability scanning test system for web application security testing and its implementation method.
Background
Requirements on web application security keep rising, and with them the demand for security testing. Vulnerability scanning is a common means of security testing that improves test efficiency and reduces labour cost. However, the following problems arise when vulnerability scanning tools are used:
First, to cover the application's test scope well and comprehensively, functional testers are often asked to capture requests. Someone new to vulnerability scanning therefore has to learn the whole process of completing one scan: install the various scanning tools on their own machine, learn how to set the system proxy so that requests are forwarded to the scanning tool, and then run the scan with the tool. The learning cost is high.
Second, to reduce missed findings, several tools are often used for scanning, so the tester has to capture the requests several times. The work is repeated and test efficiency is low.
Third, vulnerability scanning places demands on the machine: the performance of the tester's computer is frequently affected, other work done during the scan suffers, and when scanning overnight the scan is often interrupted by the computer going to sleep.
In summary, how to reduce the time functional testers spend installing tools and learning vulnerability scanning, simplify the preparatory work of a scan, capture once and scan with many tools, improve working efficiency and reduce testing cost is a technical problem that urgently needs solving.
Disclosure of Invention
The technical task of the invention is to provide a vulnerability scanning test system and method for web application security testing, so as to solve the problems of reducing the time functional testers spend installing tools and learning vulnerability scanning, simplifying the preparatory work of a scan, capturing requests once for use by many scanning tools, improving working efficiency and reducing testing cost.
The technical task is achieved by a vulnerability scanning test system for web application security testing, the system comprising:
the scan task management service component, which manages tasks, submits created tasks, executes them and provides the various scan reports;
the scan automation component, which automates the scanning tool: it starts the tool's traffic monitoring mode, runs the scan, and generates the scan report and the automated scan;
the proxy setting service component, which simplifies the proxy setup step for functional testers;
and the traffic multiplexing component, which stores and copies requests, uses Fiddler to capture and forward packets, and forwards the captured requests to the other testing tools.
Preferably, the scan task management service component, the scan automation component, the proxy setting service component and the traffic multiplexing component are all developed and implemented in Python.
Preferably, the proxy setting service component is implemented by the following steps:
(1) the user provides the address of the service under test according to the test requirement; the information is stored as one row of the database table pac_ruls and assigned a unique uid;
(2) the security tester selects the allocated test-service ip and port according to the address of the service under test, i.e. the ip list in the pac_ruls table is allocated to the corresponding port of the test machine; at the same time, the websites to be proxied and the proxy server address are specified through proxy rules;
(3) a rule service is provided: the rule contents in the database are returned through /vulscanner/pac/<uid> as an HttpResponse;
(4) the system's automatic proxy setting, proxy cancelling and test access functions are provided: the configuration script is generated dynamically and served through /vulscanner/pac/<uid>/bat, and the script file is returned as an HttpResponse;
(5) executing the configuration script configures the script address automatically, and the script's commands complete the proxy activity detection (checking that the proxy is alive).
Preferably, the websites to be proxied and the proxy server address specified by the proxy rule are implemented as follows:
a pac proxy rule is generated in JavaScript syntax: to proxy the traffic of an ip address to the corresponding port, a field of the form if (host == "<ip>") return "PROXY <proxy ip>:<port>"; is added, and the fields are spliced into a complete pac rule. For example, to proxy the traffic of 10.110.81.181 to port 8080 on 10.110.81.68, the field if (host == "10.110.81.181") return "PROXY 10.110.81.68:8080"; is added, and the fields are spliced into a complete pac rule;
the complete pac rule is saved in the rols field of the pac_ruls database table under the uid.
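As an added example (not code from the patent), a Python sketch of the proxy setting service's rule generation and storage described above: it splices host/proxy pairs into a complete pac rule, stores the rule under a uid in a stand-in pac_ruls table, serves it back by uid, and emits the configuration script. The function names, the in-memory sqlite table, the input validation and the Windows AutoConfigURL registry value used by the .bat script are my assumptions; the patent names only the pac_ruls table, its rols field, the uid and the two service paths.

```python
import re
import sqlite3
import uuid

# Hypothetical validators: the host and proxy values come from a web form and end
# up inside a JavaScript file that every tester's browser executes, so only an
# IPv4 literal / DNS name and an ip:port are accepted (no quotes, no code).
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
_PROXY_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def build_pac(rules):
    """Splice (host, proxy) pairs into a complete PAC script.

    Each pair becomes one `if (host == "...") return "PROXY ...";` field, as the
    patent describes; every other host falls through to DIRECT, so the tester's
    access to unrelated websites is not affected.
    """
    lines = ["function FindProxyForURL(url, host) {"]
    for target, proxy in rules:
        if not _HOST_RE.match(target):
            raise ValueError(f"invalid host: {target!r}")
        if not _PROXY_RE.match(proxy):
            raise ValueError(f"invalid proxy address: {proxy!r}")
        lines.append(f'    if (host == "{target}") return "PROXY {proxy}";')
    lines.append('    return "DIRECT";')
    lines.append("}")
    return "\n".join(lines) + "\n"


def resolve(pac_text, host):
    """Evaluate a generated PAC script for one host without a browser.

    Walks the `if (host == "...") return "...";` fields the builder emitted, so it
    answers what FindProxyForURL would return for that host.
    """
    for m in re.finditer(r'if \(host == "([^"]+)"\) return "([^"]+)";', pac_text):
        if m.group(1) == host:
            return m.group(2)
    return "DIRECT"


def open_rule_store():
    """In-memory stand-in for the pac_ruls table: uid -> rols (the PAC text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pac_ruls (uid TEXT PRIMARY KEY, rols TEXT NOT NULL)")
    return conn


def save_rule(conn, pac_text, uid=None):
    """Store a complete pac rule under a unique uid and return that uid."""
    uid = uid or uuid.uuid4().hex
    conn.execute("INSERT INTO pac_ruls (uid, rols) VALUES (?, ?)", (uid, pac_text))
    conn.commit()
    return uid


def load_rule(conn, uid):
    """What the /vulscanner/pac/<uid> rule service returns for a uid (None if unknown)."""
    row = conn.execute("SELECT rols FROM pac_ruls WHERE uid = ?", (uid,)).fetchone()
    return row[0] if row else None


def build_bat(pac_url):
    """Configuration script served at /vulscanner/pac/<uid>/bat.

    Assumed implementation: point the per-user Windows AutoConfigURL setting at
    the rule service, so the browser fetches the pac rule itself.
    """
    if '"' in pac_url or "\n" in pac_url or "\r" in pac_url:
        raise ValueError("pac_url must not contain quotes or line breaks")
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    return f'reg add "{key}" /v AutoConfigURL /t REG_SZ /d "{pac_url}" /f\r\n'


if __name__ == "__main__":
    pac = build_pac([("10.110.81.181", "10.110.81.68:8080")])
    conn = open_rule_store()
    uid = save_rule(conn, pac)
    print(load_rule(conn, uid))
    print(build_bat(f"http://10.110.81.68/vulscanner/pac/{uid}"))
```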
Preferably, the traffic multiplexing component provides the following three modes of operation:
first, after Fiddler is started, its upstream proxy is set (menu Tools > Options, Gateway tab) with the proxy ip and port, so that the requests are captured by the Burp Suite, ZAP and Xray scanning tools;
second, the requests are exported in HTTPArchive format using the export function (File > Export Sessions > All Sessions), a format AppScan imports (open AppScan and select File > Import exploration data);
third, Fiddler's save function stores the sessions as a saz file, and a request multiplexing script developed in Python converts the saz file into individual request files, so that batch vulnerability scanning with sqlmap is convenient.
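As an added example (not the patent's own request multiplexing script), a Python converter for the third mode of operation above: it splits a Fiddler saz archive into one raw HTTP request per captured session, the format that tools which accept a saved request file consume. The saz is constructed inline following the layout I know Fiddler uses (a zip with raw/<n>_c.txt client requests, _s.txt responses and _m.xml metadata); the de-duplication and the in-scope host filter are my additions, not steps the patent describes.

```python
import io
import re
import zipfile

# Client-request entries inside a .saz archive, e.g. raw/0001_c.txt.
_CLIENT_FILE = re.compile(r"^raw/(\d+)_c\.txt$")


def make_sample_saz():
    """Constructed stand-in for a Fiddler .saz file (sample data, not a real capture)."""
    sessions = [
        (b"GET /items?id=7 HTTP/1.1\r\nHost: 10.110.81.181\r\nUser-Agent: tester\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
        (b"POST /login HTTP/1.1\r\nHost: 10.110.81.181\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n\r\n"
         b"user=alice&pass=secret",
         b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"),
        # Duplicate of the first session: a tester traversing the same page twice.
        (b"GET /items?id=7 HTTP/1.1\r\nHost: 10.110.81.181\r\nUser-Agent: tester\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, (req, resp) in enumerate(sessions, start=1):
            zf.writestr(f"raw/{n:04d}_c.txt", req)
            zf.writestr(f"raw/{n:04d}_s.txt", resp)
            zf.writestr(f"raw/{n:04d}_m.xml", b"<Session/>")
    return buf.getvalue()


def request_host(raw):
    """Host header value of a raw HTTP request, or None if it has none."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def split_saz(saz_bytes, hosts_in_scope=None):
    """Explode a .saz archive into (filename, raw_request_bytes) pairs.

    Only the client side of each session is kept. Identical requests are emitted
    once (capture once, scan many), and when `hosts_in_scope` is given, requests
    to any other host (sites the tester visited that were not registered with the
    proxy setting service) are dropped so scanners only receive in-scope traffic.
    """
    out, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as zf:
        for name in sorted(zf.namelist()):
            m = _CLIENT_FILE.match(name)
            if not m:
                continue
            raw = zf.read(name)
            if hosts_in_scope is not None and request_host(raw) not in hosts_in_scope:
                continue
            if raw in seen:
                continue
            seen.add(raw)
            out.append((f"req_{m.group(1)}.txt", raw))
    return out


if __name__ == "__main__":
    for filename, raw in split_saz(make_sample_saz(), hosts_in_scope={"10.110.81.181"}):
        print(filename, raw.split(b"\r\n", 1)[0].decode())
```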
Preferably, the system operates as follows:
(1) access the proxy setting service, fill in the information of the server under test, and obtain and apply the proxy script: the functional tester enters the IP or domain name of the service address under test on the interface and clicks submit; the automatic proxy configuration script is returned, the user executes it, and the local proxy is set automatically;
(2) capture the requests and let the test server scan: the functional tester opens a browser, visits the website under test and traverses its functions, which captures the original requests and forwards them to the test server;
(3) notify the security tester that request capture is complete;
(4) after receiving the functional tester's feedback, the security tester logs in to the test server, starts the scanning tool, analyses the scan results, reports the vulnerabilities found and delivers the scan test report.
A method for implementing a vulnerability scanning test in web application security testing comprises the following specific steps:
S1, a test task is created and submitted through the scan task management component;
S2, after the security personnel approve the test task, the scan automation component starts the scan automatically and switches the scanning tool into traffic monitoring mode; at the same time a proxy task is issued to the proxy setting service component, which generates the pac proxy rule and issues the script address and configuration script, and the system proxy is set by executing or importing the configuration script;
S3, the network link is checked with the network link test component; user requests flow through the proxy to the traffic multiplexing component, which stores and forwards them, retaining, converting and forwarding each request to the corresponding scanning tools;
S4, the test is submitted through the scan task management service component and the scanning tool's traffic monitoring mode is closed.
The method for implementing a vulnerability scanning test in web application security testing according to claim 7, wherein the proxy setting service component is implemented by the following steps:
(1) the user provides the address of the service under test according to the test requirement; the information is stored as one row of the database table pac_ruls and assigned a unique uid;
(2) the security tester selects the allocated test-service ip and port according to the address of the service under test, i.e. the ip list in the pac_ruls table is allocated to the corresponding port of the test machine; at the same time, the websites to be proxied and the proxy server address are specified through proxy rules;
(3) a rule service is provided: the rule contents in the database are returned through /vulscanner/pac/<uid> as an HttpResponse;
(4) the automatic proxy setting, proxy cancelling and test access functions are provided: the configuration script is generated dynamically and served through /vulscanner/pac/<uid>/bat, and the script file is returned as an HttpResponse;
(5) executing the configuration script configures the script address automatically, and the script's commands complete the proxy activity detection (checking that the proxy is alive).
Preferably, the websites to be proxied and the proxy server address specified by the proxy rule are implemented as follows:
a pac proxy rule is generated in JavaScript syntax: to proxy the traffic of an ip address to the corresponding port, a field of the form if (host == "<ip>") return "PROXY <proxy ip>:<port>"; is added, and the fields are spliced into a complete pac rule; the complete pac rule is saved in the rols field of the pac_ruls database table under the uid.
Preferably, the traffic multiplexing component provides the following three modes of operation:
first, after Fiddler is started, its upstream proxy is set with the proxy ip and port, so that the requests are captured by the Burp Suite, ZAP and Xray scanning tools;
second, the requests are exported in HTTPArchive format using the export function, a format AppScan imports;
third, Fiddler's save function stores the sessions as a saz file, and a request multiplexing script developed in Python converts the saz file into individual request files, so that batch vulnerability scanning with sqlmap is convenient.
The vulnerability scanning test system and implementation method for web application security testing have the following advantages:
first, web application requests are forwarded to a proxy server by automatically configuring the system proxy, so the scanning work is moved to other machines, and the traffic multiplexing component forwards the requests to each scanning tool, so one set of captured requests is used by many scanning tools and testers' cost is effectively reduced;
second, the invention removes the time functional testers would spend installing tools and learning to run a scan, bounds the scan time, simplifies the preparatory work of a scan as far as possible, raises the reuse rate of captured requests through the capture-once, scan-many method, and ultimately improves working efficiency;
third, the invention moves the scanning tool to a dedicated machine and completes the system proxy setting automatically, so functional testers no longer need to learn, install, use or configure the scanning tool, nor store and analyse test results;
fourth, the proxy setting service component simplifies proxy setup for the functional tester without affecting the tester's access to other websites;
fifth, the user first visits the proxy setting service, supplies the environment under test and obtains the configuration script; executing the script configures the system proxy automatically, after which the test user's web requests to the environment under test are forwarded to the proxy server, whose request converter and forwarder convert and forward them to each scanning tool, achieving remote scanning and capture once, scan many times;
sixth, the method lowers the threshold for using scanning tools, so a tester without security experience can easily complete a vulnerability scan, which helps scan products quickly, greatly improves the quality of the company's products and saves substantial testing manpower and material resources.
Drawings
The invention is further described below with reference to the accompanying drawing.
FIG. 1 is a flow diagram of the operating process of the vulnerability scanning test system in web application security testing.
Detailed Description
The invention provides a vulnerability scanning test system and method for web application security testing, which are described in detail below with reference to the accompanying drawing and specific embodiments.
Example 1:
This embodiment provides a vulnerability scanning test system for web application security testing, comprising:
the scan task management service component, which manages tasks, submits created tasks, executes them and provides the various scan reports;
the scan automation component, which automates the scanning tool: it starts the tool's traffic monitoring mode, runs the scan, and generates the scan report and the automated scan;
the proxy setting service component, which simplifies the proxy setup step for functional testers;
and the traffic multiplexing component, which stores and copies requests, uses Fiddler to capture and forward packets, and forwards the captured requests to the other testing tools.
In this embodiment the scan task management service component, the scan automation component, the proxy setting service component and the traffic multiplexing component are all developed and implemented in Python.
The specific implementation steps of the proxy setting service component in this embodiment are as follows:
(1) the user provides the address of the service under test according to the test requirement; the information is stored as one row of the pac_ruls table and assigned a unique uid;
(2) the security tester selects the allocated test-service ip and port according to the address of the service under test, i.e. the ip list in the pac_ruls table is allocated to the corresponding port of the test machine; at the same time, the websites to be proxied and the proxy server address are specified through proxy rules;
(3) a rule service is provided: the rule contents in the database are returned through /vulscanner/pac/<uid> as an HttpResponse;
(4) the system's automatic proxy setting, proxy cancelling and test access functions are provided: the configuration script is generated dynamically and served through /vulscanner/pac/<uid>/bat, and the script file is returned as an HttpResponse;
(5) executing the configuration script configures the script address automatically, and the script's commands complete the proxy activity detection (checking that the proxy is alive).
The specific implementation of the websites to be proxied and the proxy server address specified by the proxy rule in step (2) of this embodiment is as follows:
a pac proxy rule is generated in JavaScript syntax: to proxy the traffic of an ip address to the corresponding port, a field of the form if (host == "<ip>") return "PROXY <proxy ip>:<port>"; is added, and the fields are spliced into a complete pac rule. For example, to proxy the traffic of 10.110.81.181 to port 8080 on 10.110.81.68, the field if (host == "10.110.81.181") return "PROXY 10.110.81.68:8080"; is added, and the fields are spliced into a complete pac rule;
the complete pac rule is saved in the rols field of the pac_ruls database table under the uid.
The traffic multiplexing component in this embodiment provides the following three modes of operation:
first, after Fiddler is started, its upstream proxy is set (menu Tools > Options, Gateway tab) with the proxy ip and port, so that the requests are captured by the Burp Suite, ZAP and Xray scanning tools;
second, the requests are exported in HTTPArchive format using the export function (File > Export Sessions > All Sessions), a format AppScan imports (open AppScan and select File > Import exploration data);
third, Fiddler's save function stores the sessions as a saz file, and a request multiplexing script developed in Python converts the saz file into individual request files, so that batch vulnerability scanning with sqlmap is convenient.
As shown in FIG. 1, the system operates as follows:
the server under test and the test server are prepared, the scanning tools are deployed, and the proxy setting service and request service component are set up so that they are ready for later use; then the functional testers capture the requests, after which the security testers scan and analyse. The specific steps are as follows:
(I) Operating flow for the functional tester:
(1) access the proxy setting service, fill in the information of the server under test, and obtain and apply the proxy script: the functional tester enters the IP or domain name of the service address under test on the interface and clicks submit; the automatic proxy configuration script is returned, the user executes it, and the local proxy is set automatically;
(2) capture the requests and let the test server scan: the functional tester opens a browser, visits the website under test and traverses its functions, which captures the original requests and forwards them to the test server;
(3) notify the security tester that request capture is complete.
(II) Operating flow for the security tester:
(4) after receiving the functional tester's feedback, the security tester logs in to the test server, starts the scanning tool, analyses the scan results, reports the vulnerabilities found and delivers the scan test report.
Example 2:
This embodiment provides a method for implementing a vulnerability scanning test in web application security testing, comprising the following specific steps:
S1, a test task is created and submitted through the scan task management component;
S2, after the security personnel approve the test task, the scan automation component starts the scan automatically and switches the scanning tool into traffic monitoring mode; at the same time a proxy task is issued to the proxy setting service component, which generates the pac proxy rule and issues the script address and configuration script, and the system proxy is set by executing or importing the configuration script;
S3, the network link is checked with the network link test component; user requests flow through the proxy to the traffic multiplexing component, which stores and forwards them, retaining, converting and forwarding each request to the corresponding scanning tools;
S4, the test is submitted through the scan task management service component and the scanning tool's traffic monitoring mode is closed.
The specific implementation steps of the proxy setting service component in this embodiment are as follows:
(1) the user provides the address of the service under test according to the test requirement; the information is stored as one row of the database table pac_ruls and assigned a unique uid;
(2) the security tester selects the allocated test-service ip and port according to the address of the service under test, i.e. the ip list in the pac_ruls table is allocated to the corresponding port of the test machine; at the same time, the websites to be proxied and the proxy server address are specified through proxy rules;
(3) a rule service is provided: the rule contents in the database are returned through /vulscanner/pac/<uid> as an HttpResponse;
(4) the automatic proxy setting, proxy cancelling and test access functions are provided: the configuration script is generated dynamically and served through /vulscanner/pac/<uid>/bat, and the script file is returned as an HttpResponse;
(5) executing the configuration script configures the script address automatically, and the script's commands complete the proxy activity detection (checking that the proxy is alive).
The specific implementation of the websites to be proxied and the proxy server address specified by the proxy rule in step (2) of this embodiment is as follows:
a pac proxy rule is generated in JavaScript syntax: to proxy the traffic of an ip address to the corresponding port, a field of the form if (host == "<ip>") return "PROXY <proxy ip>:<port>"; is added, and the fields are spliced into a complete pac rule; the complete pac rule is saved in the rols field of the pac_ruls database table under the uid.
The traffic multiplexing component in this embodiment provides the following three modes of operation:
first, after Fiddler is started, its upstream proxy is set with the proxy ip and port, so that the requests are captured by the Burp Suite, ZAP and Xray scanning tools;
second, the requests are exported in HTTPArchive format using the export function, a format AppScan imports;
third, Fiddler's save function stores the sessions as a saz file, and a request multiplexing script developed in Python converts the saz file into individual request files, so that batch vulnerability scanning with sqlmap is convenient.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in them may still be modified, or some or all of their technical features equivalently replaced, without such modifications or substitutions taking the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A vulnerability scanning test system for web application security testing, characterized in that the system comprises:
the scan task management service component, which manages tasks, submits created tasks, executes them and provides the various scan reports;
the scan automation component, which automates the scanning tool: it starts the tool's traffic monitoring mode, runs the scan, and generates the scan report and the automated scan;
the proxy setting service component, which simplifies the proxy setup step for functional testers;
and the traffic multiplexing component, which stores and copies requests, uses Fiddler to capture and forward packets, and forwards the captured requests to the other testing tools.
2. The system of claim 1, wherein the scan task management service component, the scan automation component, the proxy setting service component and the traffic multiplexing component are developed and implemented in Python.
3. The vulnerability scanning test system for web application security testing according to claim 1 or 2, wherein the proxy setting service component is implemented by the following steps:
(1) the user provides the address of the service under test according to the test requirement; the information is stored as one row of the database table pac_ruls and assigned a unique uid;
(2) the security tester selects the allocated test-service ip and port according to the address of the service under test, i.e. the ip list in the pac_ruls table is allocated to the corresponding port of the test machine; at the same time, the websites to be proxied and the proxy server address are specified through proxy rules;
(3) a rule service is provided: the rule contents in the database are returned through /vulscanner/pac/<uid> as an HttpResponse;
(4) the automatic proxy setting, proxy cancelling and test access functions are provided: the configuration script is generated dynamically and served through /vulscanner/pac/<uid>/bat, and the script file is returned as an HttpResponse;
(5) executing the configuration script configures the script address automatically, and the script's commands complete the proxy activity detection (checking that the proxy is alive).
4. The system of claim 3, wherein the specification of the websites to be proxied and the proxy server address by the proxy rule is implemented as follows:
a pac proxy rule is generated in JavaScript syntax: to proxy the traffic of an ip address to the corresponding port, a field of the form if (host == "<ip>") return "PROXY <proxy ip>:<port>"; is added, and the fields are spliced into a complete pac rule;
the complete pac rule is saved in the rols field of the pac_ruls database table under the uid.
5. The system of claim 1, wherein the traffic multiplexing component supports three operating modes:
firstly, after Fiddler is started, the Fiddler proxy is set with a proxy ip and port so that requests are captured by the Burp Suite, ZAP and Xray vulnerability scanning tools;
secondly, the requests are exported in HTTP Archive (HAR) format using the export function; this format is imported by AppScan;
thirdly, Fiddler saves the capture as a saz file using its save function, and a request multiplexing script developed in Python converts the saz file into single-request files so that batch vulnerability scanning with sqlmap is convenient.
6. The vulnerability-scan test system in a web application security test of claim 1, wherein the operating process of the system is specifically as follows:
(1) the proxy setting service is accessed, information of the server under test is filled in, and the proxy script is obtained and set: the functional tester enters the IP or domain name of the service address under test on the interface and submits it; the automatic proxy configuration script is returned, the user executes the script, and the local proxy is set automatically;
(2) requests are captured and the test server performs the vulnerability scan: the functional tester opens a browser, accesses the website under test and traverses its functions, which completes the collection of the original requests and forwards them to the test server;
(3) the security tester is notified that request capture is complete;
(4) after receiving the functional tester's feedback, the security tester logs in to the test server, starts the vulnerability scanning tools, analyses the scan results, feeds back the vulnerabilities found and issues a vulnerability scan test report.
7. A method for implementing a vulnerability-scan test in a web application security test, characterized by comprising the following steps:
S1, a submitted test task is created through the vulnerability-scan task management component;
S2, after the security personnel approve the test task, the automatic vulnerability-scan component performs the scan automatically and the scanning tool's traffic monitoring mode is started; meanwhile, a proxy task is issued to the proxy setting service component, which generates a pac proxy rule and issues the script address and configuration script, and the system proxy setting is completed by executing or importing the configuration script;
S3, the network link is checked with the network link test component; the user's requests flow through the traffic multiplexing component via the proxy, which performs the request storage and forwarding functions, retaining, converting and forwarding the requests to the corresponding other vulnerability scanning tools;
and S4, the test is submitted through the vulnerability-scan task management service component, and the traffic monitoring mode of the scanning tool is closed.
8. The method for implementing a vulnerability-scan test in a web application security test according to claim 7, wherein the proxy setting service component is implemented by the following steps:
(1) the information of the tested service address is supplied according to the user's test requirement, stored as one row of the database table pac_ruls, and assigned a unique uid;
(2) the security tester selects the assigned test service ip and port according to the tested service address, that is, the ip list in the pac_ruls table is assigned to the corresponding port of the test machine; meanwhile, the websites to be proxied and the proxy server address are specified by proxy rules;
(3) a rule service is provided: the rule contents in the database are returned via /vulscanner/pac/<uid> in an HttpResponse;
(4) automatic proxy setting, proxy cancellation and a test-access function are provided: the configuration script is generated dynamically via /vulscanner/pac/<uid>/bat and returned as a script file in an HttpResponse;
(5) executing the configuration script automatically configures the script address, and proxy liveness detection is completed by the script commands.
9. The method for implementing a vulnerability-scan test in a web application security test of claim 8, wherein specifying the websites to be proxied and the proxy server address through the proxy rule is specifically implemented as follows:
a pac proxy rule is generated in JavaScript syntax: traffic for each ip address is proxied to the corresponding port by adding an "if (host) return "PROXY port";" clause, and these fields are spliced into a complete pac rule; the complete pac rule is saved under the uid in the rols field of the pac_ruls database table.
10. The method for implementing a vulnerability-scan test in a web application security test according to claim 7, wherein the traffic multiplexing component supports three operating modes:
firstly, after Fiddler is started, the Fiddler proxy is set with a proxy ip and port so that requests are captured by the Burp Suite, ZAP and Xray vulnerability scanning tools;
secondly, the requests are exported in HTTP Archive (HAR) format using the export function; this format is imported by AppScan;
and thirdly, Fiddler saves the capture as a saz file using its save function, and a request multiplexing script developed in Python converts the saz file into single-request files so that batch vulnerability scanning with sqlmap is convenient.
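Claims 5 and 10 describe a Python script that turns a Fiddler saz capture into single-request files. The following is an added example, not the patent's script: it reads the saz archive, extracts each captured client request, and keeps only sessions whose Host header lies inside the agreed test scope so that multiplexed traffic never targets a service outside the test. The saz internal layout (a raw/ folder with one NN_c.txt request and NN_s.txt response per session) and the two-session capture built in memory are assumptions.

```python
import io
import re
import zipfile

# Layout assumption (not stated in the patent): a Fiddler .saz archive is a zip
# whose raw/ folder holds one NN_c.txt (client request) and NN_s.txt (server
# response) per captured session.
_CLIENT_RE = re.compile(r"^raw/(\d+)_c\.txt$")

def build_sample_saz():
    """Construct a small .saz in memory (constructed sample, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("raw/1_c.txt", "GET /search?q=test HTTP/1.1\r\nHost: app.test.example\r\n\r\n")
        z.writestr("raw/1_s.txt", "HTTP/1.1 200 OK\r\n\r\nok")
        z.writestr("raw/2_c.txt", "POST /login HTTP/1.1\r\nHost: app.test.example\r\n"
                                  "Content-Length: 9\r\n\r\nuser=demo")
        z.writestr("raw/2_s.txt", "HTTP/1.1 302 Found\r\n\r\n")
        # An out-of-scope request the browser happened to make during traversal.
        z.writestr("raw/3_c.txt", "GET / HTTP/1.1\r\nHost: cdn.unrelated.example\r\n\r\n")
    return buf.getvalue()

def host_header(raw_request):
    """Return the Host header value of a raw HTTP request, or None if absent."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def split_saz(saz_bytes, allowed_hosts):
    """Map session id -> raw client request for every request in the archive
    whose Host is within the tested scope; other sessions are dropped."""
    requests = {}
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as z:
        for name in z.namelist():
            m = _CLIENT_RE.match(name)
            if not m:
                continue
            raw = z.read(name).decode("utf-8", errors="replace")
            if host_header(raw) in allowed_hosts:
                requests[int(m.group(1))] = raw
    return requests
```

Writing each entry of the returned dict to its own file gives the single-request form the claim describes.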
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210251481.8A CN114697085B (en) | 2022-03-15 | 2022-03-15 | Missing scan test system in web application security test and implementation method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114697085A true CN114697085A (en) | 2022-07-01 |
CN114697085B CN114697085B (en) | 2024-01-30 |
Family
ID=82138976
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114697085B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102104601A (en) * | 2011-01-14 | 2011-06-22 | 无锡市同威科技有限公司 | Web vulnerability scanning method and device based on infiltration technology |
US20120240235A1 (en) * | 2011-03-14 | 2012-09-20 | Rapdi7, LLC | Methods and systems for providing a framework to test the security of computing system over a network |
CN110516449A (en) * | 2019-09-03 | 2019-11-29 | 国网重庆市电力公司电力科学研究院 | A kind of lightweight vulnerability detection method and readable storage medium storing program for executing |
CN110659481A (en) * | 2019-09-27 | 2020-01-07 | 上海赛可出行科技服务有限公司 | Vulnerability scanning method based on agent |
CN113596114A (en) * | 2021-07-12 | 2021-11-02 | 杭州电子科技大学 | Extensible automatic Web vulnerability scanning system and method |
US20210400074A1 (en) * | 2020-06-23 | 2021-12-23 | Tenable, Inc. | Distributed network based vulnerability scanning via endpoint agent deployment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||