CN115809204A - SQL injection detection test method, device and medium for cloud platform WAF - Google Patents
- Publication number
- CN115809204A (application number CN202310090177.4A)
- Authority
- CN
- China
- Prior art keywords
- test
- test statement
- statement
- target
- mutation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention provides a method, a device and a medium for SQL injection detection testing facing a cloud platform WAF, relating to the technical field of computers. The method comprises the steps of obtaining an initial test statement set, where the initial test statement set comprises a plurality of test statements and the test statements are SQL injection statements; for any test statement, carrying out a mutation operation on the test statement based on a target mutation operator set corresponding to the test statement, to obtain a test statement to be selected corresponding to the test statement; adding the test statement to be selected corresponding to each test statement into the initial test statement set, to obtain a target test statement set; and carrying out an SQL injection detection test on the cloud platform WAF to be tested by adopting the target test statement set, so as to obtain a test result. Therefore, a large number of test statements do not need to be written manually, and a target test statement set containing a large number of test statements can be obtained from only a small number of initial test statements, so that the generation efficiency of the test statements is improved and the acquisition cost of the test statements is reduced.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method, a device and a medium for SQL injection detection test for a cloud platform WAF.
Background
With the rapid development of computer technology, more and more World Wide Web applications (Web applications) are integrated into cloud platforms, which exposes the cloud platform to more security risks, including Structured Query Language (SQL) injection risks; in the face of these security risks, security protection is often implemented by deploying a Web Application Firewall (WAF).
In this case, in order to ensure the security protection capability of the WAF, a large number of test statements are required to test the SQL injection detection capability of the WAF. In the prior art, the SQL injection statements used for testing are usually written manually, and with manual writing the acquisition cost of the test statements is high.
Disclosure of Invention
An object of the embodiments of the present invention is to provide a method, an apparatus, and a medium for SQL injection detection test for a cloud platform WAF, so as to solve the above problems. The specific technical scheme is as follows:
In a first aspect of the present invention, a method for SQL injection detection testing oriented to a cloud platform WAF is first provided, where the method may include:
acquiring an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements;
for any test statement, carrying out mutation operation on the test statement based on a target mutation operator set corresponding to the test statement to obtain a test statement to be selected corresponding to the test statement;
adding the test statement to be selected corresponding to each test statement into the initial test statement set to obtain a target test statement set;
and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the target test statement set so as to obtain a test result.
In a second aspect of the present invention, there is provided a cloud platform WAF-oriented SQL injection detection testing apparatus, where the apparatus may include:
an initial test statement set acquisition module, configured to acquire an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements;
the mutation module is used for carrying out mutation operation on any test statement based on a target mutation operator set corresponding to the test statement to obtain a to-be-selected test statement corresponding to the test statement;
a test statement adding module, configured to add a test statement to be selected corresponding to each test statement to the initial test statement set, so as to obtain a target test statement set;
and the testing module is used for carrying out SQL injection detection testing on the cloud platform WAF to be tested by adopting the target testing statement set so as to obtain a testing result.
In a third aspect of the present invention, an electronic device is further provided, which includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for performing the method of the first aspect when executing a program stored in the memory.
In a fourth aspect implemented by the present invention, there is also provided a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of the first aspect described above.
In a fifth aspect of the present invention, there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first aspect described above.
The embodiment of the invention obtains an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements; for any test statement, a mutation operation is carried out on the test statement based on a target mutation operator set corresponding to the test statement, to obtain a test statement to be selected corresponding to the test statement; the test statements to be selected corresponding to the test statements are added into the initial test statement set to obtain a target test statement set; and an SQL injection detection test is carried out on the cloud platform WAF to be tested by adopting the target test statement set, so as to obtain a test result. Therefore, by carrying out a mutation operation on any test statement in the initial test statement set, a large number of test statements do not need to be written manually, and a target test statement set containing a large number of test statements can be obtained from only a small number of initial test statements, so that the generation efficiency of the test statements is improved and the acquisition cost of the test statements is reduced. Meanwhile, the test statements to be selected obtained through the mutation operation can often cover more test angles, so that the limited test coverage that results from testing directly with the initial test statement set can be avoided to a certain extent, and the test effect is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below.
Fig. 1 is a flowchart illustrating steps of an SQL injection detection test method for a cloud platform WAF according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a test statement analysis according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a scenario provided by an embodiment of the present invention;
fig. 4 is a block diagram of a structure of a cloud platform WAF-oriented SQL injection detection testing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
Fig. 1 is a flowchart of steps of an SQL injection detection test method for a cloud platform WAF according to an embodiment of the present invention, and as shown in fig. 1, the method may include the following steps:
step 101, obtaining an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements.
The initial test statement set is a statement set for executing the SQL injection test and usually includes a plurality of test statements; it can be understood that, in order to test the SQL injection detection capability of the WAF, the test statements used should be SQL injection statements. Each test statement may be a statement that manipulates sensitive information, for example by accessing unauthorized information or by creating or modifying user permissions, so as to achieve the test purpose. As can be understood, running a test statement is equivalent to performing a simulated attack on the cloud platform WAF, and thus a test statement may also be referred to as an attack load (payload).
Specifically, the initial test statement set can be represented as a set $S = \{s_i \mid i = 1, 2, \ldots, w\}$, where $i$ is the number of the initial test statement, $s_i$ denotes the $i$-th initial test statement, and $w$ is the number of initial test statements in the initial test statement set. The initial test statement set can be randomly acquired on the network or taken from a historically constructed test set; the test statements in the initial test statement set are usually few in number and uniform in form.
Step 102, for any test statement, carrying out a mutation operation on the test statement based on the target mutation operator set corresponding to the test statement, to obtain the to-be-selected test statement corresponding to the test statement.
The target mutation operator set is the mutation operator set corresponding to the test statement; the mutation operator sets corresponding to different test statements differ. A mutation operator set can comprise a plurality of mutation operators, where a mutation operator is an operator for mutating the original payload and can embody various SQL injection bypass techniques, including case replacement, space replacement, quotation-mark substitution, comment addition and the like. The mutation operation changes the original payload on the basis of the original payload, and the diversity of the test statements can be increased through the mutation operation.
It should be noted that one mutation operator may correspond to one mutated test statement, so that the number of the test statements to be selected corresponds to the number of mutation operators in the target mutation operator set.
Step 103, adding the to-be-selected test statement corresponding to each test statement to the initial test statement set to obtain a target test statement set.
Further, through the step 102, the test statements included in the initial test statement set may be mutated, and each test statement may obtain a mutated test statement to be selected, so that the embodiment of the present invention may add the test statement to be selected, which is obtained through the mutation operation, to the initial test statement set, so that the number of the test statements in the initial test statement set is increased, and a target test statement set in which the number of the test statements is greater than that of the initial test statement set is obtained.
Step 104, performing an SQL injection detection test on the cloud platform WAF to be tested by adopting the target test statement set, to obtain a test result.
The cloud platform WAF to be tested is the Web application firewall of the cloud platform under test. A user does not need to install a software program or deploy hardware equipment in the user's own network: by handing over domain name resolution to the cloud platform using Domain Name System (DNS) technology, the user's requests are first sent to a cloud node for inspection, where an abnormal request is intercepted and a normal request is forwarded to the real server.
Specifically, the test statements contained in the target test statement set include the initial test statements and the candidate test statements obtained through mutation. Each test statement can be used in turn to perform a simulated attack on the cloud platform WAF to be tested, and different test statements represent different attack modes. When the WAF produces an interception response to every test statement, the cloud platform WAF to be tested has a protective effect against the test statements in the target test statement set; correspondingly, when there exists a test statement to which the WAF produces no interception response, the WAF has no protective effect against the SQL injection mode represented by that test statement.
In summary, the embodiment of the present invention obtains the initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements; for any test statement, a mutation operation is carried out on the test statement based on a target mutation operator set corresponding to the test statement, to obtain a test statement to be selected corresponding to the test statement; the test statement to be selected corresponding to each test statement is added into the initial test statement set to obtain a target test statement set; and an SQL injection detection test is carried out on the cloud platform WAF to be tested by adopting the target test statement set, so as to obtain a test result. Therefore, by carrying out a mutation operation on any test statement in the initial test statement set, a large number of test statements do not need to be written manually, and a target test statement set containing a large number of test statements can be obtained from only a small number of initial test statements, so that the generation efficiency of the test statements is improved and the acquisition cost of the test statements is reduced. Meanwhile, the test statements to be selected obtained through the mutation operation can often cover more test angles, so that the limited test coverage that results from testing directly with the initial test statement set can be avoided to a certain extent, and the test effect is improved.
Optionally, before performing mutation operation on the test statement based on the target mutation operator set corresponding to the test statement, the embodiment of the present invention may further include:
Step 201, dividing an initial mutation operator set into a plurality of subsets according to the mutation mode of each mutation operator in the initial mutation operator set; the plurality of subsets includes an add-class subset, a replace-class subset, and an encode-class subset.
Specifically, the mutation operator of the added class may generate a new mutation payload by adding some symbols or elements to the original payload, and accordingly, the mutation operator of the replaced class may generate a new mutation payload by equivalently replacing some elements in the original payload, and accordingly, the mutation operator of the encoding class may generate a new mutation payload by encoding a specified element in the original payload.
It can be understood that, since the mutation modes differ, the corresponding mutation operations actually executed also differ. In the embodiment of the present invention, the initial mutation operator set may therefore be split according to mutation mode into an add-class subset, a replace-class subset, and an encode-class subset; accordingly, the mutation operators included in the add-class subset are add-class mutation operators, those in the replace-class subset are replace-class mutation operators, and those in the encode-class subset are encode-class mutation operators.
Step 202, for any one test statement, obtaining an element type of a test element contained in the test statement as a to-be-selected type.
The test elements refer to elements forming the test statements, and it can be understood that the SQL injection statements are generally formed by elements such as SQL statement keywords, character strings, numbers, punctuation marks, operation marks, control characters, various coding character representations, and the like.
Further, for any test statement, the embodiment of the present invention may also store the identified elements in a set $E_i = \{e_{i,j} \mid j = 1, 2, \ldots, n\}$, where $E_i$ represents the test element set corresponding to test statement $s_i$, $e_{i,j}$ represents the $j$-th test element of test statement $s_i$, and $n$ represents the number of test elements included in the test statement.
Further, the embodiment of the present invention can identify the type of each obtained test element through a predefined type coding rule, generate a corresponding type code for each different type, and store the type codes in a type set $T_i = \{t_{i,j} \mid j = 1, 2, \ldots, n\}$; it can be understood that each element $e_{i,j}$ of the above-mentioned set $E_i$ corresponds to one element type $t_{i,j}$. The type coding rule may be defined according to actual requirements: one code may be defined for elements of the numeric type (different numbers share the same code), one code may be defined for elements of the string type (different strings share the same code), different codes may be defined for different keywords and different operators, and different codes may also be defined for different punctuation symbols. In short, codes may be defined according to the role of each element in an SQL injection statement: elements with the same role receive the same code, and elements with different roles receive different codes. Different type coding rules may be set according to actual requirements, which is not limited in this embodiment of the present invention.
Fig. 2 is a schematic diagram of a test statement analysis according to an embodiment of the present invention. As shown in fig. 2, lexical analysis is performed on the test statement "admin' OR 1=1#", so that the test elements (which may also be referred to as tokens) included in the test statement are obtained as follows: "admin", "'", " ", "OR", " ", "1", "=", "1", "#", where each pair of double quotes encloses one test element and different test elements are separated by commas. It can be seen that the test statement shown in fig. 2 contains 9 elements, and corresponding type codes can be generated for the 9 elements. The coding rule adopted in the figure is: the type code corresponding to "admin" is 23, the type code corresponding to a single quotation mark is 153, the type code corresponding to a space is 146, the type code corresponding to the logical operator "OR" is 1060, the type code corresponding to the number 1 is 125, the type code corresponding to "=" is 68, and the type code corresponding to the comment symbol "#" is 128.
Step 203, adding the add-class operators included in the add-class subset to an original operator set corresponding to the test statement, adding the replace-class operators in the replace-class subset whose replacement object type is the to-be-selected type to the original operator set, and adding the encode-class operators in the encode-class subset whose encoding object type is the to-be-selected type to the original operator set, to obtain the target mutation operator set.
The initial mutation operator set $M$ can be divided into three subsets in the above step 201: the add-class operator subset $A = \{a_j \mid j = 1, 2, \ldots, o\}$, the replace-class operator subset $R = \{r_j \mid j = 1, 2, \ldots, p\}$ and the encode-class operator subset $C = \{c_j \mid j = 1, 2, \ldots, q\}$. The embodiment of the present invention may define, for every payload, i.e. every $s_i$, a target mutation operator set $CM_i$, and the mutation operators in the target mutation operator set corresponding to each test statement are subsequently used directly to perform the mutation operation on that test statement. The mutation operators contained in the add-class subset are called add-class operators; correspondingly, the mutation operators contained in the replace-class subset are called replace-class operators, and the mutation operators contained in the encode-class subset are called encode-class operators.
Specifically, add-class operators are generally common to all SQL injection statements, that is, different test statements may use the same add-class operator for the mutation operation, so the embodiment of the present invention may add all add-class operators included in the add-class subset $A$ to the original operator set. Because replace-class and encode-class operators usually replace or encode a specific element type, and the replacement object types and encoding object types targeted by different replace-class and encode-class operators differ, the embodiment of the present invention adds to the original operator set only those replace-class operators in the replace-class subset $R$ whose replacement object type is the to-be-selected type, and correspondingly only those encode-class operators in the encode-class subset $C$ whose encoding object type is the to-be-selected type, thereby obtaining the target mutation operator set $CM_i$ corresponding to test statement $s_i$.
Specifically, the embodiment of the present invention may first deduplicate the types $t_{i,j}$ in the type set $T_i$ of test statement $s_i$ to determine the element types contained in $s_i$; for example, after deduplicating the type codes shown in fig. 2, it can be determined that $s_i$ contains 7 element types. Second, each type $t_{i,j}$ in the deduplicated set $T_i$ can be matched against the element types processed by the mutation operators in the replace-class subset $R$ and the encode-class subset $C$; since the subsets $R$ and $C$ can likewise use type codes to characterise the replacement object type or encoding object type of each operator, the matching can be performed by comparing type codes. Then, a mutation operator $r_j$ or $c_j$ whose processed element type equals some $t_{i,j}$ in $T_i$ is added to the original operator set, and otherwise it is not added. Finally, for each test statement $s_i$ the target mutation operator set $CM_i = \{cm_{i,j} \mid j = 1, 2, \ldots, z\}$ is obtained, where $z$ represents the number of mutation operators included in the target mutation operator set.
In the embodiment of the invention, the initial mutation operator set is divided into a plurality of subsets according to the mutation mode of each mutation operator in the initial mutation operator set; the plurality of subsets include an add-class subset, a replace-class subset, and an encode-class subset; for any test statement, the element types of the test elements contained in the test statement are acquired as the to-be-selected types; the add-class operators included in the add-class subset are added to an original operator set corresponding to the test statement, the replace-class operators in the replace-class subset whose replacement object type is a to-be-selected type are added to the original operator set, and the encode-class operators in the encode-class subset whose encoding object type is a to-be-selected type are added to the original operator set, to obtain the target mutation operator set. Therefore, by means of the element types of the test elements contained in each test statement, target mutation operator sets containing different mutation operators are constructed for different test statements; invalid mutation operations can be avoided, the situation in which an adopted mutation operator cannot effectively mutate the test statement is avoided, repeated test statements are avoided, and the generation efficiency of the test statements is further improved.
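Steps 201 to 203 worked through as an added Python example that is not part of the patent: a small lexer assigns the Fig. 2 type codes to the elements of a test statement, and the target mutation operator set CM_i is then built from the deduplicated type set T_i, taking all of A but only those operators of R and C whose object type occurs in the statement. The operator names, their mode assignments and the comma type code 77 are assumptions made for this example; only operator metadata is modelled, not the mutation bodies themselves.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Type codes are the ones the patent shows for the Fig. 2 example "admin' OR 1=1#".
# The code for a comma (77) is an assumption made for this example: it is not in the
# figure and is used to show an operator whose object type does not occur in the statement.
TYPE_CODES = {
    "identifier": 23,      # "admin" (string-type element)
    "single_quote": 153,   # '
    "space": 146,          # one space
    "kw_or": 1060,         # logical operator OR
    "number": 125,         # every number shares one code
    "equals": 68,          # =
    "hash_comment": 128,   # trailing # comment
    "comma": 77,           # assumed, see above
}

KEYWORD_KINDS = {"OR": "kw_or"}
PUNCT_KINDS = {"'": "single_quote", "=": "equals", "#": "hash_comment", ",": "comma"}

TOKEN_RE = re.compile(
    r"(?P<number>\d+)|(?P<word>[A-Za-z_]\w*)|(?P<space>[ \t]+)|(?P<punct>.)",
    re.DOTALL,
)


def lex(statement: str) -> list:
    """Step 202: split test statement s_i into elements e_{i,j}, each paired with its type code t_{i,j}."""
    elements = []
    for m in TOKEN_RE.finditer(statement):
        text, group = m.group(), m.lastgroup
        if group == "number":
            kind = "number"
        elif group == "word":
            kind = KEYWORD_KINDS.get(text.upper(), "identifier")
        elif group == "space":
            kind = "space"
        else:
            kind = PUNCT_KINDS.get(text)
        if kind is None:
            raise ValueError(f"no type code defined for element {text!r}")
        elements.append((text, TYPE_CODES[kind]))
    return elements


def candidate_types(elements) -> set:
    """Deduplicated type set T_i: the to-be-selected types of s_i."""
    return {code for _, code in elements}


@dataclass(frozen=True)
class MutationOperator:
    name: str
    mode: str                   # "add", "replace" or "encode": the patent's three mutation modes
    target_type: Optional[int]  # type code of the replacement/encoding object; None for add-class


# Assumed initial mutation operator set M (names are hypothetical; the modes follow the
# bypass techniques the patent lists: case/space/quote replacement, comment addition, encoding).
INITIAL_OPERATORS = [
    MutationOperator("add_comment", "add", None),
    MutationOperator("add_whitespace", "add", None),
    MutationOperator("replace_keyword_case", "replace", TYPE_CODES["kw_or"]),
    MutationOperator("replace_space", "replace", TYPE_CODES["space"]),
    MutationOperator("replace_quote", "replace", TYPE_CODES["single_quote"]),
    MutationOperator("replace_comma", "replace", TYPE_CODES["comma"]),
    MutationOperator("url_encode_keyword", "encode", TYPE_CODES["kw_or"]),
    MutationOperator("url_encode_quote", "encode", TYPE_CODES["single_quote"]),
    MutationOperator("html_encode_comma", "encode", TYPE_CODES["comma"]),
]


def split_by_mode(operators):
    """Step 201: split M into add-class subset A, replace-class subset R and encode-class subset C."""
    by_mode = {"add": [], "replace": [], "encode": []}
    for op in operators:
        by_mode[op.mode].append(op)
    return by_mode["add"], by_mode["replace"], by_mode["encode"]


def target_operator_set(statement: str, operators=INITIAL_OPERATORS):
    """Step 203: build CM_i for one statement. All of A is taken; an r_j or c_j is taken only
    when its object type is among the statement's own types, so every chosen operator has
    something to act on and no invalid or duplicate mutation is produced."""
    a_set, r_set, c_set = split_by_mode(operators)
    types = candidate_types(lex(statement))
    cm = list(a_set)
    cm += [op for op in r_set if op.target_type in types]
    cm += [op for op in c_set if op.target_type in types]
    return cm


if __name__ == "__main__":
    stmt = "admin' OR 1=1#"
    for text, code in lex(stmt):
        print(f"{text!r:9} -> {code}")
    cm = target_operator_set(stmt)
    print("z =", len(cm), "operators selected:", [op.name for op in cm])
```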
Optionally, the operation of performing mutation operation on the test statement based on the target mutation operator set corresponding to the test statement may specifically include the following steps:
Step 301, determining a test element in the test statement whose to-be-selected type belongs to a replacement object type as a first target element, and replacing the first target element using a replace-class operator in the target mutation operator set whose replacement object type is the to-be-selected type; the test elements are the elements that constitute the test statement.
When the to-be-selected type belongs to a replacement object type, this indicates that there exists a replace-class operator in the target mutation operator set that can be applied to the test element corresponding to the to-be-selected type. The replacement object type is the type of element targeted by the replacement operation of the replace-class operator, and different replace-class operators target different element types. It should be noted that the semantics of the replace-class operator's replacement and of the corresponding replaced object in the test statement, or the purpose they achieve, are the same.
Further, in the target mutation operator set, each mutation operator may include the mutation operator itself, and may also include the type of the targeted object or the targeted location. The above-mentioned replacement object type may also be represented using a type code, so that the corresponding first target element may be determined by the type code for which the replacement class operator is directed.
Step 302, and/or determining a test element in the test statement whose to-be-selected type belongs to an encoding object type as a second target element, and encoding the second target element using an encode-class operator in the target mutation operator set whose encoding object type is the to-be-selected type.
When the to-be-selected type belongs to an encoding object type, this indicates that there exists an encode-class operator in the target mutation operator set that can be applied to the test element corresponding to the to-be-selected type. The encoding object type is the element type targeted by the encoding operation of the encode-class operator; an encode-class operator may act on an element other than a number or a character, and may use different encoding manners, for example URL encoding, HTML encoding, BASE64 encoding, and the like.
Specifically, in this step, after the second target element is encoded by using the encoding operator, the original second target element is updated or replaced by using the encoded second target element.
Step 303, and/or, for any add-class operator contained in the target mutation operator set, determining a target adding position of the add-class operator in the test statement based on the adding rule of the add-class operator, and adding the add-class operator at the target adding position.
The adding class operator usually adds some specific symbols at any position of the test statement to implement mutation operation, and accordingly, the target adding position is the position indicated by the adding class operator, and the adding class operator can be added to the target adding position of the original test statement to implement mutation operation.
Further, the mutation operation may be to execute any one of the operations in the steps 301 to 303, or certainly, two or three operations may be executed sequentially, and the mutation operation may be set according to actual requirements, which is not limited in this embodiment of the present invention.
Further, for any test statement, the mutation operators cm_{i,j} in its target mutation operator set can be selected in sequence and applied to it. Illustratively, when the mutation operation executes any one of the steps 301 to 303, the number of test statements to be selected obtained from one test statement equals the number of mutation operators in the target mutation operator set, so after the above steps each test statement obtains a corresponding set of test statements to be selected CP_i = {cp_{i,j} | j = 1, 2, …, z}, where z is the number of mutation operators in the target mutation operator set. The mutation operations may be executed in parallel, that is, every mutation operator in the target mutation operator set may mutate the test statement at the same time, yielding the z test statements to be selected simultaneously, each produced by a different mutation operator.
In the embodiment of the invention, a test element of the type to be selected in the test statement that belongs to a replacement object type is determined as a first target element, and the first target element is replaced by a replacement class operator, included in the target mutation operator set, whose replacement object type is the type to be selected; the test elements are the elements constituting the test statement; and/or a test element of the type to be selected in the test statement that belongs to an encoding object type is determined as a second target element, and the second target element is encoded by an encoding class operator, included in the target mutation operator set, whose encoding object type is the type to be selected; and/or, for any adding class operator contained in the target mutation operator set, a target adding position of the adding class operator in the test statement is determined based on the adding rule of the adding class operator, and the adding class operator is added to the target adding position. In this way, different mutation operators perform the corresponding mutation operations on different elements of the test statement, and different mutation operations can be executed on the same test statement, so that a plurality of mutated statements are obtained from one original test statement, the initial test statement set is effectively expanded, and the test statement generation efficiency is improved.
Optionally, before the test statement to be selected corresponding to each test statement is added to the initial test statement set, the embodiment of the present invention may further include the following steps:
step 401, for any test statement, obtaining a first information entropy of the test statement, and obtaining a second information entropy of each to-be-selected test statement corresponding to the test statement.
When there are many mutation operators, the number of test statements to be selected tends to grow exponentially and, in serious cases, causes a combinatorial explosion, so the embodiment of the present invention can limit the number of test statements to be selected. Further, different test statements differ in their ability to bypass WAF detection, and to reflect this difference the information entropy can be used to screen the test statements to be selected in CP_i. The information entropy represents the uncertainty of a test statement: the larger the information entropy, the larger the uncertainty, and, on the heuristic adopted in this embodiment, the larger the uncertainty of a test statement, the stronger its capability of bypassing WAF detection and the larger the bypass probability, so the test effect is better. Therefore, the embodiment of the present invention screens and filters the test statements to be selected obtained by the mutation operation according to their information entropy.
Wherein, the information entropy can be calculated by the following formula:
where X represents a test statement or a test statement to be selected, n represents the number of elements in X, and p_i represents the probability of the ith element in the statement; p_i can be calculated by the following formula:
where the count (i) represents the number of occurrences of the ith element in the sentence, and sum represents the number of all elements included in the sentence.
Further, since the keyword has a certain influence on the detection of bypassing the WAF in the SQL injection statement, when the ith element is the keyword, a weight w may be added to the count (i), and accordingly, the weight w is also added when sum is calculated. For example, the weight w may be 50, and may be set according to actual requirements, which is not limited in this embodiment of the present invention.
In the operation of adding the to-be-selected test statement corresponding to each test statement to the initial test statement set, an embodiment of the present invention may specifically include the following steps:
step 402, for any candidate test statement corresponding to any test statement, adding the candidate test statement to the initial test statement set under the condition that the second information entropy is larger than the first information entropy.
Further, because the uncertainty of the test statement is in direct proportion to the information entropy, and the higher the uncertainty is, the better the test effect is, the embodiment of the present invention may select the candidate test statement whose information entropy is greater than that of the original test statement, that is, select the candidate test statement that satisfies the following conditions:
specifically, when the second information entropy is larger than the first information entropy, it indicates that the uncertainty of the current test statement to be selected is larger than that of the original test statement, the higher the probability of detection of bypassing the WAF is, the better the performance test effect on the WAF is, and the SQL injection detection capability of the WAF can be tested to the maximum extent.
Optionally, a candidate test statement set CCP_i = {ccp_{i,j} | j = 1, 2, …, g} may also be established for the test statements to be selected that satisfy the above screening requirement, where g denotes the total number of candidate mutation samples, so that each ccp_{i,j} in CCP_i can be added to the initial test statement set S.
In the embodiment of the invention, for any test statement, a first information entropy of the test statement is obtained, and a second information entropy of each to-be-selected test statement corresponding to the test statement is obtained; and for any candidate test statement corresponding to any test statement, adding the candidate test statement to the initial test statement set under the condition that the second information entropy is larger than the first information entropy. In this way, the test statements and the information entropies of the to-be-selected test statements corresponding to the test statements are obtained respectively, the to-be-selected test statements can be screened according to the size of the information entropies, the test quality of the selected to-be-selected test statements can be guaranteed while the excessive number of the to-be-selected test statements is avoided, and the test effect is guaranteed by the entropy to a certain degree.
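Added example, not the patent's code, of the entropy screening of steps 401 and 402. It assumes the information entropy is the Shannon entropy H(X) = -Σ p_i log2 p_i with p_i = count(i)/sum, and reads "a weight w is added to count(i)" as count(i) + w for each distinct keyword element, with sum adjusted accordingly. The element split, the keyword list and the treatment of whitespace as not being an element are this example's choices.

```python
import math
import re

KEYWORDS = {"select", "union", "or", "and", "from", "where", "sleep", "null"}
KEYWORD_WEIGHT = 50  # the text's example value for w


def elements(stmt):
    """Elements of a statement: words, numbers and single non-blank symbols.
    Whitespace is not counted as an element (this example's choice)."""
    return re.findall(r"[A-Za-z_][A-Za-z0-9_]*|\d+|\S", stmt)


def weighted_entropy(stmt, w=KEYWORD_WEIGHT):
    """H(X) = -sum_i p_i * log2(p_i) with p_i = count(i) / sum; a keyword
    element gets w added to its count (and therefore to sum)."""
    counts = {}
    for e in elements(stmt):
        counts[e] = counts.get(e, 0) + 1
    for e in counts:
        if e.lower() in KEYWORDS:
            counts[e] += w
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def screen(original, candidates, w=KEYWORD_WEIGHT):
    """Step 402: keep the candidates whose (second) entropy exceeds the
    original statement's (first) entropy; returns (candidate, entropy) pairs
    so the entropy can be recorded with the sample."""
    h_first = weighted_entropy(original, w)
    kept = []
    for cand in candidates:
        h_second = weighted_entropy(cand, w)
        if h_second > h_first:
            kept.append((cand, h_second))
    return kept
```

A candidate identical to the original has equal entropy and is dropped, as are candidates that only repeat already frequent elements; replacing "or" by "||" or appending a comment sequence raises the entropy and is kept.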
Optionally, after the test statement to be selected corresponding to each test statement is added to the initial test statement set, the embodiment of the present invention may specifically include the following steps:
step 501, for any test statement, under the condition that the number of variation rounds of the test statement is smaller than a preset round number threshold, acquiring a candidate variation calculation subset of a candidate test statement corresponding to the test statement; and the number of the mutation rounds is the sum of the number of times of performing mutation operations on the test statement and the number of times of performing mutation operations on the test statement to be selected corresponding to the test statement.
And 502, performing mutation operation on the to-be-selected test statement corresponding to the test statement by using the to-be-selected mutation operator set, and adding the mutated to-be-selected test statement to the initial test statement set until the mutation round number of the test statement is not less than the preset round number threshold.
Specifically, the initial test statement may be used as a root statement to which all the candidate test statements obtained by mutation of the root statement belong, so that the mutation round number of the root statement refers to the mutation times of all the test statements included in the root statement. Specifically, any mutation operator is selected to perform mutation operation once, so that a test statement to be selected can be obtained, and at this time, a round of mutation is equivalently performed.
The preset wheel number threshold may be set according to actual requirements, which is not limited in the embodiment of the present invention. Specifically, when the number of variation rounds of any test statement is smaller than the preset round threshold, it indicates that the number of variation payloads currently generated by one original payload may be small, resulting in a poor expansion effect on the initial test statement set.
Further, after a candidate mutation operator set corresponding to the test statement to be selected is obtained, mutation operation may be performed on the test statement to be selected by using the candidate mutation operator set to obtain a variant statement obtained by mutation of the test statement to be selected, and the variant statement is also added to the initial test statement set, at this time, the number of mutation rounds of the original test statement may be recalculated, and under the condition that the number of mutation rounds is smaller than the preset round number threshold, the mutation operation is continued on the variant statement newly added to the initial test statement set until the number of mutation rounds of the original test statement is not smaller than the preset round number threshold.
In the embodiment of the invention, for any test statement, under the condition that the number of mutation rounds of the test statement is smaller than a preset round number threshold, the candidate mutation operator set of the test statement to be selected corresponding to the test statement is obtained; the number of mutation rounds is the sum of the number of times mutation operations have been performed on the test statement and the number of times mutation operations have been performed on the test statements to be selected corresponding to the test statement; mutation operation is performed on the test statement to be selected corresponding to the test statement by using the candidate mutation operator set, and the mutated test statement to be selected is added to the initial test statement set, until the number of mutation rounds of the test statement is not less than the preset round number threshold. In this way, by setting the preset round number threshold, when the number of mutation rounds of any test statement is smaller than the threshold the mutation operation is performed on its test statements to be selected with their candidate mutation operator sets, so that one original test statement can generate multiple cycles of mutated test statements to be selected, the expansion effect on the initial test statement set is ensured, and the coverage of the SQL injection detection test on the WAF can be further improved.
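Added example, not from the patent, of the round-limited multi-round mutation of steps 501 and 502: a breadth-first worklist over one root statement, where every operator application on the root or on any candidate derived from it counts as one mutation round, and expansion stops as soon as the root's round count reaches the threshold. The three one-line operators are stand-ins for the candidate mutation operator set of each statement; `accept` is a hook where the entropy screening would be plugged in, and `trace` keeps the per-sample process record (parent, operator, child, kept) that the text says should be retained.

```python
from collections import deque


def expand_rounds(root, operators, threshold, accept=None):
    """Multi-round expansion of one root statement under a round budget.

    Each operator application on the root or on a derived candidate counts as
    one mutation round (the text's definition). Candidates equal to their
    parent, already seen, or rejected by `accept(parent, child)` are not added
    to the pool but still consume a round, because the mutation was performed.
    Returns (pool, rounds used, trace).
    """
    accept = accept or (lambda parent, child: True)
    pool, seen = [root], {root}
    queue, trace, rounds = deque([root]), [], 0
    while queue and rounds < threshold:
        parent = queue.popleft()
        for name, op in operators:
            if rounds >= threshold:
                break
            child = op(parent)
            rounds += 1
            kept = child != parent and child not in seen and accept(parent, child)
            trace.append((parent, name, child, kept))
            if kept:
                seen.add(child)
                pool.append(child)
                queue.append(child)
    return pool, rounds, trace


# Stand-in operators (one line each); a real candidate operator set comes from
# the type-driven selection described for steps 301 to 303.
TOY_OPERATORS = [
    ("space_to_comment", lambda s: s.replace(" ", "/**/")),
    ("swap_case", lambda s: s.swapcase()),
    ("append_comment", lambda s: s + " -- -"),
]
```

With `expand_rounds("' or 1=1", TOY_OPERATORS, 6)` the root consumes three rounds, its first child consumes the remaining three (one of which is a no-op because the child has no spaces left), and the second and third children are never mutated because the budget is exhausted; the pool holds the root plus five variants.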
Optionally, the embodiment of the present invention may further include the following steps:
Step 601, sequentially encoding the target test statements contained in the target test statement set to obtain an encoded target test statement set.
The operation of performing SQL injection detection test on the cloud platform WAF to be tested by using the target test statement set may specifically include the following steps:
step 602, performing SQL injection detection test on the cloud platform WAF to be tested by using the encoded target test statement set.
For the steps 601 to 602, the encoding may be implemented by different preset encoders, which may include Base64 encoding, URL encoding, double-URL encoding, Unicode-URL encoding, HTML encoding, Long UTF-8 encoding and the like. Each target test statement may be encoded with several different encoders, or a corresponding encoder may be allocated to each target test statement according to a preset allocation rule, which is not limited in the embodiment of the present invention.
Correspondingly, the operation of testing the WAF by using the encoded target test statement set refers to performing SQL injection detection testing on the WAF by using the encoded target test statement.
In the embodiment of the invention, the target test statements contained in the target test statement set are sequentially coded to obtain a coded target test statement set; and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the coded target test statement set. Therefore, by coding the target test statements in the target test statement set, the uncertainty of the test statements can be further improved, so that the WAF bypassing detection capability of the test statements is improved, and the test effect is improved.
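Added example, not the patent's code, of the encoders listed for step 601, applied to a whole target test statement. "Unicode-URL" is taken to mean the %uXXXX form and "Long UTF-8" to mean overlong UTF-8 sequences; both readings are assumptions, as is the round-robin allocation rule in `assign_encoders`. `strict_utf8_decodes` is added so the reader can see why an overlong sequence behaves differently from the plain URL form: a strict decoder rejects it, so what a lenient WAF or backend makes of it has to be established by testing.

```python
import base64
from urllib.parse import quote, unquote_to_bytes


def url_encode(s):
    return quote(s, safe="")


def double_url_encode(s):
    return quote(quote(s, safe=""), safe="")


def unicode_url_encode(s):
    """%uXXXX form (assumed reading of 'Unicode-URL'); BMP code points only."""
    return "".join(f"%u{ord(c):04X}" for c in s)


def html_encode(s):
    """Decimal numeric character reference for every character."""
    return "".join(f"&#{ord(c)};" for c in s)


def base64_encode(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def overlong_utf8_url_encode(s):
    """Assumed reading of 'Long UTF-8': each ASCII byte b written as the
    overlong two-byte sequence 0xC0|(b>>6), 0x80|(b&0x3F), percent-encoded.
    This is not valid UTF-8 under RFC 3629; strict decoders reject it."""
    out = []
    for b in s.encode("utf-8"):
        if b < 0x80:
            out.append(f"%{0xC0 | (b >> 6):02X}%{0x80 | (b & 0x3F):02X}")
        else:
            out.append(f"%{b:02X}")
    return "".join(out)


ENCODERS = {
    "base64": base64_encode,
    "url": url_encode,
    "double_url": double_url_encode,
    "unicode_url": unicode_url_encode,
    "html": html_encode,
    "long_utf8": overlong_utf8_url_encode,
}


def encode_all(stmt):
    """Step 601 with every encoder: {encoder name: encoded statement}."""
    return {name: fn(stmt) for name, fn in ENCODERS.items()}


def assign_encoders(statements):
    """Step 601 with a preset allocation rule (round-robin, an assumption):
    one (encoder name, encoded statement) per target test statement."""
    names = list(ENCODERS)
    return [(names[i % len(names)], ENCODERS[names[i % len(names)]](s))
            for i, s in enumerate(statements)]


def strict_utf8_decodes(percent_encoded):
    """True when the percent-decoded bytes are valid UTF-8."""
    try:
        unquote_to_bytes(percent_encoded).decode("utf-8", "strict")
        return True
    except UnicodeDecodeError:
        return False
```

The encoder name must be recorded next to the encoded payload, since the same original statement produces a different request for each encoder and a bypass has to be traced back to the encoder that produced it.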
Optionally, the operation of performing SQL injection detection test on the cloud platform WAF to be tested by using the encoded target test statement set may specifically include the following steps:
step 701, for any target test statement in the encoded target test statement set, generating a request data packet based on the target test statement and the address of the cloud platform to be tested WAF.
Step 702, sending the request data packet to the cloud platform WAF to be tested.
Step 703, receiving a response data packet returned by the cloud platform WAF to be tested based on the request data packet.
Step 704, under the condition that the interception feature exists in the response data packet, determining that the test result of the cloud platform WAF to be tested for the target test statement meets the requirement.
For the steps 701 to 704, the address of the cloud platform WAF to be tested is usually a URL address, and may be directly obtained when a test request for the cloud platform WAF to be tested is received, or may be carried in the test request.
Specifically, each target test statement in the target test statement set may be assembled with the URL address of the WAF to generate different request data packets, and the request data packets are sent to the corresponding URL addresses, so as to implement SQL injection on the WAF to be tested. Further, after receiving the request data packet, the WAF returns a corresponding response data packet for each request data packet.
The interception feature is a feature, typically a specific response status code (404 in the example of this embodiment; the code used depends on the WAF), that indicates that the WAF intercepted the request. Specifically, the field content of the feature field of the response data packet is obtained; when the field content is the interception feature, the SQL injection detection rules of the cloud platform WAF to be tested cover the attack pattern of the target test statement in the request data packet, and the detection capability of the WAF for that target test statement meets the requirement. Correspondingly, when the interception feature is absent from the response data packet, the WAF did not detect the target test statement as non-compliant and let the request through to be executed, that is, an interception omission exists: the SQL injection detection rules of the cloud platform WAF to be tested do not cover the attack pattern of that target test statement, and the detection capability of the WAF for it does not meet the requirement.
In the embodiment of the invention, a request data packet is generated by any target test statement in the encoded target test statement set based on the target test statement and the address of the cloud platform WAF to be tested; sending the request data packet to the cloud platform WAF to be tested; receiving a response data packet returned by the cloud platform WAF to be tested based on the request data packet; and under the condition that the interception features exist in the response data packet, determining that the test result of the cloud platform WAF to be tested for the target test statement meets the requirement. In this way, by sending the request data packet generated according to the target test statement to the cloud platform WAF to be tested, different target test statements can be adopted to test the detection capability of the WAF, and the test coverage rate is improved. Meanwhile, by detecting the interception features in the response data packet, the detection effect of the WAF can be determined through the interception features, and the purpose of SQL injection detection test on the cloud platform WAF is achieved.
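Added example, not the patent's code, of steps 701 to 704 with the WAF replaced by a constructed stand-in that URL-decodes the query once and matches two signatures. The interception feature is configured as a set of status codes plus a body pattern, because the blocking response differs between WAF products. The host name, the parameter name and the signatures are made up for the example; a real run would pass an HTTP client as `send`. Note the `already_encoded` flag: a target statement that the encoder stage already transformed must be placed in the request verbatim, otherwise the request builder would re-encode it and the payload actually tested would not be the one recorded.

```python
import re
from urllib.parse import quote_plus, unquote_plus


def build_request(waf_url, param, statement, already_encoded):
    """Step 701: assemble the request data packet with the statement in a
    query parameter. Pre-encoded statements go in verbatim."""
    value = statement if already_encoded else quote_plus(statement)
    sep = "&" if "?" in waf_url else "?"
    return {"method": "GET", "url": f"{waf_url}{sep}{param}={value}",
            "headers": {"User-Agent": "waf-sqli-test/0.1"}}


INTERCEPT_FEATURES = {
    "status": {403, 404},  # 404 is the text's example; 403 is also common
    "body": re.compile(r"blocked|intercept", re.I),
}


def classify(status, body, features=INTERCEPT_FEATURES):
    """Step 704: interception feature present means detection meets the
    requirement; otherwise the statement bypassed the WAF."""
    if status in features["status"] or features["body"].search(body):
        return "intercepted"
    return "missed"


# Constructed stand-in for the WAF under test (not any real product): one
# URL-decoding pass, then two signatures.
SIGNATURES = [re.compile(r"\bor\b\s*\d+\s*=\s*\d+", re.I),
              re.compile(r"union\s+select", re.I)]


def toy_waf(request):
    """Returns (status code, body) like the response data packet would."""
    query = request["url"].partition("?")[2]
    if any(sig.search(unquote_plus(query)) for sig in SIGNATURES):
        return 403, "<html>Request blocked by WAF</html>"
    return 200, "<html>ok</html>"


def run_tests(waf_url, param, targets, send=toy_waf):
    """Steps 701 to 704 over (encoder name, statement, already_encoded)
    triples; each record keeps what is needed to trace a bypass."""
    records = []
    for encoder, statement, pre_encoded in targets:
        req = build_request(waf_url, param, statement, pre_encoded)
        status, body = send(req)
        records.append({"encoder": encoder, "statement": statement,
                        "url": req["url"], "status": status,
                        "result": classify(status, body)})
    return records
```

Against the stand-in, the raw and single-URL-encoded statements are intercepted, while the double-URL-encoded one is missed because the WAF decodes only once and its signature no longer matches; that record is exactly the kind of bypass the test is meant to surface.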
Fig. 3 is a schematic view of a scenario provided in an embodiment of the present invention, as shown in fig. 3, the scenario may include a cloud platform WAF, and the following operations may be performed in the scenario:
firstly, SQL lexical analysis is carried out on an initial test statement set, self-adaptive matching is carried out on different initial test statements, candidate mutation operators for different initial test statements are obtained from a mutation operator set, mutation is carried out on the initial test statements through the candidate mutation operators to obtain mutated samples, the mutated samples are further screened, the samples meeting screening conditions are added into the candidate test statement set, test statements in the candidate test statement set are coded, a request data packet is constructed according to the coded test statements, the constructed request data packet is sent to a cloud platform WAF to be tested for access, and finally a response data packet returned by the WAF is analyzed to obtain test results of the WAF for different test statements.
It should be noted that with the development of cloud computing, more and more Web applications are being integrated into cloud platforms, which also poses a great challenge to the security of the cloud platform. Common security risks include SQL (Structured Query Language) injection, cross-site scripting, cross-site request forgery, distributed denial of service and the like. SQL injection is one of the most common and most threatening attacks: an attacker injects SQL characters or commands into the input fields of the Web application in order to manipulate the execution of the back-end SQL queries, and thereby directly accesses unauthorized information, creates or modifies user rights, or otherwise manipulates sensitive information. To deal with these security risks, the conventional security solutions for Web applications are increasingly moving to the cloud, including the Web Application Firewall (WAF). In order to ensure the effectiveness of the WAF function of the cloud platform, simulated hacker attacks are required to test the performance of the WAF before it goes online, so there must be a way to verify whether the WAF interception rules are complete or have gaps.
Existing cloud platform WAFs mainly detect SQL injection with signature-based or machine learning methods. Signature-based WAFs respond to threats by implementing application-specific rules to block malicious traffic. However, these rules must be continually adjusted to address evolving threats; the resulting rule sets can become complex and difficult to maintain, requiring administrators with a high level of skill and detailed knowledge of the application. Moreover, in the face of a zero-day attack a signature-based WAF may produce high false positive and false negative rates, which degrades performance and gives poor protection against the zero-day attack. Machine learning based methods are advantageous over signature/rule based methods because they can address zero-day attacks and are easier to configure and update, but their performance is often limited by the training data and they are poorly interpretable.
Given the importance of the security protection capability of the WAF, testing the SQL injection detection of WAFs becomes especially important. Existing testing methods mainly comprise manual testing and automatic testing. In manual testing, the test data is produced by manually writing SQL injection attack payload scripts in advance; in automatic testing, the test process is executed automatically on a large number of collected or generated SQL injection payloads. However, the existing test methods still have the following defects:
For example, manual testing can hardly meet the requirement of cloud platform WAF systems for a large amount of real, reasonable and complex test data, and manually writing test scripts is labor-intensive and inefficient. The effectiveness of assembly testing based on pre-collected payloads is directly related to the quality of the payloads, and its test coverage is limited. In mutation-based fuzz testing, as the variety of mutation operators increases the number of mutated test cases grows exponentially, which may cause a combinatorial explosion; conversely, if the number of mutation operators is controlled, the element combination coverage decreases. Existing methods based on combination and mutation testing may also produce many invalid mutations, reducing test efficiency: the elements of the original input payload are limited, and most mutation strategies target specific elements, such as replacement strategies for the symbol "=" or "!=". If these elements are not contained in the input payload, the corresponding mutation strategy has no effect.
Compared with the manual test method and the assembly test method based on pre-collected payloads, the SQL injection detection test method for the cloud platform WAF provided by the embodiment of the present invention produces more payloads of different types and can achieve a more comprehensive bypass test. By performing lexical analysis on a payload and then mutating it with adaptively selected mutation operators, the mutation processes of the other, invalid mutation operators are skipped, repeated payloads are eliminated and sample generation efficiency is improved; especially when multiple rounds of mutation are required for the same original payload, most of the ineffective mutation processes can be eliminated. Meanwhile, sample screening based on the information entropy reduces the probability of sample space explosion and filters out a large number of payloads with a low probability of bypassing the WAF, so that the number of tests is reduced and test efficiency is effectively improved. Detailed process information can be recorded for each tested payload, including the original payload, the mutated payload, the executed mutation operators, the information entropy, the encoder, the encoded payload, the response state and the like; with this information the reason why the WAF could be bypassed can be traced quickly, improving the efficiency of hardening the WAF protection strategy.
Fig. 4 is a block diagram of a structure of an SQL injection detection testing apparatus 80 for a cloud platform WAF according to an embodiment of the present invention, and as shown in fig. 4, the apparatus may include:
an initial test statement set obtaining module 801, configured to obtain an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements;
a mutation module 802, configured to perform a mutation operation on any test statement based on a target mutation operator set corresponding to the test statement to obtain a to-be-selected test statement corresponding to the test statement;
a test statement adding module 803, configured to add a test statement to be selected corresponding to each test statement to the initial test statement set, so as to obtain a target test statement set;
the testing module 804 is configured to perform SQL injection detection testing on the cloud platform WAF to be tested by using the target testing statement set, so as to obtain a testing result.
Optionally, the apparatus further comprises:
a dividing module, configured to divide an initial mutation operator set into multiple subsets according to the mutation modes of the mutation operators in the initial mutation operator set, before the mutation module performs the mutation operation on the test statement based on the target mutation operator set corresponding to the test statement; the plurality of subsets include an adding class subset, a replacement class subset and an encoding class subset;
the element type acquisition module is used for acquiring the element type of the test element contained in the test statement as a type to be selected for any test statement;
an operator adding module, configured to add the adding class operators included in the adding class subset to an original operator set corresponding to the test statement, add the replacement class operators in the replacement class subset whose replacement object type is the type to be selected to the original operator set, and add the encoding class operators in the encoding class subset whose encoding object type is the type to be selected to the original operator set, to obtain the target mutation operator set.
Optionally, the mutation module is specifically configured to:
determining a test element of which the type to be selected in the test statement belongs to the type of the alternative object as a first target element, and replacing the first target element by adopting an alternative operator of which the type of the alternative object included in the target mutation operator set is the type to be selected; the test elements are elements constituting the test statement;
and/or determining a test element of which the type to be selected in the test statement belongs to the coding object type as a second target element, and coding the second target element by adopting a coding object type included in the target mutation operator set as a coding class operator of the type to be selected;
and/or determining a target adding position of the adding class operator in the test statement based on an adding rule of the adding class operator for any adding class operator contained in the target mutation operator set, and adding the adding class operator to the target adding position.
Optionally, the apparatus 80 further comprises:
the information entropy acquisition module is used for acquiring a first information entropy of a test statement and acquiring a second information entropy of each to-be-selected test statement corresponding to the test statement for any test statement;
the test statement adding module is specifically configured to: and for any candidate test statement corresponding to any test statement, adding the candidate test statement to the initial test statement set under the condition that the second information entropy is larger than the first information entropy.
Optionally, the apparatus 80 further comprises:
a candidate mutation operator set obtaining module, configured to, after the test statement adding module adds the test statement to be selected corresponding to each test statement to the initial test statement set, for any test statement, obtain the candidate mutation operator set of the test statement to be selected corresponding to the test statement when the number of mutation rounds of the test statement is smaller than a preset round number threshold; the number of mutation rounds is the sum of the number of times mutation operations have been performed on the test statement and the number of times mutation operations have been performed on the test statements to be selected corresponding to the test statement;
the mutation module is further configured to: perform mutation operation on the test statement to be selected corresponding to the test statement by using the candidate mutation operator set, and add the mutated test statement to be selected to the initial test statement set, until the number of mutation rounds of the test statement is not less than the preset round number threshold.
Optionally, the apparatus further comprises:
the coding module is used for sequentially coding the target test statements contained in the target test statement set to obtain a coded target test statement set;
the test module is specifically configured to: and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the coded target test statement set.
Optionally, the test module is specifically further configured to:
generating a request data packet for any target test statement in the encoded target test statement set based on the target test statement and the address of the cloud platform WAF to be tested;
sending the request data packet to the cloud platform WAF to be tested;
receiving a response data packet returned by the cloud platform WAF to be tested based on the request data packet;
and under the condition that the interception features exist in the response data packet, determining that the test result of the cloud platform WAF to be tested for the target test statement meets the requirement.
In summary, the embodiment of the present invention obtains the initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements; for any test statement, carrying out mutation operation on the test statement based on a target mutation operator set corresponding to the test statement to obtain a test statement to be selected corresponding to the test statement; adding the test statement to be selected corresponding to each test statement into the initial test statement set to obtain a target test statement set; and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the target test statement set so as to obtain a test result. Therefore, by carrying out mutation operation on any test statement in the initial test statements, a large number of test statements do not need to be written manually, and a target test statement set containing a large number of test statements can be obtained only by a small number of initial test statements, so that the generation efficiency of the test statements is improved, and the acquisition cost of the test statements is reduced. Meanwhile, the test sentences to be selected obtained through the mutation operation can often cover more test angles, so that the problem of limited test coverage generated by directly using an initial test sentence set for testing can be avoided to a certain extent, and the test effect is improved.
In another embodiment provided by the present invention, an electronic device is further provided, which includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for performing any of the above methods when executing a program stored in the memory.
In yet another embodiment, the present invention further provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of any of the above embodiments.
In a further embodiment provided by the present invention, there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions described in accordance with the embodiments of the invention may be carried out in whole or in part by loading and executing the computer program instructions on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that incorporates one or more such media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It should be noted that, in the embodiments of the present application, the various data related processes are performed under the premise of complying with the data protection regulation policy corresponding to the country of the location, and obtaining the authorization given by the owner of the corresponding device.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (15)
1. A SQL injection detection test method for a cloud platform WAF is characterized by comprising the following steps:
acquiring an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements;
for any test statement, performing mutation operations on the test statement based on a target mutation operator set corresponding to the test statement to obtain candidate test statements corresponding to the test statement;
adding the candidate test statements corresponding to each test statement to the initial test statement set to obtain a target test statement set;
and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the target test statement set so as to obtain a test result.
2. The method of claim 1, wherein before performing mutation operation on the test statement based on a target mutation operator set corresponding to the test statement, the method further comprises:
dividing an initial mutation operator set into a plurality of subsets according to the mutation mode of each mutation operator in the initial mutation operator set; the plurality of subsets comprise an add class subset, a replace class subset and an encode class subset;
for any test statement, acquiring the element type of each test element contained in the test statement as a to-be-selected type;
adding the add class operators included in the add class subset to an original operator set corresponding to the test statement, adding the replace class operators in the replace class subset whose replacement object type is the to-be-selected type to the original operator set, and adding the encode class operators in the encode class subset whose coding object type is the to-be-selected type to the original operator set, to obtain the target mutation operator set.
3. The method of claim 2, wherein performing mutation operations on the test statement based on a target mutation operator set corresponding to the test statement comprises:
determining, as a first target element, a test element in the test statement whose to-be-selected type belongs to a replacement object type, and replacing the first target element with a replace class operator in the target mutation operator set whose replacement object type is that to-be-selected type; the test elements are the elements constituting the test statement;
and/or determining, as a second target element, a test element in the test statement whose to-be-selected type belongs to a coding object type, and encoding the second target element with an encode class operator in the target mutation operator set whose coding object type is that to-be-selected type;
and/or, for any add class operator contained in the target mutation operator set, determining a target adding position of the add class operator in the test statement based on the adding rule of the add class operator, and adding the add class operator at the target adding position.
4. The method of claim 3, wherein before adding the candidate test statement corresponding to each of the test statements to the initial set of test statements, the method further comprises:
for any test statement, acquiring a first information entropy of the test statement, and acquiring a second information entropy of each candidate test statement corresponding to the test statement;
and adding the candidate test statements corresponding to each test statement to the initial test statement set comprises: for any candidate test statement corresponding to any test statement, adding the candidate test statement to the initial test statement set in the case that its second information entropy is larger than the first information entropy.
5. The method of claim 1, wherein after adding the candidate test statement corresponding to each of the test statements to the initial set of test statements, the method further comprises:
for any test statement, in the case that the mutation round number of the test statement is smaller than a preset round number threshold, acquiring a candidate mutation operator set for the candidate test statements corresponding to the test statement; the mutation round number is the sum of the number of times mutation operations have been performed on the test statement and the number of times mutation operations have been performed on the candidate test statements corresponding to the test statement;
and performing mutation operations on the candidate test statements corresponding to the test statement using the candidate mutation operator set, and adding the mutated candidate test statements to the initial test statement set, until the mutation round number of the test statement is not less than the preset round number threshold.
6. The method of claim 1, further comprising:
sequentially coding the target test statements contained in the target test statement set to obtain a coded target test statement set;
the method for performing SQL injection detection test on the cloud platform WAF to be tested by adopting the target test statement set comprises the following steps:
and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the coded target test statement set.
7. The method according to claim 6, wherein the performing SQL injection detection test on the cloud platform WAF to be tested by using the encoded target test statement set includes:
for any target test statement in the encoded target test statement set, generating a request data packet based on the target test statement and the address of the cloud platform WAF to be tested;
sending the request data packet to the cloud platform WAF to be tested;
receiving a response data packet returned by the cloud platform WAF to be tested based on the request data packet;
and under the condition that the interception features exist in the response data packet, determining that the test result of the cloud platform WAF to be tested for the target test statement meets the requirement.
8. A SQL injection detection test device for a cloud platform WAF, characterized in that the device comprises:
an initial test statement set acquisition module, configured to acquire an initial test statement set; the initial test statement set comprises a plurality of test statements, and the test statements are SQL injection statements;
a mutation module, configured to, for any test statement, perform mutation operations on the test statement based on a target mutation operator set corresponding to the test statement, to obtain candidate test statements corresponding to the test statement;
a test statement adding module, configured to add the candidate test statements corresponding to each test statement to the initial test statement set, to obtain a target test statement set;
and the testing module is used for carrying out SQL injection detection testing on the cloud platform WAF to be tested by adopting the target testing statement set so as to obtain a testing result.
9. The apparatus of claim 8, further comprising:
a dividing module, configured to divide an initial mutation operator set into a plurality of subsets according to the mutation mode of each mutation operator in the initial mutation operator set, before the mutation module performs the mutation operations on the test statement based on the target mutation operator set corresponding to the test statement; the plurality of subsets comprise an add class subset, a replace class subset and an encode class subset;
an element type acquisition module, configured to, for any test statement, acquire the element type of each test element contained in the test statement as a to-be-selected type;
an operator adding module, configured to add the add class operators included in the add class subset to an original operator set corresponding to the test statement, add the replace class operators in the replace class subset whose replacement object type is the to-be-selected type to the original operator set, and add the encode class operators in the encode class subset whose coding object type is the to-be-selected type to the original operator set, to obtain the target mutation operator set.
10. The apparatus of claim 9, wherein the mutation module is specifically configured to:
determine, as a first target element, a test element in the test statement whose to-be-selected type belongs to a replacement object type, and replace the first target element with a replace class operator in the target mutation operator set whose replacement object type is that to-be-selected type; the test elements are the elements constituting the test statement;
and/or determine, as a second target element, a test element in the test statement whose to-be-selected type belongs to a coding object type, and encode the second target element with an encode class operator in the target mutation operator set whose coding object type is that to-be-selected type;
and/or, for any add class operator contained in the target mutation operator set, determine a target adding position of the add class operator in the test statement based on the adding rule of the add class operator, and add the add class operator at the target adding position.
11. The apparatus of claim 10, further comprising:
an information entropy acquisition module, configured to, for any test statement, acquire a first information entropy of the test statement and a second information entropy of each candidate test statement corresponding to the test statement;
the test statement adding module is specifically configured to: for any candidate test statement corresponding to any test statement, add the candidate test statement to the initial test statement set in the case that its second information entropy is larger than the first information entropy.
12. The apparatus of claim 8, further comprising:
a candidate mutation operator set acquisition module, configured to, after the test statement adding module adds the candidate test statements corresponding to each test statement to the initial test statement set, for any test statement, acquire a candidate mutation operator set for the candidate test statements corresponding to the test statement in the case that the mutation round number of the test statement is smaller than a preset round number threshold; the mutation round number is the sum of the number of times mutation operations have been performed on the test statement and the number of times mutation operations have been performed on the candidate test statements corresponding to the test statement;
the mutation module is further configured to: perform mutation operations on the candidate test statements corresponding to the test statement using the candidate mutation operator set, and add the mutated candidate test statements to the initial test statement set, until the mutation round number of the test statement is not less than the preset round number threshold.
13. The apparatus of claim 8, further comprising:
the coding module is used for sequentially coding the target test statements contained in the target test statement set to obtain a coded target test statement set;
the test module is specifically configured to: and carrying out SQL injection detection test on the cloud platform WAF to be tested by adopting the coded target test statement set.
14. The apparatus of claim 13, wherein the testing module is further configured to:
generating a request data packet for any target test statement in the encoded target test statement set based on the target test statement and the address of the cloud platform WAF to be tested;
sending the request data packet to the cloud platform WAF to be tested;
receiving a response data packet returned by the cloud platform WAF to be tested based on the request data packet;
and under the condition that the interception features exist in the response data packet, determining that the test result of the cloud platform WAF to be tested for the target test statement meets the requirement.
15. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310090177.4A CN115809204A (en) | 2023-02-09 | 2023-02-09 | SQL injection detection test method, device and medium for cloud platform WAF |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115809204A true CN115809204A (en) | 2023-03-17 |
Family
ID=85487850
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310090177.4A Pending CN115809204A (en) | 2023-02-09 | 2023-02-09 | SQL injection detection test method, device and medium for cloud platform WAF |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115809204A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116916321A (en) * | 2023-09-12 | 2023-10-20 | 中国电子信息产业集团有限公司第六研究所 | Method and system for defending satellite network system |
CN116916321B (en) * | 2023-09-12 | 2023-12-15 | 中国电子信息产业集团有限公司第六研究所 | Method and system for defending satellite network system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100050155A1 (en) * | 2008-08-19 | 2010-02-25 | International Business Machines Corporation | Method, computer program product, and hardware product for providing program individuality analysis for source code programs |
CN108763069A (en) * | 2018-05-15 | 2018-11-06 | 南京邮电大学 | A kind of method for generating test case based on comentropy particle cluster algorithm |
CN111258892A (en) * | 2020-01-12 | 2020-06-09 | 大连理工大学 | SQL injection test case generation method based on combined variation |
US20220197877A1 (en) * | 2020-12-21 | 2022-06-23 | International Business Machines Corporation | Data simulation for regression analysis |
CN115629998A (en) * | 2022-12-22 | 2023-01-20 | 北京航空航天大学 | Test case screening method based on KMeans clustering and similarity |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110958220B (en) | Network space security threat detection method and system based on heterogeneous graph embedding | |
Shibahara et al. | Efficient dynamic malware analysis based on network behavior using deep learning | |
US20220201042A1 (en) | Ai-driven defensive penetration test analysis and recommendation system | |
RU2739865C2 (en) | System and method of detecting a malicious file | |
CN107066883B (en) | System and method for blocking script execution | |
US11196746B2 (en) | Whitelisting of trusted accessors to restricted web pages | |
RU2659737C1 (en) | System and method of managing computing resources for detecting malicious files | |
CN101894225B (en) | System and method of aggregating the knowledge base of antivirus software applications | |
Song et al. | Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers | |
CN112866023B (en) | Network detection method, model training method, device, equipment and storage medium | |
JP2019079493A (en) | System and method for detecting malicious files using machine learning | |
US11533325B2 (en) | Automatic categorization of IDPS signatures from multiple different IDPS systems | |
Song et al. | Mab-malware: A reinforcement learning framework for attacking static malware classifiers | |
CN113315742B (en) | Attack behavior detection method and device and attack detection equipment | |
EP3474175B1 (en) | System and method of managing computing resources for detection of malicious files based on machine learning model | |
CN106992981B (en) | Website backdoor detection method and device and computing equipment | |
JP2018503203A (en) | Determining acceptable activities based on acceptable activity rules | |
RU2762528C1 (en) | Method for processing information security events prior to transmission for analysis | |
KR100989347B1 (en) | Method for detecting a web attack based on a security rule | |
Berdibayev et al. | A concept of the architecture and creation for siem system in critical infrastructure | |
Gnatyuk et al. | Studies on Cloud-based Cyber Incidents Detection and Identification in Critical Infrastructure. | |
CN115809204A (en) | SQL injection detection test method, device and medium for cloud platform WAF | |
CN113824678B (en) | System, method, and non-transitory computer readable medium for processing information security events | |
Garg et al. | A systematic review of attack graph generation and analysis techniques | |
RU2763115C1 (en) | Method for adjusting the parameters of a machine learning model in order to identify false triggering and information security incidents |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20230317 |