CN115879115B - Method and system for detecting security holes of Web application - Google Patents

Method and system for detecting security holes of Web application

Info

Publication number: CN115879115B
Application number: CN202211594869.4A
Authority: CN (China)
Prior art keywords: fuzz, url, mutation, module, program
Legal status: Active (granted patent)
Other languages: Chinese (zh)
Other versions: CN115879115A (en)
Inventors: 崔延彬, 白易元
Current and original assignee: Beijing Shuimu Yulin Technology Co ltd
Priority date and filing date: 2022-12-13 (application CN202211594869.4A)
Publication of CN115879115A: 2023-03-31
Publication of CN115879115B (grant): 2024-03-29

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and a system for detecting Web application security vulnerabilities. A client invokes the AFL fuzzer according to a user test instruction and uses a designated mutator to mutate the parameters of a URL of the program under test. The mutation is directed: key information about the program under test, collected by taint tracking, serves as the feature value that guides the mutation. The mutated content is assembled into an HTTP request and sent to a server. The server parses the received HTTP request, performs security vulnerability detection and coverage analysis on the program under test with the parsed mutation result as input, obtains the test result by invoking the taint tracking module, and returns the test result to the client. Taint tracking makes the mutation of web fuzzing precise and reduces the false positives of traditional web vulnerability scanning, and because fuzzing does not depend on a fixed test case library it avoids the pesticide paradox of traditional automated testing tools.

Description

Method and system for detecting security holes of Web application
Technical Field
The invention relates to the technical field of security vulnerability detection, in particular to a method and a system for detecting security vulnerabilities of Web applications.
Background
A vulnerability scanner is a program that evaluates computers, networks or applications for known vulnerabilities, and that identifies weaknesses in firewalls, routers, web servers, application servers and similar systems that result from misconfiguration or defective software. A vulnerability scanner may also inventory installed software, open ports, certificates and other host information, and produce a vulnerability report with detailed information about the operating system and installed software, such as configuration issues and missing security patches. Fuzzing (fuzz testing) is a software testing technique whose core idea is to feed automatically or semi-automatically generated random data to a program and watch for program anomalies, such as crashes or assertion failures, in order to uncover possible program errors, such as memory leaks.
Traditional Web vulnerability scanning, especially static code scanning, produces a large number of false positives, and because its test case library is fixed it suffers from the pesticide paradox: after the tool has run for some time, it becomes hard to find new vulnerabilities. Existing fuzzing tools for Java web programs either detect only a single class of error, such as crashes (for example Kelinci), or require an assertion to be specified by hand for every target under test, which makes them complicated to use, costly in production, and hard to adopt.
Disclosure of Invention
The invention therefore provides a method and a system for detecting Web application security vulnerabilities that address the problems described above.
To that end, the invention provides the following technical solutions:
According to a first aspect of an embodiment of the invention, a method for detecting Web application security vulnerabilities is provided. The method comprises:
the fuzz client invokes the AFL tool according to a user test instruction and designates a specific URL path of the program under test for fuzzing; the AFL tool mutates the parameters of that URL through a designated mutator, the mutation being directed by key information about the program under test that was collected by taint tracking and is used as the feature value guiding the mutation; the mutated content is assembled into an HTTP request and sent to the fuzz server;
the fuzz server parses the received HTTP request, performs security vulnerability detection and coverage analysis on the program under test with the parsed mutation result as input, obtains the test result by invoking the taint tracking module, determines the URL of the program under test at which a security problem may exist together with the detected web vulnerability, and returns the test result to the fuzz client.
Further, the method comprises:
the fuzz client invokes a fuzz verification module to verify the web vulnerabilities reported in the obtained test result, and removes false positives through verification to obtain the final detection result.
Further, the method comprises:
the user sends test instructions, including start and stop instructions, to the fuzz client by operating the SDK.
Further, the method comprises:
the fuzz server responds to a request from the fuzz client by obtaining the URL list of the program under test and returning it to the fuzz client, so that the fuzz client can begin fuzzing the URLs of the program under test;
the URL information of the program under test is obtained in two ways: recording the URLs that are actually invoked, and parsing the URLs defined in the web framework.
Further, directing the URL mutation by the key information of the program under test collected by taint tracking, used as the feature value guiding the mutation, specifically comprises the following steps:
the fuzz server responds to a request from the fuzz client by returning the key information collected by the taint tracking module to the fuzz client as the mutation feature value;
the fuzz client mutates the parameters in the URL with the designated mutator, in a preset mutation mode selected according to that feature value.
According to a second aspect of an embodiment of the invention, a system for detecting Web application security vulnerabilities is provided. The system comprises a fuzz client and a fuzz server;
the fuzz client comprises a fuzz management module and a fuzz proxy module;
the fuzz management module is used to invoke the AFL tool according to a user test instruction and to designate a specific URL path of the program under test for fuzzing; the AFL tool mutates the parameters of the URL of the program under test through a designated mutator, the mutation being directed by key information about the program under test collected by taint tracking and used as the feature value guiding the mutation; the fuzz proxy module is used to send the HTTP request of the fuzz client to the fuzz server and to receive the request feedback result of the fuzz server;
the fuzz server comprises a request processing module, a taint tracking module and a JQF agent module;
the request processing module is used to receive the HTTP request sent by the fuzz client and to feed the request return result back to the fuzz client; the taint tracking module is used to obtain possible security problems, stack information and mutation feature values of the program under test; the JQF agent module is used to obtain coverage information of the program under test based on the JQF fuzzing platform.
Further, the fuzz client also comprises a fuzz verification module, used to verify the web security vulnerabilities found in the obtained test result and to remove false positives through verification, thereby obtaining the final detection result.
Further, the system also comprises an SDK, through which the user sends test instructions, including start and stop instructions, to the fuzz client.
Further, the fuzz server also comprises a fuzz URL collection module, used to obtain the URL list of the program under test; the URL information of the program under test is obtained by recording the URLs that are invoked and by parsing the URLs defined in the web framework.
Further, the mutator is specifically configured to mutate the parameters in the URL in a preset mutation mode according to the obtained mutation feature value.
The invention has the following advantages:
The invention provides a method and a system for detecting Web application security vulnerabilities in which the fuzz client invokes the AFL tool according to a user test instruction and designates a specific URL path of the program under test for fuzzing; the AFL tool mutates the parameters of that URL through a designated mutator, with key information about the program under test, collected by taint tracking, serving as the feature value that directs the mutation, and the mutated content is assembled into an HTTP request and sent to the fuzz server; the fuzz server parses the received HTTP request, performs security vulnerability detection and coverage analysis on the program under test with the parsed mutation result as input, obtains the test result by invoking the taint tracking module, determines the URL of the program under test at which a security problem may exist together with the detected web vulnerability, and returns the test result to the fuzz client. Key information about the system under test is thus collected by taint tracking, and the client uses it to fuzz with directed mutation. Taint tracking makes the mutation of web fuzzing precise and reduces the false positives of traditional web vulnerability scanning, and fuzzing avoids the pesticide paradox of traditional automated testing tools.
Drawings
In order to illustrate the embodiments of the invention or the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. It will be apparent to those of ordinary skill in the art that these drawings are only examples and that other implementations can be derived from them without inventive effort.
FIG. 1 is a schematic flow chart of a method for detecting Web application security vulnerabilities according to an embodiment of the invention;
FIG. 2 is a schematic structural diagram of a system for detecting Web application security vulnerabilities according to an embodiment of the invention.
Detailed Description
Further advantages and effects of the invention will become apparent to those skilled in the art from the following detailed description, which illustrates certain specific embodiments but not all of them. All other embodiments obtained by those skilled in the art from the embodiments of the invention without inventive effort fall within the scope of the invention.
As shown in FIG. 1, this embodiment proposes a method for detecting Web application security vulnerabilities, the method comprising:
S100: the fuzz client invokes the AFL fuzzer (American Fuzzy Lop) according to a user test instruction and designates a specific URL path of the program under test for fuzzing; AFL mutates the parameters of that URL through a designated mutator, the mutation being directed by key information about the program under test collected by taint tracking and used as the feature value guiding the mutation; the mutated content is assembled into an HTTP request and sent to the fuzz server;
S200: the fuzz server parses the received HTTP request, performs security vulnerability detection and coverage analysis on the program under test with the parsed mutation result as input, obtains the test result by invoking the taint tracking module, determines the URL of the program under test at which a security problem may exist together with the detected web vulnerability, and returns the test result to the fuzz client.
Further, the method comprises:
S300: the fuzz client invokes the fuzz verification module to verify the web vulnerabilities reported in the obtained test result, and removes false positives through verification to obtain the final detection result.
FIG. 2 is a schematic structural diagram of the Web application security vulnerability detection system that implements the detection method of this embodiment. The overall workflow of the system is as follows:
Step 1: the requester issues a test instruction through the sdk.
Step 2: when the test instruction reaches webfuzz (webfuzz is the product name, i.e. the fuzzing tool for web sites), the fuzz-manager module invokes afl; afl performs fuzzing with the designated mutator module and returns the mutated content to the fuzz-manager module, which assembles a request and passes it to the fuzz-proxy module.
Step 3: the fuzz-proxy module sends the request to the webFuzz server side.
Step 4: when the request arrives at the server side, fuzz-java-agent performs security vulnerability detection and JQFAgent performs coverage analysis; the HTTP-server intercepts the external request and processes the request return value.
Depending on the incoming request, the HTTP-server invokes the fuzz-URL-Collection, taint tracking, or problem verification function.
Step 5: after receiving the server's return value, the web client invokes the fuzz-validation-module (fuzz verification module) to verify the discovered vulnerabilities.
In particular:
The module call sequence for URL acquisition is:
fuzz-proxy -> (webfuzz server side) fuzz-java-agent -> http-server -> fuzz-url-collection.
The module call sequence for security vulnerability detection is:
fuzz-manager -> fuzz-proxy -> fuzz-java-agent -> http-server -> taint tracking.
The specific functions and interactions of each module of the system are described in detail below:
Client side:
1. fuzz-manager (fuzz management module)
Function: schedules and manages the main fuzzing flow, and records and exchanges fuzzing results.
Interaction:
sdk: receives instructions such as start and stop sent by the user through the sdk;
fuzz-proxy: obtains the URL information to be fuzzed through the fuzz-proxy module;
afl: designates a specific URL path and starts fuzzing.
2. afl
Function: fuzzes a single URL (it may stop under various conditions, e.g. when no new path is found).
Interaction:
fuzz-manager: returns the fuzzing result to fuzz-manager, together with whether fuzzing has ended;
mutator: designates the mutator and obtains the mutated content;
fuzz-proxy: hands the mutated content to fuzz-proxy, which sends it to the target program.
3. mutator (mutation module)
Function: mutates the parameters in the URL; the auxiliary mutation feature value designates the specific mutation mode, such as adding special symbols or adding characters of a designated length, and the parameters in the URL are mutated into entirely new content.
Interaction:
afl: delivers the mutated content to afl;
fuzz-proxy: obtains the auxiliary mutation information, such as the feature values retrieved by fuzz-proxy.
4. fuzz-validation-module (fuzz verification module)
Function: the web vulnerabilities discovered during fuzzing contain a large number of false positives; this module removes the false positives and verifies the findings centrally.
Interaction:
sdk: obtains the URLs of the detected problems and the corresponding problem details;
fuzz-proxy: sends the verification requests to the program under test.
5. fuzz-proxy (fuzz proxy module)
Function: sends HTTP requests to the server and parses and processes the server's return value; depending on the request sent, the server returns specific information such as the URL list, the test result or feature values.
Interaction:
fuzz-manager: returns the list of URLs to be tested;
afl: returns the test result of a single request;
mutator: returns the feature values of the URL under test;
fuzz-validation-module: returns the result of a verification request;
webfuzz plug-in HTTP-server: all requests are sent to the target program, where they are intercepted and processed by the HTTP-server module.
Server side:
1. fuzz-java-agent
Function: schedules and manages the main agent flow.
Interaction:
sdk: receives instructions such as start and stop sent by the sdk;
http-server: monitors and controls the use of the HTTP-server.
2. HTTP-server
Function: intercepts external requests, parses the function targeted by the webFuzz tool's fuzz-proxy module, and processes the request return value.
Interaction:
fuzz-java-agent: receives scheduling control;
Fuzz-URL-Collection: obtains the list of URLs to be tested;
taint tracking: obtains possible security problems, stack information, mutation feature values and the like of the target program.
3. Fuzz-URL-Collection (fuzz URL collection module)
Function: obtains the URL information of the program under test in two ways: (1) recording the URLs that are invoked; (2) parsing the URLs defined in the web framework.
Interaction:
http-server: returns the obtained URL information.
4. taint tracking
Function: finds security problems in the program under test.
Interaction:
http-server: returns the stack information of the triggered sink and other problem details.
5. JQFAgent
Function: obtains coverage information of the program under test.
Interaction:
http-server: returns the coverage of the request.
While the invention has been described in detail in the foregoing general description and specific examples, it will be apparent to those skilled in the art that modifications and improvements can be made thereto. Accordingly, such modifications or improvements may be made without departing from the spirit of the invention and are intended to be within the scope of the invention as claimed.

Claims (3)

1. A system for detecting Web application security vulnerabilities, characterized in that it comprises a fuzz client and a fuzz server;
the fuzz client comprises a fuzz management module and a fuzz proxy module;
the fuzz management module is used to invoke the AFL tool according to a user test instruction and to designate a specific URL path of the program under test for fuzzing; the AFL tool mutates the parameters of the URL of the program under test through a designated mutator, the URL being mutated in a directed manner using, as the feature value guiding the mutation, key information about the program under test collected by the taint tracking module of the fuzz server, thereby obtaining the mutated content;
the fuzz proxy module is used to send the HTTP request of the fuzz client to the fuzz server and to receive the request feedback result of the fuzz server;
the fuzz server comprises a request processing module, a fuzz URL collection module, a taint tracking module and a JQF agent module;
the request processing module is used to receive the HTTP requests sent by the fuzz client, to invoke the fuzz URL collection module, the taint tracking module or the problem verification function respectively according to the incoming request, and to feed the request return result back to the fuzz client;
the fuzz URL collection module is used to obtain the URL list of the program under test; the URL information of the program under test is obtained by recording the URLs that are invoked and by parsing the URLs defined in the web framework;
the taint tracking module is used to obtain possible security problems, stack information and mutation feature values of the program under test;
the JQF agent module is used to obtain coverage information of the program under test based on the JQF fuzzing platform;
the fuzz client further comprises a fuzz verification module, used to verify the web security vulnerabilities found in the obtained test result and to remove false positives through verification, thereby obtaining the final detection result.
2. The system for detecting Web application security vulnerabilities according to claim 1, further comprising an SDK, wherein the SDK is configured so that a user sends test instructions, including start and stop instructions, to the fuzz client by operating the SDK.
3. The system for detecting Web application security vulnerabilities according to claim 1, wherein the mutator is specifically configured to mutate the parameters in the URL in a preset mutation mode according to the obtained mutation feature value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211594869.4A CN115879115B (en) 2022-12-13 2022-12-13 Method and system for detecting security holes of Web application

Publications (2)

Publication Number Publication Date
CN115879115A CN115879115A (en) 2023-03-31
CN115879115B true CN115879115B (en) 2024-03-29

Family

ID=85767169

Country Status (1)

Country Link
CN (1) CN115879115B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108255711A (en) * 2017-12-29 2018-07-06 湖南优利泰克自动化系统有限公司 A PLC firmware fuzz testing system and test method based on taint analysis
CN109308415A (en) * 2018-09-21 2019-02-05 四川大学 A binary-oriented guided fuzz testing method and system
CN110516448A (en) * 2019-09-02 2019-11-29 杭州安恒信息技术股份有限公司 A grey-box testing method, apparatus, device and readable storage medium
CN114297079A (en) * 2021-12-30 2022-04-08 北京工业大学 XSS fuzz test case generation method based on a temporal convolutional network
CN114780398A (en) * 2022-04-14 2022-07-22 中国人民解放军战略支援部队信息工程大学 Web command injection vulnerability detection method for Cisco IOS-XE
CN114968750A (en) * 2021-02-23 2022-08-30 腾讯科技(深圳)有限公司 Test case generation method, device, equipment and medium based on artificial intelligence
CN115422543A (en) * 2022-08-19 2022-12-02 复旦大学 Vulnerability detection method based on an applet framework

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on hardware vulnerability discovery methods for industrial control devices based on dynamic taint analysis; 段斌, 李兰, 赖俊, 詹俊; 信息网络安全 (Netinfo Security); 2019-04-10 (04); full text *
Directed grey-box fuzzing technique based on dynamic energy regulation; 戴渭, 陆余良, 朱凯龙; 浙江大学学报(工学版) (Journal of Zhejiang University, Engineering Science); 2020-08-15 (08); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant