CN115879116A - Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection - Google Patents


Info

Publication number: CN115879116A
Authority: CN (China)
Legal status: Pending
Application number: CN202211614341.9A
Other languages: Chinese (zh)
Inventor: 阙培欣
Current assignee: China Construction Bank Corp; CCB Finetech Co Ltd
Original assignee: China Construction Bank Corp; CCB Finetech Co Ltd


Abstract

The invention discloses a method, an apparatus, a storage medium and a computer program product for detecting unauthorized vulnerabilities, applied to the field of security detection. The method comprises the following steps: acquiring, from a probe deployed for an application, a normal request sent through a test port and the normal data stream generated between that normal request and the normal response data stream returned by the application's server based on it, where the probe is used to detect the data transmitted and received by the application; extracting user identity parameters and request parameters from the normal data stream; modifying the normal request according to the identity parameters and the request parameters to obtain a test request; sending the test request to the server through the test port, and receiving the test response data stream returned by the server based on the test request together with the test data stream generated between the test request and the response data stream; and determining, according to the normal data stream and the test data stream, whether an unauthorized vulnerability exists in the test port.

Description

Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection
Technical Field
The present invention relates to the field of security testing, and in particular, to a method, an apparatus, a storage medium, and a computer program product for detecting an unauthorized vulnerability.
Background
Among the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, the unauthorized vulnerability is the main member of the Broken Access Control (BAC) category, which has long been near the top of the list and was ranked first in the OWASP 2021 Top 10. It is a vulnerability common in web applications, widespread and highly harmful.
The unauthorized vulnerability arises because an authentication mechanism is not used, or is incomplete, during application development, so that an attacker can perform unauthorized operations by replacing identity parameters or request parameters in a request; for example, a low-privilege user can add, delete, query and modify other users' data with the identity of an administrator. In mild cases this causes user data leakage; in severe cases the core privileges of the system are taken over.
Current detection methods for unauthorized vulnerabilities are manual penetration testing, black-box scanning and proxy-based request replay, each with limitations. Manual penetration testing is highly accurate, but it is inefficient because professional security testers are required to carry out the testing and the judgment, and it cannot keep up with frequent version iteration. Black-box scanning reduces repeated manual work to some extent and improves testing speed, but it cannot judge vulnerabilities automatically, manual intervention is still needed, testing efficiency is not high, test coverage depends heavily on the tool's crawler, full testing cannot be guaranteed, and missed reports are easily caused. Proxy-based request replay still detects and judges vulnerabilities from a black-box perspective, and its false alarm rate rises rapidly with large batches of detection requests: vulnerability judgment can only rely on comparing request responses, so requests that actually belong to normal privileges are easily taken for vulnerabilities; the parameters of a single request cannot be screened to focus on the key ones, only tried one by one, so parameters that have no influence on the response are added to the detection range, wasting detection attempts while further increasing false alarms and reducing testing efficiency; and the source of the vulnerability still has to be located manually.
In view of this, how to reduce the false alarm rate while improving the efficiency of unauthorized vulnerability detection has become an urgent technical problem to be solved.
Disclosure of Invention
The invention provides a method, a device, a storage medium and a computer program product for detecting an unauthorized vulnerability, which are used for solving the technical problems of low detection efficiency and high false alarm rate of the unauthorized vulnerability in the prior art.
In a first aspect, to solve the above technical problem, a technical solution of a method for unauthorized vulnerability detection provided in an embodiment of the present invention is as follows:
acquiring, from a probe deployed for an application, a normal request sent through a test port and the normal data stream generated between that normal request and the normal response data stream returned by the application's server based on it; wherein the probe is used to detect the data transmitted and received by the application;
extracting user identity parameters and request parameters from the normal data stream;
according to the identity parameters and the request parameters, the normal request is modified to obtain a test request;
sending the test request to the server through the test port, and receiving a test response data stream returned by the server based on the test request and a test data stream generated between the test request and the response data stream;
and determining whether the unauthorized vulnerability exists in the test port according to the normal data stream and the test data stream.
In a possible implementation, before acquiring, from the probe deployed for the application, the normal request sent through the test port and the normal data stream generated between that request and the normal response data stream returned by the server based on it, the method further includes:
acquiring a configuration file of the application;
loading the probe in the configuration file;
restarting the application causes the probe to run.
One possible implementation of extracting the user identity parameter and the request parameter from the normal data stream includes:
acquiring a first parameter set used initially in a call stack and a second parameter set used finally in the normal data stream; the call stack is used for managing the function call relation of the application;
obtaining overlapping parameters from the first set of parameters and the second set of parameters;
and acquiring the user identity parameter and the request parameter from the overlapping parameter.
One possible implementation manner, obtaining the user identity parameter and the request parameter from the overlapping parameter, includes:
determining a request type of the normal request according to marking information corresponding to a page accessed by a user;
and extracting the user identity parameter from the normal request according to the request type, and extracting an overlapping parameter from the head and tail positions of the call stack as the request parameter.
One possible implementation manner, in which the normal request is modified according to the identity parameter and the request parameter to obtain a test request, includes:
removing the identity parameters in the normal request to obtain an unauthorized test request;
replacing the identity parameters in the normal request to obtain a vertical unauthorized test request;
and replacing the request parameters in the normal request to obtain a test request with a horizontal override.
One possible implementation manner of determining whether the unauthorized vulnerability exists in the test port according to the normal data stream and the test data stream includes:
detecting, for each test request, whether the corresponding test data stream is complete, whether the details of the test data stream are consistent with those of the normal data stream, whether the normal response data stream is consistent with the test response data stream, and whether the test request is not within the request range of the normal request;
if any one of these is yes, determining that the unauthorized vulnerability exists in the test port, and reporting the unauthorized vulnerability;
and if not, determining that the unauthorized vulnerability does not exist in the test port.
One possible implementation manner of detecting whether the test data stream corresponding to each test request is complete, whether the details of the test data stream are consistent with the details of the normal data stream, whether the normal response data are consistent with the test response data stream, and whether the test request is not within the request range of the normal request includes:
the detection procedure for any one test request is as follows:
detecting whether the test data stream corresponding to any test request is complete;
if the test data stream corresponding to any test request is determined to be incomplete, detecting whether the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
if the detail of the test data stream corresponding to any test request is determined to be inconsistent with the detail of the normal data stream, detecting whether the test response data stream of any test request is consistent with the normal response data stream;
and if the test response data stream of any test request is determined to be inconsistent with the normal response data stream, detecting whether any test request is not in the request range of the normal request.
One possible implementation of detecting whether the test data stream corresponding to any one of the test requests is complete includes:
detecting whether the intermediate function-call process of the test data stream corresponding to that test request is completely consistent with that of the normal data stream;
if it is completely consistent, determining that the test data stream corresponding to the test request is complete;
otherwise, determining that the test data stream corresponding to the test request is incomplete.
One possible implementation manner, detecting whether details of a test data stream corresponding to any one of the test requests are consistent with details of the normal data stream, includes:
detecting whether the data processing logic of the test data stream corresponding to any test request is consistent with the data processing logic of the normal data stream;
if so, determining that the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
otherwise, determining that the details of the test data stream corresponding to any test request are inconsistent with the details of the normal data stream.
One possible embodiment of detecting whether the test response data stream of any one of the test requests is consistent with the normal response data stream includes:
detecting whether the parameter information returned in the test response data stream of that test request is completely consistent with that returned in the normal response data stream;
if it is completely consistent, determining that the test response data stream of that test request is consistent with the normal response data stream;
otherwise, determining that the test response data stream of that test request is inconsistent with the normal response data stream.
One possible implementation of detecting whether the any one of the test requests is not within the request range of the normal request includes:
judging whether any test request is in the request range of the normal request or not;
if yes, determining that any test request is a normal request, and recording the normal request to avoid repeated use.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting an unauthorized vulnerability, including:
an acquisition unit, used for acquiring, from a probe deployed for an application, a normal request sent through a test port and the normal data stream generated between that normal request and the normal response data stream returned by the application's server based on it; wherein the probe is used to detect the data transmitted and received by the application;
the extracting unit is used for extracting user identity parameters and request parameters from the normal data stream;
the transformation unit is used for transforming the normal request according to the identity parameter and the request parameter to obtain a test request;
the replay unit is used for sending the test request to the server through the test port and receiving a test response data stream returned by the server based on the test request and a test data stream generated between the test request and the response data stream;
and the determining unit is used for determining whether the unauthorized loophole exists in the test port according to the normal data stream and the test data stream.
In a possible embodiment, the apparatus further comprises a setting unit configured to:
before the normal request sent through the test port and the normal data stream generated between that request and the normal response data stream returned by the server are acquired from the probe deployed for the application, acquire a configuration file of the application;
loading the probe in the configuration file;
restarting the application causes the probe to run.
In a possible implementation, the extraction unit is further configured to:
acquiring a first parameter set used initially in a call stack and a second parameter set used finally in the normal data stream; the call stack is used for managing the function call relation of the application;
obtaining overlapping parameters from the first set of parameters and the second set of parameters;
and acquiring the user identity parameter and the request parameter from the overlapping parameter.
In a possible implementation, the extraction unit is further configured to:
determining the request type of the normal request according to the marking information corresponding to the page accessed by the user;
and extracting the user identity parameter from the normal request according to the request type, and extracting an overlapping parameter from the head and tail positions of the call stack as the request parameter.
In a possible embodiment, the transformation unit is further configured to:
removing the identity parameters in the normal request to obtain an unauthorized test request;
replacing the identity parameters in the normal request to obtain a vertical override test request;
and replacing the request parameters in the normal request to obtain a test request with a horizontal override.
In one possible embodiment, the determining unit is further configured to:
detecting, for each test request, whether the corresponding test data stream is complete, whether the details of the test data stream are consistent with those of the normal data stream, whether the normal response data stream is consistent with the test response data stream, and whether the test request is not within the request range of the normal request;
if any one of these is yes, determining that the unauthorized vulnerability exists in the test port, and reporting the unauthorized vulnerability;
and if not, determining that the unauthorized vulnerability does not exist in the test port.
In one possible embodiment, the determining unit is further configured to:
the detection process for any one test request is as follows:
detecting whether the test data stream corresponding to any test request is complete;
if the test data stream corresponding to any test request is determined to be incomplete, detecting whether the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
if the details of the test data stream corresponding to any test request are determined to be inconsistent with the details of the normal data stream, detecting whether the test response data stream of any test request is consistent with the normal response data stream;
and if the test response data stream of any test request is determined to be inconsistent with the normal response data stream, detecting whether any test request is not in the request range of the normal request.
In one possible embodiment, the determining unit is further configured to:
detecting whether the intermediate function-call process of the test data stream corresponding to any test request is completely consistent with that of the normal data stream;
if the test data flow is completely consistent, determining that the test data flow corresponding to the test request is complete;
otherwise, determining that the test data stream corresponding to the test request is incomplete.
In one possible embodiment, the determining unit is further configured to:
detecting whether the data processing logic of the test data stream corresponding to any test request is consistent with the data processing logic of the normal data stream;
if the test data stream is consistent with the normal data stream, determining that the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
otherwise, determining that the details of the test data stream corresponding to any test request are inconsistent with the details of the normal data stream.
In one possible embodiment, the determining unit is further configured to:
detecting whether the parameter information returned in the test response data stream of that test request is completely consistent with that returned in the normal response data stream;
if it is completely consistent, determining that the test response data stream of that test request is consistent with the normal response data stream;
otherwise, determining that the test response data stream of that test request is inconsistent with the normal response data stream.
In one possible embodiment, the determining unit is further configured to:
judging whether any test request is in the request range of the normal request or not;
if so, determining that any test request is a normal request, and recording the normal request to avoid repeated use.
In a third aspect, an embodiment of the present invention further provides an apparatus for detecting an unauthorized vulnerability, including:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of the first aspect by executing the instructions stored by the memory.
In a fourth aspect, an embodiment of the present invention further provides a readable storage medium, including:
a memory for storing a plurality of data files to be transmitted,
the memory is for storing instructions that, when executed by the processor, cause an apparatus comprising the readable storage medium to perform the method as described in the first aspect above.
In a fifth aspect, an embodiment of the present invention provides a computer program product, which includes a computer program that, when executed by a processor, implements the method according to the first aspect.
Through the technical solutions in one or more of the above embodiments of the present invention, the embodiments of the present invention have at least the following technical effects:
In the embodiment provided by the invention, a probe is deployed for the application, so that the normal requests sent by the application and the corresponding data streams can be collected through the probe; the function calls and data changes triggered by a normal request are recorded in detail in the data stream and can serve as the basis for unauthorized vulnerability detection. After the normal request sent through the test port and the normal data stream generated between it and the normal response data stream returned by the application server are obtained from the probe, user identity parameters and request parameters are extracted from the normal data stream. The normal request is modified according to the identity parameters and the request parameters to obtain the test request, which removes the interference of irrelevant parameters in the test request and its corresponding data stream, so that the test request for the unauthorized vulnerability is constructed accurately and test efficiency is improved. The test request is sent to the server through the test port, and the test response data stream returned by the server based on the test request and the test data stream generated between the test request and the response data stream are received. Finally, whether the unauthorized vulnerability exists in the test port is determined according to the normal data stream and the test data stream, which reduces the false alarm rate to the greatest extent; thus the efficiency of unauthorized vulnerability testing is improved and the false alarm rate is reduced.
Drawings
Fig. 1 is a flowchart of an unauthorized vulnerability detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating the request and response between a browser and its corresponding server;
fig. 3 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method, a device, a storage medium and a computer program product for detecting an unauthorized vulnerability, which aim to solve the technical problems of low detection efficiency and high false alarm rate of the unauthorized vulnerability in the prior art. According to the technical scheme, the data acquisition, storage, use, processing and the like meet relevant regulations of national laws and regulations.
In order to better understand the technical solutions of the present invention, the following detailed descriptions of the technical solutions of the present invention are provided with the accompanying drawings and specific embodiments, and it should be understood that the specific features in the embodiments and examples of the present invention are detailed descriptions of the technical solutions of the present invention, and are not limitations of the technical solutions of the present invention, and the technical features in the embodiments and examples of the present invention may be combined with each other without conflict.
Unauthorized vulnerability: an unauthorized vulnerability arises when an application system is not strict in checking user privileges, so that an attacker can complete operations they are not entitled to by replacing parameters in a request, such as changing other people's data, elevating their own privileges, or illegally controlling the system. Unauthorized vulnerabilities are generally divided into three categories: unauthorized, vertical unauthorized and horizontal unauthorized. An unauthorized request generally refers to obtaining a normal response without carrying identity parameters; vertical unauthorized refers to completing, through the vulnerability, an operation that normally requires higher privileges such as those of an administrator; horizontal unauthorized refers to adding, deleting, querying and modifying the data of other users with the same privileges through the vulnerability. The manner of the unauthorized access is generally divided into identity unauthorized and parameter unauthorized: the former refers to unauthorized operation by replacing the identity parameters in the request, the latter by replacing the service parameters in the request.
At present, detection methods for the unauthorized vulnerability all work from a black-box perspective, and from the perspective of testing method they fall into three types: manual penetration testing, black-box scanning and proxy-based request replay.
Manual penetration testing means that a security tester carries out the unauthorized test on the application by hand. The test process may be completed by professional security testers with the help of tools or scripts such as packet capture, dictionaries and packet sending, and the result is also judged manually. Its advantage is high accuracy, with hardly any false alarms; its drawbacks are equally obvious: when a single request has many request parameters, they have to be replaced one by one and the results verified and judged, so the limited energy of testers is spent on repetitive labour and testing efficiency is low. Moreover, when the many requests of a single system overlap and several systems need to be tested concurrently, missed reports are easily caused.
Black-box scanning means testing an application with an automated scanning tool. Taking AppScan as an example, a high-privilege user is logged in first and the range of resources it can access is recorded after the scan runs; then a low-privilege user is logged in, the tool automatically tries to access the recorded high-privilege resources under the low-privilege identity and records and lists the accessible resource range; finally, whether an unauthorized vulnerability exists is judged manually. This kind of automated scanning tool is semi-automated unauthorized detection: it can reduce manual repetitive work to some extent and improve testing speed, but it cannot judge vulnerabilities automatically, manual intervention is still needed, testing efficiency is not high, test coverage depends heavily on the tool's own crawler technology, full testing cannot be guaranteed, and missed reports are easily caused.
Traffic-based replay still detects and judges the vulnerability from a black-box perspective, and its false alarm rate rises rapidly with a large number of detection requests: vulnerability judgment can only rely on comparing request responses, so requests that actually belong to normal privileges are easily taken for vulnerabilities; the parameters of a single request cannot be screened to focus on the key ones, only tried one by one, so parameters that do not affect the response are added to the detection range, wasting detection attempts while further increasing false alarms and reducing testing efficiency; and a black-box detection method cannot locate the code source of the vulnerability, so developers must investigate further to locate it themselves.
In order to solve the above problem, embodiments of the present invention provide a method, an apparatus, a storage medium, and a computer program product for unauthorized vulnerability detection, which are as follows:
referring to fig. 1, an embodiment of the invention provides a method for unauthorized vulnerability detection, which includes the following steps.
Step 101: acquiring, from a probe deployed for an application, a normal request sent through a test port and the normal data stream generated between that normal request and the normal response data stream returned by the application's server based on it; the probe is used to detect the data transmitted and received by the application.
In one or more embodiments, before the normal request sent through the test port and the normal data stream generated between it and the normal response data stream returned by the server are acquired from the probe deployed for the application, the probe is first deployed locally for the application, as follows:
acquiring a configuration file of the application; loading the probe in the configuration file; restarting the application so that the probe runs.
For example, before detection starts the probe is deployed locally for the application, so that all information transmitted and received between the application and its server, and the data generated during transmission and reception, can be captured by the probe. The probe can be deployed by modifying the application's configuration file: the calling mode of the probe is added to the configuration file, the configuration file is reloaded, and the application is restarted with the loaded file, which completes deployment of the probe for the application; afterwards the probe can be used continuously without being deployed again.
Assuming that the application is a browser, the server may be a server providing services for the browser, please refer to fig. 2, which is a schematic diagram illustrating a request response of the server corresponding to a request of the browser.
Step S10: and generating a corresponding service request based on the user operation.
Assuming that a user inputs a certain URL address in a URL field of a browser (i.e., a user operation), the browser generates a corresponding service request based on the user operation, and sends the service request to a server corresponding to the browser.
Step S20: the server receives a service request.
Step S21: the server parses the service request to obtain the URL and locates its template file.
Step S22: the server generates an HTML document from the parameters in the URL and the located template file, and sends the HTML document to the browser.
Step S11: the browser receives and parses the HTML document.
Step S12: the browser requests the related resource files according to the parsing result.
The browser generates a request according to the result of parsing the HTML document and sends it to the server, so as to request the related resource files from the server.
Step S23: and the server searches the resource file according to the request and sends the resource file to the browser.
Step S13: and the browser arranges the resource files.
Step S14: the browser renders the page.
The browser renders the page according to steps S12 and S13.
The execution process of the above steps S10 to S14 (i.e. the browser side), such as the browser obtaining the user operation, generating the service request according to the user operation, sending the service request, and the like, all need to be implemented by calling related functions, and these functions are pushed into the corresponding call stack, and the content in the call stack will not be cleared until the page corresponding to the normal request is closed.
The service request in step S10 is recorded as a normal request in the embodiment of the present invention, the page presented in step S14 is the response data stream in the embodiment of the present invention, and they are respectively located at the head and tail positions in the function call stack, and the data between the normal request and the response data stream in the function call stack is the normal data stream in the embodiment of the present invention.
It should be understood that the application of the present invention is not limited to the browser, and may also be other applications, and is not particularly limited.
In one or more embodiments, deduplication may be performed for normal requests that are obtained over a period of time, which may reduce data throughput and improve test efficiency.
After the normal request, its response data and corresponding normal data stream are obtained, step 102 may be performed.
Step 102: user identity parameters and request parameters are extracted from the normal data stream.
Extracting the user identity parameters and the request parameters from the normal data stream can be realized by the following modes:
acquiring a first parameter set used initially in a call stack of a normal data stream and a second parameter set used finally; the call stack is used for managing the function call relation of the application; acquiring overlapping parameters from the first parameter set and the second parameter set; and acquiring the user identity parameter and the request parameter from the overlapping parameters. The normal data stream comprises a call stack used in code running, and the call stack can display specific function processing and function return of requests (including normal requests and test requests) in the sending process.
The number of elements in the first parameter set and in the second parameter set may each be one or more. For example, the login page of the browser displays an input box for the user name, an input box for the user password, a login button and the like. The user enters the user name in the user name input box, enters the password in the password input box and clicks the login button; the browser then generates a service request (i.e. a normal request) for logging in to the user account from the entered user name, the password and the login button, and sends the service request to the server through the corresponding port.
The server returns a response data stream to the browser based on the service request, and the service request, its response data stream and the normal data stream between them are recorded in the call stack. The unauthorized vulnerability detection system acquires the call stack of the login page through the probe, extracts parameters such as the user name, the user password and the operation name from the position corresponding to the head address of the call stack (i.e. the position in the call stack where the normal data stream is first used) to form the first parameter set, and extracts parameters such as the user name and the operation name from the position corresponding to the tail address of the call stack (i.e. the position in the call stack where the normal data stream is last used) to form the second parameter set. The overlapping parameters are obtained from the first parameter set and the second parameter set, and from them the user identity parameter and the request parameter are obtained.
In one or more embodiments, obtaining the user identity parameter and the request parameter from the overlapping parameters includes:
determining a request type of a normal request according to marking information corresponding to a page accessed by a user; and extracting a user identity parameter from the normal request according to the request type, and extracting an overlapping parameter from the head and tail positions of the call stack as a request parameter.
For example, before detection starts, parameters may be preset in the system background, including a mark for the login page and marks for users. Marking the login page allows the normal request to be identified as a login request, which facilitates automatic extraction of the user identity parameter and the request parameters; marking users records their authority level, for example the user name admin (a first user) is marked 1, a user with the highest authority, the user name user1 (a second user) is marked 2, a user with common authority, and the user name user2 (a third user) is marked as a user with the same authority as user1.
When a user accesses a page that is marked as a login page, the corresponding normal request can be determined to be a login request. In a login request, the user identity parameter is usually located in the cookie, an HTTP request header or the request body, so the user name can be extracted from the login request, and the corresponding user level is determined according to the mark on that user name; the user identity parameter is thereby determined.
Similarly, for a data query request, the parameters used at the beginning of the call stack (i.e. the information obtained from the HTTP request) and the parameters used at the end of the call stack (i.e. the SQL query statement) are compared in the normal data stream, and the overlapping parameters are taken as the key parameters that actually take effect. In this way the background knows the user names and authority levels corresponding to the different user identity parameters, which makes vertical and horizontal override tests convenient to carry out.
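The following Python example is added here to illustrate the extraction of step 102 and is not part of the patent's disclosure. It assumes a probe that records each call-stack frame with the parameters that frame used, a request split into cookie, header and body sections, and the page and user marks of the background; the mark tables, the parameter names and the sample call stack are all constructed for the example.

```python
"""Added example (not part of the patent): extracting the user identity
parameter and the request parameters from a recorded normal data stream,
as in step 102. The probe output format, the mark tables and the sample
call stack below are constructed for this example."""
from dataclasses import dataclass

# Marking information preset in the system background (constructed values):
# which pages are login pages, and each user name's authority level
# (1 = highest authority, 2 = common authority).
PAGE_MARKS = {"/login": "login", "/account/query": "query"}
USER_MARKS = {"admin": 1, "user1": 2, "user2": 2}


@dataclass
class Frame:
    func: str      # function pushed onto the call stack
    params: dict   # parameters that function used


@dataclass
class NormalDataStream:
    page: str          # page the user accessed
    request: dict      # the normal request: cookies, headers and body sections
    call_stack: list   # frames from the request (head) to the response (tail)


def request_type(stream):
    """Request type is read from the mark on the accessed page."""
    return PAGE_MARKS.get(stream.page, "other")


def overlapping_parameters(stream):
    """Parameters present both at the head of the call stack (taken from the
    HTTP request) and at its tail (e.g. used in the SQL statement) are the
    ones that actually take effect."""
    first = stream.call_stack[0].params
    last = stream.call_stack[-1].params
    return {name: value for name, value in first.items() if name in last}


def extract_identity(stream):
    """The identity parameter sits in the cookie, an HTTP header or the body;
    its authority level is looked up from the user mark."""
    for section in ("cookies", "headers", "body"):
        user = stream.request.get(section, {}).get("username")
        if user is not None:
            return {"username": user, "level": USER_MARKS.get(user), "section": section}
    return None


def extract_parameters(stream):
    """Return (request_type, identity, request_params) for a normal data stream."""
    rtype = request_type(stream)
    identity = extract_identity(stream)
    overlap = overlapping_parameters(stream)
    # The identity name is handled separately (vertical test); the remaining
    # overlapping parameters are the request parameters (horizontal test).
    request_params = {k: v for k, v in overlap.items() if k != "username"}
    return rtype, identity, request_params


# Constructed sample: user1 logs in. The tail frame (the query) only used the
# user name and operation, so password and csrf_token are not overlapping.
LOGIN_BODY = {"username": "user1", "password": "p@ss", "op": "login", "csrf_token": "abc"}
SAMPLE_STREAM = NormalDataStream(
    page="/login",
    request={"cookies": {}, "headers": {}, "body": dict(LOGIN_BODY)},
    call_stack=[
        Frame("handle_login", dict(LOGIN_BODY)),
        Frame("verify_password", {"username": "user1", "password": "p@ss"}),
        Frame("run_query", {"username": "user1", "op": "login"}),
    ],
)

if __name__ == "__main__":
    print(extract_parameters(SAMPLE_STREAM))
```

For the constructed login stream the head and tail frames overlap only on the user name and the operation, so the user name (with its marked level) becomes the identity parameter and the operation becomes the request parameter, while the password and the CSRF token drop out as parameters that never reach the query.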
After the user identity parameter and the request parameter are extracted, step 103 is performed.
Step 103: and modifying the normal request according to the identity parameters and the request parameters to obtain the test request.
Since override vulnerabilities include unauthorized vulnerabilities, vertical override vulnerabilities and horizontal override vulnerabilities, the normal request is modified according to the identity parameter and the request parameters to obtain test requests, and the three types of override vulnerability are then tested with those test requests. The specific modifications are as follows:
removing the identity parameters in the normal request to obtain an unauthorized test request;
replacing the identity parameters in the normal request to obtain a vertical override test request;
and replacing request parameters in the normal request to obtain a test request with a horizontal override.
For example, if the normal request is a login request, and the user identity parameter (denoted the first user identity parameter) and the request parameter (denoted the first request parameter) corresponding to the normal request have been obtained through the scheme of step 102, then an unauthorized test request can be constructed by removing the first user identity parameter from the login request and retaining the remaining parameters; a vertical override test request can be constructed by replacing the first user identity parameter in the login request with a second user identity parameter and retaining the remaining parameters; and a horizontal override test request can be constructed by replacing the first request parameter in the login request with a second request parameter and retaining the remaining parameters.
It should be understood that the order of constructing the above three test requests may be any one, or may be performed simultaneously, and is not limited specifically.
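The following Python example is added to show the three modifications of step 103 applied to one normal request; it is not code from the patent. It assumes the same cookie/header/body request layout as above, that the identity parameter is carried in a header named X-User, and that the second identity and second request parameter are supplied by the caller from the marked users; all sample values are constructed.

```python
"""Added example (not part of the patent): deriving the unauthorized,
vertical override and horizontal override test requests of step 103 from one
normal request. The request layout and sample values are constructed."""
import copy


def _locate(request, name):
    """Return the section (cookies, headers or body) that holds parameter name."""
    for section in ("cookies", "headers", "body"):
        if name in request.get(section, {}):
            return section
    raise KeyError(f"parameter {name!r} not found in request")


def unauthorized_test_request(normal, identity_name):
    """Remove the identity parameter and retain everything else."""
    req = copy.deepcopy(normal)
    del req[_locate(req, identity_name)][identity_name]
    return req


def vertical_override_test_request(normal, identity_name, second_identity):
    """Replace the identity parameter with that of a user at another authority
    level and retain the remaining parameters."""
    req = copy.deepcopy(normal)
    req[_locate(req, identity_name)][identity_name] = second_identity
    return req


def horizontal_override_test_request(normal, second_request_params):
    """Replace request parameters (e.g. the account being operated on) with
    those belonging to a user of the same authority level; retain the rest."""
    req = copy.deepcopy(normal)
    for name, value in second_request_params.items():
        req[_locate(req, name)][name] = value
    return req


def build_test_requests(normal, identity_name, second_identity, second_request_params):
    """All three test requests derived from one normal request."""
    return {
        "unauthorized": unauthorized_test_request(normal, identity_name),
        "vertical": vertical_override_test_request(normal, identity_name, second_identity),
        "horizontal": horizontal_override_test_request(normal, second_request_params),
    }


# Constructed sample: user1 (common authority) queries account acct-1001.
# admin is the higher-authority user; acct-2002 belongs to user2, who has the
# same authority level as user1 (see the user marks in the description).
NORMAL_REQUEST = {
    "cookies": {"session": "s1"},
    "headers": {"X-User": "user1"},
    "body": {"op": "query", "account": "acct-1001"},
}

if __name__ == "__main__":
    for kind, req in build_test_requests(NORMAL_REQUEST, "X-User", "admin",
                                         {"account": "acct-2002"}).items():
        print(kind, req)
```

Each derived request is a deep copy, so the normal request stays available for the comparison with the test data stream in step 105.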
After the test request is constructed, step 104 may be performed.
Step 104: sending the test request to the server through the test port, and receiving a test response data stream returned by the server based on the test request and a test data stream generated between the test request and the response data stream;
Step 105: determining whether an unauthorized vulnerability exists in the test port according to the normal data stream and the test data stream.
In step 103, step 104 and step 105 may be executed once each test request is constructed, that is, after a test request is constructed, the test request may be sent to the server through the test port, and a test response data stream returned by the server based on the test request and a test data stream generated between the test request and the response data stream are received; step 104 and step 105 may also be performed one by one for each test request after all test requests have been constructed.
For example, after the normal request (a login request) has been turned into the corresponding unauthorized test request, the unauthorized test request is sent to the server, the test response data stream returned by the server based on the unauthorized test request and the test data stream generated between the unauthorized test request and its response data stream are received, and whether an unauthorized vulnerability exists at the test port is determined according to the normal data stream corresponding to the login request and the test data stream corresponding to the unauthorized test request. If an unauthorized vulnerability is determined to exist, the test ends. If not, a vertical override test request corresponding to the login request is further constructed and sent to the server, the test response data stream returned by the server based on the vertical override test request and the test data stream generated between the vertical override test request and its response data stream are received, and whether a vertical override vulnerability exists in the test port is determined according to the normal data stream corresponding to the login request and the test data stream corresponding to the vertical override test request. After determining whether a vertical override vulnerability exists, a horizontal override test request corresponding to the login request is further constructed and sent to the server, the test response data stream returned by the server based on the horizontal override test request and the test data stream generated between the horizontal override test request and its response data stream are received, and whether a horizontal override vulnerability exists at the test port is determined according to the normal data stream corresponding to the login request and the test data stream corresponding to the horizontal override test request.
If it is determined that none of the unauthorized vulnerability, the vertical override vulnerability and the horizontal override vulnerability exists, it can be determined that no override vulnerability exists in the test port. If at least one of an unauthorized vulnerability, a vertical override vulnerability and a horizontal override vulnerability is determined to exist in the test port, it can be determined that an override vulnerability exists in the test port.
For another example, after the normal request has been turned into the unauthorized test request, the vertical override test request and the horizontal override test request corresponding to the login request, the three test requests can be sent to the server in turn, the response data streams and test data streams corresponding to the three test requests are obtained in turn, and whether the override vulnerability corresponding to each test request exists is determined according to the test data stream corresponding to that test request and the normal data stream of the login request. If none exists, it is determined that no override vulnerability exists in the test port; if the override vulnerability corresponding to at least one test request exists, it is determined that an override vulnerability exists in the test port.
In one or more embodiments, if it is determined that at least one of an unauthorized vulnerability, a vertical override vulnerability and a horizontal override vulnerability exists at the test port, it may be further determined whether the test request corresponding to that vulnerability lies within the request range of the normal requests; if it is determined that the test request is a normal request with authority, the test request is removed, and otherwise the test request and the corresponding override vulnerability type are reported.
Since the application may access the same or different servers through multiple ports, each port can be tested in the above manner to determine whether the application has an override vulnerability.
In one or more embodiments, determining whether the unauthorized vulnerability exists in the test port according to the normal data stream and the test data stream may be implemented in the following manner:
detecting whether the test data stream corresponding to each test request is complete, whether the details of the test data stream are consistent with those of the normal data stream, whether the test response data stream is consistent with the normal response data stream, and whether the test request is outside the request range of the normal request; if any one of these is yes, determining that an unauthorized vulnerability exists in the test port and reporting it; if none is yes, determining that no unauthorized vulnerability exists in the test port.
For example, taking the unauthorized test request as the test request, it is detected whether the test data stream corresponding to the unauthorized test request is complete, whether the details of that test data stream are consistent with the details of the normal data stream, whether the test response data stream corresponding to the unauthorized test request is consistent with the normal response data stream, and whether the test request is outside the request range of the normal request. If all four results are no, it is determined that no unauthorized vulnerability exists in the test port; if any one is yes, it is determined that an unauthorized vulnerability exists in the test port, and the position of the unauthorized vulnerability can also be reported.
When the test request is a vertical override test request or a horizontal override test request, the determination method is the same as that of the unauthorized test request, and is not described herein again.
In one or more embodiments, detecting whether the test data stream corresponding to each test request is complete, whether the details of the test data stream are consistent with the details of the normal data stream, whether the normal response data are consistent with the test response data stream, and whether the test request is not within the request range of the normal request includes:
the detection process for any one test request is as follows:
detecting whether the test data stream corresponding to any one test request is complete; if the test data stream corresponding to that test request is determined to be incomplete, detecting whether the details of the test data stream corresponding to that test request are consistent with the details of the normal data stream; if the details are determined to be inconsistent with the details of the normal data stream, detecting whether the test response data stream of that test request is consistent with the normal response data stream; and if the test response data stream is determined to be inconsistent with the normal response data stream, detecting whether that test request lies within the request range of the normal request.
For example, taking the vertical override test request as the test request, whether the test data stream corresponding to the vertical override test request is complete is detected; if it is complete, a vertical override vulnerability is determined to exist. If it is not complete, whether the details of the test data stream corresponding to the vertical override test request are consistent with those of the normal data stream is further detected; if they are consistent, a vertical override vulnerability is determined to exist. If they are not consistent, whether the test response data stream corresponding to the vertical override test request is consistent with the normal response data stream is further detected; if so, a vertical override vulnerability is determined to exist. If not, whether the vertical override test request lies within the request range of the normal request is detected; if so, no vertical override vulnerability is determined to exist, and if not, a vertical override vulnerability is determined to exist.
The determination process of other test requests is similar to this, and is not described herein again.
In one or more embodiments, detecting whether a test data stream corresponding to any test request is complete may be implemented by:
detecting whether the intermediate function call process of the test data stream corresponding to any test request is completely consistent with that of the normal data stream; if completely consistent, determining that the test data stream corresponding to the test request is complete; otherwise, determining that the test data stream corresponding to the test request is incomplete.
For example, after the test data stream of the vertical override test request is compared with the normal data stream of the normal request, it is found that the test data stream did not reach the last step as the normal request did (for example, the last step is executing a query statement) but was cut off by the authority discrimination function in the code during intermediate processing; the test data stream corresponding to the vertical override test request is then determined to be incomplete, which shows that the authority discrimination in the application is valid and the constructed vertical override test request failed to override. If instead the comparison shows that the test data stream reached the last step just as the normal request did, the test data stream corresponding to the vertical override test request is determined to be complete, which shows that the authority authentication in the application failed and the constructed vertical override test request overrode successfully; the existence of a vertical override vulnerability is determined, and the position of the vertical override vulnerability can be recorded as the corresponding authority authentication function.
In one or more embodiments, detecting whether the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream may be implemented by:
detecting whether the data processing logic of the test data stream corresponding to any test request is consistent with the data processing logic of the normal data stream; if so, determining that the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream; otherwise, determining that the details of the test data stream corresponding to any test request are inconsistent with the details of the normal data stream.
For example, still taking the vertical override test request as the test request, if it is determined through the foregoing scheme that the function call process in the test data stream of the vertical override test request is not completely consistent with that in the normal data stream, it is further detected whether the data processing logic of the test data stream is consistent with that of the normal data stream. If the normal data stream goes from acquiring the input, to string processing, to regular-expression matching, to executing the query statement, while the test data stream goes from acquiring the input, to string processing, to regular-expression matching, to reporting an error, the details of the test data stream of the vertical override request are obviously inconsistent with those of the normal data stream; the protective filtering function in the application can then be considered valid, and the constructed vertical override test request failed to override. If both the test data stream of the vertical override test request and the normal data stream go from acquiring the input, to string processing, to regular-expression matching, to executing the query statement, the details of the test data stream are determined to be consistent with those of the normal data stream, and a vertical override vulnerability is determined to exist.
In one or more embodiments, detecting whether the test response data flow of any test request is consistent with the normal response data flow may be implemented by:
detecting whether the parameter information returned by the test response data stream of the test request is completely consistent with that returned by the normal response data stream; if completely consistent, determining that the test response data stream of the test request is consistent with the normal response data stream; and if any item is inconsistent, determining that the test response data stream of the test request is inconsistent with the normal response data stream.
For example, still taking the vertical override test request as the test request, if it is determined through the foregoing scheme that the function call process in the test data stream of the vertical override test request is not completely consistent with that in the normal data stream, and the details of the test data stream are not completely consistent with those of the normal data stream, it is further detected whether the parameter information and data length returned by the test response data stream are completely consistent with the parameters returned by the normal response data stream. For example, the parameter information of the normal response data stream includes the returned HTTP status code, the response error information and the returned data length. If any one of these parameters returned by the response data stream of the vertical override test request differs from the corresponding parameter of the normal response data stream, the test response data stream of the vertical override test request is determined to be inconsistent with the normal response data stream; if all the parameters are the same, the test response data stream is determined to be consistent with the normal response data stream, and a vertical override vulnerability exists.
In one or more embodiments, detecting whether any of the test requests is not within the request range of the normal request may be accomplished by:
judging whether any test request lies within the request range of the normal request; if so, determining that the test request is a normal request, and recording the normal request so that it is not used again.
For example, taking the vertical override test request as the test request, if the test data stream of the vertical override test request has been determined to be incomplete and inconsistent in detail with the normal data stream, and its test response data stream is also inconsistent with the normal response data stream, it is further determined whether the vertical override test request lies within the request range of the normal request. If so, the request is determined to be a normal request that has authority under those parameters; it is excluded and no vertical override is determined to exist, and the vertical override test request and its related parameters are marked so that subsequent detection is not repeated when the same condition is met, which further improves detection efficiency. If the request is not within the request range of the normal request, a vertical override vulnerability is determined to exist and the corresponding complete data stream is reported, so that developers can locate the problematic code from the vulnerability and repair it.
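The following Python example is added to show the four checks of step 105 run in the order the embodiment describes (completeness of the call path, consistency of the processing logic, consistency of the response, then the request-range check); it is not code from the patent. It assumes the probe records each frame with a function name and a label for its data processing logic, that the response is summarised by status code, error information and data length, and that the "request range" is a set of previously recorded legitimate requests; the sample streams and the requests are constructed.

```python
"""Added example (not part of the patent): the cascade of checks of step 105
applied to one replayed test request. The stream representation and all
sample values are constructed for this example."""
from dataclasses import dataclass


@dataclass
class Frame:
    func: str    # function in the call stack
    stage: str   # data processing logic of that step (input, string, regex, query, error)


@dataclass
class Stream:
    frames: list     # call stack from the request (head) to the response (tail)
    response: dict   # HTTP status code, error information and returned data length


def is_complete(test, normal):
    """Complete when the test call path is identical to the normal one, i.e. it
    reached the last step instead of being cut off by an authority check."""
    return [f.func for f in test.frames] == [f.func for f in normal.frames]


def details_consistent(test, normal):
    """Details consistent when the data processing logic matches step by step."""
    return [f.stage for f in test.frames] == [f.stage for f in normal.frames]


def response_consistent(test, normal):
    """Responses consistent when status code, error info and length all match."""
    return all(test.response.get(k) == normal.response.get(k)
               for k in ("status", "error", "length"))


def request_key(request):
    """Hashable form of a request so it can be kept in the normal request range."""
    return tuple(sorted((k, str(v)) for k, v in request.items()))


def judge(test_request, test, normal, normal_range, recorded):
    """Return (verdict, reason) for one test request. normal_range holds the
    request_key values of requests known to be legitimate; a test request found
    there is recorded so that it is not tested again."""
    if is_complete(test, normal):
        return "vulnerable", "test data stream complete"
    if details_consistent(test, normal):
        return "vulnerable", "processing logic consistent with normal stream"
    if response_consistent(test, normal):
        return "vulnerable", "response consistent with normal response"
    key = request_key(test_request)
    if key in normal_range:
        recorded.add(key)
        return "not vulnerable", "request within normal request range"
    return "vulnerable", "request outside normal request range"


# Constructed samples. NORMAL is the stream of user1's own query; BLOCKED is a
# vertical override replay cut off by check_permission; PASSED is a replay that
# went all the way to the query with the same response as the normal request.
NORMAL = Stream(
    [Frame("get_input", "input"), Frame("sanitize", "string"),
     Frame("match_pattern", "regex"), Frame("run_query", "query")],
    {"status": 200, "error": None, "length": 512},
)
BLOCKED = Stream(
    [Frame("get_input", "input"), Frame("sanitize", "string"),
     Frame("check_permission", "error")],
    {"status": 403, "error": "forbidden", "length": 27},
)
PASSED = Stream(list(NORMAL.frames), dict(NORMAL.response))
TEST_REQUEST = {"X-User": "admin", "op": "query", "account": "acct-1001"}

if __name__ == "__main__":
    print(judge(TEST_REQUEST, PASSED, NORMAL, set(), set()))
    print(judge(TEST_REQUEST, BLOCKED, NORMAL, set(), set()))
```

The verdict carries the check that decided it, which is the "position" the description says can be reported; when the replay stopped inside check_permission the first three checks all fail, and the outcome then depends only on whether the request is within the recorded normal range, exactly as the description orders the checks.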
In the embodiment provided by the invention, by deploying the probe for the application, the normal request sent by the application and the corresponding data stream can be collected through the probe, and the function call and the data change process sent by the normal request are recorded in detail in the data streams and can be used as the basis for unauthorized vulnerability detection; after a normal data stream generated between a normal request sent by a test port and a normal response data stream returned by an application server based on the normal request is obtained from a probe, user identity parameters and request parameters are extracted from the normal data stream; according to the identity parameters and the request parameters, the normal request is modified to obtain the test request, so that the interference of the test request and irrelevant parameters in the corresponding data stream can be removed, the test request of the unauthorized bug is accurately constructed, and the test efficiency is improved; the test request is sent to the server through the test port, and the test response data stream returned by the server based on the test request and the test data stream generated between the test request and the response data stream are received; and according to the normal data stream and the test data stream, whether the unauthorized bug exists in the test port is determined, so that the false alarm rate can be reduced to the maximum extent, and the false alarm rate is reduced while the unauthorized bug test efficiency is improved.
Based on the same inventive concept, an embodiment of the present invention provides an apparatus for detecting an unauthorized vulnerability. For the specific implementation of the unauthorized vulnerability detection method performed by the apparatus, refer to the description of the method embodiment; repeated parts are not described again. Referring to fig. 3, the apparatus includes:
an obtaining unit 301, configured to obtain, from a probe deployed for an application, a normal request sent through a test port, and a normal data stream generated between a normal response data stream returned by a server of the application based on the normal request; wherein, the probe is used for detecting the data transmitted and received by the application;
an extracting unit 302, configured to extract a user identity parameter and a request parameter from the normal data stream;
a modification unit 303, configured to modify the normal request according to the identity parameter and the request parameter, so as to obtain a test request;
a replay unit 304, configured to send the test request to the server through the test port, and receive a test response data stream returned by the server based on the test request, and a test data stream generated between the test request and the response data stream;
a determining unit 305, configured to determine whether there is an unauthorized vulnerability in the test port according to the normal data stream and the test data stream.
In a possible implementation manner, the apparatus further includes a setting unit 306, where the setting unit 306 is configured to:
before acquiring, from the probe deployed for the application, the normal request sent through the test port and the normal data stream generated between the normal request and the normal response data stream returned by the server based on it, acquiring the configuration file of the application;
loading the probe in the configuration file;
restarting the application causes the probe to run.
In a possible implementation, the extracting unit 302 is further configured to:
acquiring a first parameter set used initially in a call stack and a second parameter set used finally in the normal data stream; the call stack is used for managing the function call relation of the application;
obtaining overlapping parameters from the first set of parameters and the second set of parameters;
and acquiring the user identity parameter and the request parameter from the overlapping parameter.
In a possible implementation, the extracting unit 302 is further configured to:
determining a request type of the normal request according to marking information corresponding to a page accessed by a user;
and extracting the user identity parameters from the normal request according to the request type, and extracting overlapping parameters from the head and tail positions of the call stack to serve as the request parameters.
In a possible implementation, the modification unit 303 is further configured to:
removing the identity parameters in the normal request to obtain an unauthorized test request;
replacing the identity parameters in the normal request to obtain a vertical override test request;
and replacing the request parameters in the normal request to obtain a test request with a horizontal override.
In a possible implementation, the determining unit 305 is further configured to:
detecting whether the test data stream corresponding to each test request is complete, whether the details of the test data stream are consistent with those of the normal data stream, whether the test response data stream is consistent with the normal response data stream, and whether the test request is outside the request range of the normal request;
if any one of these is yes, determining that the unauthorized vulnerability exists in the test port, and reporting the unauthorized vulnerability;
if none is yes, determining that the unauthorized vulnerability does not exist in the test port.
In one possible implementation, the determining unit 305 is further configured to:
the detection procedure for any one test request is as follows:
detecting whether the test data stream corresponding to any test request is complete;
if the test data stream corresponding to any test request is determined to be incomplete, detecting whether the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
if the details of the test data stream corresponding to any test request are determined to be inconsistent with the details of the normal data stream, detecting whether the test response data stream of any test request is consistent with the normal response data stream;
and if the test response data stream of any test request is determined to be inconsistent with the normal response data stream, detecting whether any test request is not in the request range of the normal request.
In a possible implementation, the determining unit 305 is further configured to:
detecting whether the intermediate function-call process of the test data stream corresponding to any test request is completely consistent with that of the normal data stream;
if completely consistent, determining that the test data stream corresponding to the test request is complete;
otherwise, determining that the test data stream corresponding to the test request is incomplete.
In a possible implementation, the determining unit 305 is further configured to:
detecting whether the data processing logic of the test data stream corresponding to any test request is consistent with the data processing logic of the normal data stream;
if so, determining that the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
otherwise, determining that the details of the test data stream corresponding to any test request are inconsistent with the details of the normal data stream.
In a possible implementation, the determining unit 305 is further configured to:
detecting whether the parameter information returned in the test response data stream of any test request is completely consistent with the parameter information returned in the normal response data stream;
if completely consistent, determining that the test response data stream of the test request is consistent with the normal response data stream;
otherwise, determining that the test response data stream of the test request is inconsistent with the normal response data stream.
In a possible implementation, the determining unit 305 is further configured to:
judging whether any test request is in the request range of the normal request or not;
if so, determining that any test request is a normal request, and recording the normal request to avoid repeated use.
It should be noted that the division into units in the embodiments of the present application is schematic and is only a division by logical function; there may be other division manners in actual implementation. In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The integrated unit, if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a processor-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
It should be noted that the apparatus provided in the embodiment of the present invention can implement all the method steps implemented by the method embodiment, and can achieve the same technical effects, and detailed descriptions of the same parts and beneficial effects as the method embodiment in this embodiment are not repeated herein.
Based on the same inventive concept, the embodiment of the invention provides a device for detecting unauthorized vulnerabilities, which comprises: at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of unauthorized vulnerability detection as described above by executing the instructions stored by the memory.
Based on the same inventive concept, an embodiment of the present invention further provides a readable storage medium, comprising a memory;
the memory is configured to store instructions that, when executed by a processor, cause the apparatus comprising the readable storage medium to perform the method of unauthorized vulnerability detection as described above.
The readable storage medium may be any available medium or data storage device that can be accessed by the processor, including volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. By way of example and not limitation, non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, solid-state disk (SSD), magnetic memory (e.g., floppy disk, hard disk, magnetic tape, magneto-optical disk (MO), etc.), optical memory (e.g., CD, BD, DVD, HVD, etc.), and so forth. Volatile memory can include random access memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in many forms, such as dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), and synchronous link DRAM (SLDRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Based on the same inventive concept, embodiments of the present invention provide a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the method for detecting an unauthorized vulnerability as described above.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product embodied on one or more readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer/processor-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These program instructions may also be stored in a readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer/processor implemented process such that the instructions which execute on the computer/processor or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (15)

1. A method for detecting unauthorized vulnerabilities, comprising:
acquiring, from a probe deployed for an application, a normal request sent via a test port and a normal data stream generated between the normal request and a normal response data stream returned by a server of the application based on the normal request; wherein the probe is used for detecting data transmitted and received by the application;
extracting user identity parameters and request parameters from the normal data stream;
according to the identity parameters and the request parameters, the normal request is modified to obtain a test request;
sending the test request to the server through the test port, and receiving a test response data stream returned by the server based on the test request and a test data stream generated between the test request and the test response data stream;
and determining whether the unauthorized loopholes exist in the test port or not according to the normal data stream and the test data stream.
2. The method of claim 1, wherein, before acquiring from the probe the normal request sent via the test port and the normal data stream generated between the normal request and the normal response data stream returned by the server based on the normal request, the method further comprises:
acquiring a configuration file of the application;
loading the probe in the configuration file;
restarting the application so that the probe runs.
3. The method of claim 1, wherein extracting user identity parameters and request parameters from the normal data stream comprises:
acquiring, from the normal data stream, a first parameter set used at the beginning of a call stack and a second parameter set used at the end of the call stack; the call stack is used for managing the function call relation of the application;
obtaining overlapping parameters from the first set of parameters and the second set of parameters;
and acquiring the user identity parameter and the request parameter from the overlapping parameter.
4. The method of claim 3, wherein obtaining the user identity parameter and the request parameter from the overlapping parameter comprises:
determining a request type of the normal request according to marking information corresponding to a page accessed by a user;
and extracting the user identity parameter from the normal request according to the request type, and extracting an overlapping parameter from the head and tail positions of the call stack as the request parameter.
5. The method of any of claims 1-4, wherein modifying the normal request according to the identity parameters and the request parameters to obtain a test request comprises:
removing the identity parameters in the normal request to obtain an unauthorized test request;
replacing the identity parameters in the normal request to obtain a vertical override test request;
and replacing the request parameters in the normal request to obtain a test request with a horizontal override.
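The following is an added example, not code from the patent or from its applicants, showing how the parameter extraction of claims 3-4 (and the extraction described for the device above) and the three request mutations of claim 5 can be implemented on a probe-captured normal data stream. The record layout (a request plus a list of call-stack frames with their parameters), the page-marking table `PAGE_MARKS`, the identity-parameter names in `IDENTITY_PARAMS`, and all sample values are assumptions made for illustration; the patent does not specify them.

```python
"""Added example (not the patent's own code): extract identity and request
parameters from a probe-captured normal data stream (claims 3-4) and mutate
the normal request into the three test requests of claim 5.  The record
layout, the page-marking table and the parameter names are assumptions."""
from dataclasses import dataclass


@dataclass
class Frame:
    """One call-stack frame recorded by the probe: function name and the
    parameters that function was called with."""
    func: str
    params: dict


@dataclass
class NormalDataStream:
    """Normal request plus the call stack the probe recorded while serving it.
    call_stack[0] is the entry handler, call_stack[-1] the last frame before
    the response was produced."""
    page: str
    request: dict
    call_stack: list


# Assumed page-marking table (claim 4): page -> request type.
PAGE_MARKS = {"/account/orders": "user_data", "/admin/users": "admin_op"}

# Assumed identity parameter names per request type.
IDENTITY_PARAMS = {
    "user_data": {"session", "user_id"},
    "admin_op": {"session", "admin_id"},
}


def overlapping_parameters(stream):
    """Claim 3: parameters that appear, with the same value, in both the first
    and the last frame of the call stack.  A value that survives from the
    entry handler to the data-access layer is one the business logic really
    keys on, so it is a candidate for mutation."""
    head, tail = stream.call_stack[0].params, stream.call_stack[-1].params
    return {k: v for k, v in head.items() if tail.get(k) == v}


def extract_parameters(stream):
    """Claim 4: identity parameters come from the request, chosen by request
    type; request parameters are the remaining head/tail overlap."""
    rtype = PAGE_MARKS.get(stream.page, "user_data")
    ident_names = IDENTITY_PARAMS[rtype]
    identity = {k: v for k, v in stream.request.items() if k in ident_names}
    request_params = {k: v for k, v in overlapping_parameters(stream).items()
                      if k not in ident_names}
    return identity, request_params


def build_test_requests(stream, other_identity, other_objects):
    """Claim 5.  other_identity: identity parameters of a second principal
    (used for the vertical test).  other_objects: request parameter -> a
    value that belongs to another principal (used for the horizontal test)."""
    identity, request_params = extract_parameters(stream)
    base = dict(stream.request)
    # unauthenticated test: strip every identity parameter
    unauthenticated = {k: v for k, v in base.items() if k not in identity}
    # vertical test: same request, another principal's identity
    vertical = {**base, **other_identity}
    # horizontal test: same identity, another principal's object identifiers
    horizontal = {**base, **{k: other_objects[k] for k in request_params
                             if k in other_objects}}
    return {"unauthenticated": unauthenticated,
            "vertical": vertical,
            "horizontal": horizontal}


# Constructed sample: user 1001 views their own order 5001.
SAMPLE = NormalDataStream(
    page="/account/orders",
    request={"session": "sess-A", "user_id": 1001, "order_id": 5001, "trace": "t1"},
    call_stack=[
        Frame("OrdersController.show",
              {"session": "sess-A", "user_id": 1001, "order_id": 5001, "trace": "t1"}),
        Frame("OrderService.load", {"user_id": 1001, "order_id": 5001}),
        Frame("OrderRepository.findByIdAndOwner", {"order_id": 5001, "user_id": 1001}),
    ],
)

if __name__ == "__main__":
    print(extract_parameters(SAMPLE))
    for kind, req in build_test_requests(
            SAMPLE, {"session": "sess-B", "user_id": 2002}, {"order_id": 6001}).items():
        print(kind, req)
```

The head/tail overlap is what keeps the mutation targeted: `trace` reaches the controller but not the repository, so it is never mutated, while `order_id` survives to the data-access frame and becomes the horizontal test's target. The second principal's identity and object identifiers must come from a second test account that the tester controls, since the replay in claim 1 sends the mutated requests to the live server.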
6. The method of claim 5, wherein determining whether the unauthorized vulnerability exists in the test port according to the normal data stream and the test data stream comprises:
detecting, for each test request, whether the test data stream corresponding to the test request is complete, whether the details of the test data stream are consistent with the details of the normal data stream, whether the test response data stream is consistent with the normal response data stream, and whether the test request is outside the request range of the normal request;
if any one of these detections is yes, determining that the unauthorized vulnerability exists in the test port, and reporting the unauthorized vulnerability;
and if none of them is yes, determining that the unauthorized vulnerability does not exist in the test port.
7. The method of claim 6, wherein detecting whether the test data stream corresponding to each test request is complete, whether the details of the test data stream are consistent with the details of the normal data stream, whether the normal response data are consistent with the test response data stream, and whether the test request is not within the request range of the normal request comprises:
the detection process for any one test request is as follows:
detecting whether the test data stream corresponding to any test request is complete;
if the test data stream corresponding to any test request is determined to be incomplete, detecting whether the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
if the details of the test data stream corresponding to any test request are determined to be inconsistent with the details of the normal data stream, detecting whether the test response data stream of any test request is consistent with the normal response data stream;
and if the test response data stream of any test request is determined to be inconsistent with the normal response data stream, detecting whether any test request is not in the request range of the normal request.
8. The method of claim 7, wherein detecting whether the test data stream corresponding to any of the test requests is complete comprises:
detecting whether the intermediate function-call process of the test data stream corresponding to any test request is completely consistent with that of the normal data stream;
if completely consistent, determining that the test data stream corresponding to the test request is complete;
otherwise, determining that the test data stream corresponding to the test request is incomplete.
9. The method as claimed in claim 7, wherein detecting whether the details of the test data stream corresponding to any of the test requests are consistent with the details of the normal data stream comprises:
detecting whether the data processing logic of the test data stream corresponding to any test request is consistent with the data processing logic of the normal data stream;
if so, determining that the details of the test data stream corresponding to any test request are consistent with the details of the normal data stream;
otherwise, determining that the details of the test data stream corresponding to any test request are inconsistent with the details of the normal data stream.
10. The method of claim 7, wherein detecting whether the test response data flow of any of the test requests is consistent with the normal response data flow comprises:
detecting whether the parameter information returned in the test response data stream of any test request is completely consistent with the parameter information returned in the normal response data stream;
if completely consistent, determining that the test response data stream of the test request is consistent with the normal response data stream;
otherwise, determining that the test response data stream of the test request is inconsistent with the normal response data stream.
11. The method of claim 7, wherein detecting whether the any of the test requests is not within a request range of the normal request comprises:
judging whether any test request is in the request range of the normal request or not;
if so, determining that any test request is a normal request, and recording the normal request to avoid repeated use.
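The following is an added example, not code from the patent or from its applicants, implementing the four-stage decision of claims 6-11 (the same logic the determining unit 305 performs above) over constructed normal and test data streams. The record layout is an assumption: the probe is taken to provide, per request, the ordered function-call chain, a signature of the processing logic executed, the parameter names returned in the response, and the object identifiers the request referenced. The patent does not define "request range"; the example models it as the set of object identifiers the normal request referenced, and all sample streams are constructed.

```python
"""Added example (not the patent's own code): the four-stage decision of
claims 6-11 run over constructed normal and test data streams.  The record
layout and the meaning given to 'request range' are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStream:
    call_chain: tuple        # function names in call order (claim 8)
    logic_signature: tuple   # branches / query templates executed (claim 9)
    response_params: dict    # parameter information in the response (claim 10)
    objects: frozenset       # object identifiers the request referenced (claim 11)


@dataclass(frozen=True)
class Finding:
    test_kind: str
    stage: str               # which detection answered "yes"


def is_complete(test, normal):
    """Claim 8: the intermediate function-call process matches exactly,
    i.e. the mutated request drove the server through the whole chain."""
    return test.call_chain == normal.call_chain


def details_consistent(test, normal):
    """Claim 9: the same data-processing logic ran."""
    return test.logic_signature == normal.logic_signature


def response_consistent(test, normal):
    """Claim 10: same returned parameter information.  Assumption: compare the
    set of parameter names, since a served foreign object carries the same
    parameter names with different values."""
    return set(test.response_params) == set(normal.response_params)


def in_request_range(test, normal):
    """Claim 11, modelled as: every object the test request referenced was
    also referenced by the normal request (assumption, see lead-in)."""
    return test.objects <= normal.objects


def detect(test_kind, test, normal, seen_normal):
    """Claims 6-7: the detections run in order and stop at the first 'yes'.
    Returns a Finding, or None when the test request turned out to be a normal
    request, which is then recorded in seen_normal to avoid repeated use."""
    if is_complete(test, normal):
        return Finding(test_kind, "complete_call_chain")
    if details_consistent(test, normal):
        return Finding(test_kind, "consistent_processing_logic")
    if response_consistent(test, normal):
        return Finding(test_kind, "consistent_response")
    if not in_request_range(test, normal):
        return Finding(test_kind, "outside_request_range")
    seen_normal.add((test_kind, test.objects))
    return None


# Constructed sample streams.  NORMAL: user 1001 reads their own order 5001.
FULL_CHAIN = ("AuthFilter", "OrdersController.show", "OrderService.load",
              "OrderRepository.findByIdAndOwner")
NORMAL = DataStream(FULL_CHAIN, ("owner_check", "select_order"),
                    {"order_id": 5001, "total": "42.00"}, frozenset({5001}))
# Request without identity: rejected at the auth filter.
UNAUTHENTICATED = DataStream(("AuthFilter",), ("reject_401",),
                             {"error": "unauthenticated"}, frozenset({5001}))
# User 2002 asked for order 5001: refused by the owner check.
VERTICAL = DataStream(FULL_CHAIN[:3], ("owner_check", "reject_403"),
                      {"error": "forbidden"}, frozenset({5001}))
# User 1001 asked for order 6001 (not theirs) and the server served it.
HORIZONTAL = DataStream(FULL_CHAIN, ("owner_check", "select_order"),
                        {"order_id": 6001, "total": "17.50"}, frozenset({6001}))
# User 1001 asked for order 6001 and was correctly refused.
HORIZONTAL_REJECTED = DataStream(FULL_CHAIN[:3], ("owner_check", "reject_403"),
                                 {"error": "forbidden"}, frozenset({6001}))


def run_all(seen_normal=None):
    """Run the cascade for every constructed test stream against NORMAL."""
    seen_normal = set() if seen_normal is None else seen_normal
    tests = {"unauthenticated": UNAUTHENTICATED, "vertical": VERTICAL,
             "horizontal": HORIZONTAL, "horizontal_rejected": HORIZONTAL_REJECTED}
    return {kind: detect(kind, stream, NORMAL, seen_normal)
            for kind, stream in tests.items()}


if __name__ == "__main__":
    for kind, finding in run_all().items():
        print(kind, "->", finding or "no finding (recorded as normal request)")
```

The first three stages report only when the server behaved the same way for the mutated request as for the normal one, which is direct evidence that the access check was missing. The fourth stage, as the claims are worded, also reports a request for an object outside the normal request's range even when the server refused it (the `horizontal_rejected` case above); a practitioner would rank such stage-4 findings below the first three and confirm them by hand before treating them as vulnerabilities.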
12. An apparatus for unauthorized vulnerability detection, comprising:
an acquisition unit, configured to acquire, from a probe deployed for an application, a normal request sent via a test port and a normal data stream generated between the normal request and a normal response data stream returned by a server based on the normal request; wherein the probe is used for detecting the data transmitted and received by the application;
an extraction unit, configured to extract user identity parameters and request parameters from the normal data stream;
a modification unit, configured to modify the normal request according to the identity parameters and the request parameters to obtain a test request;
a replay unit, configured to send the test request to the server through the test port and receive a test response data stream returned by the server based on the test request and a test data stream generated between the test request and the test response data stream;
and a determining unit, configured to determine whether the unauthorized vulnerability exists in the test port according to the normal data stream and the test data stream.
13. An apparatus for unauthorized vulnerability detection, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of any one of claims 1-11 by executing the instructions stored by the memory.
14. A readable storage medium, comprising a memory, wherein the memory is configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method of any one of claims 1-11.
15. A computer program product, characterized in that it comprises a computer program which, when being executed by a processor, carries out the method of any one of claims 1-11.
CN202211614341.9A 2022-12-15 2022-12-15 Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection Pending CN115879116A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211614341.9A CN115879116A (en) 2022-12-15 2022-12-15 Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211614341.9A CN115879116A (en) 2022-12-15 2022-12-15 Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection

Publications (1)

Publication Number Publication Date
CN115879116A true CN115879116A (en) 2023-03-31

Family

ID=85767668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211614341.9A Pending CN115879116A (en) 2022-12-15 2022-12-15 Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection

Country Status (1)

Country Link
CN (1) CN115879116A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116346488A (en) * 2023-04-13 2023-06-27 贝壳找房(北京)科技有限公司 Unauthorized access detection method, device and storage medium
CN116346488B (en) * 2023-04-13 2024-05-17 贝壳找房(北京)科技有限公司 Unauthorized access detection method and device

Similar Documents

Publication Publication Date Title
US11003773B1 (en) System and method for automatically generating malware detection rule recommendations
US10503910B2 (en) Security testing framework including virtualized server-side platform
CN110266669A (en) A kind of Java Web frame loophole attacks the method and system of general detection and positioning
KR101001132B1 (en) Method and System for Determining Vulnerability of Web Application
US10505966B2 (en) Cross-site request forgery (CSRF) vulnerability detection
CN104995630B (en) Computing system and method for security test
CN110674506B (en) Method and system for rapidly verifying vulnerability state of application program
CN111611590B (en) Method and device for data security related to application program
CN113158197B (en) SQL injection vulnerability detection method and system based on active IAST
CN113934621A (en) Fuzzy test method, system, electronic device and medium
CN115879116A (en) Method, apparatus, storage medium and computer program product for unauthorized vulnerability detection
CN110806980A (en) Detection method, device, equipment and storage medium
Noseevich et al. Detecting insufficient access control in web applications
CN111241547B (en) Method, device and system for detecting override vulnerability
CN115270139B (en) IoT equipment network service automatic vulnerability analysis method and system
CN116541022A (en) Automatic PHP second-order vulnerability mining method based on semantic state diagram
CN112383536B (en) Firewall verification method and device, computer equipment and storage medium
CN114253847A (en) Program safety testing method, device, equipment and storage medium
CN114358934A (en) Verification method of intelligent contract and related equipment
CN114003916A (en) Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability
CN111934949A (en) Safety test system based on database injection test
Allen et al. A model-based approach to the security testing of network protocol implementations
CN112507389A (en) Webpage data processing method and device
CN111695121A (en) Website vulnerability online evaluation method and device
KR101754964B1 (en) Method and Apparatus for Detecting Malicious Behavior

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination