CN116260643A - Security testing method, device and equipment for web service of Internet of things - Google Patents

Security testing method, device and equipment for web service of Internet of things

Info

Publication number
CN116260643A
Authority
CN
China
Prior art keywords
internet
things
data
web service
test data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310209940.0A
Other languages
Chinese (zh)
Inventor
王旭元
郑志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Huawei Cloud Computing Technology Co ltd
Original Assignee
Shenzhen Huawei Cloud Computing Technology Co ltd
Application filed by Shenzhen Huawei Cloud Computing Technology Co ltd
Priority to CN202310209940.0A
Publication of CN116260643A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/10 Detection; Monitoring
    • G16Y40/50 Safety; Security of things, users, data or systems


Abstract

The application discloses a security testing method, device and equipment for web services of the Internet of Things. The method comprises the following steps: a security testing device obtains first data, where the first data is a request or response of an IoT web service; mutates the first data to obtain first test data; sends the first test data to the IoT device; and receives a first monitoring result sent by the IoT device, where the first monitoring result comprises one or more of a first abnormal condition, first error information and a first program coverage rate, and judges from the first monitoring result whether the IoT web service has a vulnerability. In this process the security testing device introduces fuzz testing into the security testing of IoT web services, generates test data according to a first rule applicable to IoT web services, and can perform comprehensive automated detection on the web service without knowing the source code of the IoT web program, thereby improving security testing efficiency.

Description

A security testing method, device and equipment for Internet of Things web services

Technical field

The present application relates to the technical field of network security, and in particular to a security testing method, device and equipment for Internet of Things web services.

Background

IoT devices are embedded devices connected to a network and are widely used in transportation, industry, home life and many other fields. The web services provided by IoT devices are a high-incidence area for vulnerabilities: attackers can attack IoT devices through web service vulnerabilities, so the security of IoT web services is an increasingly prominent problem.

Currently, security testing methods for general-purpose web services simulate attacks on the system through script files, record and analyse the responses, and determine web service vulnerabilities from them. IoT devices have particular characteristics. For example, IoT device web services are developed in C/C++, unlike existing web services developed in scripting languages such as Java, PHP and Python, and the functions of IoT web interfaces also differ from those of existing interfaces. When the traditional web security testing methods above are applied to IoT devices, they cannot test all functions of the IoT web service, so security testing is inefficient and ineffective.

Summary of the invention

Embodiments of the present application provide a security testing method, device and equipment for IoT web services. By introducing fuzz testing into the security testing of IoT web services, generating test data according to rules applicable to IoT web services, and determining potential vulnerabilities from monitoring results, the IoT web service can be comprehensively and automatically tested without knowing the source code of the IoT web program, which improves both the efficiency and the effectiveness of security testing.

In a first aspect, the present application provides a security testing method for an IoT web service, applied to a security testing device. The method includes: the security testing device acquires first data, where the first data is a request or response of the IoT web service acquired by the security testing device; mutates the first data to obtain first test data; sends the first test data to the IoT device, where the IoT device provides the IoT web service; receives a first monitoring result sent by the IoT device, where the first monitoring result includes one or more of a first abnormal condition, first error information and a first program coverage rate; and judges from the first monitoring result whether the IoT web service has a vulnerability.

In the above process, the security testing device introduces fuzz testing into the security detection of IoT web services. According to a first rule applicable to IoT web services, the security testing device mutates the first data, sends the resulting first test data to the IoT device, and identifies vulnerabilities in the IoT web service from the first monitoring result that the IoT device generates for the first test data. By generating many unexpected test inputs, the security testing device can raise program coverage considerably and test the IoT web service comprehensively, reducing the cases where existing security testing techniques do not apply to IoT web services or cannot detect their particular problems, thereby improving the effectiveness of security testing. The security testing device determines possible vulnerabilities from the abnormal conditions and error information in the monitoring result; compared with the prior art, it does not need to analyse responses for vulnerabilities, so the process is simpler and testing is more efficient.

In a possible implementation, after acquiring the first data, the security testing device also identifies a first parameter in the first data, where the first parameter affects the operation of the IoT device. By identifying the first parameter, the security testing device can determine which data to mutate in the subsequent mutation of the first data and which first rule to use, so that the mutation affects the operation of the IoT web service as much as possible; this improves the efficiency of security testing and raises the program coverage of the IoT web service.

In a possible implementation, the security testing device mutates the first data according to a first rule to obtain the first test data, where the first rule is determined by the security testing device according to the first parameter. Determining the first rule from the first parameter ensures that the first rule is applicable to security testing of the IoT web service, so that the first test data obtained by mutation under the first rule can test the functions of the IoT web service comprehensively, improving the effectiveness of security testing.

In a possible implementation, after sending the first test data to the IoT device, the security testing device receives, in addition to the first monitoring result, a first response sent by the IoT device.

In a possible implementation, when the program coverage rate in the first monitoring result has increased, the security testing device sends the first response to the IoT device. An increase in program coverage in the first monitoring result indicates that the corresponding first test data reached a previously unexplored part of the IoT device's web program. Sending the first response to the IoT device increases the variety of test data, raises program coverage further, detects unknown vulnerabilities in the IoT web service, and improves security testing efficiency.

In a possible implementation, when not all mutations of the first test data have been completed, the security testing device mutates the first test data to obtain second test data and sends the second test data to the IoT device. By continuing to mutate on the basis of the first test data, the resulting second test data can detect different web service vulnerabilities, raise program coverage, and obtain better security testing results.

In a second aspect, the present application provides a security testing apparatus, applied to a security testing device, comprising an acquisition module, a mutation module, a sending module and a receiving module. The acquisition module acquires first data, where the first data is a request or response of the IoT web service acquired by the acquisition module; the mutation module mutates the first data to obtain first test data; the sending module sends the first test data to the IoT device, where the IoT device provides the IoT web service; and the receiving module receives a first monitoring result sent by the IoT device, where the first monitoring result includes one or more of a first abnormal condition, first error information and a first program coverage rate, and judges from the first monitoring result whether the IoT web service has a vulnerability.

In a third aspect, the present application provides a computing device cluster comprising at least one computing device, each with a processor and a memory; the processor of the at least one computing device executes instructions stored in the memory of the at least one computing device so that the computing device cluster performs the method of the first aspect.

In a fourth aspect, the present application provides a computer program product containing instructions which, when run by a computing device cluster, cause the cluster to perform the method of the first aspect.

In a fifth aspect, the present application provides a computer-readable storage medium containing computer program instructions which, when executed by a computing device cluster, cause the cluster to perform the method of the first aspect.

The implementations provided in the aspects above may be further combined to provide more implementations.

Brief description of the drawings

To illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below.

Fig. 1 is a flow chart of a web service security testing method provided by an embodiment of the present application;

Fig. 2 is a schematic structural diagram of an IoT web service security testing system provided by an embodiment of the present application;

Fig. 3 is a flow chart of an IoT web service security testing method provided by an embodiment of the present application;

Fig. 4 is a flow chart of a partial fuzz testing method provided by an embodiment of the present application;

Fig. 5 is a schematic structural diagram of a security testing apparatus provided by an embodiment of the present application;

Fig. 6 is a schematic structural diagram of a computing device provided by an embodiment of the present application;

Fig. 7 is a schematic structural diagram of a computing device cluster provided by an embodiment of the present application;

Fig. 8 is a schematic structural diagram of one or more computing devices connected through a network according to an embodiment of the present application.

Detailed description

Fig. 1 is a flow chart of a web service security testing method provided by an embodiment of the present application. The method is applied to the scanner in a system consisting of a scanner 110 and a service device 120, where the scanner and the service device are connected through a network, and the service device provides the web service and includes a monitoring module 121 for monitoring web service data. The method performs security testing on web services built with general-purpose web frameworks (for example Spring, React or PHP) in the information and communications technology (ICT) field, where the web service is developed in a scripting language such as Java or PHP (hypertext preprocessor). The method includes the following steps.

The scanner obtains all initial business requests of the web service. The scanner then obtains the target features of the web service, which include the implementation language, web service framework, front-end and back-end state, middleware state, component versions, interface parameters and so on; these are obtained by the scanner from the known web program source code. From the target features the scanner generates a preset rule base containing many rules; the scanner processes the initial business requests according to these rules to generate new requests, which serve as the test requests for web service security testing. The scanner then sends the generated test requests to the service device; the service device runs the web application according to each test request, and the monitoring module starts monitoring web-service-related data, generates monitoring data and sends it to the scanner, where the monitoring data may be the response information of the web service, the business state of the web service, and so on. The scanner checks whether the monitoring data matches an abnormality signature library; if the monitoring data matches an abnormal condition in the library, the scanner records the abnormal condition, where the abnormal signatures in the library are determined from the web program source code. After recording the abnormal condition, or if the monitoring data matches no abnormal condition in the library, the scanner checks whether any test requests have not yet been sent to the service device. If there are, the scanner repeats the steps above until all test requests have been sent to the service device for security testing, at which point the test ends.

In the above process, the more comprehensive the rules in the preset rule base, or the richer the initial business requests, the larger the range of the web service that the test requests generated from them can cover, and the better and more efficient the security testing.

IoT devices are now widely used in smart living, transportation, industry and other fields, and their web services are a high-incidence area for vulnerabilities. When the web service security testing method of Fig. 1 is applied to IoT web services, because IoT device web services are developed in C/C++ rather than in scripting languages such as Java and PHP, the method cannot detect C/C++ coding defects (for example buffer overflows and integer overflows). In addition, the functions of IoT device web interfaces differ from those of existing web service interfaces, so the method cannot test all functions of the IoT web service; security testing of IoT web services is therefore inefficient and ineffective.

The present application therefore provides a security testing method for IoT web services in which the security testing device identifies the application scenario of the IoT device and the types of its key parameters, determines the mutation rules used to generate IoT web service test requests, and determines program vulnerabilities from the monitoring information obtained from the IoT device. The method introduces fuzz testing into the security testing of IoT web services, can automatically and comprehensively test an IoT web service without knowing its program source code, improves the efficiency of security testing, and, with suitable mutation rules, raises program coverage and detects more unknown program vulnerabilities. The method is applied to the security testing device in the system shown in Fig. 2.

Fig. 2 is a schematic structural diagram of an IoT web service security testing system provided by an embodiment of the present application. The system includes a security testing device 210 and an IoT device 220, connected through a network 230.

In a specific implementation, the IoT device may be a router, surveillance camera, smart home appliance, smart speaker or other non-standard computing device connected to the network by wire or wirelessly; it can transmit data, communicate and interact, and be monitored and controlled remotely. Different IoT devices in different application scenarios provide different external web services: for example, a router provides network configuration and management functions, while the services provided by a smart speaker are simpler.

In a possible implementation, the IoT device may be replaced by any device or chip that provides an external interface or a remote access function; this application does not specifically limit it.

In a specific implementation, the security testing device may be a mobile phone, tablet or desktop computer with IoT web service security testing software installed, or a bare metal server (BMS), container, virtual machine (VM) or the like that includes the IoT web service security testing application; this application does not specifically limit it.

Fig. 3 is a flow chart of an IoT web service security testing method provided by an embodiment of the present application. The method is applied to the security testing device in the IoT web service security testing system of Fig. 2 and includes the following steps.

Step S310: the security testing device acquires first data, where the first data is a request or response of the IoT web service acquired by the security testing device.

The security testing device crawls requests or responses of the IoT web service with a crawler program.

In a possible implementation, because IoT device web services are relatively simple and have typical characteristics (for example, the site home page requires an administrator password to log in), the security testing device chooses the crawler program according to the application scenario of the IoT device. A crawler customised to the application scenario can obtain the device's service interfaces more accurately and efficiently, improving the efficiency of first-data acquisition. The security testing device may also acquire the first data in other ways; this application does not specifically limit it.

Step S320: the security testing device mutates the first data to obtain first test data and sends the first test data to the IoT device.

After acquiring the first data, the security testing device identifies a first parameter contained in it, where the first parameter affects the operation of the IoT device. According to the first parameter the security testing device determines a first rule applicable to IoT web service security testing, mutates the first data according to the first rule to obtain the first test data, and sends the first test data to the IoT device.

In a possible implementation, the first parameter may be part of the request header, a hardware-interface-related parameter, content that can be parsed and understood such as a number, string or IP address, a parameter related to the product's interface functions, and so on; this application does not specifically limit it. By identifying the first parameter, the security testing device can determine which data to mutate in the subsequent mutation of the first data, so as to affect the operation of the IoT web service, raise its program coverage further, trigger IoT web service vulnerabilities, and improve security testing efficiency.

In a possible implementation, after identifying the first parameter in the first data and its type, the security testing device determines a suitable first rule according to the first parameter and its type. The determination of the first rule may also depend on more or fewer factors such as the application scenario of the IoT device; this application does not specifically limit it. Using the first rule to mutate the first data allows comprehensive testing of the IoT web service's functions and improves security detection efficiency.

In a possible implementation, the first rule includes mutation rules based on conventional program coverage and mutation rules based on the characteristics of IoT device web services. The mutation rules based on conventional program coverage include copying the input multiple times, incrementing or decrementing numeric data, replacing the original input according to its input type, and so on; this application does not specifically limit them. The mutation rules based on the characteristics of IoT device web services include rules for triggering buffer overflow and command injection vulnerabilities, integer overflow and integer wrap-around vulnerabilities, serialization and deserialization vulnerabilities, and so on. The first rule may also include more or less content; this application does not specifically limit it.

In a specific implementation, when the first data includes "Host: 192.168.128.30", the security testing device recognizes, from the first data, that Host corresponds to an IP address, and thereby determines the type of the first parameter. The security testing device determines the first rule to use according to the first parameter and its type, mutates the first data by replacing the IP address "192.168.128.30" with forms such as "0.0.0.0", "11111.0.0.0" or "3.300", generates a series of first test data, and sends the first test data to the IoT device. In the above process, the security testing device identifies the first parameter and its type in the first data and thereby determines a suitable first rule, which can greatly speed up the generation of first test data, raise the probability that the first test data triggers potential problems in the IoT web service, achieve comprehensive functional testing of the IoT web service, and improve security testing efficiency.

The above method for generating first test data addresses the problem that the first data is limited and fixed, which results from the simple interface logic and limited functions of IoT device web services. By mutating the first data according to the first rule to generate a plurality of different first test data, the security testing device can increase the program coverage of the IoT web service or increase the variation in the IoT device's responses, improving the effect of security testing.

Step S330: the IoT device generates a first monitoring result and a first response according to the first test data, and sends the first monitoring result and the first response to the security testing device.

After receiving the first test data, the IoT device runs the web service program, executes the monitoring function, generates the first monitoring result and the first response, and sends both to the security testing device. The first monitoring result is used to reveal vulnerabilities in the IoT web service and includes one or more of a first anomaly, first error information, or a first program coverage. There is a one-to-one correspondence between the first monitoring result and the first test data, and a one-to-one correspondence between the first response and the first test data.

In a possible implementation, the first anomaly in the first monitoring result refers to a situation in which a function of the test target produces an unexpected result while the main function still runs normally; the first error information refers to information indicating that the test target cannot run normally, such as a crash, exit or restart; and the first program coverage refers to the proportion of the functions of the test object that have been executed. This application does not specifically limit the information included in the first monitoring result. The first monitoring result obtained by the security testing device, including the first anomaly, the first error information or the first program coverage, can be used to evaluate the security testing effect of the corresponding first test data. For example, an increase in the first program coverage indicates that the security test is more thorough, and the obtained response can then be used as new test data when program coverage increases, enriching the types of test data and improving security testing efficiency. The first monitoring result may include more or less content; this application does not specifically limit it.

In a possible implementation, the IoT device executes the monitoring function after the web service program runs. Monitoring of web-service-related data can be implemented through firmware emulation, monitoring agent injection, debug mode, or other methods, to obtain the first program coverage, first anomaly, first error information and so on corresponding to the first test data. In the firmware emulation method, software is written to emulate hardware behaviour so that the IoT device's firmware package runs in an emulated environment instead of on the real device; the test target can also be run and monitored in a virtual environment. In monitoring agent injection, a set of purpose-built programs is written and implanted into the IoT device under test to monitor it and report the monitoring results. Debug mode applies to some IoT devices: a debug switch is turned on to enter debug mode, in which the IoT device can directly obtain the relevant monitoring results. This application does not specifically limit how the IoT device's monitoring function is implemented during security testing.

In a possible implementation, in addition to monitoring program coverage, anomalies and error information, the IoT device also determines whether the generated first response shows an obvious change.

In the above process, after receiving the first test data, the IoT device obtains program coverage, anomalies, error information and other data through firmware emulation, monitoring agent injection, debug mode or other methods. This helps the security testing device determine the potential problems in the IoT web service detected by the test data and, compared with the prior art, which analyses possible vulnerabilities from the response alone, improves security testing efficiency.

Step S340: the security testing device receives the first monitoring result and the first response, and determines, according to the first monitoring result, whether the IoT web service has a vulnerability.

The security testing device determines whether the received first monitoring result contains a first anomaly or first error information, and determines whether the IoT web service has a vulnerability according to the first anomaly and the first error information.

In a possible implementation, when a first anomaly or first error information is present, the security testing device records the first anomaly and the first error information and determines the vulnerability in the IoT web service detected by the first test data. Compared with the prior-art method of analysing whether the web service has a vulnerability from the first response, this is more convenient and accurate and can improve the effect of security testing.

In another possible implementation, when neither a first anomaly nor first error information is present, the security testing device determines that the first test data did not detect a vulnerability in the IoT web service. The security testing device then determines whether the test data queue contains test data that has not yet been sent to the IoT device; if unsent test data exists, the security testing device repeats step S340, and if none exists, the security testing device ends the current round of security testing.

In addition to determining, according to the first monitoring result, whether the IoT web service has a vulnerability, the security testing device also determines, according to the first monitoring result and the first test data, whether new test data can be obtained.

In a possible implementation, when the first program coverage in the first monitoring result has increased, the security testing device sends the first response to the test data queue, to be sent to the IoT device as test data. Using the first response as test data enriches the types of test data sent to the IoT device, increases program coverage to a greater extent, and improves security testing efficiency.

In a possible implementation, after the security testing device receives the first monitoring result and the first response, if the first test data has not completed all of its mutations, the security testing device mutates the first test data according to the first rule to obtain second test data. Generating second test data increases program coverage to a greater extent and improves the efficiency and effect of security testing.

In a possible implementation, after obtaining the first monitoring result and the first response, the security testing device needs to determine whether the first program coverage in the first monitoring result has increased and whether the first test data has completed all of its mutations, and obtains new test data according to the results of these determinations.

As shown in FIG. 4, which is a flow chart of part of a fuzzing method provided by an embodiment of this application, the security testing device performs the following steps.

Step S410: the security testing device determines whether the first program coverage in the first monitoring result has increased.

If the first program coverage in the first monitoring result has increased, the security testing device executes step S420; if it has not increased, the security testing device executes step S430.

Step S420: the security testing device sends the first response to the test data queue.

When the first program coverage in the first monitoring result has increased, the security testing device determines that the first test data corresponding to that first monitoring result reached a previously unexercised part of the IoT device's web program. It therefore sends the first response corresponding to that first test data to the test data queue, to be sent to the IoT device for subsequent security testing. This increases the types of test data sent to the IoT device, raises program coverage to a greater extent, and improves security testing efficiency.

Step S430: the security testing device determines whether the first test data has completed all of its mutations.

When the program coverage in the monitoring result has not increased, or after the security testing device has sent the first response corresponding to the first test data to the test data queue, the security testing device determines whether the first test data has completed all of its mutations.

If the first test data has not completed all of its mutations, the security testing device executes step S440.

If the first test data has completed all of its mutations, the security testing device executes step S450.

Step S440: the security testing device mutates the first test data to obtain second test data.

In a possible implementation, the security testing device uses the first rule to mutate the first test data, obtains second test data, and sends the second test data to the test data queue; the specific process is the same as the process by which the security testing device mutates the first data to obtain the first test data. By obtaining second test data from the first test data, the security testing device generates more test data, which increases program coverage, triggers unknown vulnerabilities in the IoT web service, achieves better security testing results, and improves security testing efficiency.

Step S450: the security testing device determines whether the test data queue is empty.

In a possible implementation, when the test data queue is not empty, the security testing device continues to send the first test data, first responses or second test data contained in the test data queue to the IoT device, receives the monitoring results and responses sent by the IoT device, and executes step S340 and the steps in FIG. 4 until it has sent all of the test data in the test data queue to the IoT device. This process allows the security testing device to send as much test data as possible to the IoT device and to test the functions of the IoT web service comprehensively, improving the effect of security testing.

In another possible implementation, when the test data queue is empty, the security testing device executes step S460.

Step S460: the security testing device ends the current round of security testing.

In a possible implementation, when the current round of security testing ends, the security testing device generates a second rule according to the monitoring results corresponding to the plurality of first test data and the plurality of second test data obtained in the current round. In a new round of IoT web service security testing, the security testing device mutates the newly acquired first data according to the second rule to obtain new first test data; this application does not specifically limit this.
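The coverage-guided loop of steps S330 to S460 above, written out as an added example that is not code from the patent: a constructed stand-in for the IoT device returns a monitoring result and a response for each datum, responses that raised coverage are re-queued as test data, and each datum is mutated until its mutations are exhausted. The toy device, the `MAX_DEPTH` bound used to model "all mutations completed", and the small `mutate` rule are assumptions.

```python
from collections import deque

# Assumption: a datum has "completed all mutations" once it has been
# mutated through this many generations (the patent leaves this open).
MAX_DEPTH = 3


class SimulatedDevice:
    """Constructed stand-in for the IoT device and its monitoring function.
    For each test datum it returns a monitoring result (program coverage,
    anomaly, error information) and a response, as in step S330."""

    def __init__(self):
        self.covered = set()  # toy "basic blocks" executed so far

    def run(self, test_data):
        blocks = {"entry"}
        error = anomaly = ""
        if test_data.isdigit():
            blocks.add("int_path")
            if int(test_data) > 2**31 - 1:
                blocks.add("int_overflow_path")
                error = "crash: integer overflow"          # toy error information
        elif len(test_data) > 512:
            blocks.add("long_input_path")
            if len(test_data) > 4096:
                anomaly = "unexpected result: input truncated"  # toy anomaly
        new_blocks = blocks - self.covered
        self.covered |= blocks
        monitoring = {
            "coverage": len(self.covered),
            "coverage_increased": bool(new_blocks),
            "anomaly": anomaly,
            "error": error,
        }
        response = "echo:" + test_data[:32]   # the device's (first) response
        return monitoring, response


def mutate(test_data):
    """Minimal first rule for the toy: the integer values named on the page
    plus one 32-bit boundary, and repeated / oversized strings."""
    if test_data.isdigit():
        return ["0", "-1", "100000000", str(2**32)]
    return [test_data * 4, "a" * 1000]


def fuzz_round(first_data, device):
    """One round of steps S330 to S460. Returns (findings, final coverage)."""
    queue = deque([(first_data, 0)])   # test data queue: (datum, mutation depth)
    findings = []
    while queue:                        # S450: empty queue ends the round (S460)
        data, depth = queue.popleft()
        monitoring, response = device.run(data)             # S330
        if monitoring["anomaly"] or monitoring["error"]:     # S340: record it
            findings.append((data, monitoring))
        if monitoring["coverage_increased"]:                 # S410 / S420
            queue.append((response, depth))
        if depth < MAX_DEPTH:                                # S430 / S440
            for second in mutate(data):
                queue.append((second, depth + 1))
    return findings, len(device.covered)


if __name__ == "__main__":
    found, cov = fuzz_round("209", SimulatedDevice())
    for datum, m in found:
        print(len(datum), m["error"] or m["anomaly"])
    print("blocks covered:", cov)
```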

In a possible implementation, the IoT web service security testing method provided by this application can be applied not only to IoT devices but also to many other application scenarios, for example various chips that send and receive wireless data, or various devices controlled by infrared; this application does not specifically limit this. In other words, the security testing method provided by this application is applicable to any device or chip that exposes an external interface or provides any kind of remote access function. Where the device to be tested has an access barrier and requires protocol parsing, the security testing method provided by this application can be connected and the security test performed after a specialist has handled that.

In a specific implementation, an example of the first data is as follows:

POST /check.cgi?data=check_aio HTTP/1.1

Host: 192.168.128.30

Connection: keep-alive

Content-Length: 209

submit_flag=ntp_debug&conflict_wanlan=&ntpserver1=time.test1.com

&ntpserver2=a.test.com&ntpadjust=0&hidden_ntpserver=GMT8&h

When the security testing device has obtained the above first data, it identifies the first parameters included in the first data and their types. For example, the security testing device recognizes that "check_aio", corresponding to data, is a character string; that "192.168.128.30", corresponding to Host, is an IP address, i.e. a dotted numeric structure; that "209", corresponding to Content-Length, is an integer; and that "a.test.com", corresponding to ntpserver2, is, like an IP address, composed of a dotted structure.

Based on the character string "check_aio", the security testing device selects the first rule for constructing inputs that trigger buffer overflow and command injection vulnerabilities, mutates the first data according to that rule by replacing "check_aio" with a string of 1000 "a" characters ("a"*1000) or with further strings of different lengths, obtains a plurality of first test data, and sends the first test data to the IoT device. The security testing device then obtains the first monitoring result and first response corresponding to the first test data, records the anomalies and error information produced by the IoT web service, and, if the first test data has not completed all of its mutations, mutates the first test data further. Based on the integer "209" in the first test data, the security testing device selects the first rule for constructing and triggering integer overflow, mutates "209" into values such as "0", "-1" and "100000000", obtains a plurality of second test data, and sends the second test data to the IoT device. The security testing device repeats the above process until no test data remains in the test data queue, then ends the current round of security testing; the vulnerabilities in the IoT web service can be determined from the recorded anomalies and error information.

At present there is no security testing method specific to IoT web services; existing security testing methods for web services in the information and communication technology field are simply applied to the security testing of IoT web services. In the security testing method provided by this application, the security testing device mutates the first data to obtain first test data, mutates the first test data in turn to obtain second test data, and sends the first test data and the second test data to the IoT device. The first rule is a mutation rule determined from the first data and suited to IoT web service security testing; the first test data and second test data generated according to the first rule can test the functions of the IoT web service more comprehensively, increase program coverage, uncover potential vulnerabilities in the IoT web service to a greater extent, and improve both the effect and the efficiency of security testing. The security testing device can determine potential vulnerabilities in the IoT web service from the monitoring results that the IoT device generates for the first test data or second test data, which is more convenient and improves security testing efficiency.

In summary, in the embodiments of this application, the security testing device introduces fuzzing into the security testing of IoT web services: it automatically generates a series of unconventional test data according to special mutation rules, sends them to the device under test, and uses the monitoring results generated by the device under test to examine the anomalies, error information and program coverage of the program under test. This makes it possible to determine potential vulnerabilities from the monitoring results without knowing the source code of the web service program, improving the effect of security testing.

As shown in FIG. 5, which is a schematic structural diagram of a security testing apparatus provided by an embodiment of this application, the security testing apparatus is applied to the security testing device in the IoT web service security testing system shown in FIG. 2 and to the IoT web service security testing method shown in FIG. 3. The security testing apparatus 500 includes an acquisition module 510, a mutation module 520, a sending module 530 and a receiving module 540. The acquisition module is configured to acquire first data, where the first data is a request or response of the IoT web service acquired by the acquisition module; the mutation module is configured to mutate the first data to obtain first test data; the sending module is configured to send the first test data to the IoT device, where the IoT device provides the IoT web service; and the receiving module is configured to receive the first monitoring result sent by the IoT device, which includes one or more of a first anomaly, first error information or a first program coverage, and to determine, according to the first monitoring result, whether the IoT web service has a vulnerability.

The acquisition module, mutation module, sending module and receiving module may each be implemented in software or in hardware. The mutation module is used below as an example to describe how such a module is implemented; the acquisition, sending and receiving modules can be implemented in the same way.

As an example of a module as a software functional unit, the mutation module may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine or a container, and there may be one or more computing instances. For example, the mutation module may include code running on multiple hosts/virtual machines/containers. The multiple hosts/virtual machines/containers used to run the code may be located in the same region or in different regions. Further, they may be located in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers; a region typically includes multiple AZs.

Likewise, the multiple hosts/virtual machines/containers used to run the code may be located in the same virtual private cloud (VPC) or in multiple VPCs. A VPC is typically set up within one region; cross-zone communication between two VPCs in the same region, or between VPCs in different regions, requires a communication gateway in each VPC, and the VPCs are interconnected through these gateways.

As an example of a module as a hardware functional unit, the mutation module may include at least one computing device, such as a server. Alternatively, the mutation module may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be implemented as a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.

The multiple computing devices included in the mutation module may be located in the same region or in different regions, in the same AZ or in different AZs, and in the same VPC or in multiple VPCs. These computing devices may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, GALs and the like.

The acquisition module executes step S310 in FIG. 3, the mutation module executes step S320 in FIG. 3, the sending module executes step S320 in FIG. 3, and the receiving module executes step S340 in FIG. 3. It should be noted that in other embodiments, the acquisition module, mutation module, sending module and receiving module may each be used to execute any step of the federated learning running method shown in FIG. 2; the steps for which each module is responsible can be designated as needed, and the acquisition, mutation, sending and receiving modules implement different steps of the IoT web service security testing method shown in FIG. 3 so as to realize all functions of the security testing apparatus.

As shown in FIG. 6, which is a schematic structural diagram of a computing device provided by an embodiment of the present invention, the computing device 600 may be the security testing device in FIG. 2 and is applied to the IoT web service security testing method shown in FIG. 3. The computing device 600 includes a processor 610, a memory 620, a communication interface 630 and a bus 640, and the processor, memory and communication interface communicate through the bus. The computing device 600 may be a server or a terminal device. It should be understood that this application does not limit the number of processors or memories in the computing device 600.

The processor 610 may consist of at least one general-purpose processor, for example a central processing unit (CPU), or a combination of a CPU and a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor 610 is configured to execute various types of digitally stored instructions and to perform the respective steps that realize the corresponding functions.

The memory 620 may be a volatile memory, such as random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), double data rate SDRAM (DDR), a cache, and so on; the memory may also include a combination of the above types. The memory 620 contains executable program code; by executing this program code, the processor 610 can realize the functions of the acquisition module 510, the mutation module 520 and the sending module 530 described above, and thereby carry out the security testing method for the Internet of Things web service in FIG. 3. That is, the memory 620 stores instructions for executing the security testing method for the Internet of Things web service in FIG. 3.

The communication interface 630 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to realize communication between the computing device 600 and other devices or communication networks; it may be used to receive the response results, monitoring results and the like sent by the Internet of Things device, which the present application does not specifically limit.

The bus 640 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one line is drawn in FIG. 6, but this does not mean that there is only one bus or only one type of bus. The bus 640 may include pathways that carry information between the components of the computing device 600 (for example, the processor 610, the memory 620 and the communication interface 630).

It should be noted that FIG. 6 is only one possible implementation of the embodiment of the present application; in practice the network device may include more or fewer components, which is not limited here.

The embodiment of the present application also provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device may be a server, for example a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.

As shown in FIG. 7, which is a schematic structural diagram of a computing device cluster provided by an embodiment of the present application, the computing device cluster includes at least one computing device 600. The memories 620 of one or more computing devices 600 in the cluster may store the same instructions for executing the Internet of Things web service security testing method provided by the embodiment of the present application.

In some possible implementations, the memories 620 of one or more computing devices 600 in the cluster may each store a part of the instructions for executing the above Internet of Things web service security testing method. In other words, a combination of one or more computing devices 600 may jointly execute the instructions for the Internet of Things web service security testing method.

It should be noted that the memories 620 in different computing devices 600 in the cluster may store different instructions, and the instructions stored in the memories 620 of different computing devices 600 may implement the functions of one or more of the acquisition module, the mutation module, the sending module and the receiving module.

In some possible implementations, one or more computing devices in the cluster may be connected through a network. The network may be a wide area network, a local area network, or the like. As shown in FIG. 8, which is a schematic structural diagram of one or more computing devices connected through a network according to an embodiment of the present application, two computing devices 600A and 600B are connected through a network; the computing device 600A includes a processor 610A, a memory 620A, a communication interface 630A and a bus 640A, and the computing device 600B includes a processor 610B, a memory 620B, a communication interface 630B and a bus 640B. Specifically, each computing device connects to the network through its communication interface. In this kind of implementation, the memory 620A in the computing device 600A stores instructions that perform the functions of the acquisition module, while the memory 620B in the computing device 600B stores instructions that perform the functions of the mutation module and the sending module. It should be understood that the functions of the computing device 600A shown in FIG. 8 may also be performed by multiple computing devices 600; likewise, the functions of the computing device 600B may be performed by multiple computing devices 600.

The embodiment of the present application also provides a computer program product containing instructions. The computer program product may be software or a program product containing instructions that can run on a computing device or be stored on any available medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to execute the Internet of Things web service security testing method shown in FIG. 3.

The embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid-state drive), or the like. The computer-readable storage medium contains instructions that instruct a computing device to execute the Internet of Things web service security testing method shown in FIG. 3.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or replace some of their technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the protection scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A security testing method for an Internet of Things web service, applied to security testing equipment, the method comprising:
acquiring first data, wherein the first data is a request or a response of the Internet of Things web service acquired by the security testing equipment;
mutating the first data to obtain first test data;
sending the first test data to an Internet of Things device, wherein the Internet of Things device is used to provide the Internet of Things web service;
and receiving a first monitoring result sent by the Internet of Things device, wherein the first monitoring result comprises one or more of a first abnormal condition, first error information and a first program coverage rate, and judging, according to the first monitoring result, whether the Internet of Things web service has a vulnerability.
2. The method of claim 1, wherein after acquiring the first data, the method further comprises:
identifying a first parameter in the first data, wherein the first parameter affects the operation of the Internet of Things device.
3. The method of claim 2, wherein mutating the first data to obtain the first test data comprises:
mutating the first data according to a first rule to obtain the first test data, wherein the first rule is determined by the security testing equipment according to the first parameter.
4. A method according to any one of claims 1 to 3, wherein after sending the first test data to the Internet of Things device, the method further comprises:
receiving a first response sent by the Internet of Things device.
5. The method of claim 4, wherein after receiving the first monitoring result sent by the Internet of Things device, the method further comprises:
in the case that the first program coverage rate has improved, sending the first response to the Internet of Things device.
6. The method of claim 5, wherein the method further comprises:
in the case that all mutations of the first test data have not been completed, mutating the first test data to obtain second test data;
and sending the second test data to the Internet of Things device.
7. A security testing apparatus, applied to security testing equipment, comprising an acquisition module, a mutation module, a sending module and a receiving module, wherein:
the acquisition module is configured to acquire first data, wherein the first data is a request or a response of the Internet of Things web service acquired by the acquisition module;
the mutation module is configured to mutate the first data to obtain first test data;
the sending module is configured to send the first test data to an Internet of Things device, wherein the Internet of Things device is configured to provide the Internet of Things web service;
the receiving module is configured to receive a first monitoring result sent by the Internet of Things device, wherein the first monitoring result comprises one or more of a first abnormal condition, first error information and a first program coverage rate, and to determine, according to the first monitoring result, whether a vulnerability exists in the Internet of Things web service.
8. A cluster of computing devices, comprising at least one computing device, each computing device comprising a processor and a memory;
the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device so as to cause the cluster of computing devices to perform the method of claim 1.
9. A computer program product containing instructions that, when executed by a cluster of computing devices, cause the cluster of computing devices to perform the method of claim 1.
10. A computer-readable storage medium comprising computer program instructions which, when executed by a cluster of computing devices, perform the method of claim 1.
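The loop that claims 1 to 6 describe (acquire a captured request, identify the parameters that affect device operation, mutate by a rule chosen from those parameters, send, read the device-side monitor for exceptions, error text and coverage, judge, and keep mutating where coverage grew) is shown below as an added example. It is not code from the patent or from the applicant. The "Internet of Things device" is a constructed in-process handler with a deliberately bounded retry table and a branch-id set that stands in for the device-side monitor; the request, the endpoint path, the parameter allow-list and the mutation values are all constructed for the illustration. In a real deployment the handler call would be an HTTP request and the monitor data would come back from instrumentation on the device.

```python
"""Coverage-guided mutation of a captured IoT web request (added example)."""
import json
import random
from dataclasses import dataclass, field

# Constructed sample of "first data" (claim 1): a captured request to a
# hypothetical device endpoint. Path and field names are invented.
SEED_REQUEST = {
    "path": "/api/v1/wifi",
    "method": "POST",
    "body": {"ssid": "home", "channel": 6, "retries": 3},
}

# Claim 2: parameters that influence device operation. Assumption: a tester
# would derive this allow-list and type map from the device's API description.
OPERATIONAL_PARAMS = {"channel": int, "retries": int, "ssid": str}


@dataclass
class Monitor:
    """Constructed stand-in for the device-side monitoring result (claim 1)."""
    exception: bool = False          # "first abnormal condition"
    error: str = ""                  # "first error information"
    coverage: set = field(default_factory=set)   # "first program coverage"


def device_handler(req, mon):
    """Simulated IoT web service (constructed) with one latent defect."""
    body = req["body"]
    mon.coverage.add("entry")
    try:
        if not isinstance(body.get("ssid"), str):
            mon.coverage.add("bad_ssid")
            raise ValueError("ssid must be a string")
        ch = int(body.get("channel", 1))
        mon.coverage.add("valid_channel" if 1 <= ch <= 14 else "channel_out_of_range")
        retries = int(body.get("retries", 0))
        table = [0] * 8
        table[retries] = ch          # constructed defect: no bound check on retries
        mon.coverage.add("retry_table_write")
        return {"status": 200}
    except ValueError as e:          # handled input error: not a vulnerability
        mon.error = str(e)
        return {"status": 400}
    except IndexError as e:          # unhandled fault surfaces as an abnormal condition
        mon.exception = True
        mon.error = str(e)
        return {"status": 500}


def mutate(req, rng):
    """Claim 3: mutate one operational parameter by a rule chosen from its type."""
    new = json.loads(json.dumps(req))          # deep copy of the JSON-like request
    name = rng.choice(sorted(OPERATIONAL_PARAMS))
    if OPERATIONAL_PARAMS[name] is int:
        new["body"][name] = rng.choice([-1, 0, 7, 8, 15, 2**31, 2**63])
    else:
        new["body"][name] = rng.choice(["", "A" * 64, 1234, None])
    return new


def is_vulnerable(mon):
    """Claim 1 judgement: an abnormal condition on the device counts as a finding."""
    return mon.exception


def fuzz(seed, iterations=200, rng_seed=1):
    """Run the mutate/send/monitor loop; return findings, total coverage, corpus."""
    rng = random.Random(rng_seed)
    seen = Monitor()
    device_handler(seed, seen)                 # baseline coverage of the seed
    seen_coverage, corpus, findings = set(seen.coverage), [seed], []
    for _ in range(iterations):
        case = mutate(rng.choice(corpus), rng)
        mon = Monitor()
        resp = device_handler(case, mon)        # "send" and receive response + monitor
        if is_vulnerable(mon):
            findings.append((case["body"], mon.error, resp["status"]))
        if not mon.coverage <= seen_coverage:   # claim 5: coverage improved ...
            seen_coverage |= mon.coverage
            corpus.append(case)                 # ... so keep mutating from it (claim 6)
    return findings, seen_coverage, corpus


if __name__ == "__main__":
    found, cov, corpus = fuzz(SEED_REQUEST)
    print(f"coverage: {sorted(cov)}")
    print(f"corpus size: {len(corpus)}, findings: {len(found)}")
    for body, err, status in found[:3]:
        print(f"  HTTP {status}: {err} <- {body}")
```

The judgement step is the part worth adapting: here only an unhandled fault counts as a finding, while a 400 with a clean error message is treated as correct input validation, which is the distinction a reviewer of fuzzing output has to make before filing anything.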
CN202310209940.0A 2023-02-25 2023-02-25 Security testing method, device and equipment for web service of Internet of things Pending CN116260643A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310209940.0A CN116260643A (en) 2023-02-25 2023-02-25 Security testing method, device and equipment for web service of Internet of things

Publications (1)

Publication Number Publication Date
CN116260643A true CN116260643A (en) 2023-06-13

Family

ID=86687730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310209940.0A Pending CN116260643A (en) 2023-02-25 2023-02-25 Security testing method, device and equipment for web service of Internet of things

Country Status (1)

Country Link
CN (1) CN116260643A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109032927A (en) * 2018-06-26 2018-12-18 腾讯科技(深圳)有限公司 A kind of bug excavation method and device
CN110191019A (en) * 2019-05-28 2019-08-30 北京百度网讯科技有限公司 Test method, device, computer equipment and the storage medium of vehicle CAN bus
CN110955899A (en) * 2019-12-13 2020-04-03 中国工商银行股份有限公司 Safety test method, device, test equipment and medium
US20210216435A1 (en) * 2020-01-13 2021-07-15 Microsoft Technology Licensing, Llc Intelligently fuzzing data to exercise a service
CN115391792A (en) * 2022-10-26 2022-11-25 北京邮电大学 Fuzzy test method and related equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116956293A (en) * 2023-09-19 2023-10-27 天津华来科技股份有限公司 API security vulnerability detection system and method
CN116956293B (en) * 2023-09-19 2024-01-30 天津华来科技股份有限公司 API security vulnerability detection system and method
CN118764326A (en) * 2024-09-09 2024-10-11 国网四川省电力公司乐山供电公司 A chain information collection and vulnerability troubleshooting method and related products

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination