CN117785650A - Automatic fuzzy test system for embedded browser software - Google Patents
Automatic fuzzy test system for embedded browser software Download PDFInfo
- Publication number
- CN117785650A CN117785650A CN202211515457.7A CN202211515457A CN117785650A CN 117785650 A CN117785650 A CN 117785650A CN 202211515457 A CN202211515457 A CN 202211515457A CN 117785650 A CN117785650 A CN 117785650A
- Authority
- CN
- China
- Prior art keywords
- test
- sample
- software
- program
- fuzzy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000012360 testing method Methods 0.000 title claims abstract description 133
- 238000004458 analytical method Methods 0.000 claims abstract description 10
- 238000000034 method Methods 0.000 claims description 4
- 230000002159 abnormal effect Effects 0.000 claims description 2
- 238000011160 research Methods 0.000 abstract description 8
- 238000005516 engineering process Methods 0.000 abstract description 4
- 238000011161 development Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- VYZAMTAEIAYCRO-UHFFFAOYSA-N Chromium Chemical compound [Cr] VYZAMTAEIAYCRO-UHFFFAOYSA-N 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention discloses an automatic fuzzy test system for embedded browser software, which relates to the technical field of browser software safety research and comprises cloud platform deployment, analysis and identification of general browser software, general browser fuzzy test and file management; according to the automatic fuzzy test system for the embedded browser software, a universal virtual machine template is generated by adopting a virtualization technology, the embedded browser software is automatically added through a built-in fuzzy test frame, the built-in DNS hijacking of the fuzzy test frame is realized, a safety researcher only needs to select corresponding target software in the system by utilizing a browser redirection technology and the like, a fuzzy test environment can be automatically generated, and fuzzy test is carried out on the target software.
Description
Technical Field
The invention relates to the technical field of browser software safety research, in particular to an automatic fuzzy test system for embedded browser software.
Background
Various client software popular in the market at present is used for better user experience, service popularization, profit and other factors, and a plurality of manufacturers embed analysis engines of browsers in the software of the client software for user login, service display, information integration, advertisement pushing and the like.
Different vendors use different development kits and browser parsing engine libraries, are relatively fixed, have a hysteresis version compared with the mainstream professional browsers (edge, chrome, firefox, etc.) on the market, have little attention on the security problem of the third party development kit, have uneven levels of developers, and are easy to have security risks.
Because the software of the embedded browser is mostly built in the code with the accessed webpage address, and the accessed path is also various, aiming at the security research of the software, an internal network is mostly required to be simulated, the artificial interference is carried out on the network boundary, the work of security researchers is tedious and low-efficiency, and the influence is not large, so that the situation that the network boundary needs to be simulated when the security research of the software of the browser is carried out in the prior art exists, the research environment is complex, the built-in address is various, and the manual configuration is required, thereby the manual efficiency is low.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an automatic fuzzy test system aiming at embedded browser software, which solves the problems that most of the accessed webpage addresses are built in codes and the access paths are various due to the embedded browser software in the background art, so that an internal network is required to be simulated for safety research of the software, artificial interference is carried out on a network boundary, the work of safety researchers is tedious and low-efficiency, and the influence is small, so that the network boundary is required to be simulated when the safety research of the browser software is carried out in the prior art, the research environment is complex, the built-in addresses are various, and manual configuration is required, and the manual efficiency is low.
In order to achieve the above purpose, the invention is realized by the following technical scheme: an automatic fuzzy test system for embedded browser software comprises cloud platform deployment, analysis and identification of universal browser software, universal browser fuzzy test and file management;
the cloud platform deployment is used for rapidly distributing and deploying virtualized environment resources and maintaining the operation of the whole system;
the universal browser software analysis and identification is used for identifying a browser module in the main stream application software and providing support for fuzzy test of the universal browser software;
the universal browser fuzzy test is used for carrying out fuzzy test on browser software embedded in the mainstream application software;
the file management is used for providing support for dynamically updating test samples and program components for the fuzzy test.
Optionally, the cloud platform deployment comprises cloud platform host management, fuzzy test template machine generation and template machine deployment, wherein the cloud platform host management is used for managing host machines in the private cloud platform; the user can dynamically add and delete any host node by using the cloud platform host management module; the fuzzy test template machine is used for dynamically generating a virtual environment which can be adapted to the software selected by the user and the fuzzy test according to the original host template selected by the user and different software in the universal browser software library; the template machine deployment is used for remotely issuing and deploying the generated fuzzy test template machine to a server node appointed by a user, and operating and starting the template machine.
Optionally, the resolving and identifying of the generic browser software includes resolving and identifying HTTP traffic and universal DNS hijacking and redirecting, where the universal DNS hijacking and redirecting are used to start and intercept the built-in access address of the test target software through DNS hijacking, and redirect the address to the test web page of the access setting.
Optionally, the pan-browser fuzzy test comprises automatic sample generation, artificial sample access and automatic fuzzy test, wherein the automatic sample generation is used for calling the automatic sample generation to dynamically generate a sample file after the artificial sample is tested; the automatic fuzzy test is used for fuzzy test programs built in the fuzzy test virtual machine, manual sample files are preferentially selected for fuzzy test, and then the newly generated dynamic generated sample files are used for fuzzy test on target software; and the artificial sample access is used for accessing a preset artificial sample when the fuzzy test program built in the fuzzy test virtual machine selects the artificial sample file to perform the fuzzy test.
Optionally, the file management includes a generic browser software library, a crash record, a program and a sample update, where the generic browser software library is configured to store relevant data of a plurality of browser software; the crash record is used for storing abnormal program crashes detected by the fuzzy test program; the program and sample update is used for updating the program and sample file.
Optionally, after the program detected by the fuzzy test program is crashed abnormally, the universal browser software library records a log of a crashed site and a sample file which is currently crashed, and packages and uploads the data to a system platform.
Optionally, before the program and the sample are updated, the monitor program built in the fuzzy test virtual machine requests whether the program and the sample file with new versions need to be updated from the server, if so, the program or the sample is updated first, then the monitor program is restarted, and if not, the program or the sample is not updated.
Optionally, the HTTP traffic parsing and identifying may learn which fixed URL addresses the target software needs to access through the data requested by the software and the set test script, and the type, version, etc. of the browser parsing engine of the target software is convenient for the user to adjust and optimize the test sample with the existing information.
The invention provides an automatic fuzzy test system for embedded browser software, which has the following beneficial effects:
according to the automatic fuzzy test system for the embedded browser software, a universal virtual machine template can be generated by adopting a virtualization technology, the embedded browser software is automatically added through the built-in fuzzy test frame, the built-in DNS hijacking of the fuzzy test frame is realized, a safety researcher only needs to select corresponding target software in the system by utilizing a browser redirection technology and the like, a fuzzy test environment can be automatically generated, and fuzzy test is carried out on the target software, so that compared with the prior art, the system can automatically generate the virtual machine test environment of the target software, meanwhile, a complex network environment is integrated into the system, the researcher does not need to additionally configure the environment, the automatic fuzzy test can be carried out on the target software, and manual operation is reduced.
Drawings
FIG. 1 is a schematic diagram of a module structure of the present invention;
FIG. 2 is a flow chart of the system of the present invention;
FIG. 3 is a block diagram of software developed in accordance with the present technique.
In the figure: 1. deploying a cloud platform; 2. managing a cloud platform host; 3. generating a fuzzy test template machine; 4. deploying a template machine; 5. the universal browser software analyzes and identifies; 6. HTTP traffic analysis and identification; 7. universal DNS hijacking and redirection; 8. performing fuzzy test on the universal browser; 9. automated sample generation; 10. artificial sample access; 11. automatic fuzzy test; 12. managing files; 13. a pan browser software library; 14. a crash record; 15. program and sample updates.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments.
Example 1
Referring to fig. 1 and 2, the present invention provides a technical solution: an automatic fuzzy test system for embedded browser software comprises cloud platform deployment 1, analysis and identification 5 of general browser software, fuzzy test 8 of general browser and file management 12;
the cloud platform deployment 1 is used for rapidly distributing and deploying virtualized environment resources and maintaining the operation of the whole system;
the universal browser software analysis and identification 5 is used for identifying a browser module in the main stream application software and providing support for fuzzy test of the universal browser software;
the universal browser fuzzy test 8 is used for carrying out fuzzy test on browser software embedded in the main stream application software;
file management 12 provides support for dynamic updating of test samples and program components for fuzzy testing.
Further, the cloud platform deployment 1 comprises cloud platform host management 2, fuzzy test template machine generation 3 and template machine deployment 4, wherein the cloud platform host management 2 is used for managing hosts in the private cloud platform; the user can dynamically add and delete any host node by using the cloud platform host management 2 module; the system has extremely strong calculation resources and dynamic expansibility of storage, and the fuzzy test template machine generates 3 which is used for dynamically generating a virtual environment which can adapt to software selected by a user and fuzzy test according to different software in an original host template selected by the user and the universal browser software library 13; and the template machine deployment 4 is used for remotely issuing and deploying the generated fuzzy test template machine to a server node designated by a user and starting the operation.
Further, the universal browser software analysis and identification 5 comprises HTTP traffic analysis and identification 6 and universal DNS hijacking and redirection 7, wherein the universal DNS hijacking and redirection 7 is used for starting and intercepting the built-in access address of the test target software through DNS hijacking and redirecting the address to the test webpage of the access setting, so that the automatic fuzzy test can be carried out on the browser software.
Further, the universal browser fuzzy test 8 comprises an automatic sample generation 9, a manual sample access 10 and an automatic fuzzy test 11, wherein the automatic sample generation 9 is used for calling the automatic sample generation 9 to dynamically generate a sample file after the manual sample is tested; the automatic fuzzy test 11 is used for fuzzy testing a built-in fuzzy test program of the virtual machine, preferably selecting an artificial sample file for fuzzy testing, and then using a newly generated dynamic generation sample file for fuzzy testing the target software; and the artificial sample access 10 is used for accessing a preset artificial sample when the fuzzy test program built in the fuzzy test virtual machine selects an artificial sample file to perform the fuzzy test.
Further, the file management 12 includes a generic browser software library 13, a crash record 14, and a program and sample update 15, where the generic browser software library 13 is used to store relevant data of multiple browser software; a crash record 14, configured to store a program exception crash detected by the fuzzy test program; program and sample updates 15 for updating program and sample files.
Further, the universal browser software library 13 records the log of the crash site and the current crash sample file after the program detected by the fuzzy test program is abnormally crashed, and packages and uploads the data to the system platform, so that the user can check the data conveniently.
Further, before the test, the monitor program built in the fuzzy test virtual machine requests the server whether the new version of the program and the sample file need to be updated or not through the program and sample update 15, if the new version of the program and the sample file need to be updated, the program or the sample is updated first, then the monitor program is restarted, and if the new version of the program and the sample file does not need to be updated, the program or the sample is not updated.
Furthermore, the HTTP traffic analysis and identification 6 can learn which fixed URL addresses the target software needs to access through the data requested by the software and the set test script, and the browser of the target software analyzes the type, version and the like of the engine, so that a user can conveniently adjust and optimize the test sample through the existing information.
In summary, when the automatic fuzzy test system for embedded browser software is used, a user can dynamically add and delete any host node through the cloud platform host management 2, the user dynamically generates a virtual environment which can adapt to the software selected by the user and the fuzzy test according to the original host template selected by the user and different software in the universal browser software library 13 through the fuzzy test template machine generation 3, then the template machine deployment 4 remotely distributes and deploys the generated fuzzy test template machine to a server node appointed by the user, and operates and starts, after the appointed fuzzy test virtual machine is deployed and operates, a monitoring program built in the fuzzy test virtual machine requests a server whether a new version of program and a sample file need to be updated through a program and sample update 15, if the test target software needs to be updated, updating a program or a sample, restarting a monitoring program, then using DNS hijacking through a universal DNS hijack and redirection 7, starting and intercepting a built-in access address of the test target software, redirecting the address to a test webpage with access setting, analyzing and identifying 6 data requested by the software and a set test script through HTTP traffic, recording fixed URL addresses to be accessed by the target software, analyzing the type, version and the like of an engine of a browser of the target software, facilitating a user to adjust and optimize the test sample through the existing information, and when the user selects to start a test task, carrying out fuzzy test on a fuzzy test program in an automatic fuzzy test 11 built in a fuzzy test virtual machine, and preferentially selecting a manual sample file for fuzzy test; when the manual sample test is finished, the fuzzy test program dynamically generates a sample file by using the automatic sample generation 9, and uses a new sample to carry out fuzzy test on the target software, if the fuzzy test program detects that the program is abnormally crashed in the fuzzy test process, a log of a crashed field and the sample file which is currently crashed are recorded through a crashed record 14, and the log and the sample file are packaged together and uploaded to a system platform, so that a user can conveniently check the program.
Example two
Referring to fig. 3, software developed according to the present system includes: the system comprises a login module, an admin module, a node management module, a template management page module and a virtual machine management page module;
the login module comprises a user name module and a password module; the user name module is used for inputting registered user names by a user; the password module is used for inputting a password corresponding to the registered user name by the user.
The admin module comprises an exit module and a password modifying module; the exit module is used for exiting the software through the exit module after the user logs in the software; and the password modifying module is used for modifying the password after the user successfully logs in, the old password and the new password are required to be input, clicking the modified password to modify the password, and inputting the new password into the bullet box to modify.
The node management module comprises a node adding module, a node deleting module and a node connection testing module; the node adding module is used for adding a node button, inputting a new node address, a user name and adding a node; the node deleting module is used for selecting the node record, clicking the deleting button of the operation area or clicking the deleting button under the operation column of the corresponding node record to delete the node record; the node connection test module is used for clicking a connection test button under the node recording operation column and judging the node connection state.
The template management page module comprises a template downloading module, a template creating module and a template deleting module; the template downloading module is used for downloading the template required to be used; the template creation module is used for classifying the software according to the selected host template, clicking a creation button after the software name, and creating a new template; and the template deleting module is used for selecting a certain record and clicking a deleting button under an operation instruction column to delete the template.
The virtual machine management page module comprises a virtual machine creation module, a virtual machine starting module, a virtual machine shutdown module, a virtual machine restarting module, a virtual machine vnc viewing module and a virtual machine deleting module.
Application scene:
some security researchers need to detect the security of some software, test the security of some software, or conduct vulnerability mining.
The testing process comprises the following steps:
the tester logs in the system, clicks a template management page module, selects a host template as pan_win7x86.qcow2, selects corresponding classification and software in software classification, clicks and creates, and generates a virtual machine template needing to be subjected to fuzzy test.
Clicking a virtual machine management page module, clicking and creating, selecting a server IP through a node management module, selecting software which is just created by a software template, selecting default by a network card, selecting the number of CPUs, selecting 2G of memory, selecting 1 of the number of instances, and clicking and creating;
after the creation is completed, the newly created virtual machine including the virtual machine IP address, virtual machine name, etc. is displayed on the current page. Virtual machine state can be checked by clicking on VNC icons on virtual machine records
The task center under the universal browser fuzzy test 8 clicks to create, and the target software just created is selected in the software category to click to create the task.
At this time, a new task record is generated on the current page, and the fuzzy test progress and the virtual machine state can be checked by clicking the VNC icon. The task can be terminated here as the case may be.
If the target software generates a crash record, the crash record can be checked by clicking a test result, the crash record comprises the crash time of the target software, a crash sample and a crash site, and a tester can select a corresponding record to download for analysis.
The foregoing is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art, who is within the scope of the present invention, should make equivalent substitutions or modifications according to the technical scheme of the present invention and the inventive concept thereof, and should be covered by the scope of the present invention.
Claims (8)
1. An automatic fuzzy test system for embedded browser software, which is characterized in that: the method comprises cloud platform deployment (1), universal browser software analysis and identification (5), universal browser fuzzy test (8) and file management (12);
the cloud platform deployment (1) is used for rapidly distributing and deploying virtualized environment resources and maintaining the operation of the whole system;
the universal browser software analysis and identification (5) is used for identifying a browser module in the main stream application software and providing support for fuzzy test of the universal browser software;
the universal browser fuzzy test (8) is used for carrying out fuzzy test on browser software embedded in the main stream application software;
the file management (12) is used for providing support for dynamically updating test samples and program components for fuzzy tests.
2. An automated fuzzing test system for embedded browser software according to claim 1, wherein: the cloud platform deployment (1) comprises cloud platform host management (2), fuzzy test template machine generation (3) and template machine deployment (4), wherein the cloud platform host management (2) is used for managing hosts in the private cloud platform; the user can dynamically add and delete any host node by using the cloud platform host management (2) module; the fuzzy test template machine generation (3) is used for dynamically generating a virtual environment which can adapt to software selected by a user and fuzzy test according to different software in an original host template selected by the user and a universal browser software library (13); and the template machine deployment (4) is used for remotely issuing and deploying the generated fuzzy test template machine to a server node appointed by a user, and operating and starting.
3. An automated fuzzing test system for embedded browser software according to claim 1, wherein: the universal browser software analysis and identification (5) comprises HTTP traffic analysis and identification (6) and general DNS hijacking and redirection (7), wherein the general DNS hijacking and redirection (7) is used for starting and intercepting the built-in access address of the test target software through DNS hijacking and redirecting the address to the test webpage of the access setting.
4. An automated fuzzing test system for embedded browser software according to claim 1, wherein: the universal browser fuzzy test (8) comprises automatic sample generation (9), artificial sample access (10) and automatic fuzzy test (11), wherein the automatic sample generation (9) is used for calling the automatic sample generation (9) to dynamically generate a sample file after the artificial sample is tested; the automatic fuzzy test (11) is used for fuzzy testing a built-in fuzzy test program of the virtual machine, preferably selecting an artificial sample file for fuzzy testing, and then using a newly generated dynamic generation sample file for fuzzy testing of target software; and the artificial sample access (10) is used for accessing a preset artificial sample when the fuzzy test program built in the fuzzy test virtual machine selects an artificial sample file to perform the fuzzy test.
5. An automated fuzzing test system for embedded browser software according to claim 1, wherein: the file management (12) comprises a universal browser software library (13), a crash record (14) and program and sample updating (15), wherein the universal browser software library (13) is used for storing relevant data of a plurality of browser software; the crash record (14) is used for storing program abnormal crashes detected by the fuzzy test program; the program and sample updates (15) are used for updating the program and sample files.
6. An automated fuzzing test system for embedded browser software according to claim 5, wherein: and the universal browser software library (13) records a log of a crashed field and a sample file which is currently crashed after the program detected by the fuzzy test program is crashed abnormally, and packages and uploads the data to the system platform.
7. An automated fuzzing test system for embedded browser software according to claim 1, wherein: before testing, the program and sample updating (15) is used for fuzzily testing whether a built-in monitoring program of the virtual machine requests a server for whether a new version of the program and sample files need to be updated or not, if so, the program or sample is updated, then the monitoring program is restarted, and if not, the program or sample is not updated.
8. An automated fuzzing test system for embedded browser software according to claim 1, wherein: the HTTP traffic analysis and identification (6) can learn which fixed URL addresses are to be accessed by the target software through the data requested by the software and the set test script, and the browser of the target software analyzes the type, version and the like of the engine, so that a user can conveniently adjust and optimize the test sample through the existing information.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211515457.7A CN117785650A (en) | 2022-11-29 | 2022-11-29 | Automatic fuzzy test system for embedded browser software |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211515457.7A CN117785650A (en) | 2022-11-29 | 2022-11-29 | Automatic fuzzy test system for embedded browser software |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117785650A true CN117785650A (en) | 2024-03-29 |
Family
ID=90378785
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211515457.7A Pending CN117785650A (en) | 2022-11-29 | 2022-11-29 | Automatic fuzzy test system for embedded browser software |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117785650A (en) |
-
2022
- 2022-11-29 CN CN202211515457.7A patent/CN117785650A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8839107B2 (en) | Context based script generation | |
| US9342273B1 (en) | Automatic communications graphing for a source application | |
| US8245222B2 (en) | Image installer | |
| US7165189B1 (en) | Distributed test framework for clustered systems | |
| US6789215B1 (en) | System and method for remediating a computer | |
| US11449370B2 (en) | System and method for determining a process flow of a software application and for automatically generating application testing code | |
| US8954955B2 (en) | Standard commands for native commands | |
| US8291405B2 (en) | Automatic dependency resolution by identifying similar machine profiles | |
| US20090307763A1 (en) | Automated Test Management System and Method | |
| US20080127093A1 (en) | Server testing framework | |
| US20050071838A1 (en) | System-updating method and computer system adopting the method | |
| JP2001273388A (en) | System and method for security management | |
| US7752005B2 (en) | Integrated instrument driver network | |
| CN113515453B (en) | Webpage testing system | |
| CN115794519A (en) | Test method, test system, electronic device and readable storage medium | |
| CN111708712A (en) | User behavior test case generation method, flow playback method and electronic equipment | |
| CN113342629B (en) | Operation track restoration method and device, computer equipment and storage medium | |
| WO2009108416A2 (en) | Building operating system images based on applications | |
| CN116719736A (en) | Test case generation method and device for testing software interface | |
| CN117785650A (en) | Automatic fuzzy test system for embedded browser software | |
| CN115454856B (en) | Multi-application security detection method, device, medium and electronic equipment | |
| CN113656291A (en) | Dynamic calling method for software script engine | |
| CN111666471A (en) | Information acquisition method and device, computer equipment and storage medium | |
| CN118427802B (en) | Automatic certificate detection method and device, electronic equipment and storage medium | |
| US20240232060A9 (en) | Information processing system with intelligent program smoke testing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |