WO2020019515A1 - Injection vulnerability detection method and device - Google Patents


Info

Publication number
WO2020019515A1
WO2020019515A1 (application PCT/CN2018/108718; CN2018108718W)
Authority
WO
WIPO (PCT)
Prior art keywords
request
dom
field
target
nodes
Prior art date
Application number
PCT/CN2018/108718
Other languages
French (fr)
Chinese (zh)
Inventor
熊庆昌
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2020019515A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Definitions

  • the present application relates to the field of Internet technologies, and in particular, to a method and a device for detecting an injection vulnerability.
  • the injection vulnerability is generated when the code is written without judging the legality of the user input data. Similarity detection is a common method in injection vulnerability detection.
  • the existing similarity detection mainly uses similarity algorithms (such as the locality-sensitive hashing algorithm simhash, the minimum hashing algorithm minhash, etc.) to calculate a similarity value between the page content returned by a true logic (SQL true logic) request and the page content returned by a false logic (SQL false logic) request.
  • When the similarity value is greater than the preset threshold, the two pages are considered similar and there is no injection vulnerability. When the similarity value is less than the preset threshold, the two pages are considered not similar and there is an injection vulnerability.
  • the embodiments of the present application provide an injection vulnerability detection method and device, which can reduce the calculation amount and the calculation difficulty, thereby improving the processing efficiency of detecting an injection vulnerability.
  • an embodiment of the present application provides an injection vulnerability detection method, which includes:
  • a first request and a second request are determined according to the target request.
  • the first request is determined by inserting a field of a first logical type into the target request, and the second request is determined by inserting a field of a second logical type into the target request.
  • the first parsing result includes N first document object model (DOM) nodes, and the second parsing result includes M second DOM nodes, where N and M are both integers greater than or equal to 1;
  • an injection vulnerability detection device where the device includes:
  • a first determining module configured to determine a target request for injection vulnerability detection
  • a second determining module configured to determine a first request and a second request according to the target request determined by the first determining module, where the first request is determined by inserting a field of a first logical type into the target request, and the second request is determined by inserting a field of a second logical type into the target request;
  • a transceiver module configured to send the first request and the second request determined by the second determining module to the server, and to receive the first page content returned by the server for the first request and the second page content returned by the server for the second request;
  • an obtaining module configured to obtain a first parsing result of the first page content received by the transceiver module and a second parsing result of the second page content received by the transceiver module, where the first parsing result includes N first document object model (DOM) nodes and the second parsing result includes M second DOM nodes, N and M being integers greater than or equal to 1;
  • a third determining module configured to determine that an injection vulnerability exists in the server when there is at least one different DOM node between the N first DOM nodes and the M second DOM nodes.
  • an embodiment of the present application provides a terminal, including a processor, an input device, an output device, and a memory.
  • the processor, the input device, the output device, and the memory are connected to each other.
  • the memory is used to store a computer program that supports the terminal in executing the above method; the computer program includes program instructions, and the processor is configured to call the program instructions to execute the injection vulnerability detection method of the first aspect.
  • an embodiment of the present application provides a computer-readable storage medium.
  • the computer storage medium stores a computer program, where the computer program includes program instructions, and when the program instructions are executed by a processor, the processor executes the injection vulnerability detection method of the foregoing first aspect.
  • the embodiment of the present application determines whether there is an injection vulnerability in the server by comparing whether the DOM nodes between the page contents returned by different requests are the same, which can reduce the calculation amount and the calculation difficulty, thereby improving the processing efficiency of detecting the injection vulnerability.
  • FIG. 1 is a schematic diagram of a data structure of an HTTP request
  • FIG. 2 is a schematic flowchart of an injection vulnerability detection method according to an embodiment of the present application.
  • FIG. 3a is a schematic diagram of an HTML DOM tree
  • FIG. 3b is a schematic diagram of a first DOM node and a second DOM node
  • FIG. 4 is another schematic flowchart of an injection vulnerability detection method according to an embodiment of the present application.
  • FIG. 5a is a schematic diagram of a DOM tree structure of a first page content
  • FIG. 5b is a schematic diagram of a first DOM node
  • FIG. 5c is a schematic diagram of a DOM tree structure of a second page content
  • FIG. 5d is a schematic diagram of a second DOM node
  • FIG. 6 is a schematic block diagram of an injection vulnerability detection device according to an embodiment of the present application.
  • FIG. 7 is a schematic block diagram of a terminal according to an embodiment of the present application.
  • the target request, the first request, and the second request in the embodiments of the present application may be different Hypertext Transfer Protocol (HTTP) requests, respectively.
  • An HTTP request can refer to a request message from the client to the server.
  • FIG. 1 is a schematic diagram of a data structure of an HTTP request. The HTTP request consists of three parts: the request line, the request header, and the request body (request data).
  • the HTTP request line contains the request method (such as GET or POST), the Uniform Resource Locator (URL) corresponding to the request, and the protocol name/version number used; the HTTP request header contains many header field names and values, such as the Host field, the Referer field, the Cookie field, etc.; the HTTP request body contains the query string information submitted by the client.
  • the Host field is used to indicate the domain name (IP address) and port number of the server being accessed; the Referer field is used to tell the server which page the request came from; the Cookie field is used to maintain the server session state, and is usually written by the server and then read by the server in subsequent requests.
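As an added illustration of the three-part request structure just described (this is example code written for this page, not code from the patent), the following Python splits a raw HTTP request message into its request line, header fields and body, separates the domain name and port number carried in the Host field, and splits the URL at the "?" that divides the file name from its parameters. The request messages in the block are constructed samples, not captured traffic.

```python
"""Parse an HTTP request message into request line, header fields and body.

Added example for this page; not the patent's code. Standard library only.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not captured traffic): a GET with query parameters.
SAMPLE_GET = (
    "GET /search.html?category=books&id=7 HTTP/1.1\r\n"
    "Host: www.example.com:8080\r\n"
    "Referer: http://www.example.com/index.html\r\n"
    "Cookie: session=constructed-sample\r\n"
    "\r\n"
)

# Constructed sample request: a POST whose query string travels in the body.
SAMPLE_POST = (
    "POST /login.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&lang=en"
)


def parse_http_request(raw: str) -> Dict[str, object]:
    """Split a request message into its three parts.

    The header block ends at the first empty line. HTTP uses CRLF line ends;
    a bare LF is tolerated so hand-written samples also parse.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # no CRLF-delimited blank line; fall back to LF-only text
        head, sep, body = raw.partition("\n\n")
    lines = head.replace("\r\n", "\n").split("\n")

    # Request line: method, request URL, protocol name/version.
    method, url, version = lines[0].split(" ", 2)

    # Header fields: "Name: value" pairs; the first colon separates them.
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()

    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body}


def host_and_port(headers: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Split the Host field into (domain name, port); port is None if absent."""
    host = headers.get("Host", "")
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, None


def url_query(url: str) -> Dict[str, str]:
    """Return the parameter field after the '?' in the URL as a name->value map."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_GET)
    print(req["method"], req["url"], req["version"])
    print(host_and_port(req["headers"]), url_query(req["url"]))
    print(repr(parse_http_request(SAMPLE_POST)["body"]))
```

`parse_qsl` with `keep_blank_values=True` retains parameters that carry an empty value, so a parameter field such as `id=` is still reported rather than silently dropped.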
  • the injection vulnerability detection method provided in the embodiments of the present application can be applied to terminals such as smart phones, tablet computers, and desktop computers.
  • the injection vulnerability detection method provided by the embodiment of the present application may be executed by any terminal of the types described above, or by a functional module (such as a browser) of any such terminal.
  • the injection vulnerability detection method may include steps:
  • the terminal determines a target request for injection vulnerability detection.
  • the terminal may obtain one or more target HTTP requests preset by the user for detecting whether the server has an injection vulnerability.
  • the URL carried in the target HTTP request may be a URL existing in the server, that is, the terminal can normally access the server through the URL.
  • the terminal determines the first request and the second request according to the target request.
  • the terminal may insert a field of a first logical type into the target HTTP request determined above to obtain a first HTTP request, and may insert a field of a second logical type into the target HTTP request to obtain a second HTTP request.
  • the field of the first logical type may be a structured query language (SQL) statement of true logic
  • the field of the second logical type may be a SQL statement of false logic.
  • the terminal may insert a true logical SQL statement in a target field of the target HTTP request to obtain a first HTTP request, and may insert a false logical SQL statement in the target field of the target HTTP request.
  • the target field may include one or more of a Host field, a Referer field, and a Cookie field.
  • the first HTTP request and the second HTTP request are respectively determined by inserting different SQL statements in the same field of the target HTTP request.
  • For example, the Host field of the target HTTP request is "ulog.jd.com". The terminal inserts a preset true logical SQL statement after the Host field of the target HTTP request to obtain the first HTTP request, and inserts the preset false logical SQL statement "and 1>2" after the Host field of the target HTTP request to obtain the second HTTP request, so that the Host field of the second HTTP request is "ulog.jd.com and 1>2".
  • For another example, the Referer field of the target HTTP request is "http://xx.xx.xx.com/xx.html". The terminal may insert the preset true logical SQL statement "or 1<2" after the Referer field "http://xx.xx.xx.com/xx.html" of the target HTTP request to obtain the first HTTP request.
  • S203: the terminal sends the first request and the second request to the server, and receives the first page content returned by the server for the first request and the second page content returned for the second request.
  • the terminal may send the first HTTP request and the second HTTP request to the server; the server receives the first HTTP request and the second HTTP request sent by the terminal, returns the first page content corresponding to the first HTTP request, and returns the second page content corresponding to the second HTTP request.
  • the terminal may receive the first page content and the second page content.
  • the terminal obtains a first analysis result of the first page content and a second analysis result of the second page content.
  • the terminal may parse the received first page content according to the document object model (DOM) to obtain N first DOM nodes, and may parse the received second page content according to the DOM to obtain M second DOM nodes.
  • N and M are integers greater than or equal to 1.
  • the N first DOM nodes include at least one root node and at least one child node, and the M second DOM nodes also include at least one root node and at least one child node.
  • the DOM can logically build a tree model for an HTML document by parsing a Hypertext Markup Language (HTML) document.
  • everything in an HTML document is a node: the entire document is a document node, each HTML element is an element node, the text within an HTML element is a text node, each HTML attribute is an attribute node, and a comment is a comment node.
  • FIG. 3a is a schematic diagram of the HTML DOM tree. In it, the root element is the root node, and each element is a child node.
  • Each HTML document can be parsed into a root element and one or more elements according to the DOM.
  • FIG. 3b is a schematic diagram of a first DOM node and a second DOM node.
  • For example, the first page content content1 is parsed according to the DOM to obtain "root element <bookstore>: Sisyphus Bookstore", "element <book>: books", "element <title>: Harry Potter", "element <author>: J.K. Rowling", "element <year>: 2005" and "element <price>: 29.99", a total of 6 first DOM nodes.
  • the terminal determines that an injection vulnerability exists in the server.
  • the N first DOM nodes include at least one root node and at least one child node, and the M second DOM nodes also include at least one root node and at least one child node.
  • the terminal can compare whether there are differences between the corresponding nodes of the N first DOM nodes and the M second DOM nodes. If there is at least one different DOM node between the N first DOM nodes and the M second DOM nodes, the terminal can determine that an injection vulnerability exists in the above server.
  • the true logical SQL statement and the false logical SQL statement inserted in step S202 will be executed by the above server as SQL query statements, so the first page content and the second page content returned are not similar; after the first page content and the second page content are parsed according to the DOM, there are therefore different DOM nodes.
  • the embodiment of the present application compares whether there are different DOM nodes between the first page content (the page content returned for an HTTP request containing a true logic SQL statement) and the second page content (the page content returned for an HTTP request containing a false logic SQL statement) to determine whether there is an injection vulnerability in the above server, which can reduce the calculation amount of the terminal and reduce the calculation difficulty, thereby improving the processing efficiency of detecting the injection vulnerability.
  • For example, the first DOM nodes and the second DOM nodes are shown in FIG. 3b. The terminal compares "root element <bookstore>: Sisyphus Bookstore" of the first page content content1 with "root element <bookstore>: Sisyph Bookstore" of the second page content content2 and finds that they are different, and compares "element <book>: book" of content1 with "element <book>: book" of content2.
  • the terminal may also compare whether there are differences between the corresponding nodes of all the first DOM nodes and all the second DOM nodes, record the different DOM nodes, and count whether the number of different DOM nodes is greater than or equal to 1. If yes, the terminal determines that an injection vulnerability exists in the above server.
  • the embodiment of the present application determines a target request for injection vulnerability detection, determines a first request and a second request according to the target request, sends the first request and the second request to a server, and receives the first page content returned by the server for the first request and the second page content returned for the second request; it then obtains the first parsing result of the first page content and the second parsing result of the second page content, where the first parsing result includes N first DOM nodes and the second parsing result includes M second DOM nodes; if at least one different DOM node exists between the N first DOM nodes and the M second DOM nodes, it determines that an injection vulnerability exists in the server, which can reduce the calculation amount of the terminal and reduce the calculation difficulty, thereby improving the processing efficiency of detecting the injection vulnerability.
  • the injection vulnerability detection method may include steps:
  • the terminal determines a target request for injection vulnerability detection.
  • For step S401 in the embodiment of the present application, reference may be made to the implementation manner provided by step S201 in the embodiment shown in FIG. 2, and details are not described herein again.
  • the terminal inserts a field of a first logical type into the parameter field of the uniform resource locator (URL) of the target request to obtain a first request.
  • the terminal inserts a field of a second logical type into the parameter field of the URL of the target request to obtain a second request.
  • For the manner in which the terminal determines the first request and the second request according to the foregoing target HTTP request, reference may be made to the implementation manner provided in step S202 of the embodiment shown in FIG. 2, and details are not described herein again.
  • the question mark "?" character is used to separate the file name and the parameters in the URL.
  • the terminal may extract the URL carried by the target HTTP request from the target HTTP request, insert a true logical SQL statement in the parameter field of the URL to obtain the first HTTP request, and insert a false logical SQL statement in the parameter field of the URL to obtain the second HTTP request.
  • the terminal can preset multiple true logical SQL statements and multiple false logical SQL statements. When the terminal inserts a true logical SQL statement in the parameter field of the URL, it can select any one of the preset true logical SQL statements for insertion. Similarly, when the terminal inserts a false logical SQL statement into the parameter field of the URL, it can select any one of the preset false logical SQL statements for insertion.
  • the terminal sends a first request and a second request to the server, and receives the first page content returned by the server for the first request and the second page content returned for the second request.
  • For step S404 in the embodiment of the present application, reference may be made to the implementation manner provided by step S203 in the embodiment shown in FIG. 2, and details are not described herein again.
  • the terminal obtains a first analysis result of the first page content and a second analysis result of the second page content.
  • the terminal matches each first DOM node in the N first DOM nodes with each second DOM node in the M second DOM nodes, and determines whether there are different DOM nodes between the N first DOM nodes and the M second DOM nodes.
  • the terminal may parse the received first page content according to the DOM to obtain the DOM tree structure of the first page content, and then extract N first DOM nodes from that DOM tree structure; likewise, the terminal can parse the received second page content according to the DOM to obtain the DOM tree structure of the second page content, and then extract M second DOM nodes from that DOM tree structure.
  • the terminal may match each first DOM node in the N first DOM nodes with the corresponding second DOM node in the M second DOM nodes to determine the DOM nodes that differ between the N first DOM nodes and the M second DOM nodes. N and M are integers greater than or equal to 1.
  • the N first DOM nodes include at least one root node and at least one child node, and the M second DOM nodes also include at least one root node and at least one child node.
  • the terminal parses the first page content content1 according to the DOM to obtain the DOM tree structure of content1, as shown in FIG. 5a, which is a schematic diagram of the DOM tree structure of the first page content. Each element and each text in the DOM tree structure can be called a node.
  • the terminal can extract N first DOM nodes from the DOM tree structure of content1, as shown in FIG. 5b, which is a schematic diagram of the first DOM nodes.
  • the terminal parses the content of the second page according to the DOM to obtain the DOM tree structure of content2, as shown in FIG. 5c, which is a schematic diagram of the DOM tree structure of the second page content.
  • the terminal can extract M second DOM nodes from the DOM tree structure of content2, as shown in FIG. 5d, which is a schematic diagram of the second DOM nodes.
  • the terminal can compare the content of the text nodes in the N first DOM nodes and the M second DOM nodes, the tag names and tag types of the element nodes (<title>, <author>, <year> and <price>), and whether the content node (<book>) has the same tag name, tag type, tag attributes, number of child nodes, child node types, and so on. If the content of a text node is different, the terminal may determine that the text node is a DOM node that differs between the N first DOM nodes and the M second DOM nodes.
  • If the tag name or tag type of an element node is different, the terminal may determine that the element node is a DOM node that differs between the N first DOM nodes and the M second DOM nodes. If any one of the tag name, tag type, tag attributes, number of child nodes and child node types of the content node is different, the terminal can determine that the content node is a DOM node that differs between the N first DOM nodes and the M second DOM nodes.
  • the terminal determines that an injection vulnerability exists in the server.
  • the terminal may count the number of the different DOM nodes determined above and determine whether that number is greater than or equal to 1. If so, at least one DOM node differs between the N first DOM nodes and the M second DOM nodes, and the terminal may determine that an injection vulnerability exists in the above server. If not, there are no different DOM nodes between the N first DOM nodes and the M second DOM nodes, and the terminal can output a security prompt message to indicate that there is no injection vulnerability in the server.
  • outputting the security prompt information can improve the user experience.
  • the terminal may output alarm prompt information.
  • the alarm prompt information may include the parameter field of the URL of the target HTTP request.
  • the alarm prompt information may be used to prompt programming personnel to process the injection vulnerability in the parameter field of the URL in the above server, which can prevent the information of customers using the above server from being leaked and causing loss of the customers' property.
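The node comparison of steps S405 and S406 above, and the FIG. 3b bookstore comparison in the first embodiment, can be written out as follows. This is an added example for this page, not the patent's code: it uses the standard library `html.parser` to turn each page content into its DOM nodes in document order (each element and each non-blank text run is one node), compares nodes position by position on the properties the text names (text content; tag name; tag attributes; number and types of child nodes), and applies the decision rule "at least one differing node means an injection vulnerability is suspected". The two bookstore pages are constructed sample inputs modelled on the page's content1/content2 example. It generalizes slightly beyond the text: a node present in only one page also counts as a differing node, so a response that drops or adds an element is caught as well.

```python
"""Compare the DOM nodes of two page contents (constructed samples).

Added example for this page; not the patent's code. Standard library only.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional


@dataclass
class DomNode:
    kind: str                          # "element" or "text"
    name: str = ""                     # tag name for elements, "" for text
    attrs: dict = field(default_factory=dict)
    text: str = ""
    children: List["DomNode"] = field(default_factory=list)


class DomBuilder(HTMLParser):
    """Build a DomNode tree; a synthetic #document node holds the top-level elements."""
    VOID = {"br", "img", "input", "meta", "link", "hr"}  # elements without end tags

    def __init__(self) -> None:
        super().__init__()
        self.root = DomNode("element", "#document")
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = DomNode("element", tag, dict(attrs))
        self.stack[-1].children.append(node)
        if tag not in self.VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; a stray end tag is ignored.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].name == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if data.strip():  # whitespace-only runs are layout, not content
            self.stack[-1].children.append(DomNode("text", text=data.strip()))


def parse_nodes(html: str) -> List[DomNode]:
    """Parse page content and return its nodes in document (pre-order) sequence."""
    builder = DomBuilder()
    builder.feed(html)
    builder.close()
    out: List[DomNode] = []

    def walk(node: DomNode) -> None:
        out.append(node)
        for child in node.children:
            walk(child)

    for top in builder.root.children:
        walk(top)
    return out


def signature(node: Optional[DomNode]) -> Optional[tuple]:
    """The properties compared per node: text content for text nodes; tag name,
    attributes, child count and child node types for element nodes."""
    if node is None:
        return None
    if node.kind == "text":
        return ("text", node.text)
    return ("element", node.name, tuple(sorted(node.attrs.items())),
            len(node.children), tuple(c.kind for c in node.children))


def differing_nodes(first: List[DomNode], second: List[DomNode]) -> List[str]:
    """Match the i-th first node with the i-th second node and report each pair that
    differs; a node present in only one list is reported as differing too."""
    diffs = []
    for i in range(max(len(first), len(second))):
        a = first[i] if i < len(first) else None
        b = second[i] if i < len(second) else None
        if signature(a) != signature(b):
            diffs.append(f"node {i}: {signature(a)} != {signature(b)}")
    return diffs


def injection_suspected(first_page: str, second_page: str) -> bool:
    """Decision rule from the text: at least one differing DOM node => suspected."""
    return len(differing_nodes(parse_nodes(first_page), parse_nodes(second_page))) >= 1


# Constructed sample page contents modelled on the page's content1/content2 example.
CONTENT1 = (
    "<bookstore>Sisyphus Bookstore\n"
    "<book><title>Harry Potter</title><author>J.K. Rowling</author>"
    "<year>2005</year><price>29.99</price></book>\n"
    "</bookstore>"
)
CONTENT2 = CONTENT1.replace("Sisyphus Bookstore", "Sisyph Bookstore")

if __name__ == "__main__":
    for line in differing_nodes(parse_nodes(CONTENT1), parse_nodes(CONTENT2)):
        print(line)
    print("injection suspected:", injection_suspected(CONTENT1, CONTENT2))
```

Matching by position is the simplest reading of "corresponding nodes"; in practice dynamic page parts (timestamps, session tokens, rotating banners) also produce differing nodes, so a scanner would first fetch the unmodified target request twice and exclude the nodes that already differ between those two baseline responses before applying the rule.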
  • the embodiment of the present application determines a target request for injection vulnerability detection, inserts a field of a first logical type into the parameter field of the uniform resource locator (URL) of the target request to obtain a first request, and inserts a field of a second logical type into the parameter field of the URL of the target request to obtain a second request; it then sends the first request and the second request to the server, receives the first page content returned by the server for the first request and the second page content returned by the server for the second request, obtains the first parsing result of the first page content and the second parsing result of the second page content, and matches each first DOM node in the N first DOM nodes with each second DOM node in the M second DOM nodes to determine the DOM nodes that differ between the N first DOM nodes and the M second DOM nodes.
  • when there are no different DOM nodes, the security prompt information is output, which can reduce the calculation amount of the terminal and reduce the calculation difficulty, thereby improving the processing efficiency of detecting injection vulnerabilities.
  • the injection vulnerability detection device in the embodiment of the present application includes:
  • the first determining module 10 is configured to determine a target request for injection vulnerability detection.
  • the second determining module 20 is configured to determine the first request and the second request according to the target request determined by the first determining module 10.
  • the first request is determined by inserting a field of a first logical type into the target request
  • the second request is a request determined by inserting a field of a second logical type into the target request.
  • the transceiver module 30 is configured to send the first request and the second request determined by the second determining module 20 to the server, and to receive the first page content returned by the server for the first request and the second page content returned by the server for the second request.
  • the obtaining module 40 is configured to obtain a first parsing result of the first page content received by the transceiver module 30 and a second parsing result of the second page content received by the transceiver module 30.
  • the first parsing result includes N first document object model DOM nodes
  • the second parsing result includes M second DOM nodes, where N and M are integers greater than or equal to 1.
  • the third determining module 50 is configured to determine that an injection vulnerability exists in the server when there is at least one different DOM node between the N first DOM nodes and the M second DOM nodes.
  • the foregoing second determining module 20 is specifically configured to:
  • the target field includes one or more of a Host field, a Referer field, and a Cookie field.
  • the device further includes a matching module 60.
  • the matching module 60 is configured to match each first DOM node in the N first DOM nodes obtained by the obtaining module 40 with each second DOM node in the M second DOM nodes, to determine whether there are different DOM nodes between the N first DOM nodes and the M second DOM nodes.
  • the apparatus further includes an output module 70, which is configured to output a security prompt message when there are no different DOM nodes between the N first DOM nodes and the M second DOM nodes.
  • the security prompt information is used to indicate that the injection vulnerability does not exist in the server.
  • the output module 70 is further configured to output alarm prompt information after determining that an injection vulnerability exists in the server, and the alarm prompt information is used to prompt processing of the injection vulnerability of the server.
  • the foregoing obtaining module 40 is specifically configured to:
  • the field of the first logical type is a structured query language (SQL) statement of true logic; the field of the second logical type is a SQL statement of false logic.
  • the above-mentioned injection vulnerability detection device may implement the implementation manner provided by each step in the implementation manner provided in FIG. 2 or FIG. 4 through the foregoing modules to implement the functions implemented in the foregoing embodiments.
  • For details, reference may be made to the corresponding description of each step in the method embodiment shown in FIG. 2 or FIG. 4, which is not repeated here.
  • the injection vulnerability detection device may determine a target request for injection vulnerability detection, determine a first request and a second request according to the target request, send the first request and the second request to a server, and receive the first page content returned by the server for the first request and the second page content returned for the second request; it then obtains the first parsing result of the first page content and the second parsing result of the second page content, where the first parsing result includes N first DOM nodes and the second parsing result includes M second DOM nodes. If there is at least one different DOM node between them, it is determined that an injection vulnerability exists in the server, which can reduce the calculation amount and reduce the calculation difficulty, thereby improving the processing efficiency of detecting the injection vulnerability.
  • the terminal in the embodiment of the present application may include: one or more processors 701; one or more input devices 702, one or more output devices 703, and a memory 704.
  • the processor 701, the input device 702, the output device 703, and the memory 704 are connected through a bus 705.
  • the memory 704 is configured to store a computer program, the computer program includes program instructions, and the processor 701 is configured to execute the program instructions stored in the memory 704.
  • the processor 701 is configured to call the program instruction for execution:
  • a first request and a second request are determined according to the target request, where the first request is determined by inserting a field of a first logical type into the target request, and the second request is determined by inserting a field of a second logical type into the target request.
  • the output device 703 is configured to send the first request and the second request to the server; the input device 702 is configured to receive the first page content returned by the server for the first request and the second page content returned for the second request.
  • the processor 701 is further configured to call the program instruction for execution:
  • the first parsing result includes N first document object model DOM nodes
  • the second parsing result includes M second DOM nodes, where N and M are both integers greater than or equal to 1;
  • the processor 701 may be a central processing unit (CPU), or the processor may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the input device 702 may include a receiver, a receiving program interface, and the like, and the output device 703 may include a transmitter, a sending program interface, and the like.
  • the memory 704 may include a read-only memory and a random access memory, and provide instructions and data to the processor 701. A portion of the memory 704 may also include non-volatile random access memory. For example, the memory 704 may also store device type information.
  • the processor 701, the input device 702, and the output device 703 described in the embodiments of the present application may execute the implementations described for the injection vulnerability detection method provided in the embodiments of the present application, and may also execute the implementations described for the injection vulnerability detection device; details are not repeated here.
  • An embodiment of the present application further provides a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program.
  • the computer program includes program instructions; when the program instructions are executed by a processor, the injection vulnerability detection method shown in FIG. 2 or FIG. 4 is performed. For details, refer to the description of the embodiment shown in FIG. 2 or FIG. 4, which is not repeated here.
  • the computer-readable storage medium may be an injection vulnerability detection device or an internal storage unit of a terminal according to any of the foregoing embodiments, such as a hard disk or a memory of the terminal.
  • the computer-readable storage medium may also be an external storage device of the terminal, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, or a flash card provided on the terminal.
  • the computer-readable storage medium may include both an internal storage unit of the terminal and an external storage device.
  • the computer-readable storage medium is used to store the computer program and other programs and data required by the terminal.
  • the computer-readable storage medium can also be used to temporarily store data that has been or will be output.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed are an injection vulnerability detection method and device. The method comprises: determining a target request for injection vulnerability detection, then determining a first request and a second request according to the target request, transmitting the first request and the second request to a server, and receiving first page content returned by the server for the first request and second page content returned by the server for the second request; then obtaining a first analysis result of the first page content and a second analysis result of the second page content, the first analysis result comprising N first DOM nodes, and the second analysis result comprising M second DOM nodes; and if at least one different DOM node exists between the N first DOM nodes and the M second DOM nodes, determining that an injection vulnerability exists in the server. The use of the embodiments of the present application may reduce the calculation amount and the calculation difficulty, thereby improving the processing efficiency of injection vulnerability detection.

Description

Injection vulnerability detection method and device
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on July 25, 2018, with application number 2018108320082 and titled "An Injection Vulnerability Detection Method and Device", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of Internet technologies, and in particular to an injection vulnerability detection method and device.
Background
An injection vulnerability arises when code is written without validating the legality of user-supplied data. Similarity detection is currently a common method of injection vulnerability detection.
Existing similarity detection mainly uses similarity algorithms (such as the locality-sensitive hashing algorithm simhash and the min-hash algorithm minhash) to compute a similarity value between the page content returned for a true-logic (SQL true-logic) request and the page content returned for a false-logic (SQL false-logic) request. When the similarity value is greater than a preset threshold, the two pages are considered similar and no injection vulnerability exists; when the similarity value is less than the preset threshold, the two pages are considered dissimilar and an injection vulnerability exists.
However, because simhash and minhash are computationally intensive and complex, they increase the computational difficulty for the terminal and reduce the processing efficiency of injection vulnerability detection.
Summary of the Invention
Embodiments of the present application provide an injection vulnerability detection method and device, which can reduce the amount and difficulty of computation and thereby improve the processing efficiency of detecting injection vulnerabilities.
In a first aspect, an embodiment of the present application provides an injection vulnerability detection method, which includes:
determining a target request for injection vulnerability detection;
determining a first request and a second request according to the target request, where the first request is determined by inserting a field of a first logical type into the target request, and the second request is a request determined by inserting a field of a second logical type into the target request;
sending the first request and the second request to a server, and receiving first page content returned by the server for the first request and second page content returned for the second request;
obtaining a first parsing result of the first page content and a second parsing result of the second page content, where the first parsing result includes N first document object model (DOM) nodes and the second parsing result includes M second DOM nodes, N and M both being integers greater than or equal to 1;
if at least one DOM node differs between the N first DOM nodes and the M second DOM nodes, determining that an injection vulnerability exists in the server.
In a second aspect, an embodiment of the present application provides an injection vulnerability detection device, which includes:
a first determining module, configured to determine a target request for injection vulnerability detection;
a second determining module, configured to determine a first request and a second request according to the target request determined by the first determining module, where the first request is determined by inserting a field of a first logical type into the target request, and the second request is a request determined by inserting a field of a second logical type into the target request;
a transceiver module, configured to send the first request and the second request determined by the second determining module to a server, and to receive first page content returned by the server for the first request and second page content returned for the second request;
an obtaining module, configured to obtain a first parsing result of the first page content received by the transceiver module and a second parsing result of the second page content received by the transceiver module, where the first parsing result includes N first document object model (DOM) nodes and the second parsing result includes M second DOM nodes, N and M both being integers greater than or equal to 1;
a third determining module, configured to determine that an injection vulnerability exists in the server when at least one DOM node differs between the N first DOM nodes and the M second DOM nodes.
In a third aspect, an embodiment of the present application provides a terminal, including a processor, an input device, an output device and a memory that are connected to one another, where the memory is configured to store a computer program that supports the terminal in executing the above method, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the injection vulnerability detection method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium. The computer storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the injection vulnerability detection method of the first aspect.
Embodiments of the present application determine whether an injection vulnerability exists in a server by comparing whether the DOM nodes of the page contents returned for different requests are the same, which can reduce the amount and difficulty of computation and thereby improve the processing efficiency of detecting injection vulnerabilities.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the data structure of an HTTP request;
FIG. 2 is a schematic flowchart of an injection vulnerability detection method according to an embodiment of the present application;
FIG. 3a is a schematic diagram of an HTML DOM tree;
FIG. 3b is a schematic diagram of first DOM nodes and second DOM nodes;
FIG. 4 is another schematic flowchart of an injection vulnerability detection method according to an embodiment of the present application;
FIG. 5a is a schematic diagram of the DOM tree structure of first page content;
FIG. 5b is a schematic diagram of first DOM nodes;
FIG. 5c is a schematic diagram of the DOM tree structure of second page content;
FIG. 5d is a schematic diagram of second DOM nodes;
FIG. 6 is a schematic block diagram of an injection vulnerability detection device according to an embodiment of the present application;
FIG. 7 is a schematic block diagram of a terminal according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are some, but not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
The target request, the first request and the second request in the embodiments of the present application may each be a different Hypertext Transfer Protocol (HTTP) request. For convenience of description, HTTP requests are used as the example below. An HTTP request is a request message sent from a client to a server. FIG. 1 is a schematic diagram of the data structure of an HTTP request. An HTTP request consists of three parts: a request line, request headers, and a request body (request data). The request line contains the request method (such as GET or POST), the uniform resource locator (URL) of the request, and the name/version of the protocol used; the request headers contain many header field names and values, such as the Host field, the Referer field and the Cookie field; the request body contains the query string information submitted by the client. The Host field indicates the domain name (IP address) and port number of the server being accessed; the Referer field tells the server which page the request was linked from; the Cookie field maintains server-side session state and is usually written by the server and then read by the server in subsequent requests.
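As an added illustration of the request structure just described (example code written for this page, not part of the patent or of any product), the following Python parses a raw HTTP request into its request line, header fields and body, decomposes the URL into path, file name and parameter field, and collects the client-controlled fields (Host, Referer, Cookie, URL and body parameters) that a server must validate. The two sample requests are constructed for this example; their host, Referer and cookie values reuse the illustrative values quoted in this description.

```python
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import urlsplit, parse_qsl


@dataclass
class HttpRequest:
    """The three parts of an HTTP request: request line, headers, body."""
    method: str
    url: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: str = ""


def parse_http_request(raw: str) -> HttpRequest:
    """Split a raw request into request line, header fields and body.

    HTTP uses CRLF line endings; bare LF is tolerated so that constructed
    samples are easy to write.  Header names are case-insensitive, so they
    are stored lower-cased.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, url, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, url, version, headers, body)


def split_url(url: str) -> Dict[str, object]:
    """Decompose 'protocol://server/path/filename?parameters'.

    The '?' separates the file name from the parameter field; each
    parameter is a name=value pair.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return {
        "protocol": parts.scheme,
        "server": parts.netloc,
        "path": path,
        "filename": path.rsplit("/", 1)[-1],
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def parse_cookie_field(value: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            name, _, val = item.partition("=")
            pairs[name.strip()] = val.strip()
    return pairs


def client_controlled_fields(req: HttpRequest) -> Dict[str, object]:
    """Collect the request fields that carry client-supplied data and must be
    treated as untrusted by the server: the Host, Referer and Cookie headers,
    the URL parameter field and, for form posts, the body parameters."""
    body_params: Dict[str, str] = {}
    if req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = dict(parse_qsl(req.body, keep_blank_values=True))
    return {
        "host": req.headers.get("host", ""),
        "referer": req.headers.get("referer", ""),
        "cookie": parse_cookie_field(req.headers.get("cookie", "")),
        "url_params": split_url(req.url)["params"],
        "body_params": body_params,
    }


# Constructed sample requests (made up for this example; the host, Referer
# and cookie values are the illustrative ones used in this description).
SAMPLE_GET = (
    "GET /sql.php?id=1 HTTP/1.1\r\n"
    "Host: xxx.pingna.com\r\n"
    "Referer: http://xx.xx.xx.com/xx.html\r\n"
    "Cookie: _jda=1387505529; lang=en\r\n"
    "\r\n"
)

SAMPLE_POST = (
    "POST /sql.php HTTP/1.1\r\n"
    "Host: xxx.pingna.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=1&name=test"
)

if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_POST):
        req = parse_http_request(raw)
        print(req.method, req.url, req.version)
        print(client_controlled_fields(req))
```

Because header names are folded to lower case and the cookie header is split into name/value pairs, the same code handles requests regardless of how the client capitalises its headers; `split_url` accepts both the absolute URL form shown later in this description and the path-only form that appears in a request line.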
The injection vulnerability detection method provided in the embodiments of the present application can be applied to terminals such as smartphones, tablet computers and desktop computers. Optionally, the method may be executed by any terminal of any of the above types, or by a functional module (such as a browser) in any such terminal; this is not limited here. For convenience of description, a terminal is used as the example below.
The injection vulnerability detection method and device provided in the embodiments of the present application are described below with reference to FIG. 2 to FIG. 7.
FIG. 2 is a schematic flowchart of an injection vulnerability detection method according to an embodiment of the present application. As shown in FIG. 2, the method may include the following steps:
S201: The terminal determines a target request for injection vulnerability detection.
In some feasible implementations, the terminal may obtain one or more target HTTP requests preset by a user for detecting whether a server has an injection vulnerability. The URL carried in the target HTTP request may be a URL that exists on the server, that is, a URL through which the terminal can access the server normally.
S202: The terminal determines a first request and a second request according to the target request.
In some feasible implementations, the terminal may insert a field of a first logical type into the target HTTP request determined above to obtain a first HTTP request, and may insert a field of a second logical type into the target HTTP request to obtain a second HTTP request. The field of the first logical type may be a true-logic structured query language (SQL) statement, and the field of the second logical type may be a false-logic SQL statement. For example, the field of the first logical type is an always-true SQL statement such as "or 1=1", "or 1<2" or "or 2=2", and the field of the second logical type is an always-false SQL statement such as "and 1=2", "and 1>2" or "and 21=12".
In some feasible implementations, the terminal may insert a true-logic SQL statement into a target field of the target HTTP request to obtain the first HTTP request, and may insert a false-logic SQL statement into the same target field of the target HTTP request to obtain the second HTTP request. The target field may include one or more of the Host field, the Referer field and the Cookie field. That is, the first HTTP request and the second HTTP request are determined by inserting different SQL statements into the same field of the target HTTP request.
For example, if the Host field of the target HTTP request is "ulog.jd.com", the terminal may insert the preset true-logic SQL statement "or 1=1" after the Host field "ulog.jd.com" to obtain the first HTTP request, whose Host field is then "ulog.jd.com or 1=1", and insert the preset false-logic SQL statement "and 1>2" after the Host field "ulog.jd.com" to obtain the second HTTP request, whose Host field is then "ulog.jd.com and 1>2". As another example, if the Referer field of the target HTTP request is "http://xx.xx.xx.com/xx.html", the terminal may insert the preset true-logic SQL statement "or 1<2" after the Referer field "http://xx.xx.xx.com/xx.html" to obtain the first HTTP request, whose Referer field is then "http://xx.xx.xx.com/xx.html or 1<2", and insert the preset false-logic SQL statement "and 1=2" after the Referer field "http://xx.xx.xx.com/xx.html" to obtain the second HTTP request, whose Referer field is then "http://xx.xx.xx.com/xx.html and 1=2". As a further example, if the Cookie field of the target HTTP request is "_jda=1387505529", the terminal may insert the preset true-logic SQL statement "or 2=2" after the Cookie field "_jda=1387505529" to obtain the first HTTP request, whose Cookie field is then "_jda=1387505529 or 2=2", and insert the preset false-logic SQL statement "and 21=12" after the Cookie field "_jda=1387505529" to obtain the second HTTP request, whose Cookie field is then "_jda=1387505529 and 21=12".
S203: The terminal sends the first request and the second request to the server, and receives first page content returned by the server for the first request and second page content returned for the second request.
In some feasible implementations, the terminal may send the first HTTP request and the second HTTP request to the server. The server receives the first HTTP request and the second HTTP request sent by the terminal, returns the first page content corresponding to the first HTTP request, and returns the second page content corresponding to the second HTTP request. The terminal may then receive the first page content and the second page content.
S204: The terminal obtains a first parsing result of the first page content and a second parsing result of the second page content.
In some feasible implementations, the terminal may parse the received first page content according to the document object model (DOM) to obtain N first DOM nodes, and may parse the received second page content according to the DOM to obtain M second DOM nodes, where N and M are both integers greater than or equal to 1. The N first DOM nodes include at least one root node and at least one child node, and the M second DOM nodes likewise include at least one root node and at least one child node. It should be noted that the DOM logically builds a tree model for a hypertext markup language (HTML) document by parsing the document. According to the World Wide Web Consortium (W3C) HTML DOM standard, everything in an HTML document is a node: the entire document is a document node, each HTML element is an element node, the text inside an HTML element is a text node, each HTML attribute is an attribute node, and a comment is a comment node. FIG. 3a is a schematic diagram of an HTML DOM tree, in which the root element is the root node and the other elements are child nodes. Every HTML document can be parsed according to the DOM into one root element and one or more elements.
FIG. 3b is a schematic diagram of first DOM nodes and second DOM nodes. Parsing the first page content content1 according to the DOM yields six first DOM nodes: "root element <bookstore>: Sisyphe Bookstore (西西弗书店)", "element <book>: books (书籍)", "element <title>: Harry Potter", "element <author>: J K. Rowling", "element <year>: 2005" and "element <price>: 29.99". Parsing the second page content content2 according to the DOM yields six second DOM nodes: "root element <bookstore>: Sisyphe Bookstore (西西弗书店)", "element <book>: books (书籍)", "element <title>: The Little Price", "element <author>: Saint-Exupéry (圣埃克苏佩里)", "element <year>: 2005" and "element <price>: 21.2". Optionally, which DOM nodes a DOM tree contains is determined by the page content; in other words, a given page content, once parsed according to the DOM, may contain only some of the DOM nodes of the HTML DOM tree shown in FIG. 3a. The embodiment of the present application does not limit which nodes a specific page content contains.
S205: If at least one DOM node differs between the N first DOM nodes and the M second DOM nodes, the terminal determines that an injection vulnerability exists in the server.
In some feasible implementations, the N first DOM nodes include at least one root node and at least one child node, and the M second DOM nodes likewise include at least one root node and at least one child node. The terminal may compare the corresponding nodes of the N first DOM nodes and the M second DOM nodes for differences; if at least one DOM node differs between the N first DOM nodes and the M second DOM nodes, the terminal may determine that an injection vulnerability exists in the server. This is because, if the server does not filter user data (that is, an injection vulnerability exists), the true-logic SQL statement and the false-logic SQL statement inserted in step S202 will be executed by the server as part of an SQL query, causing the returned first page content and second page content to differ, so that after both are parsed according to the DOM there are DOM nodes that differ. The embodiment of the present application determines whether an injection vulnerability exists in the server by comparing whether different DOM nodes exist between the first page content (returned for the HTTP request containing the true-logic SQL statement) and the second page content (returned for the HTTP request containing the false-logic SQL statement), which can reduce the terminal's computation amount and difficulty and thereby improve the processing efficiency of detecting injection vulnerabilities.
For example, with the first DOM nodes and second DOM nodes shown in FIG. 3b, the terminal compares "root element <bookstore>: Sisyphe Bookstore (西西弗书店)" of the first page content content1 with "root element <bookstore>: Sisyphe Bookstore (西西弗书店)" of the second page content content2, compares "element <book>: books (书籍)" of content1 with "element <book>: books (书籍)" of content2, and compares "element <title>: Harry Potter" of content1 with "element <title>: The Little Price" of content2. Because "element <title>: Harry Potter" of content1 differs from "element <title>: The Little Price" of content2, the terminal can determine that an injection vulnerability exists in the server, and at this point it need not compare the remaining uncompared nodes among the N first DOM nodes and the M second DOM nodes, which improves detection efficiency. Optionally, the terminal may instead compare all corresponding nodes of all first DOM nodes and all second DOM nodes, record the differing DOM nodes, and check whether the number of differing DOM nodes is greater than or equal to 1; if so, the terminal determines that an injection vulnerability exists in the server.
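Steps S204 and S205 can be demonstrated on the two page contents of FIG. 3b. The following Python is an added example written for this page, not the patent's own implementation: it flattens each document into an ordered list of (element, text) DOM nodes with the standard-library html.parser, compares corresponding nodes with the early stop described above, and also implements the alternative of counting every differing node. The two documents are constructed from the node values shown in FIG. 3b. It adds one check the description does not cover: positions whose nodes already differ between two responses to the same unmodified request (server clocks, session tokens and similar dynamic content) can be masked with `volatile_positions`, so that such content does not by itself produce a finding.

```python
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple

DomNode = Tuple[str, str]  # (element name, text written directly inside it)


class DomNodeCollector(HTMLParser):
    """Flatten a document into element nodes in document order, each paired
    with its own text, matching the 'element <title>: Harry Potter' form of
    FIG. 3b.  Tag names are lower-cased by HTMLParser."""

    def __init__(self) -> None:
        super().__init__()
        self._nodes: List[List[str]] = []  # [tag, text], mutable while parsing
        self._open: List[List[str]] = []   # stack of currently open elements

    def handle_starttag(self, tag, attrs):
        node = [tag, ""]
        self._nodes.append(node)
        self._open.append(node)

    def handle_endtag(self, tag):
        # Close back to the matching open element; tolerates unclosed tags.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        text = data.strip()  # ignore whitespace used only for indentation
        if text and self._open:
            self._open[-1][1] += text

    def nodes(self) -> List[DomNode]:
        return [(tag, text) for tag, text in self._nodes]


def parse_dom_nodes(page_content: str) -> List[DomNode]:
    """Step S204: parse page content into its N DOM nodes."""
    collector = DomNodeCollector()
    collector.feed(page_content)
    collector.close()
    return collector.nodes()


def volatile_positions(baseline_a: List[DomNode], baseline_b: List[DomNode]) -> Set[int]:
    """Positions whose nodes differ between two responses to the SAME request.
    Such nodes change on their own and must not count as evidence.  This
    baseline check is an addition to the method described on the page."""
    return {i for i, (a, b) in enumerate(zip(baseline_a, baseline_b)) if a != b}


def first_differing_node(first: List[DomNode], second: List[DomNode],
                         ignore: Set[int] = frozenset()
                         ) -> Optional[Tuple[int, Optional[DomNode], Optional[DomNode]]]:
    """Step S205 with early exit: compare corresponding nodes and stop at the
    first mismatch.  Returns (position, first_node, second_node), or None when
    every compared node matches and both lists have the same length."""
    for i, (a, b) in enumerate(zip(first, second)):
        if i not in ignore and a != b:
            return i, a, b
    if len(first) != len(second):
        i = min(len(first), len(second))
        return i, (first[i] if i < len(first) else None), (second[i] if i < len(second) else None)
    return None


def count_differing_nodes(first: List[DomNode], second: List[DomNode],
                          ignore: Set[int] = frozenset()) -> int:
    """The alternative described above: compare every node and count the
    mismatches; each node without a counterpart counts as one mismatch."""
    mismatches = sum(1 for i, (a, b) in enumerate(zip(first, second))
                     if i not in ignore and a != b)
    return mismatches + abs(len(first) - len(second))


def injection_suspected(content1: str, content2: str, ignore: Set[int] = frozenset()) -> bool:
    """True when at least one (non-masked) DOM node differs between the pages."""
    return first_differing_node(parse_dom_nodes(content1), parse_dom_nodes(content2), ignore) is not None


# Constructed page contents built from the node values of FIG. 3b.
CONTENT1 = """<bookstore>西西弗书店
  <book>书籍
    <title>Harry Potter</title><author>J K. Rowling</author>
    <year>2005</year><price>29.99</price>
  </book>
</bookstore>"""

CONTENT2 = """<bookstore>西西弗书店
  <book>书籍
    <title>The Little Price</title><author>圣埃克苏佩里</author>
    <year>2005</year><price>21.2</price>
  </book>
</bookstore>"""

if __name__ == "__main__":
    n1, n2 = parse_dom_nodes(CONTENT1), parse_dom_nodes(CONTENT2)
    print(first_differing_node(n1, n2))   # stops at the <title> node
    print(count_differing_nodes(n1, n2))  # title, author and price differ
```

Comparison is positional, as in the description, so an element that appears in one response but not the other shifts every later node and shows up as a mismatch; that is the intended behaviour for this check, and the baseline mask is what keeps it from firing on content that varies between any two fetches of the same page.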
The embodiment of the present application determines a target request for injection vulnerability detection, determines a first request and a second request according to the target request, sends the first request and the second request to a server, and receives first page content returned by the server for the first request and second page content returned for the second request; it then obtains a first parsing result of the first page content and a second parsing result of the second page content, where the first parsing result includes N first DOM nodes and the second parsing result includes M second DOM nodes; if at least one DOM node differs between the N first DOM nodes and the M second DOM nodes, it determines that an injection vulnerability exists in the server. This can reduce the terminal's computation amount and difficulty and thereby improve the processing efficiency of detecting injection vulnerabilities.
参见图4,是本申请实施例提供的一种注入漏洞检测方法的另一示意流程图。如图4所示,该注入漏洞检测方法可包括步骤:Referring to FIG. 4, it is another schematic flowchart of an injection vulnerability detection method according to an embodiment of the present application. As shown in FIG. 4, the injection vulnerability detection method may include steps:
S401,终端确定用于注入漏洞检测的目标请求。S401. The terminal determines a target request for injection vulnerability detection.
本申请实施例中上述步骤S401的实现方式可参考图2所示实施例的步骤S201所提供的实现方式,在此不再赘述。For the implementation manner of step S401 in the embodiment of the present application, reference may be made to the implementation manner provided by step S201 in the embodiment shown in FIG. 2, and details are not described herein again.
S402,终端在目标请求的统一资源定位符URL的参数字段中插入第一逻辑类型的字段, 得到第一请求。S402. The terminal inserts a field of a first logical type into a parameter field of a uniform resource locator URL requested by the target to obtain a first request.
S403: The terminal inserts a field of a second logical type into the parameter field of the URL of the target request to obtain a second request.
In some feasible implementations, the way in which the terminal derives the first request and the second request from the target HTTP request may follow the implementation provided in step S202 of the embodiment shown in FIG. 2; details are not repeated here.
In some feasible implementations, a URL typically has the structure "protocol://server name (IP address)/path/file name?parameters". For example, in the URL http://xxx.pingna.com/sql.php?id=1, id=1 is the parameter field of the URL. The parameter field of a URL consists of a parameter name and a parameter value: id is the parameter name and 1 is the parameter value. A parameter value may consist of digits, letters (upper or lower case), special characters (characters other than digits and letters), or any combination of these. The question mark character "?" separates the file name from the parameters in the URL. The terminal may extract the URL carried by the target HTTP request, insert a true-logic SQL statement into the parameter field of that URL to obtain the first HTTP request, and insert a false-logic SQL statement into the parameter field of that URL to obtain the second HTTP request. The terminal may preset multiple true-logic SQL statements and multiple false-logic SQL statements; when inserting a true-logic SQL statement into the parameter field of the URL, the terminal may select any one of the preset true-logic SQL statements. Similarly, when inserting a false-logic SQL statement into the parameter field of the URL, the terminal may select any one of the preset false-logic SQL statements.
For example, if the URL carried by the target HTTP request is http://xxx.pingna.com/sql.php?id=1, the terminal may insert the preset true-logic SQL statement "or 2=2" after the parameter field "id=1" of the URL to obtain the first HTTP request, whose URL is then http://xxx.pingna.com/sql.php?id=1or 2=2, and insert the preset false-logic SQL statement "and 1>2" after the parameter field "id=1" of the URL to obtain the second HTTP request, whose URL is then http://xxx.pingna.com/sql.php?id=1and 1>2.
S404: The terminal sends the first request and the second request to the server, and receives the first page content returned by the server for the first request and the second page content returned for the second request.
For the implementation of step S404 in this embodiment, reference may be made to the implementation provided in step S203 of the embodiment shown in FIG. 2; details are not repeated here.
S405: The terminal obtains a first parsing result of the first page content and a second parsing result of the second page content.
S406: The terminal matches each of the N first DOM nodes against each of the M second DOM nodes and determines whether any differing DOM node exists between the N first DOM nodes and the M second DOM nodes.
In some feasible implementations, the terminal may parse the received first page content according to the DOM to obtain the DOM tree structure of the first page content, and then extract N first DOM nodes from that DOM tree structure. Similarly, the terminal may parse the received second page content according to the DOM to obtain the DOM tree structure of the second page content, and then extract M second DOM nodes from that DOM tree structure. The terminal may match each of the N first DOM nodes against the corresponding second DOM node among the M second DOM nodes to determine which DOM nodes differ between the N first DOM nodes and the M second DOM nodes. Here N and M are both integers greater than or equal to 1. The N first DOM nodes include at least one root node and at least one child node, and the M second DOM nodes likewise include at least one root node and at least one child node.
For example, the terminal parses the first page content content1 according to the DOM to obtain the DOM tree structure of content1; FIG. 5a is a schematic diagram of the DOM tree structure of the first page content, in which every element and every piece of text may be called a node. The terminal may extract N first DOM nodes from the DOM tree structure of content1; FIG. 5b is a schematic diagram of the first DOM nodes. Similarly, the terminal parses the second page content content2 according to the DOM to obtain the DOM tree structure of content2; FIG. 5c is a schematic diagram of the DOM tree structure of the second page content. The terminal may extract M second DOM nodes from the DOM tree structure of content2; FIG. 5d is a schematic diagram of the second DOM nodes. The terminal may then compare, between the N first DOM nodes and the M second DOM nodes, the content of the text nodes, the tag names and tag types of the element nodes (<title>, <author>, <year> and <price>), and the tag names, tag types, tag attributes, number of child nodes and child node types of the content nodes (<book>). If the content of a text node differs, the terminal may determine that this text node is a DOM node that differs between the N first DOM nodes and the M second DOM nodes. If either the tag name or the tag type of an element node differs, the terminal may determine that this element node is a DOM node that differs between the N first DOM nodes and the M second DOM nodes. If any of the tag name, tag type, tag attributes, number of child nodes or child node types of a content node differs, the terminal may determine that this content node is a DOM node that differs between the N first DOM nodes and the M second DOM nodes.
S407: If at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes, the terminal determines that an injection vulnerability exists in the server.
S408: If no differing DOM node exists between the N first DOM nodes and the M second DOM nodes, the terminal outputs security prompt information.
In some feasible implementations, the terminal may count the differing DOM nodes determined above and check whether that count is greater than or equal to 1. If so, at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes, and the terminal may determine that an injection vulnerability exists in the server. If not, no differing DOM node exists between the N first DOM nodes and the M second DOM nodes, and the terminal may output security prompt information indicating that no injection vulnerability exists in the server. The reason is that if the server filters user data (that is, no injection vulnerability exists), both the true-logic SQL statement inserted in step S402 and the false-logic SQL statement inserted in step S403 are filtered out by the server, so the returned first page content and second page content are identical, and parsing them according to the DOM yields no differing DOM nodes. Outputting security prompt information when no injection vulnerability is found in the server improves the user experience.
In some feasible implementations, after determining that an injection vulnerability exists in the server, the terminal may output alarm prompt information. The alarm prompt information may include the parameter field of the URL of the target HTTP request and may be used to prompt developers to fix the injection vulnerability in that URL parameter field on the server, which prevents the information of customers using the server from being leaked and causing them financial loss. It also allows the location of the injection vulnerability in the server to be found faster, so that developers can fix it sooner.
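The DOM comparison and decision of steps S405 to S408, as an added example that is not part of the patent or of the applicant's implementation; it assumes well-formed XML page content in the style of the bookstore document of FIG. 5, with both sample pages constructed inline (a real scanner would use an HTML parser for tag-soup pages).

```python
"""Added example (not the patent's own code): compare the DOM node lists of the
page returned for the true-logic request (content1) with the page returned for
the false-logic request (content2), using the criteria the text names: text
node content; element node tag name and tag type; content node tag name, tag
type, attributes, child count and child types. Sample pages are constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample pages modelled on the bookstore document of FIG. 5.
CONTENT_TRUE = (
    '<bookstore><book category="web"><title>Learning XML</title>'
    '<author>Erik T. Ray</author><year>2003</year><price>39.95</price></book>'
    '<book category="web"><title>XQuery Kick Start</title>'
    '<author>James McGovern</author><year>2003</year><price>49.99</price></book>'
    '</bookstore>'
)
# Constructed page for the false-logic request: the query matched no rows.
CONTENT_FALSE = '<bookstore><message>No results</message></bookstore>'


@dataclass
class DomNode:
    kind: str                 # "text", "element" (leaf) or "content" (has children)
    path: str                 # position in the tree, e.g. /bookstore/book[0]/title[0]
    tag: str = ""
    text: str = ""
    attrs: dict = field(default_factory=dict)
    child_count: int = 0
    child_types: tuple = ()


def extract_nodes(page_content: str) -> list[DomNode]:
    """Parse page content and flatten its DOM tree into a node list (S405)."""
    root = ET.fromstring(page_content)
    nodes: list[DomNode] = []

    def visit(elem, path):
        children = list(elem)
        if children:   # a "content node" such as <book>
            nodes.append(DomNode("content", path, elem.tag, attrs=dict(elem.attrib),
                                 child_count=len(children),
                                 child_types=tuple(c.tag for c in children)))
            for i, child in enumerate(children):
                visit(child, f"{path}/{child.tag}[{i}]")
        else:          # an "element node" such as <title>, plus its text node
            nodes.append(DomNode("element", path, elem.tag, attrs=dict(elem.attrib)))
            nodes.append(DomNode("text", path + "/text()", text=(elem.text or "").strip()))

    visit(root, "/" + root.tag)
    return nodes


def node_difference(a: DomNode, b: DomNode):
    """Return why two matched nodes differ, or None if they are the same."""
    if a.kind != b.kind:
        return "tag type differs"
    if a.kind == "text":
        return "text content differs" if a.text != b.text else None
    if a.tag != b.tag:
        return "tag name differs"
    if a.kind == "content":
        if a.attrs != b.attrs:
            return "tag attributes differ"
        if a.child_count != b.child_count:
            return "child count differs"
        if a.child_types != b.child_types:
            return "child types differ"
    return None


def differing_nodes(first: list[DomNode], second: list[DomNode]):
    """Match first nodes to second nodes by tree position (S406) and list the
    ones that differ; a node present on only one side also counts as differing."""
    remaining = {n.path: n for n in second}
    diffs = []
    for n in first:
        m = remaining.pop(n.path, None)
        if m is None:
            diffs.append((n.path, "missing in second page"))
            continue
        reason = node_difference(n, m)
        if reason:
            diffs.append((n.path, reason))
    diffs.extend((path, "missing in first page") for path in remaining)
    return diffs


def detect_injection(content1: str, content2: str):
    """S407/S408: at least one differing DOM node means the server is vulnerable."""
    diffs = differing_nodes(extract_nodes(content1), extract_nodes(content2))
    return len(diffs) >= 1, diffs


def prompt_message(vulnerable: bool, param_field: str) -> str:
    """The alarm prompt (carrying the URL parameter field) or the security prompt."""
    if vulnerable:
        return f"ALARM: injection vulnerability in URL parameter field '{param_field}'"
    return "SAFE: no injection vulnerability detected"


if __name__ == "__main__":
    vulnerable, diffs = detect_injection(CONTENT_TRUE, CONTENT_FALSE)
    print(prompt_message(vulnerable, "id=1"))
    for path, reason in diffs:
        print(f"  {path}: {reason}")
    # A server that filters the injected statements returns identical pages.
    print(prompt_message(detect_injection(CONTENT_TRUE, CONTENT_TRUE)[0], "id=1"))
```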
In the embodiment of the present application, a target request for injection vulnerability detection is determined; a field of a first logical type is inserted into the parameter field of the URL of the target request to obtain a first request, and a field of a second logical type is inserted into the parameter field of the URL of the target request to obtain a second request; the first request and the second request are sent to the server, and the first page content returned by the server for the first request and the second page content returned for the second request are received; a first parsing result of the first page content and a second parsing result of the second page content are obtained; and each of the N first DOM nodes is matched against each of the M second DOM nodes to determine the DOM nodes that differ between them. When at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes, it is determined that an injection vulnerability exists in the server; when no differing DOM node exists, security prompt information is output. This reduces the amount and difficulty of computation on the terminal and thereby improves the efficiency of injection vulnerability detection.
Referring to FIG. 6, which is a schematic block diagram of an injection vulnerability detection device according to an embodiment of the present application. The injection vulnerability detection device of this embodiment includes:
a first determining module 10, configured to determine a target request for injection vulnerability detection;
a second determining module 20, configured to derive a first request and a second request from the target request determined by the first determining module 10, where the first request is determined by inserting a field of a first logical type into the target request, and the second request is determined by inserting a field of a second logical type into the target request;
a transceiver module 30, configured to send the first request and the second request determined by the second determining module 20 to a server, and to receive the first page content returned by the server for the first request and the second page content returned for the second request;
an obtaining module 40, configured to obtain a first parsing result of the first page content received by the transceiver module 30 and a second parsing result of the second page content received by the transceiver module 30, where the first parsing result comprises N first document object model (DOM) nodes, the second parsing result comprises M second DOM nodes, and N and M are both integers greater than or equal to 1; and
a third determining module 50, configured to determine that an injection vulnerability exists in the server when at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes.
In some feasible implementations, the second determining module 20 is specifically configured to insert a field of a first logical type into the parameter field of the uniform resource locator (URL) of the target request determined by the first determining module 10 to obtain the first request, and to insert a field of a second logical type into the parameter field of the URL of the target request determined by the first determining module 10 to obtain the second request.
In some feasible implementations, the second determining module 20 is specifically configured to insert a field of a first logical type into a target field of the target request determined by the first determining module 10 to obtain the first request, and to insert a field of a second logical type into the target field of the target request determined by the first determining module 10 to obtain the second request, where the target field includes one or more of a Host field, a Referer field and a Cookie field.
In some feasible implementations, the device further includes a matching module 60, configured to match each of the N first DOM nodes obtained by the obtaining module 40 against each of the M second DOM nodes and determine whether any differing DOM node exists between the N first DOM nodes and the M second DOM nodes.
In some feasible implementations, the device further includes an output module 70, configured to output security prompt information when no differing DOM node exists between the N first DOM nodes and the M second DOM nodes, the security prompt information indicating that the injection vulnerability does not exist in the server.
In some feasible implementations, the output module 70 is further configured to output alarm prompt information after it is determined that an injection vulnerability exists in the server, the alarm prompt information prompting that the injection vulnerability in the server be fixed.
In some feasible implementations, the obtaining module 40 is specifically configured to parse the first page content according to the document object model (DOM) to obtain N first DOM nodes, and to parse the second page content according to the DOM to obtain M second DOM nodes.
In some feasible implementations, the field of the first logical type is a true-logic structured query statement, and the field of the second logical type is a false-logic structured query statement.
In a specific implementation, the injection vulnerability detection device may, through the modules described above, carry out the implementations provided by the steps of FIG. 2 or FIG. 4 and thereby realise the functions of the foregoing embodiments; for details, refer to the description of each step of the method embodiments shown in FIG. 2 or FIG. 4, which is not repeated here.
In the embodiment of the present application, the injection vulnerability detection device determines a target request for injection vulnerability detection, derives a first request and a second request from the target request, sends them to a server, and receives the first page content returned by the server for the first request and the second page content returned for the second request; it then obtains a first parsing result of the first page content and a second parsing result of the second page content, the first parsing result comprising N first DOM nodes and the second parsing result comprising M second DOM nodes; if at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes, it determines that an injection vulnerability exists in the server. This reduces the amount and difficulty of computation and thereby improves the efficiency of injection vulnerability detection.
Referring to FIG. 7, which is a schematic block diagram of a terminal according to an embodiment of the present application. As shown in FIG. 7, the terminal of this embodiment may include one or more processors 701, one or more input devices 702, one or more output devices 703 and a memory 704. The processor 701, input device 702, output device 703 and memory 704 are connected by a bus 705. The memory 704 stores a computer program comprising program instructions, and the processor 701 executes the program instructions stored in the memory 704. The processor 701 is configured to call the program instructions to perform the following:
determining a target request for injection vulnerability detection;
deriving a first request and a second request from the target request, the first request being determined by inserting a field of a first logical type into the target request and the second request being determined by inserting a field of a second logical type into the target request.
The output device 703 is configured to send the first request and the second request to a server, and the input device 702 is configured to receive the first page content returned by the server for the first request and the second page content returned for the second request.
The processor 701 is further configured to call the program instructions to perform the following:
obtaining a first parsing result of the first page content and a second parsing result of the second page content, the first parsing result comprising N first document object model (DOM) nodes and the second parsing result comprising M second DOM nodes, where N and M are both integers greater than or equal to 1;
if at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes, determining that an injection vulnerability exists in the server.
It should be understood that in this embodiment the processor 701 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The input device 702 may include a receiver, a receiving program interface and the like, and the output device 703 may include a transmitter, a sending program interface and the like.
The memory 704 may include read-only memory and random access memory, and provides instructions and data to the processor 701. Part of the memory 704 may also include non-volatile random access memory. For example, the memory 704 may also store device type information.
In a specific implementation, the processor 701, input device 702 and output device 703 described in this embodiment may carry out the implementations described in the injection vulnerability detection method provided by the embodiments of the present application, and may also carry out the implementations of the injection vulnerability detection device described in the embodiments of the present application; details are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program comprising program instructions which, when executed by a processor, implement the injection vulnerability detection method shown in FIG. 2 or FIG. 4; for details, refer to the description of the embodiment shown in FIG. 2 or FIG. 4, which is not repeated here.
The computer-readable storage medium may be an internal storage unit of the injection vulnerability detection device or terminal of any of the foregoing embodiments, such as a hard disk or memory of the terminal. The computer-readable storage medium may also be an external storage device of the terminal, such as a plug-in hard disk, smart media card (SMC), secure digital (SD) card or flash card fitted to the terminal. Further, the computer-readable storage medium may include both an internal storage unit of the terminal and an external storage device. The computer-readable storage medium stores the computer program and other programs and data required by the terminal, and may also be used to temporarily store data that has been or will be output.
The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (20)

  1. An injection vulnerability detection method, characterized in that it comprises:
    determining a target request for injection vulnerability detection;
    deriving a first request and a second request from the target request, the first request being a request determined by inserting a field of a first logical type into the target request, and the second request being determined by inserting a field of a second logical type into the target request;
    sending the first request and the second request to a server, and receiving first page content returned by the server for the first request and second page content returned for the second request;
    obtaining a first parsing result of the first page content and a second parsing result of the second page content, the first parsing result comprising N first document object model (DOM) nodes and the second parsing result comprising M second DOM nodes, where N and M are both integers greater than or equal to 1; and
    if at least one differing DOM node exists between the N first DOM nodes and the M second DOM nodes, determining that an injection vulnerability exists in the server.
  2. The method according to claim 1, characterized in that deriving the first request and the second request from the target request comprises:
    inserting a field of a first logical type into a parameter field of a uniform resource locator (URL) of the target request to obtain the first request; and
    inserting a field of a second logical type into the parameter field of the URL of the target request to obtain the second request.
  3. The method according to claim 1, characterized in that deriving the first request and the second request from the target request comprises:
    inserting a field of a first logical type into a target field of the target request to obtain the first request; and
    inserting a field of a second logical type into the target field of the target request to obtain the second request;
    wherein the target field comprises one or more of a Host field, a Referer field and a Cookie field.
  4. The method according to any one of claims 1 to 3, characterized in that, after obtaining the first parsing result of the first page content and the second parsing result of the second page content, the method further comprises:
    matching each of the N first DOM nodes against each of the M second DOM nodes to determine whether any differing DOM node exists between the N first DOM nodes and the M second DOM nodes.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    if no differing DOM node exists between the N first DOM nodes and the M second DOM nodes, outputting security prompt information, the security prompt information indicating that the injection vulnerability does not exist in the server.
  6. The method according to any one of claims 1 to 5, characterized in that obtaining the first parsing result of the first page content and the second parsing result of the second page content comprises:
    parsing the first page content according to the document object model (DOM) to obtain N first DOM nodes; and
    parsing the second page content according to the DOM to obtain M second DOM nodes.
  7. The method according to any one of claims 1 to 6, characterized in that the field of the first logical type is a true-logic structured query statement, and the field of the second logical type is a false-logic structured query statement.
  8. An injection vulnerability detection device, comprising:
    a first determining module, configured to determine a target request for injection vulnerability detection;
    a second determining module, configured to determine a first request and a second request from the target request, the first request being a request obtained by inserting a field of a first logical type into the target request, and the second request being a request obtained by inserting a field of a second logical type into the target request;
    a transceiver module, configured to send the first request and the second request to a server, and to receive first page content returned by the server for the first request and second page content returned by the server for the second request;
    an obtaining module, configured to obtain a first parsing result of the first page content and a second parsing result of the second page content, the first parsing result comprising N first Document Object Model (DOM) nodes and the second parsing result comprising M second DOM nodes, N and M each being an integer greater than or equal to 1;
    a third determining module, configured to determine that an injection vulnerability exists in the server when at least one DOM node differs between the N first DOM nodes and the M second DOM nodes.
  9. The device according to claim 8, wherein the second determining module is specifically configured to:
    insert a field of the first logical type into a parameter field of the Uniform Resource Locator (URL) of the target request to obtain the first request;
    insert a field of the second logical type into the parameter field of the URL of the target request to obtain the second request.
  10. The device according to claim 8, wherein the second determining module is specifically configured to:
    insert a field of the first logical type into a target field of the target request to obtain the first request;
    insert a field of the second logical type into the target field of the target request to obtain the second request;
    wherein the target field comprises one or more of a Host field, a Referer field and a Cookie field.
  11. The device according to any one of claims 8 to 10, further comprising:
    a matching module, configured to match each first DOM node of the N first DOM nodes obtained by the obtaining module against each second DOM node of the M second DOM nodes, to determine whether there is any DOM node that differs between the N first DOM nodes and the M second DOM nodes.
  12. The device according to any one of claims 8 to 11, further comprising:
    an output module, configured to output a security prompt message when there is no differing DOM node between the N first DOM nodes and the M second DOM nodes, the security prompt message being used to indicate that the injection vulnerability does not exist in the server.
  13. The device according to any one of claims 8 to 12, wherein the obtaining module is specifically configured to:
    parse the first page content according to the Document Object Model (DOM) to obtain the N first DOM nodes;
    parse the second page content according to the DOM to obtain the M second DOM nodes.
  14. The device according to any one of claims 8 to 13, wherein the field of the first logical type is a structured query statement with true logic, and the field of the second logical type is a structured query statement with false logic.
  15. A terminal, comprising a processor, an input device, an output device and a memory, the processor, the input device, the output device and the memory being connected to one another, wherein the memory is configured to store a computer program comprising program instructions, and the processor is configured to execute the program instructions stored in the memory, wherein:
    the processor is configured to determine a target request for injection vulnerability detection, and to determine a first request and a second request from the target request, the first request being a request obtained by inserting a field of a first logical type into the target request, and the second request being a request obtained by inserting a field of a second logical type into the target request;
    the output device is configured to send the first request and the second request to a server;
    the input device is configured to receive first page content returned by the server for the first request and second page content returned by the server for the second request;
    the processor is further configured to obtain a first parsing result of the first page content and a second parsing result of the second page content, the first parsing result comprising N first Document Object Model (DOM) nodes and the second parsing result comprising M second DOM nodes, N and M each being an integer greater than or equal to 1, and to determine that an injection vulnerability exists in the server when at least one DOM node differs between the N first DOM nodes and the M second DOM nodes.
  16. The terminal according to claim 15, wherein the processor is specifically configured to:
    insert a field of the first logical type into a parameter field of the Uniform Resource Locator (URL) of the target request to obtain the first request;
    insert a field of the second logical type into the parameter field of the URL of the target request to obtain the second request.
  17. The terminal according to claim 15, wherein the processor is specifically configured to:
    insert a field of the first logical type into a target field of the target request to obtain the first request;
    insert a field of the second logical type into the target field of the target request to obtain the second request;
    wherein the target field comprises one or more of a Host field, a Referer field and a Cookie field.
  18. The terminal according to any one of claims 15 to 17, wherein the processor is further configured to:
    match each first DOM node of the N first DOM nodes against each second DOM node of the M second DOM nodes, to determine whether there is any DOM node that differs between the N first DOM nodes and the M second DOM nodes.
  19. The terminal according to any one of claims 15 to 18, wherein the output device is further configured to:
    output a security prompt message when there is no differing DOM node between the N first DOM nodes and the M second DOM nodes, the security prompt message being used to indicate that the injection vulnerability does not exist in the server.
  20. A computer-readable storage medium, storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
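A worked example of the procedure the claims describe (the method of claims 1 to 7, restated as device and terminal in claims 8 to 20), added here; it is not code from the patent or from its applicant. It runs offline in Python against a hypothetical target: the in-memory sample table, the URL and cookie names, the request shape and the probe fragments ` AND 1=1` / ` AND 1=2` are all assumptions chosen for illustration, since the claims only specify a "structured query statement with true logic" and one with "false logic". The target comes in a string-concatenation form (the vulnerable case the method is meant to find) and a bound-parameter form (where both probes return the same page, so no vulnerability is reported), and the probe can be placed in the URL parameter or in a header such as Cookie.

```python
"""Boolean-based injection detection by DOM comparison. Added example, not
code from WO2020019515A1: a hypothetical target server plus a detector that
sends true-logic and false-logic variants of one request and compares DOMs."""
import sqlite3
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample table behind the hypothetical target page.
ROWS = [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.99)]

# The "first logical type" and "second logical type" fields (claims 7 and 14):
# a structured query fragment that is always true and one that is always false.
TRUE_LOGIC = " AND 1=1"
FALSE_LOGIC = " AND 1=2"

def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return con

def _render(rows):
    items = "".join(f"<li>{name} ${price:.2f}</li>" for _, name, price in rows)
    return f"<html><body><h1>Catalog</h1><ul>{items}</ul></body></html>"

def _cookies(header):
    return dict(c.strip().split("=", 1) for c in header.split(";") if "=" in c)

def make_server(field, parameterized):
    """Hypothetical target. `field` says where the id is read from: "url" (query
    parameter `id`) or "Cookie" (cookie `uid`). parameterized=False builds SQL by
    string concatenation (deliberately vulnerable); True binds the value.
    A request is a dict {"url": str, "headers": {name: value}}."""
    def serve(request):
        if field == "url":
            value = dict(parse_qsl(urlsplit(request["url"]).query)).get("id", "1")
        else:
            value = _cookies(request["headers"].get("Cookie", "")).get("uid", "1")
        query = "SELECT id, name, price FROM products WHERE id = "
        try:
            if parameterized:
                rows = _db().execute(query + "?", (value,)).fetchall()
            else:  # vulnerable: the probe fragment becomes part of the WHERE clause
                rows = _db().execute(query + value).fetchall()
        except sqlite3.Error:
            rows = []
        return _render(rows)
    return serve

def inject(request, field, payload):
    """Claims 2 and 3: copy of the target request with `payload` appended to the
    target field, either the last URL query parameter or a named header."""
    req = {"url": request["url"], "headers": dict(request["headers"])}
    if field == "url":
        parts = urlsplit(req["url"])
        params = parse_qsl(parts.query)
        if not params:
            raise ValueError("target request has no URL parameter to probe")
        name, value = params[-1]
        params[-1] = (name, value + payload)
        req["url"] = urlunsplit(parts._replace(query=urlencode(params)))
    else:
        req["headers"][field] = req["headers"].get(field, "") + payload
    return req

class _Flatten(HTMLParser):
    """Flatten a page into (depth, tag, attrs, text) tuples: a crude DOM node list."""
    def __init__(self):
        super().__init__()
        self.nodes, self.depth = [], 0
    def handle_starttag(self, tag, attrs):
        self.nodes.append((self.depth, tag, tuple(sorted(attrs)), ""))
        self.depth += 1
    def handle_endtag(self, tag):
        self.depth -= 1
    def handle_data(self, data):
        if data.strip():
            self.nodes.append((self.depth, "#text", (), data.strip()))

def dom_nodes(html):
    """Claim 6: parse page content into its DOM nodes."""
    parser = _Flatten()
    parser.feed(html)
    return parser.nodes

def differing_nodes(first, second):
    """Claim 4: nodes present in one parsing result but not the other."""
    return set(first) ^ set(second)

def detect_injection(server, request, field):
    """Claim 1: any DOM node differing between the true-logic and false-logic
    responses means the server evaluated the injected logic."""
    first_page = server(inject(request, field, TRUE_LOGIC))
    second_page = server(inject(request, field, FALSE_LOGIC))
    return len(differing_nodes(dom_nodes(first_page), dom_nodes(second_page))) > 0

if __name__ == "__main__":
    target = {"url": "http://shop.example/item?id=1", "headers": {"Cookie": "uid=1"}}
    for where, safe in (("url", False), ("url", True), ("Cookie", False), ("Cookie", True)):
        verdict = detect_injection(make_server(where, safe), target, where)
        print(f"{where:6} parameterized={safe}: injection={verdict}")
```

Two caveats a practitioner would add before running this against a real site. Pages that vary between any two fetches (timestamps, nonces, CSRF tokens, rotating content) will always yield differing nodes, so a pure node-set comparison as claimed produces false positives; the usual hardening is to fetch the unmodified request as a baseline, strip known-volatile nodes, and report only when the true-logic page matches the baseline while the false-logic page does not. Appending a fragment to the Host header also changes routing on most real servers, so a differing page there may reflect virtual-host selection rather than evaluated logic.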
PCT/CN2018/108718 2018-07-25 2018-09-29 Injection vulnerability detection method and device WO2020019515A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810832008.2A CN109120603B (en) 2018-07-25 2018-07-25 Injection vulnerability detection method and device
CN201810832008.2 2018-07-25

Publications (1)

Publication Number Publication Date
WO2020019515A1 true WO2020019515A1 (en) 2020-01-30

Family

ID=64862212

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/108718 WO2020019515A1 (en) 2018-07-25 2018-09-29 Injection vulnerability detection method and device

Country Status (2)

Country Link
CN (1) CN109120603B (en)
WO (1) WO2020019515A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112202717B (en) * 2020-09-02 2023-09-05 深信服科技股份有限公司 HTTP request processing method and device, server and storage medium
CN114884730B (en) * 2022-05-07 2023-12-29 深信服科技股份有限公司 Request detection method, device, equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070156644A1 (en) * 2006-01-05 2007-07-05 Microsoft Corporation SQL injection detector
CN102902820A (en) * 2012-10-31 2013-01-30 华为技术有限公司 Method and device for identifying database type
CN103441985A (en) * 2013-07-25 2013-12-11 国家电网公司 SQL injection vulnerability detection method for COOKIE mode
CN107704758A (en) * 2017-08-25 2018-02-16 郑州云海信息技术有限公司 A kind of SQL injection leak detection method and detection means

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101122629B1 (en) * 2011-11-18 2012-03-09 김춘기 Method for creation of xml document using data converting of database
CN103902912B (en) * 2012-12-26 2017-09-19 深圳市腾讯计算机系统有限公司 The detection method and device of webpage leak

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHANG, CHEN ET AL.: "SQL Injection Vulnerability Detection Based on Webpage DOM Tree Comparison", COMPUTER ENGINEERING, vol. 38, no. 18, 30 September 2012 (2012-09-30) *

Also Published As

Publication number Publication date
CN109120603A (en) 2019-01-01
CN109120603B (en) 2021-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 18927342; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
    Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 03/05/2021)
122 Ep: pct application non-entry in european phase
    Ref document number: 18927342; Country of ref document: EP; Kind code of ref document: A1