WO2020062644A1 - Json hijack bug detection method, apparatus and device, and storage medium - Google Patents


Info

Publication number
WO2020062644A1
Authority
WO
WIPO (PCT)
Prior art keywords
response result
website
format
json
hijacking
Prior art date
Application number
PCT/CN2018/122809
Other languages
French (fr)
Chinese (zh)
Inventor
何双宁
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2020062644A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present application relates to the field of communication technologies, and in particular to a method, an apparatus, a device, and a storage medium for detecting a JSON hijacking vulnerability.
  • JSON (JavaScript Object Notation) is a lightweight data-interchange format; hijacking means stealing data (it could also be called robbery or interception).
  • in other words, a malicious attacker intercepts, by some specific means, the JSON data that should be returned to the user and has it sent back to the attacker instead. This is the approximate meaning of JSON hijacking.
  • typically, the hijacked JSON data contains sensitive information or valuable data.
  • in the prior art, a static character analysis method is used to determine whether the response result can be used across domains, and thereby to detect whether a website has a JSON hijacking vulnerability. This method has low accuracy in detecting JSON hijacking.
  • the main purpose of this application is to provide a method, an apparatus, a device and a storage medium for detecting a JSON hijacking vulnerability, which aim to solve the existing technical problem of low accuracy in detecting JSON hijacking vulnerabilities.
  • the present application provides a method for detecting a JSON hijacking vulnerability.
  • the method for detecting a JSON hijacking vulnerability includes steps:
  • if the second response result is different from the first response result, it is determined that the website to be tested has a JS Object Notation (JSON) hijacking vulnerability.
  • the JSON hijacking vulnerability detection device includes:
  • an execution module configured to, after obtaining the uniform resource locator (URL) and the website login status of the website to be tested, execute the URL in the website to be tested through the website login status to obtain a first response result, and, if it is detected that the first response result can be used across domains, execute the URL in the website to be tested without using the website login status to obtain a second response result;
  • a determining module configured to determine, if the second response result is different from the first response result, that the website to be tested has a JS Object Notation (JSON) hijacking vulnerability.
  • the present application also provides a JSON hijacking vulnerability detection device.
  • the JSON hijacking vulnerability detection device includes a memory, a processor, and computer-readable instructions that are stored on the memory and can run on the processor; when executed by the processor, the computer-readable instructions implement the steps of the method for detecting a JSON hijacking vulnerability as described above.
  • the present application also provides a computer-readable storage medium on which computer-readable instructions are stored; when the computer-readable instructions are executed by a processor, they implement the steps of the method for detecting a JSON hijacking vulnerability described above.
  • this application first executes a URL on the website to be tested through the website login status to obtain a corresponding first response result. After determining that the first response result can be used across domains, the URL is executed on the website to be tested without using the website login status to obtain a corresponding second response result. If the second response result is determined to be different from the first response result, it is determined that the website to be tested has a JSON hijacking vulnerability.
  • the method of dynamically simulating the execution of the URL is thus used to determine whether the website to be tested has a JSON hijacking vulnerability, and the accuracy of detecting whether a website has a JSON hijacking vulnerability is improved.
  • FIG. 1 is a schematic flowchart of a first embodiment of a JSON hijacking vulnerability detection method of the present application
  • FIG. 2 is a schematic flowchart of a second embodiment of a method for detecting a JSON hijacking vulnerability in this application
  • FIG. 3 is a schematic flowchart of a third embodiment of a method for detecting a JSON hijacking vulnerability of the present application
  • FIG. 4 is a functional schematic block diagram of a preferred embodiment of a detection device for JSON hijacking vulnerability in this application;
  • FIG. 5 is a schematic structural diagram of a hardware operating environment involved in the solution of the embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a first embodiment of a method for detecting a JSON hijacking vulnerability in this application.
  • the embodiment of the present application provides an embodiment of a method for detecting a JSON hijacking vulnerability. It should be noted that although a logical sequence is shown in the flowchart, in some cases the steps may be performed in an order different from that shown or described here.
  • the method for detecting a JSON hijacking vulnerability is applied to a server or a terminal; the terminal may include mobile terminals such as a mobile phone, a tablet computer, a laptop computer, a palmtop computer and a personal digital assistant (PDA), as well as fixed terminals such as a digital TV or a desktop computer.
  • the executing entity is omitted in the description of each embodiment.
  • the method for detecting a JSON hijacking vulnerability includes:
  • step S10: after the uniform resource locator (URL) and the website login status of the website to be tested are obtained, the URL is executed on the website to be tested through the website login status to obtain a first response result.
  • a web browser that allows cross-domain use allows cross-domain use of JavaScript code, or of a JSONP response; for a JSON hijacking attack to be possible, the response result must be exploitable across domains by URLs of other domain names.
  • the website to be tested is a WEB (World Wide Web) site; the World Wide Web, also called the global wide area network and commonly known as the Web, is a global, dynamic, interactive, cross-platform distributed graphical information system based on hypertext and HTTP (Hypertext Transfer Protocol).
  • a URL is a concise representation of the location and access method of a resource that can be obtained from the Internet; it is the address of a standard resource on the Internet.
  • the website login status is identification data used to identify the currently logged-in user of the website; the website login status can prove the uniqueness and legitimacy of the website user.
  • the website login status refers to a Cookie, a Session ID, a Token, etc.
  • a Cookie is data (usually encrypted) stored on the user's local terminal by some websites in order to identify users and track sessions; a Session ID identifies a user by recording information on the server side.
  • a Token is a string generated by the server as a credential for client requests. After the first login, the server generates a token and returns it to the client; from then on, the client only needs to carry this token to request data, without sending the username and password again.
  • step S20: if it is detected that the first response result can be used across domains, the URL is executed on the website to be tested without using the website login status to obtain a second response result.
  • that is, the URL is not executed on the website to be tested through the website login status; the URL is executed on the website to be tested without the website login status.
  • the response result of executing the URL in this way is recorded as the second response result. It should be noted that when a browser requests a resource of another domain name from a web page of one domain name, a difference in any one of domain name, port, or protocol counts as cross-domain.
  • that the first response result can be used across domains means that the first response result can be executed across domains; in that case, the data of another page can be obtained through the response result.
  • step S30: if the second response result is different from the first response result, it is determined that the website to be tested has a JS Object Notation (JSON) hijacking vulnerability.
  • the JSON hijacking vulnerability is also known as a JSON Hijacking vulnerability.
  • the CGI (Common Gateway Interface) of the website under test.
  • executing the URL obtains corresponding response data. If the response data corresponding to the first response result and to the second response result differ, the first response result is determined to be different from the second response result; if the response data corresponding to the two response results are the same, the first response result and the second response result are determined to be the same.
  • the URL is first executed on the website to be tested through the website login status to obtain the corresponding first response result. After determining that the first response result can be used across domains, the URL is executed on the website to be tested without the website login status to obtain a corresponding second response result. If the second response result is determined to be different from the first response result, it is determined that the website to be tested has a JSON hijacking vulnerability.
  • the method of dynamically simulating the execution URL is implemented to determine whether the website to be tested has a JSON hijacking vulnerability, and the accuracy of detecting whether a website has a JSON hijacking vulnerability is improved.
  • the JSON hijacking vulnerability detection method further includes:
  • step S40: if the second response result is the same as the first response result, it is detected whether sensitive information exists in the first response result.
  • Sensitive information includes, but is not limited to, bank card account number, ID card number, user ID, mobile phone number, email account number, intranet address, and home address.
  • step S40 includes:
  • step a: if the second response result is the same as the first response result, obtain the regular expression corresponding to the preset sensitive information, and perform regular matching between the first response result and the regular expression.
  • that is, the regular expression corresponding to the preset sensitive information is acquired, and the first response result is regular-matched against the regular expression of the sensitive information.
  • the regular expression of the sensitive information is set in advance and stored in the memory; each kind of sensitive information corresponds to one regular expression. It should be noted that, in the process of regular-matching the first response result, the data contained in the first response result is matched one by one against all the regular expressions stored in the memory; only when the first response result fails to match every regular expression can it be determined that no sensitive information exists in the first response result.
  • step b: if the regular match between the first response result and the regular expression succeeds, it is determined that sensitive information exists in the first response result.
  • for example, the regular expression corresponding to a mobile phone number is: network identification number + 8 digits, where the network identification number is the first three digits of the mobile phone number, that is, 138, 189 and 188. If some data in the first response result is 138 followed by 8 digits, it can be determined that the first response result successfully matches the regular expression for mobile phone numbers.
  • step c: if the first response result fails to match the regular expression, it is determined that no sensitive information exists in the first response result.
  • a sensitive database may be preset in the memory, and sensitive data is stored in the sensitive database.
  • each piece of data in the first response result is extracted, and the extracted data is compared with the sensitive data in the sensitive database. If the sensitive data is consistent with the data, it is determined that there is sensitive information in the first response result; if no sensitive data consistent with the extracted data is found in the sensitive database, it is determined that there is no sensitive information in the first response result.
  • step S50: if sensitive information is detected in the first response result, it is determined that the website to be tested has the JSON hijacking vulnerability.
  • further, a prompt message can be output through the website to be tested, so that the corresponding operation and maintenance personnel repair the JSON hijacking vulnerability of the website to be tested according to the prompt information; the methods for outputting the prompt information include, but are not limited to, text or voice.
  • step S60: if it is detected that no sensitive information exists in the first response result, it is determined that the website to be tested does not have the JSON hijacking vulnerability.
  • This embodiment uses a method of dynamically simulating the execution of a URL to determine whether the website under test has a JSON hijacking vulnerability, and further determines whether the website under test has a JSON hijacking vulnerability by detecting whether there is sensitive information in the response result.
  • this embodiment improves the versatility of JSON hijacking vulnerability detection while reducing its false positive rate and false negative rate. It should be noted that using sensitive keyword analysis alone to detect whether a website has a JSON hijacking vulnerability has low universality.
  • a false positive means that, during website vulnerability detection, a URL of the website that originally has no vulnerability is incorrectly detected as vulnerable; a false negative means that, during website vulnerability detection, a URL of the website that is actually vulnerable is not detected.
  • the third embodiment of the method for detecting a JSON hijacking vulnerability is different from the first or second embodiment of the method for detecting a JSON hijacking vulnerability in that, referring to FIG. 3, the method for detecting a JSON hijacking vulnerability further includes:
  • step S70: it is detected whether the first response result can be used across domains.
  • step S70 includes:
  • step d: detecting whether the first response result is a Hypertext Markup Language (HTML) document.
  • the web browser corresponding to the website follows the security mechanism of the same-origin policy.
  • the same-origin policy is an important concept in the security model of web applications. Under this policy, the web browser allows a script of a first page to access the data on a second page only if the two pages have the same origin, where the origin is the combination of URI (Uniform Resource Identifier), host name and port number. This policy prevents a malicious script on one page from gaining access to sensitive information on another page through that page's DOM (Document Object Model) object.
  • JSONP (JSON with Padding) is a "usage mode" of JSON that allows web pages to obtain information from other domain names (websites), that is, to read data across domains.
  • JavaScript scripts implement their functions by being embedded in HTML.
  • step d includes:
  • step d1: detecting whether an HTML tag is carried in the first response result.
  • the HTML DOM defines how an HTML document is accessed and manipulated; the HTML tags are stored in advance, according to the HTML document, in the form of a tree structure.
  • step d2: if it is detected that the first response result carries an HTML tag, it is determined that the first response result is an HTML document.
  • step d3: if it is detected that no HTML tag is carried in the first response result, it is determined that the first response result is not an HTML document.
  • step e: if it is detected that the first response result is the HTML document, it is determined that the first response result cannot be used across domains.
  • step f: if it is detected that the first response result is not the HTML document, the first response result is simulated and executed by a JavaScript virtual machine to obtain a corresponding execution result.
  • that is, the first response result is dynamically simulated and executed by a JavaScript virtual machine to obtain a corresponding execution result.
  • the JavaScript virtual machine includes, but is not limited to, Node.js, PhantomJS, and so on. Node.js is a JavaScript runtime environment; PhantomJS is a WebKit-based server-side JavaScript API (Application Programming Interface) that fully supports the Web without the need for a browser, is fast, and natively supports various Web standards.
  • step g: if it is determined, according to the execution result, that the first response result executed successfully, it is determined that the first response result can be used across domains.
  • if the JavaScript virtual machine simulates the execution of the first response result and the execution succeeds, this indicates that the first response result is a piece of executable JavaScript code and can be used across domains.
  • when the JavaScript virtual machine simulates the execution of the first response result and the execution succeeds, the virtual machine returns an identifier of successful execution, and the execution result is that identifier; if the execution of the first response result fails, the virtual machine returns an error message, and the execution result is that error message. Therefore, whether the first response result executed successfully can be determined according to whether the execution result is an identifier of successful execution or an error message.
  • step h: if it is determined, according to the execution result, that the execution of the first response result failed, it is detected whether the first response result is in a JSONP format.
  • when the execution of the first response result fails, this indicates that the first response result is not a piece of executable JavaScript code.
  • step h includes:
  • step h1: after determining, according to the execution result, that the execution of the first response result failed, determine the format of the first response result, and judge whether the format of the first response result is consistent with a preset JSONP format.
  • specifically, a pre-stored JSONP data format parsing engine is obtained, the format of the first response result is parsed by the JSONP data format parsing engine, and the parsed format of the first response result is compared with the preset JSONP format to determine whether the two are consistent.
  • step h2: if the format of the first response result is consistent with the preset JSONP format, it is determined that the format of the first response result is the JSONP format.
  • step h3: if the format of the first response result is inconsistent with the preset JSONP format, it is determined that the format of the first response result is not the JSONP format.
  • step i: if the format of the first response result is the JSONP format, it is determined that the first response result can be used across domains.
  • step j: if the format of the first response result is not the JSONP format, it is determined that the first response result cannot be used across domains.
  • step S80: if it is detected that the first response result cannot be used across domains, it is determined that the website to be tested does not have the JSON hijacking vulnerability.
  • further, a prompt message may be output through the website to be tested to inform the user, according to the prompt information, that the website to be tested is in a safe state.
  • this embodiment uses multiple methods to detect whether the first response result can be used across domains; when it is determined that the first response result cannot be used across domains, it is determined that the website to be tested does not have a JSON hijacking vulnerability, which further improves the accuracy of detecting whether the website to be tested has a JSON hijacking vulnerability.
  • the JSON hijacking vulnerability detection device includes:
  • the execution module 10 is configured to: after obtaining the uniform resource locator (URL) and the website login status of the website to be tested, execute the URL in the website to be tested through the website login status to obtain a first response result; and, when the first response result can be used across domains, execute the URL in the website to be tested without using the website login status to obtain a second response result;
  • a determining module 20 is configured to determine that, if the second response result is different from the first response result, the website to be tested has a JS object notation JSON hijacking vulnerability.
  • the detection device for the JSON hijacking vulnerability further includes:
  • a first detection module configured to detect whether there is sensitive information in the first response result if the second response result is the same as the first response result;
  • the determining module 20 is further configured to: if sensitive information is detected in the first response result, determine that the JSON hijacking vulnerability exists in the website to be tested; if it is detected that no sensitive information exists in the first response result, determine that the website to be tested does not have the JSON hijacking vulnerability.
  • the first detection module includes:
  • an obtaining unit configured to obtain the regular expression corresponding to preset sensitive information if the second response result is the same as the first response result;
  • a matching unit configured to perform regular matching between the first response result and the regular expression;
  • a first determining unit configured to determine that sensitive information exists in the first response result if the regular match between the first response result and the regular expression succeeds, and that no sensitive information exists in the first response result if the regular match fails.
  • the detection device for the JSON hijacking vulnerability further includes:
  • a second detection module configured to detect whether the first response result can be used across domains
  • the determining module 20 is further configured to determine that the JSON hijacking vulnerability does not exist on the website to be tested if it is detected that the first response result cannot be used across domains.
  • the second detection module includes:
  • a detecting unit configured to detect whether the first response result is a Hypertext Markup Language HTML document
  • a second determining unit configured to, if it is detected that the first response result is the HTML document, determine that the first response result cannot be used across domains;
  • An execution unit configured to, if it is detected that the first response result is not the HTML document, simulate and execute the first response result through a Javascript virtual machine to obtain a corresponding execution result;
  • the second determining unit is further configured to determine that the first response result can be used across domains after determining that the first response result is successfully executed according to the execution result;
  • the detecting unit is further configured to detect whether the first response result is in a JSONP format after determining that the execution of the first response result fails according to the execution result;
  • the second determining unit is further configured to determine that the first response result can be used across domains if the format of the first response result is the JSONP format, and that the first response result cannot be used across domains if the format of the first response result is not the JSONP format.
  • the detection unit includes:
  • a detection subunit configured to detect whether an HTML tag is carried in the first response result
  • a first determining subunit configured to determine that the first response result is an HTML document if it is detected that an HTML tag is carried in the first response result, and that the first response result is not an HTML document if it is detected that no HTML tag is carried in the first response result.
  • the detection unit further includes:
  • a second determining subunit configured to determine a format of the first response result after determining that the execution of the first response result fails according to the execution result
  • a judging unit configured to judge whether the format of the first response result is consistent with a preset JSONP format
  • the second determining subunit is further configured to determine that the format of the first response result is the JSONP format if the format of the first response result is consistent with the preset JSONP format, and that the format of the first response result is not the JSONP format if it is inconsistent with the preset JSONP format.
  • the specific implementation of the JSON hijacking vulnerability detection device is basically the same as the above embodiments of the JSON hijacking vulnerability detection method, and is not described in detail here.
  • FIG. 5 is a schematic structural diagram of the hardware operating environment of the detection device for the JSON hijacking vulnerability involved in the solution of the embodiment of the present application.
  • the detection device for the JSON hijacking vulnerability in the embodiment of the present application may be a terminal device such as a PC or a portable computer.
  • the detection device for the JSON hijacking vulnerability may include: a processor 1001, such as a CPU, a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002.
  • the communication bus 1002 is used to implement connection and communication between these components.
  • the user interface 1003 may include a display, an input unit such as a keyboard, and the optional user interface 1003 may further include a standard wired interface and a wireless interface.
  • the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high-speed RAM or a non-volatile memory, such as disk storage.
  • the memory 1005 may optionally be a storage device independent of the foregoing processor 1001.
  • the detection device for the JSON hijacking vulnerability may further include a camera, RF (Radio Frequency) circuits, sensors, audio circuits, WiFi modules, and so on.
  • the structure of the detection device for the JSON hijacking vulnerability shown in FIG. 5 does not constitute a limitation on the detection device; it may include more or fewer components than shown, a combination of some components, or a different arrangement of components.
  • the memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and computer-readable instructions.
  • the operating system is a program that manages and controls the hardware and software resources of the detection device for the JSON hijacking vulnerability, and supports the operation of computer-readable instructions and other software or programs.
  • the user interface 1003 is mainly used to connect to the terminal held by the user and perform data communication with that terminal;
  • the network interface 1004 is mainly used to connect to the background server and perform data communication with the background server;
  • the processor 1001 can be used to call the computer-readable instructions stored in the memory 1005 and execute the steps of the JSON hijacking vulnerability detection method described above.
  • the specific implementation of the detection device for the JSON hijacking vulnerability in this application is basically the same as the embodiments of the method for detecting a JSON hijacking vulnerability described above, and is not described again here.
  • an embodiment of the present application further provides a computer-readable storage medium storing computer-readable instructions which, when executed by a processor, implement the steps of the method for detecting a JSON hijacking vulnerability described above.
  • the specific implementation of the computer-readable storage medium of the present application is basically the same as each embodiment of the method for detecting a JSON hijacking vulnerability described above, and is not described again here.

Abstract

Disclosed are a JSON hijack bug detection method, apparatus and device, and a storage medium. The method comprises the steps of: after a uniform resource locator (URL) and a website login state of a website to be tested are acquired, executing the URL in the website to be tested by means of the website login state to obtain a first response result (S10); if it is detected that the first response result can be utilized in a cross-domain manner, not executing the URL in the website to be tested by means of the website login state to obtain a second response result (S20); and if the second response result is different from the first response result, determining that there is a JS object notation (JSON) hijack bug in the website to be tested (S30). The method determines whether there is a JSON hijack bug in a website to be tested by means of a URL execution dynamic simulation method, thereby improving the accuracy of detecting whether there is the JSON hijack bug in the website.

Description

Detection method, apparatus, device and storage medium for a JSON hijacking vulnerability
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on September 25, 2018, with application number 201811112893.3 and entitled "Detection method, apparatus, device and storage medium for a JSON hijacking vulnerability", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a method, apparatus, device and storage medium for detecting a JSON hijacking vulnerability.
Background
JSON (JavaScript Object Notation) is a lightweight data interchange format, and hijacking means stealing data (or, more precisely, robbing or intercepting it). A malicious attacker uses particular means to intercept JSON data that should have been returned to the user and instead has that data sent back to the attacker; this is roughly what JSON hijacking means. Generally, the JSON data that is hijacked contains sensitive information or valuable data. At present, a static character analysis method is used to judge whether a response result can be exploited cross-domain and thereby detect whether a website has a JSON hijacking vulnerability; this method detects JSON hijacking with low accuracy.
Summary of the invention
The main purpose of the present application is to provide a method, apparatus, device and storage medium for detecting a JSON hijacking vulnerability, aiming to solve the technical problem that existing detection of JSON hijacking vulnerabilities has low accuracy.
To achieve the above purpose, the present application provides a method for detecting a JSON hijacking vulnerability, the method including the steps of:
after the uniform resource locator (URL) of a website to be tested and the website login state are obtained, executing the URL in the website to be tested with the website login state to obtain a first response result;
if it is detected that the first response result can be exploited cross-domain, executing the URL in the website to be tested without the website login state to obtain a second response result;
if the second response result differs from the first response result, determining that the website to be tested has a JavaScript Object Notation (JSON) hijacking vulnerability.
In addition, to achieve the above purpose, the present application further provides an apparatus for detecting a JSON hijacking vulnerability, the apparatus including:
an execution module, configured to, after the URL of a website to be tested and the website login state are obtained, execute the URL in the website to be tested with the website login state to obtain a first response result, and, if it is detected that the first response result can be exploited cross-domain, execute the URL in the website to be tested without the website login state to obtain a second response result;
a determination module, configured to determine, if the second response result differs from the first response result, that the website to be tested has a JSON hijacking vulnerability.
In addition, to achieve the above purpose, the present application further provides a device for detecting a JSON hijacking vulnerability, the device including a memory, a processor, and computer-readable instructions stored on the memory and executable on the processor, where the computer-readable instructions, when executed by the processor, implement the steps of the method for detecting a JSON hijacking vulnerability described above.
In addition, to achieve the above purpose, the present application further provides a computer-readable storage medium storing computer-readable instructions which, when executed by a processor, implement the steps of the method for detecting a JSON hijacking vulnerability described above.
The present application first executes the URL in the website to be tested with the website login state to obtain a corresponding first response result; after determining that the first response result can be exploited cross-domain, it executes the URL in the website to be tested without the website login state to obtain a corresponding second response result; if the second response result is determined to differ from the first response result, it determines that the website to be tested has a JSON hijacking vulnerability. Whether the website to be tested has a JSON hijacking vulnerability is thus judged by dynamically simulating execution of the URL, which improves the accuracy of detecting whether a website has a JSON hijacking vulnerability.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a first embodiment of the method for detecting a JSON hijacking vulnerability of the present application;
FIG. 2 is a schematic flowchart of a second embodiment of the method for detecting a JSON hijacking vulnerability of the present application;
FIG. 3 is a schematic flowchart of a third embodiment of the method for detecting a JSON hijacking vulnerability of the present application;
FIG. 4 is a functional block diagram of a preferred embodiment of the apparatus for detecting a JSON hijacking vulnerability of the present application;
FIG. 5 is a schematic structural diagram of the hardware operating environment involved in the solutions of the embodiments of the present application.
The realization of the purpose of the present application, its functional features and its advantages are further described below with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
The present application provides a method for detecting a JSON hijacking vulnerability. Referring to FIG. 1, FIG. 1 is a schematic flowchart of a first embodiment of the method for detecting a JSON hijacking vulnerability of the present application.
The embodiments of the present application provide an embodiment of the method for detecting a JSON hijacking vulnerability. It should be noted that although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from the one given here.
The method for detecting a JSON hijacking vulnerability is applied in a server or a terminal; the terminal may include mobile terminals such as a mobile phone, tablet computer, laptop computer, palmtop computer or personal digital assistant (PDA), as well as fixed terminals such as a digital TV or desktop computer. In the embodiments of the method for detecting a JSON hijacking vulnerability, for convenience of description, the executing subject is omitted when each embodiment is described. The method for detecting a JSON hijacking vulnerability includes:
Step S10: after the uniform resource locator (URL) of the website to be tested and the website login state are obtained, the URL is executed in the website to be tested with the website login state to obtain a first response result.
After the URL of the website to be tested and the website login state are obtained, the URL (Uniform Resource Locator) is executed in the website to be tested with the website login state, and the response result of executing the URL is recorded as the first response result. It can be understood that executing the URL in the website to be tested with the website login state means executing the URL in the website to be tested while carrying the website login state. The URL is the address of some resource in the website to be tested. The website login state can be entered by the user in the website to be tested as required, or stored in memory in advance and taken directly from memory when needed. It should be noted that web browsers all follow the security mechanism of the same-origin policy; if a web browser allows cross-domain use, it should allow JavaScript code to be used cross-domain, or it provides the JSONP scheme. A response result must be exploitable cross-domain by a URL of another domain name for a JSON hijacking attack to be possible.
In this embodiment, the website to be tested is on the WEB (World Wide Web), i.e. the global wide-area network, also called the World Wide Web and commonly called a website; it is a global, dynamically interactive, cross-platform distributed graphical information system based on hypertext and HTTP (Hyper Text Transfer Protocol). A URL is a concise representation of the location and access method of a resource obtainable from the Internet, i.e. the address of a standard resource on the Internet. The website login state is identification data used by the website to identify the currently logged-in user; it can prove the uniqueness and legitimacy of the website user, and generally refers to a Cookie, Session Id, Token, and the like. A Cookie is data (usually encrypted) that some websites store on the user's local terminal in order to identify the user and track the session; a Session Id identifies the user by recording information on the server side. A Token is a string generated by the server that serves as a credential for the client's requests: after the first login the server generates a Token and returns it to the client, and thereafter the client only needs to carry this Token when requesting data, without sending the user name and password again.
Step S20: if it is detected that the first response result can be exploited cross-domain, the URL is executed in the website to be tested without the website login state to obtain a second response result.
After the first response result is obtained, if it is detected that the first response result can be exploited cross-domain, the URL is executed in the website to be tested without the website login state, that is, the URL is executed in the website to be tested without carrying the website login state, and the response result of executing the URL is recorded as the second response result. It should be noted that when the browser requests a resource of another domain name from a web page of one domain name, any difference in domain name, port or protocol constitutes a cross-domain request. That the first response result can be exploited cross-domain means that it can be executed cross-domain, in which case data of another page can be obtained through that response result.
Step S30: if the second response result differs from the first response result, it is determined that the website to be tested has a JavaScript Object Notation (JSON) hijacking vulnerability.
After the second response result is obtained, it is judged whether the second response result is the same as the first response result. If the second response result differs from the first response result, it is determined that the website to be tested has a JSON hijacking vulnerability. A JSON hijacking vulnerability is also called a JSON Hijacking vulnerability. The CGI (Common Gateway Interface) of the website to be tested outputs data in JSON form. When the website to be tested has a JSON hijacking vulnerability, a third-party site controlled by a malicious attacker forces the user's browser, by means of CSRF (Cross-site request forgery), to request the CGI and obtain the JSON data, at which point the malicious attacker can obtain sensitive information. It can be understood that executing the URL yields corresponding response data; if the response data corresponding to the first and second response results differ, the first and second response results are determined to differ, and if the response data corresponding to the two response results are the same, the first and second response results are determined to be the same.
In this embodiment, the URL is first executed in the website to be tested with the website login state to obtain a corresponding first response result; after it is determined that the first response result can be exploited cross-domain, the URL is executed in the website to be tested without the website login state to obtain a corresponding second response result; if the second response result is determined to differ from the first response result, it is determined that the website to be tested has a JSON hijacking vulnerability. Whether the website to be tested has a JSON hijacking vulnerability is thus judged by dynamically simulating execution of the URL, which improves the accuracy of detecting whether a website has a JSON hijacking vulnerability.
Further, a second embodiment of the method for detecting a JSON hijacking vulnerability of the present application is proposed.
The difference between the second embodiment and the first embodiment of the method for detecting a JSON hijacking vulnerability is that, referring to FIG. 2, the method further includes:
Step S40: if the second response result is the same as the first response result, it is detected whether sensitive information exists in the first response result.
If it is determined that the second response result is the same as the first response result, it is detected whether sensitive information exists in the first response result. Sensitive information includes, but is not limited to, bank card numbers, ID card numbers, user IDs, mobile phone numbers, e-mail accounts, intranet addresses and home addresses.
Further, step S40 includes:
Step a: if the second response result is the same as the first response result, obtain the regular expressions corresponding to preset sensitive information, and perform regular matching of the first response result against the regular expressions.
Specifically, when it is determined that the second response result is the same as the first response result, the regular expressions corresponding to the preset sensitive information are obtained, and the first response result is matched against the regular expressions for sensitive information. The regular expressions for sensitive information are set in advance and stored in memory; each kind of sensitive information corresponds to one regular expression. It should be noted that when the first response result is matched against the regular expressions, the data contained in the first response result is matched one by one against all the regular expressions stored in memory, and only when the first response result fails to match every regular expression can it be determined that no sensitive information exists in the first response result.
Step b: if the first response result matches a regular expression, it is determined that sensitive information exists in the first response result.
After the first response result is matched against the regular expressions corresponding to sensitive information, it is judged whether the first response result matched a regular expression. When it is determined that the first response result matched a regular expression, it is determined that sensitive information exists in the first response result.
It can be understood that when the form of some datum in the first response result conforms to a regular expression, the first response result has matched that regular expression; when no datum in the first response result conforms to the regular expression, the first response result has failed to match it. For example, the regular expression corresponding to a mobile phone number is: network identification number + 8 digits, where the network identification number is the first three digits of the mobile phone number, e.g. 138, 189 or 188. If some datum in the first response result is 138 followed by 8 digits, it can be determined that the first response result matches the regular expression for mobile phone numbers.
Step c: if the first response result fails to match the regular expressions, it is determined that no sensitive information exists in the first response result.
If the first response result fails to match the regular expressions, it is determined that no sensitive information exists in the first response result.
Further, in this embodiment, a sensitive database storing sensitive data may also be preset in memory. When it is determined that the second response result is the same as the first response result, each datum in the first response result is extracted and compared with the sensitive data in the sensitive database; if sensitive data identical to an extracted datum is found in the sensitive database, it is determined that sensitive information exists in the first response result, and if no sensitive data identical to the extracted data is found in the sensitive database, it is determined that no sensitive information exists in the first response result.
Step S50: if the sensitive information is detected in the first response result, it is determined that the website to be tested has the JSON hijacking vulnerability.
If sensitive information is detected in the first response result, it is determined that the website to be tested has a JSON hijacking vulnerability. Further, after it is determined that the website to be tested has a JSON hijacking vulnerability, prompt information can be output through the website to be tested so as to prompt the responsible operation and maintenance personnel to repair the JSON hijacking vulnerability in the website to be tested; the prompt information may be output in ways including, but not limited to, text or speech.
Step S60: if it is detected that the sensitive information does not exist in the first response result, it is determined that the website to be tested does not have the JSON hijacking vulnerability.
If no sensitive information is detected in the first response result, it is determined that no JSON hijacking vulnerability exists in the website to be tested.
On the basis of judging whether the website to be tested has a JSON hijacking vulnerability by dynamically simulating execution of the URL, this embodiment further judges whether the website to be tested has a JSON hijacking vulnerability by detecting whether sensitive information exists in the response result; that is, it detects whether the website to be tested has a JSON hijacking vulnerability by combining sensitive information with the website login state. Compared with detecting whether a website has a JSON hijacking vulnerability purely by sensitive keyword analysis, this embodiment improves the generality of JSON hijacking vulnerability detection and at the same time reduces its false-positive and false-negative rates. It should be noted that detecting whether a website has a JSON hijacking vulnerability by sensitive keyword analysis has low generality. A false positive occurs in website vulnerability detection when a URL of the website has no vulnerability but is wrongly detected as having one. A false negative occurs in website vulnerability detection when a URL of the website does have a vulnerability but it is not detected.
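As an added example (not the patent's own code), the following Node.js script implements steps a to c of S40 for the case where the two response results are identical, plus the sensitive-database alternative described in the same embodiment. The mobile-number pattern follows the page's description (network identification number 138, 188 or 189 followed by 8 digits); the remaining patterns, the sensitive-database contents and the sample response are constructed assumptions for illustration.

```javascript
'use strict';

// Preset regular expressions, one per kind of sensitive information (step a).
// Only the mobile-number rule comes from the page; the others are this
// example's assumptions and are deliberately simple.
const SENSITIVE_PATTERNS = [
  { kind: 'mobile_number', re: /\b1(?:38|88|89)\d{8}\b/ },
  { kind: 'email', re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/ },
  // Private IPv4 ranges as a stand-in for "intranet address".
  { kind: 'intranet_address',
    re: /\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b/ },
  // A 16-19 digit run as a rough bank-card-number shape.
  { kind: 'bank_card', re: /\b\d{16,19}\b/ },
];

// Steps a-c: match the first response result against every preset pattern
// in turn. Returns the first kind that matched, or null only after all
// patterns have failed (the page's "match one by one until all fail").
function findSensitiveInfo(body) {
  for (const { kind, re } of SENSITIVE_PATTERNS) {
    const m = re.exec(body);
    if (m) return { kind, sample: m[0] };
  }
  return null;
}

// Alternative from the same embodiment: a preset sensitive database.
// Each datum extracted from the response is looked up in it. Contents are
// constructed for this example.
const SENSITIVE_DATABASE = new Set(['13800001234', 'alice@example.com']);

// Extract leaf values from a JSON body; fall back to simple tokenisation
// when the body is not valid JSON (e.g. a JSONP wrapper).
function extractDataItems(body) {
  try {
    const items = [];
    const walk = (v) => {
      if (Array.isArray(v)) v.forEach(walk);
      else if (v && typeof v === 'object') Object.values(v).forEach(walk);
      else items.push(String(v));
    };
    walk(JSON.parse(body));
    return items;
  } catch (_) {
    return body.split(/[^\w.@+-]+/).filter(Boolean);
  }
}

function findInSensitiveDatabase(body) {
  return extractDataItems(body).filter((item) => SENSITIVE_DATABASE.has(item));
}

// Steps S30 and S40-S60 chained: `first` and `second` are the bodies
// obtained with and without the website login state.
function classifyResponses(first, second) {
  if (first !== second) {
    return { vulnerable: true, reason: 'responses differ (S30)' };
  }
  const hit = findSensitiveInfo(first);                          // S40
  if (hit) {
    return { vulnerable: true, reason: 'sensitive info: ' + hit.kind, hit }; // S50
  }
  return { vulnerable: false, reason: 'identical and no sensitive info (S60)' };
}

// Constructed sample response (not captured from any real site).
const SAMPLE_RESPONSE =
  '[{"user":"alice","phone":"13800001234","office":"10.2.3.4"}]';
```

Running `classifyResponses(SAMPLE_RESPONSE, SAMPLE_RESPONSE)` reports a hit on the mobile-number pattern even though both requests returned the same body, which is the situation the second embodiment exists to catch; `findInSensitiveDatabase(SAMPLE_RESPONSE)` reaches the same verdict through the database route. Keep the patterns anchored on word boundaries, as above, or digit runs inside unrelated identifiers will raise the false-positive rate the embodiment is trying to lower.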
Further, a third embodiment of the method for detecting a JSON hijacking vulnerability of the present application is proposed.
The difference between the third embodiment and the first or second embodiment of the method for detecting a JSON hijacking vulnerability is that, referring to FIG. 3, the method further includes:
Step S70: it is detected whether the first response result can be exploited cross-domain.
After the first response result is obtained, it is detected whether the first response result can be exploited cross-domain.
Further, step S70 includes:
Step d: detect whether the first response result is a Hypertext Markup Language (HTML) document.
Specifically, after the first response result is obtained, it is detected whether the first response result is an HTML (Hyper Text Markup Language) document. It should be noted that the web browser corresponding to the website follows the security mechanism of the same-origin policy. The same-origin policy is an important concept in the security model of web applications: under this policy, a web browser allows a script of a first page to access data in a second page only when the two pages have the same origin, where the origin is the combination of the URI (Uniform Resource Identifier), host name and port number. This policy prevents a malicious script on one page from gaining access to sensitive information on another page through that page's DOM (Document Object Model) object. For the convenience of website use, however, web browsers provide two schemes that allow cross-domain use: first, allowing JavaScript code to be used cross-domain; second, the JSONP (JSON with Padding) scheme. JSONP is a "usage pattern" of JSON that lets a web page obtain data from another domain name (website), that is, read data cross-domain. JavaScript scripts usually realize their functions by being embedded in HTML.
Further, step d includes:
Step d1: detect whether the first response result carries an HTML tag.
Specifically, it is detected whether the first response result carries an HTML tag. The HTML DOM defines a standard method of accessing and manipulating HTML documents, and the DOM expresses an HTML document as a tree structure. It should therefore be noted that the HTML tags are preset and stored according to the HTML document represented as a tree structure.
Step d2: if it is detected that the first response result carries the HTML tag, it is determined that the first response result is an HTML document.
If it is detected that the first response result carries an HTML tag, it is determined that the first response result is an HTML document.
Step d3: if it is detected that the first response result does not carry the HTML tag, it is determined that the first response result is not an HTML document.
If it is detected that the first response result does not carry an HTML tag, it is determined that the first response result is not an HTML document.
Step e: if it is detected that the first response result is the HTML document, it is determined that the first response result cannot be exploited cross-domain.
When it is detected that the first response result is an HTML document, it is determined that the first response result cannot be exploited cross-domain.
Step f: if it is detected that the first response result is not the HTML document, the first response result is executed by simulation in a JavaScript virtual machine to obtain a corresponding execution result.
When it is detected that the first response result is not an HTML document, the first response result is executed by dynamic simulation in a JavaScript virtual machine to obtain a corresponding execution result. The JavaScript virtual machine includes, but is not limited to, Node.JS, PhantomJS and the like. Node.JS is a JavaScript runtime environment; PhantomJS is a WebKit-based server-side JavaScript API (Application Programming Interface). It fully supports the Web without needing a browser, is fast, and natively supports various Web standards.
Step g: when it is determined from the execution result that the first response result executed successfully, it is determined that the first response result can be exploited cross-domain.
When it is determined from the execution result that the first response result executed successfully, it is determined that the first response result can be exploited cross-domain. It should be noted that if the simulated execution of the first response result in the JavaScript virtual machine succeeds, this indicates that the first response result is a piece of executable JavaScript code and can be exploited cross-domain. After the JavaScript virtual machine executes the first response result by simulation, if the execution succeeds the virtual machine returns a success indicator, and the execution result is that success indicator; if the execution fails the virtual machine returns error information, and the execution result is that error information. Therefore, whether the first response result executed successfully can be determined from whether the execution result is a success indicator or error information. This embodiment does not limit the specific form of the success indicator.
Step h: when it is determined from the execution result that execution of the first response result failed, it is detected whether the first response result is in JSONP format.
When it is determined from the execution result that execution of the first response result failed, it is detected whether the first response result is in JSONP format. Failure of the execution of the first response result indicates that the first response result is not a piece of executable JavaScript code.
进一步地,步骤h包括:Further, step h includes:
步骤h1,当根据所述执行结果确定所述第一响应结果执行失败后,确定所述第一响应结果的格式,并判断所述第一响应结果的格式与预设的JSONP格式是否一致。Step h1: After determining that the execution of the first response result fails according to the execution result, determine a format of the first response result, and determine whether the format of the first response result is consistent with a preset JSONP format.
当根据执行结果确定第一响应结果在Javascript虚拟机中执行失败后,获取预先存储的JSONP数据格式解析引擎,根据该JSONP数据格式解析引擎解析出第一响应结果的格式,并将第一响应结果的格式与预先设置的JSONP格式进行对比,判断第一响应结果的格式与预设的JSONP格式是否一致。When it is determined that the execution of the first response result fails in the Javascript virtual machine according to the execution result, a pre-stored JSONP data format parsing engine is obtained, the format of the first response result is parsed according to the JSONP data format parsing engine, and the first response result is obtained. Compare the format of the JSONP with the preset JSONP format to determine whether the format of the first response result is consistent with the preset JSONP format.
步骤h2,若所述第一响应结果的格式与所述JSONP格式一致,则确定所述第一响应结果的格式为JSONP格式。Step h2: If the format of the first response result is consistent with the JSONP format, determine that the format of the first response result is the JSONP format.
若确定第一响应结果的格式与预设的JSONP格式一致,则确定第一响应结果的格式是JSONP格式。If it is determined that the format of the first response result is consistent with the preset JSONP format, then it is determined that the format of the first response result is a JSONP format.
步骤h3,若所述第一响应结果的格式与所述JSONP格式不一致,则确定所述第一响应结果的格式不是JSONP格式。Step h3: If the format of the first response result is inconsistent with the JSONP format, determine that the format of the first response result is not a JSONP format.
若确定第一响应结果的格式与预设JSONP格式不一致,则确定第一响应结果的格式不是JSONP格式。If it is determined that the format of the first response result is inconsistent with the preset JSONP format, then it is determined that the format of the first response result is not a JSONP format.
步骤i,若所述第一响应结果的格式是JSONP格式,则确定所述第一响应结果可被跨域利用。In step i, if the format of the first response result is a JSONP format, it is determined that the first response result can be used across domains.
若确定第一响应结果的格式是JSONP格式,则确定第一响应结果可被跨域利用。If it is determined that the format of the first response result is a JSONP format, it is determined that the first response result can be used across domains.
步骤j,若所述第一响应结果的格式不是JSONP格式,则确定所述第一响应结果不可被跨域利用。Step j: if the format of the first response result is not a JSONP format, determine that the first response result cannot be used across domains.
若确定第一响应结果的格式不是JSONP格式,则确定第一响应结果不可跨域利用。If it is determined that the format of the first response result is not a JSONP format, then it is determined that the first response result cannot be used across domains.
步骤S80,若检测到所述第一响应结果不可被跨域利用,则确定所述待测试网站未存在所述JSON劫持漏洞。In step S80, if it is detected that the first response result cannot be used across domains, it is determined that the website to be tested does not exist the JSON hijacking vulnerability.
若检测到第一响应结果不可以被跨域利用,则确定待测试网站未存在JSON劫持漏洞。进一步地,若确定待测试网站未存在JSON劫持漏洞,可通过待测试网站输出提示信息,以根据该提示信息提示用户待测试网站处于安全状态。If it is detected that the first response result cannot be used across domains, it is determined that the website to be tested does not have a JSON hijacking vulnerability. Further, if it is determined that the website to be tested does not have a JSON hijacking vulnerability, a prompt message may be output through the website to be tested to prompt the user that the website to be tested is in a safe state according to the prompt information.
本实施例通过多种方法检测第一响应结果是否可被跨域利用,当确定第一响应结果不可被跨域利用时,确定待测试网站未存在JSON劫持漏洞,进一步提高了检测待测试网站是否存在JSON劫持漏洞的准确率。This embodiment uses multiple methods to detect whether the first response result can be used across domains. When it is determined that the first response result cannot be used across domains, it is determined that the website to be tested does not have a JSON hijacking vulnerability, which further improves the detection of whether the website to be tested is Accuracy of JSON hijacking vulnerability.
In addition, referring to FIG. 4, the present application also provides a JSON hijacking vulnerability detection apparatus, which includes:
an execution module 10, configured to: after the uniform resource locator (URL) of the website to be tested and the website login state are obtained, execute the URL on the website to be tested with the website login state to obtain a first response result; and, if it is detected that the first response result can be exploited across domains, execute the URL on the website to be tested without the website login state to obtain a second response result;
a determining module 20, configured to determine that the website to be tested has a JavaScript Object Notation (JSON) hijacking vulnerability if the second response result differs from the first response result.
Further, the JSON hijacking vulnerability detection apparatus also includes:
a first detection module, configured to detect whether sensitive information is present in the first response result if the second response result is the same as the first response result;
the determining module 20 is further configured to determine that the website to be tested has the JSON hijacking vulnerability if the sensitive information is detected in the first response result, and to determine that the website to be tested does not have the JSON hijacking vulnerability if the sensitive information is not detected in the first response result.
Further, the first detection module includes:
an obtaining unit, configured to obtain a regular expression corresponding to preset sensitive information if the second response result is the same as the first response result;
a matching unit, configured to match the first response result against the regular expression;
a first determining unit, configured to determine that sensitive information is present in the first response result if the first response result matches the regular expression, and that no sensitive information is present in the first response result if the match fails.
Further, the JSON hijacking vulnerability detection apparatus also includes:
a second detection module, configured to detect whether the first response result can be exploited across domains;
the determining module 20 is further configured to determine that the website to be tested does not have the JSON hijacking vulnerability if it is detected that the first response result cannot be exploited across domains.
Further, the second detection module includes:
a detection unit, configured to detect whether the first response result is a Hypertext Markup Language (HTML) document;
a second determining unit, configured to determine that the first response result cannot be exploited across domains if the first response result is detected to be the HTML document;
an execution unit, configured to execute the first response result in simulation by a JavaScript virtual machine to obtain a corresponding execution result if the first response result is detected not to be the HTML document;
the second determining unit is further configured to determine that the first response result can be exploited across domains when the execution result shows that the first response result executed successfully;
the detection unit is further configured to detect whether the first response result is in JSONP format when the execution result shows that the execution of the first response result failed;
the second determining unit is further configured to determine that the first response result can be exploited across domains if the format of the first response result is JSONP, and that the first response result cannot be exploited across domains if its format is not JSONP.
Further, the detection unit includes:
a detection subunit, configured to detect whether an HTML tag is carried in the first response result;
a first determining subunit, configured to determine that the first response result is an HTML document if the HTML tag is detected in the first response result, and that the first response result is not an HTML document if no HTML tag is detected in it.
Further, the detection unit also includes:
a second determining subunit, configured to determine the format of the first response result when the execution result shows that the execution of the first response result failed;
a judging unit, configured to judge whether the format of the first response result is consistent with a preset JSONP format;
the second determining subunit is further configured to determine that the format of the first response result is JSONP if it is consistent with the JSONP format, and that the format of the first response result is not JSONP if it is inconsistent with the JSONP format.
It should be noted that the embodiments of the JSON hijacking vulnerability detection apparatus are substantially the same as the embodiments of the JSON hijacking vulnerability detection method described above, and are not described again in detail here.
In addition, the present application also provides a JSON hijacking vulnerability detection device. FIG. 5 is a schematic structural diagram of the hardware operating environment involved in the solution of the embodiments of the present application.
It should be noted that FIG. 5 may serve as the schematic structural diagram of the hardware operating environment of the JSON hijacking vulnerability detection device. In the embodiments of the present application, the JSON hijacking vulnerability detection device may be a terminal device such as a PC or a portable computer.
As shown in FIG. 5, the JSON hijacking vulnerability detection device may include a processor 1001 (for example a CPU), a memory 1005, a user interface 1003, a network interface 1004 and a communication bus 1002. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard; optionally, the user interface 1003 may also include standard wired and wireless interfaces. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage. The memory 1005 may optionally also be a storage device independent of the processor 1001.
Optionally, the JSON hijacking vulnerability detection device may also include a camera, radio frequency (RF) circuits, sensors, audio circuits, a WiFi module and the like.
Those skilled in the art will understand that the structure of the JSON hijacking vulnerability detection device shown in FIG. 5 does not limit the device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 5, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and computer-readable instructions. The operating system is the program that manages and controls the hardware and software resources of the JSON hijacking vulnerability detection device and supports the running of the computer-readable instructions and other software or programs.
In the JSON hijacking vulnerability detection device shown in FIG. 5, the user interface 1003 may be used to connect to and exchange data with a terminal held by the user; the network interface 1004 is mainly used to connect to and exchange data with a back-end server; and the processor 1001 may be used to call the computer-readable instructions stored in the memory 1005 and execute the steps of the JSON hijacking vulnerability detection method described above.
The specific implementation of the JSON hijacking vulnerability detection device of the present application is substantially the same as the embodiments of the JSON hijacking vulnerability detection method described above, and is not described again here.
In addition, an embodiment of the present application further provides a computer-readable storage medium storing computer-readable instructions which, when executed by a processor, implement the steps of the JSON hijacking vulnerability detection method described above.
The specific implementation of the computer-readable storage medium of the present application is substantially the same as the embodiments of the JSON hijacking vulnerability detection method described above, and is not described again here.
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes the element.
The serial numbers of the above embodiments of the present application are for description only and do not represent the superiority or inferiority of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not limit its patent scope; any equivalent structural or process transformation made using the contents of the specification and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included within the patent protection scope of the present application.

Claims (20)

  1. 一种JSON劫持漏洞的检测方法,其特征在于,所述JSON劫持漏洞的检测方法包括以下步骤:A method for detecting a JSON hijacking vulnerability is characterized in that the method for detecting a JSON hijacking vulnerability includes the following steps:
    当获取到待测试网站的统一资源定位符URL和网站登录态后,通过所述网站登录态在所述待测试网站中执行所述URL,得到第一响应结果;After obtaining the uniform resource locator URL and the website login status of the website to be tested, executing the URL in the website to be tested through the website login status to obtain a first response result;
    若检测到所述第一响应结果可被跨域利用,则不通过所述网站登录态在所述待测试网站中执行所述URL,得到第二响应结果;If it is detected that the first response result can be used across domains, execute the URL in the website to be tested without using the website login status to obtain a second response result;
    若所述第二响应结果与所述第一响应结果不同,则确定所述待测试网站存在JS对象简谱JSON劫持漏洞。If the second response result is different from the first response result, it is determined that the website to be tested has a JS object notation JSON hijacking vulnerability.
  2. 如权利要求1所述的JSON劫持漏洞的检测方法,其特征在于,所述若检测到所述第一响应结果可被跨域利用,则不通过所述网站登录态在所述待测试网站中执行所述URL,得到第二响应结果的步骤之后,还包括:The method for detecting a JSON hijacking vulnerability according to claim 1, characterized in that, if the first response result is detected to be cross-domain exploitable, it is not in the website to be tested through the website login status After the step of executing the URL to obtain a second response result, the method further includes:
    若所述第二响应结果与所述第一响应结果相同,则检测所述第一响应结果中是否存在敏感信息;If the second response result is the same as the first response result, detecting whether there is sensitive information in the first response result;
    若检测到所述第一响应结果中存在所述敏感信息,则确定所述待测试网站存在所述JSON劫持漏洞;If the sensitive information is detected in the first response result, determining that the JSON hijacking vulnerability exists in the website to be tested;
    若检测到所述第一响应结果中未存在所述敏感信息,则确定所述待测试网站未存在所述JSON劫持漏洞。If it is detected that the sensitive information does not exist in the first response result, it is determined that the website to be tested does not exist the JSON hijacking vulnerability.
  3. 如权利要求2所述的JSON劫持漏洞的检测方法,其特征在于,所述若所述第二响应结果与所述第一响应结果相同,则检测所述第一响应结果中是否存在敏感信息的步骤包括:The method for detecting a JSON hijacking vulnerability according to claim 2, wherein if the second response result is the same as the first response result, detecting whether there is sensitive information in the first response result The steps include:
    若所述第二响应结果与所述第一响应结果相同,则获取预设的敏感信息对应的正则表达式,并将所述第一响应结果与所述正则表达式进行正则匹配;If the second response result is the same as the first response result, obtaining a regular expression corresponding to the preset sensitive information, and performing regular matching on the first response result and the regular expression;
    若所述第一响应结果与所述正则表达式正则匹配成功,则确定所述第一响应结果中存在敏感信息;If the first response result and the regular expression regular match are successful, determining that sensitive information exists in the first response result;
    若所述第一响应结果与所述正则表达式正则匹配失败,则确定所述第一响应结果中未存在敏感信息。If the first response result fails to match the regular expression, it is determined that no sensitive information exists in the first response result.
  4. 如权利要求1所述的JSON劫持漏洞的检测方法,其特征在于,所述当获取到待测试网站的URL和网站登录态后,通过所述网站登录态在所述待测试网站中执行所述URL,得到第一响应结果的步骤之后,还包括:The method for detecting a JSON hijacking vulnerability according to claim 1, wherein after obtaining the URL of the website to be tested and the website login status, the method is executed in the website to be tested through the website login status. The URL, after the step of obtaining the first response result, further includes:
    检测所述第一响应结果是否可被跨域利用;Detecting whether the first response result can be used across domains;
    若检测到所述第一响应结果不可被跨域利用,则确定所述待测试网站未存在所述JSON劫持漏洞。If it is detected that the first response result cannot be used across domains, it is determined that the website to be tested does not exist the JSON hijacking vulnerability.
  5. 如权利要求4所述的JSON劫持漏洞的检测方法,其特征在于,所述检测所述第一响应结果是否可被跨域利用的步骤包括:The method for detecting a JSON hijacking vulnerability according to claim 4, wherein the step of detecting whether the first response result can be used across domains comprises:
    检测所述第一响应结果是否是超级文本标记语言HTML文档;Detecting whether the first response result is a Hypertext Markup Language HTML document;
    若检测到所述第一响应结果是所述HTML文档,则确定所述第一响应结果不可被跨域利用;If it is detected that the first response result is the HTML document, determining that the first response result cannot be used across domains;
    若检测所述第一响应结果不是所述HTML文档,则通过Javascript虚拟机模拟执行所述第一响应结果,得到对应的执行结果;If it is detected that the first response result is not the HTML document, simulating and executing the first response result through a Javascript virtual machine to obtain a corresponding execution result;
    当根据所述执行结果确定所述第一响应结果执行成功后,确定所述第一响应结果可被跨域利用;After determining that the first response result is successfully executed according to the execution result, determining that the first response result can be used across domains;
    当根据所述执行结果确定所述第一响应结果执行失败后,检测所述第一响应结果是否是JSONP格式;After determining that the execution of the first response result fails according to the execution result, detecting whether the first response result is in a JSONP format;
    若所述第一响应结果的格式是JSONP格式,则确定所述第一响应结果可被跨域利用;If the format of the first response result is a JSONP format, determining that the first response result can be used across domains;
    若所述第一响应结果的格式不是JSONP格式,则确定所述第一响应结果不可被跨域利用。If the format of the first response result is not a JSONP format, it is determined that the first response result cannot be used across domains.
  6. 如权利要求5所述的JSON劫持漏洞的检测方法,其特征在于,所述检测所述第一响应结果是否是HTML文档的步骤包括:The method for detecting a JSON hijacking vulnerability according to claim 5, wherein the step of detecting whether the first response result is an HTML document comprises:
    检测所述第一响应结果中是否携带HTML标签;Detecting whether an HTML tag is carried in the first response result;
    若检测到所述第一响应结果中携带所述HTML标签,则确定所述第一响应结果是HTML文档;If it is detected that the first response result carries the HTML tag, determining that the first response result is an HTML document;
    若检测所述第一响应结果中未携带所述HTML标签,则确定所述第一响应结果不是HTML文档。If it is detected that the HTML response is not carried in the first response result, it is determined that the first response result is not an HTML document.
  7. 如权利要求5所述的JSON劫持漏洞的检测方法,其特征在于,所述当根据所述执行结果确定所述第一响应结果执行失败后,检测所述第一响应结果是否是JSONP格式的步骤包括:The method for detecting a JSON hijacking vulnerability according to claim 5, wherein the step of detecting whether the first response result is in the JSONP format after determining that the first response result fails to be executed according to the execution result include:
    当根据所述执行结果确定所述第一响应结果执行失败后,确定所述第一响应结果的格式,并判断所述第一响应结果的格式与预设的JSONP格式是否一致;After determining that the execution of the first response result fails according to the execution result, determining a format of the first response result, and determining whether the format of the first response result is consistent with a preset JSONP format;
    若所述第一响应结果的格式与所述JSONP格式一致,则确定所述第一响应结果的格式是JSONP格式;If the format of the first response result is consistent with the JSONP format, determining that the format of the first response result is a JSONP format;
    若所述第一响应结果的格式与所述JSONP格式不一致,则确定所述第一响应结果的格式不是JSONP格式。If the format of the first response result is inconsistent with the JSONP format, it is determined that the format of the first response result is not a JSONP format.
  8. 如权利要求2所述的JSON劫持漏洞的检测方法,其特征在于,所述当获取到待测试网站的URL和网站登录态后,通过所述网站登录态在所述待测试网站中执行所述URL,得到第一响应结果的步骤之后,还包括:The method for detecting a JSON hijacking vulnerability according to claim 2, characterized in that after obtaining the URL of the website to be tested and the login status of the website, the execution is performed on the website to be tested through the website login status. The URL, after the step of obtaining the first response result, further includes:
    检测所述第一响应结果是否可被跨域利用;Detecting whether the first response result can be used across domains;
    若检测到所述第一响应结果不可被跨域利用,则确定所述待测试网站未存在所述JSON劫持漏洞。If it is detected that the first response result cannot be used across domains, it is determined that the website to be tested does not exist the JSON hijacking vulnerability.
  9. 如权利要求8所述的JSON劫持漏洞的检测方法,其特征在于,所述检测所述第一响应结果是否可被跨域利用的步骤包括:The method for detecting a JSON hijacking vulnerability according to claim 8, wherein the step of detecting whether the first response result can be used across domains comprises:
    检测所述第一响应结果是否是超级文本标记语言HTML文档;Detecting whether the first response result is a Hypertext Markup Language HTML document;
    若检测到所述第一响应结果是所述HTML文档,则确定所述第一响应结果不可被跨域利用;If it is detected that the first response result is the HTML document, determining that the first response result cannot be used across domains;
    若检测所述第一响应结果不是所述HTML文档,则通过Javascript虚拟机模拟执行所述第一响应结果,得到对应的执行结果;If it is detected that the first response result is not the HTML document, simulating and executing the first response result through a Javascript virtual machine to obtain a corresponding execution result;
    当根据所述执行结果确定所述第一响应结果执行成功后,确定所述第一响应结果可被跨域利用;After determining that the first response result is successfully executed according to the execution result, determining that the first response result can be used across domains;
    当根据所述执行结果确定所述第一响应结果执行失败后,检测所述第一响应结果是否是JSONP格式;After determining that the execution of the first response result fails according to the execution result, detecting whether the first response result is in a JSONP format;
    若所述第一响应结果的格式是JSONP格式,则确定所述第一响应结果可被跨域利用;If the format of the first response result is a JSONP format, determining that the first response result can be used across domains;
    若所述第一响应结果的格式不是JSONP格式,则确定所述第一响应结果不可被跨域利用。If the format of the first response result is not a JSONP format, it is determined that the first response result cannot be used across domains.
  10. 如权利要求9所述的JSON劫持漏洞的检测方法,其特征在于,所述检测所述第一响应结果是否是HTML文档的步骤包括:The method for detecting a JSON hijacking vulnerability according to claim 9, wherein the step of detecting whether the first response result is an HTML document comprises:
    检测所述第一响应结果中是否携带HTML标签;Detecting whether an HTML tag is carried in the first response result;
    若检测到所述第一响应结果中携带所述HTML标签,则确定所述第一响应结果是HTML文档;If it is detected that the first response result carries the HTML tag, determining that the first response result is an HTML document;
    若检测所述第一响应结果中未携带所述HTML标签,则确定所述第一响应结果不是HTML文档。If it is detected that the HTML response is not carried in the first response result, it is determined that the first response result is not an HTML document.
  11. The method for detecting a JSON hijacking vulnerability according to claim 9, wherein the step of, after it is determined from the execution result that execution of the first response result failed, detecting whether the first response result is in JSONP format comprises:
    after it is determined from the execution result that execution of the first response result failed, determining the format of the first response result and judging whether the format of the first response result is consistent with a preset JSONP format;
    if the format of the first response result is consistent with the JSONP format, determining that the format of the first response result is the JSONP format;
    if the format of the first response result is not consistent with the JSONP format, determining that the format of the first response result is not the JSONP format.
  12. The method for detecting a JSON hijacking vulnerability according to claim 3, wherein, after the step of, when the URL of the website to be tested and the website login state have been obtained, executing the URL on the website to be tested using the website login state to obtain a first response result, the method further comprises:
    detecting whether the first response result can be exploited cross-domain;
    if it is detected that the first response result cannot be exploited cross-domain, determining that the website to be tested does not have the JSON hijacking vulnerability.
  13. The method for detecting a JSON hijacking vulnerability according to claim 12, wherein the step of detecting whether the first response result can be exploited cross-domain comprises:
    detecting whether the first response result is a Hypertext Markup Language (HTML) document;
    if it is detected that the first response result is the HTML document, determining that the first response result cannot be exploited cross-domain;
    if it is detected that the first response result is not the HTML document, simulating execution of the first response result in a JavaScript virtual machine to obtain a corresponding execution result;
    after it is determined from the execution result that execution of the first response result succeeded, determining that the first response result can be exploited cross-domain;
    after it is determined from the execution result that execution of the first response result failed, detecting whether the first response result is in JSONP format;
    if the format of the first response result is the JSONP format, determining that the first response result can be exploited cross-domain;
    if the format of the first response result is not the JSONP format, determining that the first response result cannot be exploited cross-domain.
  14. The method for detecting a JSON hijacking vulnerability according to claim 13, wherein the step of detecting whether the first response result is an HTML document comprises:
    detecting whether the first response result carries an HTML tag;
    if it is detected that the first response result carries the HTML tag, determining that the first response result is an HTML document;
    if it is detected that the first response result does not carry the HTML tag, determining that the first response result is not an HTML document.
  15. The method for detecting a JSON hijacking vulnerability according to claim 13, wherein the step of, after it is determined from the execution result that execution of the first response result failed, detecting whether the first response result is in JSONP format comprises:
    after it is determined from the execution result that execution of the first response result failed, determining the format of the first response result and judging whether the format of the first response result is consistent with a preset JSONP format;
    if the format of the first response result is consistent with the JSONP format, determining that the format of the first response result is the JSONP format;
    if the format of the first response result is not consistent with the JSONP format, determining that the format of the first response result is not the JSONP format.
  16. A device for detecting a JSON hijacking vulnerability, wherein the device comprises:
    an execution module, configured to, when the uniform resource locator (URL) of a website to be tested and a website login state have been obtained, execute the URL on the website to be tested using the website login state to obtain a first response result, and, if it is detected that the first response result can be exploited cross-domain, execute the URL on the website to be tested without the website login state to obtain a second response result;
    a determining module, configured to determine that the website to be tested has a JavaScript Object Notation (JSON) hijacking vulnerability if the second response result differs from the first response result.
  17. The device for detecting a JSON hijacking vulnerability according to claim 16, wherein the device further comprises:
    a first detection module, configured to detect whether sensitive information is present in the first response result if the second response result is the same as the first response result;
    the determining module being further configured to determine that the website to be tested has the JSON hijacking vulnerability if the sensitive information is detected in the first response result, and to determine that the website to be tested does not have the JSON hijacking vulnerability if the sensitive information is not detected in the first response result.
  18. The device for detecting a JSON hijacking vulnerability according to claim 17, wherein the first detection module comprises:
    an obtaining unit, configured to obtain a regular expression corresponding to preset sensitive information if the second response result is the same as the first response result;
    a matching unit, configured to match the first response result against the regular expression;
    a first determining unit, configured to determine that sensitive information is present in the first response result if the first response result matches the regular expression, and to determine that no sensitive information is present in the first response result if the first response result does not match the regular expression.
  19. A device for detecting a JSON hijacking vulnerability, wherein the device comprises a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor, the computer-readable instructions, when executed by the processor, implementing the following steps:
    when the uniform resource locator (URL) of a website to be tested and a website login state have been obtained, executing the URL on the website to be tested using the website login state to obtain a first response result;
    if it is detected that the first response result can be exploited cross-domain, executing the URL on the website to be tested without the website login state to obtain a second response result;
    if the second response result differs from the first response result, determining that the website to be tested has a JavaScript Object Notation (JSON) hijacking vulnerability.
  20. A computer-readable storage medium, wherein computer-readable instructions are stored on the computer-readable storage medium and, when executed by a processor, implement the following steps:
    when the uniform resource locator (URL) of a website to be tested and a website login state have been obtained, executing the URL on the website to be tested using the website login state to obtain a first response result;
    if it is detected that the first response result can be exploited cross-domain, executing the URL on the website to be tested without the website login state to obtain a second response result;
    if the second response result differs from the first response result, determining that the website to be tested has a JavaScript Object Notation (JSON) hijacking vulnerability.
PCT/CN2018/122809 2018-09-25 2018-12-21 Json hijack bug detection method, apparatus and device, and storage medium WO2020062644A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811112893.3 2018-09-25
CN201811112893.3A CN109672658B (en) 2018-09-25 2018-09-25 JSON hijacking vulnerability detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2020062644A1 true WO2020062644A1 (en) 2020-04-02

Family

ID=66141596

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/122809 WO2020062644A1 (en) 2018-09-25 2018-12-21 Json hijack bug detection method, apparatus and device, and storage medium

Country Status (2)

Country Link
CN (1) CN109672658B (en)
WO (1) WO2020062644A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953556A (en) * 2020-07-02 2020-11-17 中盈优创资讯科技有限公司 Website automatic dial testing method and device, computer equipment and readable storage medium
CN112612700A (en) * 2020-12-21 2021-04-06 北京达佳互联信息技术有限公司 Interface test method and device and electronic equipment
CN115664833A (en) * 2022-11-03 2023-01-31 天津大学 Network hijacking detection method based on local area network security equipment
CN115664833B (en) * 2022-11-03 2024-04-02 天津大学 Network hijacking detection method based on local area network safety equipment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110278207B (en) * 2019-06-21 2023-04-07 深圳前海微众银行股份有限公司 Click hijacking vulnerability detection method and device and computer equipment
CN111723400A (en) * 2020-06-16 2020-09-29 杭州安恒信息技术股份有限公司 JS sensitive information leakage detection method, device, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753730A (en) * 2013-12-30 2015-07-01 腾讯科技(深圳)有限公司 Vulnerability detection method and device
CN105471821A (en) * 2014-08-29 2016-04-06 腾讯科技(深圳)有限公司 Browser-based information processing method and device
CN106209748A (en) * 2015-05-08 2016-12-07 阿里巴巴集团控股有限公司 The means of defence of internet interface and device
CN106302337A (en) * 2015-05-22 2017-01-04 腾讯科技(深圳)有限公司 leak detection method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023790A (en) * 2012-12-31 2013-04-03 北京京东世纪贸易有限公司 Method and system used for realizing cross-domain interactive access
US20160182561A1 (en) * 2014-12-18 2016-06-23 Level 3 Communications, Llc Route monitoring system for a communication network
CN106375144B (en) * 2016-08-29 2019-07-30 北京知道未来信息技术有限公司 A kind of network source tracing method based on the cross-domain acquisition information of JSONP

Also Published As

Publication number Publication date
CN109672658A (en) 2019-04-23
CN109672658B (en) 2022-01-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18935441; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 18935441; Country of ref document: EP; Kind code of ref document: A1