WO2020181841A1 - Method for automatically testing horizontal over-permission vulnerabilities and related device - Google Patents


Info

Publication number
WO2020181841A1
Authority
WO
WIPO (PCT)
Prior art keywords
account
test request
request url
comparison test
url
Prior art date
Application number
PCT/CN2019/122940
Other languages
French (fr)
Chinese (zh)
Inventor
唐新玉
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司
Publication of WO2020181841A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • This application relates to the field of comparative testing, and particularly relates to a method and related equipment for automatic testing for horizontal unauthorized vulnerabilities.
  • a system with a complete structure and secure rules should first determine the authority of the user who sent the request for each request received, and then provide corresponding services to it.
  • for certain permissions, the system does not check the authority of the user who sends a request exercising that permission, but directly serves that user.
  • users who do not have the permission can also use the permission, that is, the permission is exceeded.
  • among over-permission (ultra vires) vulnerabilities there is a horizontal kind, in which the attacker and the attacked person belong to the same permission group and each person should only be able to operate on the content of their own account, but in fact the attacker modifies the identity identifier in the request sent to the system to that of the attacked person and thereby succeeds in operating on the attacked person's permission content.
  • User A changes his identity identifier in the request sent to the system to the identity identifier of user B, thereby successfully modifying the password of user B. This situation is a horizontal over-permission.
  • this application provides a method and related equipment for automatically testing for horizontal unauthorized vulnerabilities.
  • the first aspect provides a method to automatically test for horizontal unauthorized vulnerabilities, including:
  • the account operation permission list displays all account operation permissions owned by the corresponding account
  • a device for automatically testing against horizontal unauthorized vulnerabilities including:
  • the creation module is used to create a first account and a second account with the same account operation permission list, the account operation permission list displays all account operation permissions owned by the corresponding account;
  • the reference test request module is configured to use the first account to make a reference test request for the operation authority of each of the accounts to obtain the corresponding reference test request URL;
  • the control test request module is configured to use the second account to perform a control test request for the operation authority of each account based on the reference test request URL, and obtain a corresponding control test request result;
  • the determining module is used to determine whether there is a horizontal overreach vulnerability based on the corresponding comparison test request result.
  • an electronic device that automatically tests for horizontal unauthorized vulnerabilities, including:
  • Memory configured to store executable instructions
  • the processor is configured to execute executable instructions stored in the memory to implement the above-mentioned method.
  • a computer-readable storage medium which stores computer program instructions, and when the computer instructions are executed by a computer, the computer executes the method described above.
  • the computer-readable storage medium may be a non-volatile computer-readable storage medium.
  • the embodiments of the present disclosure automatically create a first account and a second account, and use the second account to test the account operation permissions, which improves the efficiency of testing for horizontal over-permission vulnerabilities.
  • Fig. 1 shows a flowchart of automatic testing for horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure.
  • Fig. 2 shows a block diagram of an apparatus for automatically testing horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure.
  • Fig. 3 shows a detailed flow chart of creating a first account and a second account with the same account operation authority list according to an exemplary embodiment of the present disclosure.
  • FIG. 4 shows a detailed flow chart of using the second account to perform a comparison test request for each account operation authority based on the reference test request URL and obtaining the corresponding comparison test request result, according to an exemplary embodiment of the present disclosure.
  • Fig. 5 shows a detailed flow chart of determining the corresponding comparison test request URL based on the identification parameter value corresponding to the first account for each account operation authority according to an exemplary embodiment of the present disclosure.
  • Fig. 6 shows a system architecture diagram for automatic testing of horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure.
  • Fig. 7 shows a diagram of an electronic device that automatically tests for horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure.
  • FIG. 8 shows a diagram of a computer-readable storage medium that automatically tests for horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure.
  • a method for automatically testing for horizontal over-permission vulnerabilities includes: creating a first account and a second account with the same account operation permission list, where the account operation permission list displays all account operation permissions owned by the corresponding account; using the first account to make a reference test request for each account operation permission to obtain the corresponding reference test request URL; based on the reference test request URL, using the second account to perform a comparison test request for each account operation permission to obtain a corresponding comparison test request result; and, based on the corresponding comparison test request result, determining whether there is a horizontal over-permission vulnerability.
  • Fig. 1 shows a flowchart of automatic testing for horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure:
  • Step S100 Create a first account and a second account with the same account operation authority list, where the account operation authority list displays all account operation authority owned by the corresponding account;
  • Step S110 Use the first account to make a reference test request for the operation authority of each account, and obtain a corresponding reference test request URL;
  • Step S120 Based on the reference test request URL, use the second account to perform a comparison test request for the operation authority of each account, and obtain a corresponding comparison test request result;
  • Step S130 Based on the corresponding comparison test request result, it is determined whether there is a horizontal unauthorized vulnerability.
  • step S100 a first account and a second account having the same account operation authority list are created, and the account operation authority list displays all account operation authority owned by the corresponding account.
  • the first account and the second account have the same status as the operating authority of any account, so that the horizontal unauthorized vulnerability test can be further performed.
  • step S100 includes:
  • Step S1001 Create the first account
  • Step S1002 creating the second account
  • Step S1003 Assign all account operation permissions in the aggregated account operation permission list to the first account and the second account.
  • the first account and the second account are created first.
  • the aggregated account operation permissions are opened to the first account and the second account, so that the server can perform horizontal over-permission vulnerability detection on each account operation authority in the aggregated account operation permissions.
  • step S110 the first account is used to perform a reference test request for the operation authority of each account, and the corresponding reference test request URL is obtained.
  • the reference test request URL refers to the request URL sent by the first account to the system under test with the operating authority of the account to be tested.
  • the second account can refer to the reference test request URL, thereby further detecting the horizontal unauthorized vulnerability of the account operation authority.
  • using the first account to perform a reference test request for each account operation authority includes: using the first account to send the legal request URL corresponding to each account operation authority, and determining that legal request URL as the corresponding reference test request URL.
  • the legal request URL refers to the request URL sent by the account when it requests its own permission content with its own identity.
  • step S120 based on the reference test request URL, the second account is used to perform a comparison test request for the operation authority of each account, and a corresponding comparison test request result is obtained.
  • the control test request URL refers to the request URL sent by the second account to the system under test with reference to the reference test request URL.
  • the control test request result refers to the corresponding response message returned by the system under test in response to the control test request.
  • Performing a comparison test request through the second account makes it possible to determine whether the corresponding account operation authority has a horizontal override vulnerability based on the content of the corresponding comparison test request.
  • step S120 includes:
  • Step S1201 Determine each identification parameter in the reference test request URL and the identification parameter value corresponding to the first account from the reference test request URL sent by the first account;
  • Step S1202 For each account operation authority, determine a corresponding comparison test request URL based on the identification parameter value corresponding to the first account;
  • Step S1203 For each account operation authority, use the second account to send the corresponding comparison test request URL, and determine the corresponding return message as the corresponding comparison test request result.
  • the identification parameter refers to a parameter preset by the system under test to identify the identity of each account, or a certain attribute of it, by a unique parameter value; for example, "userID" corresponds to the identity of the account user and "addressID" corresponds to the address identifier of the account user.
  • the second account can use the identification parameter value of the first account to pretend to be the first account, thereby attempting to perform operations on the account operation authority content of the first account.
  • step S1202 includes:
  • Step S12021 For each account operation authority, replace the identification parameter value in the legal request URL corresponding to the second account with the identification parameter value corresponding to the first account to obtain the corresponding illegal request URL;
  • Step S12022 Determine the illegal request URL as the corresponding comparison test request URL.
  • Illegal request URL refers to a request URL sent when an account pretends to be another account and tries to request permission content of another account.
  • based on the return message that the system under test sends in response to the comparison test request, the server can determine whether the system under test recognized the comparison test request as an illegal request, and thus whether the system under test has a horizontal over-permission vulnerability in the configuration of the corresponding account operation authority.
  • the first account sends a series of legal request URLs to the system under test, which, expressed in natural language, are for example: "My userID is 02, my password is xxx, I want to log in to the account", "I want to delete the address information with addressID 34", "My userID is 02, I want to change the avatar"... From this it can be determined that the parameter value of the identification parameter "userID" of the first account is "02" and the parameter value of the identification parameter "addressID" is "34".
  • the parameter value of the identification parameter "userID" of the second account is "03", and the parameter value of the identification parameter "addressID" is "57".
  • the legal request URL that the second account should send to the system under test is: "I want to view the personal information of the user whose userID is 03."
  • the comparison test request for the second account should then be: "I want to view the personal information of the user whose userID is 02."
  • the legal request URL that the second account should send to the system under test is: "I want to change the address information with addressID 57", and the corresponding comparison test request should be: "I want to change the address information with addressID 34".
  • step S130 based on the corresponding comparison test request result, it is determined whether there is a horizontal override vulnerability.
  • from the corresponding comparison test request result, the server can determine whether the system under test checked the authority of the sender of the comparison test request, and thereby whether the corresponding account operation authority has a horizontal over-permission vulnerability.
  • determining whether there is a horizontal over-permission vulnerability based on the corresponding comparison test request result includes: for each account operation authority, if the corresponding comparison test request result, that is, the corresponding return message, confirms the comparison test request, determining that the account operation authority has a horizontal over-permission vulnerability.
  • the parameter value of the identification parameter "userID" of the first account is "02"
  • the parameter value of the identification parameter "userID" of the second account is "03".
  • the comparison test request sent by the second account is: "I want to view the personal information of the user with userID 02." If the system under test has a safe and complete permission configuration for the account operation authority "View Personal Information", it will verify, from its session table or another reliable verification method, whether the userID of the second account is indeed "02". On verification, the system under test will find that the second account does not have the authority to view the personal information of the account whose userID is "02", reject the comparison test request of the second account, and return a message rejecting the comparison test request.
  • if the configuration is not safe and complete, the system under test will not verify whether the userID of the second account is indeed "02", but will directly confirm the comparison test request of the second account and return the personal information of the first account. Therefore, by inspecting the content of the comparison test request result, it is determined whether the system under test has a horizontal over-permission vulnerability in the configuration of the corresponding account operation authority.
  • the method includes: sending the information of the account operation authority with the horizontal overreach vulnerability to the management terminal. That is, after it is determined that there is a horizontal overreach vulnerability in an account operation authority, the information that the account operation authority has a horizontal overreach vulnerability is sent to the management terminal.
  • a device for automatically testing for horizontal unauthorized vulnerabilities which specifically includes:
  • the creation module 210 is configured to create a first account and a second account with the same account operation authority list, and the account operation authority list displays all account operation authority owned by the corresponding account;
  • the reference test request module 220 is configured to use the first account to make a reference test request for the operation authority of each account to obtain a corresponding reference test request URL;
  • the comparison test request module 230 is configured to use the second account to perform a comparison test request for each account operation authority based on the reference test request URL, and obtain a corresponding comparison test request result;
  • the determining module 240 is configured to determine whether there is a horizontal over-permission vulnerability based on the corresponding comparison test request result.
  • although the above detailed description mentions several modules or units of the device for action execution, this division is not mandatory.
  • the features and functions of two or more modules or units described above may be embodied in one module or unit.
  • the features and functions of a module or unit described above can be further divided into multiple modules or units to be embodied.
  • the exemplary embodiments described herein can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, USB flash drive, removable hard disk, etc.) or on the network, and includes several instructions that make a computing device (which may be a personal computer, a server, a mobile terminal, a network device, etc.) execute the method according to the embodiments of the present disclosure.
  • Fig. 6 shows a system architecture diagram for automatic testing of horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure.
  • the system architecture includes: a system to be tested 310, a database 320, a first virtual client 330, and a second virtual client 340.
  • the first virtual client 330 uses the first account to perform the test operation
  • the second virtual client 340 uses the second account to perform the test operation.
  • the first virtual client 330 sends a reference test request URL to the system under test 310
  • the database 320 sends the stored reference test request URL to the second virtual client 340
  • the second virtual client 340, using the received reference test request URL as a reference, sends a comparison test request to the system under test 310 and receives the comparison test request result returned by the system under test 310.
  • an electronic device capable of implementing the above method is also provided.
  • the electronic device 400 according to this embodiment of the present application will be described below with reference to FIG. 7.
  • the electronic device 400 shown in FIG. 7 is only an example, and should not bring any limitation to the function and scope of use of the embodiments of the present application.
  • the electronic device 400 takes the form of a general-purpose computing device.
  • the components of the electronic device 400 may include but are not limited to: the aforementioned at least one processing unit 410, the aforementioned at least one storage unit 420, and a bus 430 connecting different system components (including the storage unit 420 and the processing unit 410).
  • the storage unit stores program code, and the program code can be executed by the processing unit 410, so that the processing unit 410 executes the steps of the various exemplary embodiments described in the "Exemplary Method" section of this specification.
  • the processing unit 410 may perform step S100 as shown in FIG.
  • Step S110 Use the first account to make a reference test request for each of the account operation permissions to obtain the corresponding reference test request URL
  • Step S120 Based on the reference test request URL, use the second account to perform a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result
  • Step S130 Based on the corresponding comparison test request result, it is determined whether there is a horizontal override vulnerability.
  • the storage unit 420 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 4201 and/or a cache storage unit 4202, and may further include a read-only storage unit (ROM) 4203.
  • the storage unit 420 may also include a program/utility tool 4204 having a set of (at least one) program module 4205.
  • program module 4205 includes but is not limited to: an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
  • the bus 430 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of a variety of bus structures.
  • the electronic device 400 can also communicate with one or more external devices 500 (such as keyboards, pointing devices, Bluetooth devices, etc.), with one or more devices that enable a user to interact with the electronic device 400, and/or with any device (such as a router, modem, etc.) that enables the electronic device 400 to communicate with one or more other computing devices. This communication can be performed through an input/output (I/O) interface 450.
  • the electronic device 400 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN), and/or a public network, such as the Internet) through the network adapter 460.
  • the network adapter 460 communicates with other modules of the electronic device 400 through the bus 430. It should be understood that, although not shown in the figure, other hardware and/or software modules can be used in conjunction with the electronic device 400, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, etc.
  • the exemplary embodiments described herein can be implemented by software, or by combining software with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, USB flash drive, removable hard disk, etc.) or on the network, and includes several instructions that make a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) execute the method according to the embodiments of the present disclosure.
  • each aspect of the present application can also be implemented in the form of a program product, which includes program code.
  • when the program product runs on a terminal device, the program code is used to make the terminal device execute the steps according to the various exemplary embodiments of the present application described in the above-mentioned "Exemplary Method" section of this specification.
  • a program product 600 for implementing the above method according to an embodiment of the present application is described. It can take the form of a portable compact disk read-only memory (CD-ROM) that includes program code, and can be run on a terminal device, for example on a personal computer.
  • the program product of this application is not limited to this.
  • the readable storage medium can be any tangible medium that contains or stores a program, and the program can be used by or combined with an instruction execution system, device, or device.
  • the program product can use any combination of one or more readable media.
  • the readable medium may be a readable signal medium or a readable storage medium.
  • the readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • the computer-readable signal medium may include a data signal propagated in baseband or as a part of a carrier wave, and readable program code is carried therein. This propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing.
  • the readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium may send, propagate, or transmit a program for use by or in combination with the instruction execution system, apparatus, or device.
  • the program code contained on the readable medium can be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the foregoing.
  • the program code used to perform the operations of this application can be written in any combination of one or more programming languages.
  • the programming languages include object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages.
  • the program code can be executed entirely on the user's computing device, partly on the user's device, as an independent software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
  • the remote computing device can be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computing device (for example, through the Internet using an Internet service provider).

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed are a method for automatically testing horizontal over-permission vulnerabilities and a related device, relating to the field of comparison testing. The method comprises: creating a first account and a second account with the same account operation permission list, wherein the account operation permission list shows all account operation permissions owned by a corresponding account (S100); using the first account to execute a reference test request for each of the account operation permissions, so as to obtain a corresponding reference test request URL (S110); based on the reference test request URL, using the second account to execute a contrast test request for each of the account operation permissions, so as to obtain a corresponding contrast test request result (S120); and based on the corresponding contrast test request result, determining whether there are horizontal over-permission vulnerabilities (S130). The method improves the efficiency for testing horizontal unauthorized vulnerabilities.

Description

Method for automatically testing horizontal over-permission vulnerabilities and related device
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on March 14, 2019, application number 201910195290.2, titled "Method for automatically testing horizontal over-permission vulnerabilities and related device", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of comparison testing, and in particular to a method for automatically testing horizontal over-permission vulnerabilities and a related device.
Background
A well-architected system with secure rules should, for every request it receives, first determine the permissions of the user who sent the request and only then provide the corresponding service. In practice, however, because of oversights by the engineers who built the system, for certain permissions the system does not check the permissions of the user sending a request that targets that permission, but serves the requesting user directly. As a result, a user who does not hold that permission can still exercise it; that is, an over-permission occurs on that permission. One kind of over-permission is horizontal over-permission: the attacker and the victim belong to the same permission group, and each should only be able to operate on the content of their own account, but the attacker modifies their own identity identifier in the request sent to the system to the victim's identity identifier and thereby succeeds in operating on content within the victim's permissions. For example, user A changes the identity identifier in a request sent to the system to user B's identity identifier and thereby succeeds in changing user B's password; this situation is horizontal over-permission.
In the prior art, testing for horizontal over-permission vulnerabilities is performed manually by testers based on their own experience. This process is prone to human omissions and human error, and its efficiency is low.
Summary of the invention
On this basis, in order to solve the technical problem in the related art of how to test automatically and more efficiently for horizontal over-permission vulnerabilities at the technical level, this application provides a method for automatically testing horizontal over-permission vulnerabilities and a related device.
In a first aspect, a method for automatically testing horizontal over-permission vulnerabilities is provided, comprising:
creating a first account and a second account having the same account operation permission list, where the account operation permission list shows all account operation permissions owned by the corresponding account;
using the first account, executing a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
based on the reference test request URL, using the second account, executing a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
based on the corresponding comparison test request result, determining whether a horizontal over-permission vulnerability exists.
According to a second aspect of the present disclosure, a device for automatically testing horizontal over-permission vulnerabilities is provided, comprising:
a creation module, configured to create a first account and a second account having the same account operation permission list, where the account operation permission list shows all account operation permissions owned by the corresponding account;
a reference test request module, configured to use the first account to execute a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
a comparison test request module, configured to use the second account, based on the reference test request URL, to execute a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
a determination module, configured to determine, based on the corresponding comparison test request result, whether a horizontal over-permission vulnerability exists.
According to a third aspect of the present disclosure, an electronic device for automatically testing horizontal over-permission vulnerabilities is provided, comprising:
a memory, configured to store executable instructions;
a processor, configured to execute the executable instructions stored in the memory so as to implement the method described above.
According to a fourth aspect of the present disclosure, a computer-readable storage medium is provided, which stores computer program instructions; when the computer instructions are executed by a computer, they cause the computer to execute the method described above. Optionally, the computer-readable storage medium may be a non-volatile computer-readable storage medium.
Compared with the traditional technique, in which testing for horizontal over-permission vulnerabilities is carried out manually by testers, the embodiments of the present disclosure automatically create a first account and a second account and use the second account to test the account operation permissions, which improves the efficiency of testing for horizontal over-permission vulnerabilities.
Brief description of the drawings
Fig. 1 shows a flowchart of automatically testing horizontal over-permission vulnerabilities according to an exemplary embodiment of the present disclosure.
Fig. 2 shows a block diagram of a device for automatically testing horizontal over-permission vulnerabilities according to an exemplary embodiment of the present disclosure.
Fig. 3 shows a detailed flowchart of creating a first account and a second account having the same account operation permission list according to an exemplary embodiment of the present disclosure.
Fig. 4 shows a detailed flowchart of, based on the reference test request URL, using the second account to execute a comparison test request for each of the account operation permissions and obtaining a corresponding comparison test request result, according to an exemplary embodiment of the present disclosure.
Fig. 5 shows a detailed flowchart of determining, for each of the account operation permissions, the corresponding comparison test request URL based on the identification parameter values corresponding to the first account, according to an exemplary embodiment of the present disclosure.
Fig. 6 shows a system architecture diagram for automatically testing horizontal over-permission vulnerabilities according to an exemplary embodiment of the present disclosure.
Fig. 7 shows a diagram of an electronic device for automatically testing horizontal over-permission vulnerabilities according to an exemplary embodiment of the present disclosure.
Fig. 8 shows a diagram of a computer-readable storage medium for automatically testing horizontal over-permission vulnerabilities according to an exemplary embodiment of the present disclosure.
Detailed description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings.
Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The purpose of the present disclosure is to test automatically for horizontal over-permission vulnerabilities at the technical level and to improve testing efficiency. A method for automatically testing horizontal over-permission vulnerabilities according to an embodiment of the present disclosure comprises: creating a first account and a second account having the same account operation permission list, where the account operation permission list shows all account operation permissions owned by the corresponding account; using the first account, executing a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL; based on the reference test request URL, using the second account, executing a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result; and based on the corresponding comparison test request result, determining whether a horizontal over-permission vulnerability exists. Compared with the traditional technique, in which testing for horizontal over-permission vulnerabilities is carried out manually by testers, the embodiments of the present disclosure automatically create a first account and a second account and use the second account to test the account operation permissions, which improves the efficiency of testing for horizontal over-permission vulnerabilities.
Fig. 1 shows a flowchart of automatically testing horizontal over-permission vulnerabilities according to an exemplary embodiment of the present disclosure:
Step S100: create a first account and a second account having the same account operation permission list, where the account operation permission list shows all account operation permissions owned by the corresponding account;
Step S110: using the first account, execute a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
Step S120: based on the reference test request URL, using the second account, execute a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
Step S130: based on the corresponding comparison test request result, determine whether a horizontal over-permission vulnerability exists.
Each of the above steps of automatically testing horizontal over-permission vulnerabilities in this exemplary embodiment is explained and described in detail below with reference to the accompanying drawings.
In step S100, a first account and a second account having the same account operation permission list are created, where the account operation permission list shows all account operation permissions owned by the corresponding account.
In this way, the first account and the second account have equal standing with respect to every account operation permission, so that the test for horizontal over-permission vulnerabilities can proceed.
In an embodiment, as shown in Fig. 3, step S100 comprises:
Step S1001: create the first account;
Step S1002: create the second account;
Step S1003: assign all account operation permissions in the aggregated account operation permission list to the first account and the second account.
In an embodiment, the first account and the second account are created first. In order to test as many account operation permissions as possible for horizontal over-permission vulnerabilities, the aggregated account operation permissions are opened to the first account and the second account, so that the server can check every account operation permission in the aggregated account operation permissions for horizontal over-permission vulnerabilities.
In step S110, the first account is used to execute a reference test request for each of the account operation permissions, and the corresponding reference test request URL is obtained.
The reference test request URL refers to the request URL sent by the first account to the system under test for the account operation permission to be tested.
By having the first account execute the reference test request, the second account can refer to the reference test request URL, so that the account operation permission can then be checked for horizontal over-permission vulnerabilities.
In an embodiment, using the first account to execute a reference test request for each of the account operation permissions comprises: for each of the account operation permissions, using the first account to send the corresponding legitimate request URL, and determining that legitimate request URL to be the corresponding reference test request URL.
A legitimate request URL refers to the request URL sent by an account when, under its own identity, it requests content within its own permissions.
In step S120, based on the reference test request URL, the second account is used to execute a comparison test request for each of the account operation permissions, and the corresponding comparison test request result is obtained.
The comparison test request URL refers to the request URL sent by the second account to the system under test with reference to the reference test request URL.
The comparison test request result refers to the corresponding response message returned by the system under test in response to the comparison test request.
Executing the comparison test request through the second account makes it possible to judge, according to the content of the corresponding comparison test request, whether the corresponding account operation permission has a horizontal over-permission vulnerability.
In an embodiment, as shown in Fig. 4, step S120 comprises:
Step S1201: from the reference test request URL sent by the first account, determine each identification parameter in the reference test request URL and the identification parameter values corresponding to the first account;
Step S1202: for each of the account operation permissions, determine the corresponding comparison test request URL based on the identification parameter values corresponding to the first account;
Step S1203: for each of the account operation permissions, use the second account to send the corresponding comparison test request URL, and determine the corresponding returned message to be the corresponding comparison test request result.
An identification parameter refers to a parameter preset by the system under test that identifies the identity of each account, or one of its attributes, through a unique parameter value; for example, "userID" corresponds to the identity identifier of the account's user, and "addressID" corresponds to the address identifier of the account's user.
In this way, the second account can use the identification parameter values of the first account to masquerade as the first account, and thereby attempt to operate on content within the first account's account operation permissions.
In an embodiment, as shown in Fig. 5, step S1202 comprises:
Step S12021: for each of the account operation permissions, replace the identification parameter values in the legitimate request URL corresponding to the second account with the identification parameter values corresponding to the first account, to obtain the corresponding illegitimate request URL;
Step S12022: determine the illegitimate request URL to be the corresponding comparison test request URL.
An illegitimate request URL refers to the request URL sent when an account masquerades as another account and attempts to request content within the other account's permissions.
By having the second account execute the comparison test request, the server can judge from the message returned by the system under test for the comparison test request whether the system under test recognized the comparison test request as an illegitimate request, and thereby determine whether the system under test has a horizontal over-permission vulnerability in the configuration of the corresponding account operation permission.
In an embodiment, the first account sends a series of legitimate request URLs to the system under test; expressed in natural language here, for example: "My userID is 02, my password is xxx, I want to log in to the account", "I want to delete the address information with addressID 34", "My userID is 02, I want to change my avatar" ... From these it can be determined that the first account's value for the identification parameter "userID" is "02" and its value for the identification parameter "addressID" is "34".
Meanwhile, the second account's value for the identification parameter "userID" is "03" and its value for the identification parameter "addressID" is "57". Then, for the account operation permission "view personal information", the legitimate request URL the second account should send to the system under test is: "I want to view the personal information of the user whose userID is 03." To test whether the account operation permission "view personal information" has a horizontal over-permission vulnerability, the comparison test request the second account must execute should be: "I want to view the personal information of the user whose userID is 02." Likewise, for the account operation permission "change delivery address", the legitimate request URL the second account should send to the system under test is: "I want to change the address information with addressID 57", and the corresponding comparison test request should be: "I want to change the address information with addressID 34".
In step S130, based on the corresponding comparison test request result, it is determined whether a horizontal over-permission vulnerability exists.
By judging the content of the message returned by the system under test for the comparison test request, the server can determine whether the system under test performed a permission check on the sender of the comparison test request, and thereby determine whether a horizontal over-permission vulnerability exists on the corresponding account operation permission.
In an embodiment, determining, based on the corresponding comparison test request result, whether a horizontal over-permission vulnerability exists comprises: for each of the account operation permissions, if the returned message corresponding to the comparison test request result confirms the comparison test request, determining that a horizontal over-permission vulnerability exists on that account operation permission.
For example: the first account's value for the identification parameter "userID" is "02", and the second account's value for the identification parameter "userID" is "03". For the account operation permission "view personal information", the comparison test request sent by the second account is: "I want to view the personal information of the user whose userID is 02." If the system under test's configuration of the account operation permission "view personal information" is secure and complete, the system under test will verify, against its session table or another reliable verification method, whether the second account's userID really is "02"; once it has verified this, the system under test will find that the second account has no permission to view the personal information of the account whose userID is "02", will reject the second account's comparison test request, and will return a message rejecting the comparison test request.
If the system under test has a horizontal over-permission vulnerability in the configuration of the account operation permission "view personal information", the system under test will not verify whether the second account's userID really is "02", but will directly confirm the second account's comparison test request and return the personal information of the corresponding first account. Therefore, by inspecting the content of the comparison test request result, it is determined whether the system under test has a horizontal over-permission vulnerability in the configuration of the corresponding account operation permission.
In an embodiment, after determining, based on the corresponding comparison test request result, whether a horizontal over-permission vulnerability exists, the method comprises: sending information about the account operation permission on which a horizontal over-permission vulnerability exists to the management terminal. That is, after it is determined that a horizontal over-permission vulnerability exists on an account operation permission, information that the account operation permission has a horizontal over-permission vulnerability is sent to the management terminal.
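As an added example that is not code from the patent, the following Python carries steps S100 to S130 through end to end against a constructed in-memory stand-in for the system under test, using the page's userID/addressID values ("02"/"34" for the first account, "03"/"57" for the second). The endpoint paths, the Account and SystemUnderTest classes and the `vulnerable` switch are assumptions; the hardened branch shows the session-bound check described under S130, and the harness also confirms the second account's own legitimate request succeeds so a broken endpoint is not mistaken for a secure one.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Identification parameters preset by the (constructed) system under test (S1201).
ID_PARAMS = {"userID", "addressID"}


@dataclass
class Account:
    user_id: str
    address_id: str
    permissions: list  # the account operation permission list (S100)


@dataclass
class SystemUnderTest:
    """Constructed stand-in for the system under test (assumption, not a real API).

    `vulnerable=True` reproduces the flaw: handlers trust the identifier in the
    URL.  `vulnerable=False` is the hardened form: the identity bound to the
    session decides whether the request is confirmed.
    """
    vulnerable: bool
    users: dict = field(default_factory=dict)      # userID -> profile record
    addresses: dict = field(default_factory=dict)  # addressID -> owner userID

    def handle(self, url: str, session_user: str) -> dict:
        parts = urlsplit(url)
        q = dict(parse_qsl(parts.query))
        if parts.path == "/profile":
            owner = q.get("userID")
        elif parts.path == "/address/update":
            owner = self.addresses.get(q.get("addressID"))
        else:
            return {"status": 404}
        # Hardened check: the resource owner must match the session identity.
        if not self.vulnerable and owner != session_user:
            return {"status": 403, "error": "forbidden"}
        if parts.path == "/profile":
            return {"status": 200, "profile": self.users.get(owner)}
        return {"status": 200, "updated": q.get("addressID")}  # update accepted


def legitimate_url(account: Account, permission: str) -> str:
    """Legitimate request URL: the account requests its own content (S110)."""
    if permission == "view_profile":
        return "/profile?" + urlencode({"userID": account.user_id})
    if permission == "change_address":
        return "/address/update?" + urlencode(
            {"addressID": account.address_id, "city": "Shenzhen"})
    raise ValueError(f"unknown permission {permission}")


def extract_id_values(reference_url: str) -> dict:
    """S1201: identification parameter values carried by the reference URL."""
    q = dict(parse_qsl(urlsplit(reference_url).query))
    return {k: v for k, v in q.items() if k in ID_PARAMS}


def comparison_url(second_legit_url: str, first_id_values: dict) -> str:
    """S12021/S12022: swap the second account's identifiers for the first's."""
    parts = urlsplit(second_legit_url)
    q = [(k, first_id_values.get(k, v) if k in ID_PARAMS else v)
         for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def run_test(sut: SystemUnderTest, first: Account, second: Account) -> list:
    """S100-S130: returns the permissions on which over-permission was found."""
    if first.permissions != second.permissions:
        raise ValueError("S100 requires identical permission lists")
    findings = []
    for perm in first.permissions:
        ref_url = legitimate_url(first, perm)                 # S110
        sut.handle(ref_url, session_user=first.user_id)
        own = sut.handle(legitimate_url(second, perm), session_user=second.user_id)
        if own["status"] != 200:  # endpoint broken: a rejection proves nothing
            raise RuntimeError(f"{perm}: second account's own request failed")
        cmp_url = comparison_url(legitimate_url(second, perm),
                                 extract_id_values(ref_url))  # S1202
        result = sut.handle(cmp_url, session_user=second.user_id)  # S1203
        if result["status"] == 200:                           # S130: confirmed
            findings.append(perm)
    return findings


def build_fixture(vulnerable: bool):
    """Constructed accounts and data using the page's identifier values."""
    perms = ["view_profile", "change_address"]  # aggregated list (S1003)
    first, second = Account("02", "34", perms), Account("03", "57", perms)
    sut = SystemUnderTest(vulnerable=vulnerable,
                          users={"02": {"name": "first"}, "03": {"name": "second"}},
                          addresses={"34": "02", "57": "03"})
    return sut, first, second


if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable" if flag else "hardened", run_test(*build_fixture(flag)))
```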
In an embodiment, as shown in Fig. 2, a device for automatically testing horizontal over-permission vulnerabilities is provided, which specifically comprises:
a creation module 210, configured to create a first account and a second account having the same account operation permission list, where the account operation permission list shows all account operation permissions owned by the corresponding account;
a reference test request module 220, configured to use the first account to execute a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
a comparison test request module 230, configured to use the second account, based on the reference test request URL, to execute a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
a determination module 240, configured to determine, based on the corresponding comparison test request result, whether a horizontal over-permission vulnerability exists.
For the implementation of the functions and roles of each module in the above device, refer to the implementation of the corresponding steps in the above method for automatically testing horizontal over-permission vulnerabilities, which is not repeated here.
It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.
In addition, although the steps of the method of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, several steps may be merged into one step, and/or one step may be split into several steps, and so on.
From the description of the embodiments above, those skilled in the art will readily understand that the exemplary embodiments described here may be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.) or on a network, and which comprises several instructions for causing a computing device (which may be a personal computer, a server, a mobile terminal, a network device, etc.) to execute the method according to the embodiments of the present disclosure.
图6示出根据本公开一示例实施方式的针对水平越权漏洞自动进行测试的系统架构图。该系统架构包括:待测试系统310、数据库320、第一虚拟客户端330、第二虚拟客户端340。其中,第一虚拟客户端330使用第一账号进行测试操作,第二虚拟客户端340使用第二账号进行测试操作。Fig. 6 shows a system architecture diagram for automatic testing of horizontal unauthorized vulnerabilities according to an exemplary embodiment of the present disclosure. The system architecture includes: a system to be tested 310, a database 320, a first virtual client 330, and a second virtual client 340. Among them, the first virtual client 330 uses the first account to perform the test operation, and the second virtual client 340 uses the second account to perform the test operation.
在一实施例中,第一虚拟客户端330向待测试系统310发送参考测试请求URL,数据库320将存储的所述参考测试请求URL发送给第二虚拟客户端340,第二虚拟客户端340将接收到的所述参考测试请求URL作为参考,对待测试系统310进行对照测试请求,并接收由待测试系统310返回的对照测试请求结果。In an embodiment, the first virtual client 330 sends a reference test request URL to the system under test 310, the database 320 sends the stored reference test request URL to the second virtual client 340, and the second virtual client 340 sends The received reference test request URL is used as a reference, the system to be tested 310 performs a comparison test request, and the result of the comparison test request returned by the system to be tested 310 is received.
通过以上对系统架构的描述,本领域的技术人员易于理解,这里描述的系统架构能够实现图2所示的针对水平越权漏洞自动进行测试的装置中各个模块的功能。Through the above description of the system architecture, those skilled in the art can easily understand that the system architecture described here can realize the functions of each module in the device for automatic testing for horizontal unauthorized vulnerabilities as shown in FIG. 2.
在本公开的示例性实施例中,还提供了一种能够实现上述方法的电子设备。In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
所属技术领域的技术人员能够理解,本申请的各个方面可以实现为系统、方法或程序产品。因此,本申请的各个方面可以具体实现为以下形式,即:完全的硬件实施方式、完全的软件实施方式(包括固件、微代码等),或硬件和软件方面结合的实施方式,这里可以统称为“电路”、“模块”或“系统”。Those skilled in the art can understand that various aspects of the present application can be implemented as a system, method, or program product. Therefore, each aspect of the present application can be specifically implemented in the following forms, namely: complete hardware implementation, complete software implementation (including firmware, microcode, etc.), or a combination of hardware and software implementations, which can be collectively referred to herein as "Circuit", "Module" or "System".
下面参照图7来描述根据本申请的这种实施方式的电子设备400。图7显示的电子设备400仅仅是一个示例,不应对本申请实施例的功能和使用范围带来任何限制。The electronic device 400 according to this embodiment of the present application will be described below with reference to FIG. 7. The electronic device 400 shown in FIG. 7 is only an example, and should not bring any limitation to the function and scope of use of the embodiments of the present application.
如图7所示,电子设备400以通用计算设备的形式表现。电子设备400的组件可以包括但不限于:上述至少一个处理单元410、上述至少一个存储单元420、连接不同系统组件(包括存储单元420和处理单元410)的总线430。As shown in FIG. 7, the electronic device 400 takes the form of a general-purpose computing device. The components of the electronic device 400 may include but are not limited to: the aforementioned at least one processing unit 410, the aforementioned at least one storage unit 420, and a bus 430 connecting different system components (including the storage unit 420 and the processing unit 410).
其中,所述存储单元存储有程序代码,所述程序代码可以被所述处理单元410执行,使得所述处理单元410执行本说明书上述“示例性方法”部分中描述的根据本申请各种示例性实施方式的步骤。例如,所述处理单元410可以执行如图1中所示步骤S100:创建具有相同账号操作权限列表的第一账号和第二账号,所述账号操作权限列表显示了对应的账号拥有的所有账号操作权限;步骤S110:使用所述第一账号,对各所述账号操作权限进行参考测试请求,得到对应的参考测试请求URL;步骤S120:基于所述参考测试请求URL,使用所述第二账号,对各所述账号操作权限进行对照测试请求,得到对应的对照测试请求结果;步骤S130:基于所述对应的对照测试请求结果,确定是否存在水平越权漏洞。Wherein, the storage unit stores program code, and the program code can be executed by the processing unit 410, so that the processing unit 410 executes the various exemplary methods described in the "Exemplary Method" section of this specification. Implementation steps. For example, the processing unit 410 may perform step S100 as shown in FIG. 1: create a first account and a second account with the same account operation authority list, the account operation authority list displays all account operations owned by the corresponding account Step S110: Use the first account to make a reference test request for each of the account operation permissions to obtain the corresponding reference test request URL; Step S120: Use the second account based on the reference test request URL, A comparison test request is performed on each of the account operation permissions to obtain a corresponding comparison test request result; Step S130: Based on the corresponding comparison test request result, it is determined whether there is a horizontal override vulnerability.
The storage unit 420 may include readable media in the form of volatile storage, such as a random access memory (RAM) 4201 and/or a cache 4202, and may further include a read-only memory (ROM) 4203.
The storage unit 420 may also include a program/utility 4204 having a set of (at least one) program modules 4205. Such program modules 4205 include, but are not limited to, an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a networking environment.
The bus 430 may represent one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 400 may also communicate with one or more external devices 500 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 400, and/or with any device (such as a router, a modem, etc.) that enables the electronic device 400 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 450. The electronic device 400 may also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 460. As shown in the figure, the network adapter 460 communicates with the other modules of the electronic device 400 through the bus 430. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device 400, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
From the description of the embodiments above, those skilled in the art will readily understand that the exemplary embodiments described here may be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.) or on a network, and which includes a number of instructions that cause a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium is also provided, on which is stored a program product capable of implementing the method described above in this specification. In some possible implementations, the various aspects of the present application may also be implemented in the form of a program product comprising program code which, when the program product runs on a terminal device, causes the terminal device to carry out the steps of the various exemplary embodiments of the present application described in the "Exemplary Method" section above.
Referring to FIG. 8, a program product 600 for implementing the above method according to an embodiment of the present application is described; it may take the form of a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. However, the program product of the present application is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in conjunction with, an instruction execution system, apparatus or device.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in conjunction with, an instruction execution system, apparatus or device.
Program code contained on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for carrying out the operations of the present application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
The processing shown in the drawings above does not indicate or limit the time sequence of these processes. It is also readily understood that these processes may, for example, be executed synchronously or asynchronously in multiple modules.
This application is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the technical field not disclosed in the present disclosure.

Claims (20)

  1. A method for automatically testing for horizontal over-permission vulnerabilities, characterized in that it comprises:
    creating a first account and a second account having the same account operation permission list, the account operation permission list showing all account operation permissions held by the corresponding account;
    using the first account, issuing a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
    based on the reference test request URL, using the second account, issuing a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
    based on the corresponding comparison test request result, determining whether a horizontal over-permission vulnerability exists.
  2. The method according to claim 1, characterized in that creating the first account and the second account having the same account operation permission list comprises:
    creating the first account;
    creating the second account;
    assigning all account operation permissions in an aggregate account operation permission list to the first account and the second account.
  3. The method according to claim 1, characterized in that using the first account to issue a reference test request for each of the account operation permissions to obtain the corresponding reference test request URL comprises:
    for each of the account operation permissions, sending the corresponding legitimate request URL using the first account, and taking the legitimate request URL as the corresponding reference test request URL.
  4. The method according to claim 1, characterized in that, based on the reference test request URL, using the second account to issue a comparison test request for each of the account operation permissions to obtain the corresponding comparison test request result comprises:
    from the reference test request URL sent by the first account, determining each identifier parameter in the reference test request URL and the identifier parameter value corresponding to the first account;
    for each of the account operation permissions, determining the corresponding comparison test request URL based on the identifier parameter value corresponding to the first account;
    for each of the account operation permissions, sending the corresponding comparison test request URL using the second account, and taking the corresponding response message as the corresponding comparison test request result.
  5. The method according to claim 4, characterized in that, for each of the account operation permissions, determining the corresponding comparison test request URL based on the identifier parameter value corresponding to the first account comprises:
    for each of the account operation permissions, replacing the identifier parameter value in the legitimate request URL corresponding to the second account with the identifier parameter value corresponding to the first account, to obtain the corresponding illegitimate request URL;
    taking the illegitimate request URL as the corresponding comparison test request URL.
  6. The method according to claim 1, characterized in that, based on the corresponding comparison test request result, determining whether a horizontal over-permission vulnerability exists comprises:
    for each of the account operation permissions, if the comparison test request is confirmed in the corresponding comparison test request result, that is, in the corresponding response message, determining that a horizontal over-permission vulnerability exists for that account operation permission.
  7. The method according to claim 1, characterized in that, after determining whether a horizontal over-permission vulnerability exists based on the corresponding comparison test request result, the method comprises:
    sending information on the account operation permissions for which a horizontal over-permission vulnerability exists to a management terminal.
  8. An apparatus for automatically testing for horizontal over-permission vulnerabilities, characterized in that it comprises:
    a creation module, configured to create a first account and a second account having the same account operation permission list, the account operation permission list showing all account operation permissions held by the corresponding account;
    a reference test request module, configured to use the first account to issue a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
    a comparison test request module, configured to, based on the reference test request URL, use the second account to issue a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
    a determination module, configured to determine, based on the corresponding comparison test request result, whether a horizontal over-permission vulnerability exists.
  9. The apparatus according to claim 8, characterized in that the creation module is specifically configured to:
    create the first account;
    create the second account;
    assign all account operation permissions in an aggregate account operation permission list to the first account and the second account.
  10. The apparatus according to claim 8, characterized in that the reference test request module is specifically configured to:
    for each of the account operation permissions, send the corresponding legitimate request URL using the first account, and take the legitimate request URL as the corresponding reference test request URL.
  11. The apparatus according to claim 8, characterized in that the comparison test request module is specifically configured to:
    from the reference test request URL sent by the first account, determine each identifier parameter in the reference test request URL and the identifier parameter value corresponding to the first account;
    for each of the account operation permissions, determine the corresponding comparison test request URL based on the identifier parameter value corresponding to the first account;
    for each of the account operation permissions, send the corresponding comparison test request URL using the second account, and take the corresponding response message as the corresponding comparison test request result.
  12. The apparatus according to claim 11, characterized in that, when determining for each of the account operation permissions the corresponding comparison test request URL based on the identifier parameter value corresponding to the first account, the comparison test request module is specifically configured to:
    for each of the account operation permissions, replace the identifier parameter value in the legitimate request URL corresponding to the second account with the identifier parameter value corresponding to the first account, to obtain the corresponding illegitimate request URL;
    take the illegitimate request URL as the corresponding comparison test request URL.
  13. The apparatus according to claim 8, characterized in that the determination module is specifically configured to:
    for each of the account operation permissions, if the comparison test request is confirmed in the corresponding comparison test request result, that is, in the corresponding response message, determine that a horizontal over-permission vulnerability exists for that account operation permission.
  14. The apparatus according to claim 8, characterized in that
    the determination module is further configured to, after determining whether a horizontal over-permission vulnerability exists based on the corresponding comparison test request result, send information on the account operation permissions for which a horizontal over-permission vulnerability exists to a management terminal.
  15. An electronic device for automatically testing for horizontal over-permission vulnerabilities, characterized in that it comprises:
    a memory, configured to store executable instructions;
    a processor, configured to execute the executable instructions stored in the memory so as to implement the following steps:
    creating a first account and a second account having the same account operation permission list, the account operation permission list showing all account operation permissions held by the corresponding account;
    using the first account, issuing a reference test request for each of the account operation permissions to obtain a corresponding reference test request URL;
    based on the reference test request URL, using the second account, issuing a comparison test request for each of the account operation permissions to obtain a corresponding comparison test request result;
    based on the corresponding comparison test request result, determining whether a horizontal over-permission vulnerability exists.
  16. The electronic device according to claim 15, characterized in that, when executing the creating of the first account and the second account having the same account operation permission list, the processor specifically executes the following steps:
    creating the first account;
    creating the second account;
    assigning all account operation permissions in an aggregate account operation permission list to the first account and the second account.
  17. The electronic device according to claim 15, characterized in that, when executing the issuing of a comparison test request for each of the account operation permissions using the second account based on the reference test request URL to obtain the corresponding comparison test request result, the processor specifically executes the following steps:
    from the reference test request URL sent by the first account, determining each identifier parameter in the reference test request URL and the identifier parameter value corresponding to the first account;
    for each of the account operation permissions, determining the corresponding comparison test request URL based on the identifier parameter value corresponding to the first account;
    for each of the account operation permissions, sending the corresponding comparison test request URL using the second account, and taking the corresponding response message as the corresponding comparison test request result.
  18. The electronic device according to claim 17, characterized in that, when executing the determining, for each of the account operation permissions, of the corresponding comparison test request URL based on the identifier parameter value corresponding to the first account, the processor specifically executes the following steps:
    for each of the account operation permissions, replacing the identifier parameter value in the legitimate request URL corresponding to the second account with the identifier parameter value corresponding to the first account, to obtain the corresponding illegitimate request URL;
    taking the illegitimate request URL as the corresponding comparison test request URL.
  19. The electronic device according to claim 15, characterized in that, when executing the determining of whether a horizontal over-permission vulnerability exists based on the corresponding comparison test request result, the processor specifically executes the following steps:
    for each of the account operation permissions, if the comparison test request is confirmed in the corresponding comparison test request result, that is, in the corresponding response message, determining that a horizontal over-permission vulnerability exists for that account operation permission.
  20. A computer-readable storage medium, characterized in that it stores computer program instructions which, when executed by a computer, cause the computer to execute the method according to any one of claims 1 to 7.
PCT/CN2019/122940 2019-03-14 2019-12-04 Method for automatically testing horizontal over-permission vulnerabilities and related device WO2020181841A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910195290.2A CN110084044A (en) 2019-03-14 2019-03-14 Method for automatically testing horizontal over-permission vulnerabilities and related device
CN201910195290.2 2019-03-14

Publications (1)

Publication Number Publication Date
WO2020181841A1 true WO2020181841A1 (en) 2020-09-17

Family

ID=67412442

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/122940 WO2020181841A1 (en) 2019-03-14 2019-12-04 Method for automatically testing horizontal over-permission vulnerabilities and related device

Country Status (2)

Country Link
CN (1) CN110084044A (en)
WO (1) WO2020181841A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110084044A (en) * 2019-03-14 2019-08-02 深圳壹账通智能科技有限公司 Method for automatically testing horizontal over-permission vulnerabilities and related device
CN110688659B (en) * 2019-09-10 2020-10-16 深圳开源互联网安全技术有限公司 Method and system for dynamically detecting horizontal override based on IAST test tool
CN110674507A (en) * 2019-09-19 2020-01-10 深圳开源互联网安全技术有限公司 Method and system for detecting web application override
CN111125713B (en) * 2019-12-18 2022-04-08 支付宝(杭州)信息技术有限公司 Method and device for detecting horizontal override vulnerability and electronic equipment
CN111767542A (en) * 2020-02-06 2020-10-13 北京沃东天骏信息技术有限公司 Unauthorized detection method and device
CN111416811B (en) * 2020-03-16 2022-07-22 携程旅游信息技术(上海)有限公司 Unauthorized vulnerability detection method, system, equipment and storage medium
CN113242257A (en) * 2021-05-26 2021-08-10 中国银行股份有限公司 Unauthorized vulnerability detection method, device, equipment and storage medium
CN113949578B (en) * 2021-10-20 2023-11-24 广州名控网络科技有限公司 Automatic detection method and device for unauthorized loopholes based on flow and computer equipment
CN116502202A (en) * 2023-06-25 2023-07-28 深圳开源互联网安全技术有限公司 Method and device for judging consistency of user permission model based on NLP technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060271491A1 (en) * 2005-05-26 2006-11-30 International Business Machines Corporation Apparatus and method for a software catalog having proxy entries
CN108696490A (en) * 2017-04-11 2018-10-23 腾讯科技(深圳)有限公司 The recognition methods of account permission and device
CN109302388A (en) * 2018-09-19 2019-02-01 平安科技(深圳)有限公司 Access authority filter method, system, computer equipment and storage medium
CN109902022A (en) * 2019-03-14 2019-06-18 深圳壹账通智能科技有限公司 Method for automatically testing vertical over-permission vulnerabilities and related device
CN110084044A (en) * 2019-03-14 2019-08-02 深圳壹账通智能科技有限公司 Method for automatically testing horizontal over-permission vulnerabilities and related device

Also Published As

Publication number Publication date
CN110084044A (en) 2019-08-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19919378

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19.01.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 19919378

Country of ref document: EP

Kind code of ref document: A1