WO2022143145A1 - Over-permission loophole detection method and apparatus - Google Patents


Info

Publication number: WO2022143145A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2021/137814
Inventors: 王伟, 张超, 司琛芝
Original assignees (applicants): 北京沃东天骏信息技术有限公司, 北京京东世纪贸易有限公司

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F21/604 Tools and structures for managing or administering access control systems (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)

Definitions

  • The present disclosure relates to the field of network security, and in particular to a method and apparatus for detecting over-permission (unauthorized access) vulnerabilities.
  • An over-permission vulnerability generally arises when data or resources are used beyond the user's authority.
  • In some related techniques, over-permission vulnerabilities are found by manual code review. Manual detection is inefficient and is limited by the skill of the reviewer.
  • In other related techniques, an over-permission vulnerability is detected by simulating whether a low-privileged user (such as an ordinary user) can access a URL (Uniform Resource Locator) of a high-privileged user (such as an administrator). Users with different permissions and different URLs must be preset, and the returned results must be compared case by case, so generality is poor.
  • The purpose of the embodiments of the present disclosure is to propose a universal over-permission vulnerability detection scheme capable of automatic detection.
  • An embodiment of the present disclosure proposes a method for detecting an over-permission vulnerability, including: capturing an access request of a web application; collecting the database access information involved in the access request; capturing the access response corresponding to the access request; judging whether the access request, the access response and the database access information include preset sensitive information, to obtain a first judgment result; judging whether the data access process of the access request matches a preset compliance model, to obtain a second judgment result; and determining, according to the first and second judgment results, whether an over-permission vulnerability exists.
  • In some embodiments, capturing the access request of the web application includes: acquiring the object of the access request, creating an instance of the access request based on that object, and setting the address of the instance to the address of the detector for over-permission vulnerability detection, so that the instance is forwarded to the detector.
  • In some embodiments, collecting the database access information involved in the access request includes: recording, based on hook technology, the details of the database operation commands, the code execution context and the return values involved in the access request; and recording database metadata information based on a modified database connection function, where the modified connection function inserts a database metadata query command after the original database connection operation.
  • In some embodiments, capturing the access response corresponding to the access request includes: identifying and acquiring the access response corresponding to the access request through a key-value pair identifier added to the header of the access request and to the header of the access response; acquiring the object of the access response, creating an instance of the access response based on that object, and setting the address of the instance to the address of the detector.
  • In some embodiments, judging whether the access request, the access response and the database access information include preset sensitive information includes: associating the parameter list of the access request, the access response and the database access information with database metadata information; and matching the associated database metadata information against the preset sensitive information. If it matches, sensitive information is determined to be included and the parameters associated with the matching database metadata information are output; if it does not match, sensitive information is determined not to be included.
  • In some embodiments, judging whether the data access process of the access request matches the preset compliance model includes: judging whether the data access process conforms to the standard access process, and to the standard parameters that the standard access process should involve, as constrained by the compliance model. If both conform, the process matches; if either does not, it does not match.
  • In some embodiments, determining whether an over-permission vulnerability exists includes: if sensitive information is included and the compliance model is not matched, determining that an over-permission vulnerability exists; if sensitive information is not included and the compliance model is matched, determining that no over-permission vulnerability exists; otherwise (sensitive information is included, or the compliance model is not matched, but not both), determining that there is a risk of an over-permission vulnerability.
  • In some embodiments, the database connection function is modified through the insertAfter operation of the hookMethod method.
  • Some embodiments of the present disclosure provide an over-permission vulnerability detection method in which a proxy set in the web application system captures the access request of the web application, collects the database access information involved in the access request and captures the access response corresponding to the access request, and a detector for over-permission vulnerability detection judges whether the access request, the access response and the database access information include preset sensitive information to obtain a first judgment result, judges whether the data access process of the access request matches the preset compliance model to obtain a second judgment result, and determines from the two results whether an over-permission vulnerability exists.
  • Some embodiments of the present disclosure provide an apparatus for detecting an over-permission vulnerability, including:
  • a proxy set in the web application system, configured to capture the access request of the web application, collect the database access information involved in the access request, and capture the access response corresponding to the access request; and
  • a detector for over-permission vulnerability detection, configured to judge whether the access request, the access response and the database access information include preset sensitive information, obtaining a first judgment result; judge whether the data access process of the access request matches the preset compliance model, obtaining a second judgment result; and determine, according to the first and second judgment results, whether an over-permission vulnerability exists.
  • In some embodiments, the proxy is configured to:
  • capture the access request by acquiring the object of the access request, creating an instance of the access request based on that object, and setting the address of the instance to the address of the detector;
  • collect the database access information by recording, based on hook technology, the database operation command details, code execution context and return value details involved in the access request, and by recording database metadata information based on the modified database connection function, which inserts a database metadata query command after the original database connection operation;
  • capture the access response by identifying and acquiring the access response corresponding to the access request through the key-value pair identifier added to the header of the access request and to the header of the access response, acquiring the object of the access response, creating an instance of the access response based on that object, and setting the address of the instance to the address of the detector.
  • In some embodiments, the detector is configured to:
  • obtain the first judgment result by associating the parameter list of the access request, the access response and the database access information with database metadata information and matching the associated database metadata information against the preset sensitive information; if it matches, sensitive information is included and the parameters associated with the matching database metadata information are output; if it does not match, sensitive information is not included;
  • obtain the second judgment result by judging whether the data access process of the access request conforms to the standard access process and to the standard parameters that the standard access process should involve, as constrained by the compliance model; if both conform it matches, and if either does not it does not match;
  • determine whether an over-permission vulnerability exists as follows: if sensitive information is included and the compliance model is not matched, a vulnerability exists; if sensitive information is not included and the compliance model is matched, no vulnerability exists; otherwise (sensitive information is included, or the compliance model is not matched, but not both), there is a risk of a vulnerability.
  • Some embodiments of the present disclosure provide an over-permission vulnerability detection apparatus, including a memory and a processor coupled to the memory, the processor being configured to execute the over-permission vulnerability detection method of any one of the embodiments based on instructions stored in the memory.
  • Some embodiments of the present disclosure provide a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of the over-permission vulnerability detection method of any one of the embodiments.
  • The embodiments of the present disclosure automatically capture and collect the relevant access information during the web application access process, and determine whether there is an over-permission vulnerability in that process according to whether the access information includes sensitive information and whether the access process matches the compliance model. A universal over-permission vulnerability detection scheme capable of automatic detection is thereby realized.
  • FIG. 1 shows a schematic diagram of a deployment solution for unauthorized vulnerability detection according to some embodiments of the present disclosure.
  • FIG. 2 shows a schematic flowchart of an unauthorized vulnerability detection method according to some embodiments of the present disclosure.
  • FIG. 3 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to some embodiments of the present disclosure.
  • FIG. 4 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to other embodiments of the present disclosure.
  • As shown in FIG. 1, a web (World Wide Web) application system contains web applications that users can access.
  • The web application system uses IAM (Identity and Access Management) to identify users and control their access, and provides the corresponding data or resources through a database.
  • A hook function is set in the proxy. Using the hook function, the proxy automatically captures (hooks) and collects the relevant access information while a user accesses a web application in the system, and forwards it to the detector.
  • The detector determines whether there is an over-permission vulnerability in the access process of the web application according to whether the access information includes sensitive information and whether the access process matches the compliance model.
  • A universal over-permission vulnerability detection scheme capable of automatic detection is thereby realized.
  • A console may also be provided. Through the console, administrators control the detection task, for example by setting the number of access users for concurrent detection and by selecting the applications to be checked; they can also view the detection results there.
  • FIG. 2 shows a schematic flowchart of an unauthorized vulnerability detection method according to some embodiments of the present disclosure.
  • The over-permission vulnerability detection method includes steps 210 to 260.
  • The method is performed by, for example, an over-permission vulnerability detection apparatus, where steps 210 to 230 may be executed by a proxy set in the web application system and steps 240 to 260 by the detector for over-permission vulnerability detection.
  • In step 210, the access request of the web application is captured.
  • The proxy obtains the object of the access request through the hook function, creates an instance of the access request based on that object, and sets the address of the instance to the address of the detector, so that the instance is forwarded to the detector.
  • The methods related to the access request are generally located in a specified package, such as org/apache/catalina/.
  • The hook function hooks the request-related methods in that package, such as onInputStreamRead and ApplicationFilterChain.
  • In step 220, the database access information involved in the access request is collected.
  • Based on hook technology, the proxy records the database access information involved in the access request, such as the details of the database operation commands, the code execution context (caller, call parameters, etc.) and the details of the return values; it records database metadata information through the modified database connection function; and it sends the information to the detector.
  • The modified database connection function (such as connection) inserts database metadata query commands (such as show tables) after the original database connection operation and obtains the metadata of the database in use through these commands. For example, the connection function is modified through the insertAfter operation of the hookMethod method of Javassist.
  • The database access methods are generally located in a specified package, such as com/mysql/jdbc.
  • The hook function hooks the database access methods in that package, such as connection, execute, executeQuery, executeUpdate and checkSqlQueryResult.
  • In step 230, the access response corresponding to the access request is captured.
  • A key-value pair identifier is added to the header of the access request and to the header of the access response, and the access request and its corresponding access response are associated through this identifier.
  • The proxy identifies and obtains the access response corresponding to the access request through the key-value pair identifier, obtains the object of the access response, creates an instance of the access response based on that object, and sets the address of the instance to the address of the detector, so that the instance is forwarded to the detector.
  • The methods related to the access response are generally located in a specified package, such as org/apache/catalina/.
  • The hook function hooks the response-related methods in that package, such as OutputBuffer, sendRedirect and sendError.
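The three proxy steps above (210, 220, 230), as an added example that is not the patent's code or the applicant's implementation. The patent instruments Tomcat (org/apache/catalina) and the MySQL JDBC driver with Javassist; this Python analogue performs the same three captures by wrapping a request handler and the sqlite3 connection function, so it runs offline. The header name X-Overauth-Trace, the orders table, the order_detail handler and the request it serves are all constructed for the example.

```python
import os
import sqlite3
import tempfile
import traceback
import uuid

TRACE_HEADER = "X-Overauth-Trace"  # assumed name of the key-value pair identifier

# Records the proxy forwards to the detector, keyed by the trace identifier.
captured = {}
_current = {"trace_id": None}  # identifier of the request being served right now


def _record(trace_id):
    return captured.setdefault(trace_id, {
        "request": None, "response": None, "db_metadata": {}, "db_ops": []})


def hooked_connect(database):
    """Modified connection function (step 220): after the original connect, run
    the metadata query (sqlite analogue of 'show tables') and record every
    table with its column names; this is what insertAfter achieves in Javassist."""
    conn = sqlite3.connect(database)
    metadata = {}
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    for (name,) in tables.fetchall():
        metadata[name] = [col[1] for col in conn.execute(f'PRAGMA table_info("{name}")')]
    if _current["trace_id"]:
        _record(_current["trace_id"])["db_metadata"] = metadata
    return HookedConnection(conn)


class HookedConnection:
    """Hook on the execute path: records the command, its parameters, the calling
    function (execution context) and the returned rows for the current request."""

    def __init__(self, conn):
        self._conn = conn

    def execute(self, sql, params=()):
        rows = self._conn.execute(sql, params).fetchall()
        caller = traceback.extract_stack(limit=2)[0].name  # frame that called execute
        if _current["trace_id"]:
            _record(_current["trace_id"])["db_ops"].append(
                {"sql": sql, "params": list(params), "caller": caller, "rows": rows})
        return rows

    def close(self):
        self._conn.close()


def capture(handler):
    """Proxy around a request handler (steps 210 and 230): records an instance of
    the request, tags request and response headers with the same identifier so
    the response can be matched to its request, and records the response."""
    def wrapped(request):
        trace_id = request["headers"].setdefault(TRACE_HEADER, uuid.uuid4().hex)
        _current["trace_id"] = trace_id
        record = _record(trace_id)
        record["request"] = {k: v for k, v in request.items() if k != "db"}
        try:
            response = handler(request)
        finally:
            _current["trace_id"] = None
        response.setdefault("headers", {})[TRACE_HEADER] = trace_id
        record["response"] = response
        return response
    return wrapped


@capture
def order_detail(request):
    """Constructed application handler: looks an order up by id only, with no
    binding to the requesting user (the kind of access the detector flags)."""
    conn = hooked_connect(request["db"])
    rows = conn.execute("SELECT id, phone FROM orders WHERE id = ?",
                        (request["params"]["id"],))
    conn.close()
    return {"status": 200, "body": rows}


def demo():
    """Serve one constructed request and return the record the detector receives."""
    db = os.path.join(tempfile.mkdtemp(), "shop.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE orders (id INTEGER, user_id INTEGER, phone TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, 10, "13800000001"), (2, 11, "13800000002")])
    conn.commit()
    conn.close()
    # User 11 asks for order 1, which belongs to user 10.
    request = {"method": "GET", "path": "/order/detail", "user": 11,
               "params": {"id": "1"}, "headers": {}, "db": db}
    response = order_detail(request)
    return captured[response["headers"][TRACE_HEADER]]


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The record returned by demo() carries everything the detector needs in one place: the request instance (including the identifier header), the table metadata captured right after connect, the executed statement with its bound parameters, the name of the function that issued it, the rows it returned, and the response tagged with the same identifier. In a real deployment the identifier has to be generated by the proxy before the application sees the request and copied into the response before it is flushed, otherwise concurrent requests cannot be told apart.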
  • Steps 240 and 250 may be performed in parallel, or step 240 first and then step 250, or step 250 first and then step 240.
  • In step 240, it is judged whether the access request, the access response and the database access information include preset sensitive information, and a first judgment result is obtained.
  • Sensitive information includes, but is not limited to, mobile phone numbers, ID numbers, detailed addresses, order numbers and courier (tracking) numbers.
  • In step 250, it is judged whether the data access process of the access request matches the preset compliance model, and a second judgment result is obtained.
  • The compliance model constrains the standard access process for each kind of access request and the standard parameters that the standard access process should involve. For example, the data query function of a certain page of an application involves a query on a certain table in the database; the model then specifies the data operation statement corresponding to that operation and whether it carries a qualification tied to the user identity (usually reflected in the WHERE clause of the SQL statement).
  • In step 260, it is determined whether an over-permission vulnerability exists according to the first judgment result and the second judgment result.
  • If sensitive information is included and the compliance model is not matched, an over-permission vulnerability exists; if sensitive information is not included and the compliance model is matched, no over-permission vulnerability exists; otherwise (sensitive information is included, or the compliance model is not matched, but not both), there is a risk of an over-permission vulnerability, which can be examined further in combination with other methods (such as manual review or other automatic over-permission detection methods).
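The detector side (steps 240 to 260), as an added example that is not the patent's code or the applicant's implementation. It works on a capture record of the shape an instrumentation proxy would forward (request parameters, table metadata, executed statements with bound parameters, response body). The sensitive column list, the compliance model for the /order/detail path, the identity column user_id and the three constructed records are assumptions for this example; the WHERE-clause parsing is a deliberately small regular-expression heuristic, not a SQL parser.

```python
import re

# Preset sensitive information (step 240), expressed as the database columns
# that hold it; these column names are assumptions for the example.
SENSITIVE_COLUMNS = {"phone", "id_number", "address", "order_no", "tracking_no"}

# Assumed compliance model (step 250): for each access path, the table the
# standard access process queries, the column that must bind the query to the
# requesting user's identity in the WHERE clause, and the standard parameters.
COMPLIANCE_MODEL = {
    "/order/detail": {"table": "orders", "identity_column": "user_id",
                      "standard_params": {"id"}},
}


def where_bindings(sql, params):
    """Return {column: value} for every 'column = ?' or 'column = literal' term in
    the WHERE clause, resolving '?' placeholders positionally."""
    m = re.search(r"\bWHERE\b(.*)", sql, re.I | re.S)
    if not m:
        return {}
    remaining = list(params)[sql[:m.start()].count("?"):]  # skip placeholders before WHERE
    bound = {}
    for column, value in re.findall(r"(\w+)\s*=\s*(\?|'[^']*'|\d+)", m.group(1)):
        if value == "?":
            value = remaining.pop(0) if remaining else None
        else:
            value = value.strip("'")
        bound[column] = value
    return bound


def sensitive_hits(record):
    """First judgment (step 240): map the parameter list of request, response and
    database operations onto database metadata (column names) and match the
    associated columns against the preset sensitive information."""
    known = {c for columns in record["db_metadata"].values() for c in columns}
    names = set(record["request"]["params"])
    for row in record["response"]["body"]:
        names |= set(row)
    for op in record["db_ops"]:
        names |= set(where_bindings(op["sql"], op["params"]))
        selected = re.match(r"\s*SELECT\s+(.*?)\s+FROM\b", op["sql"], re.I | re.S)
        if selected:
            names |= {c.strip() for c in selected.group(1).split(",")}
    return sorted(names & known & SENSITIVE_COLUMNS)


def compliance_match(record):
    """Second judgment (step 250): the access must follow the standard process (a
    query on the expected table whose WHERE clause binds the identity column to
    the requesting user) with exactly the standard parameters. Failing any one
    item fails the whole check."""
    model = COMPLIANCE_MODEL.get(record["request"]["path"])
    if model is None or not record["db_ops"]:
        return False
    if set(record["request"]["params"]) != model["standard_params"]:
        return False
    user = str(record["request"]["user"])
    for op in record["db_ops"]:
        table = re.search(r"\bFROM\s+(\w+)", op["sql"], re.I)
        if not table or table.group(1).lower() != model["table"]:
            return False
        bound = where_bindings(op["sql"], op["params"])
        if str(bound.get(model["identity_column"])) != user:
            return False
    return True


def decide(record):
    """Step 260: combine the two judgments into the three outcomes of the patent."""
    hits = sensitive_hits(record)
    compliant = compliance_match(record)
    if hits and not compliant:
        return "vulnerability", hits
    if not hits and compliant:
        return "no vulnerability", hits
    return "risk", hits  # exactly one condition holds: hand over for further checks


def make_record(user, sql, params, body):
    """Constructed capture record for a GET /order/detail request; in the
    constructed data order 1 belongs to user 10 and order 2 to user 11."""
    return {
        "request": {"path": "/order/detail", "user": user, "params": {"id": params[0]}},
        "db_metadata": {"orders": ["id", "user_id", "phone", "status"]},
        "db_ops": [{"sql": sql, "params": list(params)}],
        "response": {"status": 200, "body": body},
    }


# User 11 reads order 1 by id alone: sensitive column returned, no identity binding.
VULNERABLE = make_record(11, "SELECT id, phone FROM orders WHERE id = ?", ["1"],
                         [{"id": 1, "phone": "13800000001"}])
# Query bound to the requester, but a sensitive column is still returned.
RISK = make_record(11, "SELECT id, phone FROM orders WHERE id = ? AND user_id = ?",
                   ["2", 11], [{"id": 2, "phone": "13800000002"}])
# Bound query returning nothing sensitive.
CLEAN = make_record(11, "SELECT id, status FROM orders WHERE id = ? AND user_id = ?",
                    ["2", 11], [{"id": 2, "status": "shipped"}])

if __name__ == "__main__":
    for name, rec in [("VULNERABLE", VULNERABLE), ("RISK", RISK), ("CLEAN", CLEAN)]:
        print(name, decide(rec))
```

The three records exercise the decision matrix of step 260: the unbound query that returns a phone number is reported as a vulnerability, the bound query that returns the same column is only a risk, and the bound query that returns no sensitive column is cleared. Matching on the WHERE clause is a heuristic: a query bound through a JOIN, a view or a stored procedure, or an authorization check made in application code before the query runs, would land in the risk bucket rather than being cleared, which is why the patent routes risk cases to further manual or automated checks rather than reporting them as findings.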
  • FIG. 3 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to some embodiments of the present disclosure.
  • The apparatus 300 of this embodiment includes a proxy 310 set in the web application system and a detector 320 for over-permission vulnerability detection.
  • The detector 320 may be implemented, for example, as a plug-in.
  • The proxy 310 is configured to capture the access request of the web application, collect the database access information involved in the access request, and capture the access response corresponding to the access request.
  • The detector 320 is configured to judge whether the access request, the access response and the database access information include preset sensitive information, obtaining a first judgment result; judge whether the data access process of the access request matches the preset compliance model, obtaining a second judgment result; and determine, according to the first and second judgment results, whether an over-permission vulnerability exists.
  • In some embodiments, the proxy 310 is configured to obtain the object of the access request, create an instance of the access request based on that object, and set the address of the instance to the address of the detector.
  • In some embodiments, the proxy 310 is configured to record, based on hook technology, the database operation command details, code execution context and return value details involved in the access request, and to record database metadata information based on the modified database connection function, which inserts a database metadata query command after the original database connection operation.
  • In some embodiments, the proxy 310 is configured to identify and obtain the access response corresponding to the access request through the key-value pair identifier added to the header of the access request and to the header of the access response, obtain the object of the access response, create an instance of the access response based on that object, and set the address of the instance to the address of the detector.
  • In some embodiments, the detector 320 is configured to associate the parameter list of the access request, the access response and the database access information with database metadata information, and to match the associated database metadata information against the preset sensitive information: if it matches, sensitive information is included and the parameters associated with the matching database metadata information are output; if it does not match, sensitive information is not included.
  • In some embodiments, the detector 320 is configured to judge whether the data access process of the access request conforms to the standard access process and to the standard parameters that the standard access process should involve, as constrained by the compliance model; if both conform it matches, and if either does not it does not match.
  • In some embodiments, the detector 320 is configured to determine that an over-permission vulnerability exists if sensitive information is included and the compliance model is not matched; that no vulnerability exists if sensitive information is not included and the compliance model is matched; and that there is a risk of a vulnerability otherwise, i.e. if sensitive information is included, or the compliance model is not matched, but not both.
  • FIG. 4 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to other embodiments of the present disclosure.
  • The apparatus 400 of this embodiment includes a memory 410 and a processor 420 coupled to the memory 410; the processor 420 is configured to execute the over-permission vulnerability detection method of any of the foregoing embodiments based on instructions stored in the memory 410.
  • For example, the processor 420 captures the access request of the web application; collects the database access information involved in the access request; captures the access response corresponding to the access request; judges whether the access request, the access response and the database access information include preset sensitive information, obtaining a first judgment result; judges whether the data access process of the access request matches the preset compliance model, obtaining a second judgment result; and determines, according to the first and second judgment results, whether an over-permission vulnerability exists.
  • the memory 410 may include, for example, a system memory, a fixed non-volatile storage medium, and the like.
  • the system memory stores, for example, an operating system, an application program, a boot loader (Boot Loader), and other programs.
  • the apparatus 400 may also include an input-output interface 430, a network interface 440, a storage interface 450, and the like. These interfaces 430 , 440 , 450 and the memory 410 and the processor 420 can be connected, for example, through a bus 460 .
  • the input and output interface 430 provides a connection interface for input and output devices such as a display, a mouse, a keyboard, and a touch screen.
  • Network interface 440 provides a connection interface for various networked devices.
  • the storage interface 450 provides a connection interface for external storage devices such as SD cards and U disks.
  • An embodiment of the present disclosure provides a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of an over-permission vulnerability detection method.
  • Embodiments of the present disclosure may be provided as a method, system or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more non-transitory computer-readable storage media (including but not limited to disk storage, CD-ROM and optical storage) having computer program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in that memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.


Abstract

An over-permission loophole detection method and apparatus, which relate to the field of network security. The method comprises: capturing an access request of a web application; collecting database access information involved in the access request; capturing an access response corresponding to the access request; determining whether the access request, the access response and the database access information comprise pre-set sensitive information, so as to obtain a first determination result; determining whether a data access process of the access request matches a pre-set compliance model, so as to obtain a second determination result; and according to the first determination result and the second determination result, determining whether an over-permission loophole is present. During a web application access process, related access information is automatically captured and collected, and whether an over-permission loophole is present during the web application access process is determined according to a determination result indicating whether the access information comprises sensitive information and a determination result indicating whether the access process matches a compliance model, thereby realizing an over-permission loophole detection solution with good universality, by means of which automatic detection can be performed.

Description

越权漏洞检测方法和装置Ultraviolet vulnerability detection method and device
相关申请的交叉引用CROSS-REFERENCE TO RELATED APPLICATIONS
本申请是以CN申请号为202110003407.X,申请日为2021年01月04日的申请为基础,并主张其优先权,该CN申请的公开内容在此作为整体引入本申请中。This application is based on the CN application number 202110003407.X and the filing date is January 4, 2021, and claims its priority, the disclosure content of this CN application is hereby incorporated into this application as a whole.
技术领域technical field
本公开涉及网络安全领域,特别涉及一种越权漏洞检测方法和装置。The present disclosure relates to the field of network security, and in particular, to a method and device for detecting an unauthorized vulnerability.
背景技术Background technique
越权漏洞的发生,一般是对数据或者资源的使用超出用户权限造成的。The occurrence of unauthorized vulnerabilities is generally caused by the use of data or resources beyond the user's authority.
在一些相关技术中,通过人工审查代码的方式检测越权漏洞。但是人工检测效率低,而且受检测人员业务水平的限制。In some related technologies, unauthorized vulnerabilities are detected by manual code review. However, the efficiency of manual detection is low, and it is limited by the professional level of the testing personnel.
在另一些相关技术中,通过模拟低权限用户(如普通用户)是否能访问高权限用户(如管理员)的URL(Uniform Resource Locator,统一资源定位器)检测越权漏洞。需要预设不同权限的用户和不同的URL,并且需要针对请求返回结果进行针对性对比,通用性差。In other related technologies, an unauthorized vulnerability is detected by simulating whether a low-privileged user (such as a common user) can access a URL (Uniform Resource Locator) of a high-privileged user (such as an administrator). Users with different permissions and different URLs need to be preset, and the results of the request need to be compared in a targeted manner, which has poor generality.
在另一些相关技术中,收集所有可访问的页面集以及访问受限的页面集,然后对这些页面进行模拟访问,通过比对模拟访问的结果与这些页面的实际访问权限检测越权漏洞。需要先对页面地址进行分类,并逐一的进行模拟访问,工作量大,通用性差。In other related technologies, all accessible page sets and page sets with limited access are collected, and then simulated access is performed on these pages, and unauthorized vulnerabilities are detected by comparing the simulated access results with the actual access rights of these pages. The page addresses need to be classified first, and simulated access is performed one by one, which requires a lot of work and poor versatility.
发明内容SUMMARY OF THE INVENTION
本公开实施例的目的是提出一种能够自动检测的通用性好的越权漏洞检测方案。The purpose of the embodiments of the present disclosure is to propose a universal unauthorized vulnerability detection scheme capable of automatic detection.
本公开实施例提出一种越权漏洞检测方法,包括:An embodiment of the present disclosure proposes a method for detecting an unauthorized vulnerability, including:
捕获web应用的访问请求;Capture web application access requests;
收集所述访问请求涉及的数据库访问信息;Collect database access information related to the access request;
捕获所述访问请求相应的访问响应;Capture the access response corresponding to the access request;
判断所述访问请求、所述访问响应和所述数据库访问信息中是否包括预设的敏感信息,得到第一判断结果;Judging whether the access request, the access response and the database access information include preset sensitive information to obtain a first judgment result;
判断所述访问请求的数据访问过程是否与预设的合规模型匹配,得到第二判断结 果;Judging whether the data access process of the access request matches the preset compliance model, and obtains the second judgment result;
根据所述第一判断结果和所述第二判断结果,确定是否存在越权漏洞。According to the first judgment result and the second judgment result, it is determined whether there is an unauthorized loophole.
In some embodiments, capturing the access request of the web application comprises:
obtaining the object of the access request and creating an instance of the access request based on that object, wherein the address of the instance of the access request is set to the address of the detector for over-permission vulnerability detection.
In some embodiments, collecting the database access information involved in the access request comprises:
recording, by means of hooks, the details of the database operation commands involved in the access request, the code execution context and the details of the return values;
recording database metadata information by means of a modified database connection function, wherein the modified database connection function inserts a database metadata query command after the original database connection operation.
In some embodiments, capturing the access response corresponding to the access request comprises:
identifying and obtaining the access response corresponding to the access request through a key-value pair identifier added to the header of the access request and to the header of the access response;
obtaining the object of the access response and creating an instance of the access response based on that object, wherein the address of the instance of the access response is set to the address of the detector for over-permission vulnerability detection.
In some embodiments, judging whether the access request, the access response and the database access information contain preset sensitive information comprises:
associating the parameter lists of the access request, the access response and the database access information with database metadata information;
matching the associated database metadata information against the preset sensitive information; if it matches, judging that sensitive information is contained and outputting the parameters associated with the database metadata information that matched the preset sensitive information; if it does not match, judging that no sensitive information is contained.
In some embodiments, judging whether the data access process of the access request matches the preset compliance model comprises:
judging whether the data access process of the access request conforms to the standard access flow constrained by the compliance model and to the standard parameters that the standard access flow should involve;
if both conform, judging that the data access process of the access request matches the compliance model; if either does not conform, judging that the data access process of the access request does not match the compliance model.
In some embodiments, determining, according to the first judgment result and the second judgment result, whether an over-permission vulnerability exists comprises:
if preset sensitive information is contained and the preset compliance model is not matched, determining that an over-permission vulnerability exists;
if no preset sensitive information is contained and the preset compliance model is matched, determining that no over-permission vulnerability exists;
if only one of the two conditions holds, that is, preset sensitive information is contained but the compliance model is matched, or no sensitive information is contained but the compliance model is not matched, determining that there is a risk of an over-permission vulnerability.
In some embodiments, the database connection function is modified through the insertAfter operation of the hookMethod method.
In some embodiments, an agent deployed in the web application system performs: capturing the access request of the web application; collecting the database access information involved in the access request; capturing the access response corresponding to the access request; and the detector for over-permission vulnerability detection performs: judging whether the access request, the access response and the database access information contain preset sensitive information, to obtain a first judgment result; judging whether the data access process of the access request matches the preset compliance model, to obtain a second judgment result; determining, according to the first judgment result and the second judgment result, whether an over-permission vulnerability exists.
Some embodiments of the present disclosure propose an over-permission vulnerability detection apparatus, comprising:
an agent deployed in the web application system, configured to capture the access request of the web application; collect the database access information involved in the access request; and capture the access response corresponding to the access request;
a detector for over-permission vulnerability detection, configured to judge whether the access request, the access response and the database access information contain preset sensitive information, to obtain a first judgment result; judge whether the data access process of the access request matches the preset compliance model, to obtain a second judgment result; and determine, according to the first judgment result and the second judgment result, whether an over-permission vulnerability exists.
In some embodiments, the agent is configured to:
for capturing the access request of the web application: obtain the object of the access request and create an instance of the access request based on that object, the address of the instance of the access request being set to the address of the detector for over-permission vulnerability detection;
or, for collecting the database access information involved in the access request: record, by means of hooks, the details of the database operation commands involved in the access request, the code execution context and the details of the return values, and record database metadata information by means of a modified database connection function, wherein the modified database connection function inserts a database metadata query command after the original database connection operation;
or, for capturing the access response corresponding to the access request: identify and obtain the access response corresponding to the access request through a key-value pair identifier added to the header of the access request and to the header of the access response, obtain the object of the access response and create an instance of the access response based on that object, the address of the instance of the access response being set to the address of the detector for over-permission vulnerability detection.
In some embodiments, the detector is configured to:
for obtaining the first judgment result: associate the parameter lists of the access request, the access response and the database access information with database metadata information, and match the associated database metadata information against the preset sensitive information; if it matches, judge that sensitive information is contained and output the parameters associated with the database metadata information that matched the preset sensitive information; if it does not match, judge that no sensitive information is contained;
or, for obtaining the second judgment result: judge whether the data access process of the access request conforms to the standard access flow constrained by the compliance model and to the standard parameters that the standard access flow should involve; if both conform, judge that it matches; if either does not conform, judge that it does not match;
or, for determining whether an over-permission vulnerability exists: if preset sensitive information is contained and the preset compliance model is not matched, determine that an over-permission vulnerability exists; if no preset sensitive information is contained and the preset compliance model is matched, determine that no over-permission vulnerability exists; if only one of the two conditions holds (sensitive information contained but the model matched, or no sensitive information but the model not matched), determine that there is a risk of an over-permission vulnerability.
Some embodiments of the present disclosure propose an over-permission vulnerability detection apparatus, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute the over-permission vulnerability detection method of any one of the embodiments based on instructions stored in the memory.
Some embodiments of the present disclosure propose a non-transitory computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the steps of the over-permission vulnerability detection method of any one of the embodiments.
During the access of a web application, the embodiments of the present disclosure automatically capture and collect the relevant access information and determine whether the access process has an over-permission vulnerability from two judgments: whether the access information contains sensitive information, and whether the access process matches the compliance model. This yields an over-permission vulnerability detection scheme that detects automatically and generalizes well.
BRIEF DESCRIPTION OF THE DRAWINGS
The drawings needed for the description of the embodiments or of the related art are briefly introduced below. The present disclosure can be understood more clearly from the following detailed description with reference to the drawings.
Obviously, the drawings described below show only some embodiments of the present disclosure; a person of ordinary skill in the art can derive other drawings from them without inventive effort.
FIG. 1 shows a schematic diagram of a deployment scheme for over-permission vulnerability detection according to some embodiments of the present disclosure.
FIG. 2 shows a schematic flowchart of an over-permission vulnerability detection method according to some embodiments of the present disclosure.
FIG. 3 is a schematic structural diagram of an over-permission vulnerability detection apparatus according to some embodiments of the present disclosure.
FIG. 4 is a schematic structural diagram of an over-permission vulnerability detection apparatus according to other embodiments of the present disclosure.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present disclosure are described clearly and completely below with reference to the drawings of the embodiments.
Unless otherwise specified, terms such as "first" and "second" in the present disclosure serve to distinguish different objects and do not imply size, order or timing.
FIG. 1 shows a schematic diagram of a deployment scheme for over-permission vulnerability detection according to some embodiments of the present disclosure.
As shown in FIG. 1, a web (World Wide Web) application system hosts web applications that users can access. While a user accesses a web application, the web application system identifies the user and authorizes the access through IAM (Identity and Access Management); once authorization passes, the corresponding data or resources are served from the database. An agent is deployed inside the web application system, and a detector for over-permission vulnerability detection is deployed outside it. The agent contains hook functions. Using these hooks, the agent automatically captures and collects the relevant access information while users access the web applications of the system, and forwards it to the detector. The detector determines whether the access process has an over-permission vulnerability from two judgments: whether the access information contains sensitive information, and whether the access process matches the compliance model. This yields an over-permission vulnerability detection scheme that detects automatically and generalizes well.
In addition, a console can be provided through which an administrator controls the detection tasks, for example setting the number of users inspected concurrently or restricting detection to particular applications, and views the detection results.
FIG. 2 shows a schematic flowchart of an over-permission vulnerability detection method according to some embodiments of the present disclosure.
As shown in FIG. 2, the over-permission vulnerability detection method comprises steps 210-260. The method is performed, for example, by an over-permission vulnerability detection apparatus, in which steps 210-230 can be performed by the agent deployed in the web application system and steps 240-260 by the detector for over-permission vulnerability detection.
In step 210, the access request of the web application is captured.
Through a hook function, the agent obtains the access request object, creates an instance of the access request from that object, and sets the address of the instance to the address of the detector, so that the instance of the access request is forwarded to the detector.
The methods relevant to access requests usually live under a fixed package path, such as org/apache/catalina/ (the Tomcat servlet container). The hook function picks the request-related methods up from that path, such as onInputStreamRead and ApplicationFilterChain.
In step 220, the database access information involved in the access request is collected.
By means of hooks, the agent records database access information such as the details of the database operation commands involved in the access request, the code execution context (caller, call arguments, and so on) and the details of the return values; it records database metadata information by means of a modified database connection function; and it sends all of this to the detector. The modified database connection function (such as connection) inserts database metadata query commands (such as show tables) after the original database connection operation, and obtains the metadata of the database being operated on through these commands. For example, the database connection function is modified through the insertAfter operation of the hookMethod method of Javassist (a Java bytecode manipulation library). Note that such a query runs once per new connection, so it adds a round trip each time the application opens one.
The methods relevant to database access usually live under a fixed package path, such as com/mysql/jdbc (the MySQL Connector/J driver). The hook function collects the various kinds of database access information from that path, through methods such as connection, execute, executeQuery, executeUpdate and checkSqlQueryResult.
In step 230, the access response corresponding to the access request is captured.
A key-value pair identifier is added to the header of the access request and to the header of the access response; the identifier ties each access request to its corresponding access response.
Through the key-value pair identifier added to the request header and the response header, the agent identifies and obtains the access response corresponding to the access request, obtains the access response object, creates an instance of the access response from that object, and sets the address of the instance to the address of the detector, so that the instance of the access response is forwarded to the detector.
The methods relevant to access responses usually live under a fixed package path, such as org/apache/catalina/. The hook function picks the response-related methods up from that path, such as OutputBuffer, sendRedirect and sendError.
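The three agent-side steps above (210-230) as an added, runnable Python analog. This is not the patent's code, which is a Java agent that uses Javassist to hook Tomcat and the MySQL JDBC driver; here sqlite3 from the standard library stands in for the database, a wrapper around sqlite3.connect plays the role of the modified connection function (original connect, then the metadata query inserted after it), a wrapper around execute records the command, the calling context and the returned rows, and requests are paired with responses through an added header. The header name X-Detect-Id, the record layout, the table schema and the sample requests and responses are all constructed for this example.

```python
import inspect
import os
import sqlite3
import tempfile

# Name of the key-value pair the agent adds to both request and response
# headers so the two can be paired (assumed name; the patent does not give one).
CORRELATION_HEADER = "X-Detect-Id"


class AccessRecorder:
    """Collects what the agent forwards to the detector: database metadata
    captured at connect time and one record per executed statement."""

    def __init__(self):
        self.metadata = {}    # table name -> list of column names
        self.operations = []  # dicts with sql, params, caller, rows

    def connect(self, path):
        """Modified connection function: run the original connect, then the
        metadata query inserted after it (the page's 'show tables' step)."""
        conn = sqlite3.connect(path)
        tables = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
        for (table,) in tables:
            # table names come from the database's own catalog; quote them anyway
            cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
            self.metadata[table] = [col[1] for col in cols]  # col[1] is the name
        return conn

    def execute(self, conn, sql, params=()):
        """Hooked execute: record the command, the code execution context
        (the caller's function and line) and the returned rows."""
        caller = inspect.stack()[1]
        rows = conn.execute(sql, params).fetchall()
        self.operations.append({
            "sql": sql,
            "params": list(params),
            "caller": f"{caller.function}:{caller.lineno}",
            "rows": rows,
        })
        return rows


def correlate(requests, responses, header=CORRELATION_HEADER):
    """Pair each captured request with its response through the identifier
    present in both headers. Returns (pairs, requests_without_a_response)."""
    by_id = {r["headers"][header]: r for r in responses if header in r["headers"]}
    pairs, unmatched = [], []
    for req in requests:
        resp = by_id.pop(req["headers"].get(header), None)
        if resp is None:
            unmatched.append(req)
        else:
            pairs.append((req, resp))
    return pairs, unmatched


def handle_order(recorder, conn, order_no):
    """A constructed request handler; its query is what the hook records."""
    return recorder.execute(
        conn, "SELECT order_no, tracking_no FROM orders WHERE order_no = ?", (order_no,))


def demo():
    """Set up a constructed schema, serve one request through the hooks and
    return everything the agent would forward to the detector."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    setup = sqlite3.connect(path)  # constructed schema and one sample row
    setup.execute("CREATE TABLE orders (order_no INTEGER, user_id INTEGER, tracking_no TEXT)")
    setup.execute("INSERT INTO orders VALUES (1001, 7, 'SF123456')")
    setup.commit()
    setup.close()

    recorder = AccessRecorder()
    conn = recorder.connect(path)          # metadata is captured here
    rows = handle_order(recorder, conn, 1001)
    conn.close()

    # Constructed captures: one request carries the identifier and has a
    # matching response, the other carries none and stays unmatched.
    requests = [
        {"headers": {CORRELATION_HEADER: "r-1"}, "query": "order_no=1001"},
        {"headers": {}, "query": "page=2"},
    ]
    responses = [
        {"headers": {CORRELATION_HEADER: "r-1"}, "fields": ["order_no", "tracking_no"]},
    ]
    pairs, unmatched = correlate(requests, responses)
    return {"metadata": recorder.metadata, "operations": recorder.operations,
            "rows": rows, "pairs": pairs, "unmatched": unmatched}


if __name__ == "__main__":
    result = demo()
    print(result["metadata"], result["operations"][0]["caller"], len(result["pairs"]))
```

The recorded operation carries the caller's function name and line, which is the "code execution context" the detector later needs to decide which step of the access flow issued a statement; the metadata captured in connect() is what the detector joins parameter names against.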
After step 230, steps 240 and 250 can be performed in parallel, or step 240 first and then step 250, or step 250 first and then step 240.
In step 240, it is judged whether the access request, the access response and the database access information contain preset sensitive information, to obtain a first judgment result.
The parameter lists of the access request, the access response and the database access information are associated with the database metadata information, and the associated metadata is matched against the preset sensitive information. If it matches, the judgment is that sensitive information is contained, and the parameters associated with the matching database metadata are output; if it does not match, the judgment is that no sensitive information is contained.
In the association operation above, the parameter string of the access request or access response is broken into key-value pairs: for example, the parameter string a=1&b=2 of a GET/POST request is first split on "&" and each piece is then split on "=", giving the key-value pairs {"a":"1","b":"2"}. The keys of the pairs are then associated with the database metadata information. Since metadata is data about data, the database metadata associated with a parameter's key makes the parameter's business meaning explicit and simplifies matching against the sensitive information.
Sensitive information includes, for example and without limitation, mobile phone numbers, ID card numbers, detailed addresses, order numbers and courier tracking numbers.
In step 250, it is judged whether the data access process of the access request matches the preset compliance model, to obtain a second judgment result.
The compliance model constrains the standard access flow of each kind of access request and the standard parameters that the standard access flow should involve. For example, when a user uses the data query function of some page of an application, which involves a query on some table of the database, the compliance model is: the identity of the operator must be established first; then it must be established that the user has permission for the operation; then the data operation statement corresponding to the operation must be checked for a restricting condition tied to the user's identity (normally expressed by the WHERE clause of the SQL statement).
In the matching above, it is judged whether the data access process of the access request conforms to the standard access flow constrained by the compliance model and to the standard parameters the standard access flow should involve; if both conform, the judgment is a match, and if either does not conform, the judgment is no match.
In step 260, it is determined, according to the first judgment result and the second judgment result, whether an over-permission vulnerability exists.
If preset sensitive information is contained and the preset compliance model is not matched, an over-permission vulnerability is determined to exist; if no preset sensitive information is contained and the preset compliance model is matched, no over-permission vulnerability is determined to exist; if only one of the two conditions holds (sensitive information contained but the model matched, or no sensitive information but the model not matched), a risk of an over-permission vulnerability is determined, which can be settled further with other methods (such as manual inspection or other automatic over-permission detection methods).
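Steps 240-260 as an added Python illustration of the detector side; it is not the patent's code, and the encodings it chooses are assumptions: the sensitive column names in SENSITIVE_COLUMNS, the constructed metadata, the step labels authenticate/authorize/query for the compliance model's standard flow, and the regular expression used to check that the data operation statement carries an identity-bound WHERE condition. One caveat the page leaves implicit is visible in associate(): a parameter is only resolved when its name coincides with a column name in the recorded metadata, so a parameter named differently from its column passes through unresolved, which is the first thing to check when the detector misses a known leak.

```python
import re
from urllib.parse import parse_qsl

# Preset sensitive information: constructed column names standing for the
# page's examples (mobile phone number, ID number, detailed address, order
# number, courier tracking number).
SENSITIVE_COLUMNS = {"phone", "id_card", "address", "order_no", "tracking_no"}

# Constructed database metadata as the agent records it after connecting.
SAMPLE_METADATA = {
    "users": ["id", "phone", "id_card", "address"],
    "orders": ["order_no", "user_id", "tracking_no", "amount"],
}

# Compliance model (assumed encoding): the standard access flow is a sequence
# of step labels, and the standard parameter is an identity-bound condition in
# the WHERE clause of the data operation statement.
STANDARD_FLOW = ("authenticate", "authorize", "query")
IDENTITY_BINDING = re.compile(r"\bwhere\b.*\buser_id\s*=\s*(\?|:user_id)", re.I | re.S)


def split_params(query):
    """Split 'a=1&b=2' into {'a': '1', 'b': '2'}: the page's split on '&' then '='."""
    return dict(parse_qsl(query, keep_blank_values=True))


def associate(keys, metadata):
    """Map each parameter key to the (table, column) entries whose column name
    equals the key; this is what gives the parameter a business meaning."""
    return {key: [(table, key) for table, cols in metadata.items() if key in cols]
            for key in keys if any(key in cols for cols in metadata.values())}


def check_sensitive(request_query, response_fields, db_columns, metadata,
                    sensitive=SENSITIVE_COLUMNS):
    """First judgment: returns (contains_sensitive, sorted offending parameters)."""
    keys = set(split_params(request_query)) | set(response_fields) | set(db_columns)
    linked = associate(keys, metadata)
    flagged = sorted(key for key, entries in linked.items()
                     if any(col in sensitive for _, col in entries))
    return bool(flagged), flagged


def check_compliance(trace, flow=STANDARD_FLOW, binding=IDENTITY_BINDING):
    """Second judgment: the recorded steps must contain the standard flow in
    order, and every data operation must carry the identity-bound condition."""
    remaining = iter(step for step, _ in trace)
    if not all(any(step == want for step in remaining) for want in flow):
        return False
    statements = [detail for step, detail in trace if step == "query"]
    return bool(statements) and all(binding.search(s) for s in statements)


def decide(contains_sensitive, compliant):
    """Third step: the page's three rules."""
    if contains_sensitive and not compliant:
        return "vulnerability"
    if not contains_sensitive and compliant:
        return "none"
    return "risk"  # exactly one condition holds: hand over for further review


def detect(request_query, response_fields, db_columns, trace, metadata=SAMPLE_METADATA):
    """Run both judgments on one captured access and combine them."""
    contains_sensitive, flagged = check_sensitive(request_query, response_fields,
                                                 db_columns, metadata)
    return decide(contains_sensitive, check_compliance(trace)), flagged


# Constructed traces as the agent would report them: (step label, detail).
LEAKY_TRACE = [
    ("authenticate", "session ok"),
    ("query", "SELECT order_no, tracking_no FROM orders WHERE order_no = ?"),
]
BOUND_TRACE = [
    ("authenticate", "session ok"),
    ("authorize", "orders:read"),
    ("query", "SELECT order_no, tracking_no FROM orders "
              "WHERE order_no = ? AND user_id = ?"),
]

if __name__ == "__main__":
    print(detect("order_no=1001&page=2", ["order_no", "tracking_no"],
                 ["order_no", "tracking_no"], LEAKY_TRACE))
```

LEAKY_TRACE is the horizontal case the page targets: sensitive columns flow back, and the statement selects by order number alone with no authorization step and no identity binding, so the verdict is "vulnerability". BOUND_TRACE returns the same sensitive columns but passes the compliance model, which lands in "risk" rather than "none", matching the page's rule that a sensitive response is never cleared by flow conformance alone.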
FIG. 3 is a schematic structural diagram of an over-permission vulnerability detection apparatus according to some embodiments of the present disclosure.
As shown in FIG. 3, the apparatus 300 of this embodiment comprises an agent 310 deployed in the web application system and a detector 320 for over-permission vulnerability detection. The detector 320 can be implemented, for example, as a plug-in.
The agent 310, deployed in the web application system, is configured to capture the access request of the web application; collect the database access information involved in the access request; and capture the access response corresponding to the access request.
The detector 320 for over-permission vulnerability detection is configured to judge whether the access request, the access response and the database access information contain preset sensitive information, to obtain a first judgment result; judge whether the data access process of the access request matches the preset compliance model, to obtain a second judgment result; and determine, according to the first judgment result and the second judgment result, whether an over-permission vulnerability exists.
In some embodiments, the agent 310 is configured to obtain the object of the access request and create an instance of the access request based on that object, the address of the instance being set to the address of the detector for over-permission vulnerability detection.
In some embodiments, the agent 310 is configured to record, by means of hooks, the details of the database operation commands involved in the access request, the code execution context and the details of the return values, and to record database metadata information by means of a modified database connection function, wherein the modified database connection function inserts a database metadata query command after the original database connection operation.
In some embodiments, the agent 310 is configured to identify and obtain the access response corresponding to the access request through the key-value pair identifier added to the header of the access request and to the header of the access response, obtain the object of the access response, and create an instance of the access response based on that object, the address of the instance being set to the address of the detector for over-permission vulnerability detection.
In some embodiments, the detector 320 is configured to associate the parameter lists of the access request, the access response and the database access information with database metadata information and match the associated database metadata against the preset sensitive information; if it matches, judge that sensitive information is contained and output the parameters associated with the matching database metadata; if it does not match, judge that no sensitive information is contained.
In some embodiments, the detector 320 is configured to judge whether the data access process of the access request conforms to the standard access flow constrained by the compliance model and to the standard parameters the standard access flow should involve; if both conform, judge that it matches; if either does not conform, judge that it does not match.
In some embodiments, the detector 320 is configured to determine that an over-permission vulnerability exists if preset sensitive information is contained and the preset compliance model is not matched; determine that no over-permission vulnerability exists if no preset sensitive information is contained and the preset compliance model is matched; and determine that there is a risk of an over-permission vulnerability if only one of the two conditions holds.
图4为本公开另一些实施例的越权漏洞检测装置的结构示意图。FIG. 4 is a schematic structural diagram of an unauthorized vulnerability detection apparatus according to other embodiments of the present disclosure.
如图4所示,该实施例的装置400包括:存储器410以及耦接至该存储器410的处理器420,处理器420被配置为基于存储在存储器410中的指令,执行前述任意一些实施例中的越权漏洞检测方法。As shown in FIG. 4 , the apparatus 400 of this embodiment includes: a memory 410 and a processor 420 coupled to the memory 410 , the processor 420 is configured to execute any of the foregoing embodiments based on instructions stored in the memory 410 The method of overriding vulnerability detection.
例如,处理器420捕获web应用的访问请求;收集所述访问请求涉及的数据库访问信息;捕获所述访问请求相应的访问响应;判断所述访问请求、所述访问响应和所述数据库访问信息中是否包括预设的敏感信息,得到第一判断结果;判断所述访问请求的数据访问过程是否与预设的合规模型匹配,得到第二判断结果;根据所述第一判断结果和所述第二判断结果,确定是否存在越权漏洞。For example, the processor 420 captures the access request of the web application; collects the database access information involved in the access request; captures the access response corresponding to the access request; determines the access request, the access response and the database access information Whether the preset sensitive information is included, obtain a first judgment result; judge whether the data access process of the access request matches the preset compliance type, and obtain a second judgment result; according to the first judgment result and the first judgment result 2. Judging the results to determine whether there is an unauthorized loophole.
其中,存储器410例如可以包括系统存储器、固定非易失性存储介质等。系统存储器例如存储有操作系统、应用程序、引导装载程序(Boot Loader)以及其他程序等。The memory 410 may include, for example, a system memory, a fixed non-volatile storage medium, and the like. The system memory stores, for example, an operating system, an application program, a boot loader (Boot Loader), and other programs.
装置400还可以包括输入输出接口430、网络接口440、存储接口450等。这些接口430,440,450以及存储器410和处理器420之间例如可以通过总线460连接。其中,输入输出接口430为显示器、鼠标、键盘、触摸屏等输入输出设备提供连接接口。网络接口440为各种联网设备提供连接接口。存储接口450为SD卡、U盘等外置存储设备提供连接接口。The apparatus 400 may also include an input-output interface 430, a network interface 440, a storage interface 450, and the like. These interfaces 430 , 440 , 450 and the memory 410 and the processor 420 can be connected, for example, through a bus 460 . The input and output interface 430 provides a connection interface for input and output devices such as a display, a mouse, a keyboard, and a touch screen. Network interface 440 provides a connection interface for various networked devices. The storage interface 450 provides a connection interface for external storage devices such as SD cards and U disks.
An embodiment of the present disclosure provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the over-permission vulnerability detection method.
Those skilled in the art will appreciate that embodiments of the present disclosure may be provided as a method, a system or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more non-transitory computer-readable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing describes only preferred embodiments of the present disclosure and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present disclosure shall fall within its scope of protection.

Claims (14)

  1. A method for detecting an over-permission vulnerability, comprising:
    capturing an access request of a web application;
    collecting database access information involved in the access request;
    capturing an access response corresponding to the access request;
    determining whether the access request, the access response and the database access information include preset sensitive information, to obtain a first determination result;
    determining whether the data access process of the access request matches a preset compliance model, to obtain a second determination result; and
    determining, according to the first determination result and the second determination result, whether an over-permission vulnerability exists.
  2. The method according to claim 1, wherein capturing the access request of the web application comprises:
    acquiring an object of the access request and creating an instance of the access request based on that object, the address of the instance of the access request being set to the address of a detector that performs over-permission vulnerability detection.
  3. The method according to claim 1, wherein collecting the database access information involved in the access request comprises:
    recording, by hooking, details of the database operation commands involved in the access request, the code execution context and details of the return values; and
    recording database metadata information by means of a modified database connection function, wherein the modified database connection function inserts a database metadata query command after the original database connection operation.
  4. The method according to claim 1, wherein capturing the access response corresponding to the access request comprises:
    identifying and acquiring the access response corresponding to the access request by means of a key-value pair identifier added to the header of the access request and to the header of the access response; and
    acquiring an object of the access response and creating an instance of the access response based on that object, the address of the instance of the access response being set to the address of the detector for over-permission vulnerability detection.
  5. The method according to claim 1, wherein determining whether the access request, the access response and the database access information include preset sensitive information comprises:
    associating the parameter lists of the access request, the access response and the database access information with database metadata information; and
    matching the associated database metadata information against the preset sensitive information; if there is a match, determining that sensitive information is included and outputting the parameters associated with the database metadata information that matched the preset sensitive information; if there is no match, determining that no sensitive information is included.
  6. The method according to claim 1, wherein determining whether the data access process of the access request matches the preset compliance model comprises:
    determining whether the data access process of the access request conforms to the standard access flow constrained by the compliance model and to the standard parameters that the standard access flow should involve; and
    if both are conformed to, determining that the data access process of the access request matches the compliance model; if either is not conformed to, determining that the data access process of the access request does not match the compliance model.
  7. The method according to claim 1, wherein determining, according to the first determination result and the second determination result, whether an over-permission vulnerability exists comprises:
    if preset sensitive information is included and the preset compliance model is not matched, determining that an over-permission vulnerability exists;
    if no preset sensitive information is included and the preset compliance model is matched, determining that no over-permission vulnerability exists;
    if preset sensitive information is included or the preset compliance model is not matched, determining that a risk of an over-permission vulnerability exists.
  8. The method according to claim 3, wherein the database connection function is modified by means of the insertAfter operation of the hookMethod method.
  9. The method according to any one of claims 1-8, wherein:
    capturing the access request of the web application, collecting the database access information involved in the access request and capturing the access response corresponding to the access request are performed by an agent deployed in the web application system; and
    determining whether the access request, the access response and the database access information include preset sensitive information to obtain the first determination result, determining whether the data access process of the access request matches the preset compliance model to obtain the second determination result, and determining, according to the first determination result and the second determination result, whether an over-permission vulnerability exists, are performed by a detector for over-permission vulnerability detection.
  10. An apparatus for detecting an over-permission vulnerability, comprising:
    an agent deployed in the web application system, configured to capture an access request of a web application, collect the database access information involved in the access request, and capture the access response corresponding to the access request; and
    a detector for over-permission vulnerability detection, configured to determine whether the access request, the access response and the database access information include preset sensitive information, to obtain a first determination result; to determine whether the data access process of the access request matches a preset compliance model, to obtain a second determination result; and to determine, according to the first determination result and the second determination result, whether an over-permission vulnerability exists.
  11. The apparatus according to claim 10, wherein the agent is configured such that:
    capturing the access request of the web application comprises acquiring an object of the access request and creating an instance of the access request based on that object, the address of the instance of the access request being set to the address of the detector for over-permission vulnerability detection;
    or collecting the database access information involved in the access request comprises recording, by hooking, details of the database operation commands involved in the access request, the code execution context and details of the return values, and recording database metadata information by means of a modified database connection function, wherein the modified database connection function inserts a database metadata query command after the original database connection operation;
    or capturing the access response corresponding to the access request comprises identifying and acquiring the access response corresponding to the access request by means of a key-value pair identifier added to the header of the access request and to the header of the access response, acquiring an object of the access response and creating an instance of the access response based on that object, the address of the instance of the access response being set to the address of the detector for over-permission vulnerability detection.
  12. The apparatus according to claim 10, wherein the detector is configured such that:
    obtaining the first determination result comprises associating the parameter lists of the access request, the access response and the database access information with database metadata information, and matching the associated database metadata information against the preset sensitive information; if there is a match, determining that sensitive information is included and outputting the parameters associated with the database metadata information that matched the preset sensitive information; if there is no match, determining that no sensitive information is included;
    or obtaining the second determination result comprises determining whether the data access process of the access request conforms to the standard access flow constrained by the compliance model and to the standard parameters that the standard access flow should involve; if both are conformed to, determining a match; if either is not conformed to, determining no match;
    or determining whether an over-permission vulnerability exists comprises: if preset sensitive information is included and the preset compliance model is not matched, determining that an over-permission vulnerability exists; if no preset sensitive information is included and the preset compliance model is matched, determining that no over-permission vulnerability exists; if preset sensitive information is included or the preset compliance model is not matched, determining that a risk of an over-permission vulnerability exists.
  13. An apparatus for detecting an over-permission vulnerability, comprising:
    a memory; and
    a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the over-permission vulnerability detection method according to any one of claims 1-9.
  14. A non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the over-permission vulnerability detection method according to any one of claims 1-9.
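How the agent side of the method (collecting the database access information by hooking, as in claims 3, 8 and 9 above) can be realised, as an added example in Python rather than code from the patent or its applicant. Python's sqlite3 module stands in for the database driver; the connection function is wrapped so that a metadata query runs after the original connection operation (the insertAfter idea), and cursor execution is wrapped to record the command, its parameters, the code execution context and the returned rows. The record layout, the function names, the temporary database and the `orders` schema are all assumptions:

```python
"""Agent side of the over-permission detection method: collecting database access
information by hooking. Added illustration, not code from the patent. Python's
sqlite3 module stands in for the application's database driver."""
import os
import sqlite3
import tempfile
import traceback

RECORDS = []   # one dict per database operation: sql, params, context, rows
METADATA = {}  # table name -> tuple of column names, filled at connect time

class RecordingCursor(sqlite3.Cursor):
    """Cursor that records each command with its calling context and results."""
    def execute(self, sql, parameters=()):
        # Code execution context: function names of the frames above this one.
        context = [f.name for f in traceback.extract_stack()[:-1]]
        RECORDS.append({"sql": sql, "params": parameters, "context": context, "rows": None})
        return super().execute(sql, parameters)

    def fetchall(self):
        rows = super().fetchall()
        if RECORDS and RECORDS[-1]["rows"] is None:
            RECORDS[-1]["rows"] = rows   # return value details for the last command
        return rows

class RecordingConnection(sqlite3.Connection):
    """Connection whose cursors are RecordingCursors; a raw cursor is kept for the
    agent's own metadata queries so they do not pollute the records."""
    def cursor(self, factory=RecordingCursor):
        return super().cursor(factory)

    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)

    def raw_cursor(self):
        return super().cursor()

_original_connect = sqlite3.connect

def hooked_connect(*args, **kwargs):
    """Modified connection function: the original connect, then a metadata query
    inserted after it (the insertAfter idea), recording every table's columns."""
    kwargs.setdefault("factory", RecordingConnection)
    conn = _original_connect(*args, **kwargs)
    cur = conn.raw_cursor()
    for (table,) in cur.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall():
        cols = cur.execute(f'PRAGMA table_info("{table}")').fetchall()
        METADATA[table] = tuple(col[1] for col in cols)   # field 1 of table_info is the column name
    return conn

def install_hook():
    """Replace sqlite3.connect in place, once, so the application is not modified."""
    if sqlite3.connect is not hooked_connect:
        sqlite3.connect = hooked_connect

def lookup_phone(conn, order_id):
    """Constructed application code under observation: scoped by order_id only."""
    return conn.execute("SELECT phone FROM orders WHERE order_id = ?", (order_id,)).fetchall()

def demo():
    """Seed a constructed database, connect through the hook, run one query."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    seed = _original_connect(path)   # schema set-up outside the hook
    seed.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, owner_id INTEGER, phone TEXT)")
    seed.execute("INSERT INTO orders VALUES (42, 7, '13800000000')")
    seed.commit()
    seed.close()
    install_hook()
    conn = sqlite3.connect(path)     # goes through hooked_connect: METADATA is filled here
    rows = lookup_phone(conn, 42)
    conn.close()
    return rows

if __name__ == "__main__":
    print(demo())
    print(METADATA)
    print(RECORDS[-1])
```

After `demo()` the metadata map holds the `orders` columns, and the last record carries the SQL text, the bound parameter `42`, a call context that includes `lookup_phone`, and the returned row; those four items are exactly what the detector needs to associate the `phone` column with the response and to check whether the call path passed through the expected authorisation steps.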
PCT/CN2021/137814 2021-01-04 2021-12-14 Over-permission loophole detection method and apparatus WO2022143145A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110003407.XA CN113779585B (en) 2021-01-04 2021-01-04 Unauthorized vulnerability detection method and device
CN202110003407.X 2021-01-04

Publications (1)

Publication Number Publication Date
WO2022143145A1 true WO2022143145A1 (en) 2022-07-07

Family

ID=78835381

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/137814 WO2022143145A1 (en) 2021-01-04 2021-12-14 Over-permission loophole detection method and apparatus

Country Status (2)

Country Link
CN (1) CN113779585B (en)
WO (1) WO2022143145A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113779585B (en) * 2021-01-04 2024-06-14 北京沃东天骏信息技术有限公司 Unauthorized vulnerability detection method and device
CN113961940B (en) * 2021-12-21 2022-03-25 杭州海康威视数字技术股份有限公司 Override detection method and device based on authority dynamic update mechanism
CN114499960B (en) * 2021-12-24 2024-03-22 深圳开源互联网安全技术有限公司 CSRF vulnerability identification method, device and computer readable storage medium
CN115051824B (en) * 2022-03-30 2024-04-02 杭州默安科技有限公司 Vertical override detection method, system, equipment and storage medium
CN115828256B (en) * 2022-11-04 2023-08-29 杭州孝道科技有限公司 Unauthorized and unauthorized logic vulnerability detection method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107908959A (en) * 2017-11-10 2018-04-13 北京知道创宇信息技术有限公司 Site information detection method, device, electronic equipment and storage medium
US20190205045A1 (en) * 2017-12-29 2019-07-04 Gemalto Sa Method, first device, second device and system for managing access to data
CN111767573A (en) * 2020-06-28 2020-10-13 北京天融信网络安全技术有限公司 Database security management method and device, electronic equipment and readable storage medium
CN113779585A (en) * 2021-01-04 2021-12-10 北京沃东天骏信息技术有限公司 Unauthorized vulnerability detection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241292B (en) * 2016-03-28 2021-01-22 阿里巴巴集团控股有限公司 Vulnerability detection method and device
CN109446819B (en) * 2018-10-30 2020-12-22 北京知道创宇信息技术股份有限公司 Unauthorized vulnerability detection method and device
CN110489966A (en) * 2019-08-12 2019-11-22 腾讯科技(深圳)有限公司 Parallel go beyond one's commission leak detection method, device, storage medium and electronic equipment
CN111125748A (en) * 2019-11-04 2020-05-08 广发银行股份有限公司 Judgment method and device for unauthorized query, computer equipment and storage medium

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115529171A (en) * 2022-09-16 2022-12-27 浙江网商银行股份有限公司 Behavior detection method and device
CN116346488A (en) * 2023-04-13 2023-06-27 贝壳找房(北京)科技有限公司 Unauthorized access detection method, device and storage medium
CN116346488B (en) * 2023-04-13 2024-05-17 贝壳找房(北京)科技有限公司 Unauthorized access detection method and device
CN117807575A (en) * 2024-01-02 2024-04-02 广州优加市场调研有限公司 Visitor management method and system based on cloud computing
CN118074992A (en) * 2024-03-05 2024-05-24 北京国舜科技股份有限公司 Method and device for identifying unauthorized loopholes

Also Published As

Publication number Publication date
CN113779585B (en) 2024-06-14
CN113779585A (en) 2021-12-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21913886

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18.10.2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21913886

Country of ref document: EP

Kind code of ref document: A1