WO2022267343A1 - Vulnerability detection method and device, and readable storage medium - Google Patents


Info

Publication number
WO2022267343A1
Authority
WO
WIPO (PCT)
Prior art keywords
preset
original
request
data
vulnerability detection
Prior art date
Application number
PCT/CN2021/134316
Other languages
French (fr)
Chinese (zh)
Inventor
刘宇滨
Original Assignee
深圳前海微众银行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳前海微众银行股份有限公司
Publication of WO2022267343A1

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F11/00 Error detection; Error correction; Monitoring › G06F11/36 Preventing errors by testing or debugging software › G06F11/362 Software debugging › G06F11/3636 Software debugging by tracing the execution of the program
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F11/00 Error detection; Error correction; Monitoring › G06F11/36 Preventing errors by testing or debugging software › G06F11/362 Software debugging › G06F11/366 Software debugging using diagnostics

Definitions

  • The present application relates to the field of information security technology in financial technology (Fintech), and in particular to a vulnerability detection method, device and readable storage medium.
  • At present, black-box testing is used to test whether an application program has vulnerabilities: during testing, the application is treated as a black box that cannot be opened, and its internal structure is not examined.
  • Black-box testing therefore focuses on the external behaviour of the application and tests only from the user's perspective, starting from the correspondence between input data and output data, without considering the internal structure of the application; as a result, the accuracy of vulnerability detection is not high.
  • The main purpose of this application is to provide a vulnerability detection method, device and readable storage medium, aimed at solving the technical problem of how to improve the accuracy of vulnerability detection for application programs.
  • Acquiring the original taint data corresponding to the preset user request includes:
  • The preset hash algorithm is composed of a preset number of mutually independent hash algorithms.
  • The original taint data is a set of original taint data.
  • Deduplicating the original taint data based on the preset array and the preset hash algorithm to obtain the target taint data includes:
  • If the total product is one, the piece of original taint data is determined to be non-target taint data, and the method returns to the step of traversing the original taint data set.
  • The function to be detected is a set of functions to be detected, and comparing the function to be detected with the preset dangerous function to obtain the program internal vulnerability detection result includes:
  • When the function to be detected hits a preset dangerous function, the weight of the hit dangerous function in the preset weight list is obtained together with the detection intermediate result, whose initial value is zero; the detection intermediate result is accumulated and updated based on the weight to obtain an updated detection intermediate result, and the method returns to the step of traversing the set of functions to be detected until the traversal is complete, whereupon the updated detection intermediate result is used as the program internal detection result;
  • The vulnerability detection method further includes:
  • A black-box vulnerability detection result is determined based on the filtered request parameters.
  • Determining whether there is a WAF in the server corresponding to the URL includes:
  • If the response status is response timeout, it is determined that there is a WAF in the server;
  • The original request parameters are a set of original request parameters.
  • Filtering the original request parameters in the preset user request includes:
  • If the first similarity between the original page and the first result page is greater than or equal to the first preset similarity threshold, the original request parameter in the preset user request is replaced with a second random number to obtain a second post-replacement request, which is sent to the server to obtain a second result page fed back by the server, wherein the first random number is different from the second random number;
  • After determining the black-box vulnerability detection result based on the filtered request parameters, the method further includes:
  • The present application also provides a vulnerability detection device, which includes a memory, a processor, and a vulnerability detection program stored in the memory and operable on the processor; when the vulnerability detection program is executed by the processor, the steps of the above vulnerability detection method are realized.
  • The present application also provides a computer-readable storage medium on which a vulnerability detection program is stored; when the vulnerability detection program is executed by a processor, the steps of the above vulnerability detection method are realized.
  • This application acquires the original taint data corresponding to a preset user request; deduplicates the original taint data based on a preset array and a preset hash algorithm to obtain the target taint data; obtains the function call stack corresponding to the target taint data, the function call stack being the record of the functions called when the preset application program responds to the preset user request; obtains the functions to be detected from the function call stack; and compares the functions to be detected with the preset dangerous functions to obtain the program internal vulnerability detection result, the preset dangerous functions being used to perform vulnerability detection on the preset application program so as to determine whether it has a vulnerability.
  • This application thus deduplicates the original taint data through the preset array and the preset hash algorithm, obtains the target taint data, and obtains the function call stack corresponding to the target taint data.
  • Because the function call stack is the record of the functions called when the preset application program responds to the preset user request, comparing that record with the preset dangerous functions detects vulnerabilities of the preset application program and yields the program internal vulnerability detection result, from which it is determined whether the preset application program has a vulnerability. It can be understood that the process of the preset application program responding to the preset user request is the process of handling that request according to its own internal structure; this application therefore goes into the internal structure of the preset application program to obtain the program internal vulnerability detection result, improving the accuracy of vulnerability detection for preset application programs.
  • Fig. 1 is a schematic flow chart of the first embodiment of the vulnerability detection method of the present application.
  • Fig. 2 is a schematic diagram illustrating an example of an array in the embodiment of the present application.
  • Fig. 3 is a schematic diagram illustrating the correspondence between detected taint data and array elements in the embodiment of the present application.
  • Fig. 4 is a schematic diagram illustrating an example of marking the target taint data x3 as detected taint data in the embodiment of the present application.
  • Fig. 5 is a schematic structural diagram of the hardware operating environment involved in the solution of the embodiment of the present application.
  • Fig. 1 is a schematic flowchart of the first embodiment of the vulnerability detection method of the present application.
  • The embodiment of the present application provides an embodiment of the vulnerability detection method. It should be noted that although a logical order is shown in the flow chart, in some cases the steps shown or described may be executed in an order different from the one given here.
  • The vulnerability detection method can be applied to a program module of the server that detects traffic. For convenience of description, the execution subject of the steps of the vulnerability detection method is omitted below.
  • The vulnerability detection method includes:
  • Step S10: acquiring the original taint data corresponding to the preset user request.
  • The original taint data corresponding to the preset user request is obtained; the original taint data contains non-target taint data, which corresponds to repeated test results. For non-target taint data, only one copy needs to be kept.
  • Step a: instrumenting the bytecode of the preset sensitive functions to obtain the taint source data.
  • Instrumentation is performed at the bytecode of the preset sensitive functions (functions of the preset application program that can carry security vulnerabilities, for example a dangerous system call such as rm -rf that is not intercepted). The instrumentation action depends on the loading time of the class of the application program, so there are two instrumentation methods; the difference in loading time is whether the class has already been loaded by the class loader at instrumentation time. For a class not yet loaded by the class loader at instrumentation time, the instrumentation is performed before the class is loaded: specifically, when the bytecode of the class is loaded into the JVM (Java Virtual Machine), it is converted through the transform method of a transformer so as to add a hook point.
  • The functions hooked by the hook point form the hook function list L1, and the hook function list L1 is the basis for judging whether there is a command execution vulnerability in the class. For a class already loaded by the class loader at instrumentation time, the loaded class is instrumented through the transform method of the transformer: specifically, a hook point is added to the loaded class, and the functions hooked by the hook point are again the hook function list L1.
  • Step b: removing non-user-input taint data from the taint source data to obtain the original taint data.
  • The taint source data includes user-controllable variables (user-input variables, such as the variables (parameters) in the preset user request); user-controllable variables represent the direct introduction of untrusted data or secret data into the system. The taint source data also includes data not input by users; this part of the data does not affect the safe operation of the preset application program, so it is not detected and is eliminated to improve detection efficiency.
  • The hook function list L1 is used to track the data flow corresponding to the variables in the preset user request, so as to obtain the original taint data, which includes the parameters in the preset user request, the data generated by function calls related to the data flow, and so on.
  • Step S20: deduplicating the original taint data based on a preset array and a preset hash algorithm to obtain the target taint data.
  • Deduplication is performed on the original taint data, that is, non-target taint data is not taken as part of the target taint data, so that target taint data without repeated taint data is obtained.
  • The original taint data is mapped to a hash value based on the preset hash algorithm; the preset hash algorithm may include MD5 (Message-Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1), and so on.
  • Mapping the original taint data to a hash value reduces the amount of data handled by the deduplication, which simplifies the deduplication process and improves detection efficiency.
  • The array elements of the preset array are obtained. The preset array stores hash value information, and the value range of each hash algorithm corresponds to the number of array elements: for example, if the preset array has 8 array elements, the value range of the hash value is 1-8, which ensures that each hash value corresponds to an index of the preset array. For example, a hash value of 3 selects the array element at index 3, i.e. the third position, of the preset array.
  • The original taint data is then deduplicated based on the preset array and the preset hash algorithm to obtain the target taint data.
  • Further, the preset hash algorithm is composed of a preset number of mutually independent hash algorithms, and the original taint data is a set of original taint data; deduplicating the original taint data based on the preset array and the preset hash algorithm to obtain the target taint data includes:
  • Step c: traversing the original taint data set.
  • The original taint data set is traversed, that is, one piece of original taint data is taken from the set at a time, and the subsequent steps d-h are performed on it.
  • Step d: each time a piece of original taint data is traversed, calculating that original taint data with each of the hash algorithms to obtain the preset number of hash values.
  • The preset hash algorithm used to map the original taint data includes a preset number of mutually independent hash algorithms. It can be understood that the more mutually independent hash algorithms there are, the more hash values describe each piece of original taint data and the more precisely it is described, which improves the accuracy of judging whether taint data is repeated.
  • The original taint data is thus calculated with the preset number of hash algorithms to obtain the preset number of hash values.
  • Step e: obtaining the array elements whose indexes equal the hash values in the preset array, and calculating the total product of those array elements;
  • Step f: judging whether the total product is zero;
  • Step g: if the total product is zero, setting every one of those array elements that is not one to one, taking the piece of original taint data as target taint data, and returning to the step of traversing the original taint data set;
  • Step h: if the total product is one, determining that the piece of original taint data is non-target taint data, and returning to the step of traversing the original taint data set.
  • The preset array may be a bit array or a byte array.
  • In one example, the preset array is an m-bit bit array A.
  • The initial values of the array elements are all zero.
  • Mapping the original taint data through the k hash algorithms yields k hash values; the k hash values are used as k indexes into the preset array, and the k array elements of the bit array A are obtained through those indexes.
  • The embodiment with a byte array is essentially the same as the embodiment with a bit array and is not repeated here.
  • The original taint data is deduplicated to obtain the target taint data as follows. The product of the addressed array elements, i.e. the total product, is calculated and it is judged whether the total product is zero. If the product is zero, the original taint data is not repeated target taint data and needs to be detected, so it is taken as target taint data and the method returns to the step of traversing the original taint data set; if the product is one, the original taint data is determined to be non-target taint data and the method returns to the step of traversing the original taint data set.
  • As illustrated in Fig. 3, the array elements corresponding to the original taint data x1 and x2 are all 1, so the product of the array elements is 1 for each of them: x1 and x2 represent taint data that has already been detected and are non-target taint data.
  • For the original taint data x3, at least one of the corresponding array elements is zero, so the product of the array elements corresponding to x3 is zero and x3 is determined to be target taint data. After x3 is determined to be target taint data, the array elements corresponding to it are changed from zero to one, so that x3 is now marked as detected taint data (Fig. 4).
  • Concretely, let the preset array be an m-bit bit array A and let H1, H2, ..., Hk be k mutually independent hash algorithms whose result range 1-m corresponds to the bit positions of A, so that the result of each hash algorithm can be any index of A.
  • The k hash algorithms map the original taint data to k hash results y1, y2, y3, y4, ..., yk, which are used as indexes into A to obtain A[y1], A[y2], A[y3], A[y4], ..., A[yk]; the product A[y1]*A[y2]*A[y3]*A[y4]*...*A[yk] is then calculated.
  • If the product is zero, the original taint data has not yet undergone vulnerability detection: every array element among A[y1], ..., A[yk] that is zero is set to one, and vulnerability detection is performed on the original taint data. If the product is one, the original taint data has already undergone vulnerability detection and is not detected again.
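  • The following is an added worked example of steps c-h, written for this page; it is not code from the patent or from the applicant. It implements the m-element array A and the k mutually independent hash algorithms H1..Hk as a Bloom filter: the k hashes are derived from blake2b keyed with k different salts (the patent names MD5 and SHA-1; any family of independent hashes works), and array indexes run 0..m-1 rather than the patent's 1..m. The sample taint data strings are constructed for the example.

```python
import hashlib


class TaintDeduplicator:
    """Deduplicate original taint data with a bit array A of m elements and k
    mutually independent hash functions (steps c-h of the method; a Bloom filter)."""

    def __init__(self, m=1024, k=3):
        self.m = m
        self.k = k
        self.bits = bytearray(m)  # preset array A, every element initially zero

    def indexes(self, taint):
        """Step d: compute k hash values for one piece of taint data, each mapped
        into the index range of A. Independence comes from keying blake2b with k
        different salts (an assumption of this example, not the patent's choice)."""
        data = taint.encode() if isinstance(taint, str) else taint
        return [
            int.from_bytes(
                hashlib.blake2b(data, digest_size=8, salt=bytes([i])).digest(), "big"
            ) % self.m
            for i in range(self.k)
        ]

    def already_detected(self, taint):
        """Steps e-f: the total product of the k addressed array elements is one only
        if every one of them was set by an earlier piece of taint data."""
        product = 1
        for i in self.indexes(taint):
            product *= self.bits[i]
        return product == 1

    def deduplicate(self, original_taint_set):
        """Step c: traverse the original taint data set and keep target taint data only."""
        target = []
        for taint in original_taint_set:
            if self.already_detected(taint):  # step h: non-target taint data, skip it
                continue
            for i in self.indexes(taint):  # step g: mark every addressed element as one
                self.bits[i] = 1
            target.append(taint)
        return target


if __name__ == "__main__":
    dedup = TaintDeduplicator()
    # constructed sample: request parameters seen by the agent, with repeats
    print(dedup.deduplicate(["id=1", "id=1", "name=alice", "id=1"]))
```

  • Two properties matter for a practitioner. A product of zero is exact: taint data never seen before always yields zero, so nothing new is silently accepted as already detected unless all k of its indexes were set by other data. A product of one, however, can be a false positive once the array fills, and a false positive here means a piece of taint data is never tested; m and k therefore have to be sized for the expected volume of taint data, and the array should be reset between test runs.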
  • Step S30: obtaining the function call stack corresponding to the target taint data, wherein the function call stack is the record of the functions called when the preset application program responds to the preset user request.
  • The function call stack corresponding to the target taint data is obtained. The function call stack is the record of the functions called when the preset application program responds to the preset user request, that is, it records the one or more functions to which the data of the preset user request flows.
  • The preset application program is a web application program installed on the server.
  • The application program is composed of classes, and a class is composed of functions.
  • The process of the preset application program responding to the preset user request is the process of calling the various related functions that process the preset user request. Specifically, when a class receives the parameter corresponding to the preset user request, an action to obtain the function call stack corresponding to the preset user request is triggered.
  • The data corresponding to the preset user request includes at least the request parameters of the preset user request; the preset user request is an HTTP request, for example the user's client requests the corresponding page file (such as a page file in HTML format) from the server through the request parameters of the HTTP request. The preset user request also includes the intermediate parameters generated while the preset application program processes the request parameters it has received and finally produces the corresponding page file.
  • The target taint data corresponding to the preset user request, which has passed through the above selection and screening, is obtained, and the corresponding function call stack is obtained through the target taint data. Obtaining the function call stack only for the target taint data reduces the amount of data to be processed and thereby improves detection efficiency.
  • Step S40: obtaining the functions to be detected from the function call stack.
  • Step S50: comparing the functions to be detected with the preset dangerous functions to obtain the program internal vulnerability detection result, wherein the preset dangerous functions are used to perform vulnerability detection on the preset application program.
  • The preset application program is tested for vulnerabilities based on the above function call stack to obtain the program internal vulnerability detection result; that is, the functions called by the preset application program are determined through the function call stack, and whether the preset application program is vulnerable is determined according to the functions it called.
  • The function calls involved in the above data flow are used for vulnerability detection, and those function calls are recorded in the function call stack.
  • The functions to be detected are obtained from the function call stack and vulnerability detection is performed on them to determine whether there is a security hole in the preset application program. Specifically, each function to be detected is compared with the preset dangerous functions (such as runtime()) to obtain the program internal vulnerability detection result, the preset dangerous functions being used to perform vulnerability detection on the preset application program.
  • Further, the functions to be detected form a set of functions to be detected, and comparing the functions to be detected with the preset dangerous functions to obtain the program internal vulnerability detection result includes:
  • Step i: traversing the set of functions to be detected.
  • The set of functions to be detected is traversed, that is, one function to be detected is taken from the set at a time, and the following steps j-l are performed on it.
  • Step j: each time a function to be detected is traversed, comparing that function with the preset dangerous functions;
  • Step k: when the function to be detected hits a preset dangerous function, obtaining the weight of the hit dangerous function from the preset weight list together with the detection intermediate result (initial value zero), accumulating the weight into the detection intermediate result to obtain the updated detection intermediate result, and returning to the step of traversing the set of functions to be detected until the traversal is complete, whereupon the updated detection intermediate result is taken as the program internal detection result;
  • Step l: when the function to be detected does not hit any preset dangerous function, returning to the step of traversing the set of functions to be detected.
  • Each time a function to be detected is traversed, it is compared with the preset dangerous functions, which are recorded in the dangerous function list.
  • A preset weight list W needs to be maintained. During the comparison, each time a function to be detected hits a function in the dangerous function list, the weight of that function in the preset weight list W is obtained together with the detection intermediate result, whose initial value is zero.
  • The recording process is specifically to accumulate the weight into the detection intermediate result to obtain the updated detection intermediate result, and then return to the step of traversing the set of functions to be detected until the traversal ends; the final updated detection intermediate result is taken as the program internal detection result.
  • The accumulated update of each round of traversal is the sum of the weight of that round and the updated detection intermediate result of the previous round; when a function to be detected does not hit any preset dangerous function, the method returns directly to the step of traversing the set of functions to be detected.
  • The final detection intermediate result is the program internal detection result.
  • The program internal detection result is the total weight Q.
  • Whether the preset application program has a vulnerability is determined through the total weight Q: specifically, the total weight Q is compared with the preset weight threshold P. If Q is greater than P, the preset application program has a security vulnerability; if Q is less than or equal to P, the system may still have a vulnerability, but this must be detected further by the black-box scanner.
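  • The following is an added example of steps S30-S50 and i-l, written for this page; it is not code from the patent or from the applicant. The patent adds hook points in JVM bytecode; here a Python wrapper plays the role of the hook point on a sensitive function, records the function call stack when tainted data reaches it, and the recorded functions are then scored against a dangerous function list with a weight list W and threshold P. The handler, sink names, weights and threshold are constructed for the example and are not values given by the patent; the sink only returns a string and executes nothing.

```python
import traceback
from dataclasses import dataclass


class Tainted(str):
    """String that originates from a user-controllable request parameter (taint source)."""


@dataclass
class Finding:
    sink: str          # sensitive function that tainted data reached
    call_stack: list   # function names recorded at that moment (step S30)
    score: float = 0.0 # total weight Q (step S50)


# Dangerous function list, weight list W and threshold P are constructed for this
# example; the names and numbers are assumptions, not values from the patent.
DANGEROUS_FUNCTIONS = {"run_command", "build_command"}
WEIGHTS = {"run_command": 0.7, "build_command": 0.4}
THRESHOLD_P = 0.5

FINDINGS = []


def hook_sink(func):
    """Hook point on a sensitive function: when tainted data reaches it, record the
    function call stack. The patent places this hook in JVM bytecode through a
    transformer; a plain wrapper is the Python analogue."""
    def hooked(*args, **kwargs):
        if any(isinstance(a, Tainted) for a in args):
            frames = traceback.extract_stack()[:-1]  # drop the hook's own frame
            stack = [f.name for f in frames] + [func.__name__]
            FINDINGS.append(Finding(sink=func.__name__, call_stack=stack))
        return func(*args, **kwargs)
    hooked.__name__ = func.__name__
    return hooked


@hook_sink
def run_command(cmd):
    # Stand-in for a command execution sink such as runtime(); nothing is executed.
    return "would execute: " + cmd


def build_command(filename):
    # A real agent propagates taint inside the instrumented string operations;
    # here the propagation is written out explicitly.
    return Tainted("cat " + filename)


def handle_request(params):
    """Hypothetical handler of the preset application responding to a user request."""
    return run_command(build_command(Tainted(params["file"])))


def score_call_stack(functions, dangerous=DANGEROUS_FUNCTIONS, weights=WEIGHTS):
    """Steps i-l: traverse the functions to be detected and accumulate the weight of
    every hit on the dangerous function list into the total weight Q."""
    q = 0.0
    for name in functions:
        if name in dangerous:
            q += weights.get(name, 0.0)
    return q


def verdict(q, threshold=THRESHOLD_P):
    """Q > P: vulnerable; otherwise hand the request on to the black-box scanner."""
    return "vulnerable" if q > threshold else "needs black-box scan"


def detect(params):
    """Run one request through the hooked application and score every finding."""
    FINDINGS.clear()
    handle_request(params)
    results = []
    for finding in FINDINGS:
        finding.score = score_call_stack(finding.call_stack)
        results.append((finding.sink, finding.score, verdict(finding.score)))
    return results


if __name__ == "__main__":
    print(detect({"file": "/etc/passwd"}))  # constructed request parameters
```

  • Note that the hook fires only when a Tainted argument reaches the sink; a call with a constant (run_command("ls")) produces no finding, which is the point of removing non-user-input data in step b. The call stack captured at the sink contains the frames active at that moment, so a helper that has already returned (build_command above) is not on it; the patent's agent tracks the data flow through such helpers as well.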
  • The original taint data in the above vulnerability detection process is obtained through a data flow tracking agent built on the Instrument API (Application Programming Interface) of the JDK (Java Development Kit), that is, java.lang.instrument, whose ClassFileTransformer.transform method is the transform method of the transformer referred to above.
  • The agent analyses the data flow according to the context, extracts the call stack of the called functions according to the data flow, and obtains the program internal vulnerability detection result to determine whether there is a vulnerability in the preset application program.
  • The vulnerability detection method further includes:
  • Step m: obtaining the Uniform Resource Locator (URL) corresponding to the preset user request;
  • Step n: preprocessing the URL based on a preset regular expression;
  • Step o: after the preprocessing is complete, determining whether there is a website application level intrusion prevention system (WAF, web application firewall) in the server corresponding to the URL;
  • The black-box scanner first obtains the URL corresponding to the preset user request, and then uses the preset regular expression to judge whether the URL of the preset user request is legal. If it is legal, subsequent processing is performed; if it is not legal, the vulnerability detection process ends.
  • For example, the preset regular expression is (http|https)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]+[-A-Za-z0-9+&@#/%=~_|]
  • For example, the URL https://www.baidu.com matches the preset regular expression and is a legal URL, so the preprocessing result is that the URL is legal. As another example, the URL hjttps://www.baidu.com is an incorrect URL: "hjttps" is neither "http" nor "https", so it cannot match the preset regular expression and is an illegal URL, and the preprocessing result is that the URL is illegal. (The match must be anchored to the whole string; a regular expression that merely searches for this pattern inside the URL would accept any string that contains a valid URL somewhere.)
  • WAF bypass methods include encoding bypass, case bypass, space-filter bypass, and so on.
  • Further, determining whether there is a WAF in the server corresponding to the URL includes:
  • Step o1: constructing a normal request and sending it to the server corresponding to the URL to obtain the original page;
  • Step o2: constructing an abnormal request, sending it to the server, and determining the response status corresponding to the abnormal request;
  • Step o3: if the response status is response timeout, determining that there is a WAF in the server;
  • Step o4: if the response status is not response timeout, obtaining the abnormal page corresponding to the abnormal request;
  • Step o5: comparing the original page with the abnormal page; if the original page is the same as the abnormal page, there is a WAF in the server.
  • The black-box scanner determines whether there is a WAF in the server by comparing the similarity between the page for a normal request and the page for an abnormal request. Specifically, the black-box scanner first constructs a normal request, sends it to the server corresponding to the URL, and obtains the original page with which the preset application program responds; it then constructs an abnormal request corresponding to the normal request, sends it to the server, and determines the response status. If the response status is response timeout, there is a WAF in the server; if the response has not timed out, the abnormal page with which the preset application program responds to the abnormal request is obtained and compared with the original page.
  • Step p: if there is no WAF in the server, sending a data test request to the server after the Domain Name System (DNS) resolution succeeds.
  • If there is no WAF, vulnerability detection continues. This step checks network stability in order to decide whether to end the vulnerability detection process or to perform the subsequent steps of vulnerability detection. It can be understood that the black-box scanner detects vulnerabilities through input and output analysis: after sending a request to the server, it receives the response fed back by the server and detects vulnerabilities of the server according to the request and the response.
  • The network stability check sends a request to the destination URL (such as the URL corresponding to the server) and judges whether the network is stable according to the data packet returned for the request.
  • The URL is first resolved to determine whether DNS resolution succeeds. If resolution fails, the website cannot be connected to; if it succeeds, a data test request is sent to the server after the DNS resolution, and when the request succeeds the URL returns the corresponding data packet.
  • A database is then used to identify whether there is an error in the returned data packet; if there is no error, the website can be connected to. If the return value is an HTTP error or there is no returned data packet, the website cannot be connected to.
  • Step q: if the preset return value fed back by the server is received, filter the original request parameters in the preset user request to obtain the filtered request parameters.
  • each parameter in the preset user request is checked for repetition and for whether it needs to be detected. Specifically, if a parameter is a repeated parameter or a parameter that does not need to be detected, the parameter is filtered out; if a parameter is not repeated and does need to be detected, detection of that parameter continues. It can be understood that filtering out the parameters that do not need processing and the repeated parameters in the preset user request reduces the workload of vulnerability detection and thereby improves its efficiency.
  • its embodiment is basically the same as the embodiment of performing deduplication processing on the original tainted data in the above vulnerability detection method, and is not repeated here.
  • the original request parameters are a set of original request parameters, and filtering the original request parameters in the preset user request includes:
  • Step q1: traversing the original request parameter set;
  • Step q2: each time an original request parameter is traversed, sending the preset user request to the server, obtaining the original page fed back by the server, replacing that original request parameter in the preset user request with a first random number to obtain a first post-replacement request, sending the first post-replacement request to the server, and obtaining the first result page fed back by the server;
  • Step q3: if the first similarity between the original page and the first result page is greater than or equal to a first preset similarity threshold, replacing the original request parameter in the preset user request with a second random number to obtain a second post-replacement request, sending the second post-replacement request to the server, and obtaining a second result page fed back by the server, wherein the first random number is different from the second random number;
  • Step q4: if the second similarity between the first result page and the second result page is greater than or equal to a second preset similarity threshold, filtering out the original request parameter and returning to the step of traversing the original request parameter set.
  • the original request parameter set is traversed so that one original request parameter is taken from the set each time, and the following steps q2 to q4 are performed. Each time an original request parameter is traversed, the preset user request is sent to the server through the black-box scanner to obtain the original response returned by the server, that is, the original page; the original request parameter in the preset user request is then replaced with the first random number to obtain the first post-replacement request, which is sent to the server to obtain the first result page R1 returned by the server. The first similarity between the original page and the first result page R1 is determined; if the first similarity is smaller than the first preset similarity threshold, the parameter cannot be filtered out.
  • if the first similarity is greater than or equal to the first preset similarity threshold, the original request parameter is replaced with a second random number different from the first random number to obtain a second post-replacement request, which is sent to the server to obtain the second result page R2 returned by the server. The second similarity between the first result page R1 and the second result page R2 is determined; if the second similarity is less than the second preset similarity threshold, the original request parameter cannot be filtered out, and if the second similarity is greater than or equal to the second preset similarity threshold, the original request parameter can be filtered out. After filtering out the original request parameter, the process returns to the above step of traversing the original request parameter set in order to filter the next parameter among the original request parameters.
  • Step r: determining a black-box vulnerability detection result based on the filtered request parameters.
  • after determining the black-box vulnerability detection result based on the filtered request parameters, the method further includes:
  • Step s: obtaining a first score corresponding to the program-internal vulnerability detection result;
  • Step t: obtaining a second score corresponding to the black-box vulnerability detection result;
  • Step u: calculating the sum of the first score and the second score to obtain a total score;
  • Step v: if the total score is greater than a preset score threshold, determining that the preset application program has a vulnerability.
  • whether the preset application program has a vulnerability is determined according to the above program-internal vulnerability detection result and black-box vulnerability detection result. Specifically, the first score corresponding to the program-internal vulnerability detection result is obtained, and the second score corresponding to the black-box vulnerability detection result is obtained. That is, the preset application program is scored for the presence of vulnerabilities using both the program-internal vulnerability detection result and the black-box vulnerability detection result, giving a scoring result.
  • the process of determining whether the preset application program has a vulnerability based on the scoring result is: calculating the sum of the first score and the second score corresponding to the program-internal vulnerability detection result and the black-box vulnerability detection result to obtain the total score, and judging whether the total score is greater than the preset score threshold. If it is greater, the preset application program is determined to have a vulnerability; if it is less than or equal to the threshold, the preset application program has no vulnerability.
  • combining the two increases the diversity of vulnerability detection, and vulnerability detection is performed on the basis of both detection results.
  • vulnerability detection with the black-box scanner added covers a wider detection range for the preset application program, so combining the program-internal vulnerability detection result with the black-box vulnerability detection result improves the accuracy of vulnerability detection.
  • dirty data is generated during the detection process, and if this dirty data flows into the data generated during normal operation of the preset application program, that data is polluted by the dirty data.
  • the dirty data can also be intercepted by a data interception agent.
  • the system command issued by the black-box scanner is intercepted by the data interception agent, so that the preset application program is prevented from executing the system command.
  • an interceptor is generated through the JDK (Java Development Kit) Instrument API (Application Programming Interface) to modify the definition of the relevant class before the program starts, and a data interception agent is generated in the running preset application program. The data interception agent intercepts the system commands issued by the black-box scanner to the preset application program, that is, the command is intercepted in that class before it is executed, so that the test data does not affect the server.
  • this embodiment obtains the original tainted data corresponding to the preset user request;
  • the preset array and the preset hash algorithm are used to deduplicate the original tainted data to obtain the target tainted data;
  • the function call stack corresponding to the target tainted data is obtained, wherein the function call stack is the record of the functions called when the preset application program responds to the preset user request;
  • the function to be detected is obtained from the function call stack and compared with the preset dangerous function to obtain the program-internal vulnerability detection result, wherein the preset dangerous function is used to perform vulnerability detection on the preset application program, so as to determine whether the preset application program has a vulnerability.
  • this application deduplicates the original tainted data through the preset array and the preset hash algorithm, obtains the target tainted data, and obtains the function call stack corresponding to the target tainted data.
  • the function call stack is the record of the functions called when the preset application program responds to the preset user request; this record is compared with the preset dangerous function so as to detect vulnerabilities in the preset application program and obtain the program-internal vulnerability detection result, from which it is determined whether the preset application program has a vulnerability. It can be understood that the process by which the preset application program responds to the preset user request is the process of handling that request according to the program's own internal structure. Therefore, this application goes into the internal structure of the preset application program to obtain the program-internal vulnerability detection result, thereby improving the accuracy of vulnerability detection for the preset application program.
  • a vulnerability detection device which includes:
  • the first obtaining module is used to obtain the original taint data corresponding to the preset user request
  • a deduplication module configured to perform deduplication processing on the original tainted data based on a preset array and a preset hash algorithm to obtain target tainted data
  • the second obtaining module is configured to obtain a function call stack corresponding to the target taint data, wherein the function call stack is a record of calling a function when a preset application program responds to the preset user request;
  • the third obtaining module is used to obtain the function to be detected in the function call stack
  • a comparison module configured to compare the function to be detected with a preset dangerous function to obtain a program-internal vulnerability detection result, wherein the preset dangerous function is used to perform vulnerability detection on the preset application program to determine whether the preset application program has a vulnerability.
  • the first acquisition module is also used for:
  • the deduplication module is also used for:
  • if the total product is one, it is determined that the one original taint data item is non-target taint data, and the process returns to the step of traversing the original taint data set.
  • the comparison module is also used for:
  • when the function to be detected hits a preset dangerous function, the weight of the hit preset dangerous function in the preset weight list is obtained, the detection intermediate result (initial value zero) is obtained, and the detection intermediate result is accumulatively updated on the basis of that weight to obtain an updated detection intermediate result; the process then returns to the step of traversing the set of functions to be detected until the traversal ends, and the updated detection intermediate result is taken as the program-internal detection result;
  • the vulnerability detection device further includes:
  • a fourth obtaining module configured to obtain the URL corresponding to the preset user request
  • a preprocessing module configured to preprocess the URL based on a preset regular expression
  • the first determination module is configured to determine, after the preprocessing is completed, whether a website application-level intrusion prevention system (WAF) exists in the server corresponding to the URL;
  • a sending module configured to send a data test request to the server after the domain name system DNS is successfully resolved if the WAF does not exist in the server;
  • a filtering module configured to filter the original request parameters in the preset user request to obtain filtered request parameters if the preset return value fed back by the server is received;
  • the second determining module is configured to determine a black-box vulnerability detection result based on the filtered request parameters.
  • the first determining module is also used for:
  • if the response status is response timeout, it is determined that a WAF exists in the server;
  • the filtering module is also used for:
  • if the first similarity between the original page and the first result page is greater than or equal to the first preset similarity threshold, replacing the original request parameter in the preset user request with a second random number to obtain a second post-replacement request, and sending the second post-replacement request to the server to obtain a second result page fed back by the server, wherein the first random number is different from the second random number;
  • the vulnerability detection device further includes:
  • the fifth obtaining module is used to obtain the first score corresponding to the program internal vulnerability detection result
  • a sixth obtaining module configured to obtain a second score corresponding to the black-box vulnerability detection result
  • a calculation module configured to calculate the sum of the first score and the second score to obtain a total score
  • the third determining module is configured to determine that there is a vulnerability in the preset application program if the total score is greater than a preset score threshold.
  • FIG. 5 is a schematic structural diagram of a hardware operating environment involved in the solution of the embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a hardware operating environment of a vulnerability detection device.
  • the vulnerability detection device may include: a processor 1001, such as a CPU, a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002.
  • the communication bus 1002 is used to realize connection and communication between these components.
  • the user interface 1003 may include a display screen (Display), an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high-speed RAM memory, or a stable memory (non-volatile memory), such as a disk memory.
  • the memory 1005 may also be a storage device independent of the aforementioned processor 1001 .
  • the vulnerability detection device may also include RF (radio frequency) circuits, sensors, audio circuits, WiFi modules, etc.
  • the structure of the vulnerability detection device shown in Figure 5 does not constitute a limitation on the vulnerability detection device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
  • the memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and a vulnerability detection program.
  • the operating system is a program that manages and controls the hardware and software resources of the vulnerability detection device, and supports the operation of the vulnerability detection program and other software or programs.
  • the user interface 1003 is mainly used to connect to a terminal and perform data communication with it, such as receiving a request sent by the terminal;
  • the network interface 1004 is mainly used to connect to a background server and perform data communication with it;
  • the processor 1001 can be used to call the vulnerability detection program stored in the memory 1005 and execute the steps of the above vulnerability detection method.
  • the embodiment of the present application also proposes a computer-readable storage medium on which a vulnerability detection program is stored; when the vulnerability detection program is executed by a processor, the steps of the above vulnerability detection method are implemented.

Abstract

The present application discloses a vulnerability detection method and device, and a readable storage medium. The method comprises the steps of: obtaining original tainted data corresponding to a preset user request; deduplicating the original tainted data on the basis of a preset array and a preset hash algorithm to obtain target tainted data; obtaining a function call stack corresponding to the target tainted data, the function call stack being a record of the functions called when a preset application program responds to the preset user request; obtaining a function to be detected in the function call stack; and comparing said function with a preset dangerous function to obtain a program-internal vulnerability detection result, wherein the preset dangerous function is used for performing vulnerability detection on the preset application program so as to determine whether the preset application program has a vulnerability.

Description

Vulnerability detection method, device and readable storage medium
This application claims priority to Chinese patent application No. 202110716702.X, filed on June 25, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of information security technology in financial technology (Fintech), and in particular to a vulnerability detection method, device and readable storage medium.
Background art
With the continuous development of financial technology, especially Internet finance, more and more technologies (such as distributed computing, artificial intelligence, etc.) are applied in the financial field, but the financial industry also places higher requirements on technology, for example higher requirements on the information security of the financial industry.
At present, black-box testing is used to test whether an application program has vulnerabilities. Specifically, during testing the application program is treated as a black box that cannot be opened; the test is carried out through the application program's interfaces without considering the program's internal structure at all.
That is, black-box testing focuses on the external structure of the application program and tests only from the user's perspective, starting from the correspondence between input data and output data, without considering the application program's internal structure, which results in low accuracy of vulnerability detection for the application program.
Technical problem
The main purpose of this application is to provide a vulnerability detection method, device and readable storage medium, aiming to solve the existing technical problem of how to improve the accuracy of vulnerability detection for application programs.
Technical solution
To achieve the above purpose, this application provides a vulnerability detection method, which includes the steps of:
obtaining original tainted data corresponding to a preset user request;
deduplicating the original tainted data based on a preset array and a preset hash algorithm to obtain target tainted data;
obtaining a function call stack corresponding to the target tainted data, wherein the function call stack is a record of the functions called when a preset application program responds to the preset user request;
obtaining a function to be detected in the function call stack;
comparing the function to be detected with a preset dangerous function to obtain a program-internal vulnerability detection result, wherein the preset dangerous function is used to perform vulnerability detection on the preset application program to determine whether the preset application program has a vulnerability.
In an embodiment, obtaining the original tainted data corresponding to the preset user request includes:
instrumenting the bytecode of a preset sensitive function to obtain taint source data;
removing non-user-input taint data from the taint source data to obtain the original tainted data.
In an embodiment, the preset hash algorithm is composed of a preset number of mutually independent hash algorithms, the original tainted data is a set of original tainted data, and deduplicating the original tainted data based on the preset array and the preset hash algorithm to obtain the target tainted data includes:
traversing the original tainted data set;
each time an original tainted data item is traversed, calculating that item with each of the hash algorithms to obtain the preset number of hash values;
obtaining the array elements of the preset array whose indices equal the hash values, and calculating the total product of those array elements;
judging whether the total product is zero;
if the total product is zero, setting those of the array elements that are not one to one, taking the one original tainted data item as target tainted data, and returning to the step of traversing the original tainted data set;
if the total product is one, determining that the one original tainted data item is non-target tainted data, and returning to the step of traversing the original tainted data set.
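As an added illustration (not code from the patent or its assignee), the following Python reproduces the deduplication steps just listed: a preset array of zeros, a preset number of mutually independent hash algorithms, and the total-product test that decides whether an original tainted data item becomes target tainted data. The array size, the number of hash algorithms, the salted-SHA-256 construction of the independent hashes and the sample taint items are all assumptions; the page fixes none of them.

```python
import hashlib
from typing import Callable, Iterable, List

# Assumptions (the page fixes none of these): array size, number of hash
# algorithms, and how the mutually independent algorithms are built.
ARRAY_SIZE = 4096
HASH_COUNT = 3


def make_hashes(count: int, size: int) -> List[Callable[[bytes], int]]:
    """Build `count` mutually independent hash algorithms, each mapping a taint
    item to an index in [0, size). Independence comes from a distinct salt
    prepended to the input before SHA-256 (constructed for this example)."""
    def make(salt: int) -> Callable[[bytes], int]:
        def h(data: bytes) -> int:
            digest = hashlib.sha256(salt.to_bytes(2, "big") + data).digest()
            return int.from_bytes(digest[:8], "big") % size
        return h
    return [make(i) for i in range(count)]


def deduplicate(original_taint: Iterable[bytes],
                hash_count: int = HASH_COUNT, size: int = ARRAY_SIZE) -> List[bytes]:
    """Return the target taint data: each original taint item the first time it
    is seen, in traversal order, using the preset array and total-product test."""
    array = [0] * size                       # preset array, all elements zero
    hashes = make_hashes(hash_count, size)
    target: List[bytes] = []
    for item in original_taint:              # traverse the original taint data set
        indices = [h(item) for h in hashes]  # the preset number of hash values
        product = 1
        for i in indices:
            product *= array[i]              # total product of the selected elements
        if product == 0:                     # some element still zero: not seen before
            for i in indices:
                if array[i] != 1:
                    array[i] = 1             # mark the item as detected
            target.append(item)
        # product == 1: every element already one, so the item is non-target
    return target


# Constructed sample of original taint data with repeats.
SAMPLE_TAINT = [b"name=alice", b"id=42", b"name=alice", b"page=3", b"id=42"]

if __name__ == "__main__":
    print(deduplicate(SAMPLE_TAINT))
```

The array-plus-independent-hashes structure is a Bloom filter: the product test can read one for an item that was never seen if all of its indices happen to have been set by other items, so a "non-target" verdict can be a false positive. Sizing the array relative to the expected number of taint items keeps that rate low, and the cost of such a miss is only a skipped duplicate check, never a spurious vulnerability report.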
In an embodiment, the function to be detected is a set of functions to be detected, and comparing the function to be detected with the preset dangerous function to obtain the program-internal vulnerability detection result includes:
traversing the set of functions to be detected;
each time a function to be detected is traversed, comparing that function with the preset dangerous function;
when the function to be detected hits the preset dangerous function, obtaining the weight of the hit preset dangerous function in a preset weight list, obtaining a detection intermediate result with an initial value of zero, accumulatively updating the detection intermediate result based on that weight to obtain an updated detection intermediate result, and returning to the step of traversing the set of functions to be detected until the traversal ends, whereupon the updated detection intermediate result is taken as the program-internal detection result;
when the function to be detected does not hit the preset dangerous function, returning to the step of traversing the set of functions to be detected.
In an embodiment, the vulnerability detection method further includes:
obtaining the uniform resource locator (URL) corresponding to the preset user request;
preprocessing the URL based on a preset regular expression;
after the preprocessing is completed, determining whether a website application-level intrusion prevention system (WAF) exists in the server corresponding to the URL;
if the WAF does not exist in the server, sending a data test request to the server after the domain name system (DNS) has resolved successfully;
if the preset return value fed back by the server is received, filtering the original request parameters in the preset user request to obtain filtered request parameters;
determining a black-box vulnerability detection result based on the filtered request parameters.
In an embodiment, determining whether a WAF exists in the server corresponding to the URL includes:
constructing a normal request and sending it to the server corresponding to the URL to obtain an original page;
constructing an abnormal request, sending it to the server, and determining the response status corresponding to the abnormal request;
if the response status is response timeout, determining that a WAF exists in the server;
if the response status is that the response has not timed out, obtaining the abnormal page corresponding to the abnormal request;
comparing the original page with the abnormal page; if the original page is the same as the abnormal page, a WAF exists in the server.
In an embodiment, the original request parameters are a set of original request parameters, and filtering the original request parameters in the preset user request includes:
traversing the original request parameter set;
each time an original request parameter is traversed, sending the preset user request to the server, obtaining the original page fed back by the server, replacing that original request parameter in the preset user request with a first random number to obtain a first post-replacement request, sending the first post-replacement request to the server, and obtaining a first result page fed back by the server;
if the first similarity between the original page and the first result page is greater than or equal to a first preset similarity threshold, replacing the original request parameter in the preset user request with a second random number to obtain a second post-replacement request, and sending the second post-replacement request to the server to obtain a second result page fed back by the server, wherein the first random number is different from the second random number;
if the second similarity between the first result page and the second result page is greater than or equal to a second preset similarity threshold, filtering out the original request parameter and returning to the step of traversing the original request parameter set.
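The WAF check above and the parameter filtering just described (the same procedure as steps q1 to q4 earlier on this page) both need a server to send requests to. As an added example that is not part of the patent, the Python below simulates two constructed in-memory servers and runs both procedures against them. Assumptions not stated on the page: the abnormal request is formed by appending a marker to every parameter value, a response timeout is modelled as an exception raised by the send function, page similarity is difflib's ratio, and both preset similarity thresholds are 0.9.

```python
import difflib
import random
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    body: str


class ResponseTimeout(Exception):
    """Raised by a server stub when the request times out (assumption: this is
    how the response status 'timeout' reaches the scanner)."""


Params = Dict[str, str]
Server = Callable[[Params], Response]


def plain_app(params: Params) -> Response:
    """Constructed server stub: the page depends on 'id' and ignores 'trace'."""
    if params.get("id") == "42":
        return Response(200, "<html><h1>Product 42</h1><p>Widget, in stock, price 9.99</p></html>")
    return Response(404, "<html><h1>Not found</h1></html>")


def waf_app(params: Params) -> Response:
    """Constructed server stub fronted by a WAF that silently drops suspicious
    requests, so the scanner sees a timeout instead of a page."""
    if any("<" in value or "'" in value for value in params.values()):
        raise ResponseTimeout()
    return plain_app(params)


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, a, b).ratio()


def has_waf(send: Server, normal: Params) -> bool:
    """Normal request, then an abnormal one: a timeout or an identical page
    means a WAF is present."""
    original = send(normal).body
    abnormal = {k: v + "<abnormal>" for k, v in normal.items()}  # assumption
    try:
        abnormal_page = send(abnormal).body
    except ResponseTimeout:
        return True
    return abnormal_page == original


def filter_params(send: Server, request: Params, t1: float = 0.9, t2: float = 0.9,
                  seed: int = 7) -> Params:
    """Steps q1-q4: keep only the parameters whose value changes the page."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    kept: Params = {}
    for name in request:  # traverse the original request parameter set
        original = send(request).body
        r1 = rng.randrange(1, 10**6)
        page1 = send({**request, name: str(r1)}).body
        if similarity(original, page1) < t1:
            kept[name] = request[name]  # page depends on it: cannot be filtered
            continue
        r2 = rng.randrange(1, 10**6)
        while r2 == r1:  # the two random numbers must differ
            r2 = rng.randrange(1, 10**6)
        page2 = send({**request, name: str(r2)}).body
        if similarity(page1, page2) < t2:
            kept[name] = request[name]
            continue
        # both similarities at or above threshold: the parameter is filtered out
    return kept


PRESET_REQUEST = {"id": "42", "trace": "abc"}  # constructed preset user request

if __name__ == "__main__":
    print(has_waf(plain_app, PRESET_REQUEST), has_waf(waf_app, PRESET_REQUEST))
    print(filter_params(plain_app, PRESET_REQUEST))
```

Two caveats follow from the page's own rules. The "identical page" test flags a WAF whenever the server simply ignores the mutated parameters, so the abnormal request must alter a parameter the server actually uses. And the similarity test judges a parameter only on the page it was sent to: a parameter that matters on another code path (for example only after login) is filtered out here and never reaches the black-box detection step.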
In an embodiment, after determining the black-box vulnerability detection result based on the filtered request parameters, the method further includes:
obtaining a first score corresponding to the program-internal vulnerability detection result;
obtaining a second score corresponding to the black-box vulnerability detection result;
calculating the sum of the first score and the second score to obtain a total score;
if the total score is greater than a preset score threshold, determining that the preset application program has a vulnerability.
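To make the program-internal comparison step and the score combination above concrete, here is an added Python example (not the patent's own code) that extracts the functions to be detected from a captured call stack, accumulates the weights of the preset dangerous functions that are hit, and then applies the total-score threshold. The weight list, the functions in it, the threshold and the sample stack are constructed; the page names none of them. The example passes the accumulated intermediate result through unchanged as the first score, which is also an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed preset weight list: fully qualified dangerous function -> weight.
# The page names no specific functions or weights; these are assumptions.
PRESET_WEIGHTS: Dict[str, int] = {
    "java.lang.Runtime.exec": 5,
    "java.sql.Statement.executeQuery": 3,
    "java.io.File.<init>": 1,
}

# One JVM stack frame line, e.g. "    at java.lang.Runtime.exec(Runtime.java:347)".
FRAME_RE = re.compile(r"^\s*at\s+([\w.$<>]+)\(")


def functions_to_detect(call_stack: str) -> List[str]:
    """Extract the functions to be detected from a captured call stack given in
    the textual form the JVM prints (a constructed sample is used below)."""
    return [m.group(1) for line in call_stack.splitlines()
            if (m := FRAME_RE.match(line))]


def internal_detection_result(functions: List[str],
                              weights: Dict[str, int] = PRESET_WEIGHTS) -> int:
    """Traverse the functions; on each hit accumulate the dangerous function's
    weight into the detection intermediate result (initial value zero)."""
    intermediate = 0
    for fn in functions:
        if fn in weights:
            intermediate += weights[fn]
    return intermediate


def total_score(first_score: int, second_score: int, threshold: int) -> Tuple[int, bool]:
    """Sum the program-internal and black-box scores; the application is judged
    vulnerable only if the total exceeds the preset score threshold."""
    total = first_score + second_score
    return total, total > threshold


# Constructed call stack recorded when a user request reached a taint sink.
SAMPLE_STACK = """\
java.lang.Exception: taint sink reached
    at java.lang.Runtime.exec(Runtime.java:347)
    at com.example.app.PingController.ping(PingController.java:42)
    at java.sql.Statement.executeQuery(Statement.java:1)
    at com.example.app.Dispatcher.handle(Dispatcher.java:88)
"""

if __name__ == "__main__":
    first = internal_detection_result(functions_to_detect(SAMPLE_STACK))
    print(total_score(first, second_score=2, threshold=9))
```

Matching is on the fully qualified method name, so a wrapper that forwards user input to `Runtime.exec` is still caught as long as the sink itself appears in the stack; a weight list keyed on application-level wrappers alone would miss it.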
In addition, to achieve the above purpose, the present application also provides a vulnerability detection device, which includes a memory, a processor, and a vulnerability detection program stored in the memory and operable on the processor; when the vulnerability detection program is executed by the processor, the steps of the vulnerability detection method described above are implemented.
In addition, to achieve the above purpose, the present application also provides a computer-readable storage medium on which a vulnerability detection program is stored; when the vulnerability detection program is executed by a processor, the steps of the vulnerability detection method described above are implemented.
Beneficial effects
Compared with the prior art, in which black-box testing is used to detect vulnerabilities in an application program and the accuracy of that detection is therefore low, this application obtains the original tainted data corresponding to the preset user request; deduplicates the original tainted data based on a preset array and a preset hash algorithm to obtain target tainted data; obtains the function call stack corresponding to the target tainted data, the function call stack being the record of the functions called when the preset application program responds to the preset user request; obtains the function to be detected from the function call stack; and compares the function to be detected with a preset dangerous function to obtain a program-internal vulnerability detection result, the preset dangerous function being used to perform vulnerability detection on the preset application program so as to determine whether it has a vulnerability. In this way the application deduplicates the original tainted data through the preset array and the preset hash algorithm to obtain the target tainted data, obtains the function call stack corresponding to the target tainted data, which records the functions called when the preset application program responds to the preset user request, and compares that record with the preset dangerous function, thereby detecting vulnerabilities in the preset application program and obtaining the program-internal vulnerability detection result from which it is determined whether the preset application program has a vulnerability.
It can be understood that the process by which the preset application program responds to the preset user request is the process of handling that request according to the program's own internal structure; this application therefore goes into the interior of the preset application program and derives the program-internal vulnerability detection result from its internal structure, thereby improving the accuracy of vulnerability detection for the preset application program.
Description of drawings
Fig. 1 is a schematic flow chart of the first embodiment of the vulnerability detection method of the present application;
Fig. 2 is a schematic diagram illustrating an example of an array in an embodiment of the present application;
Fig. 3 is a schematic diagram illustrating an example of the correspondence between already-detected taint data and array elements in an embodiment of the present application;
Fig. 4 is a schematic diagram illustrating an example of marking target taint data x3 as already-detected taint data in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of the hardware operating environment involved in the solution of an embodiment of the present application.
The realization, functional features and advantages of the present application will be further described in conjunction with the embodiments and with reference to the accompanying drawings.
Embodiments of the present invention
It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it.
The present application provides a vulnerability detection method. Referring to Fig. 1, Fig. 1 is a schematic flow chart of the first embodiment of the vulnerability detection method of the present application.
The embodiments of the present application provide an embodiment of the vulnerability detection method. It should be noted that, although a logical order is shown in the flow chart, in some cases the steps shown or described may be executed in an order different from the one given here. The vulnerability detection method can be applied to a program module of a server that inspects traffic. For ease of description, the executing entity is omitted in the description of the individual steps below. The vulnerability detection method includes:
Step S10: obtain the original taint data corresponding to a preset user request.
In this embodiment, the original taint data corresponding to the preset user request is obtained. The original taint data contains non-target taint data; non-target taint data corresponds to repeated test results, so only one copy of it needs to be kept.
Further, before obtaining the original taint data corresponding to the preset user request, the method includes:
Step a: instrument the bytecode of preset sensitive functions to obtain taint source data.
In this embodiment, instrumentation is performed at the bytecode of preset sensitive functions (functions of the preset application that may have security vulnerabilities, for example a dangerous system call such as rm -rf that is not intercepted). Depending on when the class of the preset application is loaded, there are two ways to instrument; the distinction is whether the class has already been loaded by the classloader at the time of instrumentation. If the class has not yet been loaded, instrumentation takes place before loading: before the class bytecode is loaded into the JVM (Java Virtual Machine), it passes through the transform method of a transformer, which adds hook points. The functions hooked at these points form a hook function list L1, and L1 is the basis for judging whether the class has a command-execution vulnerability. If the class has already been loaded by the classloader, the loaded class is instrumented through the same transform method of the transformer: hook points are added to the loaded class, and the hooked functions are again those in the hook function list L1.
All data passing through such a class is treated as harmful input, that is, as taint source data.
Step b: remove the non-user-input taint data from the taint source data to obtain the original taint data.
In this embodiment, the taint source data includes user-controllable variables (variables supplied by the user, for example the variables (parameters) in the preset user request); a user-controllable variable means that untrusted or confidential data is introduced directly into the system. The taint source data also includes data that is not user input; this data does not affect the safe operation of the preset application, so it is not inspected and is removed to improve detection efficiency.
Specifically, after the above instrumentation is completed, L1 is used to track the data flow of the variables in the preset user request, yielding the original taint data, which includes the parameters of the preset user request, the data produced by the function calls involved in the data flow, and so on.
Step S20: deduplicate the original taint data based on a preset array and a preset hash algorithm to obtain target taint data.
In this embodiment, the original taint data is deduplicated: data determined to be non-target taint data is not included in the target taint data, so that the target taint data contains no repeated taint data.
Before deduplication, on the one hand, the original taint data is mapped to hash values based on the preset hash algorithm, where the preset hash algorithm includes MD5 (Message-Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1) and the like. Specifically, the original taint data is mapped by the preset hash algorithm to a hash value of much smaller size, and distinct original taint data in practice map to distinct hash values. (A hash is not injective, and once its output is reduced to the range of the array below, distinct inputs can share a value; the method uses several independent hash algorithms, as described below, so that such collisions rarely cause two different items to be treated as the same.)
By mapping the original taint data to hash values with the preset hash algorithm, the amount of data handled during deduplication is reduced, which simplifies deduplication and improves detection efficiency.
On the other hand, the array elements of the preset array are obtained. The preset array stores the hash value information, and the output range of each hash algorithm corresponds to the number of array elements: for example, if the preset array has 8 elements, the hash value ranges over 1-8, so that a hash value corresponds to an index into the preset array; for example, a hash value of 3 selects the array element at the third position of the preset array.
Specifically, the original taint data is deduplicated based on the preset array and the preset hash algorithm to obtain the target taint data.
The deduplication process is as follows:
The preset hash algorithm consists of a preset number of mutually independent hash algorithms, and the original taint data is a set of original taint data. Deduplicating the original taint data based on the preset array and the preset hash algorithm to obtain the target taint data includes:
Step c: traverse the set of original taint data.
In this embodiment, traversing the set of original taint data means taking one item of original taint data from the set at a time and performing the subsequent steps d-h on it.
Step d: each time an item of original taint data is reached, compute the hash of that item with each of the hash algorithms to obtain the preset number of hash values.
In this embodiment, the preset hash algorithm used to map the original taint data includes a preset number of mutually independent hash algorithms. The more independent hash algorithms there are, the more hash values describe each item of original taint data and the more precisely it is described, which improves the accuracy of deciding whether two items of taint data are duplicates.
It should be noted that executing the independent hash algorithms consumes the machine's hardware resources, which are limited, so the hardware resources must be taken into account when choosing the specific value of the preset number.
Specifically, each time an item of original taint data is reached, it is hashed with each of the preset number of hash algorithms to obtain the preset number of hash values.
Step e: obtain the array elements of the preset array whose indices equal the hash values, and compute the total product of those array elements;
Step f: judge whether the total product is zero;
Step g: if the total product is zero, set every one of those array elements that is not one to one, take the item of original taint data as target taint data, and return to the step of traversing the set of original taint data;
Step h: if the total product is one, determine that the item of original taint data is non-target taint data and return to the step of traversing the set of original taint data.
In this embodiment, the preset array may be a bit array, a byte array or the like. Taking a bit array as the example, the preset array is an m-bit bit array A whose elements are all initially zero (see Fig. 2). If the number of hash algorithms is k, mapping an item of original taint data through the k hash algorithms yields k hash values; the k hash values are used as k indices into the preset array, and these indices select k elements of bit array A. The byte-array embodiment is essentially the same as the bit-array embodiment and is not repeated here.
Specifically, the original taint data is deduplicated based on these array elements to obtain the target taint data: the product of the selected array elements, that is, their total product, is computed and tested for zero. If the product is zero, the item of original taint data is not a repeated target taint data item and must be detected, so it is taken as target taint data and the method returns to the traversal step; if the product is one, the item is determined to be non-target taint data and the method returns to the traversal step. Referring to Fig. 3, with three hash algorithms, the array elements corresponding to original taint data x1 and x2 are all 1, so the product is 1 in each case, and x1 and x2 are already-detected taint data, that is, non-target taint data.
It should be noted that bit array A is updated each time a target taint data item is found. Specifically, referring to Fig. 4, x1 and x2 are already-detected taint data; for original taint data x3, at least one of its corresponding array elements is zero, so the product of its array elements is zero and x3 is determined to be target taint data. Once x3 is determined to be target taint data, its corresponding array elements are changed from zero to one to mark x3 as already-detected taint data.
Specifically, let the preset array be an m-bit bit array A and let H1, H2, ..., Hk be k mutually independent hash algorithms whose results range over 1-m, matching the number of bits of A, so that the result of each hash algorithm can be any index of A. To determine whether an item of original taint data has already been detected, the k hash algorithms are applied to it to obtain k hash results y1, y2, y3, y4, ..., yk; the array elements A[y1], A[y2], A[y3], A[y4], ..., A[yk] at those indices are fetched; and their product A[y1]*A[y2]*A[y3]*A[y4]*...*A[yk] is computed. If the product is zero, the item has not yet undergone vulnerability detection: every element among A[y1], A[y2], A[y3], A[y4], ..., A[yk] that is not one is set to one, and vulnerability detection is performed on the item. If the product is one, the item has already undergone vulnerability detection and is not detected again.
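The array-and-k-hashes structure of steps c-h is a Bloom filter. The following Python is an added example written for this page, not code from the patent: it implements the product-of-bits rule exactly as described and adds the one check the patent does not mention, the false-positive rate. Because the array only ever gains ones, an item that has never been seen is reported as "already detected" whenever its k bits happen to have been set by earlier items, and that item is then silently skipped by detection; the rate at which this happens grows as the array fills. The k independent hash algorithms are approximated here by prefixing SHA-256 with the algorithm number (an assumption; the page names MD5 and SHA-1 but does not fix the k algorithms), indices are 0-based rather than the page's 1..m, and the sample taint strings are constructed.

```python
import hashlib
import math
from typing import Iterable, List


class TaintDeduplicator:
    """Deduplicate taint data with an m-bit array A and k hash algorithms,
    following steps c-h: the product A[y1]*...*A[yk] is 0 for unseen data
    (mark the bits, keep the item) and 1 for already-detected data (drop it).
    This structure is a Bloom filter."""

    def __init__(self, m_bits: int = 1024, k_hashes: int = 3) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits: List[int] = [0] * m_bits   # bit array A, all zero initially (Fig. 2)
        self.inserted = 0                     # number of target items marked so far

    def indices(self, taint: bytes) -> List[int]:
        # Assumption: the k "independent" hash algorithms are derived by prefixing
        # SHA-256 with the algorithm number i. The result is reduced to the array
        # size with a modulus; indices are 0-based here (the page uses 1..m).
        return [
            int.from_bytes(hashlib.sha256(bytes([i]) + taint).digest(), "big") % self.m
            for i in range(self.k)
        ]

    def is_target(self, taint: bytes) -> bool:
        """Steps d-h for one item: True means 'target taint data, detect it'."""
        idx = self.indices(taint)               # step d: k hash values y1..yk
        product = 1
        for y in idx:
            product *= self.bits[y]             # step e: A[y1]*A[y2]*...*A[yk]
        if product == 0:                        # steps f/g: at least one bit still zero
            for y in idx:
                self.bits[y] = 1                # mark as already detected (Fig. 4)
            self.inserted += 1
            return True
        return False                            # step h: every bit set, treat as duplicate

    def dedupe(self, original: Iterable[bytes]) -> List[bytes]:
        """Step c: traverse the original taint data set and keep the targets."""
        return [t for t in original if self.is_target(t)]

    def false_positive_rate(self) -> float:
        """Probability that never-seen data is wrongly classified as a duplicate
        (and so skipped by detection): (1 - e^(-k*n/m))^k for n inserted items."""
        return (1 - math.exp(-self.k * self.inserted / self.m)) ** self.k


# Constructed sample: tainted request parameters, two of them repeated.
SAMPLE_TAINT = [
    b"id=1 OR 1=1",
    b"name=alice",
    b"id=1 OR 1=1",
    b"cmd=ls -la",
    b"name=alice",
]

if __name__ == "__main__":
    d = TaintDeduplicator(m_bits=1 << 16, k_hashes=3)
    for t in d.dedupe(SAMPLE_TAINT):
        print("target taint data:", t)
    print("false-positive rate after %d inserts: %.2e" % (d.inserted, d.false_positive_rate()))
```

A practitioner sizing the array would pick m and k from the expected number of distinct taint items per run and the skip rate they are willing to accept, and would reset the array per request or per test session rather than letting it saturate, since a fully set array classifies everything as a duplicate.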
Step S30: obtain the function call stack corresponding to the target taint data, where the function call stack is the record of the functions called when the preset application responds to the preset user request.
In this embodiment, the function call stack corresponding to the target taint data is obtained. The function call stack is the record of the functions called when the preset application responds to the preset user request; that is, it records one or more functions along the data flow of the preset user request.
The preset application is a web application installed on the server, referred to simply as the application.
It should be noted that an application consists of classes and a class consists of functions; the preset application responds to the preset user request by calling the relevant functions to process it. Specifically, when a class receives the parameters corresponding to the preset user request, the acquisition of the function call stack corresponding to that request is triggered.
Before a class receives the preset user request, it must be instrumented. The purpose of instrumentation is to add hook points to the code of the class, through which the flow of the data corresponding to the preset user request within the class can be tracked; the hooked functions are the functions in the function list that serves as the basis for judging whether a vulnerability exists. In this way instrumentation reaches into the interior of the preset application at the code level.
It should be noted that the data corresponding to the preset user request includes at least the request parameters of the preset user request, which is an HTTP request; for example, the user's client uses the request parameters of an HTTP request to ask the server for a page file (for example an HTML page file). The preset user request also includes the intermediate parameters produced while the preset application processes the request parameters and finally produces the corresponding page file.
Among the data corresponding to the preset user request that is tracked through the hook points, there is taint data and non-taint data. When obtaining function call stacks, the call stacks for all of that data are not obtained; the taint data must itself be filtered to obtain only the taint data whose function call stacks are needed. Through this selection and filtering, a small amount of taint data is chosen from a large amount, and only for that small amount is the function call stack obtained. Specifically, the target taint data corresponding to the preset user request, which has gone through the selection and filtering above, is obtained, and the corresponding function call stack is obtained from the target taint data. This reduces the amount of data to be processed and thus improves detection efficiency.
Step S40: obtain the functions to be detected from the function call stack;
Step S50: compare the functions to be detected with preset dangerous functions to obtain a program-internal vulnerability detection result, where the preset dangerous functions are used to perform vulnerability detection on the preset application.
In this embodiment, vulnerability detection is performed on the preset application based on the function call stack above to obtain the program-internal vulnerability detection result; that is, the functions called by the preset application are determined from the function call stack, and whether the preset application has a vulnerability is determined from those functions.
Specifically, the function calls involved in the data flow above are used for vulnerability detection, and those function calls are recorded in the function call stack.
Specifically, the functions to be detected are obtained from the function call stack and vulnerability detection is performed on them to determine whether the preset application has a security vulnerability: each function to be detected is compared with the preset dangerous functions (for example runtime()) to obtain the program-internal vulnerability detection result, where the preset dangerous functions are used to perform vulnerability detection on the preset application.
Further, the functions to be detected form a set of functions to be detected, and comparing the functions to be detected with the preset dangerous functions to obtain the program-internal vulnerability detection result includes:
Step i: traverse the set of functions to be detected.
In this embodiment, the set of functions to be detected is traversed so that one function to be detected is taken from the set at a time and the following steps j-l are performed on it.
Step j: each time a function to be detected is reached, compare it with the preset dangerous functions;
Step k: when the function to be detected hits a preset dangerous function, obtain the weight of the hit preset dangerous function in a preset weight list, obtain the intermediate detection result (whose initial value is zero), add the weight to the intermediate detection result to obtain the updated intermediate detection result, and return to the step of traversing the set of functions to be detected; when the traversal ends, take the updated intermediate detection result as the program-internal detection result;
Step l: when the function to be detected does not hit any preset dangerous function, return to the step of traversing the set of functions to be detected.
In this embodiment, each time a function to be detected is reached it is compared with the preset dangerous functions, which are recorded in a dangerous function list; in addition, a preset weight list W is maintained. During the comparison, each time a function to be detected hits a function in the dangerous function list, the weight of that function in the preset weight list W is obtained and recorded into the intermediate detection result, whose initial value is zero. Concretely, the weight is added to the intermediate detection result to obtain the updated intermediate detection result, after which the method returns to the traversal step until the traversal ends, and the final updated intermediate detection result is taken as the program-internal detection result. The accumulation therefore adds the weight of each round of the traversal to the updated intermediate detection result of the previous round. When a function to be detected does not hit any preset dangerous function, the method returns directly to the traversal step.
Specifically, after all functions to be detected in the function call stack have been traversed and compared, the final intermediate detection result is the program-internal detection result, which is the total weight Q.
Specifically, whether the preset application has a vulnerability is determined from the total weight Q by comparing it with a preset weight threshold P: if Q is greater than P, the preset application has a security vulnerability; if Q is less than or equal to P, the system may still have a vulnerability, but further detection by a black-box scanner is needed.
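The weighted comparison of steps i-l and the threshold decision on Q, as an added Python example that is not code from the patent. The dangerous function list, the weight list W and the threshold P are hypothetical (the page gives their structure but no concrete entries or values), and the two call stacks are constructed to resemble what a taint-tracking agent would record for a command-injection request and for an ordinary database query. The example also shows a choice the page leaves open: whether a dangerous function that appears several times in one stack adds its weight once or once per occurrence.

```python
from typing import Dict, List, Sequence, Tuple

# Hypothetical dangerous function list with its weight list W (assumed values).
DANGEROUS_WEIGHTS: Dict[str, int] = {
    "java.lang.Runtime.exec": 10,          # command execution
    "java.lang.ProcessBuilder.start": 10,  # command execution
    "java.sql.Statement.execute": 5,       # dynamic SQL
    "java.io.FileOutputStream.<init>": 3,  # file write
}

# Hypothetical preset weight threshold P.
WEIGHT_THRESHOLD_P = 15


def score_call_stack(frames: Sequence[str],
                     weights: Dict[str, int] = DANGEROUS_WEIGHTS,
                     count_repeats: bool = True) -> Tuple[int, List[str]]:
    """Steps i-l: walk the functions to be detected (one frame per function),
    add the weight of every hit to the intermediate result Q (initially 0) and
    return the total weight Q together with the functions that hit.

    count_repeats=True follows the page literally: a dangerous function that
    appears twice in the stack is added twice. count_repeats=False counts each
    dangerous function once, so that recursion through one sink does not
    push Q over P on its own."""
    q = 0
    hits: List[str] = []
    for fn in frames:                          # steps i/j: one function at a time
        w = weights.get(fn)
        if w is None:                          # step l: not a dangerous function
            continue
        if not count_repeats and fn in hits:
            continue
        q += w                                 # step k: accumulate the weight
        hits.append(fn)
    return q, hits


def classify(q: int, p: int = WEIGHT_THRESHOLD_P) -> str:
    """Decision on the total weight Q against the threshold P."""
    return "vulnerable" if q > p else "needs_blackbox_scan"


# Constructed call stacks (outermost frame first), as an agent might record them.
STACK_CMD_INJECTION = [
    "com.example.web.PingController.ping",
    "com.example.util.Shell.run",
    "java.lang.Runtime.exec",
    "java.lang.ProcessBuilder.start",
]
STACK_SEARCH = [
    "com.example.web.SearchController.search",
    "com.example.dao.ProductDao.find",
    "java.sql.Statement.execute",
]

if __name__ == "__main__":
    for name, stack in (("ping", STACK_CMD_INJECTION), ("search", STACK_SEARCH)):
        q, hits = score_call_stack(stack)
        print(f"{name}: Q={q} hits={hits} -> {classify(q)}")
```

Note that the score only says which sinks the tainted request reached; it does not by itself show that the taint reached the sink unsanitized, which is why the page sends stacks scoring at or below P on to the black-box scanner rather than discarding them.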
The original taint data in the vulnerability detection process above is obtained through a data-flow tracking agent. Specifically, before the classes of the preset application are loaded into the JVM, an interceptor is generated through the JDK (Java Development Kit) Instrument API (Application Programming Interface) to modify the class definitions before the program starts, and a data-flow tracking agent is generated in the running application. The agent obtains the context of the preset application, analyzes the data flow from that context, extracts the function call stack of the called functions from the data flow, and obtains the program-internal vulnerability detection result, which determines whether the preset application has a vulnerability.
Further, for the process of vulnerability detection by the black-box scanner, the vulnerability detection method also includes:
Step m: obtain the uniform resource locator (URL) corresponding to the preset user request;
Step n: preprocess the URL based on a preset regular expression;
Step o: after the preprocessing is completed, determine whether a web application firewall (WAF) exists on the server corresponding to the URL;
In this embodiment, the black-box scanner first obtains the URL (Uniform Resource Locator) corresponding to the preset user request and then preprocesses it by checking with the preset regular expression whether the URL is legal; if it is legal, processing continues, otherwise the vulnerability detection process ends. The preset regular expression is (http|https)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]+[-A-Za-z0-9+&@#/%=~_|]. For example, the URL https://www.baidu.com matches the preset regular expression and is legal, so the preprocessing result is that the URL is legal. The URL hjttps://www.baidu.com is malformed: "hjttps" is neither "http" nor "https", so it cannot match the preset regular expression and is illegal, and the preprocessing result is that the URL is illegal.
After preprocessing has confirmed that the format is correct, to make sure the subsequent vulnerability detection proceeds smoothly, the black-box scanner must first determine whether a WAF (Web Application Firewall) exists on the server hosting the preset application (that is, the server corresponding to the URL). If one exists, it intercepts abnormal requests, so the black-box scanner cannot carry out the subsequent detection. Therefore, if a WAF exists on the server, it must be bypassed before the subsequent detection; if no WAF exists, the subsequent detection proceeds directly. Bypass methods include encoding bypass, case bypass, space-filter bypass and so on.
其中,所述确定所述URL对应的服务器中是否存在WAF,包括:Wherein, the determining whether there is a WAF in the server corresponding to the URL includes:
步骤o1,构造正常请求,并发送所述正常请求至所述URL对应的服务器,得到原始页面;Step o1, constructing a normal request, and sending the normal request to the server corresponding to the URL to obtain the original page;
步骤o2,构造非正常请求,并发送所述非正常请求至所述服务器,确定所述非正常请求对应的响应状态;Step o2, constructing an abnormal request, sending the abnormal request to the server, and determining the response status corresponding to the abnormal request;
步骤o3,若所述响应状态为响应超时,则确定所述服务器中存在WAF;Step o3, if the response status is response timeout, then determine that there is a WAF in the server;
步骤o4,若所述响应状态为响应未超时,则获取所述非正常请求对应的非正常页面;Step o4, if the response status is that the response has not timed out, then obtain the abnormal page corresponding to the abnormal request;
步骤o5,比对所述原始页面和所述非正常页面,若所述原始页面与所述非正常页面相同,则所述服务器中存在WAF。Step o5, comparing the original page and the abnormal page, if the original page is the same as the abnormal page, there is a WAF in the server.
In this embodiment, the black-box scanner determines whether a WAF exists on the server by comparing the similarity between the page returned for a normal request and the page returned for an abnormal request. Specifically, the black-box scanner first constructs a normal request and sends it to the server corresponding to the URL, obtaining the original page with which the preset application program responds to the normal request; it then constructs an abnormal request corresponding to the normal request, sends it to the server, and determines the response status corresponding to the abnormal request. If the response status is a response timeout, a WAF exists on the server; if the response has not timed out, the abnormal page with which the preset application program responds to the abnormal request is obtained.
The original page is then compared with the abnormal page: if the two are identical, a WAF exists on the server; if they differ, no WAF exists on the server.
Step p: if the WAF does not exist on the server, send a data test request to the server after Domain Name System (DNS) resolution succeeds.
In this embodiment, once it is determined that the server has no WAF, or the WAF has been bypassed, vulnerability detection continues with a network stability check, which determines whether to end the vulnerability detection process or to proceed to its subsequent steps. It will be understood that the black-box scanner detects vulnerabilities by analysing input and output: after sending a request to the server, it receives the response returned by the server and performs vulnerability detection on the server based on that request and response.
Specifically, the network stability check sends a request to the destination URL (such as a URL corresponding to the server) and judges whether the network is stable from the return data packet corresponding to that request. DNS (Domain Name System) resolution is first performed on the URL to judge whether it resolves successfully. If resolution fails, the website cannot be reached; if resolution succeeds, that is, after DNS has resolved successfully, a data test request is sent to the server. When the request succeeds, the URL returns a corresponding return data packet; if the return value in the return data packet is the preset return value, that is, it is not an HTTP error, the database is used to identify whether the return data packet contains an error. If no error exists, the website can be reached; if the return value is an HTTP error, or no data packet is returned, the website cannot be reached.
Step q: if the preset return value fed back by the server is received, filter the original request parameters in the preset user request to obtain filtered request parameters.
In this embodiment, after the preset return value fed back by the server is received, that is, after the network stability check has determined that the website can be reached, each parameter in the preset user request is checked for duplication and for whether it needs to be tested. Specifically, if a parameter is a duplicate, or does not need to be tested, it is filtered out; if a parameter is not a duplicate, or is one that needs to be tested, testing of that parameter continues. It will be understood that filtering out the parameters in the preset user request that need no processing, and the duplicated parameters, reduces the workload of vulnerability detection and thereby improves its efficiency.
Specifically, for duplicated parameters, the embodiment is essentially the same as the embodiment of deduplicating the original taint data in the vulnerability detection method described above, and is not repeated here.
Further, for non-duplicated parameters, the filtering process is specifically as follows:
The original request parameters form an original request parameter set, and filtering the original request parameters in the preset user request includes:
Step q1: traverse the original request parameter set;
Step q2: each time an original request parameter is reached during traversal, send the preset user request to the server to obtain the original page fed back by the server, replace the original request parameter in the preset user request with a first random number to obtain a first replaced request, and send the first replaced request to the server to obtain a first result page fed back by the server;
Step q3: if a first similarity between the original page and the first result page is greater than or equal to a first preset similarity threshold, replace the original request parameter in the preset user request with a second random number to obtain a second replaced request, and send the second replaced request to the server to obtain a second result page fed back by the server, wherein the first random number differs from the second random number;
Step q4: if a second similarity between the first result page and the second result page is greater than or equal to a second preset similarity threshold, filter out the original request parameter and return to the step of traversing the original request parameter set.
In this embodiment, the original request parameter set is traversed so that one original request parameter is taken from the set each time and steps q2 to q4 are performed for it. Each time an original request parameter is reached, the black-box scanner sends the preset user request to the server and obtains the original response returned by the server, that is, the original page; it then replaces the original request parameter in the preset user request with a first random number to obtain a first replaced request, sends the first replaced request to the server, and obtains the first result page R1 returned by the server. A first similarity between the original page and the first result page R1 is determined; if the first similarity is less than the first preset similarity threshold, the parameter cannot be filtered out. If the first similarity is greater than or equal to the first preset similarity threshold, the original request parameter is replaced with a second random number different from the first random number to obtain a second replaced request, which is sent to the server to obtain the second result page R2 returned by the server. A second similarity between the first result page R1 and the second result page R2 is determined; if the second similarity is less than the second preset similarity threshold, the original request parameter cannot be filtered out; if the second similarity is greater than or equal to the second preset similarity threshold, the original request parameter can be filtered out. After the original request parameter has been filtered out, the process returns to the step of traversing the original request parameter set so that the next parameter among the original request parameters is processed.
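The following is an added illustration of steps q1 to q4, not code from the patent: the server is a constructed in-process stand-in so the example runs offline, and the similarity measure, the two thresholds and the page contents are assumptions of this example.

```python
"""Parameter filtering from steps q1-q4, as an added illustration (not the
patent's own code). The server is a constructed in-process stand-in so the
example runs offline; the similarity measure, the two thresholds and the page
contents are assumptions of this example."""
from difflib import SequenceMatcher
import random

FIRST_THRESHOLD = 0.9   # assumed first preset similarity threshold
SECOND_THRESHOLD = 0.9  # assumed second preset similarity threshold


def similarity(page_a: str, page_b: str) -> float:
    """Similarity in [0, 1] as the ratio of matching characters (an assumption;
    the patent does not fix a measure)."""
    return SequenceMatcher(None, page_a, page_b).ratio()


class FakeServer:
    """Constructed stand-in for the preset application program: 'id' selects
    the page body, 'theme' only changes a CSS class name, 'utm' is ignored.
    A request counter in the footer makes every response differ slightly,
    which is why a threshold is used instead of exact equality."""

    def __init__(self):
        self.hits = 0

    def __call__(self, params: dict) -> str:
        self.hits += 1
        rows = {"1": "Alice Smith, Bob Jones, Carol White, Dave Brown"}
        body = rows.get(params.get("id", ""), "no such record")
        theme = params.get("theme", "light")
        return (f'<html><body class="{theme}"><h1>Users</h1><p>{body}</p>'
                f'<footer>v1.0, request #{self.hits}</footer></body></html>')


def filter_params(send, request: dict, seed: int = 0) -> list:
    """Apply steps q2-q4 to every parameter of `request` and return the names
    that cannot be filtered out, i.e. those whose value still needs testing.
    `send(params)` returns the page the server feeds back."""
    rng = random.Random(seed)     # fixed seed so runs are reproducible
    kept = []
    for name in list(request):
        original_page = send(request)                        # step q2
        r1 = rng.randrange(10**6, 10**7)
        page_r1 = send(dict(request, **{name: str(r1)}))     # first replaced request
        if similarity(original_page, page_r1) < FIRST_THRESHOLD:
            kept.append(name)     # value changes the page: keep for testing
            continue
        r2 = rng.randrange(10**6, 10**7)                     # step q3
        while r2 == r1:           # the two random numbers must differ
            r2 = rng.randrange(10**6, 10**7)
        page_r2 = send(dict(request, **{name: str(r2)}))     # second replaced request
        if similarity(page_r1, page_r2) < SECOND_THRESHOLD:  # step q4
            kept.append(name)
            continue
        # both similarities at or above their thresholds: parameter filtered out
    return kept


if __name__ == "__main__":
    print(filter_params(FakeServer(), {"id": "1", "theme": "dark", "utm": "x"}))
```

Only `id` survives the filter: `utm` never changes the page, and the class-name change caused by `theme` stays above the threshold, so both are dropped from further testing.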
Step r: determine a black-box vulnerability detection result based on the filtered request parameters.
In this embodiment, after the parameter filtering process described above, it is checked whether each filtered request parameter is a dynamic parameter; if a filtered parameter is a dynamic parameter, injection testing is performed on it and the test result is recorded, thereby obtaining the black-box vulnerability detection result.
Further, after the black-box vulnerability detection result is determined based on the filtered request parameters, the method also includes:
Step s: obtain a first score corresponding to the program-internal vulnerability detection result;
Step t: obtain a second score corresponding to the black-box vulnerability detection result;
Step u: calculate the sum of the first score and the second score to obtain a total score;
Step v: if the total score is greater than a preset score threshold, determine that the preset application program has a vulnerability.
In this embodiment, whether the preset application program has a vulnerability is determined jointly from the program-internal vulnerability detection result and the black-box vulnerability detection result described above. Specifically, the first score corresponding to the program-internal vulnerability detection result is obtained, and the second score corresponding to the black-box vulnerability detection result is obtained. That is, the program-internal vulnerability detection result and the black-box vulnerability detection result are used to score whether the preset application program has a vulnerability, and the scoring result is used to make the determination as follows: the first score and the second score corresponding to the program-internal vulnerability detection result and the black-box vulnerability detection result are summed to obtain the total score, and it is judged whether the total score is greater than the preset score threshold. If it is greater, the preset application program is determined to have a vulnerability; if it is less than or equal to the threshold, the preset application program has no vulnerability.
It should be noted that performing vulnerability detection with a black-box scanner in addition to the program-internal vulnerability detection result, compared with relying on the program-internal vulnerability detection result alone, increases the diversity of vulnerability detection: relative to detection based only on the program-internal result, detection with the black-box scanner added covers a wider detection surface of the preset application program, so combining the program-internal vulnerability detection result with the black-box vulnerability detection result improves the accuracy of vulnerability detection.
With traditional black-box testing, dirty data is generated during the testing process; this dirty data flows into the data generated during normal operation of the preset application program and contaminates it. To prevent the data generated during normal operation of the preset application program from being contaminated, the dirty data can also be intercepted by a data interception agent.
Specifically, the data interception agent intercepts the system commands issued by the black-box scanner so that the preset application program does not execute those system commands.
Specifically, similarly to the data-flow tracking agent, before the classes of the preset application program are loaded into the JVM, an interceptor is generated through the JDK (Java Development Kit) Instrument API (Application Programming Interface) so as to modify the class definitions before the program starts, and a data interception agent is generated in the running preset application program. Through this data interception agent, system commands sent by the black-box scanner to the preset application program are intercepted, that is, they are intercepted before the class executes the system command, so that the test data has no effect on the server.
Compared with the prior art, in which black-box testing is used for vulnerability detection of an application program and the accuracy of that detection is low, this embodiment obtains the original taint data corresponding to a preset user request; deduplicates the original taint data based on a preset array and a preset hash algorithm to obtain target taint data; obtains the function call stack corresponding to the target taint data, wherein the function call stack is a record of the functions called when the preset application program responds to the preset user request; obtains the functions to be examined in the function call stack; and compares the functions to be examined with preset dangerous functions to obtain a program-internal vulnerability detection result, wherein the preset dangerous functions are used to perform vulnerability detection on the preset application program to determine whether it has a vulnerability. The present application thus deduplicates the original taint data with a preset array and a preset hash algorithm to obtain the target taint data, obtains the function call stack corresponding to the target taint data, that function call stack being the record of the functions called when the preset application program responds to the preset user request, and compares that record with the preset dangerous functions, thereby performing vulnerability detection on the preset application program and obtaining a program-internal vulnerability detection result from which it is determined whether the preset application program has a vulnerability. It will be understood that the process by which the preset application program responds to the preset user request is a process of handling that request according to its own internal structure; therefore, by going inside the preset application program and deriving the program-internal vulnerability detection result from its internal structure, the present application improves the accuracy of vulnerability detection for the preset application program.
In addition, the present application also provides a vulnerability detection apparatus, which includes:
a first obtaining module, configured to obtain original taint data corresponding to a preset user request;
a deduplication module, configured to deduplicate the original taint data based on a preset array and a preset hash algorithm to obtain target taint data;
a second obtaining module, configured to obtain a function call stack corresponding to the target taint data, wherein the function call stack is a record of the functions called when a preset application program responds to the preset user request;
a third obtaining module, configured to obtain the functions to be examined in the function call stack;
a comparison module, configured to compare the functions to be examined with preset dangerous functions to obtain a program-internal vulnerability detection result, wherein the preset dangerous functions are used to perform vulnerability detection on the preset application program to determine whether the preset application program has a vulnerability.
In an embodiment, the first obtaining module is further configured to:
instrument the bytecode of preset sensitive functions to obtain taint source data;
remove non-user-input taint data from the taint source data to obtain the original taint data.
In an embodiment, the deduplication module is further configured to:
traverse the original taint data set;
each time an item of original taint data is reached during traversal, compute that item with each of the hash algorithms to obtain the preset number of hash values;
obtain the array elements in the preset array whose indices equal the hash values, and calculate the total product of those array elements;
judge whether the total product is zero;
if the total product is zero, set every one of those array elements that is not one to one, take that item of original taint data as target taint data, and return to the step of traversing the original taint data set;
if the total product is one, determine that the item of original taint data is non-target taint data, and return to the step of traversing the original taint data set.
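The deduplication steps above, implemented as an added illustration (not the patent's own code); the array size, the choice of hash algorithms and the sample taint items are assumptions of this example, and the one-slot array in the docstring shows the false-positive case the product test shares with a Bloom filter.

```python
"""Deduplication of original taint data with a preset array and a preset number
of hash algorithms, following the steps above. Added illustration, not the
patent's code: the array size, the hash algorithms and the sample taint items
are assumptions of this example."""
import hashlib

HASH_ALGORITHMS = ("md5", "sha1", "sha256")   # assumed preset number of hashes = 3
DEFAULT_ARRAY_SIZE = 1024                     # assumed length of the preset array


def hash_indices(item: str, size: int) -> list:
    """One index into the preset array per hash algorithm (digest mod size)."""
    data = item.encode("utf-8")
    return [int(hashlib.new(alg, data).hexdigest(), 16) % size
            for alg in HASH_ALGORITHMS]


def deduplicate(original_taint: list, preset_array: list = None) -> list:
    """Return the target taint data: the first occurrence of each item.

    Every element of the preset array starts at 0. The total product of the
    looked-up elements is 0 while any of them is still 0 (item not seen), and
    1 only once all of them are 1. As with a Bloom filter, a distinct item
    whose indices were all set by earlier items is wrongly treated as a
    duplicate (false positive); a true duplicate is never kept."""
    array = preset_array if preset_array is not None else [0] * DEFAULT_ARRAY_SIZE
    target = []
    for item in original_taint:
        indices = hash_indices(item, len(array))
        product = 1
        for i in indices:
            product *= array[i]
        if product == 0:                       # unseen: record it and keep it
            for i in indices:
                if array[i] != 1:
                    array[i] = 1
            target.append(item)
        # product == 1: non-target taint data, skip it
    return target


# Constructed sample: taint values observed at sinks across several requests.
SAMPLE_TAINT = ["name=alice", "page=2", "name=alice", "q=report", "page=2", "name=alice"]

if __name__ == "__main__":
    print(deduplicate(SAMPLE_TAINT))   # ['name=alice', 'page=2', 'q=report']
```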
In an embodiment, the comparison module is further configured to:
traverse the set of functions to be examined;
each time a function to be examined is reached during traversal, compare that function with the preset dangerous functions;
when the function to be examined hits a preset dangerous function, obtain the weight of the hit preset dangerous function in a preset weight list, obtain an intermediate detection result whose initial value is zero, accumulate the weight into the intermediate detection result to obtain an updated intermediate detection result, and return to the step of traversing the set of functions to be examined until the traversal ends, taking the updated intermediate detection result as the program-internal detection result;
when the function to be examined does not hit any preset dangerous function, return to the step of traversing the set of functions to be examined.
In an embodiment, the vulnerability detection apparatus further includes:
a fourth obtaining module, configured to obtain the Uniform Resource Locator (URL) corresponding to the preset user request;
a preprocessing module, configured to preprocess the URL based on a preset regular expression;
a first determining module, configured to determine, after the preprocessing is complete, whether a website application-level intrusion prevention system (WAF) exists on the server corresponding to the URL;
a sending module, configured to send a data test request to the server after Domain Name System (DNS) resolution succeeds if the WAF does not exist on the server;
a filtering module, configured to filter the original request parameters in the preset user request to obtain filtered request parameters if the preset return value fed back by the server is received;
a second determining module, configured to determine a black-box vulnerability detection result based on the filtered request parameters.
In an embodiment, the first determining module is further configured to:
construct a normal request and send the normal request to the server corresponding to the URL to obtain an original page;
construct an abnormal request, send the abnormal request to the server, and determine the response status corresponding to the abnormal request;
if the response status is a response timeout, determine that a WAF exists on the server;
if the response status is that the response has not timed out, obtain the abnormal page corresponding to the abnormal request;
compare the original page with the abnormal page; if the original page is identical to the abnormal page, a WAF exists on the server.
In an embodiment, the filtering module is further configured to:
traverse the original request parameter set;
each time an original request parameter is reached during traversal, send the preset user request to the server to obtain the original page fed back by the server, replace the original request parameter in the preset user request with a first random number to obtain a first replaced request, and send the first replaced request to the server to obtain a first result page fed back by the server;
if a first similarity between the original page and the first result page is greater than or equal to a first preset similarity threshold, replace the original request parameter in the preset user request with a second random number to obtain a second replaced request, and send the second replaced request to the server to obtain a second result page fed back by the server, wherein the first random number differs from the second random number;
if a second similarity between the first result page and the second result page is greater than or equal to a second preset similarity threshold, filter out the original request parameter and return to the step of traversing the original request parameter set.
In an embodiment, the vulnerability detection apparatus further includes:
a fifth obtaining module, configured to obtain a first score corresponding to the program-internal vulnerability detection result;
a sixth obtaining module, configured to obtain a second score corresponding to the black-box vulnerability detection result;
a calculation module, configured to calculate the sum of the first score and the second score to obtain a total score;
a third determining module, configured to determine that the preset application program has a vulnerability if the total score is greater than a preset score threshold.
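The weighted comparison performed by the comparison module and the combined verdict of the fifth, sixth, calculation and third determining modules, as one added illustration (not the patent's own code); the weight list, the stack-frame format, the sample call stack, the black-box score and the threshold are assumptions of this example.

```python
"""Weighted comparison of the functions to be examined against the preset
dangerous functions, and the combined verdict from the two scores. Added
illustration, not the patent's code: the weight list, the frame format, the
sample call stack, the black-box score and the threshold are assumptions."""
import re

# Assumed preset weight list: dangerous function -> weight. The names are
# JVM methods a taint-tracking agent could observe; the set is illustrative.
PRESET_WEIGHTS = {
    "java.lang.Runtime.exec": 10,
    "java.lang.ProcessBuilder.start": 10,
    "java.sql.Statement.executeQuery": 6,
    "java.io.FileInputStream.<init>": 4,
}
PRESET_SCORE_THRESHOLD = 8   # assumed preset score threshold

# Assumed frame format "pkg.Class.method(File.java:line)"; only the qualified
# method name is compared with the weight list.
_FRAME = re.compile(r"^([\w$.<>]+)\(")


def functions_to_examine(call_stack: list) -> list:
    """Reduce raw stack frames to qualified method names (the functions to be examined)."""
    names = []
    for frame in call_stack:
        m = _FRAME.match(frame.strip())
        if m:
            names.append(m.group(1))
    return names


def program_internal_score(call_stack: list) -> int:
    """Traverse the functions to be examined; every hit on a preset dangerous
    function adds its weight to an intermediate result that starts at zero.
    The value after the traversal is the program-internal detection result."""
    intermediate = 0
    for fn in functions_to_examine(call_stack):
        weight = PRESET_WEIGHTS.get(fn)
        if weight is None:
            continue            # miss: go on to the next function
        intermediate += weight  # hit: accumulate its weight
    return intermediate


def has_vulnerability(first_score: int, second_score: int,
                      threshold: int = PRESET_SCORE_THRESHOLD) -> bool:
    """Sum the program-internal score and the black-box score and compare with
    the preset threshold; only a total strictly greater than it is a finding."""
    return first_score + second_score > threshold


# Constructed call stack recorded for one tainted request (innermost frame first).
SAMPLE_STACK = [
    "java.lang.Runtime.exec(Runtime.java:347)",
    "com.example.tools.PingService.run(PingService.java:58)",
    "com.example.web.DiagController.ping(DiagController.java:31)",
    "javax.servlet.http.HttpServlet.service(HttpServlet.java:764)",
]

if __name__ == "__main__":
    first = program_internal_score(SAMPLE_STACK)             # 10
    print(first, has_vulnerability(first, second_score=0))   # 10 True
```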
The specific implementation of the vulnerability detection apparatus of the present application is essentially the same as the embodiments of the vulnerability detection method described above and is not repeated here.
In addition, the present application also provides a vulnerability detection device. FIG. 5 is a schematic structural diagram of the hardware operating environment involved in the solution of the embodiment of the present application.
It should be noted that FIG. 5 can serve as the schematic structural diagram of the hardware operating environment of the vulnerability detection device.
As shown in FIG. 5, the vulnerability detection device may include a processor 1001 such as a CPU, a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002. The communication bus 1002 connects these components and carries the communication between them. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage, and may optionally be a storage apparatus independent of the processor 1001.
In an embodiment, the vulnerability detection device may also include RF (Radio Frequency) circuits, sensors, audio circuits, a WiFi module, and so on.
Those skilled in the art will understand that the structure of the vulnerability detection device shown in FIG. 5 does not limit the vulnerability detection device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 5, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module, and a vulnerability detection program. The operating system is the program that manages and controls the hardware and software resources of the vulnerability detection device and supports the running of the vulnerability detection program and other software or programs.
In the vulnerability detection device shown in FIG. 5, the user interface 1003 is mainly used to connect to a terminal and exchange data with it, for example receiving requests sent by the terminal; the network interface 1004 is mainly used to connect to a back-end server and exchange data with it; and the processor 1001 may be used to call the vulnerability detection program stored in the memory 1005 and execute the steps of the vulnerability detection method described above.
The specific implementation of the vulnerability detection device of the present application is essentially the same as the embodiments of the vulnerability detection method described above and is not repeated here.
In addition, an embodiment of the present application also provides a computer-readable storage medium on which a vulnerability detection program is stored; when the vulnerability detection program is executed by a processor, the steps of the vulnerability detection method described above are implemented.
The specific implementation of the computer-readable storage medium of the present application is essentially the same as the embodiments of the vulnerability detection method described above and is not repeated here.
It should be noted that, in this document, the terms "comprise", "include", or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or apparatus that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article, or apparatus that comprises that element.
The serial numbers of the embodiments of the present application above are for description only and do not indicate that one embodiment is better or worse than another.
From the description of the embodiments above, those skilled in the art will clearly understand that the methods of the embodiments above can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an appliance, a network device, or the like) to execute the methods described in the embodiments of the present application.
以上仅为本申请的优选实施例,并非因此限制本申请的专利范围,凡是利用本申请说明书及附图内容所作的等效结构或等效流程变换,或直接或间接运用在其他相关的技术领域,均同理包括在本申请的专利保护范围内。The above are only preferred embodiments of the present application, and are not intended to limit the patent scope of the present application. All equivalent structures or equivalent process transformations made by using the contents of the specification and drawings of this application, or directly or indirectly used in other related technical fields , are all included in the patent protection scope of the present application in the same way.

Claims (10)

  1. A vulnerability detection method, wherein the vulnerability detection method comprises the following steps:
    obtaining original taint data corresponding to a preset user request;
    deduplicating the original taint data based on a preset array and a preset hash algorithm to obtain target taint data;
    obtaining a function call stack corresponding to the target taint data, wherein the function call stack is a record of the functions called by a preset application program when responding to the preset user request;
    obtaining functions to be detected from the function call stack;
    comparing the functions to be detected with preset dangerous functions to obtain a program-internal vulnerability detection result, wherein the preset dangerous functions are used to perform vulnerability detection on the preset application program so as to determine whether the preset application program has a vulnerability.
  2. The vulnerability detection method according to claim 1, wherein said obtaining original taint data corresponding to the preset user request comprises:
    instrumenting the bytecode of preset sensitive functions to obtain taint source data;
    removing non-user-input taint data from the taint source data to obtain the original taint data.
  3. The vulnerability detection method according to claim 1, wherein the preset hash algorithm consists of a preset number of mutually independent hash algorithms, the original taint data is a set of original taint data, and said deduplicating the original taint data based on a preset array and a preset hash algorithm to obtain target taint data comprises:
    traversing the set of original taint data;
    each time one original taint datum is reached, computing on that original taint datum with each of the hash algorithms respectively to obtain the preset number of hash values;
    obtaining the array elements of the preset array whose indices equal the hash values, and computing the total product of those array elements;
    judging whether the total product is zero;
    if the total product is zero, setting each of those array elements that is not one to one, taking the one original taint datum as target taint data, and returning to the step of traversing the set of original taint data;
    if the total product is one, determining that the one original taint datum is non-target taint data, and returning to the step of traversing the set of original taint data.
  4. The vulnerability detection method according to claim 1, wherein the functions to be detected are a set of functions to be detected, and said comparing the functions to be detected with preset dangerous functions to obtain a program-internal vulnerability detection result comprises:
    traversing the set of functions to be detected;
    each time one function to be detected is reached, comparing that function to be detected with the preset dangerous functions;
    when the function to be detected hits a preset dangerous function, obtaining the weight of the hit preset dangerous function in a preset weight list, obtaining a detection intermediate result whose initial value is zero, cumulatively updating the detection intermediate result based on the weight to obtain an updated detection intermediate result, and returning to the step of traversing the set of functions to be detected until the traversal ends, then taking the updated detection intermediate result as the program-internal detection result;
    when the function to be detected does not hit a preset dangerous function, returning to the step of traversing the set of functions to be detected.
  5. The vulnerability detection method according to claim 1, wherein the vulnerability detection method further comprises:
    obtaining the uniform resource locator (URL) corresponding to the preset user request;
    preprocessing the URL based on a preset regular expression;
    after the preprocessing is completed, determining whether a web application-level intrusion prevention system (WAF) exists on the server corresponding to the URL;
    if the WAF does not exist on the server, sending a data test request to the server after domain name system (DNS) resolution succeeds;
    if a preset return value fed back by the server is received, filtering the original request parameters in the preset user request to obtain filtered request parameters;
    determining a black-box vulnerability detection result based on the filtered request parameters.
  6. The vulnerability detection method according to claim 5, wherein said determining whether a WAF exists on the server corresponding to the URL comprises:
    constructing a normal request and sending the normal request to the server corresponding to the URL to obtain an original page;
    constructing an abnormal request, sending the abnormal request to the server, and determining the response status corresponding to the abnormal request;
    if the response status is response timeout, determining that a WAF exists on the server;
    if the response status is that the response has not timed out, obtaining the abnormal page corresponding to the abnormal request;
    comparing the original page with the abnormal page, and if the original page is the same as the abnormal page, a WAF exists on the server.
  7. The vulnerability detection method according to claim 5, wherein the original request parameters are a set of original request parameters, and said filtering the original request parameters in the preset user request comprises:
    traversing the set of original request parameters;
    each time one original request parameter is reached, sending the preset user request to the server to obtain the original page fed back by the server, replacing that original request parameter in the preset user request with a first random number to obtain a first replaced request, and sending the first replaced request to the server to obtain a first result page fed back by the server;
    if a first similarity between the original page and the first result page is greater than or equal to a first preset similarity threshold, replacing that original request parameter in the preset user request with a second random number to obtain a second replaced request, and sending the second replaced request to the server to obtain a second result page fed back by the server, wherein the first random number differs from the second random number;
    if a second similarity between the first result page and the second result page is greater than or equal to a second preset similarity threshold, filtering out that original request parameter and returning to the step of traversing the set of original request parameters.
  8. The vulnerability detection method according to any one of claims 5 to 7, wherein, after determining the black-box vulnerability detection result based on the filtered request parameters, the method further comprises:
    obtaining a first score corresponding to the program-internal vulnerability detection result;
    obtaining a second score corresponding to the black-box vulnerability detection result;
    computing the sum of the first score and the second score to obtain a total score;
    if the total score is greater than a preset score threshold, determining that the preset application program has a vulnerability.
  9. A vulnerability detection device, wherein the vulnerability detection device comprises a memory, a processor, and a vulnerability detection program stored in the memory and runnable on the processor, the vulnerability detection program, when executed by the processor, implementing the steps of the vulnerability detection method according to any one of claims 1 to 8.
  10. A computer-readable storage medium, wherein a vulnerability detection program is stored on the computer-readable storage medium, and the vulnerability detection program, when executed by a processor, implements the steps of the vulnerability detection method according to any one of claims 1 to 8.
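As an added Python example (not the applicant's own code; the array size, the choice of hash algorithms and the dangerous-function weight list are assumptions), the deduplication of claim 3, the weighted call-stack comparison of claim 4 and the score combination of claim 8:

```python
import hashlib
from typing import Dict, Iterable, List, Sequence, Tuple


class TaintDeduplicator:
    """Claim 3 as a Bloom filter: a preset array of m cells and k mutually
    independent hash algorithms. A datum whose k cells multiply to zero is
    unseen; it is recorded by setting those cells to one and kept as target
    taint data. Caveat: like any Bloom filter it may drop a genuinely new
    datum whose k cells were all set earlier by other data."""

    def __init__(self, size: int = 4096,
                 hash_names: Sequence[str] = ("sha1", "sha256", "sha512")):
        self.array = [0] * size        # the preset array, initially all zero
        self.hash_names = hash_names   # the preset number of hash algorithms

    def _indices(self, datum: str) -> List[int]:
        raw = datum.encode("utf-8")
        return [int(hashlib.new(name, raw).hexdigest(), 16) % len(self.array)
                for name in self.hash_names]

    def deduplicate(self, original: Iterable[str]) -> List[str]:
        target: List[str] = []
        for datum in original:                  # traverse the original set
            idx = self._indices(datum)
            product = 1
            for i in idx:
                product *= self.array[i]        # total product of the cells
            if product == 0:                    # unseen: record and keep
                for i in idx:
                    self.array[i] = 1
                target.append(datum)
            # product == 1: already seen, so it is non-target taint data
        return target


# Constructed preset weight list for claim 4; function names are illustrative.
DANGEROUS_FUNCTION_WEIGHTS: Dict[str, int] = {
    "java.lang.Runtime.exec": 10,
    "java.sql.Statement.executeQuery": 6,
    "java.io.FileInputStream.<init>": 4,
}


def score_call_stack(call_stack: Iterable[str],
                     weights: Dict[str, int]) -> Tuple[int, List[str]]:
    """Claim 4: compare every function in the recorded call stack with the
    preset dangerous functions and accumulate the hit weights from zero."""
    intermediate = 0
    hits: List[str] = []
    for fn in call_stack:
        if fn in weights:                       # hit: add its preset weight
            intermediate += weights[fn]
            hits.append(fn)
    return intermediate, hits


def has_vulnerability(internal_score: int, blackbox_score: int,
                      threshold: int) -> bool:
    """Claim 8: flag the application when the summed score exceeds the
    preset score threshold."""
    return internal_score + blackbox_score > threshold
```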
PCT/CN2021/134316 2021-06-25 2021-11-30 Vulnerability detection method and device, and readable storage medium WO2022267343A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110716702.XA CN113342673A (en) 2021-06-25 2021-06-25 Vulnerability detection method, device and readable storage medium

Publications (1)

Publication Number Publication Date
WO2022267343A1 true WO2022267343A1 (en) 2022-12-29

Family

ID=77479091

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/134316 WO2022267343A1 (en) 2021-06-25 2021-11-30 Vulnerability detection method and device, and readable storage medium

Country Status (2)

Country Link
CN (1) CN113342673A (en)
WO (1) WO2022267343A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116467712A (en) * 2023-04-23 2023-07-21 北京安普诺信息技术有限公司 Dynamic taint tracking method, device and related taint propagation analysis system
CN117195241A (en) * 2023-11-08 2023-12-08 蔚来汽车科技(安徽)有限公司 Firmware vulnerability detection method, device and medium
CN117610009A (en) * 2023-11-23 2024-02-27 北京安普诺信息技术有限公司 Cross-thread vulnerability repairing method and device based on code vaccine RASP probe

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113342673A (en) * 2021-06-25 2021-09-03 深圳前海微众银行股份有限公司 Vulnerability detection method, device and readable storage medium
CN113885958B (en) * 2021-09-30 2023-10-31 杭州默安科技有限公司 Method and system for intercepting dirty data
CN114968826B (en) * 2022-07-28 2022-11-22 深圳开源互联网安全技术有限公司 Application program bug fixing verification method and system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663058A (en) * 2012-03-30 2012-09-12 华中科技大学 URL duplication removing method in distributed network crawler system
WO2018086292A1 (en) * 2016-11-14 2018-05-17 平安科技(深圳)有限公司 Method and system for detecting security hole of application software, device, and storage medium
CN108664793A (en) * 2017-03-30 2018-10-16 腾讯科技(深圳)有限公司 A kind of method and apparatus of detection loophole
CN110363004A (en) * 2018-04-10 2019-10-22 腾讯科技(深圳)有限公司 A kind of code vulnerabilities detection method, device, medium and equipment
CN111581637A (en) * 2020-05-20 2020-08-25 深圳前海微众银行股份有限公司 SQL injection detection method, device, equipment and computer storage medium
US20210026947A1 (en) * 2019-07-22 2021-01-28 Cloud Linux Software Inc. Intrusion detection and prevention for unknown software vulnerabilities using live patching
CN112632560A (en) * 2020-12-25 2021-04-09 苏州浪潮智能科技有限公司 Web vulnerability confirmation method and device
CN113342673A (en) * 2021-06-25 2021-09-03 深圳前海微众银行股份有限公司 Vulnerability detection method, device and readable storage medium

Also Published As

Publication number Publication date
CN113342673A (en) 2021-09-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 21946821; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE