
CN103942497B - Forensics type website vulnerability scanning method and system - Google Patents


Info

Publication number: CN103942497B
Authority: CN (China)
Prior art keywords: vulnerability, page, module, forensics, scanning
Prior art date:
Legal status: Active
Application number: CN201410185544.XA
Other languages: Chinese (zh)
Other versions: CN103942497A (en)
Inventors: 林章峰, 范渊, 杨永清
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Priority date:
Filing date:
Publication date:

Application filed by DBAPPSecurity Co Ltd
Priority to CN201410185544.XA
Publication of CN103942497A
Application granted
Publication of CN103942497B
Legal status: Active (current)
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention relates to the field of network application security and provides a forensic website vulnerability scanning method and system. The method comprises the steps of page capture, vulnerability scanning, automatic forensics, information collection and manual forensics. The system comprises a page capture module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module. With this method and system, vulnerabilities are filtered automatically, so that a user obtains a more reliable report as soon as the automatic scan finishes; for an individual vulnerability about which doubt remains, the 'manual forensics' step of the method can be used to re-verify it directly and quickly.

Description

Forensic website vulnerability scanning method and system

Technical field

The invention belongs to the field of network application security and in particular relates to a forensic website vulnerability scanning method and system.

Background

As the Internet has developed, network applications of every kind have appeared and largely satisfy users' varied needs. During development, however, more attention is usually paid to implementing functionality, and a variety of security problems are left behind, generally because of schedule pressure, the limited skill of the programmers, imperfect design or momentary carelessness. Common website security problems include vulnerabilities caused by insufficient filtering of input data in the code, vulnerabilities caused by server configuration, and leakage of sensitive information. It is generally hard to eliminate such vulnerabilities entirely during development, so assessing a website with a vulnerability scanning tool is a good option.

A website vulnerability scanning system generally crawls every page of the website and then analyses the captured pages one by one to find as many security problems as possible. Several factors, however, make this kind of scanning very prone to false positives: it reports vulnerabilities that do not actually exist and wastes the time and effort of the website's developers and maintainers. These factors include: 1) the dynamic nature of many web pages, which causes the scanning system to misjudge; 2) imperfections in the scanning system's own decision logic; 3) the complexity of today's application environments, which the scanning system's decision logic often cannot cover in every possible case.

Among known techniques, the one closest to this method is called "Web vulnerability scanning method based on penetration technology", whose key step is that it "comprises two phases, scanning and analysis". That technique mainly implements a way of discovering website vulnerabilities. As noted above, such a method is prone to false positives, yet it provides no good way to filter them out. Staff can use it to find a number of vulnerabilities, but some may be real and some may be false positives; they can only tolerate the false positives or manually re-analyse the vulnerabilities one by one.

Summary of the invention

The purpose of the invention is to remedy the shortcomings of existing website vulnerability scanning methods by providing a vulnerability scanning method and scanning system that use automatic and manual forensics to raise the accuracy of website vulnerability scanning and deliver more accurate and credible scan results.

A forensic website vulnerability scanning method is provided for detecting vulnerabilities in a scanned website. It comprises the following steps:

a) Page capture: parsing starts from the initial page of the scanned website, page links of the site are obtained and stored in the system database module, with the guarantee that the same link is never stored twice; links that are stored but have not yet been processed by the page capture step are then taken from the system database module, the pages are visited, and new links are extracted and stored in the system database module, until all pages of the scanned website have been captured;

b) Vulnerability scanning: among the pages captured in step a, determine whether any page has not yet been checked for vulnerabilities. If none remains, go to step e; otherwise select an unchecked page and check it, analysing the page according to the detection logic that corresponds to each kind of vulnerability (there are many kinds of vulnerability, each with its own detection method, and some of the relevant techniques are already well known in the industry). If a vulnerability is found, go to step c; otherwise repeat step b;

c) Automatic forensics: for the vulnerability found in step b, perform automatic forensics according to the forensic logic for that kind of vulnerability, automatically filter out false positives, and obtain a forensic result that can prove the vulnerability exists;

d) Information collection: for the vulnerability found in step b, automatically collect and save the forensic information needed by the manual forensic methods applicable to that kind of vulnerability; when done, return to step b to check the other pages;

e) Manual forensics: using the forensic information collected in step d, perform manual forensics with the manual methods applicable to each kind of vulnerability, and obtain a manual forensic result that confirms whether the vulnerability is real.

In the invention, depending on the type of website vulnerability, the forensic results of steps c and e include the following data: page length, HTTP response code, page request response time, the messages sent and received during the page request, HTTP headers, session and cookies, page content, the differences between several page requests (such as differences in response code, page length or content), and the page's actual rendering in a browser together with a screenshot of it (some vulnerabilities can be verified in a browser, and different vulnerabilities show up differently there: "cross-site scripting", for example, may change the page title or pop up a dialog box, while "directory browsing" shows every subdirectory and file of a directory in the browser; there are many other cases, which are not listed one by one).

In the invention, the forensic information of step d includes the following data: automatically constructed URLs for further forensics, HTTP headers, session and cookies, form submission data, HTTP request packets and HTTP response packets.

In the invention, the automatic forensics of step c includes the following methods:

1) directly take the response content length, response code, response time, messages and page content of the page where the vulnerability lies as the forensic result, and use them to judge whether the vulnerability exists;

2) modify the original page request to construct at least one new HTTP request automatically, compare the data of these different requests (response content length, response code, response time, messages and page content), take the differences obtained as the forensic result, and use them to judge whether the vulnerability exists;

3) match text with known characteristics in the content returned by the page where the vulnerability lies, take the matched content as the forensic result, and use it to judge whether the vulnerability exists;

4) automatically simulate a form submission, obtain the result of the request, and use it to judge whether the vulnerability exists;

5) use a browser engine and browser to parse and lay out the page content and execute the scripts in it, take the output of parsing and layout as the forensic result, and use it to judge whether the vulnerability exists.

In the invention, the manual forensics of step e is optional and can be performed selectively as needed (with a person involved, manual forensics can be more accurate than automatic forensics). Manual forensics includes the following methods:

1) open the automatically constructed further-forensics URL obtained in step d in a browser, observe the actual execution and display of the URL, judge in light of the vulnerability's characteristics whether it exists, and optionally save a screenshot of the displayed result;

2) enter the further-forensics URL together with the HTTP headers, session and cookies and form submission data obtained in step d into an HTTP request simulator (a tool that composes and sends HTTP requests), send the request, inspect the returned page content and judge in light of the vulnerability's characteristics whether it exists;

3) in a browser, fill the form submission data obtained in step d into the form on the page where the vulnerability lies, submit the form, inspect the page displayed after submission and judge in light of the vulnerability's characteristics whether it exists;

4) use a dedicated tool, meaning a vulnerability forensics or penetration testing tool: enter the further-forensics URL and the HTTP headers, session and cookies and form submission data obtained in step d into the tool for further forensics or penetration, inspect the result and judge in light of the vulnerability's characteristics whether it exists;

5) display the HTTP request and response packets obtained in step d in the user interface, with the important content highlighted or shown in bold, and judge manually in light of the vulnerability's characteristics whether it exists.

In the invention, website vulnerabilities and forensic results can be displayed together in the user interface of the program or system, or output together to a report; from this information the user judges whether a vulnerability exists and what its nature and severity are.

In the invention, the forensic website vulnerability scanning method has a learning function: the user judges whether a vulnerability is a false positive, the system records the user's judgment, and when the same vulnerability appears again in a later scan the recorded judgment is used to filter it out; this is how the automatic filtering of false positives in step c is realised.
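An added illustration of the learning function just described (not the patent's own code): a verdict store keyed by a fingerprint of the vulnerability, so that the same finding is recognised in a later scan even when volatile query values or the fragment differ. The Finding class, the fingerprint() rule and the two scan result lists are constructed for the example.

```python
"""Learning function: the user's verdict on a reported vulnerability is
recorded under a stable fingerprint and applied to later scans."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit


@dataclass(frozen=True)
class Finding:
    vuln_type: str
    url: str
    parameter: Optional[str] = None  # affected parameter, if the type has one


def fingerprint(f: Finding) -> str:
    """What 'the same vulnerability' means across scans: its type, the page
    (query values and fragment stripped, since those change between scans,
    query parameter names kept) and the affected parameter."""
    p = urlsplit(f.url)
    names = sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True))
    page = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/",
                       "&".join(names), ""))
    return f"{f.vuln_type}|{page}|{f.parameter or ''}"


class VerdictStore:
    """Records whether the user judged a finding to be a false positive."""

    def __init__(self, verdicts: Optional[Dict[str, bool]] = None) -> None:
        self._false_positive: Dict[str, bool] = dict(verdicts or {})

    def record(self, f: Finding, is_false_positive: bool) -> None:
        self._false_positive[fingerprint(f)] = is_false_positive

    def known_false_positive(self, f: Finding) -> bool:
        return self._false_positive.get(fingerprint(f), False)

    def filter(self, findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
        """Step c's automatic filtering: returns (kept, dropped)."""
        kept: List[Finding] = []
        dropped: List[Finding] = []
        for f in findings:
            (dropped if self.known_false_positive(f) else kept).append(f)
        return kept, dropped

    def dump(self) -> str:
        """Serialise for the system database module or a project file."""
        return json.dumps(self._false_positive, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "VerdictStore":
        return cls(json.loads(text))


# Constructed scenario: a finding from the first scan is marked as a false
# positive by the user; in the second scan it reappears with a different
# session id in the URL, next to a confirmed finding and a new one.
FIRST_SCAN = [
    Finding("directory-browsing", "http://Shop.example/static/?sid=abc123"),
    Finding("cross-site-scripting", "http://shop.example/search?q=test", "q"),
]
SECOND_SCAN = [
    Finding("directory-browsing", "http://shop.example/static/?sid=zzz999#top"),
    Finding("cross-site-scripting", "http://shop.example/search?q=other", "q"),
    Finding("directory-browsing", "http://shop.example/uploads/"),
]


def demo() -> Tuple[List[Finding], List[Finding]]:
    store = VerdictStore()
    store.record(FIRST_SCAN[0], is_false_positive=True)   # user: not real
    store.record(FIRST_SCAN[1], is_false_positive=False)  # user: confirmed
    store = VerdictStore.load(store.dump())                # survives a restart
    return store.filter(SECOND_SCAN)
```

The fingerprint rule decides exactly what a recorded false positive suppresses, so a stored verdict should be reviewed when the page changes; otherwise it keeps hiding a finding that may since have become real.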

A forensic website vulnerability scanning system based on the scanning method is provided, comprising a page capture module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module;

the page capture module parses the initial page of the scanned website, or the page links saved in the system database module, to obtain new page links, then stores the links obtained in the system database module, guaranteeing that the same link is never stored twice (in the page capture module, the system database module can also be replaced by a project file);

the vulnerability scanning module determines whether a page has been checked for vulnerabilities and checks the pages that have not;

the automatic forensics module performs automatic forensics on the vulnerabilities found by the vulnerability scanning module, automatically filters out false positives and obtains forensic results that can prove the vulnerability exists;

the information collection module automatically collects and saves, for the vulnerabilities found by the vulnerability scanning module, the forensic information used for manual forensics;

the manual forensics module uses the forensic information collected by the information collection module to carry out manual forensics and obtain manual forensic results that confirm whether a vulnerability is real;

the task issuing and management module gives the user the means to start the website scanning process and so reach the final goal of vulnerability discovery and forensics: it lets the user issue scanning tasks from the user interface and manage them, including pausing, stopping, deleting and configuring them;

the scan result display and management module shows the scan data in the interface during and after the scan and lets the user view the scan data, the manual forensic results and the output report; the scan data include the vulnerabilities found, the page links of the corresponding website and the manual forensic information;

the report module outputs the vulnerability detection results to a standalone file, which serves for communication between staff, for archiving or as the basis for improving the website, and which can be imported into third-party systems for further processing;

the system database module stores the system's configuration information, the website's vulnerabilities and the page links; the configuration information includes account and log information;

the project file management module manages project files, including creating and deleting them and writing data to them; a project file is a file that can store page links and vulnerability data, and every task issued by the task issuing and management module has a corresponding project file.

The principle of the invention is that after a vulnerability has been found by scanning, it is verified once more, or several times, using the characteristics of the vulnerability itself and the data returned by the page, so that falsely reported vulnerabilities are excluded.

Compared with the prior art, the beneficial effects of the invention are:

The invention provides a website vulnerability scanning method with higher accuracy, so that staff can easily produce a more credible website vulnerability report without resorting to other means to judge whether vulnerabilities are real, which greatly improves working efficiency.

The forensic scanning method filters vulnerabilities automatically. With it, the user obtains a more credible report as soon as the automatic scan finishes. For the few vulnerabilities about which doubt remains, the "manual forensics" step of the method can be used to reconfirm them directly and quickly.

Description of the drawings

Fig. 1 is a diagram of the main modules of the forensic website vulnerability scanning system of the invention.

Fig. 2 is the flow chart of the forensic website vulnerability scanning method of the invention.

Detailed description

It should first be explained that the invention involves Web and database technology and is an application of computer technology in the field of information security. Implementing the invention involves the use of several software function modules. The applicant holds that, after carefully reading the application documents and correctly understanding the implementation principle and purpose of the invention, and in combination with existing publicly known techniques, a person skilled in the art can fully implement the invention with the software programming skills at their command. The software function modules referred to include, but are not limited to, the page capture module, vulnerability scanning module, automatic forensics module, information collection module, manual forensics module, task issuing and management module, scan result display and management module, report module, system database module and project file management module; every module mentioned in the application documents falls into this category, and the applicant does not list them one by one.

The purpose of the invention is to provide a website vulnerability scanning method with higher accuracy, filtering out falsely reported vulnerabilities by means of forensics. Forensics consists mainly of two steps, automatic forensics and manual forensics, of which automatic forensics is completed automatically during the scan.

The forensic website vulnerability scanning method specifically comprises the following steps:

a) Page capture: parsing starts from the initial page of the scanned website, page links of the site are obtained and stored in the system database module, with the guarantee that the same link is never stored twice; links that are stored but have not yet been processed by the page capture step are then taken from the system database module, the pages are visited, and new links are extracted and stored in the system database module, until all pages of the scanned website have been captured. This can be done with a web crawler, regular expressions, simulated parsing and other techniques, or a combination of them; existing open-source web crawlers such as Larbin and Nutch, both well-known open-source crawler projects, can also be used.
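The capture loop of step a, written here as an added illustration (not code from the patent) over a constructed four-page site; the LinkStore class standing in for the system database module, the canonical() normalisation that makes two spellings of one page collide, and the site map are assumptions of the example.

```python
"""Page capture (step a) over a constructed in-memory site: a link store
that refuses duplicates plays the part of the system database module."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlsplit, urlunsplit

HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def canonical(url: str) -> str:
    """Normalise a link so that two spellings of one page collide: the
    fragment is dropped, scheme and host are lower-cased and an empty
    path becomes '/'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def same_site(url: str, root: str) -> bool:
    return urlsplit(url).netloc.lower() == urlsplit(root).netloc.lower()


class LinkStore:
    """Stand-in for the system database module: every link is stored once,
    together with a flag saying whether the capture step has processed it."""

    def __init__(self) -> None:
        self._links: Dict[str, bool] = {}

    def add(self, url: str) -> bool:
        """Store the link; returns False (and changes nothing) if already known."""
        if url in self._links:
            return False
        self._links[url] = False
        return True

    def next_unprocessed(self) -> Optional[str]:
        for url, done in self._links.items():
            if not done:
                return url
        return None

    def mark_processed(self, url: str) -> None:
        self._links[url] = True

    def all_links(self) -> List[str]:
        return sorted(self._links)


def extract_links(page_url: str, html: str) -> List[str]:
    """Resolve every href against the page URL and canonicalise it."""
    return [canonical(urljoin(page_url, href)) for href in HREF.findall(html)]


def crawl(start_url: str, fetch: Callable[[str], Optional[str]]) -> LinkStore:
    """Step a: parse from the initial page, store new same-site links without
    duplicates, and keep taking unprocessed links from the store until none
    is left. `fetch` returns the page body, or None when there is no such page."""
    store = LinkStore()
    store.add(canonical(start_url))
    while (url := store.next_unprocessed()) is not None:
        body = fetch(url)
        if body is not None:
            for link in extract_links(url, body):
                if same_site(link, start_url):
                    store.add(link)
        store.mark_processed(url)  # a dangling link is processed too, once
    return store


# Constructed sample site: relative links, a fragment link with a differently
# cased host, a duplicate link, an external link and a dangling link.
SITE: Dict[str, str] = {
    "http://shop.example/": '<a href="/catalog.html">Catalog</a> <a href="about.html">About</a>',
    "http://shop.example/catalog.html": '<a href="/item.html?id=7">Item</a> '
                                        '<a href="/item.html?id=7">Again</a> '
                                        '<a href="http://SHOP.example/about.html#team">Team</a>',
    "http://shop.example/about.html": '<a href="https://partner.example/">Partner</a> '
                                      '<a href="/missing.html">Old</a>',
    "http://shop.example/item.html?id=7": "<p>No links here</p>",
}


def site_fetch(url: str) -> Optional[str]:
    return SITE.get(url)
```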

b)漏洞扫描:在步骤a抓取到的页面中,判断是否还有尚未进行漏洞检测的页面,若已没有尚未进行漏洞检测的页面,则转步骤e,否则执行:选择一个尚未进行漏洞检测的页面进行漏洞检测,针对这个页面,根据不同漏洞各自所对应的检测逻辑进行漏洞分析(漏洞的种类非常多,每种漏洞都有不同的检测方法,部分相关技术已属于业界公知),如果发现漏洞转步骤c,否则重复执行步骤b。由于漏洞的多样性,本发明采用策略库实现漏洞检测逻辑的编写,策略库提供统一的漏洞检测框架,将每条漏洞分别编写成策略库中的一条策略。用户下发任务时,可以选择要执行策略库中的哪些策略。扫描过程中,对于每个页面,都会执行一遍用户所选择的所有策略。在本发明中,当前步骤应该尽可能多地发现漏洞,减少漏报。网站漏洞方法中误报和漏报往往是一对矛盾,需要在扫描策略中做出平衡。但在这一步骤中,需要优先考虑的是减少漏报率。b) Vulnerability scanning: Among the pages captured in step a, determine whether there are pages that have not yet been tested for vulnerabilities. If there are no pages that have not been tested for vulnerabilities, go to step e, otherwise execute: select a page that has not yet been tested for vulnerabilities Vulnerability detection for this page, according to the corresponding detection logic of different vulnerabilities for vulnerability analysis (there are many types of vulnerabilities, each vulnerability has a different detection method, and some related technologies are already known in the industry), if found If there is a bug, go to step c, otherwise, repeat step b. Due to the diversity of loopholes, the present invention uses a policy library to realize the writing of loophole detection logic. The policy library provides a unified loophole detection framework, and each loophole is written as a strategy in the strategy library. When users deliver tasks, they can choose which policies in the policy library to execute. During the scanning process, for each page, all policies selected by the user will be executed. In the present invention, the current step should find as many loopholes as possible to reduce false positives. False positives and false negatives in the website vulnerability method are often a pair of contradictions, which need to be balanced in the scanning strategy. But in this step, the priority is to reduce the false negative rate.

c)自动取证:对步骤b中发现的漏洞,根据不同漏洞的取证逻辑进行自动取证,并自动过滤掉误报,获得能够证明该漏洞存在的取证结果。自动取证是在扫描过程中自动完成的,在所述的策略库中的每条策略执行完成后,如果发现可能存在的漏洞,就开始自动过滤和取证的过程,如果判断为误报,该结果自动被丢弃,否则存入数据库中。自动取证的依据和结果可能包括但不限于以下信息:页面长度、HTTP响应码、页面请求响应时间、页面请求过程收发的报文、HTTP头、会话及Cookie、页面内容等,另外还可以包括多个页面请求之间的差异性,如页面响应码的差异、页面长度的差异和内容的差异等。除了数据化的内容外,取证结果还可以包括页面在浏览器中的实际显示效果及其截图,部分漏洞可以使用浏览器进行取证,不同的漏洞在浏览器中输入是不一样的,比如“跨站脚本”可以修改界面的标题或弹出一个对话框,“目录浏览”的显示效果则是在浏览器中显示一个目录下的所有子目录和子文件,不同的情况还有很多,不再一一列举。自动取证包括但不限于以下方法:1)直接将漏洞所在页面的响应内容长度、响应码、响应时间、报文、页面内容作为取证结果,并以此判断漏洞是否存在;2)在原始页面请求的基础上进行修改,自动构造一个或多个新的http请求,并对这些不同请求的响应内容长度、响应码、响应时间、报文、页面内容等数据进行对比,把对比获得的差异性作为取证结果,并以此判断漏洞是否存在;3)在漏洞所在页面的返回内容中匹配符合特征的文本,将匹配到的内容作为取证结果,并以此判断漏洞是否存在;4)自动模拟表单提交并获取请求结果,并以此判断漏洞是否存在。5)使用浏览器内核及浏览器对页面的内容进行解析和排版,执行页面内容中的脚本。将解析和排版的输出结果作为取证的结果,并以此判断漏洞是否存在。c) Automatic forensics: For the vulnerabilities found in step b, automatic forensics is performed according to the forensics logic of different vulnerabilities, and false positives are automatically filtered out to obtain forensic results that can prove the existence of the vulnerability. Automatic forensics is automatically completed during the scanning process. After each policy in the policy library is executed, if possible vulnerabilities are found, the process of automatic filtering and forensics will start. If it is judged as a false positive, the result Automatically discarded, otherwise stored in the database. The basis and results of automatic forensics may include but not limited to the following information: page length, HTTP response code, page request response time, messages sent and received during page request process, HTTP header, session and cookie, page content, etc. Differences between individual page requests, such as differences in page response codes, differences in page length, and differences in content. In addition to the data-based content, the forensic results can also include the actual display effect of the page in the browser and its screenshots. 
Some vulnerabilities can be forensically obtained using the browser. Different vulnerabilities can be entered differently in the browser, such as "cross- "Station Script" can modify the title of the interface or pop up a dialog box, and the display effect of "Directory Browse" is to display all subdirectories and subfiles in a directory in the browser. There are many different situations, so I won't list them one by one. . Automatic forensics includes but is not limited to the following methods: 1) Directly use the response content length, response code, response time, message, and page content of the page where the vulnerability is located as the forensics result, and use this to determine whether the vulnerability exists; 2) request the vulnerability on the original page Modify on the basis of , automatically construct one or more new http requests, and compare the response content length, response code, response time, message, page content and other data of these different requests, and use the difference obtained by comparison as 3) Match the text that meets the characteristics in the returned content of the page where the vulnerability is located, and use the matched content as the forensic result to determine whether the vulnerability exists; 4) Automatically simulate form submission And get the request result, and use it to judge whether the vulnerability exists. 5) Use the browser kernel and the browser to analyze and format the content of the page, and execute the script in the page content. Use the output of parsing and typesetting as the result of forensics, and use this to determine whether a vulnerability exists.

d) Information collection: for the vulnerability found in step b, the forensic information needed by the manual forensics method applicable to that vulnerability is collected and saved; when this is complete, the method returns to step b to detect vulnerabilities in other pages. The relevant data may come from the page itself, from the HTTP packets sent and received, and from the results of the program's automatic analysis. For possible vulnerabilities that have been found, even after automatic filtering the accuracy cannot be fully guaranteed because of the complexity of detection techniques, so human assistance may be needed to judge them. Once a vulnerability detection policy has completed, the relevant information is collected automatically and serves as the source and basis of manual forensics. When needed, the user can judge from this information whether the vulnerability is genuine, and store or output that judgment. The information that may be collected includes, but is not limited to: automatically constructed URLs for further forensics, HTTP headers, session and cookies, form submission data, HTTP request packets and HTTP response packets.

e) Manual forensics: using the forensic information collected in step d, manual forensics is performed according to the manual forensics method applicable to the vulnerability, and a manual forensic result confirming whether the vulnerability is genuine is obtained. Manual forensics is mainly hands-on work based on visual inspection, so besides the information obtained in step d the system of the invention should also include tools that make manual operation convenient, such as a browser, an HTTP request sender (a tool that composes and sends HTTP requests), vulnerability verification tools, web application penetration testing tools, and network packet capture and parsing tools. The relevant information should also be shown on the user interface so that the user can examine it. Different types of vulnerability call for different manual forensics methods. Methods that can be used include, but are not limited to: 1) open the automatically constructed URL for further forensics obtained in step d in a browser, examine the actual execution and display result of that URL and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists; a screenshot of the displayed result can be saved at the same time; 2) fill the URL for further forensics, together with the HTTP headers, session and cookies, form submission data and other information obtained in step d, into the HTTP request sender, send the HTTP request, examine the returned page content and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists; 3) in a browser, fill the form submission data obtained in step d into the form on the page where the vulnerability is located, submit the form, examine the page shown after submission and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists; 4) using other dedicated vulnerability forensics or penetration testing tools, fill the URL for further forensics and the HTTP headers, session and cookies, form submission data and other information obtained in step d into the tool for further forensics or penetration testing, examine the result and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists; 5) display the HTTP request packet and HTTP response packet obtained in step d on the user interface with the important content emphasised by highlighting, bold fonts and similar means, and, combined with the characteristics of the vulnerability, judge manually whether the vulnerability exists.

Manual forensics in step e is optional: if the user still has insufficient confidence in the vulnerabilities reported in the report, step e can be performed as needed.

The forensic website vulnerability scanning method can display website vulnerabilities and forensic results together in the user interface of the program or system, or output them together into a report; from this information the user judges whether a vulnerability exists and what its nature and severity are. The method also has a learning function: the user judges whether a vulnerability is a false positive and the system records that judgment; when the same vulnerability appears again in a later scan, the false positive is filtered out according to the recorded user judgment.
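As an added illustration that is not code from the patent or from its assignee, the following Python sketches automatic-forensics methods 1 to 3 of step c together with the learning function above: a baseline exchange and a probe exchange are compared, signature text is matched in the probe response, a finding whose evidence does not support it is discarded as a false positive, and findings the user has already judged to be false positives are filtered out on later scans. The exchanges, the signature patterns, the length threshold and the `target.example` host are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Method 3 of step c: signature text whose presence in the returned page is
# itself the evidence. Constructed for this example; a real policy library
# would carry a signature set per vulnerability type.
SIGNATURES = {
    "directory_browsing": re.compile(r"<title>\s*Index of /[^<]*</title>", re.I),
    "error_disclosure": re.compile(r"Traceback \(most recent call last\)|ORA-\d{5}"),
}

# Method 2 of step c: for types without a signature, a probe whose body length
# differs from the baseline by at least this many bytes is a meaningful difference.
LENGTH_DELTA_THRESHOLD = 64  # constructed threshold


@dataclass
class HttpExchange:
    """One request/response pair captured during the scan (constructed data)."""
    url: str
    status: int
    elapsed_ms: int
    headers: Dict[str, str]
    body: str


@dataclass
class Evidence:
    """Forensic record stored with a finding so a reviewer can verify it later."""
    vuln_type: str
    url: str
    baseline_status: int
    probe_status: int
    length_delta: int
    time_delta_ms: int
    matched_text: List[str] = field(default_factory=list)


def finding_key(vuln_type: str, url: str) -> str:
    """Stable identifier for 'the same vulnerability' across scans, used by the
    learning function to recognise findings the user has already judged."""
    return hashlib.sha256(f"{vuln_type}|{url}".encode()).hexdigest()[:16]


def collect_evidence(vuln_type: str, baseline: HttpExchange,
                     probe: HttpExchange) -> Evidence:
    """Methods 1 to 3: record the probe response data, its differences from the
    baseline, and any signature text matched in the probe body."""
    pattern = SIGNATURES.get(vuln_type)
    matched = [m.group(0) for m in pattern.finditer(probe.body)] if pattern else []
    return Evidence(
        vuln_type=vuln_type,
        url=probe.url,
        baseline_status=baseline.status,
        probe_status=probe.status,
        length_delta=len(probe.body) - len(baseline.body),
        time_delta_ms=probe.elapsed_ms - baseline.elapsed_ms,
        matched_text=matched,
    )


def is_confirmed(ev: Evidence) -> bool:
    """Automatic false-positive filter: a type with a signature is confirmed only
    by a match; other types need the probe to differ from the baseline in status
    code or in body length by at least the threshold."""
    if ev.vuln_type in SIGNATURES:
        return bool(ev.matched_text)
    return (ev.probe_status != ev.baseline_status
            or abs(ev.length_delta) >= LENGTH_DELTA_THRESHOLD)


def record_user_judgment(known_false_positives: Set[str], vuln_type: str,
                         url: str, is_false_positive: bool) -> None:
    """Learning function: remember the user's verdict for later scans."""
    key = finding_key(vuln_type, url)
    if is_false_positive:
        known_false_positives.add(key)
    else:
        known_false_positives.discard(key)


def triage(vuln_type: str, baseline: HttpExchange, probe: HttpExchange,
           known_false_positives: Set[str]) -> Optional[Evidence]:
    """Run after a policy reports a possible vulnerability: return the evidence
    to store, or None when the finding is discarded as a false positive."""
    if finding_key(vuln_type, probe.url) in known_false_positives:
        return None
    ev = collect_evidence(vuln_type, baseline, probe)
    return ev if is_confirmed(ev) else None


# Constructed sample exchanges for a directory-browsing check on a file viewer:
# a normal baseline page, a probe that exposes a listing, and one that does not.
BASELINE = HttpExchange(
    "http://target.example/files/?path=docs", 200, 40,
    {"Content-Type": "text/html"},
    "<html><title>Documents</title><ul><li>readme.txt</li></ul></html>")
PROBE_LISTING = HttpExchange(
    "http://target.example/files/", 200, 38, {"Content-Type": "text/html"},
    "<html><title>Index of /files/</title><a href='readme.txt'>readme.txt</a>"
    "<a href='backup/'>backup/</a></html>")
PROBE_UNCHANGED = HttpExchange(
    "http://target.example/files/?path=docs%27", 200, 41,
    {"Content-Type": "text/html"}, BASELINE.body)
```

A stored `Evidence` record is what the report and the manual forensics of steps d and e would show to the reviewer; the raw packets would be kept alongside it in a real system.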

The forensic website vulnerability scanning system based on the scanning method may include, but is not limited to, the following modules: a page crawling module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module.

Each module is described further below:

1) The page crawling module parses the initial page of the scanned website, or the page links saved in the system database module, to obtain new page links, and then stores the obtained page links in the system database module while ensuring that identical page links are not stored twice. The database referred to here can also be replaced by a project file.

2) The vulnerability scanning module determines whether a page has already undergone vulnerability detection and checks the pages that have not; different vulnerabilities have different detection methods.

3) The automatic forensics module performs automatic forensics on the vulnerabilities found by the vulnerability scanning module, filters out false positives automatically, and obtains forensic results that prove the vulnerability exists.

4) The information collection module automatically collects and saves, for the vulnerabilities found by the vulnerability scanning module, the forensic information used for manual forensics.

5) The manual forensics module uses the forensic information collected by the information collection module to perform manual forensics and obtain manual forensic results that confirm whether the vulnerability is genuine. Operating this module is optional for the user and can be done as needed.

6) The task issuing and management module lets the user issue scan tasks from the user interface and manage them, for example pause, stop, delete and configure them. Its purpose is to give the user the means to start the website scanning process, so as to achieve the final purpose of vulnerability discovery and forensics.

7) The scan result display and management module shows the discovered vulnerabilities, the page links of the corresponding website, the manual forensics information and other content on the interface during and after the scan. The user can view the related data, perform manual forensics and output reports.

8) The report module outputs the vulnerability detection results to a standalone file, used for communication between staff, for archiving, or as a basis for improving the website system; the output file can also be imported into third-party systems for further processing.

9) The system database module stores the system's configuration information, account and log information and so on, and can also store information such as the website's vulnerabilities and page links.

10) The project file management module: a project file is a file that can store data such as page links and vulnerabilities, and each task issued by the task issuing and management module can have a corresponding project file. The project file management module manages project files, for example creating and deleting them and writing data to them.

In the system, the user's scanning process is as follows: the user first issues a task and waits for the scan to complete. During or after the scan, the user can view the scan results and perform manual forensics. Finally, the scan results and forensic results are output to a report as needed.

By implementing the forensic website vulnerability scanning method in the forensic website vulnerability scanning system, the function of forensic website vulnerability scanning is achieved.

Finally, it should be noted that the above are only specific embodiments of the invention. Obviously the invention is not limited to these embodiments, and many variations are possible. All variations that a person of ordinary skill in the art can derive directly from, or be led to by, the disclosure of the invention should be considered within the scope of protection of the invention.

Claims (7)

1. A forensic website vulnerability scanning method for detecting vulnerabilities in a scanned website, characterised in that it comprises the following steps:
a) page crawling: parse starting from the initial page of the scanned website, obtain page links of the scanned website, store the page links in the system database module while ensuring that identical page links are not stored twice; then take from the system database module the saved page links that the page crawling step has not yet processed, visit those pages, and extract new page links into the system database module, until all pages of the scanned website have been crawled;
b) vulnerability scanning: among the pages crawled in step a, determine whether any page has not yet undergone vulnerability detection; if no such page remains, go to step e; otherwise select a page that has not yet been checked and perform vulnerability detection on it, analysing the page according to the detection logic corresponding to each vulnerability type; if a vulnerability is found, go to step c, otherwise repeat step b;
c) automatic forensics: for the vulnerability found in step b, collect evidence automatically according to the forensics logic of that vulnerability type, filter out false positives automatically, and obtain a forensic result that proves the vulnerability exists; the automatic forensics comprises the following methods: 1) directly take the response content length, response code, response time, messages and page content of the page where the vulnerability is located as the forensic result, and judge from them whether the vulnerability exists; 2) modify the original page request to automatically construct at least one new HTTP request, compare the data of these different requests, take the differences obtained by the comparison as the forensic result, and judge from them whether the vulnerability exists, where the data of the different requests comprises response content length, response code, response time, messages and page content; 3) match text that fits a signature in the content returned by the page where the vulnerability is located, take the matched content as the forensic result, and judge from it whether the vulnerability exists; 4) automatically simulate a form submission, obtain the request result, and judge from it whether the vulnerability exists; 5) use a browser engine or a browser to parse and lay out the page content and execute the scripts it contains, take the output of parsing and layout as the forensic result, and judge from it whether the vulnerability exists;
d) information collection: for the vulnerability found in step b, according to the manual forensics methods that can be applied to the different vulnerabilities, automatically collect and save the forensic information those methods require, then return to step b to detect vulnerabilities in other pages;
e) manual forensics: using the forensic information collected in step d, perform manual forensics according to the manual forensics method applicable to the vulnerability, and obtain a manual forensic result that confirms whether the vulnerability is genuine.

2. The forensic website vulnerability scanning method according to claim 1, characterised in that, according to the type of website vulnerability, the forensic results in steps c and e comprise the following data: page length, HTTP response code, page request response time, messages sent and received during the page request, HTTP headers, session and cookies, page content, differences between multiple page requests, and the page's actual rendering in a browser together with a screenshot of it.

3. The forensic website vulnerability scanning method according to claim 1, characterised in that the forensic information in step d comprises the following data: automatically constructed URLs for further forensics, HTTP headers, session and cookies, form submission data, HTTP request packets and HTTP response packets.

4. The forensic website vulnerability scanning method according to claim 3, characterised in that the manual forensics of step e is optional and step e can be performed selectively as needed; the manual forensics comprises the following methods:
1) open the automatically constructed URL for further forensics obtained in step d in a browser, examine the actual execution and display result of that URL and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists, with the option of saving a screenshot of the displayed result;
2) fill the URL for further forensics, together with the HTTP headers, session and cookies and form submission data obtained in step d, into an HTTP request sender, send the HTTP request, examine the returned page content and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists;
3) in a browser, fill the form submission data obtained in step d into the form on the page where the vulnerability is located, submit the form, examine the page shown after submission and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists;
4) using a dedicated tool, the dedicated tool being a vulnerability forensics or penetration testing tool, fill the URL for further forensics and the HTTP headers, session and cookies and form submission data obtained in step d into the dedicated tool for further forensics or penetration testing, examine the result and, combined with the characteristics of the vulnerability, judge whether the vulnerability exists;
5) display the HTTP request packet and HTTP response packet obtained in step d on the user interface with the important content emphasised by highlighting and bold fonts, and, combined with the characteristics of the vulnerability, judge manually whether the vulnerability exists.

5. The forensic website vulnerability scanning method according to claim 1, characterised in that website vulnerabilities and forensic results can be displayed together in the user interface of the program or system, or output together into a report; from this information the user judges whether the vulnerability exists and what its nature and severity are.

6. The forensic website vulnerability scanning method according to claim 1, characterised in that the method has a learning function: the user judges whether a vulnerability is a false positive and the system records the user's judgment; when the same vulnerability appears again in a later scan, the false positive is filtered out according to the recorded user judgment, which implements the automatic filtering of false positives in step c.

7. A forensic website vulnerability scanning system based on the scanning method of claim 1, characterised in that it comprises a page crawling module, a vulnerability scanning module, an automatic forensics module, an information collection module, a manual forensics module, a task issuing and management module, a scan result display and management module, a report module, a system database module and a project file management module;
the page crawling module is used to parse the initial page of the scanned website, or the page links saved in the system database module, to obtain new page links, and then to store the obtained page links in the system database module while ensuring that identical page links are not stored twice;
the vulnerability scanning module is used to determine whether a page has already undergone vulnerability detection and to check the pages that have not;
the automatic forensics module is used to perform automatic forensics on the vulnerabilities found by the vulnerability scanning module, filter out false positives automatically, and obtain forensic results that prove the vulnerability exists;
the information collection module is used to automatically collect and save, for the vulnerabilities found by the vulnerability scanning module, the forensic information used for manual forensics;
the manual forensics module is used to perform manual forensics with the forensic information collected by the information collection module and to obtain manual forensic results that confirm whether the vulnerability is genuine;
the task issuing and management module is used to give the user the means to start the website scanning process, so as to achieve the final purpose of vulnerability discovery and forensics, by letting the user issue scan tasks from the user interface and manage them, including pausing, stopping, deleting and configuring them;
the scan result display and management module is used to display the scan data on the interface during and after the scan and to let the user view the scan data, the manual forensic results and the output reports, the scan data comprising the discovered vulnerabilities, the page links of the corresponding website and the manual forensics information;
the report module is used to output the vulnerability detection results to a standalone file, which serves for communication between staff, for archiving or as a basis for improving the website system, and which can be imported into third-party systems for further processing;
the system database module is used to store the system's configuration information, the website's vulnerabilities and the page links, the system's configuration information including account and log information;
the project file management module is used to manage project files, including creating and deleting them and writing data to them; a project file is a file that can store page link and vulnerability data, and each task issued by the task issuing and management module has a corresponding project file.
CN201410185544.XA 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system Active CN103942497B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410185544.XA CN103942497B (en) 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201310414211.5 2013-09-11
CN2013104142115 2013-09-11
CN201310414211 2013-09-11
CN201410185544.XA CN103942497B (en) 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system

Publications (2)

Publication Number Publication Date
CN103942497A CN103942497A (en) 2014-07-23
CN103942497B true CN103942497B (en) 2017-05-03

Family

ID=51190164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410185544.XA Active CN103942497B (en) 2013-09-11 2014-04-30 Forensics type website vulnerability scanning method and system

Country Status (1)

Country Link
CN (1) CN103942497B (en)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104200166B (en) * 2014-08-05 2017-05-03 杭州安恒信息技术有限公司 Script-based website vulnerability scanning method and system
CN105512559B (en) * 2014-10-17 2019-09-17 阿里巴巴集团控股有限公司 It is a kind of for providing the method and apparatus of accession page
CN105488400A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Comprehensive detection method and system of malicious webpage
CN104618177A (en) * 2014-12-29 2015-05-13 北京奇虎科技有限公司 Website bug examination method and device
CN104954372B (en) * 2015-06-12 2018-07-24 中国科学院信息工程研究所 A kind of evidence obtaining of fishing website and verification method and system
CN106878345A (en) * 2017-04-25 2017-06-20 杭州迪普科技股份有限公司 A kind of method and device for distorting protection
CN107276852B (en) * 2017-06-27 2020-02-21 福建省天奕网络科技有限公司 Data security detection method and terminal
CN107277063B (en) * 2017-08-09 2020-09-25 四川长虹电器股份有限公司 Vulnerability scanning precision-based judgment and test method
CN107908959B (en) * 2017-11-10 2020-02-14 北京知道创宇信息技术股份有限公司 Website information detection method and device, electronic equipment and storage medium
CN108449319A (en) * 2018-02-09 2018-08-24 秦玉海 A kind of method and device of identification swindle website and the evidence obtaining of long-range wooden horse
CN108848115B (en) * 2018-09-03 2021-03-16 杭州安恒信息技术股份有限公司 A method, apparatus, device and computer-readable storage medium for scanning a website
CN111277555B (en) * 2018-12-05 2022-03-11 中国移动通信集团河南有限公司 Vulnerability false alarm screening method and device
CN109729078A (en) * 2018-12-20 2019-05-07 国网北京市电力公司 Operational vulnerability detection method, device, storage medium and electronic device
CN110175058B (en) * 2019-04-10 2022-04-05 创新先进技术有限公司 Method, module, system and medium for fast retention based on data exception information
CN110753047B (en) * 2019-10-16 2022-02-11 杭州安恒信息技术股份有限公司 A method to reduce false positives in vulnerability scanning
CN111447224A (en) * 2020-03-26 2020-07-24 江苏亨通工控安全研究院有限公司 Web vulnerability scanning method and vulnerability scanner
CN111541693B (en) * 2020-04-23 2022-04-15 北京凌云信安科技有限公司 Automatic penetration test and data evidence obtaining system for multiple types of systems
CN111291384B (en) * 2020-04-28 2020-09-08 杭州海康威视数字技术股份有限公司 Vulnerability scanning method and device and electronic equipment
CN113742731A (en) * 2020-05-27 2021-12-03 南京大学 Data collection method for code vulnerability intelligent detection
CN112100626B (en) * 2020-09-24 2023-06-09 成都信息工程大学 Development method for improving source code audit vulnerability hit rate
CN113422759B (en) * 2021-06-10 2023-04-18 杭州安恒信息技术股份有限公司 Vulnerability scanning method, electronic device and storage medium
CN117040801B (en) * 2023-07-14 2024-10-15 华能信息技术有限公司 Vulnerability detection method based on web middleware

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6584569B2 (en) * 2000-03-03 2003-06-24 Sanctum Ltd. System for determining web application vulnerabilities
CN1866817A (en) * 2006-06-15 2006-11-22 北京华景中天信息技术有限公司 Website safety risk estimating method and system
CN102104601A (en) * 2011-01-14 2011-06-22 无锡市同威科技有限公司 Web vulnerability scanning method and device based on infiltration technology

Also Published As

Publication number Publication date
CN103942497A (en) 2014-07-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15

Patentee after: Dbappsecurity Co.,Ltd.

Address before: Hangzhou City, Zhejiang province 310051 Binjiang District and Zhejiang road in the 15 storey building

Patentee before: Dbappsecurity Co.,ltd.

CP02 Change in the address of a patent holder

Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Patentee after: Dbappsecurity Co.,Ltd.

Address before: Zhejiang Zhongcai Building No. 68 Hangzhou 310051 Zhejiang province Binjiang District Tong Road 15

Patentee before: Dbappsecurity Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20140723

Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.

Assignor: Dbappsecurity Co.,Ltd.

Contract record no.: X2024980043370

Denomination of invention: A forensic website vulnerability scanning method and system

Granted publication date: 20170503

License type: Common License

Record date: 20241231