CN114003916A - Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability - Google Patents

Info

Publication number: CN114003916A
Application number: CN202111203376.9A
Authority: CN (China)
Prior art keywords: interface, request, user, role, file
Legal status: Withdrawn (Google notes that the legal status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 周广跃
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (Google notes that the listed assignees may be inaccurate)
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Application filed by Suzhou Inspur Intelligent Technology Co Ltd; priority to CN202111203376.9A; publication of CN114003916A

Classifications

All classifications fall under Section G (Physics) > G06 (Computing or calculating; counting) > G06F (Electric digital data processing):

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F16/951 Indexing; Web crawling techniques (under G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/95 Retrieval from the web)
    • G06F21/31 User authentication (under G06F21/00 > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/44 Program or device authentication (under G06F21/00 > G06F21/30)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/00 Indexing scheme relating to security arrangements > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method, a system, a terminal and a storage medium for testing vertical privilege-escalation ("longitudinal override") vulnerabilities between WEB roles. The method comprises the following steps: logging in to the WEB application as a role user, locating the pages that the role user can operate from the application's front-end source files, and locating the operable elements on those pages; driving the operable elements with an automation tool so that they send interface (API) requests to the WEB back end, capturing the back end's response messages with a packet-capture tool, and saving each interface request together with its response message to a per-role user file; generating the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute; and generating test requests carrying the role user's own authentication information, sending them to each interface in the unauthorized-operation list, and passing the test if the access result matches what that authentication information should permit, i.e. the back end refuses the request. The invention realises a fully automatic vertical privilege-escalation test for a multi-role system.

Description

Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability
Technical Field
The invention relates to the technical field of WEB security maintenance, and in particular to a method, a system, a terminal and a storage medium for testing vertical privilege-escalation (longitudinal override) vulnerabilities between WEB roles.
Background
As software systems keep evolving, more and more of them have to serve multi-role users, and with that more and more web security vulnerabilities appear. Among them, vertical privilege escalation, where a lower role reaches functions reserved for a higher role, is a problem that developers and testers pay close attention to. For example, an ordinary user may, by analysing the interfaces the application calls, directly access resources that require administrator rights.
Two vertical privilege-escalation test methods currently exist. The first is manual testing: an interface request is captured through the browser, the authentication information in the request is modified (the administrator's authentication information is replaced with that of an ordinary user), the request is re-sent, and the response is inspected to judge whether the interface has a privilege-escalation vulnerability. This method is very laborious, needs a large amount of manpower, and is especially prone to missed tests, so that privilege-escalation vulnerabilities go undiscovered and product security suffers.
The second is semi-automatic testing: all interfaces are collected by manual testing, then the authentication information in each request is modified and the responses before and after the modification are compared to judge whether privilege escalation is possible. This approach has several drawbacks: the test cannot be fully automated, a large number of APIs still have to be exercised by hand, and test efficiency is greatly reduced; and the test depends on the manually written API documentation, since the precondition "role X has permission on interface Y" must be known in advance, so the scope and efficiency of automation are limited by that documentation.
Disclosure of Invention
In view of the above shortcomings of the prior art, the present invention provides a method, a system, a terminal and a storage medium for testing vertical privilege-escalation vulnerabilities between WEB roles, so as to solve the above technical problems.
In a first aspect, the present invention provides a method for testing WEB role vertical privilege-escalation vulnerabilities, including:
logging in to the WEB application as a role user, locating the pages that the role user can operate from the front-end source files of the WEB application, and locating the operable elements on those pages;
driving the operable elements with an automation tool so that they send interface requests to the WEB back end, capturing the back end's response messages with a packet-capture tool, and saving each interface request together with its response message to the role's user file;
generating the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute;
and generating test requests based on the role user's own authentication information, sending them to the interfaces in the unauthorized-operation list, and passing the test if the access result matches what that authentication information permits (the back end refuses the request); otherwise the interface has a vertical privilege-escalation vulnerability.
Further, logging in to the WEB application as a role user, locating the pages that the role user can operate from the front-end source files, and locating the operable elements on those pages includes:
selecting a target role user at random from all role users, repeating until every role user has been traversed;
simulating the target role user's login with the automation tool, traversing every front-end source file of the WEB application that is reachable, and locating the pages that the target role user has permission to operate (pages the role cannot open are skipped);
and locating the operable elements on each such page by parsing its front-end source file, the operable elements including block elements, inline elements, buttons and input boxes.
Further, driving the operable elements with the automation tool so that they send interface requests to the WEB back end, capturing the back end's response messages with the packet-capture tool, and saving each interface request with its response message to the user file includes:
the automation tool checking the display state of each operable element, forming a locator (an XPath expression) for each element that is displayed normally, and locating and executing the operation through that locator;
and saving each interface request with its send time and each response message with its response time to the user file.
Further, generating the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute, includes:
logging in to the WEB application as the administrator user, sending interface requests according to the front-end source files by executing the operable elements with the automation tool, and saving each interface request with its response message to the administrator's request-and-response file;
comparing the user file against the administrator's request-and-response file for consistency, and selecting the interface requests that are present in the administrator's file but absent from the user file as target interface requests;
and parsing the interface information out of each target interface request and storing it in the unauthorized-operation list.
Further, generating test requests based on the role user's authentication information, sending them to the interfaces in the unauthorized-operation list, and passing the test if the access result matches the authentication information includes:
logging in through the requests library, obtaining the authentication information from the login response, and storing it in the request header;
sending an interface request to each interface in the unauthorized-operation list with a request header carrying that authentication information;
and obtaining the response status code for each interface request, judging whether the status code matches what the authentication information permits, and judging that the test passes if it does.
In a second aspect, the present invention provides a system for testing WEB role vertical privilege-escalation vulnerabilities, including:
an information parsing unit, used for logging in to the WEB application as a role user, locating the pages that the role user can operate from the front-end source files of the WEB application, and locating the operable elements on those pages;
an operation execution unit, used for driving the operable elements with an automation tool so that they send interface requests to the WEB back end, capturing the back end's response messages with a packet-capture tool, and saving each interface request together with its response message to the role's user file;
a file comparison unit, used for generating the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute;
and a permission verification unit, used for generating test requests based on the role user's own authentication information, sending them to the interfaces in the unauthorized-operation list, and passing the test if the access result matches what that authentication information permits.
Further, the information parsing unit is configured to:
select a target role user at random from all role users, repeating until every role user has been traversed;
simulate the target role user's login with the automation tool, traverse every reachable front-end source file of the WEB application, and locate the pages that the target role user has permission to operate;
and locate the operable elements on each such page by parsing its front-end source file, the operable elements including block elements, inline elements, buttons and input boxes.
Further, the operation execution unit is configured to:
have the automation tool check the display state of each operable element, form a locator (an XPath expression) for each element that is displayed normally, and locate and execute the operation through that locator;
and save each interface request with its send time and each response message with its response time to the user file.
Further, the file comparison unit is configured to:
log in to the WEB application as the administrator user, send interface requests according to the front-end source files by executing the operable elements with the automation tool, and save each interface request with its response message to the administrator's request-and-response file;
compare the user file against the administrator's request-and-response file for consistency, and select the interface requests that are present in the administrator's file but absent from the user file as target interface requests;
and parse the interface information out of each target interface request and store it in the unauthorized-operation list.
Further, the permission verification unit is configured to:
log in through the requests library, obtain the authentication information from the login response, and store it in the request header;
send an interface request to each interface in the unauthorized-operation list with a request header carrying that authentication information;
and obtain the response status code for each interface request, judge whether the status code matches what the authentication information permits, and judge that the test passes if it does.
In a third aspect, a terminal is provided, including a processor and a memory, wherein
the memory is used for storing a computer program, and
the processor is used for calling and running the computer program from the memory, so that the terminal executes the method of the first aspect.
In a fourth aspect, a computer storage medium is provided, in which instructions are stored that, when executed on a computer, cause the computer to perform the method of the above aspects.
The beneficial effects of the method, system, terminal and storage medium for testing WEB role vertical privilege-escalation vulnerabilities provided by the invention are the following: all html source files are traversed with Selenium to judge whether the current user has permission to access each page; all page elements are identified by parsing the html files, and all api request information files are collected by operating those elements with Selenium; and the list of apis that each role may not access is identified by reading the api request information files of the different roles, so that vertical privilege escalation can be tested. The invention realises a fully automatic vertical privilege-escalation test method for a multi-role system, greatly improves test efficiency, removes a large amount of manual effort from privilege-escalation testing, improves the coverage of privilege-escalation testing, avoids undiscovered privilege-escalation security problems and improves system security.
In addition, the invention has a reliable design principle, a simple structure and very broad application prospects.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below; it is obvious to those skilled in the art that other drawings can be obtained from these drawings without creative effort.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention.
FIG. 2 is a schematic block diagram of a system of one embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to help those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the invention.
The key terms appearing in the invention are explained below.
WEB, also called the World Wide Web (WEB sites begin with www), is a generic term for a network use environment. From the perspective of the network use environment, the Web is the web page browsed when a browser is used to access the internet. From the technical perspective, Web technology covers related technologies such as page layout design, code writing, database construction and the network platform of a website's web pages.
FIG. 1 is a schematic flow diagram of a method of one embodiment of the invention. The execution subject in FIG. 1 may be a test system for WEB role vertical privilege-escalation vulnerabilities.
As shown in FIG. 1, the method includes:
step 110, logging in to the WEB application as a role user, locating the pages that the role user can operate from the front-end source files of the WEB application, and locating the operable elements on those pages;
step 120, driving the operable elements with an automation tool so that they send interface requests to the WEB back end, capturing the back end's response messages with a packet-capture tool, and saving each interface request together with its response message to the role's user file;
step 130, generating the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute;
step 140, generating test requests based on the role user's own authentication information, sending them to the interfaces in the unauthorized-operation list, and passing the test if the access result matches what that authentication information permits.
To make the invention easier to understand, the test method for WEB role vertical privilege-escalation vulnerabilities provided by the invention is further described below using the principle of the method together with the process of testing such a vulnerability in this embodiment.
Specifically, the method for testing WEB role vertical privilege-escalation vulnerabilities comprises the following steps:
S1, logging in to the WEB application as the role user, locating the pages that the role user can operate from the front-end source files of the WEB application, and locating the operable elements on those pages.
A target role user is selected at random from all role users, and this is repeated until every role user has been traversed; the automation tool simulates the target role user's login, traverses every reachable front-end source file of the WEB application, and locates the pages that the target role user has permission to operate; the operable elements on each such page are located by parsing its front-end source file, the operable elements including block elements, inline elements, buttons and input boxes.
For example, the Selenium tool simulates the user logging in to the system and opening an html page (Selenium opening an html file is equivalent to navigating to the corresponding front-end page). A page the user has permission to access opens; if the user has no permission, opening fails. For each page that opens successfully, the html is parsed to obtain all operable elements of that page, such as block elements (div), inline elements (span), buttons and input boxes.
S2, driving the operable elements with the automation tool so that they send interface requests to the WEB back end, capturing the back end's response messages with the packet-capture tool, and saving each interface request with its response message to the user file.
The automation tool checks the display state of each operable element, the elements that are displayed normally are turned into locators (XPath expressions), and the operations are located and executed through those locators; each interface request with its send time and each response message with its response time is saved to the user file.
Selenium inspects each operable element, checking whether it is displayed and whether it is greyed out, to judge whether the element can currently be operated. The located operable elements are then operated through Selenium, for instance page navigation, data submission and data deletion. Selenium operates a page element by forming an XPath expression (the locator) from the element parsed in step S1, locating the element through the XPath, and performing click (mouse click) and other operations. The http/https request and response messages are captured locally with a packet-capture tool (for example tcpdump) and stored to a file; note that for https a packet sniffer such as tcpdump records only TLS ciphertext, so recording plaintext requests in practice requires an intercepting proxy that terminates TLS. Traversing all front-end html source files produces the file recording the api requests and responses of that role.
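The element-location and display-check step of S1 and S2 (and of the information parsing and operation execution units in the summary) can be illustrated offline. The following is an added example, not the patent's code: it parses a page's front-end HTML with the standard library, enumerates the operable element types the text names (div, span, button, input, plus links), builds an XPath locator for each, and marks the ones that cannot be operated because they are hidden, greyed out (disabled) or sit inside a hidden container. The HTML, element ids and tag set are constructed for illustration.

```python
"""
Added example, not the patent's code: parse a page's front-end HTML, enumerate
the operable elements (div, span, button, input, a), build an XPath locator for
each, and mark the ones that cannot be operated because they are hidden,
greyed out (disabled) or inside a hidden container. The HTML below is
constructed for illustration and the id/tag names are hypothetical.
"""
from html.parser import HTMLParser

OPERABLE_TAGS = {"div", "span", "button", "input", "a"}
VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}  # never have a closing tag

SAMPLE_HTML = """
<html><body>
<div id="menu">
  <button id="btn-refresh">Refresh</button>
  <button id="btn-delete" disabled>Delete user</button>
  <span class="row" onclick="openRow(1)">Row 1</span>
  <input type="text" name="search">
  <div id="admin-panel" style="display:none"><button id="btn-promote">Promote</button></div>
</div>
</body></html>
"""


def _is_hidden(attrs):
    """True for a `hidden` attribute or an inline style that hides the element."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "hidden" in attrs or "display:none" in style or "visibility:hidden" in style


class OperableElementFinder(HTMLParser):
    """Walks the document keeping a stack of open elements, so that a positional
    XPath can be built, and records every operable-type element it meets."""

    def __init__(self):
        super().__init__()
        self._stack = []       # (tag, index among same-tag siblings, hidden?) per open element
        self._counters = [{}]  # per nesting level: how many of each tag seen so far
        self.elements = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # bare attributes such as `disabled` map to None
        index = self._counters[-1].get(tag, 0) + 1
        self._counters[-1][tag] = index
        hidden = _is_hidden(attrs) or any(h for _, _, h in self._stack)
        self._stack.append((tag, index, hidden))
        self._counters.append({})
        if tag in OPERABLE_TAGS:
            positional = "/" + "/".join(f"{t}[{i}]" for t, i, _ in self._stack)
            locator = f"//{tag}[@id='{attrs['id']}']" if attrs.get("id") else positional
            self.elements.append({
                "tag": tag,
                "id": attrs.get("id"),
                "xpath": locator,
                "operable": not hidden and "disabled" not in attrs,
            })
        if tag in VOID_TAGS:   # e.g. <input>: no end tag will arrive, pop now
            self.handle_endtag(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <tag .../>
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1][0] == tag:
            self._stack.pop()
            self._counters.pop()


def find_operable_elements(html):
    """All operable-type elements with their locator and whether they can be operated now."""
    parser = OperableElementFinder()
    parser.feed(html)
    parser.close()
    return parser.elements


def operable_locators(html):
    """Only the locators the automation tool should actually drive."""
    return [e["xpath"] for e in find_operable_elements(html) if e["operable"]]


if __name__ == "__main__":
    for element in find_operable_elements(SAMPLE_HTML):
        print(element)
```

The id-based locator is preferred where an id exists because positional paths break as soon as the page layout changes; the positional form is the fallback for anonymous rows and inputs. Elements that are disabled or inside a hidden container are still recorded, but flagged as not operable, so that the driver skips them instead of failing on a click that Selenium would reject.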
S3, generating the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute.
The administrator user logs in to the WEB application, interface requests are sent according to the front-end source files by executing the operable elements with the automation tool, and each interface request with its response message is saved to the administrator's request-and-response file; the user file is compared against the administrator's request-and-response file for consistency, and the interface requests that are present in the administrator's file but absent from the user file are selected as target interface requests; the interface information is parsed out of each target interface request and stored in the unauthorized-operation list.
In this way each role's user produces a file recording the api requests and responses for that role. The files of the different roles are then compared and analysed to generate, for each role, the list of APIs it may not access: comparing the file of role 1 with the administrator's file, an api that is present in the administrator's file but absent from role 1's file is an api that role 1 has no permission to access. All files are analysed in turn to generate the no-permission API list for every role. Note that this comparison only covers interfaces that the administrator's pages actually invoked; interfaces that are not wired to any front-end element are never captured and need another source, such as the API documentation or the server's route table.
S4, generating test requests based on the role user's own authentication information, sending them to the interfaces in the unauthorized-operation list, and passing the test if the access result matches what that authentication information permits.
The login is performed through the requests library, the authentication information is obtained from the login response and stored in the request header; an interface request is sent to each interface in the unauthorized-operation list with the request header carrying that authentication information; the response status code of each interface request is obtained, it is judged whether the status code matches what the authentication information permits, and the test is judged to pass if it does.
Logging in with Python's requests library, the authentication information such as the token is taken from the login response and stored in the request header, so that the session and header are used for the subsequent request messages. After logging in, request messages are sent in turn to each api in the list the role has no permission for. The response status code is checked against the expected value (403 Forbidden), or the response data is checked against what is expected: a refused request means the api correctly enforces the role and the test passes, while a successful response (for example 200 with the administrator's data) means the current role has a vertical privilege-escalation vulnerability on that api. Because the replayed requests include state-changing operations such as deletion, the test should run against a disposable test environment.
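The four steps S1 to S4 above (and the equivalent first-aspect steps in the summary) form one procedure, shown end to end below as an added example that is not the patent's code. Because the real method drives a browser with Selenium, captures traffic with a proxy and replays with requests, none of which run offline, the example substitutes a constructed in-memory back end, front end and token table: the role names, page names, interface paths and the deliberately seeded missing role check are all hypothetical. What it demonstrates is the logic the patent describes: per-role capture, set difference against the administrator's capture, and replay of the difference with the lower role's own credentials, reporting any interface that does not refuse the request.

```python
"""
Added example, not the patent's code: an offline simulation of the four-step
vertical privilege-escalation (longitudinal override) test. The back end, the
front end, the role tokens and the capture records are all constructed here so
that it runs stand-alone; in practice steps 1-2 drive a browser with Selenium
and capture traffic with an intercepting proxy, and step 4 replays with requests.
"""

# Constructed role -> bearer token map (a real run obtains tokens by logging in).
TOKENS = {"admin": "tok-admin-1", "operator": "tok-op-2", "viewer": "tok-view-3"}
ROLE_OF_TOKEN = {t: r for r, t in TOKENS.items()}

# Constructed API catalogue: which roles the back end *should* allow per interface.
PERMISSIONS = {
    ("GET", "/api/dashboard"): {"admin", "operator", "viewer"},
    ("POST", "/api/tickets"): {"admin", "operator"},
    ("GET", "/api/users"): {"admin"},
    ("DELETE", "/api/users/42"): {"admin"},
}
# Seeded defect (hypothetical): this interface checks only that *a* valid token is
# present, not the caller's role, so a non-admin can reach it. The test must find it.
MISSING_ROLE_CHECK = {("DELETE", "/api/users/42")}

# Constructed front end: page -> (roles that can open it, interfaces its elements call).
# Non-admin roles cannot open users.html, so steps 1-2 never record its interfaces for them.
FRONTEND = {
    "dashboard.html": ({"admin", "operator", "viewer"}, [("GET", "/api/dashboard")]),
    "tickets.html": ({"admin", "operator"}, [("POST", "/api/tickets")]),
    "users.html": ({"admin"}, [("GET", "/api/users"), ("DELETE", "/api/users/42")]),
}


def backend(method, path, headers):
    """Mock HTTP back end: returns (status, body) the way a real server would."""
    auth = headers.get("Authorization", "")
    role = ROLE_OF_TOKEN.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if role is None:
        return 401, {"error": "unauthenticated"}
    key = (method, path)
    if key not in PERMISSIONS:
        return 404, {"error": "not found"}
    if key in MISSING_ROLE_CHECK or role in PERMISSIONS[key]:
        return 200, {"ok": True, "role": role}
    return 403, {"error": "forbidden"}


def crawl_as(role):
    """Steps S1-S2: open every page as `role`, exercise each reachable element and
    record the interface request with its response (the per-role 'user file')."""
    headers = {"Authorization": f"Bearer {TOKENS[role]}"}
    records = []
    for page, (openable_by, interfaces) in FRONTEND.items():
        if role not in openable_by:
            continue  # the page fails to open for this role: nothing to exercise
        for method, path in interfaces:
            status, body = backend(method, path, headers)
            records.append({"page": page, "method": method, "path": path,
                            "status": status, "body": body})
    return records


def unauthorized_list(role_records, admin_records):
    """Step S3: interfaces that appear in the admin's capture but not in the role's."""
    seen = {(r["method"], r["path"]) for r in role_records}
    return sorted({(r["method"], r["path"]) for r in admin_records} - seen)


def verify(role, targets):
    """Step S4: replay each unauthorized interface with the role's own credentials.
    The back end should answer 401/403; any other status is a vertical
    privilege-escalation finding."""
    headers = {"Authorization": f"Bearer {TOKENS[role]}"}
    findings = []
    for method, path in targets:
        status, body = backend(method, path, headers)
        if status not in (401, 403):
            findings.append({"role": role, "method": method, "path": path,
                             "status": status, "body": body})
    return findings


def run_test(roles=("operator", "viewer")):
    """Whole procedure for every non-admin role: candidates and findings per role."""
    admin_records = crawl_as("admin")
    report = {}
    for role in roles:
        targets = unauthorized_list(crawl_as(role), admin_records)
        report[role] = {"candidates": targets, "findings": verify(role, targets)}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_test(), indent=2))
```

Two points the status-code check alone does not cover: some applications answer 200 with an error body or an empty list instead of 403, so comparing the lower role's response body with the administrator's captured body for the same interface is a stronger oracle than the status code; and the candidate list is only as complete as the administrator's click-through, so interfaces never triggered from a page are outside this test's reach.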
As shown in FIG. 2, the system 200 includes:
an information parsing unit 210, configured to log in to the WEB application as a role user, locate the pages that the role user can operate from the front-end source files of the WEB application, and locate the operable elements on those pages;
an operation execution unit 220, configured to drive the operable elements with an automation tool so that they send interface requests to the WEB back end, capture the back end's response messages with a packet-capture tool, and save each interface request together with its response message to the role's user file;
a file comparison unit 230, configured to generate the role user's unauthorized-operation list by comparing the user file with the administrator's request-and-response file, the unauthorized-operation list holding the interfaces that the role user has no permission to execute;
and a permission verification unit 240, configured to generate test requests based on the role user's own authentication information, send them to the interfaces in the unauthorized-operation list, and pass the test if the access result matches what that authentication information permits.
Optionally, as an embodiment of the invention, the information parsing unit is configured to:
select a target role user at random from all role users, repeating until every role user has been traversed;
simulate the target role user's login with the automation tool, traverse every reachable front-end source file of the WEB application, and locate the pages that the target role user has permission to operate;
and locate the operable elements on each such page by parsing its front-end source file, the operable elements including block elements, inline elements, buttons and input boxes.
Optionally, as an embodiment of the invention, the operation execution unit is configured to:
have the automation tool check the display state of each operable element, form a locator (an XPath expression) for each element that is displayed normally, and locate and execute the operation through that locator;
and save each interface request with its send time and each response message with its response time to the user file.
Optionally, as an embodiment of the invention, the file comparison unit is configured to:
log in to the WEB application as the administrator user, send interface requests according to the front-end source files by executing the operable elements with the automation tool, and save each interface request with its response message to the administrator's request-and-response file;
compare the user file against the administrator's request-and-response file for consistency, and select the interface requests that are present in the administrator's file but absent from the user file as target interface requests;
and parse the interface information out of each target interface request and store it in the unauthorized-operation list.
Optionally, as an embodiment of the invention, the permission verification unit is configured to:
log in through the requests library, obtain the authentication information from the login response, and store it in the request header;
send an interface request to each interface in the unauthorized-operation list with a request header carrying that authentication information;
and obtain the response status code for each interface request, judge whether the status code matches what the authentication information permits, and judge that the test passes if it does.
Fig. 3 is a schematic structural diagram of a terminal 300 according to an embodiment of the present invention, where the terminal 300 may be used to execute a method for testing a WEB role longitudinal unauthorized vulnerability according to the embodiment of the present invention.
Among them, the terminal 300 may include: a processor 310, a memory 320, and a communication unit 330. The components communicate via one or more buses, and those skilled in the art will appreciate that the architecture of the servers shown in the figures is not intended to be limiting, and may be a bus architecture, a star architecture, a combination of more or less components than those shown, or a different arrangement of components.
The memory 320 may be used for storing instructions executed by the processor 310, and the memory 320 may be implemented by any type of volatile or non-volatile storage terminal or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk. The executable instructions in memory 320, when executed by processor 310, enable terminal 300 to perform some or all of the steps in the method embodiments described below.
The processor 310 is a control center of the storage terminal, connects various parts of the entire electronic terminal using various interfaces and lines, and performs various functions of the electronic terminal and/or processes data by operating or executing software programs and/or modules stored in the memory 320 and calling data stored in the memory. The processor may be composed of an Integrated Circuit (IC), for example, a single packaged IC, or a plurality of packaged ICs connected with the same or different functions. For example, the processor 310 may include only a Central Processing Unit (CPU). In the embodiment of the present invention, the CPU may be a single operation core, or may include multiple operation cores.
The communication unit 330 is configured to establish a communication channel so that the storage terminal can communicate with other terminals, receiving user data sent by other terminals or sending user data to other terminals.
The present invention also provides a computer storage medium, wherein the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments provided by the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Therefore, the method and the device judge whether the current user has the right to access the corresponding page by traversing all html source code files through selenium; identify all page elements by analyzing the html file, and collect all api request information files by operating the elements with selenium; and identify the corresponding unauthorized access api lists of different roles by reading the api request information files of different roles, so as to test longitudinal override. The invention realizes a fully automatic testing method for longitudinal override in a multi-role system, greatly improves testing efficiency, reduces the large labor input of override testing, improves the coverage of override testing, avoids undiscovered override security problems, and improves the security of the system.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, where the computer software product is stored in a storage medium, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like, and the storage medium can store program codes, and includes instructions for enabling a computer terminal (which may be a personal computer, a server, or a second terminal, a network terminal, and the like) to perform all or part of the steps of the method in the embodiments of the present invention.
The same and similar parts in the various embodiments in this specification may be referred to each other. Especially, for the terminal embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant points can be referred to the description in the method embodiment.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, systems or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Although the present invention has been described in detail with reference to the drawings in connection with the preferred embodiments, the present invention is not limited thereto. Those skilled in the art can make various equivalent modifications or substitutions to the embodiments of the present invention without departing from its spirit and scope, and such modifications or substitutions fall within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for testing a WEB role longitudinal override vulnerability, characterized in that it comprises:
logging in to the WEB as a role user, locating the operable interface of the role user from the source code files of the WEB, and locating the operable elements in the operable interface;
executing the operable elements through an automation tool to send interface requests to the WEB back end, capturing the back end's response messages to the interface requests through a packet capture tool, and saving the interface requests and the corresponding response messages to a user file;
generating an unauthorized operation list of the role user by comparing the user file with the administrator's request and response file, the unauthorized operation list storing the interfaces that the role user has no permission to execute;
generating a test request based on the authentication information of the role user, the test request accessing the interfaces in the unauthorized operation list, and passing the test if the access result matches the authentication information.

2. The method according to claim 1, characterized in that logging in to the WEB as a role user, locating the operable interface of the role user from the source code files of the WEB, and locating the operable elements in the operable interface comprises:
randomly selecting a target role user from all role users until all role users have been traversed;
using the automation tool to simulate the target role user logging in to the WEB, traversing all accessible front-end source code files of the WEB, and locating the operable interfaces on which the target role user has operation permission;
locating the operable elements in the operable interface by parsing the front-end source code files, the operable elements including block elements, line elements, buttons and input boxes.

3. The method according to claim 1, characterized in that executing the operable elements through an automation tool to send interface requests to the WEB back end, capturing the back end's response messages to the interface requests through a packet capture tool, and saving the interface requests and the corresponding response messages to a user file comprises:
the automation tool performing a display check on the operable elements, composing the normally displayed operable elements into wildcards, and locating and executing operations through the wildcards;
saving the interface requests with their send times and the response messages with their response times to the user file.

4. The method according to claim 1, characterized in that generating an unauthorized operation list of the role user by comparing the user file with the administrator's request and response file, the unauthorized operation list storing the interfaces that the role user has no permission to execute, comprises:
logging in to the WEB as the administrator user, sending interface requests according to the front-end source code files and the automation tool, and saving the interface requests and the corresponding response messages to the administrator's request and response file;
comparing the user file with the administrator's request and response file for consistency, and filtering out, as target interface requests, the interface requests that appear in the request and response file but not in the user file;
parsing interface information from the target interface requests and saving the interface information to the unauthorized operation list.

5. The method according to claim 1, characterized in that generating a test request based on the authentication information of the role user, the test request accessing the interfaces in the unauthorized operation list, and passing the test if the access result matches the authentication information, comprises:
logging in through the request library to obtain the authentication information from the response, and saving the authentication information to the request header;
sending interface requests to the interfaces in the unauthorized operation list based on the request header carrying the authentication information;
obtaining the status code of the response to the interface request, judging whether the status code matches the authentication information, and judging that the test passes if the two match.

6. A system for testing a WEB role longitudinal override vulnerability, characterized in that it comprises:
an information parsing unit, configured to log in to the WEB as a role user, locate the operable interface of the role user from the source code files of the WEB, and locate the operable elements in the operable interface;
an operation execution unit, configured to execute the operable elements through an automation tool to send interface requests to the WEB back end, capture the back end's response messages to the interface requests through a packet capture tool, and save the interface requests and the corresponding response messages to a user file;
a file comparison unit, configured to generate an unauthorized operation list of the role user by comparing the user file with the administrator's request and response file, the unauthorized operation list storing the interfaces that the role user has no permission to execute;
an authority verification unit, configured to generate a test request based on the authentication information of the role user, the test request accessing the interfaces in the unauthorized operation list, and to pass the test if the access result matches the authentication information.

7. The system according to claim 6, characterized in that the information parsing unit is configured to:
randomly select a target role user from all role users until all role users have been traversed;
use the automation tool to simulate the target role user logging in to the WEB, traverse all accessible front-end source code files of the WEB, and locate the operable interfaces on which the target role user has operation permission;
locate the operable elements in the operable interface by parsing the front-end source code files, the operable elements including block elements, line elements, buttons and input boxes.

8. The system according to claim 6, characterized in that the operation execution unit is configured to:
have the automation tool perform a display check on the operable elements, compose the normally displayed operable elements into wildcards, and locate and execute operations through the wildcards;
save the interface requests with their send times and the response messages with their response times to the user file.

9. A terminal, characterized in that it comprises:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to perform the method of any one of claims 1 to 5.

10. A computer-readable storage medium storing a computer program, characterized in that, when the program is executed by a processor, the method according to any one of claims 1 to 5 is implemented.
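The two back-end-facing steps of the method, the file comparison that yields the unauthorized operation list (claim 4) and the right verification that replays that list with the role user's authentication header and checks the status code (the right verifying unit described above and claim 5), as one added Python example. This is not the patent's or the applicant's code. The JSON-lines capture layout, the field names, the folding of numeric path segments into {id}, the reading of "status code matches the authentication information" as "the back end answers 401 or 403", and the fake back end with its deliberately over-permissive entry are all assumptions made for this illustration.

```python
"""Added example (not the patent's code): derive a role user's unauthorized-operation
list from captured request/response files and verify that each listed interface
rejects that role's credentials. File layout, names and the fake back end are
assumptions made for this illustration."""
import json
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed sample captures in an assumed JSON-lines layout: one record per
# interface request recorded while the automation tool drove the UI.
ADMIN_CAPTURE = "\n".join(json.dumps(r) for r in [
    {"method": "GET",    "url": "https://app.example/api/users",        "status": 200},
    {"method": "POST",   "url": "https://app.example/api/users",        "status": 201},
    {"method": "DELETE", "url": "https://app.example/api/users/42",     "status": 204},
    {"method": "DELETE", "url": "https://app.example/api/users/43",     "status": 204},
    {"method": "GET",    "url": "https://app.example/api/profile",      "status": 200},
    {"method": "POST",   "url": "https://app.example/api/config?dry=1", "status": 200},
])
ROLE_CAPTURE = "\n".join(json.dumps(r) for r in [
    {"method": "GET", "url": "https://app.example/api/profile", "status": 200},
])

# Assumption: for a role user, these codes are what "matches the auth info" means.
DENIED = {401, 403}


def normalize_path(url: str) -> str:
    """Interface template: host and query dropped, numeric ids folded to {id}."""
    path = urlsplit(url).path
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse_capture(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_unauthorized_list(admin_text: str, user_text: str) -> List[dict]:
    """Claim 4: interfaces present in the admin capture but absent from the role
    user's capture, each kept once, with a concrete path to replay."""
    user_seen = {(r["method"], normalize_path(r["url"])) for r in parse_capture(user_text)}
    result, seen = [], set()
    for r in parse_capture(admin_text):
        key = (r["method"], normalize_path(r["url"]))
        if key in user_seen or key in seen:
            continue
        seen.add(key)
        result.append({"method": r["method"], "template": key[1], "path": urlsplit(r["url"]).path})
    return result


# (method, path, headers) -> HTTP status. Lets the same check run against a real
# back end through the request library, or against the fake one below offline.
Transport = Callable[[str, str, Dict[str, str]], int]


def verify_role(unauthorized: List[dict], auth_header: Dict[str, str], send: Transport) -> Dict[str, list]:
    """Claim 5: replay each unauthorized interface with the role's auth header and
    pass only when the back end refuses it; anything else is an override finding."""
    report = {"passed": [], "failed": []}
    for item in unauthorized:
        status = send(item["method"], item["path"], dict(auth_header))
        entry = (item["method"], item["template"], status)
        report["passed" if status in DENIED else "failed"].append(entry)
    return report


# Constructed stand-in for the WEB back end: session tokens, a role ACL keyed by
# interface template, and one deliberately over-permissive entry to be caught.
FAKE_SESSIONS = {"Bearer viewer-token": "viewer", "Bearer admin-token": "admin"}
FAKE_ACL = {
    ("GET", "/api/users"): {"admin"},
    ("POST", "/api/users"): {"admin"},
    ("DELETE", "/api/users/{id}"): {"admin"},
    ("GET", "/api/profile"): {"admin", "viewer"},
    ("POST", "/api/config"): {"admin", "viewer"},  # constructed defect: role check too loose
}


def fake_backend(method: str, path: str, headers: Dict[str, str]) -> int:
    role = FAKE_SESSIONS.get(headers.get("Authorization", ""))
    if role is None:
        return 401
    allowed = FAKE_ACL.get((method, normalize_path(path)))
    if allowed is None:
        return 404
    return 200 if role in allowed else 403


def run_viewer_check() -> Dict[str, list]:
    # In a live run the token is taken from the login response obtained with the
    # request library; here it is the constructed viewer session above.
    unauthorized = build_unauthorized_list(ADMIN_CAPTURE, ROLE_CAPTURE)
    return verify_role(unauthorized, {"Authorization": "Bearer viewer-token"}, fake_backend)


if __name__ == "__main__":
    rep = run_viewer_check()
    for method, template, status in rep["failed"]:
        print(f"FAIL {method} {template}: role user got {status}")
    print(f"{len(rep['passed'])} denied as expected, {len(rep['failed'])} override findings")
```

Against a live system the transport is a one-liner over the request library, for instance `lambda m, p, h: requests.request(m, base_url + p, headers=h, allow_redirects=False).status_code`; `allow_redirects=False` matters because a redirect to the login page (302) is then reported as a finding rather than silently followed to a 200. Two caveats a practitioner should keep in mind: a back end that answers 200 with an error body to an unauthorized caller is not caught by a status-code comparison alone, so comparing the role user's response body against the administrator's for the same interface is a useful second check, and folding numeric segments into {id} is a heuristic that may need extending for UUIDs or slugs in the paths of the system under test.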
CN202111203376.9A 2021-10-15 2021-10-15 Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability Withdrawn CN114003916A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111203376.9A CN114003916A (en) 2021-10-15 2021-10-15 Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111203376.9A CN114003916A (en) 2021-10-15 2021-10-15 Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability

Publications (1)

Publication Number Publication Date
CN114003916A true CN114003916A (en) 2022-02-01

Family

ID=79923085

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111203376.9A Withdrawn CN114003916A (en) 2021-10-15 2021-10-15 Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability

Country Status (1)

Country Link
CN (1) CN114003916A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116821968A (en) * 2023-08-31 2023-09-29 北京亿赛通科技发展有限责任公司 File authority management and control method and device
CN116821968B (en) * 2023-08-31 2023-11-07 北京亿赛通科技发展有限责任公司 File authority management and control method and device

Similar Documents

Publication Publication Date Title
US10769228B2 (en) Systems and methods for web analytics testing and web development
Li et al. Block: a black-box approach for detection of state violation attacks towards web applications
Fonseca et al. Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks
US9846781B2 (en) Unused parameters of application under test
EP2715600A1 (en) Automated security testing
US10884911B2 (en) System and method for use in regression testing of electronic document hyperlinks
Li et al. LogicScope: Automatic discovery of logic vulnerabilities within web applications
CN117493188A (en) Interface testing methods and devices, electronic equipment and storage media
Du et al. Vulnerability-oriented Testing for {RESTful}{APIs}
CN110287700A (en) An iOS application security analysis method and device
Rautenstrauch et al. To auth or not to auth? a comparative analysis of the pre-and post-login security landscape
CN114003916A (en) Method, system, terminal and storage medium for testing WEB role longitudinal override vulnerability
CN117834265A (en) Abnormal network request testing method and system
CN115270139B (en) IoT equipment network service automatic vulnerability analysis method and system
CN112446030B (en) Method and device for detecting file uploading vulnerability of webpage end
CN115935310A (en) Detection method, device, equipment and storage medium of weak password in login page
CN115438348A (en) Page data acquisition method and device
Kilaru Improving techniques for SQL injection defenses
Kim et al. Automatic monitoring of service reliability for web applications: a simulation‐based approach
CN112417328B (en) Webpage monitoring method and device
CN115941250A (en) Web application verification vulnerability detection method, device, terminal and storage medium
CN120090819A (en) Unauthorized detection method, device, equipment and medium
Pan et al. Trailblazer: Practical End-to-end Web API Fuzzing (Registered Report)
CN119396699A (en) Interface request replay method, device, medium and electronic device
CN119807058A (en) A method and system for automatically generating and managing test cases

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220201