CN115967551B - Method and device for detecting server request forgery vulnerability based on vulnerability information guidance - Google Patents
- Publication number: CN115967551B (application CN202211591624.6A)
- Authority: CN (China)
- Prior art keywords: vulnerability, request, input, character string, string
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00, reducing energy consumption in communication networks, within Y02D, climate change mitigation technologies in ICT)
Description
Technical Field
The present invention relates to the technical field of vulnerability detection, and in particular to a method and device for detecting server-side request forgery (SSRF) vulnerabilities guided by vulnerability information.
Background
Fetching external resources provided by other network services has become a standard feature of modern web applications, but the location of those resources is frequently controlled by user input. For example, web applications load user-supplied links to preview images and videos, or fetch the resource behind a link for features such as information collection. To support these conveniences, web applications rely on server-side requests, that is, HTTP requests generated by the server and exchanged between servers, and this exposes the server-side request functionality to attack. When a web application sends a request and fetches a resource without validating the user-supplied URL, an attacker can forge the request so that the server connects to an unintended destination, and can use that to attack the target system further. This class of security issue is the server-side request forgery (SSRF) vulnerability.
There has been little research on SSRF detection in PHP web applications. The current sets of SSRF-related sensitive functions (sinks) are incomplete and do not cover every function through which an SSRF can occur, so static analysis cannot fully analyse and assess the risk that SSRF poses in source code. Traditional dynamic application security testing works by black-box scanning; it can detect SSRF vulnerabilities, but with a high false negative rate. There is therefore a need for an SSRF detection method that, building on a complete inventory of SSRF-related sensitive functions, lowers both the false positive and the false negative rate.
Summary of the Invention
The technical problem addressed by the present invention is, in view of the shortcomings of the prior art, to provide a vulnerability-information-guided SSRF detection method and device that is simple to implement, efficient and accurate, and has low false positive and false negative rates, so that SSRF vulnerabilities can be mined precisely and comprehensively while both kinds of error are reduced.
To solve this problem, the technical solution proposed by the present invention is as follows.
A method for detecting SSRF vulnerabilities guided by vulnerability information, comprising the steps:
Step S01. Construct requests to the web application server and send them to the web server.
Step S02. When an HTTP request to the web application server is captured, parse the captured request, extract the input points from the request packet and pass them to the probe engine.
Step S03. When the HTTP probe request sent by the probe engine to the web server is received, apply the staged vulnerability discrimination method to the string at the input source and the string observed at the sink (the taint point) to decide whether a vulnerability may exist; if so, feed the corresponding request packet and the vulnerability type back to the fuzzer.
Step S04. The fuzzer mutates the vulnerability payload according to the vulnerability type and sends the mutated payload to the web server as input to the corresponding function point of the web application.
Step S05. While the fuzzer sends its fuzz requests to the web server, monitor whether the vulnerability is triggered; if it is, conclude that the vulnerability exists and output the vulnerability information together with the request that triggered it.
The staged vulnerability discrimination method decides whether a vulnerability exists by running three stages in sequence over the input-source string and the sink string: substring discrimination, string similarity discrimination and differential verification. The substring stage checks whether the string at the sink is a substring of the input-source string. The similarity stage measures the similarity between the two strings and, if the similarity condition is met, hands over to the differential verification stage. The differential verification stage decides whether a vulnerability exists by comparing, for each parameter, the values supplied at the parameter with the values that arrive at the sink.
Further, in the substring discrimination stage, it is checked whether the string at the sink is a substring of the string supplied at the input source. If it is, and the length of the matching part exceeds a preset threshold, the current position is judged vulnerable and the corresponding HTTP parameter is judged able to carry a valid vulnerability payload; otherwise the string similarity discrimination stage is entered.
Further, in the string similarity discrimination stage, the distance between the input-source string A and the sink string B is computed to evaluate whether the number of character insertions and deletions needed to turn A into B satisfies a threshold condition; if it does, A and B are judged similar.
Further, in the differential verification stage, two different inputs are constructed for each parameter in the request packet, and whether the current position is vulnerable is decided by whether the two values arriving at the sink for the two parameter values are identical.
Further, the two inputs constructed for each parameter are A1 and A2, where A2 is obtained by randomly modifying a specified number of characters of A1. The values B1 and B2 that arrive at the sink for inputs A1 and A2 at the target parameter are compared: if they are identical, the target parameter is judged not vulnerable; otherwise it is judged vulnerable.
Further, mutating the vulnerability payload according to the vulnerability type in step S04 comprises: first combining all operation types in every possible combination to obtain a mutation strategy chain L containing all combinations, then removing the invalid combinations to obtain the final mutation strategy chain L.
Further, step S01 comprises:
Step S101. Use static analysis to extract site map data from the web application source code and build a preliminary site map.
Step S102. Using the site map built in step S101 as input to a state-aware crawler, crawl each page of the web application interactively according to the site map and construct requests that are valid for the web application server.
Step S103. Send the requests constructed in step S102 to the web server.
Further, step S02 comprises:
Step S201. The instrumentation component captures the requests sent to the web server and passes the captured requests to the HTTP request parsing module.
Step S202. The HTTP request parsing module identifies the input points corresponding to the parameters of the request, marks them in the request packet and sends the parsed data to the probe engine.
A device for detecting SSRF vulnerabilities guided by vulnerability information, comprising:
a request construction module, for constructing requests to the web application server and sending them to the web server;
an HTTP request parsing module, for parsing a captured request to the web application server, extracting the input points from the request packet and passing them to the probe engine;
a staged vulnerability discrimination module, for applying the staged vulnerability discrimination method to the input-source string and the sink string when the probe request sent by the probe engine to the web server is received, and, if a vulnerability is judged to exist, feeding the corresponding request packet and vulnerability type back to the fuzzer;
a fuzzer, for mutating the vulnerability payload according to the vulnerability type and sending the mutated payload to the web server as input to the corresponding function point of the web application;
a vulnerability detection module, for monitoring whether the vulnerability is triggered while the fuzzer sends fuzz requests to the web server and, if so, concluding that the vulnerability exists and outputting the vulnerability information and the triggering request.
The staged vulnerability discrimination method used by the staged vulnerability discrimination module runs the same three stages described above, substring discrimination, string similarity discrimination and differential verification, in sequence over the input-source string and the sink string.
A computer-readable storage medium storing a computer program which, when executed, implements the above method.
Compared with the prior art, the present invention has the following advantages. It first identifies all relevant PHP sensitive functions, then uses lightweight instrumentation together with the staged vulnerability discrimination method (substring discrimination, string similarity discrimination and differential verification, in that order) to judge whether a vulnerability is likely. Once a vulnerability is judged likely, the payload is mutated and the mutated payloads are fed to the corresponding function point of the web application while the sink is continuously monitored to see whether the SSRF vulnerability is actually triggered, confirming whether it really exists. SSRF vulnerabilities can thus be mined precisely and comprehensively, and the staged discrimination step effectively avoids both false positives and false negatives.
Brief Description of the Drawings
FIG. 1 is a flow diagram of the vulnerability-information-guided SSRF detection method of this embodiment.
FIG. 2 is a flow diagram of the staged vulnerability discrimination method of this embodiment.
Detailed Description
The present invention is further described below with reference to the drawings and specific preferred embodiments, which do not limit its scope of protection.
As shown in FIG. 1, the method of this embodiment follows steps S01 to S05 as set out in the summary above: request construction (S01); capture and parsing of the HTTP request into input points for the probe engine (S02); staged discrimination of each input point against the value observed at the sink, with candidates and their vulnerability type handed to the fuzzer (S03); type-specific mutation of the payload and its submission to the corresponding function point (S04); and monitoring for the trigger while the fuzz requests are sent, with the vulnerability information and triggering request output on success (S05). The staged discrimination of step S03 runs substring discrimination, string similarity discrimination and differential verification in sequence over the input-source string and the sink string, as described above.
This embodiment targets SSRF detection in PHP web applications. All relevant PHP sensitive functions are enumerated first; lightweight instrumentation combined with the staged discrimination method then judges whether a vulnerability is likely; once it is, the payload is mutated and fed to the corresponding function point while the sink is monitored to see whether the SSRF is actually triggered. This finds SSRF vulnerabilities precisely and comprehensively, and the staged discrimination keeps both false positives and false negatives low.
In this embodiment step S01 consists of steps S101 to S103 (static extraction of a preliminary site map from the source code, state-aware crawling driven by that site map to build valid requests, and sending those requests to the web server), and step S02 consists of steps S201 and S202 (capture of the request by the instrumentation component, and parsing and marking of its input points by the HTTP request parsing module, which forwards them to the probe engine), as set out above.
After these steps all relevant PHP sensitive functions have been identified, and the SSRF discrimination and detection that follow build on them.
To find efficiently which inputs in the HTTP request fields are associated with a potential vulnerability point, this embodiment applies dynamic taint propagation: variable flow is labelled at the interpreter kernel level, with sources and sinks marked so that the input position of the taint can be determined. Traditional dynamic taint analysis cannot by itself decide accurately whether a vulnerability exists, because during propagation it is hard to tell whether an intermediate filtering function has sanitised the propagated value effectively. If the taint label is cleared after the variable passes through a filter that is in fact insufficient, the vulnerability is missed (a false negative); if the filter has already sanitised the data strictly but the label keeps propagating, the result is a spurious report (a false positive).
Since a filter function is in essence a transformation of the input string (insertions, deletions and replacements), if the string has not changed much after filtering, the sink is very likely vulnerable. This embodiment uses this before/after property of string filtering to build the staged vulnerability discrimination method, which judges whether a vulnerability may exist and thereby decides whether to proceed to fuzzing. As shown in FIG. 2, the method has three stages, detailed below.
A. Substring discrimination stage: check whether the string at the sink is a substring of the string supplied at the input source. If it is, and the length of the matching part exceeds a preset threshold, the current position is directly judged vulnerable and the corresponding HTTP parameter can carry a valid vulnerability payload. Otherwise the string similarity stage is entered: if the match is only approximate, for example because characters were replaced or inserted, no conclusion can be drawn yet and the next stage is needed.
B. String similarity discrimination stage: compute the distance between the input-source string A and the sink string B (the Levenshtein distance can be used) to evaluate whether the number of insertions and deletions needed to turn A into B satisfies a threshold condition; if it does, A and B are judged similar. Because a filter function may have replaced a dangerous payload with a fixed string, similarity alone does not establish a vulnerability, and the next stage (differential verification) is still required.
C. Differential verification stage: the probe module constructs two similar inputs A1 and A2 at the same input point for each parameter in the request packet, where A2 is obtained by randomly modifying a specified number of characters of A1, and compares the values B1 and B2 arriving at the sink for A1 and A2 at the target parameter. If B1 and B2 are identical, a fairly strict filter has been encountered, it can be assumed that there is no vulnerability, and the position is judged not vulnerable. If they differ, a change in the parameter value influences what reaches the sink, and the position is judged vulnerable.
By running substring discrimination, string similarity discrimination and differential verification in turn over the input-source string and the sink string, the staged method fully captures how the string changed during filtering and judges accurately whether a vulnerability may exist, which both reduces false negatives and improves the efficiency of the fuzzing that follows.
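The source/sink capture and the three-stage discrimination described above, as an added Python example that is not part of the patent. The thresholds, the number of characters changed to derive A2, the sample filter functions (which stand in for the PHP application code that sits between the HTTP parameter and the instrumented sink), the probe_request helper and the handling of a failed similarity check (the page does not say what happens when stage B finds the strings dissimilar; here the candidate is dropped) are all assumptions made for illustration.

```python
"""Three-stage SSRF candidate discrimination: substring, Levenshtein similarity,
differential verification. Added example, not the patent's own code; thresholds,
sample filters and the handling of a failed similarity check are assumptions."""
import random
import string

SUBSTRING_MIN_MATCH = 8    # assumed stage A threshold: minimum matched length
LEVENSHTEIN_MAX_DIST = 12  # assumed stage B threshold on the edit distance
DIFF_MUTATE_CHARS = 3      # assumed number of characters changed to derive A2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def mutate_chars(value: str, n: int, rng: random.Random) -> str:
    """Derive A2 from A1: replace n randomly chosen characters with different ones."""
    chars = list(value)
    for idx in rng.sample(range(len(chars)), min(n, len(chars))):
        pool = [c for c in string.ascii_lowercase + string.digits if c != chars[idx]]
        chars[idx] = rng.choice(pool)
    return "".join(chars)


def classify(source_value, sink_fn, rng=None):
    """Return (stage, candidate): which stage decided and whether the parameter
    should be handed to the fuzzer.

    source_value: the string supplied at the HTTP parameter (input source, A).
    sink_fn: callable standing in for the instrumented application; it returns
             the string that reaches the sensitive function (sink, B). In the
             patent this value comes from hooks on the PHP sink functions."""
    rng = rng or random.Random(0)
    sink_value = sink_fn(source_value)

    # Stage A: B is a long enough substring of A, so the input reaches the sink
    # essentially intact (a filter may only have deleted parts of it).
    if sink_value and sink_value in source_value and len(sink_value) > SUBSTRING_MIN_MATCH:
        return ("A", True)

    # Stage B: A and B differ by only a few edits -> similar. Otherwise the
    # filter rewrote the value heavily; assumption: such inputs are dropped.
    if levenshtein(source_value, sink_value) > LEVENSHTEIN_MAX_DIST:
        return ("B", False)

    # Stage C: differential check. If A1 and A2 give the same sink value a strict
    # filter normalised the input and the parameter does not steer the request;
    # if the sink values differ the input still controls what the sink sees.
    a1 = source_value
    a2 = mutate_chars(a1, DIFF_MUTATE_CHARS, rng)
    b1, b2 = sink_fn(a1), sink_fn(a2)
    return ("C", b1 != b2)


def probe_request(params, app_sinks):
    """Steps S02/S03 over one parsed request: params maps parameter name to the
    value sent, app_sinks maps parameter name to the filter it passes through on
    the way to a sink. Returns the verdict per parameter that reaches a sink."""
    return {name: classify(value, app_sinks[name])
            for name, value in params.items() if name in app_sinks}


# Constructed filters standing in for PHP application code (not from the page).
def passthrough(url):            # no filtering at all
    return url

def strip_file_scheme(url):      # deletes a file:// prefix, otherwise intact
    return url.replace("file://", "")

def prepend_scheme(url):         # normalises to http:// but keeps the host
    url = url.strip()
    return url if url.startswith("http") else "http://" + url

def allowlist_only(url):         # ignores the input and always fetches one URL
    return "http://example.com/fetch"


if __name__ == "__main__":
    request = {"url": "127.0.0.1:8080/admin", "img": "file:///etc/passwd",
               "ref": "http://example.org/fetch"}
    sinks = {"url": prepend_scheme, "img": strip_file_scheme, "ref": allowlist_only}
    for name, verdict in probe_request(request, sinks).items():
        print(name, verdict)
```

The `img` parameter is decided in stage A (the filter only deleted the scheme), `url` falls through to stage C because the filter inserted a prefix, and the two probes still reach the sink with different values, while `ref` is similar to the fixed allowlisted URL but both probes collapse to the same sink value, so it is not a candidate.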
本实施例中步骤S03的步骤包括:In this embodiment, step S03 includes:
S301.模糊测试引擎会根据当前检测出的漏洞类型,采用针对性的链式变异策略进行种子生成,并将生成的种子发送给Web服务端;S301. The fuzz testing engine will use a targeted chain mutation strategy to generate seeds according to the currently detected vulnerability type, and send the generated seeds to the Web server;
S302.在模糊测试请求发送的这个过程中监测漏洞是否可以被触发,如果判断漏洞可以被触发并且漏洞存在,则输出漏洞信息和能触发漏洞的请求信息。S302. During the process of sending the fuzz test request, monitor whether the vulnerability can be triggered. If it is determined that the vulnerability can be triggered and the vulnerability exists, output the vulnerability information and the request information that can trigger the vulnerability.
In step S04 of this embodiment, the vulnerability payload is mutated according to the corresponding vulnerability type using a chain mutation strategy. Specifically, for the vulnerability type in question, all operation types are first combined in different ways to form a series of mutation-operation combinations, which complete the mutation of the initial vulnerability payload and yield a mutation strategy chain L. The mutation strategy chain L is a list containing every mutation-operation combination for the corresponding vulnerability type. Using these combinations, diverse vulnerability payloads can be generated from the initial payload; compared with a payload mutated by a single operation, they are more likely to bypass complex filtering conditions and therefore trigger the vulnerability effectively. Invalid mutation combinations are then eliminated from the mutation strategy chain L to form the final mutation strategy chain L. That is, generating the refined mutation strategy chain L in this embodiment takes two steps. First, all operation types are combined to obtain every combination form; taking the operation types in Table 1 as an example, the initially formed mutation strategy chain is Linit = {S0, S1, S2, ..., S1S2, S2S3, ..., S10S11, S12S13, ..., S1S2S3, ...}. Invalid mutation combinations are then eliminated: for example, the combination of S1 and S2 in Table 1 is unnecessary and would produce duplicates, so it can be removed. The result is the refined mutation strategy chain L.
Table 1: Operation types in the chain mutation strategy
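The two-step construction of the mutation strategy chain described above, as an added example in Python that is not part of the patent. Because the rows of Table 1 are not reproduced on the page, the operations S0 to S4 are placeholder string transforms chosen here; the reference payloads are constructed sample values. Step 1 builds Linit as every ordered combination of distinct operations up to a chosen length, and step 2 prunes combinations whose effect on the reference payloads is already produced by an earlier, shorter entry, which is how the "S1 followed by S2 is unnecessary and duplicates" case in the text is removed.

```python
import itertools
from typing import Callable, Dict, List, Sequence, Tuple

Chain = Tuple[str, ...]  # an ordered combination of operation names


# Placeholder operation types standing in for Table 1 (not on the page).
# Each is a pure, deterministic str -> str transform.
def op_identity(s: str) -> str:
    return s


def op_upper(s: str) -> str:
    return s.upper()


def op_lower(s: str) -> str:
    return s.lower()


def op_strip_scheme(s: str) -> str:
    return s.split("://", 1)[1] if "://" in s else s


def op_trailing_slash(s: str) -> str:
    return s if s.endswith("/") else s + "/"


OPS: Dict[str, Callable[[str], str]] = {
    "S0": op_identity,
    "S1": op_upper,
    "S2": op_lower,
    "S3": op_strip_scheme,
    "S4": op_trailing_slash,
}

# Constructed reference inputs used only to compare the effect of two chains.
REFERENCE_PAYLOADS: Tuple[str, ...] = (
    "http://Example.test/Img",
    "https://internal.test:8080",
)


def build_initial_chain(op_names: Sequence[str], max_len: int = 3) -> List[Chain]:
    """Step 1: L_init, every ordered combination of 1..max_len distinct operations."""
    chain: List[Chain] = []
    for k in range(1, max_len + 1):
        chain.extend(itertools.permutations(op_names, k))
    return chain


def apply_chain(chain: Chain, payload: str) -> str:
    """Apply the operations of one combination left to right."""
    for name in chain:
        payload = OPS[name](payload)
    return payload


def signature(chain: Chain, refs: Sequence[str]) -> Tuple[str, ...]:
    """The observable effect of a chain: its output on every reference payload."""
    return tuple(apply_chain(chain, p) for p in refs)


def prune_chain(chain: List[Chain], refs: Sequence[str]) -> List[Chain]:
    """Step 2: drop combinations whose effect duplicates an earlier entry.

    L_init lists shorter combinations first, so the shortest chain with a
    given effect survives and longer equivalents (e.g. S1 then S2, which
    equals S2 alone) are removed.
    """
    seen = set()
    final: List[Chain] = []
    for combo in chain:
        sig = signature(combo, refs)
        if sig in seen:
            continue
        seen.add(sig)
        final.append(combo)
    return final


def build_strategy_chain(op_names: Sequence[str], refs: Sequence[str],
                         max_len: int = 3) -> List[Chain]:
    """Full pipeline: L_init, then the refined chain L."""
    return prune_chain(build_initial_chain(op_names, max_len), refs)


def chain_is_minimal(chain: List[Chain], refs: Sequence[str]) -> bool:
    """True when no two entries of the chain have the same effect."""
    sigs = [signature(c, refs) for c in chain]
    return len(set(sigs)) == len(sigs)


if __name__ == "__main__":
    initial = build_initial_chain(list(OPS))
    final = build_strategy_chain(list(OPS), REFERENCE_PAYLOADS)
    print(f"L_init has {len(initial)} combinations, L has {len(final)}")
    for combo in final:
        print(" ".join(combo), "->", apply_chain(combo, REFERENCE_PAYLOADS[0]))
```

Pruning by observed effect rather than by hand-written rules means the result adapts automatically when operations are added or changed; the cost is that two chains which differ only on inputs outside the reference set would be treated as duplicates, so the reference payloads should exercise every property the operations act on.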
The present invention implements server-side request forgery (SSRF) vulnerability detection through gray-box fuzz testing guided by vulnerability information. The staged vulnerability discrimination method locates SSRF vulnerabilities quickly, so that when a vulnerability is reported to the user, a PoC that effectively triggers the SSRF vulnerability and the location of the vulnerability in the code can be provided at the same time, helping users better understand the security issue.
The vulnerability-information-guided server-side request forgery vulnerability detection device of this embodiment includes:
a request construction module, for constructing requests to the Web application server and sending them to the Web server;
an HTTP request parsing module, for parsing a captured request to the Web application server, extracting the input points from the request packet and sending them to the detection engine;
a staged vulnerability discrimination module, for determining, when the detection request sent by the detection engine to the Web server is received, whether a vulnerability exists by applying the staged vulnerability discrimination method to the input-source string and the string at the taint point, and, if a vulnerability is found, feeding the corresponding packet and vulnerability type back to the fuzzer;
a fuzzer, for mutating the vulnerability payload according to the corresponding vulnerability type and sending the mutated payload to the Web server as the input of the corresponding function point of the Web application;
a vulnerability detection module, for monitoring whether the vulnerability is triggered while the fuzzer sends fuzz-test requests to the Web server and, if so, determining that the vulnerability exists and outputting the vulnerability information and the request that triggered it.
In the staged vulnerability discrimination module, the staged vulnerability discrimination method identifies a vulnerability by performing three stages in sequence on the input-source string and the string at the taint point: substring discrimination, string similarity discrimination and comparison verification. The substring stage determines whether the input string at the taint point is a substring of the input-source string; the string similarity stage determines the similarity between the two strings and, if the similarity condition is met, proceeds to the comparison verification stage; the comparison verification stage determines whether a vulnerability exists from the result of comparing the input at each parameter value with the value at the taint point.
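The three-stage discrimination described above, as an added example in Python that is not part of the patent. The source string is the value the client supplied, the taint-point string is what the application handed to its outbound HTTP client (as captured by the detection engine), and `params` are the request parameters compared in the third stage. The page does not fix the similarity measure, the threshold, or how the comparison stage matches a parameter against the taint value, so the difflib ratio, the 0.7 threshold and the host-equality comparison used here are assumptions; the page also does not say what follows a positive substring check, and this example treats it as an immediate finding. All sample inputs are constructed.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass
class Verdict:
    vulnerable: bool
    stage: str                       # stage that produced the decision
    parameter: Optional[str] = None  # request parameter found to control the sink
    similarity: float = 0.0          # ratio computed in stage 2 (1.0 if stage 1 matched)


def _hostname(value: str) -> Optional[str]:
    """Best-effort host extraction; accepts bare 'host/path' as well as full URLs."""
    try:
        return urlparse(value if "://" in value else "//" + value).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return None


def controlling_parameter(sink: str, params: Dict[str, str]) -> Optional[str]:
    """Stage 3: compare each parameter value with the taint-point value.

    A parameter is taken to control the sink when its value is reproduced
    verbatim in the sink, or when both parse to the same host (covers the
    case where the application strips or adds a scheme).
    """
    sink_host = _hostname(sink)
    for name, value in params.items():
        if not value:
            continue
        if value in sink:
            return name
        host = _hostname(value)
        if host and sink_host and host == sink_host:
            return name
    return None


def staged_discriminate(source: str, sink: str, params: Dict[str, str],
                        threshold: float = 0.7) -> Verdict:
    """Run the three stages in sequence and return the decision.

    `threshold` is an assumed value; the page only says "if the similarity
    condition is met".
    """
    # Guard: Python treats "" as a substring of everything, so an empty
    # taint value would otherwise be a spurious stage-1 hit.
    if not source or not sink:
        return Verdict(False, "no-data")

    # Stage 1: substring discrimination (taint value contained in the input).
    if sink in source:
        return Verdict(True, "substring", controlling_parameter(sink, params), 1.0)

    # Stage 2: string similarity; only a sufficiently similar pair proceeds.
    ratio = SequenceMatcher(None, source, sink).ratio()
    if ratio < threshold:
        return Verdict(False, "similarity", None, ratio)

    # Stage 3: comparison verification against each parameter value.
    param = controlling_parameter(sink, params)
    return Verdict(param is not None, "comparison", param, ratio)


# Constructed request/sink pairs illustrating each path through the stages.
SAMPLE_CASES = [
    # input reaches the sink unchanged -> stage 1
    ("http://198.51.100.7/meta", "http://198.51.100.7/meta", {"url": "http://198.51.100.7/meta"}),
    # application strips the scheme -> taint value is a substring of the input
    ("http://198.51.100.7/meta", "198.51.100.7/meta", {"url": "http://198.51.100.7/meta"}),
    # application wraps the host in a URL -> stage 2 then stage 3
    ("198.51.100.7", "http://198.51.100.7/", {"host": "198.51.100.7", "size": "small"}),
    # input replaced by a fixed destination -> not similar, no finding
    ("198.51.100.7", "http://cdn.example.test/static/logo.png", {"host": "198.51.100.7"}),
]

if __name__ == "__main__":
    for source, sink, params in SAMPLE_CASES:
        print(f"{source!r} -> {sink!r}: {staged_discriminate(source, sink, params)}")
```

The ordering matters for cost and for precision: the substring test is cheap and settles the common case where input reaches the sink verbatim or only truncated, the similarity ratio filters out pairs that cannot plausibly be related, and the per-parameter comparison runs only on survivors, which is also what lets the verdict name the parameter the fuzzer should mutate.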
The vulnerability-information-guided server-side request forgery vulnerability detection device of this embodiment corresponds one to one with the vulnerability-information-guided detection method described above, so its details are not repeated here.
This embodiment also provides a computer-readable storage medium storing a computer program which, when executed, implements the above method.
The above is only a preferred embodiment of the present invention and does not limit the present invention in any form. Although the present invention has been disclosed above by way of a preferred embodiment, this is not intended to limit it. Therefore, any simple modification, equivalent change or refinement made to the above embodiment in accordance with the technical essence of the present invention, without departing from the content of its technical solution, shall fall within the scope of protection of the technical solution of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211591624.6A CN115967551B (en) | 2022-12-12 | 2022-12-12 | Method and device for detecting server request forgery vulnerability based on vulnerability information guidance |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115967551A CN115967551A (en) | 2023-04-14 |
CN115967551B true CN115967551B (en) | 2024-05-17 |
Family ID: 87353579
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||