
CN110765464A - Vulnerability detection method, apparatus, device and computer storage medium - Google Patents


Info

Publication number: CN110765464A
Authority: CN (China)
Prior art keywords: website, target, event, events, tested
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201911063550.7A
Other languages: Chinese (zh)
Other versions: CN110765464B (en)
Inventor: 张强
Current assignee: WeBank Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: WeBank Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The present invention relates to the technical field of financial technology (Fintech) and discloses a vulnerability detection method. The method includes: establishing a test case corresponding to a website interface to be tested, and combining the test case with the parameter under test of that interface to obtain a target parameter; obtaining all process events on the website host according to a preset netlink socket and the target parameter, and matching each process event in turn against the test case; if among the process events there is a target process event matching the test case, checking whether the process chain corresponding to the target process event satisfies a preset condition; and if it does, determining that the website interface under test has a vulnerability. The present invention also discloses a vulnerability detection apparatus, a device and a computer storage medium. The present invention improves the efficiency of vulnerability detection.

Description

Vulnerability detection method, apparatus, device and computer storage medium

Technical field

The present invention relates to the technical field of financial technology (Fintech), and in particular to a vulnerability detection method, apparatus, device and computer storage medium.

Background

With the development of computer technology, more and more technologies (big data, distributed systems, blockchain, artificial intelligence and so on) are being applied in the financial field, and the traditional financial industry is gradually transforming into financial technology (Fintech); but the security and real-time requirements of the financial industry also place higher demands on the technology. For example, the vulnerability detection commonly used today is only effective at identifying command injection and code execution vulnerabilities on websites that return a distinctive response packet (for example a status code or returned page content); for command injection and code execution without echo, the discovery rate is low and the false positive rate is high, so detection performs poorly. Moreover, the traditional design of test cases for command injection and code execution without echo usually relies on API functions such as system sleep delays and network requests to amplify the characteristic state returned by the detection point. Such detection methods are, on the one hand, limited by network stability and, on the other hand, may have the effect of a real attack on normal business, so the efficiency of vulnerability detection is very low. How to improve the efficiency of vulnerability detection has therefore become an urgent technical problem.

Summary of the invention

The main purpose of the present invention is to provide a vulnerability detection method, apparatus, device and computer storage medium, aiming to improve the efficiency of vulnerability detection.

To achieve the above object, the present invention provides a vulnerability detection method comprising the following steps:

establishing a test case corresponding to a website interface to be tested, and combining the test case with the parameter under test of the website interface to obtain a target parameter;

obtaining all process events on the website host according to a preset netlink socket and the target parameter, and matching each process event in turn against the test case;

if among the process events there is a target process event matching the test case, checking whether the process chain corresponding to the target process event satisfies a preset condition;

if it does, determining that the website interface under test has a vulnerability.

Optionally, the step of obtaining all process events on the website host according to the preset netlink and the target parameter includes:

configuring a monitoring rule on the website host based on the target parameter, and obtaining all process events on the website host through the monitoring rule and the preset netlink.

Optionally, the step of configuring a monitoring rule on the website host based on the target parameter and obtaining all process events on the website host through the monitoring rule and the preset netlink includes:

configuring a monitoring rule in user space (the application state) of the website host based on the target parameter, and passing the monitoring rule to the kernel (the kernel state) of the website host through the preset netlink;

obtaining, through a kernel thread in kernel space and the monitoring rule, the system call events of all applications running on the website host, and obtaining all process events on the website host based on those system call events.

Optionally, the step of obtaining all process events on the website host based on the system call events includes:

feeding each system call event back from kernel space to user space, and parsing each system call event according to the network control protocol (NCP) in user space, so as to determine whether any of the system call events meets a preset detection requirement;

if there is, treating each system call event that meets the preset detection requirement as a process event.

Optionally, the step of checking whether the process chain corresponding to the target process event satisfies the preset condition includes:

obtaining the parent process corresponding to the target process event, determining the process chain of the target process event based on the parent process, and checking whether the process chain contains the dynamic script parsing process information of the website host;

if it does not, determining that the process chain corresponding to the target process event does not satisfy the preset condition.

Optionally, after the step of checking whether the process chain contains the dynamic script parsing process information of the website host, the method includes:

if it does, obtaining a whitelist pre-stored on the website host, and matching the target process event in turn against all history records in the whitelist;

if none of the history records matches the target process event, determining that the process chain corresponding to the target process event satisfies the preset condition.

Optionally, after the step of matching each process event in turn against the test case, the method includes:

if none of the process events matches the test case, determining that the website interface under test has no vulnerability.

In addition, to achieve the above object, the present invention also provides a vulnerability detection apparatus comprising:

an acquisition module for establishing a test case corresponding to the website interface to be tested, and combining the test case with the parameter under test of the website interface to obtain a target parameter;

a matching module for obtaining all process events on the website host according to a preset netlink socket and the target parameter, and matching each process event in turn against the test case;

a detection module for checking, if among the process events there is a target process event matching the test case, whether the process chain corresponding to the target process event satisfies a preset condition;

a determining module for determining that the website interface under test has a vulnerability if the condition is satisfied.

In addition, to achieve the above object, the present invention also provides a vulnerability detection device comprising a memory, a processor, and a vulnerability detection program stored in the memory and executable on the processor; when the vulnerability detection program is executed by the processor, the steps of the vulnerability detection method described above are carried out.

In addition, to achieve the above object, the present invention also provides a computer storage medium on which a vulnerability detection program is stored; when the vulnerability detection program is executed by a processor, the steps of the vulnerability detection method described above are carried out.

The present invention establishes a test case corresponding to the website interface under test and combines the test case with the parameter under test of that interface to obtain a target parameter; obtains all process events on the website host according to a preset netlink socket and the target parameter, and matches each process event in turn against the test case; if among the process events there is a target process event matching the test case, checks whether the process chain corresponding to the target process event satisfies a preset condition; and if it does, determines that the website interface under test has a vulnerability. By combining the test case with the parameter under test to obtain the target parameter, obtaining all process events on the website host via netlink and the target parameter, and identifying the target process event among them, the target process event can be obtained without having to determine whether the website host returns a distinctive response packet, which improves the efficiency of vulnerability detection for the website interface under test. To further improve accuracy, it is also determined whether the target process event satisfies the preset condition, and only if it does is the website interface under test determined to be vulnerable, which also improves the accuracy of vulnerability detection.

Description of drawings

FIG. 1 is a schematic diagram of the device structure of the hardware operating environment involved in an embodiment of the present invention;

FIG. 2 is a schematic flowchart of the first embodiment of the vulnerability detection method of the present invention;

FIG. 3 is a schematic diagram of the modules of the vulnerability detection apparatus of the present invention;

FIG. 4 is a schematic flowchart of the process information determination in the vulnerability detection method of the present invention;

FIG. 5 is a schematic flowchart of the vulnerability detection method of the present invention;

FIG. 6 is a schematic diagram of the interaction between the host's user space (application state) and kernel space (kernel state) in the vulnerability detection method of the present invention.

The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.

Detailed description

It should be understood that the specific embodiments described here are only intended to explain the present invention, not to limit it.

As shown in FIG. 1, FIG. 1 is a schematic diagram of the device structure of the hardware operating environment involved in an embodiment of the present invention.

The vulnerability detection device in the embodiment of the present invention may be a PC or a server on which a Java virtual machine runs.

As shown in FIG. 1, the vulnerability detection device may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connections and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally may also include standard wired and wireless interfaces. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a WI-FI interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage; optionally, the memory 1005 may also be a storage device independent of the processor 1001.

Those skilled in the art will understand that the device structure shown in FIG. 1 does not limit the device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.

As shown in FIG. 1, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and a vulnerability detection program.

In the device shown in FIG. 1, the network interface 1004 is mainly used to connect to a back-end server and exchange data with it; the user interface 1003 is mainly used to connect to a client and exchange data with it; and the processor 1001 may be used to invoke the vulnerability detection program stored in the memory 1005 and perform the operations of the vulnerability detection method described below.

Based on the above hardware structure, an embodiment of the vulnerability detection method of the present invention is proposed.

Referring to FIG. 2, which is a schematic flowchart of the first embodiment of the vulnerability detection method of the present invention, the method includes:

Step S10: establishing a test case corresponding to the website interface to be tested, and combining the test case with the parameter under test of the website interface to obtain a target parameter.

At present, vulnerability detection is generally done by supplying a variety of command injection and code execution test cases, sending a large number of constructed HTTP requests to the target website, and analysing the returned page content and the website's response time to judge whether the website interface has a command injection or code execution vulnerability. For command injection and code execution without echo (where the website returns no distinctive response packet), however, this approach has a very low discovery rate and a high false positive rate. In this embodiment, therefore, when testing with an automated vulnerability scanner or by hand, the test request sent to the website interface under test should contain in advance test cases for the command operations and network operations that a vulnerable point might execute, and the netlink kernel/user-space communication mechanism is borrowed to record the command execution and network connection events at the website's suspected injection points. If execution of the test case is successfully observed during auditing, and walking up through the parent processes that invoked it shows the identity attributes of command injection or code execution, the website interface under test can be determined to have a vulnerability. In this way, injection points both with echo (the website returns a response packet with a distinctive state, such as a status code or returned page content) and without echo can be effectively discovered. In this embodiment the application state (user space) and kernel state (kernel space) are the architectural divisions of the Linux operating system. Code execution runs by invoking the website's server-side code, whereas command injection runs by invoking operating system commands; the final effect of both is that external malicious commands are executed on the target cluster. Netlink is a set of Linux kernel interfaces for inter-process communication: between the Linux kernel and user-space processes, and between user processes.

When performing vulnerability detection and receiving the test request for the website interface under test, a test case construction module can first build the test case corresponding to that interface, i.e. pre-build test cases that probe for command injection and code execution. Common command injection and code execution trigger points lie in interface parameters. This embodiment mainly uses functions for raw system command operations and network connections, but is not limited to these; examples of test cases are "sleep" (the sleep function suspends a program, process, task or thread so that it is inactive for a period of time), "cat /etc/passwd" (reads the contents of the /etc/passwd file to the screen), "curl" (cURL is a command-line file transfer tool that uses URL syntax) and "system(whoami)". The constructed test case is then combined with the parameter under test of the website interface (for example by replacing the parameter under test with the test case, or splicing the test case into its position) to obtain the target parameter, and the target parameter is sent over the network, i.e. to the website host. The target parameter is thus the parameter under test of the website interface carrying the test case.

Step S20: obtaining all process events on the website host according to the preset netlink socket and the target parameter, and matching each process event in turn against the test case.

After the target parameter has been obtained and sent to the website host, the netlink (socket) audit event monitoring service must also be connected. Since the Linux kernel already provides the connector module and a process event collection mechanism, and the netlink protocol supports NETLINK_AUDIT, which offers an interface to the user audit subsystem, it is only necessary to implement, in user space, a lightweight custom NCP (netlink connector process) application on top of the NETLINK_AUDIT mechanism to intercept all process creation and network connection events on the host. That is, the event records of command execution and network connections at the suspected injection points on the website host, i.e. the process events, are obtained according to the preset netlink and the target parameter. Specifically, since the test cases in the target parameter include command functions such as cat /etc/passwd and curl, the native execve (execute file) and socket system calls need to be monitored. Monitoring rules can therefore be configured for the user-space management process on the website host according to the target parameter and passed to the kernel via netlink. Once the kernel-side kauditd has received the monitoring rules via netlink and loaded them, every application on the host passes through the kauditd process when it makes a system call or a network request returns, so the monitoring rules can record the corresponding event of each application at those points and send it back via netlink to the user-space NCP application. The NCP application parses these events; if it captures the cat command operation event from the test case with /etc/passwd as the file argument read, or captures a process network request event whose target is qq.com, it can be considered that the test case was likely executed as a system call by a vulnerable interface. In other words, after all process events have been obtained, each process event is matched in turn against the test case, and if a target process event matching the test case exists, the test case is suspected to have been executed as a system call by a vulnerable interface. Here, a test case is a description of a test task for a particular software product, embodying the test plan, method, technique and strategy. A process event is a system call event involving a network connection, a command operation and so on, and a system call event is the event record produced when an application makes a system call or a network request returns.

Step S30: if among the process events there is a target process event matching the test case, checking whether the process chain corresponding to the target process event satisfies a preset condition.

When among the process events there is a target process event matching the test case, it is still necessary to check whether the target process event satisfies the preset condition, that is, to determine that the target process event was invoked by the website interface under test rather than by some other interface, and to determine whether the target process event is in the whitelist, and then to act according to the result. Therefore, once the target process event has been obtained, an identity attribute determination is performed on it to further improve detection accuracy.

The identity attribute determination can be done by obtaining the dynamic script parsing process information started by the website's web server; for example, a common PHP script parsing engine is php-fpm and a common JSP engine is Tomcat, and the pid (the id number by which Linux and Unix identify a running process) of the corresponding process on the host is obtained. The parent processes of the monitored process that executed the system call are then traversed repeatedly up to the systemd process, giving the process chain of the target process, and it is checked whether the chain contains dynamic script parsing process information such as a php-fpm or Tomcat java process. If it does, it is determined whether the target process event is a member of the website host's whitelist, and from that whether the website interface under test is vulnerable. If the process chain contains no dynamic script process information, the website interface under test is determined to have no vulnerability and detection stops. The dynamic script parsing process information may be the overall process information of the website's pages opened through the website interface under test.

Detecting the target process event according to its process chain to determine whether the website interface under test is vulnerable can be done as shown in the following table: when the pid of the cat /etc/passwd process is 1123 and its parent process is 850, its process chain is 1123->850->…->62->1; the php-fpm dynamic parsing engine has pid 62 and parent process 1 (process chain 850->1), so it is clear that the pid of the php-fpm dynamic parsing engine appears in the process chain of the cat /etc/passwd process, and the cat /etc/passwd process can be considered to indicate a suspected vulnerability. Other application processes, for example spp_bsp_offline_ctrl with pid 5891, parent process 1091 and process chain 5891->1091->34->19->1, are not considered, i.e. treated as not present and ignored.

Figure BDA0002253313710000081 (table image; rows as described in the text)
process               | pid  | parent pid | process chain
cat /etc/passwd       | 1123 | 850        | 1123->850->…->62->1
php-fpm               | 62   | 1          | 62->1
spp_bsp_offline_ctrl  | 5891 | 1091       | 5891->1091->34->19->1

To help understand the identity attribute determination of the target process event, an example follows. As shown in Figure 4, while the interface under test is being checked, netlink reports that the system has executed `cat /etc/passwd`. The process information of `cat /etc/passwd` is obtained and its parent processes are walked in turn to obtain the process chain; this walk runs over the host's full process list (other applications, kernel processes, the website's dynamic-script parsing process and so on). The chain is then checked for the php-fpm process (pid 40 in the figure). If php-fpm is not in the chain, no vulnerability is found. If php-fpm is in the chain, the host's whitelist is loaded and checked for the `cat /etc/passwd` process information: if it is present, no vulnerability is found; if it is absent, a vulnerability is found.
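The ancestry walk and whitelist decision described above, as an added example that is not part of the patent's code: the process table is constructed (the pids and the intermediate `sh` are illustrative, not taken from the table in the text), and `load_proc_table()` is an assumed helper for reading the same data from `/proc` on a live Linux host.

```python
"""Process-chain and whitelist check for a command captured on the web host."""
import os
from typing import Dict, List, Optional, Set, Tuple

# pid -> (ppid, comm, cmdline); constructed sample, pids are illustrative only
ProcTable = Dict[int, Tuple[int, str, str]]

SAMPLE_TABLE: ProcTable = {
    1:    (0,    "systemd",     "/sbin/init"),
    62:   (1,    "php-fpm",     "php-fpm: master process"),
    850:  (62,   "php-fpm",     "php-fpm: pool www"),        # worker that served the request
    1001: (850,  "sh",          "sh -c cat /etc/passwd;"),   # shell spawned by PHP's system()
    1123: (1001, "cat",         "cat /etc/passwd"),          # the injected test case
    19:   (1,    "supervisord", "supervisord"),
    34:   (19,   "spp_ctrl",    "spp_ctrl"),
    1091: (34,   "spp_bsp",     "spp_bsp"),
    5891: (1091, "spp_bsp_offline_ctrl", "spp_bsp_offline_ctrl --poll"),  # unrelated daemon
}

# comm prefixes of the script engines named in the text; tomcat shows up as 'java'
ENGINE_PREFIXES = ("php-fpm", "java", "tomcat")


def process_chain(pid: int, table: ProcTable) -> List[int]:
    """Return [pid, ppid, ..., 1]. Stops at pid 1, at an unknown pid, or on a cycle."""
    chain: List[int] = []
    cur = pid
    while cur in table and cur not in chain:
        chain.append(cur)
        if cur == 1:
            break
        cur = table[cur][0]
    return chain


def engine_ancestor(pid: int, table: ProcTable) -> Optional[int]:
    """Pid of the nearest ancestor that is a dynamic-script engine, or None."""
    for p in process_chain(pid, table)[1:]:
        if table[p][1].startswith(ENGINE_PREFIXES):
            return p
    return None


def classify(pid: int, table: ProcTable, whitelist: Set[str]) -> str:
    """Decision from the text:
    'ignore'      - no script engine in the ancestry, so not reached via the web interface
    'whitelisted' - engine present but the command is a known legitimate business call
    'vulnerable'  - engine present and the command is not on the whitelist
    """
    if pid not in table or engine_ancestor(pid, table) is None:
        return "ignore"
    if table[pid][2] in whitelist:
        return "whitelisted"
    return "vulnerable"


def load_proc_table() -> ProcTable:
    """Assumed helper: build the table from /proc on a live Linux host. comm may
    contain spaces or ')', so it is taken between the first '(' and the last ')'."""
    table: ProcTable = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited while we were reading
        rp = stat.rfind(")")
        comm = stat[stat.find("(") + 1:rp]
        ppid = int(stat[rp + 1:].split()[1])  # fields after ')': state ppid pgrp ...
        table[pid] = (ppid, comm, cmdline)
    return table


if __name__ == "__main__":
    for p in (1123, 5891):
        print(p, "->".join(map(str, process_chain(p, SAMPLE_TABLE))), classify(p, SAMPLE_TABLE, set()))
```

Two caveats a practitioner should keep in mind. A short-lived command such as `cat` is gone from `/proc` before any scan, which is why the text takes the parent from the monitored system call itself (the `ppid` in the audit record) rather than from a later process listing. And a payload that double-forks or calls `setsid` is reparented to pid 1, so the engine disappears from its chain; the process's cgroup (for example the php-fpm service slice) is a more robust ancestry signal on systemd hosts.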

Step S40: if the condition is satisfied, determine that the website interface under test has a vulnerability.

When the target process event is found to satisfy the preset condition, the interface under test is determined to have a vulnerability; when it does not, the interface is determined to have no vulnerability. To help understand the principle of vulnerability detection on the interface under test, an example follows.

As shown in Figure 5, once the normal URL interface `/?id=1` is identified as needing detection, test cases such as `cat /etc/passwd;` and `curl qq.com` are constructed and spliced into the parameter under test, giving `/?id=cat /etc/passwd;` and `/?id=curl qq.com`. The spliced request is assembled into a packet and sent to the website host. The website host is connected to the audit service: the netlink event recording module collects the host's operation behaviour data, i.e. every command execution and network connection event on the system, and the correlation judgement module checks those events against `cat /etc/passwd; curl qq.com` as the judgement condition. If no monitored command behaviour matches, detection stops and the URL interface is judged free of vulnerabilities. If the execution of a test case such as `cat /etc/passwd` is observed, and walking its parents shows that the executing process descends from the dynamic-script parsing process started by the website's web server, the id parameter is determined to have a vulnerability, i.e. the URL interface has a vulnerability.

In this embodiment, a test case corresponding to the website interface under test is established and integrated with the parameter under test to obtain the target parameter; all process events on the website host are obtained via the preset netlink socket and the target parameter, and each process event is matched in turn against the test case; if a target process event matching the test case exists, it is checked whether the process chain corresponding to the target process event satisfies the preset condition; if it does, the interface under test is determined to have a vulnerability. Because the target process event is found among the host's own process events rather than inferred from the HTTP response, there is no need for the website host to return a distinguishable status response packet (a blind injection, where the command runs but the response is unchanged, is still detected), which improves the efficiency of vulnerability detection on the interface under test. To further improve accuracy, the target process event must also satisfy the preset condition before a vulnerability is reported, which improves the accuracy of vulnerability detection as well.

Further, based on the first embodiment of the vulnerability detection method of the present invention, a second embodiment is proposed. This embodiment refines step S20 of the first embodiment, obtaining all process events on the website host according to the preset netlink and the target parameter, and comprises:

Step a: configure a monitoring rule on the website host based on the target parameter, and obtain all process events on the website host through the monitoring rule and the preset netlink.

After the target parameter is obtained and sent to the website host, the native execve and socket system calls must be monitored, because the target parameter contains the test case and the test case contains commands such as `cat /etc/passwd` and `curl`. That is, a monitoring rule is configured, according to the target parameter, on the management process in the host's application (user) state and passed through the preset netlink to the host's kernel state, so that the kernel records, according to the rule, the events generated when any application on the host makes a system call or a network request returns. These records are passed back to the application state, where they are parsed to obtain the process events for network connections and command operations.

In this embodiment, a monitoring rule is configured on the website host according to the target parameter and all process events on the host are obtained through that rule, which guarantees the accuracy of the process events obtained.

Specifically, the step of configuring a monitoring rule on the website host based on the target parameter and obtaining all process events on the website host through the monitoring rule and the preset netlink comprises:

Step b: configure a monitoring rule for the application state of the website host based on the target parameter, and pass the monitoring rule to the kernel state of the website host through the preset netlink;

After the monitoring rule has been configured for the application state according to the target parameter, it still has to be passed to the kernel state through the preset netlink so that the kernel can obtain each process event on the host according to the rule.

Step c: obtain the system call events of all applications running on the website host through the kernel thread in the kernel state and the monitoring rule, and obtain all process events on the website host based on the system call events.

Once the monitoring rule sent from the application state over netlink has been received and loaded in the kernel, every system call (and every network request return) made by any application on the host passes through the kernel's audit hooks, so the matching calls are recorded according to the rule as system call events. The kauditd kernel thread then delivers these system call events over netlink to the application state, which extracts all process events on the website host from them.
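Steps a to c above, as an added example that is not part of the patent: a userspace program builds the monitoring rule in the kernel's `struct audit_rule_data` layout and hands it to the kernel over `NETLINK_AUDIT`, which is what `auditctl -a always,exit -F arch=b64 -S execve -S connect -k webtest` does. The ABI constants are from `linux/audit.h`; the syscall numbers are an assumption for x86_64, and `connect` is added beside the `execve`/`socket` named in the text because it is the call whose record carries the destination address. Installing the rule needs CAP_AUDIT_CONTROL, so only the packing and its decoding run offline.

```python
"""Hand a syscall audit rule to the kernel over the audit netlink socket."""
import os
import socket
import struct
from typing import Iterable, List

NETLINK_AUDIT = 9
AUDIT_SET, AUDIT_ADD_RULE = 1001, 1011
NLMSG_ERROR = 2
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04

AUDIT_FILTER_EXIT = 0x04        # evaluate the rule at syscall exit
AUDIT_ALWAYS = 2                # action: always record
AUDIT_BITMASK_SIZE = 64         # 64 * 32 = 2048 syscall bits
AUDIT_MAX_FIELDS = 64
AUDIT_ARCH, AUDIT_FILTERKEY = 11, 210
AUDIT_EQUAL = 0x40000000        # comparison operator, stored in fieldflags[]
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_STATUS_ENABLED, AUDIT_STATUS_PID = 0x01, 0x04
HDR_LEN = 12                    # flags, action, field_count precede mask[]

# assumption: x86_64 numbers only
X86_64_SYSCALLS = {"execve": 59, "execveat": 322, "socket": 41, "connect": 42}


def build_rule(syscalls: Iterable[str], key: str, arch: int = AUDIT_ARCH_X86_64) -> bytes:
    """Pack struct audit_rule_data: flags, action, field_count, mask[64],
    fields[64], values[64], fieldflags[64], buflen, buf[]."""
    mask = [0] * AUDIT_BITMASK_SIZE
    for name in syscalls:
        nr = X86_64_SYSCALLS[name]
        mask[nr // 32] |= 1 << (nr % 32)
    fields = [0] * AUDIT_MAX_FIELDS
    values = [0] * AUDIT_MAX_FIELDS
    flags = [0] * AUDIT_MAX_FIELDS
    fields[0], values[0], flags[0] = AUDIT_ARCH, arch, AUDIT_EQUAL              # -F arch=b64
    key_b = key.encode()
    fields[1], values[1], flags[1] = AUDIT_FILTERKEY, len(key_b), AUDIT_EQUAL    # -k key (string in buf)
    return (struct.pack("=3I", AUDIT_FILTER_EXIT, AUDIT_ALWAYS, 2)
            + struct.pack(f"={AUDIT_BITMASK_SIZE}I", *mask)
            + struct.pack(f"={AUDIT_MAX_FIELDS}I", *fields)
            + struct.pack(f"={AUDIT_MAX_FIELDS}I", *values)
            + struct.pack(f"={AUDIT_MAX_FIELDS}I", *flags)
            + struct.pack("=I", len(key_b)) + key_b)


def rule_syscalls(rule: bytes) -> List[int]:
    """Decode the syscall bitmask of a packed rule (sanity check before sending)."""
    mask = struct.unpack_from(f"={AUDIT_BITMASK_SIZE}I", rule, HDR_LEN)
    return sorted(i * 32 + b for i, w in enumerate(mask) for b in range(32) if w >> b & 1)


def rule_key(rule: bytes) -> str:
    """Read the filter key back out of buf[], which follows the u32 buflen."""
    off = HDR_LEN + 4 * (AUDIT_BITMASK_SIZE + 3 * AUDIT_MAX_FIELDS)
    (buflen,) = struct.unpack_from("=I", rule, off)
    return rule[off + 4:off + 4 + buflen].decode()


def netlink_msg(msg_type: int, payload: bytes, seq: int) -> bytes:
    """nlmsghdr (len, type, flags, seq, portid) followed by the payload."""
    return struct.pack("=IHHII", 16 + len(payload), msg_type, NLM_F_REQUEST | NLM_F_ACK, seq, 0) + payload


def install(rule: bytes) -> int:
    """Enable auditing, register this process as the listener, then add the rule.
    Returns the errno from the kernel's NLMSG_ERROR ack (0 on success).
    A real listener keeps the socket open afterwards: the kauditd thread sends the
    matching records (SYSCALL, EXECVE, SOCKADDR, ...) to this portid as text payloads."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    s.bind((0, 0))
    # struct audit_status: mask, enabled, failure, pid, rate_limit, backlog_limit, lost, backlog
    status = struct.pack("=8I", AUDIT_STATUS_ENABLED | AUDIT_STATUS_PID, 1, 0, os.getpid(), 0, 0, 0, 0)
    err = 0
    for seq, (mtype, payload) in enumerate(((AUDIT_SET, status), (AUDIT_ADD_RULE, rule)), start=1):
        s.send(netlink_msg(mtype, payload, seq))
        reply = s.recv(8192)
        _, ntype = struct.unpack_from("=IH", reply, 0)
        if ntype == NLMSG_ERROR:
            (err,) = struct.unpack_from("=i", reply, 16)   # negative errno, 0 = ack
            if err:
                break
    s.close()
    return -err


if __name__ == "__main__":
    r = build_rule(("execve", "connect"), "webtest")
    print(len(r), rule_syscalls(r), rule_key(r))
```

The filter key is what makes the rest of the pipeline cheap: every record the kernel produces for these rules carries `key="webtest"`, so the userspace parser can drop everything else without inspecting it. Only one process may hold the audit listener role at a time, so on a host already running auditd the AUDIT_SET step fails with EBUSY and the records must be read from the audit dispatcher (or audit.log) instead.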

In this embodiment, the monitoring rule is configured in the application state of the website host and passed to the kernel state, and all process events of the host are obtained from the kernel state, so that no process event is missed and the accuracy of the obtained process events is guaranteed.

Specifically, the step of obtaining all process events on the website host based on the system call events comprises:

Step e: feed back each system call event from the kernel state to the application state, and parse each system call event according to the network control protocol in the application state to determine whether any system call event meets the preset detection requirement;

After the system call events are fed back from the kernel state to the application state, i.e. once the NCP (network control protocol) application in the application state has received them, it parses them to determine whether any of them meet the preset detection requirement (for example, whether they are system call events for a network connection or a command operation), and performs different operations depending on the result.

Step f: if so, take the system call event that meets the preset detection requirement as a process event.

When a system call event meeting the preset detection requirement is found among the system call events, that event is taken as a process event. If none of the system call events meets the preset requirement, detection continues and new system call events are obtained.

To help understand how process events are obtained on the host in this embodiment, an example follows.

As shown in Figure 6, the host is divided into the application (user) state and the kernel state. The website business interface in user space executes the system commands `cat /etc/passwd` and `curl qq.com`, which issue system calls. In the kernel, the monitoring audit rule is registered with the audit subsystem (the kauditd kernel process) through audit netlink. Because the host's network, disk and process execution activity all pass through the audit subsystem, the system call / network request return events can be obtained from it and fed back to user space; that is, the network control protocol application monitor in user space obtains the process events through netlink, and the netlink monitor returns the system call event corresponding to `cat`.
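The correlation judgement of Figure 5 and the userspace parsing of kauditd's records in Figure 6, as an added example that is not the patent's code: the audit records are constructed in the text form the audit subsystem emits (the same lines auditd writes to audit.log), with made-up pids, timestamps and a documentation-range address; `TEST_CASES`, `build_payloads()` and the `webtest` key are assumptions.

```python
"""Parse audit records from the netlink listener and match them to test cases."""
import re
import shlex
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

SYS_EXECVE, SYS_CONNECT = 59, 42  # x86_64 syscall numbers (assumption)
TEST_CASES = ["cat /etc/passwd;", "curl qq.com"]  # the two payloads from the text

# Constructed records. a1 of the curl EXECVE record is hex-encoded the way the
# kernel encodes argv values with special characters, to exercise that branch.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1572601234.511:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1123 uid=33 comm="cat" exe="/usr/bin/cat" key="webtest"
type=EXECVE msg=audit(1572601234.511:2001): argc=2 a0="cat" a1="/etc/passwd"
type=EOE msg=audit(1572601234.511:2001):
type=SYSCALL msg=audit(1572601234.530:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1124 uid=33 comm="curl" exe="/usr/bin/curl" key="webtest"
type=EXECVE msg=audit(1572601234.530:2002): argc=2 a0="curl" a1=71712E636F6D
type=EOE msg=audit(1572601234.530:2002):
type=SYSCALL msg=audit(1572601234.602:2003): arch=c000003e syscall=42 success=yes exit=0 ppid=1001 pid=1124 uid=33 comm="curl" exe="/usr/bin/curl" key="webtest"
type=SOCKADDR msg=audit(1572601234.602:2003): saddr=02000050CB00710A0000000000000000
type=EOE msg=audit(1572601234.602:2003):
type=SYSCALL msg=audit(1572601240.000:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=1091 pid=5891 uid=0 comm="ls" exe="/usr/bin/ls" key="webtest"
type=EXECVE msg=audit(1572601240.000:2004): argc=2 a0="ls" a1="-la"
type=EOE msg=audit(1572601240.000:2004):
"""

TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
SERIAL = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def _value(field: str, raw: str) -> str:
    if raw.startswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"a\d+", field) and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode(errors="replace")  # hex-encoded argv element
    return raw


def parse_record(line: str) -> Dict[str, str]:
    """One record -> dict; '_serial' ties SYSCALL/EXECVE/SOCKADDR of one call together."""
    rec = {k: _value(k, v) for k, v in TOKEN.findall(line)}
    m = SERIAL.search(rec.get("msg", ""))
    if m:
        rec["_time"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def decode_sockaddr(saddr_hex: str) -> Optional[Tuple[str, int]]:
    """AF_INET only: family in host order, then port (network order) and IPv4."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) >= 8 and int.from_bytes(raw[:2], "little") == 2:
        return ".".join(str(b) for b in raw[4:8]), int.from_bytes(raw[2:4], "big")
    return None


def parse_events(text: str) -> List[dict]:
    """Group records by serial and fold each group into one process event."""
    groups: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        rec = parse_record(line) if line.strip() else {}
        if "_serial" in rec:
            groups.setdefault(rec["_serial"], []).append(rec)
    events = []
    for serial, recs in groups.items():
        ev: dict = {"serial": serial, "syscall": None, "argv": [], "dest": None}
        for r in recs:
            if r["type"] == "SYSCALL":
                ev.update(syscall=int(r["syscall"]), pid=int(r["pid"]), ppid=int(r["ppid"]),
                          comm=r["comm"], success=r.get("success"), key=r.get("key"))
            elif r["type"] == "EXECVE":  # chunked a1[0], a1[1] pieces are not reassembled here
                ev["argv"] = [r.get(f"a{i}", "") for i in range(int(r["argc"]))]
            elif r["type"] == "SOCKADDR":
                ev["dest"] = decode_sockaddr(r["saddr"])
        if ev["syscall"] is not None:
            events.append(ev)
    return events


def match_test_cases(events: List[dict], test_cases: List[str]) -> List[Tuple[str, dict]]:
    """Correlation judgement: an execve whose argv equals the test case after shell
    word splitting ('cat /etc/passwd;' -> ['cat', '/etc/passwd'])."""
    hits = []
    for ev in events:
        if ev["syscall"] != SYS_EXECVE:
            continue
        for tc in test_cases:
            if ev["argv"] == shlex.split(tc.rstrip(";")):
                hits.append((tc, ev))
    return hits


def connections(events: List[dict]) -> List[Tuple[int, Optional[Tuple[str, int]]]]:
    """(pid, destination) of every connect() event, the out-of-band signal for curl."""
    return [(ev["pid"], ev["dest"]) for ev in events if ev["syscall"] == SYS_CONNECT]


def build_payloads(path: str, param: str, test_cases: List[str]) -> List[str]:
    """Splice each test case into the parameter under test: /?id=1 -> /?id=cat%20%2Fetc%2Fpasswd%3B"""
    return [f"{path}?{param}={quote(tc, safe='')}" for tc in test_cases]


if __name__ == "__main__":
    print(build_payloads("/", "id", TEST_CASES))
    evs = parse_events(SAMPLE_AUDIT)
    for tc, ev in match_test_cases(evs, TEST_CASES):
        print(f"hit {tc!r}: pid={ev['pid']} ppid={ev['ppid']} -> walk the ppid chain for php-fpm")
    print(connections(evs))
```

Over the netlink socket the same text arrives as the payload of one message per record (types 1300 SYSCALL, 1309 EXECVE, 1306 SOCKADDR, 1320 EOE); the `type=` prefix is what auditd prepends when writing audit.log. The `ppid` of each hit is the starting point for the process-chain and whitelist check of step S30, which this block deliberately leaves to that step. Two practical points: a hit with `success=no` is still evidence of injection (the command was launched, it merely failed), and an injected command that runs through `sh -c` shows up as a separate `sh` execve first, so match on the leaf command as done here rather than on the shell line.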

In this embodiment, each system call event is parsed in the application state according to the network control protocol to obtain the process events, which guarantees the accuracy of the obtained process events.

Further, based on any one of the first and second embodiments of the vulnerability detection method of the present invention, a third embodiment is proposed. This embodiment refines step S30 of the first embodiment, detecting whether the process chain corresponding to the target process event satisfies the preset condition, and comprises:

Step h: obtain the parent process of the target process event, determine the process chain of the target process event based on the parent process, and detect whether the dynamic-script parsing process information of the website host is present in the process chain;

The parent process of the target process event (the process that spawned it) is obtained, and the process chain of the target process event is derived by following parents from it. At the same time the dynamic-script parsing process information of the website host is obtained, the chain is checked for that process information, and different operations are performed depending on the result.

Step k: if it is not present, determine that the process chain corresponding to the target process event does not satisfy the preset condition.

When the dynamic-script parsing process information of the website host is found in the process chain, it must further be determined whether the target process event is on the website host's whitelist; if it is not, the process chain of the target process event satisfies the preset condition and the interface under test is determined to have a vulnerability. If the dynamic-script parsing process information is not in the chain, the process chain does not satisfy the preset condition and the interface under test is determined to have no vulnerability.

In this embodiment, the process chain of the target process event is obtained and checked for dynamic-script parsing process information, which establishes whether the target process event was invoked through the interface under test, thereby improving the accuracy of vulnerability detection.

Specifically, after the step of detecting whether the dynamic-script parsing process information of the website host is present in the process chain, the method comprises:

Step m: if it is present, obtain the whitelist pre-stored on the website host, and match the target process event in turn against all history records in the whitelist;

When dynamic-script parsing process information is found in the process chain, the whitelist pre-stored on the website host must also be obtained. The whitelist records the normal system function calls historically made by the website's business logic; a business flow may legitimately call `cat /etc/passwd`, for example, and such cases must be filtered out to avoid false positives. Only a record that misses the whitelist establishes that the interface under test has a command injection or code execution vulnerability. The target process event is therefore matched against all history records in the whitelist (the records of the business's normal system function calls), and different operations are performed according to the result.

Step n: if no target history record matching the target process event exists among the history records, determine that the process chain corresponding to the target process event satisfies the preset condition.

When no history record matching the target process event is found, the process chain of the target process event satisfies the preset condition, i.e. the interface under test has a vulnerability. If a matching history record exists, the process chain does not satisfy the preset condition, i.e. the interface under test has no vulnerability.

In this embodiment, the target process event is compared with the history records in the whitelist, and only if it matches none of them is the process chain deemed to satisfy the preset condition, which avoids false positives and improves the accuracy of vulnerability detection.

Further, after the step of matching each process event in turn against the test case, the method comprises:

Step x: if no target process event matching the test case exists among the process events, determine that the website interface under test has no vulnerability.

When no process event matching the test case is found, the interface under test is determined to have no vulnerability and its detection is stopped.

In this embodiment, the interface under test is determined to have no vulnerability when no process event matches the test case, which improves the accuracy of vulnerability detection.

The present invention also provides a vulnerability detection apparatus. Referring to Figure 3, the vulnerability detection apparatus comprises:

an acquisition module, configured to establish a test case corresponding to the website interface under test and integrate the test case with the parameter under test of the interface to obtain the target parameter;

a matching module, configured to obtain all process events on the website host according to the preset netlink socket and the target parameter, and match each process event in turn against the test case;

a detection module, configured to detect, if a target process event matching the test case exists among the process events, whether the process chain corresponding to the target process event satisfies the preset condition;

a determination module, configured to determine, if it does, that the website interface under test has a vulnerability.

Optionally, the matching module is further configured to:

configure a monitoring rule on the website host based on the target parameter, and obtain all process events on the website host through the monitoring rule and the preset netlink.

Optionally, the matching module is further configured to:

configure a monitoring rule for the application state of the website host based on the target parameter, and pass the monitoring rule to the kernel state of the website host through the preset netlink;

obtain the system call events of all applications running on the website host through the kernel thread in the kernel state and the monitoring rule, and obtain all process events on the website host based on the system call events.

Optionally, the matching module is further configured to:

feed back each system call event from the kernel state to the application state, and parse each system call event according to the network control protocol in the application state to determine whether any system call event meets the preset detection requirement;

if so, take the system call event that meets the preset detection requirement as a process event.

Optionally, the detection module is further configured to:

obtain the parent process of the target process event, determine the process chain of the target process event based on the parent process, and detect whether the dynamic-script parsing process information of the website host is present in the process chain;

if it is not present, determine that the process chain corresponding to the target process event does not satisfy the preset condition.

Optionally, the detection module is further configured to:

if it is present, obtain the whitelist pre-stored on the website host, and match the target process event in turn against all history records in the whitelist;

if no target history record matching the target process event exists among the history records, determine that the process chain corresponding to the target process event satisfies the preset condition.

Optionally, the vulnerability detection apparatus is further configured to:

if no target process event matching the test case exists among the process events, determine that the website interface under test has no vulnerability.

For the methods executed by the above program modules, reference may be made to the embodiments of the vulnerability detection method of the present invention, which are not repeated here.

The present invention also provides a computer storage medium.

A vulnerability detection program is stored on the computer storage medium of the present invention, and when executed by a processor the program implements the steps of the vulnerability detection method described above.

For the method implemented when the vulnerability detection program running on the processor is executed, reference may be made to the embodiments of the vulnerability detection method of the present invention, which are not repeated here.

It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or system that comprises the element.

The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.

From the description of the above embodiments, those skilled in the art will understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present invention.

The above are only preferred embodiments of the present invention and do not limit its patent scope. Any equivalent structural or process transformation made using the content of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A vulnerability detection method is characterized by comprising the following steps:
establishing a test case corresponding to a website interface to be tested, and integrating the test case and parameters to be tested of the website interface to be tested to obtain target parameters;
acquiring all process events in a website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case;
if a target process event matched with the test case exists in each process event, detecting whether a process chain corresponding to the target process event meets a preset condition;
and if so, determining that the interface of the website to be tested has a bug.
2. The vulnerability detection method of claim 1, wherein the step of obtaining all process events in a website host according to a preset netlink and the target parameter comprises:
and configuring a monitoring rule for the website host based on the target parameter, and acquiring all process events in the website host through the monitoring rule and a preset netlink.
3. The vulnerability detection method of claim 2, wherein the step of configuring a monitoring rule for the website host based on the target parameter and acquiring all process events in the website host through the monitoring rule and a preset netlink comprises:
configuring a monitoring rule for an application state in the website host based on the target parameter, and transmitting the monitoring rule to a kernel state in the website host through a preset netlink;
and acquiring system calling events operated by all application programs in the website host through the kernel thread in the kernel state and the monitoring rule, and acquiring all process events in the website host based on the system calling events.
4. The vulnerability detection method of claim 3, wherein the step of obtaining all process events in the website host based on each of the system call events comprises:
feeding back each system call event from kernel mode to user mode, and parsing each system call event in user mode according to a network control protocol to determine whether a system call event meeting a preset detection requirement exists among the system call events;
and if so, taking the system call event meeting the preset detection requirement as a process event.
5. The vulnerability detection method of claim 1, wherein the step of detecting whether the process chain corresponding to the target process event meets a preset condition comprises:
acquiring the parent process corresponding to the target process event, determining the process chain corresponding to the target process event based on the parent process, and detecting whether dynamic script parsing process information of the website host exists in the process chain;
and if not, determining that the process chain corresponding to the target process event does not meet the preset condition.
6. The vulnerability detection method of claim 5, wherein after the step of detecting whether the dynamic script parsing process information of the website host exists in the process chain, the method comprises:
if yes, acquiring a whitelist prestored in the website host, and sequentially matching the target process event with each history record in the whitelist;
and if no target history record matched with the target process event exists among the history records, determining that the process chain corresponding to the target process event meets the preset condition.
7. The vulnerability detection method of any of claims 1-6, wherein after the step of sequentially matching each process event with the test case, the method comprises:
if no target process event matched with the test case exists among the process events, determining that the interface of the website to be tested has no vulnerability.
8. A vulnerability detection apparatus, comprising:
an acquisition module for establishing a test case corresponding to the interface of the website to be tested, and integrating the test case with the parameters to be tested of that interface to acquire target parameters;
a matching module for acquiring all process events in the website host according to a preset socket netlink and the target parameters, and sequentially matching each process event with the test case;
a detection module for detecting, if a target process event matched with the test case exists among the process events, whether the process chain corresponding to the target process event meets a preset condition;
and a determining module for determining that the interface of the website to be tested has a vulnerability if the process chain meets the preset condition.
9. A vulnerability detection device, comprising: a memory, a processor and a vulnerability detection program stored on the memory and executable on the processor, the vulnerability detection program when executed by the processor implementing the steps of the vulnerability detection method according to any of claims 1 to 7.
10. A computer storage medium having stored thereon a vulnerability detection program which, when executed by a processor, implements the steps of the vulnerability detection method of any of claims 1-7.
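The decision logic of claims 1 and 5-7, written out as an added Python example that is not the patent's own code: the netlink acquisition of claims 2-4 is replaced by a constructed list of already-decoded process events, and the event fields, the interpreter names standing in for "dynamic script parsing process information", and the match criterion (the test case's marker appearing in a spawned process's command line) are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed names for "dynamic script parsing processes" (claim 5); the patent does not enumerate them.
SCRIPT_PARSERS = {"php-fpm", "php", "python3", "node"}

@dataclass(frozen=True)
class ProcEvent:  # one decoded process event; field layout is an assumption
    pid: int
    ppid: int
    comm: str
    cmdline: str

def match_events(events: List[ProcEvent], test_case: str) -> Optional[ProcEvent]:
    """Claim 1: sequentially match events; assumed criterion is the marker appearing in a new process's cmdline."""
    for ev in events:
        if test_case in ev.cmdline:
            return ev
    return None

def process_chain(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Claim 5: follow parent pointers to build the chain, stopping on unknown or cyclic ppids."""
    chain, seen = [event], {event.pid}
    parent = by_pid.get(event.ppid)
    while parent is not None and parent.pid not in seen:
        chain.append(parent)
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return chain

def chain_meets_condition(chain: List[ProcEvent], whitelist: List[str]) -> bool:
    """Claims 5-6: condition met only if a script parser is in the chain and the event is not whitelisted."""
    if not any(p.comm in SCRIPT_PARSERS for p in chain):
        return False  # claim 5: no script-parser ancestor, so the spawn did not come from web-script execution
    return chain[0].cmdline not in whitelist  # claim 6: whitelist of known-benign history records

def detect(events: List[ProcEvent], test_case: str, whitelist: List[str]) -> bool:
    """Claims 1 and 7: vulnerability only when a matched event's chain meets the condition; no match means none."""
    target = match_events(events, test_case)
    by_pid = {ev.pid: ev for ev in events}
    return target is not None and chain_meets_condition(process_chain(target, by_pid), whitelist)

# Constructed sample stream: a php-fpm worker spawns a shell whose command line carries the test-case marker.
MARKER = "vdtest-7f3a"
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "systemd", "/sbin/init"),
    ProcEvent(900, 1, "php-fpm", "php-fpm: pool www"),
    ProcEvent(901, 900, "sh", f"sh -c echo {MARKER}"),
]
```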
CN201911063550.7A 2019-10-30 2019-10-30 Vulnerability detection method, device, equipment and computer storage medium Active CN110765464B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911063550.7A CN110765464B (en) 2019-10-30 2019-10-30 Vulnerability detection method, device, equipment and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911063550.7A CN110765464B (en) 2019-10-30 2019-10-30 Vulnerability detection method, device, equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN110765464A true CN110765464A (en) 2020-02-07
CN110765464B CN110765464B (en) 2024-06-21

Family

ID=69335762

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911063550.7A Active CN110765464B (en) 2019-10-30 2019-10-30 Vulnerability detection method, device, equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN110765464B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111723380A (en) * 2020-06-22 2020-09-29 深圳前海微众银行股份有限公司 A method and device for detecting component vulnerabilities
CN111935121A (en) * 2020-07-31 2020-11-13 北京天融信网络安全技术有限公司 Vulnerability reporting method and device
CN112019544A (en) * 2020-08-28 2020-12-01 支付宝(杭州)信息技术有限公司 Network interface security scanning method, device and system
CN112995236A (en) * 2021-05-20 2021-06-18 杭州海康威视数字技术股份有限公司 Internet of things equipment safety management and control method, device and system
CN113449298A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Detection method, device, equipment and medium for reverse shell processes
CN113536307A (en) * 2021-06-10 2021-10-22 安徽安恒数智信息技术有限公司 Identification method and system for credential scanning process
CN113779561A (en) * 2021-09-09 2021-12-10 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN114338240A (en) * 2022-03-07 2022-04-12 浙江网商银行股份有限公司 Vulnerability scanning method and device

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110231936A1 (en) * 2010-03-19 2011-09-22 Aspect Security Inc. Detection of vulnerabilities in computer systems
CN104168288A (en) * 2014-08-27 2014-11-26 中国科学院软件研究所 Automatic vulnerability discovery system and method based on protocol reverse parsing
US20150058680A1 (en) * 2011-12-16 2015-02-26 Codenomicon Oy Network-based testing service and method of testing in a network
CN105279435A (en) * 2014-06-11 2016-01-27 腾讯科技(深圳)有限公司 Webpage vulnerability detecting method and webpage vulnerability detecting device
CN105574416A (en) * 2015-12-16 2016-05-11 北京神州绿盟信息安全科技股份有限公司 Detection method and device of browser bug
CN106101145A (en) * 2016-08-10 2016-11-09 北京神州绿盟信息安全科技股份有限公司 Website vulnerability detection method and device
CN107733837A (en) * 2016-08-11 2018-02-23 杭州迪普科技股份有限公司 Anomaly detection method and device based on application-layer network anomaly messages
CN107832617A (en) * 2017-09-15 2018-03-23 北京知道未来信息技术有限公司 Black-box detection method and device for PHP code execution vulnerabilities
US20190114436A1 (en) * 2017-10-13 2019-04-18 Korea Internet & Security Agency Method for automatically detecting security vulnerability based on hybrid fuzzing, and apparatus thereof
US20190205543A1 (en) * 2018-01-03 2019-07-04 Beijing Jingdong Shangke Information Technology Co., Ltd. System and method for java deserialization vulnerability detection
CN110213399A (en) * 2019-06-05 2019-09-06 武汉思创易控科技有限公司 Dynamic Host Configuration Protocol server detection method, storage medium and terminal based on NETFILTER mechanism

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110231936A1 (en) * 2010-03-19 2011-09-22 Aspect Security Inc. Detection of vulnerabilities in computer systems
US20150058680A1 (en) * 2011-12-16 2015-02-26 Codenomicon Oy Network-based testing service and method of testing in a network
US20160337392A1 (en) * 2014-06-11 2016-11-17 Tencent Technology (Shenzhen) Company Limited Web page vulnerability detection method and apparatus
CN105279435A (en) * 2014-06-11 2016-01-27 腾讯科技(深圳)有限公司 Webpage vulnerability detecting method and webpage vulnerability detecting device
CN104168288A (en) * 2014-08-27 2014-11-26 中国科学院软件研究所 Automatic vulnerability discovery system and method based on protocol reverse parsing
CN105574416A (en) * 2015-12-16 2016-05-11 北京神州绿盟信息安全科技股份有限公司 Detection method and device of browser bug
CN106101145A (en) * 2016-08-10 2016-11-09 北京神州绿盟信息安全科技股份有限公司 Website vulnerability detection method and device
CN107733837A (en) * 2016-08-11 2018-02-23 杭州迪普科技股份有限公司 Anomaly detection method and device based on application-layer network anomaly messages
CN107832617A (en) * 2017-09-15 2018-03-23 北京知道未来信息技术有限公司 Black-box detection method and device for PHP code execution vulnerabilities
US20190114436A1 (en) * 2017-10-13 2019-04-18 Korea Internet & Security Agency Method for automatically detecting security vulnerability based on hybrid fuzzing, and apparatus thereof
US20190205543A1 (en) * 2018-01-03 2019-07-04 Beijing Jingdong Shangke Information Technology Co., Ltd. System and method for java deserialization vulnerability detection
CN109992970A (en) * 2018-01-03 2019-07-09 北京京东尚科信息技术有限公司 Java deserialization vulnerability detection system and method
CN110213399A (en) * 2019-06-05 2019-09-06 武汉思创易控科技有限公司 Dynamic Host Configuration Protocol server detection method, storage medium and terminal based on NETFILTER mechanism

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GUNAWAN D ET AL.: "SSL/TLS Vulnerability Detection Using Black Box Approach", 2ND INTERNATIONAL CONFERENCE ON COMPUTING AND APPLIED INFORMATICS 2017, vol. 978, 16 March 2018 (2018-03-16) *
赵健;王瑞;李思其;: "Research on Smart Home Vulnerability Mining Technology Based on Taint Analysis", 信息网络安全, no. 06, 10 June 2018 (2018-06-10) *
马凯;蔡皖东;姚烨;: "Method for Extracting SQL Injection Vulnerability Injection Points in a Web 2.0 Environment", 计算机技术与发展, no. 03, 10 March 2013 (2013-03-10) *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113449298A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Detection method, device, equipment and medium for reverse shell processes
CN113449298B (en) * 2020-03-24 2023-09-05 百度在线网络技术(北京)有限公司 Detection method, device, equipment and medium for reverse shell processes
CN111723380B (en) * 2020-06-22 2022-12-16 深圳前海微众银行股份有限公司 A method and device for detecting component vulnerabilities
CN111723380A (en) * 2020-06-22 2020-09-29 深圳前海微众银行股份有限公司 A method and device for detecting component vulnerabilities
CN111935121A (en) * 2020-07-31 2020-11-13 北京天融信网络安全技术有限公司 Vulnerability reporting method and device
CN111935121B (en) * 2020-07-31 2022-04-26 北京天融信网络安全技术有限公司 Vulnerability reporting method and device
CN112019544A (en) * 2020-08-28 2020-12-01 支付宝(杭州)信息技术有限公司 Network interface security scanning method, device and system
CN112995236A (en) * 2021-05-20 2021-06-18 杭州海康威视数字技术股份有限公司 Internet of things equipment safety management and control method, device and system
CN113536307A (en) * 2021-06-10 2021-10-22 安徽安恒数智信息技术有限公司 Identification method and system for credential scanning process
CN113779561A (en) * 2021-09-09 2021-12-10 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN114338240B (en) * 2022-03-07 2022-08-26 浙江网商银行股份有限公司 Vulnerability scanning method and device
CN114338240A (en) * 2022-03-07 2022-04-12 浙江网商银行股份有限公司 Vulnerability scanning method and device

Also Published As

Publication number Publication date
CN110765464B (en) 2024-06-21

Similar Documents

Publication Publication Date Title
CN110765464B (en) Vulnerability detection method, device, equipment and computer storage medium
US12050685B2 (en) Automated threat model generation
TWI603600B (en) Determine vulnerability using runtime agent and network sniffer
US10474826B2 (en) Methods and apparatuses for improved app security testing
US20130160130A1 (en) Application security testing
CN108664793B (en) Method and device for detecting vulnerability
CN103581185B (en) Cloud scanning and killing method, apparatus and system resistant to evasion testing
US12248563B1 (en) System and method for cybersecurity analyzer update and concurrent management system
US20150319221A1 (en) Tracing business transactions based on application frameworks
CN112685745B (en) Firmware detection method, device, equipment and storage medium
CN103780450B (en) Method and system for detecting URLs accessed by a browser
WO2021189257A1 (en) Malicious process detection method and apparatus, electronic device, and storage medium
US10701087B2 (en) Analysis apparatus, analysis method, and analysis program
WO2014018029A1 (en) Determining application vulnerabilities
US11977643B2 (en) Methods and systems of a software-based solution for autonomous application security testing of cloud-native applications
US9098704B2 (en) Method for function capture and maintaining parameter stack
GB2511329A (en) Web service black box testing
CN116881926A (en) A risk scanning method, system and computing device based on device code
CN112632534B (en) A method and device for detecting malicious behavior
CN110110524A (en) Vulnerability scanning and maintaining method for computing equipment system
CN103036895B (en) Status tracking method and system
CN116842530A (en) A device code risk early warning method, software system and computing device
CN117349830A (en) Application safety monitoring system and method
CN115828256A (en) Detection method for privilege-escalation and unauthorized-access logic vulnerabilities
CN115544513A (en) RASP-based IAST linkage real-time protection method and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant