CN112231711B - Vulnerability detection method and device, computer equipment and storage medium - Google Patents
Publication number: CN112231711B (application CN202011124781.7A)
Authority: CN (China)
Prior art keywords: vulnerability, test case, detected, page, detection
Legal status: Active (status as assumed by Google Patents, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Prevention of errors by analysis, debugging or testing of software
- G06F11/3668—Testing of software
- G06F11/3672—Test management
- G06F11/3684—Test management for test design, e.g. generating new test cases
Abstract
Embodiments of the present application disclose a vulnerability detection method and device, computer equipment and a storage medium. An embodiment receives a page acquisition request, sent by a terminal, carrying an object to be detected; acquires an object identifier of the object to be detected; fills a placeholder in a target test case template with the object identifier to obtain a vulnerability test case; processes the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case; feeds back to the terminal, based on the page acquisition request, a page display instruction carrying the target detection object, so as to instruct the terminal to display the corresponding page; and, when a browse operation event in that page triggers the vulnerability test case, determines that the object to be detected has a vulnerability. This improves the accuracy and reliability of vulnerability detection, so that vulnerabilities can be repaired in time, leakage of private information avoided, and information security improved.
Description
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a vulnerability detection method, a vulnerability detection device, a computer device, and a storage medium.
Background
A cross-site scripting (XSS) attack is one in which a malicious attacker adds malicious code to a web page and induces users to visit it; when a visitor browses the page, the malicious code executes on the user's terminal, so that the attacker steals user information (for example, leaked authentication credentials), or plants a Trojan horse on the terminal and remotely obtains control of it (operation hijacking), seriously harming the safety of the user terminal. Stored cross-site scripting (also called persistent cross-site scripting) is one type of cross-site scripting vulnerability: the malicious code is stored on the web server, and when a user visits a page of that server, the page pulls the malicious code from the server and executes it, which is extremely harmful.
In the prior art, a stored cross-site scripting vulnerability is detected within a single hypertext transfer protocol (HTTP) request. Specifically: a detection HTTP packet is first constructed, an HTTP request carrying the detection packet is sent to the server, and whether a vulnerability exists is then judged from the response characteristics of that request, such as response time, response code and response content. For example, if response characteristics such as response time, response code and response content match pre-stored attack characteristics, a stored cross-site scripting vulnerability is judged to exist.
Because the attack mode of a stored XSS vulnerability is quite hidden and the attacked web page may have no direct echo characteristic, a stored XSS vulnerability cannot be accurately detected from response characteristics; and when the writing point and the output point of the stored XSS vulnerability are separated, the page on which the written content will be output cannot be determined. Therefore, whether a stored XSS vulnerability exists cannot be accurately judged within a single HTTP request, the detection result contains a great number of missed reports, the accuracy and reliability of vulnerability detection are reduced, and the network security and reliability of the user terminal are reduced.
Disclosure of Invention
The embodiments of the present application provide a vulnerability detection method, a vulnerability detection device, computer equipment and a storage medium, which can improve the accuracy and reliability of vulnerability detection.
To solve the above technical problem, the embodiments of the present application provide the following technical solutions:
An embodiment of the present application provides a vulnerability detection method, comprising the following steps:
receiving a page acquisition request carrying an object to be detected, sent by a terminal;
acquiring an object identifier of the object to be detected;
filling a placeholder in a target test case template with the object identifier to obtain a vulnerability test case;
processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
feeding back to the terminal, based on the page acquisition request, a page display instruction carrying the target detection object, the page display instruction instructing the terminal to display a page corresponding to it;
when a browse operation event in the page triggers the vulnerability test case, determining that the object to be detected has a vulnerability.
According to an aspect of the present application, a vulnerability detection apparatus is also provided, comprising:
a receiving unit, configured to receive a page acquisition request carrying an object to be detected, sent by a terminal;
an acquisition unit, configured to acquire an object identifier of the object to be detected;
a filling unit, configured to fill a placeholder in a target test case template with the object identifier to obtain a vulnerability test case;
a splicing unit, configured to process the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
a feedback unit, configured to feed back to the terminal, based on the page acquisition request, a page display instruction carrying the target detection object, the page display instruction instructing the terminal to display a page corresponding to it;
and a determining unit, configured to determine that the object to be detected has a vulnerability when a browse operation event in the page triggers the vulnerability test case.
In one embodiment, the acquisition unit includes:
the analysis subunit is used for analyzing the object to be detected to obtain object parameters corresponding to the object to be detected;
And the generation subunit is used for generating the object identification of the object to be detected based on the object parameters.
In an embodiment, the object to be detected includes a web address, and the object parameters include the transmission protocol, domain name, port number, request path name and query parameters of the web address;
the generating subunit is specifically configured to:
perform a hash operation on the transmission protocol, the domain name, the port number, the request path name and the query parameters to obtain a hash value;
and determine the object identifier of the object to be detected based on the hash value.
In an embodiment, the generating subunit is specifically configured to:
acquire template identification information of the target test case template;
perform a hash operation, using a message digest algorithm, on the transmission protocol, the domain name, the port number, the request path name, the query parameters and the template identification information to obtain a hash value;
and determine the object identifier of the object to be detected based on the hash value.
In one embodiment, the filling unit is specifically configured to:
Identifying placeholders in the target test case template;
And when the identified placeholder is a preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
In one embodiment, the splicing unit is specifically configured to:
determining the position of test case identification information carried in the object to be detected;
and splicing the vulnerability test cases based on the positions to obtain a target detection object.
In an embodiment, the determining unit is specifically configured to:
receive, based on a browse operation event in the page, a vulnerability detection request sent by the terminal, the vulnerability detection request carrying a request source, the vulnerability test case and the object identifier;
and determine, based on the vulnerability test case and the object identifier in the vulnerability detection request, that the object to be detected has a stored cross-site scripting vulnerability, and locate the page having the stored cross-site scripting vulnerability based on the request source.
In an embodiment, the vulnerability detection device further includes:
an association storage unit, configured to store the page having the vulnerability and the object to be detected in association, based on the object identifier.
In an embodiment, the association storage unit is specifically configured to:
query, at preset intervals, a first database storing object information of the target detection object and a second database storing page information of the page;
and generate a vulnerability generation chain from the field storing the object identifier in the first database and the field storing the object identifier in the second database, so as to associate the page with the object to be detected.
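As an added example (not the patent's own code), the association step described above in Python: the two databases are joined on the field storing the object identifier to produce a vulnerability generation chain linking the writing point (the object to be detected) to the page or pages on which the test case was triggered, and page records whose identifier is unknown to the detection database are reported rather than silently dropped. The record fields, the alarm text and the sample contents of both databases are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime


# Records of the two databases named in the embodiment. Field names are
# assumed for this example; the page only states that both databases hold
# a field storing the object identifier.
@dataclass(frozen=True)
class DetectionRecord:          # first database: object information
    object_id: str
    obj: str                    # object to be detected (the writing point)
    test_case_number: str


@dataclass(frozen=True)
class PageRecord:               # second database: page information
    object_id: str
    request_source: str         # page on which the test case fired (the output point)
    seen_at: datetime


@dataclass
class VulnerabilityChain:
    object_id: str
    writing_point: str
    test_case_number: str
    output_pages: list = field(default_factory=list)


def build_vulnerability_chains(detection_db, page_db):
    """Join the two databases on the object identifier field.

    Returns (chains, unmatched): one chain per object identifier that has a
    detection record and at least one page record, plus the page records whose
    identifier is unknown to the detection database. Those cannot be attributed
    to a writing point and should be surfaced by the periodic query, not lost."""
    by_id = {r.object_id: r for r in detection_db}
    chains = {}
    unmatched = []
    for page in sorted(page_db, key=lambda p: p.seen_at):
        det = by_id.get(page.object_id)
        if det is None:
            unmatched.append(page)
            continue
        chain = chains.setdefault(page.object_id, VulnerabilityChain(
            page.object_id, det.obj, det.test_case_number))
        # The same page may trigger the test case repeatedly; record it once.
        if page.request_source not in chain.output_pages:
            chain.output_pages.append(page.request_source)
    return chains, unmatched


def alarm_information(chain):
    """Alarm text combining the vulnerability, the page(s) having it and the
    object to be detected (the generating unit / output unit of the page)."""
    pages = ", ".join(chain.output_pages)
    return (f"stored XSS: content written via {chain.writing_point} "
            f"({chain.test_case_number}) is rendered on {pages}")


# Constructed sample contents of both databases (identifiers are placeholders).
DETECTION_DB = [
    DetectionRecord("id-0001", "http://www.XXX.com?a=1", "test case 1"),
    DetectionRecord("id-0002", "http://www.XXX.com?a=1", "test case 2"),
]
PAGE_DB = [
    PageRecord("id-0001", "http://www.XXX.com/admin/comments", datetime(2021, 1, 1, 9, 0)),
    PageRecord("id-0001", "http://www.XXX.com/profile", datetime(2021, 1, 1, 9, 5)),
    PageRecord("id-0001", "http://www.XXX.com/admin/comments", datetime(2021, 1, 1, 9, 7)),
    PageRecord("id-9999", "http://www.XXX.com/unknown", datetime(2021, 1, 1, 9, 8)),
]

if __name__ == "__main__":
    found, orphans = build_vulnerability_chains(DETECTION_DB, PAGE_DB)
    for chain in found.values():
        print(alarm_information(chain))
    print("page records with unknown identifier:", len(orphans))
```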
In an embodiment, the vulnerability detection device further includes:
the generating unit is used for acquiring the vulnerability information and generating alarm information based on the vulnerability information, the page with the vulnerability and the object to be detected;
And the output unit is used for outputting the alarm information.
According to one aspect of the present application, there is further provided a vulnerability detection system, where the vulnerability detection system includes a server and a terminal, where the terminal is configured to send a page acquisition request carrying an object to be detected to the server;
the server is used for acquiring the object identification of the object to be detected, and filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
The server is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
The server is used for feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request;
the terminal is used for displaying a page corresponding to the page display instruction;
and the server is configured to determine that the object to be detected has a vulnerability when a browse operation event in the page triggers the vulnerability test case.
According to an aspect of the present application, there is also provided a computer device, including a processor and a memory, where the memory stores a computer program, and when the processor invokes the computer program in the memory, any one of the vulnerability detection methods provided by the embodiments of the present application is executed.
According to an aspect of the present application, there is also provided a storage medium for storing a computer program, the computer program being loaded by a processor to perform any one of the vulnerability detection methods provided by the embodiments of the present application.
An embodiment of the present application can receive a page acquisition request, sent by a terminal, carrying an object to be detected; acquire an object identifier of the object to be detected; and fill a placeholder in a target test case template with the object identifier to obtain a vulnerability test case. The vulnerability test case and the object to be detected can then be processed to obtain a target detection object containing the vulnerability test case. A page display instruction carrying the target detection object can then be fed back to the terminal based on the page acquisition request, instructing the terminal to display the corresponding page; when a browse operation event in that page triggers the vulnerability test case, it is determined that the object to be detected has a vulnerability. Because the target detection object is generated from the vulnerability test case, and the vulnerability is determined only when a browse operation event received in the page displayed for that target detection object actually triggers the test case, the accuracy and reliability of vulnerability detection are improved, so that vulnerabilities can be repaired in time, information leakage avoided and information security improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic view of a vulnerability detection system provided in an embodiment of the present application;
FIG. 2 is a schematic flow chart of a vulnerability detection method according to an embodiment of the present application;
FIG. 3 is another schematic flow chart of a vulnerability detection method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a server architecture according to an embodiment of the present application;
FIG. 5 is another schematic flow chart of a vulnerability detection method according to an embodiment of the present application;
FIG. 6 is another schematic flow chart of a vulnerability detection method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of storage fields in a detection record database and a vulnerability processing record database according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a terminal architecture and a server architecture provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of a vulnerability detection apparatus according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
The embodiment of the application provides a vulnerability detection method, a vulnerability detection device, computer equipment and a storage medium.
Referring to FIG. 1, FIG. 1 is a schematic view of a scenario of a vulnerability detection system provided by an embodiment of the present application. The vulnerability detection system may include a server 10 and a terminal 20, and the vulnerability detection device may be integrated in the server 10. The server 10 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and big data and artificial intelligence platforms, without being limited thereto.
A database, which may be thought of as an electronic filing cabinet, is a place where electronic files are stored; a user may add, query, update and delete data in those files. A "database" is a collection of data stored together in a manner that can be shared with multiple users, with as little redundancy as possible and independent of the application.
Cloud computing is a computing model that distributes computing tasks across a large pool of computers, enabling application systems to acquire computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". From the user's point of view, resources in the cloud are infinitely expandable and can be acquired at any time, used as needed, expanded at any time and paid for according to use.
Cloud storage is a concept that extends and develops the concept of cloud computing. A distributed cloud storage system (hereinafter, storage system) integrates a large number of storage devices of various types (also called storage nodes) in a network, through functions such as cluster application, grid technology and a distributed storage file system, so that they work cooperatively through application software or application interfaces and provide data storage and service access functions externally.
The server 10 may be directly or indirectly connected to the terminal 20 through wired or wireless communication, and the present application is not limited thereto. The terminal 20 may be a cell phone, tablet computer, notebook computer, desktop computer, smart television, wearable device, or the like.
The terminal 20 may be configured to send a page acquisition request carrying an object to be detected to the server. The server 10 may be configured to obtain an object identifier of an object to be detected, and fill placeholders in a target test case template according to the object identifier, so as to obtain a vulnerability test case. The server 10 may be configured to process the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case. The server 10 may be configured to feed back a page display instruction carrying the target detection object to the terminal based on the page acquisition request. The terminal 20 may be configured to display a page corresponding to the page display instruction. The server 10 may be configured to determine that the object to be detected has a vulnerability when a browse operation event in the page triggers a vulnerability test case.
Specifically, the server 10 may receive a page acquisition request carrying an object to be detected sent by the terminal 20, parse the object to be detected (for example, a web address) to obtain its object parameters, generate an object identifier of the object to be detected from the object parameters, and fill a placeholder in a target test case template with the object identifier to obtain a vulnerability test case; the vulnerability test case and the object to be detected can then be processed (for example, spliced) to obtain a target detection object containing the vulnerability test case. The server 10 may then feed back a page display instruction carrying the target detection object to the terminal 20 based on the page acquisition request, and the terminal 20 may display the corresponding page. When a browse operation event such as a sliding or clicking operation is received in the page and that event triggers the vulnerability test case, it can be determined that the object to be detected has a vulnerability (for example, a stored cross-site scripting vulnerability); the page having the vulnerability and the object to be detected can be stored in association based on the object identifier, and the page having the vulnerability can be accurately located from the request source, which improves the accuracy and reliability of vulnerability detection. The server 10 may also generate alarm information corresponding to the vulnerability and send it to the terminal 20 for display, or to a specified mailbox or instant messaging account, so that the vulnerability is repaired in time, information leakage avoided, and information security and cloud security improved.
Cloud security is a generic term for security software, hardware, users, institutions and secure cloud platforms based on the cloud computing business model. Cloud security merges emerging technologies and concepts such as parallel processing, grid computing and judgement of unknown virus behaviour: a large number of networked clients monitor abnormal software behaviour in the network, obtain the latest information on Trojans and malicious programs on the Internet, and send it to a server (i.e. the server 10) for automatic analysis and processing, which then distributes solutions for the viruses and Trojans to every client (i.e. the client on the terminal 20).
It should be noted that, the schematic view of the scenario of the vulnerability detection system shown in fig. 1 is only an example, and the vulnerability detection system and the scenario described in the embodiment of the present application are for more clearly describing the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided by the embodiment of the present application, and as a person of ordinary skill in the art can know that, along with the evolution of the vulnerability detection system and the appearance of a new service scenario, the technical solution provided by the embodiment of the present application is equally applicable to similar technical problems.
The following describes each of these in detail. The order in which the embodiments are described is not intended to limit which embodiments are preferred.
In this embodiment, a description will be given from the perspective of a vulnerability detection apparatus, which may be specifically integrated in a computer device such as a server.
Referring to fig. 2, fig. 2 is a flowchart illustrating a vulnerability detection method according to an embodiment of the application. The vulnerability detection method may include:
S101, receiving a page acquisition request carrying an object to be detected, sent by a terminal.
S102, obtaining an object identification of an object to be detected.
The object to be detected may include a web address or a web loading path. The web address may be a uniform resource locator (URL); for example, the object to be detected may be http://www.XXX.com?a=1. It should be noted that, to protect privacy, the specific web address is replaced by "XXX"; the specific content of "XXX" may be set flexibly according to actual needs and is not limited here. When the terminal needs to display a page, the page acquisition request carrying the object to be detected, sent by the terminal, can be received.
The object identifier is used for uniquely identifying the object to be detected, a mapping relation can be established between the object identifier and the object to be detected, and the object to be detected can be accurately positioned through the object identifier. The object identifier may be composed of any one or more of numbers, letters, text symbols, characters and the like, and specific content may be flexibly set according to actual needs, for example, the object identifier may be a hash value generated based on object parameters of the object to be detected, or an index value generated based on object parameters of the object to be detected, and the like.
In an embodiment, obtaining the object identifier of the object to be detected may include: analyzing the object to be detected to obtain object parameters corresponding to the object to be detected; an object identification of the object to be detected is generated based on the object parameters.
The object to be detected may include a web address, and the object parameters may include the transmission protocol of the web address (e.g. a URL), the domain name, the port number, the request path name and the query parameters; the query parameters may include GET/POST parameters. For example, for http://www.XXX.com?a=1, the transmission protocol may be the hypertext transfer protocol (HTTP), the domain name may be xxx.com, the port number may be www, the request path name may be www.XXX.com, and the query parameter may be a=1.
To improve the accuracy of object identifier acquisition, the object identifier may be generated from the object parameters of the object to be detected. Specifically, the object to be detected may first be acquired. In an embodiment, to improve the reliability of acquisition, the object to be detected may be input manually: for example, an edit instruction input by a user in an edit text box displayed by the terminal may be received, the object to be detected input on the basis of that edit instruction, and the page acquisition request carrying the object to be detected then received from the terminal. In another embodiment, to improve the convenience and flexibility of acquisition, the object to be detected may be loaded automatically, for example from a database storing objects to be detected.
It should be noted that, to facilitate subsequent detection, the login state of the object to be detected may also be acquired when the object is acquired. The login state may include Cookies or a special response header. Cookies are data stored on the user's local terminal to distinguish the user's identity; using Cookies, the user's login state can be determined, so that the user is prevented from directly entering pages that require login, or pages for which the user has no permission, and so on.
After the object to be detected is acquired, it can be parsed to obtain its object parameters. For example, when the object to be detected is a URL web address, the object parameters obtained by decomposing the URL may include the transmission protocol, domain name, port number, request path name and query parameters of the URL.
An object identification of the object to be detected may then be generated based on the object parameters. In an embodiment, generating the object identification of the object to be detected based on the object parameters may include: carrying out hash value operation on a transmission protocol, a domain name, a port number, a request path name and a query parameter to obtain a hash value; an object identification of the object to be detected is determined based on the hash value.
In order to improve accuracy and reliability of object identification acquisition, hash value operation can be performed on a transmission protocol, a domain name, a port number, a request path name and a query parameter to obtain a hash value. In an embodiment, performing a hash value operation on the transmission protocol, the domain name, the port number, the request path name, and the query parameter, and obtaining the hash value may include: acquiring template identification information of a target test case template; and carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value.
The target test case template can be flexibly set according to actual needs, can be obtained from a template library, or is input by a user, and the like, and then template identification information of the target test case template can be obtained.
The template identification information of the target test case template may include a target parameter name of the target test case template, a test case number, and the like, for example, for http:// www.XXX.coma =1, the target parameter name may be a, and the test case number may be test case 1, test case 2, and the like.
At this time, a hash operation can be performed, using a message digest algorithm, on the transmission protocol, the domain name, the port number, the request path name, the query parameters and the template identification information to obtain a hash value. The specific message digest algorithm can be set flexibly according to actual needs; for example, it may be a message digest (MD) algorithm, a secure hash algorithm (SHA), a message authentication code (MAC) and the like, where MD may include MD2, MD4, MD5, etc., and SHA may include SHA-1, SHA-2, etc.
For example, the hash operation may be: hash value = message digest algorithm(transmission protocol + domain name + port number + request path name + query parameters + target parameter name + test case number). The object identifier of the object to be detected may then be determined from the hash value; for example, the hash value itself may be used as the object identifier.
After obtaining the hash value, the hash value and the object to be detected (e.g., URL) may be stored in a detection record Database (DB), which may be a first Database for storing object information of the target detection object, for use in subsequent association. The object information may include, among other things, a transport protocol, a domain name, a port number, a request path name, and an object identification (e.g., hash value) of the object to be detected.
S103, filling placeholders in the target test case template according to the object identification to obtain the vulnerability test case.
The target test case template can be flexibly set according to actual needs, for example, the target test case template can be a test case template for vulnerability detection, and a placeholder for filling object identifiers can be arranged in the target test case template. After the object identifier is obtained, the placeholder in the target test case template may be filled with the object identifier, so that a vulnerability test case (may be referred to as a Payload) may be obtained, where the vulnerability test case may be a hypertext markup language (Hyper Text Markup Language, HTML) tag.
It should be noted that there may be one or more target test case templates. When there is one target test case template, the placeholder in that target test case template is filled with the object identifier to obtain a vulnerability test case; when there are a plurality of target test case templates, the placeholder in each target test case template is filled with the object identifier, so that a plurality of vulnerability test cases, such as vulnerability test case 1, vulnerability test case 2, vulnerability test case 3, and the like, can be obtained.
In an embodiment, filling placeholders in the target test case template according to the object identifier, and obtaining the vulnerability test case may include: identifying placeholders in the target test case template; and when the identified placeholder is the preset placeholder, writing the object identifier into the position where the preset placeholder is positioned, and obtaining the vulnerability test case.
In order to improve the efficiency and flexibility of obtaining the vulnerability test case, in the process of filling the placeholders in the target test case template by using the object identifiers, the placeholders in the target test case template can be identified first. For example, when the following are included in the target test case template:
<img src="//XXX hostname/_<hash value placeholder>_"/>
<iframe src="//XXX hostname/_<hash value placeholder>_"></iframe>
the placeholder <hash value placeholder> in the target test case template may be identified. When the identified placeholder is a preset placeholder (such as the hash value placeholder), the object identifier (such as the hash value) can be written into the position where the preset placeholder is located, so as to obtain the vulnerability test case.
It should be noted that, in order to facilitate the generation of the subsequent browsing operation event, a mouse event attribute that is easily triggered may be added to the target test case template so that a JavaScript script is executed, and special style attributes (including attributes for mouse movement or clicking operations and the like) may be added to increase the probability that a browsing operation event is triggered. The specific content can be as follows:
" = document. Src='// XXX hostname/_< hash value placeholder >_';document.body.appendChild(z);\"style=\"width:100%;height:100%;position:fixed;left:0px;top:0px;\"
The obtained hash value can be used to dynamically replace the preset placeholder (namely _<hash value placeholder>_) in the target test case template, so that a unique test case (namely, the vulnerability test case) bound to the current vulnerability detection is generated.
S104, processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case.
After the vulnerability test case is obtained, the vulnerability test case and the object to be detected can be processed, where the processing may comprise splicing: for example, the vulnerability test case can be spliced at the tail of the object to be detected, at the head of the object to be detected, or at a preset position (which can be flexibly set according to actual needs) between the head and the tail of the object to be detected, and the like, so that the target detection object containing the vulnerability test case is obtained.
In an embodiment, processing the vulnerability test case and the object to be detected to obtain the target detection object including the vulnerability test case may include: determining the position of test case identification information carried in an object to be detected; and splicing the vulnerability test cases based on the positions to obtain the target detection object.
In order to improve the flexibility and convenience of splicing, test case identification information carried in the object to be detected can be identified; the test case identification information can be a test case parameter name, a query parameter, or the like. The position of the test case identification information in the object to be detected is determined, and the vulnerability test case can then be spliced after the position of the test case identification information to obtain the target detection object. For example, for the object to be detected http://www.XXX.com?a=1 and the vulnerability test case payload, the target detection object may be spliced as http://www.XXX.com?a=1<payload>. Alternatively, the vulnerability test case can be spliced before the value at the position of the test case identification information to obtain the target detection object. For example, for the object to be detected http://www.XXX.com?a=1 and the vulnerability test case payload, the target detection object may be spliced as http://www.XXX.com?a=<payload>1. Alternatively, the value at the position of the test case identification information is replaced with the vulnerability test case to obtain the target detection object. For example, for the object to be detected http://www.XXX.com?a=1 and the vulnerability test case payload, the target detection object may be spliced as http://www.XXX.com?a=<payload>.
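The three steps above, carried through in Python as an added example (not code from the patent): the hash value is computed over the URL components plus the template identification information, the preset placeholder in the target test case template is filled, and the payload is spliced at each of the three positions described. The newline field separator, the choice of SHA-256, and filling in the scheme's default port when the URL omits it are assumptions made here.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Added example, not code from the patent: object identifier (hash value),
# placeholder filling and splicing for the object to be detected.

PRESET_PLACEHOLDER = "<hash value placeholder>"
# Target test case template as given in the description; "XXX hostname" stands
# for the host of the vulnerability detection device that receives the callback.
TARGET_TEMPLATE = '<img src="//XXX hostname/_' + PRESET_PLACEHOLDER + '_"/>'
DEFAULT_PORTS = {"http": 80, "https": 443}


def object_parameters(url):
    """Split the object to be detected into transmission protocol, domain name,
    port number, request path name and query parameter."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("object to be detected must be an absolute URL")
    # Assumption: a missing port is normalised to the scheme's default port so
    # that http://host/ and http://host:80/ yield the same object identifier.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme, 0)
    return {"protocol": parts.scheme, "domain": parts.hostname, "port": port,
            "path": parts.path, "query": parts.query}


def object_identifier(url, target_param_name, test_case_number, algorithm="sha256"):
    """hash value = digest(protocol + domain + port + path + query
                           + target parameter name + test case number).
    Assumption: fields are joined with a newline so that neighbouring fields
    cannot run into each other and collide (e.g. path 'ab'/query 'c' versus
    path 'a'/query 'bc')."""
    p = object_parameters(url)
    fields = [p["protocol"], p["domain"], str(p["port"]), p["path"], p["query"],
              target_param_name, str(test_case_number)]
    return hashlib.new(algorithm, "\n".join(fields).encode("utf-8")).hexdigest()


def fill_template(template, hash_value):
    """Write the object identifier into the position of the preset placeholder."""
    if PRESET_PLACEHOLDER not in template:
        raise ValueError("target test case template carries no preset placeholder")
    return template.replace(PRESET_PLACEHOLDER, hash_value)


def splice(url, target_param_name, payload, mode="tail"):
    """Splice the vulnerability test case relative to the test case
    identification information, i.e. the query parameter target_param_name:
      tail    -> ?a=1<payload>
      head    -> ?a=<payload>1
      replace -> ?a=<payload>"""
    parts = urlsplit(url)
    spliced, found = [], False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == target_param_name:
            found = True
            if mode == "tail":
                value = value + payload
            elif mode == "head":
                value = payload + value
            elif mode == "replace":
                value = payload
            else:
                raise ValueError("unknown splice mode: " + mode)
        spliced.append((name, value))
    if not found:
        raise KeyError("test case identification information not found: " + target_param_name)
    # The payload is kept verbatim, as in the description's examples (no percent-encoding).
    query = "&".join(name + "=" + value for name, value in spliced)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def build_target_detection_object(url, target_param_name, test_case_number, mode="tail"):
    """The three steps in one call: hash value -> vulnerability test case -> target detection object."""
    hash_value = object_identifier(url, target_param_name, test_case_number)
    payload = fill_template(TARGET_TEMPLATE, hash_value)
    return hash_value, payload, splice(url, target_param_name, payload, mode)


if __name__ == "__main__":
    for item in build_target_detection_object("http://www.XXX.com?a=1", "a", 1):
        print(item)
```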
S105, feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction.
After the target detection object is obtained, a page display instruction carrying the target detection object can be generated, the page display instruction can be an HTTP request, and then the page display instruction carrying the target detection object can be fed back to the terminal based on the page acquisition request, so that the terminal can display a page corresponding to the page display instruction.
It should be noted that, in order to determine the login state of the terminal conveniently, the page display instruction may carry the login state, so as to determine the login state of the terminal through the login state, control the terminal to enter some pages through login, and so on.
S106, when the browse operation event in the page triggers the vulnerability test case, determining that the object to be detected has the vulnerability.
The browsing operation event may include a movement operation (or a sliding operation) within the displayed page, a clicking operation within the displayed page, and the like. For example, the browsing operation event may be generated by a mouse moving or clicking operation within a display page of a terminal (e.g., a computer), or the browsing operation event may be generated by a finger or a stylus moving or clicking operation within a display page of a terminal (e.g., a mobile phone).
After the terminal displays the page corresponding to the page display instruction, if the object to be detected has a vulnerability, the vulnerability test case is implanted into a data source of the page, and when a browsing operation event is generated by browsing the page with a client such as a browser, the vulnerability test case is triggered; at this time, it can be determined that the object to be detected has the vulnerability. The vulnerability types can include reflection type XSS, storage type XSS, XSS based on the document object model (Document Object Model, DOM), and the like. When the browsing operation event in the page does not trigger the vulnerability test case, it is determined that the object to be detected does not have the vulnerability.
In an embodiment, determining that the object to be detected has the vulnerability may include: receiving, based on a browsing operation event in the page, a vulnerability detection request sent by the terminal, where the vulnerability detection request carries a request source, the vulnerability test case and the object identifier; determining that the object to be detected has a storage type cross-site scripting vulnerability based on the vulnerability test case and the object identifier in the vulnerability detection request; and locating the page with the storage type cross-site scripting vulnerability based on the request source.
The vulnerability detection request may be an HTTP request, and may carry information such as the request source, the vulnerability test case and the object identifier, where the request source indicates the page link to which the vulnerability detection request belongs and may be carried in a header field of the vulnerability detection request.
Because the vulnerability test case can be an HTML tag, when the terminal outputs the page with the client, the implantation of the vulnerability test case can be passively triggered, and a vulnerability detection request is sent to the vulnerability detection device. The vulnerability detection device can monitor the request log in real time: when a browsing operation event is generated in the page displayed by the terminal, the device receives the vulnerability detection request sent by the terminal, records the vulnerability detection request carrying the vulnerability test case Payload, extracts the request source (Referer), the vulnerability test case and the object identifier (such as the hash value) from the vulnerability detection request, and stores them in the database DB for subsequent association. At this time, it may be determined that the object to be detected has a storage type cross-site scripting vulnerability based on the vulnerability test case and the object identifier in the vulnerability detection request, and the page where the storage type cross-site scripting vulnerability exists may be accurately located based on the request source. According to the principle of storage type XSS vulnerabilities, the method writes the vulnerability test case into the database through the interface to be detected, and the page outputs it; when a user browses the output page with a client on a terminal, the implantation of the vulnerability test case Payload is passively triggered, so that the judgment of whether a vulnerability risk exists, the alarm notification of the vulnerability risk, and the like are asynchronously realized.
For example, the vulnerability test case may be <img src="http://vulnerability detection device.XXX.com/xxx/hash value"/>. If the vulnerability test case is triggered, that is, rendered and displayed in the page, a storage type XSS vulnerability exists. When the terminal renders and displays <img src="http://vulnerability detection device.XXX.com/xxx/hash value"/> while the page is accessed in the background, the client requests the resource pointed to by the URL "http://vulnerability detection device.XXX.com/xxx/hash value" (that is, the vulnerability detection device), and the vulnerability detection device detects the vulnerability detection request for "http://vulnerability detection device.XXX.com/xxx/hash value". It is then determined that the object to be detected has a storage type XSS vulnerability based on the vulnerability test case and the object identifier in the vulnerability detection request, and the page with the storage type cross-site scripting vulnerability is accurately located based on the request source. The method and the device thereby realize automatic vulnerability detection, improve the accuracy of storage type XSS vulnerability detection, and reduce the detection cost.
In an embodiment, after determining that the object to be detected has the vulnerability, the vulnerability detection method may further include: storing the page with the vulnerability and the object to be detected in an associated manner based on the object identifier.
In order to improve the accuracy of the vulnerability detection result so that the relevant responsible persons can take measures to repair the vulnerability quickly, the page with the vulnerability can be associated with the object to be detected. For example, with the object identifier (such as the hash value) as the primary key, the page with the vulnerability and the object to be detected (such as the URL) can be associated and stored based on the object identifier, so that the URL and the page generating the storage type XSS vulnerability can be accurately associated and located, connected in series, and a complete vulnerability generation chain can be obtained.
According to this embodiment, an asynchronous detection mode is adopted: the object parameters of the object to be detected (such as a URL) are extracted, an object identifier (such as a hash value) is obtained by operating on the object parameters with a message digest algorithm, a vulnerability test case is generated based on the object identifier, and the vulnerability test case is carried in the detection sent out (such as the page display instruction). A report of the existence state of the vulnerability (such as the vulnerability detection request) is then received, the object identifier is parsed out, and, with the object identifier as the primary key, the object to be detected is automatically associated with the page in which the vulnerability exists, thereby improving the accuracy of the vulnerability detection result.
In an embodiment, storing the page with the vulnerability and the object to be detected in association based on the object identifier may include: querying, at preset time intervals, a first database for storing object information of the target detection object and a second database for storing page information of the page; and generating a vulnerability generation chain based on the object identifier field stored in the first database and the object identifier field stored in the second database, so as to associate the page with the object to be detected.
The preset time can be flexibly set according to actual needs, the object information can include a transmission protocol, a domain name, a request source, an object identifier, a port number, a request path name and the like of the target detection object, and the page information can include the request source, the object identifier and the like. In the process of vulnerability detection, object information of the detected target detection object can be stored in time to a first database, and page information of a page can be stored in time to a second database.
In order to improve the convenience of association between the page and the object to be detected, the first database and the second database can be queried at preset time intervals, and a vulnerability generation chain is generated, taking the object identifier in the fields as the primary key, based on the object identifier field in the queried first database and the object identifier field in the second database, so as to associate the page with the object to be detected.
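The vulnerability processing and association side, as an added example that is not the patent's code: it scans constructed web server request log lines for the Payload feature, keeps only hash values that the detection module actually issued (an unknown hash is scanner noise or a forged callback, not a finding), records request source and hash value as page information, and joins the two databases on the hash value field to produce the vulnerability generation chain. The combined log format, the hash values and the database contents are all constructed here.

```python
import hashlib
import re

# Added example, not code from the patent: vulnerability processing module and
# association module working from the detection device's request log.

def _constructed_hash(label):
    """Constructed object identifiers standing in for hashes issued by the detection module."""
    return hashlib.sha256(label.encode("utf-8")).hexdigest()

HASH_PROFILE = _constructed_hash("constructed detection 1")
HASH_SEARCH = _constructed_hash("constructed detection 2")

# Constructed first database (detection record DB): hash value -> object information
# of the target detection object, written when the test case was issued.
DETECTION_RECORD_DB = {
    HASH_PROFILE: {"protocol": "http", "domain": "www.XXX.com", "port": 80,
                   "path": "/profile/save", "query": "nick=1"},
    HASH_SEARCH: {"protocol": "http", "domain": "www.XXX.com", "port": 80,
                  "path": "/search", "query": "q=1"},
}

# Assumption: the detection device's web server writes combined log format; the
# referer field carries the request source (the page that rendered the payload).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Payload feature: the object identifier sits between underscores in the request path.
PAYLOAD_RE = re.compile(r"/_([0-9a-f]{64})_")


def parse_vulnerability_detection_request(line):
    """Return (hash value, request source) for a log line that carries the
    Payload feature; None for any other request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    feature = PAYLOAD_RE.search(m.group("path"))
    if not feature:
        return None
    referer = m.group("referer")
    return feature.group(1), (referer if referer and referer != "-" else None)


def process_request_log(lines, detection_record_db):
    """Vulnerability processing module: build the second database (page information).
    Only hash values present in the detection record DB are accepted."""
    page_records = []
    for line in lines:
        parsed = parse_vulnerability_detection_request(line)
        if parsed is None:
            continue
        hash_value, request_source = parsed
        if hash_value not in detection_record_db:
            continue  # not issued by us: noise or forged callback, not a finding
        page_records.append({"hash": hash_value, "request_source": request_source})
    return page_records


def associate(detection_record_db, page_records):
    """Association module: join both databases on the hash value field and
    return one vulnerability generation chain per triggered test case."""
    chains = []
    for rec in page_records:
        obj = detection_record_db[rec["hash"]]
        url = "%s://%s:%d%s?%s" % (obj["protocol"], obj["domain"], obj["port"],
                                   obj["path"], obj["query"])
        chains.append({"hash": rec["hash"], "object_to_be_detected": url,
                       "page_with_vulnerability": rec["request_source"]})
    return chains


# Constructed request log: one genuine callback with a Referer, an unrelated
# request, a callback with a hash we never issued, and a callback without Referer.
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [10/Oct/2020:10:00:01 +0800] "GET /_%s_ HTTP/1.1" 200 0 '
    '"http://www.XXX.com/profile/view?id=7" "Mozilla/5.0"' % HASH_PROFILE,
    '203.0.113.5 - - [10/Oct/2020:10:00:02 +0800] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2020:10:00:03 +0800] "GET /_%s_ HTTP/1.1" 200 0 '
    '"http://www.XXX.com/forum/1" "curl/7.64"' % ("0" * 64),
    '203.0.113.5 - - [10/Oct/2020:10:00:04 +0800] "GET /_%s_ HTTP/1.1" 200 0 "-" "Mozilla/5.0"' % HASH_SEARCH,
]

if __name__ == "__main__":
    for chain in associate(DETECTION_RECORD_DB, process_request_log(CONSTRUCTED_LOG, DETECTION_RECORD_DB)):
        print(chain)
```

A callback without a Referer still proves the test case was rendered somewhere, so it is kept in the chain with the page left unknown rather than dropped.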
In an embodiment, after determining that the object to be detected has the vulnerability, the vulnerability detection method may further include: acquiring vulnerability information, and generating alarm information based on the vulnerability information, a page with the vulnerability and an object to be detected; and outputting alarm information.
The vulnerability information may include information of a responsible person related to vulnerability repair, an object identifier, and the like, so that in order to timely notify a relevant responsible person of a vulnerability detection result, so as to timely repair the vulnerability, alarm information may be automatically sent. For example, pre-stored vulnerability information such as responsible person information can be queried, alarm information is generated based on the vulnerability information, a page with the vulnerability and an object to be detected, and the type of the alarm information can be flexibly set according to actual needs.
At this time, the warning information may be output, for example, the warning information may be transmitted to the terminal so that the terminal displays the warning information in the display interface. For another example, the responsible person may be notified in time by sending an alarm message to the mail of the responsible person based on the responsible person information. For another example, alert information may be sent to a designated instant messaging account to indicate that a vulnerability exists. Therefore, judgment of whether the vulnerability risk exists, alarm notification of the vulnerability risk and the like are asynchronously realized, accurate and rich vulnerability detection results are provided, and quick processing and closed loop of the vulnerability risk are facilitated.
The embodiment of the application can acquire the object identification of the object to be detected, and fill the placeholder in the target test case template according to the object identification to obtain the vulnerability test case; then, the vulnerability test case and the object to be detected can be processed to obtain a target detection object containing the vulnerability test case; at the moment, a page display instruction carrying a target detection object can be fed back to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction; when the browse operation event in the page triggers the vulnerability test case, determining that the object to be detected has the vulnerability. According to the method, the target test object is generated based on the vulnerability test case, and when the terminal triggers the vulnerability test case based on the received browse operation event in the page displayed by the page display instruction carrying the target test object, the vulnerability of the object to be detected is determined, so that the accuracy and reliability of vulnerability detection are improved, the vulnerability can be repaired in time, information leakage is avoided, and information safety is improved.
The method described in the above embodiments is described in further detail below by way of example.
In this embodiment, the vulnerability detection device is integrated in the server, and the object to be detected is a URL, and the object identifier is a hash value, as shown in fig. 3, fig. 3 is a flow chart of the vulnerability detection method according to the embodiment of the present application. The method flow may include:
S201, the server acquires the URL of the object to be detected.
The server may receive the URL sent by the terminal or load the URL from a database.
S202, the server analyzes the URL, calculates a hash value based on the analyzed URL, and stores object information of the URL.
The server analyzes the URL to obtain the object parameters of the URL, where the object parameters may include a transmission protocol, a domain name, a port number, a request path name, a query parameter, and the like of the URL. Then, hash value operation can be performed on object parameters such as a transmission protocol, a domain name, a port number, a request path name, a query parameter and the like through a message digest algorithm to obtain a hash value. And may store the object information of the URL to a first database (i.e., a detection record database). The object information may include a transmission protocol of URL, a domain name, a port number, a request path name, a hash value, and the like.
S203, the server generates a vulnerability detection test case based on the hash value.
The server can fill placeholders in the target test case template by utilizing the hash value to obtain the vulnerability test case.
S204, the server splices the vulnerability detection test case and the URL to obtain a target URL containing the vulnerability detection test case.
For example, the server may splice the vulnerability detection test cases at the tail of the URL to obtain the target URL containing the vulnerability detection test cases.
S205, the server sends a page display instruction carrying the target URL to the terminal, and the page is displayed on the terminal based on the page display instruction.
The page display instruction may be an HTTP request.
S206, when the vulnerability detection test case is triggered in the displayed page, the server determines that the URL has a storage type XSS vulnerability.
For example, when a browse operation event is generated by a mouse movement, a click operation or the like within the page displayed on the terminal, and the browse operation event triggers the vulnerability detection test case, the server may determine that the URL has a storage type XSS vulnerability.
S207, the server stores page information of the page.
The page information may include a request source of the page, a hash value, and the like.
S208, the server associates the URL with the page with the vulnerability.
The server may associate URLs with pages for which vulnerabilities exist based on the hash value.
S209, the server outputs alarm information related to the vulnerability detection result.
For example, alert information may be sent to the terminal such that the terminal displays the alert information within the display interface. For another example, an alert message may be sent to a designated mail to timely notify the associated responsible person. For another example, alert information or the like may be sent to a designated instant messaging account.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and the portions of an embodiment that are not described in detail in the foregoing embodiments may be referred to the detailed description of the vulnerability detection method, which is not repeated herein.
In order to better implement vulnerability detection, improve convenience and flexibility of vulnerability detection and improve efficiency of asynchronous detection, the server may be divided into a plurality of modules for collaborative detection, for example, the server may include a detection module, a vulnerability processing module, a detection record database, a vulnerability processing record database, an association module, and the like.
As shown in fig. 4, the detection module may be connected to the detection record database, the vulnerability processing module may be connected to the vulnerability processing record database, the association module may be connected to the detection record database and the vulnerability processing record database, and the detection module and the vulnerability processing module may be respectively connected to the terminal.
The detection module can be used for analyzing the URL of the detection object, calculating a hash value, generating a vulnerability test case, splicing target URLs, sending a page display instruction to the terminal and the like.
The vulnerability processing module may be configured to determine whether a vulnerability exists, generate and send alert information, and the like.
The detection record database may be used to store object information for URLs.
The vulnerability processing record database may be used to store page information for pages.
The association module may be used to associate URLs with pages where vulnerabilities exist.
Referring to fig. 5, fig. 5 is a flowchart illustrating a vulnerability detection method according to an embodiment of the present application. The method flow may include:
S20, the detection module receives a page acquisition request carrying the URL of the object to be detected, which is sent by the terminal.
For example, as shown in fig. 6, the URL of the object to be detected, which is carried in the page acquisition request sent by the terminal, may be sent to the detection module.
S21, the detection module acquires the URL of the object to be detected from the page acquisition request.
For example, as shown in fig. 6, the detection module may receive an incoming URL, and in order to facilitate subsequent detection of the object to be detected, the page acquisition request may further carry a login state of the object to be detected, where the login state may include Cookies or a special response header.
S22, analyzing the URL by the detection module, and calculating a hash value based on the analyzed URL.
The detection module can analyze the URL and obtain object parameters such as a transmission protocol, a domain name, a port number, a request path name, a query parameter and the like of the URL. Then, hash value operation can be performed on object parameters such as a transmission protocol, a domain name, a port number, a request path name, a query parameter and the like through a message digest algorithm to obtain a hash value.
S23, the detection module sends the object information of the URL to a detection record database, and the detection record database stores the object information.
The object information may include a transmission protocol of URL, a domain name, a port number, a request path name, a hash value, and the like. The object information may be referred to as URL information, and for example, as shown in fig. 6, the URL information may be stored in a detection record database (may be referred to as detection record DB).
S24, the detection module generates a vulnerability test case based on the hash value.
The detection module can fill placeholders in the target test case template by utilizing the hash value to obtain the vulnerability test case Payload.
And S25, the detection module splices the vulnerability test case and the URL to obtain a target URL containing the vulnerability test case.
For example, as shown in fig. 6, the detection module may splice the vulnerability detection test case at the tail of the URL, so as to splice a target URL containing the Payload of the vulnerability detection test case.
S26, the detection module sends a page display instruction carrying the target URL to the terminal.
The page display instruction may be an HTTP request, for example, because the target URL includes a Payload, and the page display instruction carries the target URL, the detection module in fig. 6 may send the HTTP request including the Payload to the terminal.
And S27, the terminal displays the page based on the page display instruction.
S28, the terminal receives a browse operation event generated in the page and monitors whether the browse operation event triggers the vulnerability test case.
And S29, when the browse operation event triggers the vulnerability test case, the terminal sends a vulnerability detection request to the vulnerability processing module.
The vulnerability detection request may be an HTTP request carrying a hash value, a vulnerability test case, a request source, and the like. For example, as shown in fig. 6, a browse operation event in a displayed page may trigger a vulnerability test case Payload, and the vulnerability processing module may detect a Web Server request log (i.e., a log of vulnerability detection requests), record a request with a Payload feature, and extract a hash value in the vulnerability detection request.
S30, extracting hash values, vulnerability test cases and the like from the vulnerability detection request by the vulnerability processing module, and determining that storage type XSS exists.
S31, the vulnerability processing module sends page information of the page to a vulnerability processing record database (namely the vulnerability processing record DB in FIG. 6), and the vulnerability processing record database stores the page information. The page information may include a request source of the page, a hash value, and the like.
S32, the association module reads the hash value field in the detection record database and receives the hash value sent by the detection record database.
S33, the association module reads the hash value field in the vulnerability processing record database and receives the hash value sent by the vulnerability processing record database.
And S34, the association module associates the URL with the page with the vulnerability based on the hash value.
For example, as shown in fig. 6, the URL where the vulnerability exists and the page may be associated based on the URL information in the detection record DB and the page information in the vulnerability processing record DB.
For example, as shown in fig. 7, the detection record database may include fields such as a transmission protocol, a domain name, a request source, a hash value, a port number, and a request path name, and the vulnerability processing record database may include fields such as a request source and a hash value. The hash value stored in the hash value field of the detection record database is matched against the hash value stored in the hash value field of the vulnerability processing record database, and the URL and the page with the vulnerability are thereby associated.
S35, the vulnerability processing module generates alarm information related to the vulnerability detection result.
For example, as shown in fig. 6, the vulnerability processing module may combine URL information in the detection record DB and page information in the vulnerability processing record DB to obtain combined information, and generate alarm information related to the vulnerability detection result based on the combined information, so as to send the alarm information to the terminal.
S36, the vulnerability processing module sends the alarm information to the terminal.
S37, the terminal outputs alarm information.
For example, the terminal may display the alert information in the display interface, or may send the alert information to a specified mail, or may send the alert information to a specified instant messaging account, or the like.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and the portions of an embodiment that are not described in detail in the foregoing embodiments may be referred to the detailed description of the vulnerability detection method, which is not repeated herein.
The server of the embodiment of the application can generate the vulnerability test case based on the hash value corresponding to the URL, and splice the vulnerability test case into the URL to obtain the target URL containing the vulnerability test case; it can then send a page display instruction carrying the target URL to the terminal, so that the terminal displays the page corresponding to the page display instruction. When a browsing operation event in the page triggers the vulnerability test case, the server determines that the URL has the vulnerability and outputs alarm information related to the vulnerability detection result. This improves the accuracy and reliability of vulnerability detection, so that the vulnerability can be repaired in time, information leakage is avoided, and information security is improved.
It should be noted that, the detection module may be disposed on the terminal, at this time, the server may include a vulnerability processing module, a detection record database, a vulnerability processing record database, and an association module, where, as shown in fig. 8, the detection module may be connected to the detection record database, the vulnerability processing module may be connected to the vulnerability processing record database, the association module may be connected to the detection record database and the vulnerability processing record database, and the vulnerability processing module may be connected to the terminal. At this time, the flow of the vulnerability detection method provided by the embodiment of the application may include:
The detection module on the terminal can receive the URL input by the user and generate a page acquisition request carrying the URL of the object to be detected based on the URL, so as to send the page acquisition request to the server. The detection module may then parse the URL, calculate a hash value based on the parsed URL, and transmit the object information of the URL to the detection record database of the server, which stores the object information. The detection module can generate a vulnerability test case based on the hash value, and splice the vulnerability test case into the URL to obtain a target URL containing the vulnerability test case. The terminal may then display the page based on the target URL, receive a browse operation event generated in the page, and monitor whether the browse operation event triggers the vulnerability test case. When the browse operation event triggers the vulnerability test case, the terminal sends a vulnerability detection request to the vulnerability processing module. The vulnerability processing module extracts the hash value, the vulnerability test case and the like from the vulnerability detection request, and determines that a stored XSS vulnerability exists. The vulnerability processing module can then send the page information of the page to the vulnerability processing record database, which stores the page information. The association module reads the hash value field in the detection record database, receives the hash value sent by the detection record database, reads the hash value field in the vulnerability processing record database, receives the hash value sent by the vulnerability processing record database, and associates the URL with the page that has the vulnerability based on the hash value.
At this time, the vulnerability processing module generates alarm information related to the vulnerability detection result, and sends the alarm information to the terminal, and the terminal can output the alarm information.
Each of the foregoing embodiments focuses on its own details; for parts of an embodiment not described in detail, refer to the detailed description of the vulnerability detection method above, which is not repeated here.
To facilitate implementation of the vulnerability detection method provided by the embodiment of the application, the embodiment of the application also provides a device based on the vulnerability detection method. The terms have the same meaning as in the vulnerability detection method, and specific implementation details can be found in the description of the method embodiment.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a vulnerability detection apparatus according to an embodiment of the present application, where the vulnerability detection apparatus may include a receiving unit 301, an obtaining unit 302, a filling unit 303, a splicing unit 304, a feedback unit 305, a determining unit 306, and the like.
The receiving unit 301 is configured to receive a page acquisition request carrying an object to be detected sent by a terminal.
An obtaining unit 302, configured to obtain an object identifier of an object to be detected.
The filling unit 303 is configured to fill placeholders in the target test case template according to the object identifier, so as to obtain a vulnerability test case.
The splicing unit 304 is configured to process the vulnerability test case and the object to be detected, so as to obtain a target detection object containing the vulnerability test case.
The feedback unit 305 is configured to feed back, based on the page acquisition request, a page display instruction carrying the target detection object to the terminal, where the page display instruction is used to instruct the terminal to display a page corresponding to the page display instruction.
The determining unit 306 is configured to determine that the object to be detected has a vulnerability when the browse operation event in the page triggers the vulnerability test case.
In an embodiment, the obtaining unit 302 may include:
a parsing subunit, configured to parse the object to be detected to obtain the object parameters corresponding to the object to be detected;
and a generating subunit, configured to generate the object identifier of the object to be detected based on the object parameters.
In one embodiment, the object to be detected includes a web address, and the object parameters include a transmission protocol, a domain name, a port number, a request path name, and a query parameter of the web address;
the generating subunit is specifically configured to: compute a hash value over the transmission protocol, the domain name, the port number, the request path name and the query parameter; and determine the object identifier of the object to be detected based on the hash value.
In one embodiment, the generating subunit is specifically configured to: acquire template identification information of the target test case template; compute a hash value over the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information using a message digest algorithm; and determine the object identifier of the object to be detected based on the hash value.
In one embodiment, the filling unit 303 is specifically configured to: identifying placeholders in the target test case template; and when the identified placeholder is the preset placeholder, writing the object identifier into the position where the preset placeholder is positioned, and obtaining the vulnerability test case.
In one embodiment, the splicing unit 304 is specifically configured to: determine the position of the test case identification information carried in the object to be detected; and splice the vulnerability test case in at that position to obtain the target detection object.
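The identifier, filling and splicing steps above (and the same steps in the terminal-side flow described earlier), as an added example that is not code from the patent. The preset placeholder `{{OBJECT_ID}}`, the marker `__TESTCASE__` that marks the splice position in the URL, SHA-256 as the message digest and the neutral probe template are all assumptions made here; the patent does not specify them.

```python
import hashlib
from urllib.parse import quote, urlsplit

# Assumed conventions (not from the patent text): the preset placeholder in the
# test case template, and the test case identification information that the
# object to be detected carries at the position where the test case is spliced in.
PRESET_PLACEHOLDER = "{{OBJECT_ID}}"
TESTCASE_MARKER = "__TESTCASE__"


def parse_object(url):
    """Parsing subunit: split the web address into the object parameters that
    are hashed (transmission protocol, domain name, port number, request path
    name, query parameter). Defaults and case are normalised so that equivalent
    URLs produce the same identifier."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("object to be detected is not an absolute web address")
    default_port = 443 if parts.scheme.lower() == "https" else 80
    return {
        "protocol": parts.scheme.lower(),
        "domain": parts.hostname.lower(),
        "port": str(parts.port or default_port),
        "path": parts.path or "/",
        "query": parts.query,
    }


def object_identifier(params, template_id):
    """Generating subunit: message-digest the object parameters together with
    the template identification information. SHA-256 is an assumed choice; the
    value is only an identifier, so any message digest algorithm would do."""
    material = "\x1f".join(
        [params["protocol"], params["domain"], params["port"],
         params["path"], params["query"], template_id]
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def fill_template(template, object_id):
    """Filling unit: write the object identifier into the position of the preset
    placeholder. A template without the placeholder is rejected, because the
    identifier is what later ties a triggered test case back to the URL."""
    if PRESET_PLACEHOLDER not in template:
        raise ValueError("template carries no preset placeholder")
    return template.replace(PRESET_PLACEHOLDER, object_id)


def splice(url, test_case):
    """Splicing unit: locate the test case identification information in the
    object to be detected and splice the test case in at that position."""
    pos = url.find(TESTCASE_MARKER)
    if pos < 0:
        raise ValueError("object carries no test case identification information")
    encoded = quote(test_case, safe="")  # keep the target URL well-formed
    return url[:pos] + encoded + url[pos + len(TESTCASE_MARKER):]


def build_target_object(url, template, template_id):
    """Server flow: object to be detected -> object identifier -> vulnerability
    test case -> target detection object. Returns all three."""
    params = parse_object(url)
    oid = object_identifier(params, template_id)
    test_case = fill_template(template, oid)
    return oid, test_case, splice(url, test_case)


if __name__ == "__main__":
    # Constructed sample input; the template is a neutral probe string.
    sample_url = "https://shop.example.test/comment?text=__TESTCASE__&post=42"
    sample_template = "PROBE[" + PRESET_PLACEHOLDER + "]"
    oid, tc, target = build_target_object(sample_url, sample_template, "tpl-stored-xss-01")
    print(oid, tc, target, sep="\n")
```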
In an embodiment, the determining unit 306 is specifically configured to: receive, based on a browsing operation event in the page, a vulnerability detection request sent by the terminal, where the vulnerability detection request carries a request source, the vulnerability test case and the object identifier; determine that the object to be detected has a stored cross-site scripting vulnerability based on the vulnerability test case and the object identifier in the vulnerability detection request; and locate the page with the stored cross-site scripting vulnerability based on the request source.
In an embodiment, the vulnerability detection apparatus may further include:
an association storage unit, configured to store the page with the vulnerability and the object to be detected in association, based on the object identifier.
In one embodiment, the association storage unit is specifically configured to: query, at preset time intervals, a first database storing the object information of the target detection object and a second database storing the page information of the page; and generate a vulnerability generation chain based on the object identifier field stored in the first database and the object identifier field stored in the second database, so as to associate the page with the object to be detected.
In an embodiment, the vulnerability detection apparatus may further include:
the generating unit is used for acquiring the vulnerability information and generating alarm information based on the vulnerability information, the pages with the vulnerabilities and the objects to be detected;
and the output unit is used for outputting alarm information.
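The determining, association storage and alarm steps above, as an added example that is not code from the patent. It assumes the two databases have the fields listed for fig. 7 (the hash field is the object identifier), that the request source in the detection record is the page from which the URL was submitted and the request source in the vulnerability record is the page that rendered the test case, and it uses an in-memory SQLite database; the sample records are constructed.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumed shape of the two databases (fields as listed for fig. 7): the detection
# record database keeps the object information of the target detection object,
# the vulnerability processing record database keeps the page information, and
# both carry a hash field holding the object identifier.
SCHEMA = """
CREATE TABLE detection_record (
    protocol TEXT, domain TEXT, request_source TEXT,
    hash TEXT PRIMARY KEY, port INTEGER, request_path TEXT);
CREATE TABLE vulnerability_record (
    request_source TEXT, hash TEXT, test_case TEXT,
    PRIMARY KEY (request_source, hash));
"""


def open_databases():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def store_object_info(con, object_id, url, request_source):
    """Detection module -> first database: object information of the target
    detection object, keyed by the object identifier (hash field)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    con.execute(
        "INSERT OR REPLACE INTO detection_record VALUES (?, ?, ?, ?, ?, ?)",
        (p.scheme, p.hostname, request_source, object_id, port, p.path),
    )


def handle_detection_request(con, request):
    """Determining unit. `request` is the vulnerability detection request the
    terminal sends when a browse operation event triggers the test case: the
    request source (page that rendered it), the test case and the object
    identifier. Returns True when a stored XSS is determined and the page
    information has been written to the second database."""
    oid = request["object_id"]
    known = con.execute(
        "SELECT 1 FROM detection_record WHERE hash = ?", (oid,)).fetchone()
    if known is None:
        return False  # identifier was never issued: not one of our test cases
    if oid not in request["test_case"]:
        return False  # the reported test case does not carry this identifier
    con.execute(
        "INSERT OR IGNORE INTO vulnerability_record VALUES (?, ?, ?)",
        (request["request_source"], oid, request["test_case"]),
    )
    return True


def associate(con):
    """Association storage unit: run at a preset interval, join the two
    databases on their object identifier fields and return the vulnerability
    generation chain (where the test case went in -> where it rendered)."""
    rows = con.execute("""
        SELECT d.protocol, d.domain, d.port, d.request_path,
               d.request_source, v.request_source, d.hash
          FROM detection_record d
          JOIN vulnerability_record v ON v.hash = d.hash
      ORDER BY d.hash, v.request_source""").fetchall()
    return [
        {"object_id": h,
         "object_url": f"{proto}://{dom}:{port}{path}",
         "submitted_from": src,
         "rendered_at": page}
        for proto, dom, port, path, src, page, h in rows
    ]


def alarm_information(con):
    """Generating unit: combine the URL information and the page information
    of each chain into the alarm text that is sent to the terminal."""
    return [
        f"stored XSS {c['object_id']}: test case submitted to {c['object_url']} "
        f"(from {c['submitted_from']}) rendered in {c['rendered_at']}"
        for c in associate(con)
    ]
```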
According to the embodiment of the application, the acquisition unit 302 can acquire the object identifier of the object to be detected, and the filling unit 303 fills the placeholder in the target test case template according to the object identifier to obtain the vulnerability test case; then, the splicing unit 304 can process the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case; at this time, the feedback unit 305 may feed back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, where the page display instruction is used to instruct the terminal to display a page corresponding to the page display instruction; when the browse operation event in the page triggers the vulnerability test case, the determining unit 306 may determine that the object to be detected has a vulnerability. According to the method, the target test object is generated based on the vulnerability test case, and when the vulnerability test case is triggered by the received browsing operation event in the page displayed by the terminal based on the page display instruction carrying the target test object, the vulnerability of the object to be detected is determined, so that accuracy and reliability of vulnerability detection are improved.
The embodiment of the application also provides a computer device, which may be a server, as shown in fig. 10, which shows a schematic structural diagram of the server according to the embodiment of the application, specifically:
The server may include one or more processors 401 of a processing core, memory 402 of one or more computer readable storage media, a power supply 403, and an input unit 404, among other components. Those skilled in the art will appreciate that the server architecture shown in fig. 10 is not limiting of the server and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
Wherein:
The processor 401 is a control center of the server, connects respective portions of the entire server using various interfaces and lines, and performs various functions of the server and processes data by running or executing software programs and/or modules stored in the memory 402, and calling data stored in the memory 402. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application program, etc., and the modem processor mainly processes wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by executing the software programs and modules stored in the memory 402. The memory 402 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the server, etc. In addition, memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.
The server also includes a power supply 403 for powering the various components, and preferably, the power supply 403 may be logically connected to the processor 401 by a power management system so as to implement functions such as charge, discharge, and power consumption management by the power management system. The power supply 403 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The server may also include an input unit 404, which input unit 404 may be used to receive entered numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit or the like, which is not described herein. In this embodiment, the processor 401 in the server loads executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and the processor 401 executes the application programs stored in the memory 402, so as to implement various functions as follows:
Receiving a page acquisition request carrying an object to be detected sent by a terminal, acquiring an object identifier of the object to be detected, and filling placeholders in a target test case template according to the object identifier to obtain a vulnerability test case; processing the vulnerability test cases and the objects to be detected to obtain target detection objects containing the vulnerability test cases; feeding back a page display instruction carrying a target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction; when the browse operation event in the page triggers the vulnerability test case, determining that the object to be detected has the vulnerability.
In an embodiment, when acquiring the object identifier of the object to be detected, the processor 401 is configured to perform: analyzing the object to be detected to obtain object parameters corresponding to the object to be detected; an object identification of the object to be detected is generated based on the object parameters.
In one embodiment, the object to be detected includes a web address, and the object parameters include a transmission protocol, a domain name, a port number, a request path name, and a query parameter of the web address; in generating an object identification of an object to be detected based on the object parameters, the processor 401 is configured to perform: carrying out hash value operation on a transmission protocol, a domain name, a port number, a request path name and a query parameter to obtain a hash value; an object identification of the object to be detected is determined based on the hash value.
In one embodiment, when performing a hash value operation on the transmission protocol, the domain name, the port number, the request path name, and the query parameter to obtain the hash value, the processor 401 is configured to perform: acquiring template identification information of a target test case template; and carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value.
In one embodiment, when filling placeholders in the target test case template according to the object identifier to obtain the vulnerability test case, the processor 401 is configured to execute: identifying placeholders in the target test case template; and when the identified placeholder is the preset placeholder, writing the object identifier into the position where the preset placeholder is positioned, and obtaining the vulnerability test case.
In an embodiment, when the vulnerability test case and the object to be detected are processed to obtain the target detection object including the vulnerability test case, the processor 401 is configured to execute: determining the position of test case identification information carried in an object to be detected; and splicing the vulnerability test cases based on the positions to obtain the target detection object.
In an embodiment, when determining that the object to be detected has a vulnerability, the processor 401 is configured to perform: receiving, based on a browsing operation event in the page, a vulnerability detection request sent by the terminal, where the vulnerability detection request carries a request source, the vulnerability test case and the object identifier; determining that the object to be detected has a stored cross-site scripting vulnerability based on the vulnerability test case and the object identifier in the vulnerability detection request; and locating the page with the stored cross-site scripting vulnerability based on the request source.
In an embodiment, after determining that the object to be detected has a vulnerability, the processor 401 is configured to perform: storing the page with the vulnerability and the object to be detected in association, based on the object identifier.
In an embodiment, when storing a page with a vulnerability and an object to be detected in association based on an object identification, the processor 401 is configured to perform: querying a first database for storing object information of a target detection object and a second database for querying page information of a storage page at preset time intervals; and generating a vulnerability generating chain based on the fields of the object identifiers stored in the first database and the fields of the object identifiers stored in the second database, so as to correlate the page and the object to be detected.
In an embodiment, after determining that the object to be detected has a vulnerability, the processor 401 is configured to perform: acquiring vulnerability information, and generating alarm information based on the vulnerability information, a page with the vulnerability and an object to be detected; and outputting alarm information.
Each of the foregoing embodiments focuses on its own details; for parts of an embodiment not described in detail, refer to the detailed description of the vulnerability detection method above, which is not repeated here.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the methods provided in the various alternative implementations of the above embodiments.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by computer instructions, or by control of associated hardware, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present application provides a storage medium, which may be a computer storage medium, in which a computer program is stored, where the computer program includes computer instructions, where the computer program can be loaded by a processor to perform any of the vulnerability detection methods provided by the embodiments of the present application.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
The storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), a magnetic or optical disk, and the like.
The steps in any vulnerability detection method provided by the embodiment of the present application can be executed by the computer instructions stored in the storage medium, so that the beneficial effects that any vulnerability detection method provided by the embodiment of the present application can achieve can be achieved, and detailed descriptions of the previous embodiments are omitted here.
The above describes in detail a vulnerability detection method, device, computer equipment and storage medium provided by the embodiments of the present application, and specific examples are applied to illustrate the principles and implementation of the present application, where the above description of the embodiments is only for helping to understand the method and core idea of the present application; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present application, the present description should not be construed as limiting the present application.
Claims (13)
1. A vulnerability detection method, comprising:
Receiving a page acquisition request carrying an object to be detected sent by a terminal;
acquiring an object identifier of the object to be detected;
filling placeholders in a target test case template according to the object identifiers to obtain a vulnerability test case;
Processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
Feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction;
When the browse operation event in the page triggers the vulnerability test case, receiving a vulnerability detection request sent by the terminal based on the browse operation event in the page, wherein the vulnerability detection request carries a request source, the vulnerability test case and the object identifier;
And determining that the object to be detected has a storage type cross-site scripting vulnerability based on the vulnerability test case and the object identification in the vulnerability detection request, and positioning a page with the storage type cross-site scripting vulnerability based on the request source.
2. The vulnerability detection method of claim 1, wherein the obtaining the object identifier of the object to be detected comprises:
Analyzing the object to be detected to obtain object parameters corresponding to the object to be detected;
And generating an object identifier of the object to be detected based on the object parameter.
3. The vulnerability detection method of claim 2, wherein the object to be detected comprises a web address, the object parameters comprising a transmission protocol of the web address, a domain name, a port number, a request path name, and a query parameter;
generating the object identification of the object to be detected based on the object parameters comprises:
Carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name and the query parameter to obtain a hash value;
And determining the object identification of the object to be detected based on the hash value.
4. The vulnerability detection method of claim 3, wherein performing hash value operation on the transmission protocol, domain name, port number, request path name, and query parameter to obtain hash value comprises:
Acquiring template identification information of the target test case template;
And carrying out hash value operation on the transmission protocol, the domain name, the port number, the request path name, the query parameter and the template identification information through a message digest algorithm to obtain a hash value.
5. The vulnerability detection method of claim 1, wherein the filling placeholders in a target test case template according to the object identifier to obtain a vulnerability test case comprises:
Identifying placeholders in the target test case template;
And when the identified placeholder is a preset placeholder, writing the object identifier into the position of the preset placeholder to obtain the vulnerability test case.
6. The vulnerability detection method of claim 1, wherein the processing the vulnerability test case and the object to be detected to obtain a target detection object comprising the vulnerability test case comprises:
determining the position of test case identification information carried in the object to be detected;
and splicing the vulnerability test cases based on the positions to obtain a target detection object.
7. The vulnerability detection method according to any one of claims 1 to 6, wherein after determining that the object to be detected has a vulnerability, the vulnerability detection method further comprises:
and storing the page with the vulnerability and the object to be detected in association based on the object identification.
8. The vulnerability detection method of claim 7, wherein the storing the page with the vulnerability and the object to be detected in association based on the object identification comprises:
Querying a first database storing object information of the target detection object and querying a second database storing page information of the page at preset intervals;
And generating a vulnerability generating chain based on the queried field storing the object identification in the first database and the field storing the object identification in the second database so as to associate the page and the object to be detected.
9. The vulnerability detection method according to any one of claims 1 to 6, wherein after determining that the object to be detected has a vulnerability, the vulnerability detection method further comprises:
Obtaining vulnerability information, and generating alarm information based on the vulnerability information, the page with the vulnerability and the object to be detected;
And outputting the alarm information.
10. A vulnerability detection apparatus, comprising:
The receiving unit is used for receiving a page acquisition request carrying an object to be detected, which is sent by the terminal;
An obtaining unit, configured to obtain an object identifier of the object to be detected;
the filling unit is used for filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
The splicing unit is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
The feedback unit is used for feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request, wherein the page display instruction is used for indicating the terminal to display a page corresponding to the page display instruction;
the determining unit is used for determining that the object to be detected has a vulnerability when the browse operation event in the page triggers the vulnerability test case;
Wherein, the determining unit is specifically configured to:
based on a browsing operation event in the page, receiving a vulnerability detection request sent by the terminal, wherein the vulnerability detection request carries a request source, the vulnerability test case and the object identifier;
And determining that the object to be detected has a storage type cross-site scripting vulnerability based on the vulnerability test case and the object identification in the vulnerability detection request, and positioning a page with the storage type cross-site scripting vulnerability based on the request source.
11. The vulnerability detection system is characterized by comprising a server and a terminal, wherein the terminal is used for sending a page acquisition request carrying an object to be detected to the server;
the server is used for acquiring the object identification of the object to be detected, and filling placeholders in the target test case template according to the object identification to obtain a vulnerability test case;
The server is used for processing the vulnerability test case and the object to be detected to obtain a target detection object containing the vulnerability test case;
The server is used for feeding back a page display instruction carrying the target detection object to the terminal based on the page acquisition request;
the terminal is used for displaying a page corresponding to the page display instruction;
The server is configured to receive, when the browse operation event in the page triggers the vulnerability test case, a vulnerability detection request sent by the terminal based on the browse operation event in the page, where the vulnerability detection request carries a request source, the vulnerability test case, and the object identifier;
The server is used for determining that the object to be detected has a storage type cross-site scripting vulnerability based on the vulnerability test case and the object identification in the vulnerability detection request, and positioning a page with the storage type cross-site scripting vulnerability based on the request source.
12. A computer device comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the vulnerability detection method of any one of claims 1 to 9 when calling the computer program in the memory.
13. A storage medium storing a computer program to be loaded by a processor to perform the vulnerability detection method of any one of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011124781.7A CN112231711B (en) | 2020-10-20 | 2020-10-20 | Vulnerability detection method and device, computer equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112231711A CN112231711A (en) | 2021-01-15 |
CN112231711B true CN112231711B (en) | 2024-08-02 |
Family ID: 74119113
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011124781.7A Active CN112231711B (en) | 2020-10-20 | 2020-10-20 | Vulnerability detection method and device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112231711B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112765645A (en) * | 2021-04-12 | 2021-05-07 | 南京文枫信息科技有限公司 | Privacy protection system and method for cloud storage |
CN113392410B (en) * | 2021-08-17 | 2022-02-11 | 腾讯科技(深圳)有限公司 | Interface security detection method and device, computer equipment and storage medium |
CN113868659B (en) * | 2021-10-20 | 2022-09-09 | 前锦网络信息技术(上海)有限公司 | Vulnerability detection method and system |
CN113886837B (en) * | 2021-10-20 | 2025-06-03 | 前锦网络信息技术(上海)有限公司 | A vulnerability detection tool credibility verification method and system |
CN114244581B (en) * | 2021-11-29 | 2024-03-29 | 西安四叶草信息技术有限公司 | Cache poisoning vulnerability detection method and device, electronic equipment and storage medium |
CN114492844B (en) * | 2022-02-17 | 2025-06-20 | 京东城市(北京)数字科技有限公司 | Method, device, electronic device and storage medium for constructing machine learning workflow |
CN115146278B (en) * | 2022-06-27 | 2025-05-23 | 阿里云计算有限公司 | Vulnerability processing method, device and storage medium based on cloud service |
CN118631583B (en) * | 2024-07-18 | 2024-10-29 | 杭州孝道科技有限公司 | Web application vulnerability association method, system, electronic device and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106778280A (en) * | 2016-11-02 | 2017-05-31 | 北京知道未来信息技术有限公司 | Fill-in remote vulnerability PoC writing method and vulnerability detection method |
CN110113311A (en) * | 2019-03-05 | 2019-08-09 | 北京丁牛科技有限公司 | Cross-site scripting attack (XSS) vulnerability detection method and device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095681B (en) * | 2012-12-03 | 2016-08-03 | 微梦创科网络科技(中国)有限公司 | Vulnerability detection method and device |
CN110365641A (en) * | 2019-05-31 | 2019-10-22 | 阿里巴巴集团控股有限公司 | Cross-site scripting attack vulnerability detection method, device and computer-readable medium |
- 2020-10-20: CN application CN202011124781.7A filed; published as patent CN112231711B (status: Active)
Also Published As
Publication number | Publication date |
---|---|
CN112231711A (en) | 2021-01-15 |
Similar Documents
Publication | Title |
---|---|
CN112231711B (en) | Vulnerability detection method and device, computer equipment and storage medium |
US10079854B1 (en) | Client-side protective script to mitigate server loading |
US9614862B2 (en) | System and method for webpage analysis |
CN112287355B (en) | Vulnerability detection method and device, computer equipment and storage medium |
CN107896219B (en) | Method, system and related device for detecting website vulnerability |
CN104572777B (en) | Webpage loading method and device based on UIWebView component |
CN112347165B (en) | Log processing method and device, server and computer readable storage medium |
CN114465741B (en) | Abnormality detection method, abnormality detection device, computer equipment and storage medium |
CN108632219B (en) | Website vulnerability detection method, detection server, system and storage medium |
CN111901192A (en) | Statistical method and device for page access data |
CN111177623A (en) | Information processing method and device |
CN111400378A (en) | Real-time log display method and device based on ElasticSearch, computer equipment and medium |
CN111563015B (en) | Data monitoring method and device, computer readable medium and terminal equipment |
CN109862021B (en) | Method and device for acquiring threat information |
US20130232424A1 (en) | User operation detection system and user operation detection method |
CN114357457B (en) | Vulnerability detection method, device, electronic device and storage medium |
CN115150261B (en) | Alarm analysis method, device, electronic equipment and storage medium |
US8789177B1 (en) | Method and system for automatically obtaining web page content in the presence of redirects |
CN114491518B (en) | Unauthorized access detection method, device, system and medium |
JPWO2018056299A1 (en) | Information collection system, information collection method, and program |
CN108282478A (en) | Web site security detection method, device and computer-readable medium |
CN118740675A (en) | Network supportability testing method, device, equipment, medium and program product |
CN112751900B (en) | Network request processing method and device |
Barhoom et al. | A new server-side solution for detecting cross site scripting attack |
CN107026854A (en) | Vulnerability verification method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40037753; Country of ref document: HK |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |