CN112446030B - Method and device for detecting file uploading vulnerability of webpage end - Google Patents
Method and device for detecting file uploading vulnerability of webpage end
- Publication number: CN112446030B (application CN202011148876.2A; published application CN112446030A)
- Authority: CN (China)
- Prior art keywords
- file
- extension
- request
- uploading
- upload
- Prior art date
- Legal status: Active (as listed by Google Patents; not a legal determination)
Classifications
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (G, Physics > G06F, Electric digital data processing > G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57, Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
- G06F21/562: Static detection (G06F21/00 > G06F21/50 > G06F21/55, Detecting local intrusion or implementing counter-measures > G06F21/56, Computer malware detection or handling, e.g. anti-virus arrangements)
Abstract
The invention discloses a method and device for detecting file upload vulnerabilities at the web-page end. The method includes: obtaining a first file extension that satisfies the requirements of a file upload interface; generating a file with the first file extension, uploading it to the file upload interface with a page automation tool, and intercepting the interface's file upload request with a packet capture tool; loading a library of common file name extensions, selecting from it a second file extension different from the first, substituting it for the first file extension in the captured upload request, and re-sending the modified request; in response to receiving a success response to the upload request, sending a file execution request based on the default file path corresponding to the upload interface and, in response to receiving execution feature information for that request, determining that a file upload vulnerability exists. The invention can greatly improve the efficiency of security assessment work and the coverage of file upload interfaces.
Description
Technical field
The present invention relates to the field of security and, more specifically, to a method and device for detecting file upload vulnerabilities at the web-page end.
Background
With the development of big data, cloud computing and artificial intelligence, the web applications developed by the major Internet companies have been upgraded continuously and their functions keep expanding. File upload, a normal business requirement and one of the most basic functions on the web side, is used in more and more user-facing interfaces of web applications. Yet file upload has always carried serious security risks, usually because the type and content of uploaded files are not strictly filtered and checked, so that an attacker can obtain control of the server by uploading a malicious file; the damage caused by a file upload vulnerability is therefore often devastating. Exploiting such a vulnerability is subject to two conditions: first, the malicious file must be uploaded successfully; second, the uploaded file must be executable, that is, reachable by the attacker and interpreted by the server.
Traditional methods for detecting file upload vulnerabilities have a low detection rate and cannot cover all file upload interfaces of a web application; moreover, some file upload interfaces state explicitly on the page that no type restriction is applied to uploaded files.
For the problems of low vulnerability detection rate and poor coverage of file upload interfaces in the prior art, no effective solution exists at present.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a method and device for detecting file upload vulnerabilities at the web-page end that can traverse all file upload interfaces for automated checking, greatly improving the efficiency of security assessment work and the coverage of file upload interfaces.
Based on the above purpose, a first aspect of the embodiments of the present invention provides a method for detecting file upload vulnerabilities at the web-page end, comprising the following steps:
using a page automation tool, determining from the prompt information shown on the web page which file upload interfaces require file extension verification, and obtaining a first file extension that satisfies the requirements of each such interface;
generating a file with the first file extension, uploading the file to the file upload interface with the page automation tool, and intercepting the file upload request of the interface with a packet capture tool;
loading a library of common file name extensions, selecting from it a second file extension different from the first file extension, substituting it for the first file extension in the file upload request, and re-sending the modified file upload request;
in response to receiving a success response to the file upload request, sending a file execution request based on the default file path corresponding to the file upload interface and, in response to receiving execution feature information for the file execution request, determining that a file upload vulnerability exists.
In some embodiments, obtaining the first file extension that satisfies the requirements of the file upload interface comprises: obtaining the file type that the interface requires, and determining one or more first file extensions from that file type.
In some embodiments, selecting from the common file name extension library a second file extension different from the first comprises: removing the one or more first file extensions from the library, and selecting one of the remaining extensions at a time as the second file extension.
In some embodiments, substituting the second file extension for the first file extension in the file upload request and re-sending the modified request comprises: for each selected second file extension in turn, substituting it for the first file extension in the request and re-sending the modified request, until every one of the remaining extensions has been selected.
In some embodiments, generating the file with the first file extension comprises: generating unique identification information with a random number generator and writing it into the file; and receiving the execution feature information for the file execution request comprises: receiving the execution response to the file execution request and finding the unique identification information, which serves as the execution signature of the file, by character matching within that response.
In some embodiments, the random number generator is configured to generate true random numbers or pseudo-random numbers.
In some embodiments, the file upload request and the file execution request are both HTTP requests.
A second aspect of the embodiments of the present invention provides a device for detecting file upload vulnerabilities at the web-page end, comprising:
a processor; and
a memory storing program code executable by the processor, the program code performing the following steps when executed:
using a page automation tool, determining from the prompt information shown on the web page which file upload interfaces require file extension verification, and obtaining a first file extension that satisfies the requirements of each such interface;
generating a file with the first file extension, uploading the file to the file upload interface with the page automation tool, and intercepting the file upload request of the interface with a packet capture tool;
loading a library of common file name extensions, selecting from it a second file extension different from the first file extension, substituting it for the first file extension in the file upload request, and re-sending the modified file upload request;
in response to receiving a success response to the file upload request, sending a file execution request based on the default file path corresponding to the file upload interface and, in response to receiving execution feature information for the file execution request, determining that a file upload vulnerability exists.
In some embodiments, selecting from the common file name extension library a second file extension different from the first comprises: removing the one or more first file extensions from the library, and selecting one of the remaining extensions at a time as the second file extension.
Substituting the second file extension for the first file extension in the file upload request and re-sending the modified request comprises: for each selected second file extension in turn, substituting it for the first file extension in the request and re-sending the modified request, until every one of the remaining extensions has been selected.
In some embodiments, generating the file with the first file extension comprises: generating unique identification information with a random number generator and writing it into the file; and receiving the execution feature information for the file execution request comprises: receiving the execution response to the file execution request and finding the unique identification information, which serves as the execution signature of the file, by character matching within that response; wherein the random number generator is configured to generate true random numbers or pseudo-random numbers.
The present invention has the following beneficial technical effects. The method and device for detecting file upload vulnerabilities at the web-page end provided by the embodiments use a page automation tool to determine, from the prompt information on the web page, which file upload interfaces require file extension verification and obtain a first file extension that satisfies each interface; generate a file with the first file extension, upload it with the page automation tool and intercept the file upload request with a packet capture tool; load a library of common file name extensions, substitute a second file extension different from the first for the first file extension in the request and re-send the modified request; and, in response to a success response to the upload request, send a file execution request based on the default file path of the interface and, in response to receiving execution feature information for it, determine that a file upload vulnerability exists. This technical solution can traverse all file upload interfaces for automated checking, greatly improving the efficiency of security assessment work and the coverage of file upload interfaces.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of the method for detecting file upload vulnerabilities at the web-page end provided by the present invention;
Fig. 2 is a detailed flow chart of the method for detecting file upload vulnerabilities at the web-page end provided by the present invention.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to specific embodiments and the accompanying drawings.
It should be noted that all uses of "first" and "second" in the embodiments of the present invention serve only to distinguish two entities or parameters that share a name but are not identical. "First" and "second" are used purely for convenience of expression and should not be construed as limiting the embodiments; this is not restated in the subsequent embodiments.
Based on the above purpose, the first aspect of the embodiments of the present invention proposes an embodiment of a method for detecting file upload vulnerabilities at the web-page end that traverses all file upload interfaces for automated checking. Fig. 1 shows a schematic flow diagram of the method provided by the present invention.
As shown in Fig. 1, the method for detecting file upload vulnerabilities at the web-page end comprises the following steps:
Step S101: using a page automation tool, determining from the prompt information shown on the web page which file upload interfaces require file extension verification, and obtaining a first file extension that satisfies the requirements of each such interface;
Step S103: generating a file with the first file extension, uploading the file to the file upload interface with the page automation tool, and intercepting the file upload request of the interface with a packet capture tool;
Step S105: loading a library of common file name extensions, selecting from it a second file extension different from the first file extension, substituting it for the first file extension in the file upload request, and re-sending the modified file upload request;
Step S107: in response to receiving a success response to the file upload request, sending a file execution request based on the default file path corresponding to the file upload interface and, in response to receiving execution feature information for the file execution request, determining that a file upload vulnerability exists.
The present invention provides a detection tool for web application security that traverses and reads all file upload interfaces of the web application, captures the corresponding HTTP request of each, replaces the file extension in the request with extensions of other, non-permitted file types, re-sends the request and checks whether the HTTP response indicates success. If the file was uploaded successfully, the exploitability must still be verified: the uploaded file is requested at its expected path, and only then is it decided whether the web application under test has a file upload vulnerability.
Those of ordinary skill in the art will understand that all or part of the processes of the above method embodiments can be carried out by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flows of the method embodiments above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like. Embodiments of the computer program achieve the same or similar effects as the corresponding method embodiments.
In some embodiments, obtaining the first file extension that satisfies the requirements of the file upload interface comprises: obtaining the file type that the interface requires, and determining one or more first file extensions from that file type.
In some embodiments, selecting from the common file name extension library a second file extension different from the first comprises: removing the one or more first file extensions from the library, and selecting one of the remaining extensions at a time as the second file extension.
In some embodiments, substituting the second file extension for the first file extension in the file upload request and re-sending the modified request comprises: for each selected second file extension in turn, substituting it for the first file extension in the request and re-sending the modified request, until every one of the remaining extensions has been selected.
In some embodiments, generating the file with the first file extension comprises: generating unique identification information with a random number generator and writing it into the file; and receiving the execution feature information for the file execution request comprises: receiving the execution response to the file execution request and finding the unique identification information, which serves as the execution signature of the file, by character matching within that response.
In some embodiments, the random number generator is configured to generate true random numbers or pseudo-random numbers.
In some embodiments, the file upload request and the file execution request are both HTTP requests.
The specific implementation of the present invention is further described below with reference to the specific embodiment shown in Fig. 2.
As shown in Fig. 2, a device based on a page automation tool is first designed that can traverse all file upload interfaces of the web application under test with a super-administrator identity; using the most privileged account is what gives the coverage, since upload interfaces reachable only by privileged roles would otherwise be missed. Page automation is a tool that reads in test suites, executes tests, records the results and simulates real user operations, including browsing pages, clicking links, entering text, submitting forms and triggering mouse events, and that can verify the resulting page state in various ways. In other words, once the expected user behaviour and results are described in test cases, a functional test suite that runs automatically is obtained.
According to the prompt information on the front end of each page, the file upload interfaces that perform file type verification are filtered out, and the file type specified by each interface is obtained, that is, the file extensions that satisfy the requirements of that interface. A file extension, also called the file suffix, is a naming convention of the form "main file name.extension" used to mark the type of a file: it is not a property of the file content. Operating systems such as Windows, and, more relevantly here, web servers, use the extension to decide how a file is handled, for instance which handler or interpreter processes a request for it. This is exactly why the extension matters for upload vulnerabilities: the server's decision to execute a stored file is usually made from its extension, so that decision can be probed by varying the extension alone.
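Step S101 above (and the "obtain the file type and determine one or more first file extensions from it" embodiment) turns a free-text upload hint into the list of permitted extensions. The following Python is an added example, not code from the patent: it extracts literal extensions from a hint, expands file-type words such as "image" or "图片" through an assumed type-to-extension table, and returns None for hints that declare no restriction (the interfaces the page says do not need an extension-check test). The extension library, the type table, the no-restriction phrases and the sample hints are all constructed assumptions.

```python
import re

# Constructed library of extensions the scanner knows about; the page does not
# list the contents of its "common file name extension library".
KNOWN_EXTENSIONS = ["jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt",
                    "php", "jsp", "asp", "aspx", "html"]

# Assumed mapping from file-type words found in page hints to extensions.
TYPE_TO_EXTENSIONS = {
    "image": ["jpg", "jpeg", "png", "gif"], "图片": ["jpg", "jpeg", "png", "gif"],
    "document": ["doc", "docx", "pdf"], "文档": ["doc", "docx", "pdf"],
}

# Assumed hint phrases that declare the interface performs no type check at all.
NO_RESTRICTION = ["any file", "all file types", "no restriction", "任意", "不限"]


def first_extensions_from_hint(hint, library=KNOWN_EXTENSIONS):
    """Step S101: derive the first (allowed) extensions from a front-end hint.
    Returns None when the hint states there is no type restriction, so that the
    interface is skipped by the extension-substitution test."""
    text = hint.lower()
    if any(phrase in text for phrase in NO_RESTRICTION):
        return None
    found = []
    for ext in library:  # literal extensions such as "jpg" or ".png"
        if re.search(r"(?<![a-z0-9])\.?" + re.escape(ext) + r"(?![a-z0-9])", text):
            found.append(ext)
    for word, exts in TYPE_TO_EXTENSIONS.items():  # type words such as "image"
        if word in text:
            found.extend(e for e in exts if e not in found)
    return found
```

The word boundary on both sides of each extension keeps "asp" from matching inside "aspx" and "doc" from matching inside ".docx", so a hint like "只能上传 .docx 或 .pdf 文档" yields docx and pdf from the literals and adds doc from the type word.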
Files that satisfy the file type requirement of each upload interface found in the second step are generated and uploaded to the corresponding interface, and the HTTP upload request of each interface is captured with a packet capture tool. A packet capture tool is software that intercepts and displays the contents of network packets; analysing the captured packets yields useful information. A computer exchanges data over the network by sending and receiving packets, and the capture tool saves them; if the packets are transmitted in plain text, or their encryption can be undone, their contents and purpose can be analysed. For an application served over HTTPS this means an intercepting HTTP proxy whose certificate the automation browser trusts; a passive sniffer sees only ciphertext.
The common file extension library is loaded. Using the file type each interface requires, as obtained in the second step, the extensions in the library that do not satisfy that interface's requirement are determined, and each of them in turn is substituted for the extension in the HTTP request captured in the third step. After every substitution the HTTP request is re-sent, until all extensions that do not satisfy the interface's requirement have been tried. The common file extension library collects the extensions of all commonly used file types and stores them in a database in a data structure that a program can read.
The HTTP response to each request re-sent in the fourth step is checked. If the response indicates success, a file that does not satisfy the type requirement has been uploaded successfully. A success response by itself shows only that the file was stored; it says nothing yet about whether the server will execute it.
Successfully uploading the malicious file is not enough; the exploitability must be verified further. Based on the default file path corresponding to each file upload interface, the malicious file is requested over HTTP. A random number generator is used beforehand to produce a unique identifier for the malicious file; after the access request is sent, the returned HTTP response is matched against that identifier, and if it is found, the malicious file was reached successfully and a file upload vulnerability exists. Note that a server which merely serves the stored file back as static content also returns its bytes, identifier included; to tell execution from static serving, the identifier should be produced only when the file is interpreted, for instance by writing it as two fragments that the script concatenates at run time.
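The procedure of steps S103 to S107, as detailed in the third to sixth steps above, as an added example in Python; this is not code from the patent. It generates the unique identifier with a CSPRNG, builds a constructed multipart capture of the original upload, substitutes each non-permitted extension from a constructed extension library, re-sends the request, fetches the file from an assumed default path (/uploads/) and matches the identifier in the response. The web application under test is replaced by an in-memory mock (MockTarget) with a toy script engine so the example runs offline; host, path, extension list and probe templates are all assumptions. It departs from the page in one respect, as a practitioner would: the identifier is split into two fragments in the probe file, so that only an executed file returns it contiguously and a statically served copy is reported as "stored" rather than "executed".

```python
import re
import secrets
import string

# Constructed stand-in for the patent's "common file name extension library";
# the page does not list the library's actual contents.
COMMON_EXTENSIONS = ["jpg", "jpeg", "png", "gif", "pdf", "txt", "html",
                     "svg", "php", "phtml", "jsp", "asp", "aspx"]

# Probe bodies per server-side extension (an addition, not from the page). The
# marker is split into two literals that only a script engine joins, so a server
# that merely serves the stored file back never returns it contiguously.
EXEC_TEMPLATES = {
    "php": "<?php echo '{a}' . '{b}'; ?>", "phtml": "<?php echo '{a}' . '{b}'; ?>",
    "jsp": '<%= "{a}" + "{b}" %>', "aspx": '<%= "{a}" + "{b}" %>',
    "asp": '<%= "{a}" & "{b}" %>',
}


def make_marker(length=32):
    """Unique identifier written into the probe file, from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def probe_body(ext, marker):
    half = len(marker) // 2
    template = EXEC_TEMPLATES.get(ext.lower(), "{a} {b}")  # plain text if no engine
    return template.format(a=marker[:half], b=marker[half:])


def second_extensions(first_exts, library=COMMON_EXTENSIONS):
    """Drop the allowed (first) extensions; every remaining one is tried in turn."""
    allowed = {e.lower().lstrip(".") for e in first_exts}
    return [e for e in library if e.lower() not in allowed]


def build_upload_request(filename, body):
    """Constructed multipart request standing in for the proxy capture (hypothetical host and path)."""
    return (
        "POST /api/upload HTTP/1.1\r\nHost: target.example\r\n"
        "Content-Type: multipart/form-data; boundary=----probe\r\n\r\n"
        "------probe\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{body}\r\n------probe--\r\n"
    )


def rewrite_request(captured, first_ext, second_ext, old_body, new_body):
    """Step S105: swap the extension (and the file body) in the captured request."""
    pattern = r'(filename="[^"]*)\.' + re.escape(first_ext) + '"'
    req = re.sub(pattern, lambda m: m.group(1) + "." + second_ext + '"', captured, count=1)
    return req.replace(old_body, new_body, 1)


class MockTarget:
    """Toy upload service standing in for the application under test;
    check_extension=False models a server that trusts the front-end hint."""

    def __init__(self, allowed_exts, check_extension, executes=("php", "phtml", "jsp", "asp", "aspx")):
        self.allowed = {e.lower() for e in allowed_exts}
        self.check_extension = check_extension
        self.executes = set(executes)
        self.files = {}

    def upload(self, request):
        m = re.search(r'filename="([^"]+)"\r\n(?:[^\r\n]+\r\n)*\r\n(.*?)\r\n------probe--', request, re.S)
        if not m:
            return 400, "bad request"
        filename, body = m.group(1), m.group(2)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if self.check_extension and ext not in self.allowed:
            return 415, "file type not allowed"
        self.files["/uploads/" + filename] = body
        return 200, '{"ok": true, "path": "/uploads/%s"}' % filename

    def get(self, path):
        if path not in self.files:
            return 404, "not found"
        body = self.files[path]
        if path.rsplit(".", 1)[-1].lower() in self.executes:
            # Toy script engine: the output is the concatenation of the string literals.
            return 200, "".join(re.findall(r"""['"]([A-Za-z0-9]*)['"]""", body))
        return 200, body  # static file served back unchanged


def scan_upload_interface(target, first_ext, upload_dir="/uploads/", library=COMMON_EXTENSIONS):
    """Steps S103 to S107 against one interface. Per second extension returns
    'rejected', 'stored' (accepted but not executed) or 'executed' (vulnerable)."""
    marker = make_marker()
    original_body = probe_body(first_ext, marker)
    captured = build_upload_request(f"probe.{first_ext}", original_body)
    results = {}
    for ext in second_extensions([first_ext], library):
        req = rewrite_request(captured, first_ext, ext, original_body, probe_body(ext, marker))
        status, _ = target.upload(req)
        if status != 200:
            results[ext] = "rejected"
            continue
        status, resp = target.get(f"{upload_dir}probe.{ext}")
        results[ext] = "executed" if status == 200 and marker in resp else "stored"
    return results
```

Calling scan_upload_interface(MockTarget(["jpg", "png"], check_extension=False), "jpg") reports "executed" for php, phtml, jsp, asp and aspx and "stored" for the rest; with check_extension=True every extension other than the allowed png comes back "rejected". Against a real target, MockTarget.upload and MockTarget.get are the two HTTP calls the patent describes, and the same three-way classification applies: only "executed" is the file upload vulnerability, while "stored" is a missing type check that still deserves a finding.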
其中,随机数发生器输出随机数。在统计学的不同技术中需要使用随机数。产生随机数有多种不同的方法。这些方法被称为随机数生成器。随机数最重要的特性是它在产生时后面的那个数与前面的那个数毫无关系。随机数分为真随机数和伪随机数,真随机数是使用物理现象产生的:比如掷钱币、骰子、转轮、使用电子元件的噪音、核裂变等等,这样的随机数发生器叫做物理性随机数发生器。伪随机数是通过一个固定的、可以重复的计算方法产生的。计算机或计算器产生的随机数有很长的周期性。它们不是真正地随机,因为它们实际上是可以计算出来的,但是它们具有类似于随机数的统计特征,这样的发生器叫做伪随机数发生器。Wherein, the random number generator outputs random numbers. Random numbers are used in different techniques of statistics. There are many different ways to generate random numbers. These methods are called random number generators. The most important feature of a random number is that the subsequent number has nothing to do with the previous number when it is generated. Random numbers are divided into true random numbers and pseudo-random numbers. True random numbers are generated using physical phenomena: such as throwing coins, dice, wheels, noise using electronic components, nuclear fission, etc. Such random number generators are called physical random number generator. Pseudo-random numbers are generated by a fixed, repeatable calculation method. Random numbers generated by computers or calculators have a long periodicity. They are not truly random, since they can actually be calculated, but they have statistical characteristics similar to random numbers, and such generators are called pseudo-random number generators.
本发明实施例大量地运用了自动化技术,通过页面自动化工具,模拟人工文件上传的操作,遍历被测Web应用所有文件上传接口,并根据页面前端的提示信息,判断哪些接口对所上传的文件的类型有限制,即哪些接口需要接受检测。随后通过抓包工具自动截获接口的请求信息,并将这些请求信息转化为计算机语言可识别的数据类型。随后导入常用文件扩展名库,只需简单的计算机循环语句结构就可以替换所有的恶意文件扩展名并遍历所有的待测接口进行自动化检验。大大提高了安全测评人员的工作效率,并提高了Web应用文件上传接口的覆盖度。The embodiment of the present invention utilizes a large number of automation technologies. Through the page automation tool, the operation of manual file upload is simulated, all file upload interfaces of the tested Web application are traversed, and according to the prompt information at the front end of the page, it is judged which interfaces are most suitable for the uploaded file. Types have restrictions on which interfaces need to be inspected. Then, the request information of the interface is automatically intercepted by the packet capture tool, and the request information is converted into a data type recognizable by the computer language. Then import the commonly used file extension library, and only need a simple computer cycle statement structure to replace all malicious file extensions and traverse all interfaces to be tested for automatic inspection. It greatly improves the work efficiency of the security evaluation personnel, and improves the coverage of the web application file upload interface.
从上述实施例可以看出,本发明实施例提供的网页端的文件上传漏洞检测方法,通过基于网页端的提示信息使用页面自动化工具确定需要执行文件扩展名校验的文件上传接口,并获取符合文件上传接口要求的第一文件扩展名;生成具有第一文件扩展名的文件以使用页面自动化工具将文件上传到文件上传接口,并使用抓包工具截获文件上传接口的文件上传请求;加载常用文件名扩展库并从中选取不同于第一文件扩展名的第二文件扩展名来替换文件上传请求中的第一文件扩展名,重新上传经过修改的文件上传请求;响应于接收到文件上传请求的成功响应信息而基于文件上传接口所对应的默认文件路径发送文件执行请求,并响应于接收到文件执行请求的执行特征信息而判定存在文件上传漏洞的技术方案,能够遍历所有文件上传接口自动化检验,大大提高安全测评工作效率和文件上传接口的覆盖度。It can be seen from the above embodiments that the file upload vulnerability detection method on the web page provided by the embodiment of the present invention uses page automation tools to determine the file upload interface that needs to perform file extension verification by using the page automation tool based on the prompt information on the web page, and obtains the files that meet the file upload requirements. The first file extension required by the interface; generate a file with the first file extension to use the page automation tool to upload the file to the file upload interface, and use the packet capture tool to intercept the file upload request of the file upload interface; load common file name extensions The library selects a second file extension different from the first file extension to replace the first file extension in the file upload request, and re-uploads the modified file upload request; in response to receiving a successful response message for the file upload request The technical solution for sending a file execution request based on the default file path corresponding to the file upload interface, and judging the existence of a file upload vulnerability in response to receiving the execution feature information of the file execution request, can traverse all file upload interfaces for automatic inspection, greatly improving security Evaluate work efficiency and coverage of file upload interface.
It should be particularly noted that the steps in the various embodiments of the above web-side file upload vulnerability detection method may be interleaved, substituted, added or removed with respect to one another; therefore these reasonable permutations and combinations of the web-side file upload vulnerability detection method should also fall within the protection scope of the present invention, and the protection scope of the present invention should not be limited to the described embodiments.
Based on the above purpose, a second aspect of the embodiments of the present invention proposes an embodiment of a web-side file upload vulnerability detection device that traverses all file upload interfaces for automated inspection. The web-side file upload vulnerability detection device comprises:
a processor; and
a memory storing program code executable by the processor, the program code performing the following steps when executed:
using a page automation tool, based on the prompt information on the web page, to determine the file upload interfaces that need to perform file extension verification, and obtaining a first file extension that meets the requirements of the file upload interface;
generating a file with the first file extension so as to upload it to the file upload interface with the page automation tool, and intercepting the file upload request of the file upload interface with a packet capture tool;
loading a library of common file name extensions and selecting from it a second file extension different from the first file extension to replace the first file extension in the file upload request, and re-uploading the modified file upload request;
in response to receiving a success response to the file upload request, sending a file execution request based on the default file path corresponding to the file upload interface, and in response to receiving execution feature information for the file execution request, determining that a file upload vulnerability exists.
In some embodiments, selecting from the common file name extension library a second file extension different from the first file extension comprises: removing one or more first file extensions from the common file name extension library, and selecting from the remaining extensions one at a time as the second file extension.
Replacing the first file extension in the file upload request with the second file extension and re-uploading the modified file upload request comprises: replacing the first file extension in the file upload request with each selected second file extension in turn, and re-uploading the modified file upload request for each selected second file extension, until the selected second file extensions have traversed all of the remaining extensions.
In some embodiments, generating the file with the first file extension comprises: generating unique identification information with a random number generator and writing the unique identification information into the file; receiving execution feature information for the file execution request comprises: receiving an execution response to the file execution request and, by character matching within the execution response, obtaining the unique identification information as the execution feature of the file; wherein the random number generator is configured to generate true random numbers or pseudo-random numbers.
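The steps of the device and the refinements above (removing the accepted extensions from the library, trying each remaining extension in turn, writing a unique identifier into the file and matching it in the execution response), as an added example that is not the patent's own code. The captured request, the extension library, the default upload path and the simulated target (a blacklist or allow-list validator with a fixed set of handler extensions) are all constructed assumptions.

```python
import re
import secrets
# Constructed sample of an intercepted multipart upload request (not from any
# real system); "MARKER" is replaced by the unique identifier before sending.
CAPTURED_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----b1\r\n\r\n------b1\r\n"
    'Content-Disposition: form-data; name="file"; filename="probe.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\nMARKER\r\n------b1--\r\n"
)
# Constructed stand-in for the patent's "common file name extension library".
EXTENSION_LIBRARY = ["jpg", "png", "gif", "txt", "html", "php", "jsp"]
EXT_RE = re.compile(r'(filename="[^"]*)\.[A-Za-z0-9]+(")')
NAME_RE = re.compile(r'filename="([^"]+)"')

def second_extensions(library, first):
    """Remove the extensions the interface accepts; the rest are tried one at a time."""
    accepted = {e.lower() for e in first}
    return [e for e in library if e.lower() not in accepted]

def rewrite_request(request, marker, ext):
    """Write the unique marker into the file part and swap the filename extension."""
    body = request.replace("MARKER", marker)
    return EXT_RE.sub(lambda m: m.group(1) + "." + ext + m.group(2), body, count=1)

def scan(request, first, upload, execute, upload_dir="/uploads"):
    """One pass of the described loop: re-upload with each second extension; on a
    success response fetch the default path and look for the marker (execution feature)."""
    marker, findings = "upl-" + secrets.token_hex(8), {}   # unique identification info
    for ext in second_extensions(EXTENSION_LIBRARY, first):
        modified = rewrite_request(request, marker, ext)
        status, _ = upload(modified)
        if status != 200:                    # interface rejected the extension
            findings[ext] = False
            continue
        name = NAME_RE.search(modified).group(1)
        _, body = execute(f"{upload_dir}/{name}")
        findings[ext] = marker in body
    return findings
class SimulatedUploadServer:
    """Constructed offline target: blacklist or allow-list validator plus handler extensions."""
    def __init__(self, blacklist=(), allowlist=None, executes=("php", "jsp")):
        self.blacklist, self.allowlist, self.executes = set(blacklist), allowlist, set(executes)
        self.files = {}
    def upload(self, request):
        name = NAME_RE.search(request).group(1)
        ext = name.rsplit(".", 1)[-1].lower()
        allowed = ext in self.allowlist if self.allowlist is not None else ext not in self.blacklist
        if not allowed:
            return 400, "rejected"
        self.files["/uploads/" + name] = request.split("\r\n\r\n")[2].split("\r\n")[0]
        return 200, "stored"
    def execute(self, path):
        # Assumption: the upload directory only serves files mapped to a handler.
        ext = path.rsplit(".", 1)[-1].lower()
        return (200, self.files[path]) if path in self.files and ext in self.executes else (404, "")
```

Against the blacklist target the loop reports the extension that was both stored and executed, while the allow-list target yields no finding, which is the check a defender wants the interface to pass.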
It can be seen from the above embodiments that the web-side file upload vulnerability detection device provided by the embodiment of the present invention uses a page automation tool, based on the prompt information on the web page, to determine the file upload interfaces that need to perform file extension verification, and obtains a first file extension that meets the requirements of the file upload interface; generates a file with the first file extension so as to upload it to the file upload interface with the page automation tool, and intercepts the file upload request of the file upload interface with a packet capture tool; loads a library of common file name extensions and selects from it a second file extension different from the first file extension to replace the first file extension in the file upload request, and re-uploads the modified file upload request; in response to receiving a success response to the file upload request, sends a file execution request based on the default file path corresponding to the file upload interface, and in response to receiving execution feature information for the file execution request, determines that a file upload vulnerability exists. This technical solution can traverse all file upload interfaces for automated inspection, greatly improving the efficiency of security assessment work and the coverage of file upload interfaces.
It should be particularly noted that the above embodiment of the web-side file upload vulnerability detection device uses the embodiment of the web-side file upload vulnerability detection method to describe the working process of each module; those skilled in the art can readily conceive of applying these modules to other embodiments of the web-side file upload vulnerability detection method. Of course, since the steps in the embodiments of the web-side file upload vulnerability detection method may be interleaved, substituted, added or removed with respect to one another, these reasonable permutations and combinations of the web-side file upload vulnerability detection device should also fall within the protection scope of the present invention, and the protection scope of the present invention should not be limited to the described embodiments.
The above are exemplary embodiments disclosed by the present invention, but it should be noted that various changes and modifications can be made without departing from the scope of the disclosed embodiments of the present invention as defined by the claims. The functions, steps and/or actions of the method claims according to the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements disclosed in the embodiments of the present invention may be described or claimed in the singular, they may also be understood as plural unless explicitly limited to the singular.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope disclosed by the embodiments of the present invention (including the claims) is limited to these examples; within the idea of the embodiments of the present invention, the technical features of the above embodiments or of different embodiments may also be combined, and many other variations of the different aspects of the embodiments of the present invention as described above exist which, for the sake of brevity, are not provided in detail. Therefore, any omission, modification, equivalent substitution, improvement and the like made within the spirit and principles of the embodiments of the present invention shall be included in the protection scope of the embodiments of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011148876.2A CN112446030B (en) | 2020-10-23 | 2020-10-23 | Method and device for detecting file uploading vulnerability of webpage end |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112446030A CN112446030A (en) | 2021-03-05 |
CN112446030B true CN112446030B (en) | 2023-01-06 |
Family
ID=74736649
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113114680B (en) * | 2021-04-13 | 2023-04-07 | 中国工商银行股份有限公司 | Detection method and detection device for file uploading vulnerability |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105227387A (en) * | 2014-06-16 | 2016-01-06 | 腾讯科技(深圳)有限公司 | The detection method of webpage leak, Apparatus and system |
CN108696488A (en) * | 2017-04-11 | 2018-10-23 | 腾讯科技(深圳)有限公司 | A kind of upload interface identification method, identification server and system |
CN109412896A (en) * | 2018-11-14 | 2019-03-01 | 中国平安人寿保险股份有限公司 | Test method, device, computer equipment and the storage medium of upload function |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Patentee before: SUZHOU LANGCHAO INTELLIGENT TECHNOLOGY Co.,Ltd.; patentee after: Suzhou Yuannao Intelligent Technology Co.,Ltd. Address (unchanged): Building 9, No.1, guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Wuzhong District, Suzhou City, Jiangsu Province, China |