CN104850789A - Remote code injection vulnerability detection method based on Web browser helper object - Google Patents
- Publication number
- CN104850789A (application CN201510148882.0A)
- Authority
- CN
- China
- Prior art keywords
- web browser
- code injection
- remote code
- browser
- detection method
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a remote code injection vulnerability detection method based on a Web browser helper object. The method comprises the following steps: building a browser helper object and deploying it on the target Web browser to be detected, the helper object being built so that, when it detects that the head of the address entered in the browser contains a trigger URL, it decodes the character string following the trigger URL and executes the result as a command-line string; encoding a command-line string CM, appending the encoded CM to the trigger URL to form a uniform resource locator L, and building a hypertext markup language file H; and finally, accessing the address pointed to by L in H, and judging whether a remote code injection vulnerability based on the Web browser helper object exists according to whether the target Web server to be detected executes the remote code injection. The method has very high penetration capability. It can find remote code injection vulnerabilities hidden deep in the Web browser, so that the security of the Web browser is enhanced.
Description
Technical field
The present invention relates to vulnerability detection technology in information security, and in particular to a remote code injection vulnerability detection method based on a Web browser helper object.
Background
With the arrival of the Internet era, the world as a whole has entered a new era with it. Aided by advanced technologies such as computers and the Internet, people are increasingly accustomed to obtaining information and receiving services on all kinds of websites. Because of its high compatibility and user friendliness, the Web system has become the most mainstream type of Internet information system today. At the same time, the security of Web systems faces severe challenges.
A Web system usually consists of two parts, a Web browser and a Web server, which exchange information using the Hypertext Transfer Protocol (HTTP). Because HTTP is an open protocol, an attacker can simulate the responses of a Web server and, by constructing specific remote HTTP data, inject malicious code for execution into the client's Web browser, thereby endangering the security of the client computer system in order to steal information, hijack the system, and so on. This kind of attack is commonly called a remote code injection attack (Remote Code Injection), and a vulnerability that an attacker can use to carry out such an attack is called a remote code injection vulnerability (Remote Code Injection Exploit).
Most current security tools, such as network firewalls and intrusion detection systems, provide effective detection and prevention for some remote code injection vulnerabilities, such as cross-site scripting (Cross-Site Script, XSS). However, remote code injection carried out through third-party plug-ins (Plug-in) that use the Web browser's open interfaces has not yet received sufficient attention from vendors in the security industry.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the defects described in the background, to provide a remote code injection vulnerability detection method based on a Web browser helper object, used to detect whether a Web browser has a potential remote code injection vulnerability and thereby strengthen the security of the Web system.
To solve the above technical problem, the present invention adopts the following technical solution:
A remote code injection vulnerability detection method based on a Web browser helper object, comprising the following steps:
Step 1), build a browser helper object, set its encoding format to E, and set a trigger URL; the helper object is used, when it detects that the head of the input address in the browser contains the trigger URL, to decode the character string that follows the trigger URL in the input address and execute the result as a command-line string;
Step 2), deploy the browser helper object on the target Web browser to be detected;
Step 3), construct a command-line string CM as the remote injection code;
Step 4), call the encoding algorithm corresponding to encoding format E to encode the command-line string CM;
Step 5), append the encoded command-line string CM to the tail of the trigger URL to obtain character string L;
Step 6), construct a hypertext markup language file H with character string L as its uniform resource locator;
Step 7), open the hypertext markup language file H with the target Web browser to be detected and access the address pointed to by uniform resource locator L;
Step 7.1), if the browser executes the command-line string CM, judge that the target Web browser to be detected has a remote code injection vulnerability based on the Web browser helper object;
Step 7.2), if the browser does not execute the command-line string CM, judge that the target Web browser to be detected does not have a remote code injection vulnerability based on the Web browser helper object.
As a further refinement of the remote code injection vulnerability detection method based on a Web browser helper object of the present invention, the specific execution steps of the browser helper object in step 1) are as follows:
Step 1.1), obtain the string length LD of the trigger URL;
Step 1.2), obtain the input address in the browser, and obtain the string length LN of the input address;
Step 1.3), check whether the trigger URL is a proper substring of the input address and is located at the head of the input address; if so, perform step 1.4); if not, stop;
Step 1.4), obtain the proper substring C at positions LD to LN-1 of the input address;
Step 1.5), according to encoding format E, call the corresponding decoding algorithm to decode the proper substring C, then execute the result as a command-line string.
As a further refinement of the remote code injection vulnerability detection method based on a Web browser helper object of the present invention, the Web server is a rack-mounted server.
As a further refinement of the remote code injection vulnerability detection method based on a Web browser helper object of the present invention, the model of the Web server is the Lenovo WanQuan R520 G7.
As a further refinement of the remote code injection vulnerability detection method based on a Web browser helper object of the present invention, the Web server is a tower server.
As a further refinement of the remote code injection vulnerability detection method based on a Web browser helper object of the present invention, the model of the Web server is the Lenovo WanQuan T260 G3.
Compared with the prior art, the present invention, by adopting the above technical solution, has the following technical effects:
The present invention is based on Web browser helper object technology. By writing a specific browser helper object (Browser Helper Object, BHO), remote code injection can be carried out in a way that bypasses the vulnerability detection measures on the Web browser side. The method has very high penetration capability, can find remote code injection vulnerabilities hidden deep in the Web browser, and thereby strengthens the security of the Web system.
Brief description of the drawings
Fig. 1 is the flow chart of the remote code injection vulnerability detection method based on a Web browser helper object of the present invention.
Detailed description
The technical solution of the present invention is described in further detail below with reference to the accompanying drawing:
As shown in Fig. 1, the present invention discloses the steps of a remote code injection vulnerability detection method based on a Web browser helper object.
Step 101: write browser helper object B. The integrated development environment is Microsoft Visual Studio .Net 2008 and the language used is C#. In browser helper object B, implement the IObjectWithSite interface and declare the SetSite method; in the SetSite method, add a handler F for the BeforeNavigate2 event, where the algorithm of F is as shown in steps 102 to 106:
Step 102: set the trigger URL to character string D, whose value is "http://www.abc.com/" and whose length LD is 19. Set the value of encoding format E to "base64".
Step 103: obtain the input address N in the browser; N is a character string whose length is the positive integer LN.
Step 104: check whether character string D is a proper substring of the input address N in the browser and is located at the head of N. If so, perform step 105; if not, the algorithm stops.
Step 105: take the proper substring at positions LD to LN-1 of the input address N in the browser, that is, the substring of N over the closed interval from offset 19 to the end of N, and set it as character string C.
Step 106: because the value of encoding format E in step 102 is "base64", call the base64 decoding algorithm to decode character string C, then execute the result as a command-line string.
Step 107: deploy the browser helper object B written in step 101 on the Web browser under test. The browser used here is Microsoft Internet Explorer 8 and the operating system is Windows 7. Running the regsvr32 command in the operating system to register the browser helper object B written in step 101 completes the deployment.
Step 108: construct the hypertext markup language file H, whose content is as follows:
<html>
<body>
<a href="http://www.abc.com/Y21k"> http://www.abc.com/Y21k </a>
</body>
</html>
Here, the uniform resource locator "http://www.abc.com/Y21k" is generated by steps 109 to 110:
Step 109: set the command-line string CM to the value "cmd", which means running the Windows command-line program; this character string is the remote injection code. Because the value of encoding format E in step 102 is "base64", call the base64 encoding algorithm to encode CM as "Y21k", which is the value of character string C.
Step 110: append the character string C obtained in step 109 to the tail of character string D from step 102 to obtain the character string "http://www.abc.com/Y21k", which is the uniform resource locator described in step 108.
Step 111: using the Web browser under test, namely the Microsoft Internet Explorer 8 described in step 107, open the hypertext markup language file H constructed in step 108 and click the link shown in the browser's graphical interface. The Web browser will automatically execute the command-line string from step 109 and open a Windows command-line program window. This shows that the Web browser has a remote code injection vulnerability based on the Web browser helper object.
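The following added example (not part of the patent text) reproduces the matching and decoding logic of steps 103 to 106 and the URL construction of steps 109 to 110, but stops before the execution step, so it can be used to check which logged addresses would have activated such a helper object. The function names and the log format (timestamp, client, URL) are assumptions made for the illustration, and the log lines are constructed.

```python
import base64
import binascii

TRIGGER = "http://www.abc.com/"  # trigger URL D from step 102 (LD = 19)

# Constructed sample log (assumed format: timestamp, client, URL).
SAMPLE_LOG = """\
2015-04-01T09:00:01 10.0.0.5 http://www.abc.com/
2015-04-01T09:00:07 10.0.0.5 http://www.abc.com/index.html
2015-04-01T09:00:09 10.0.0.5 http://www.abc.com/news
2015-04-01T09:00:15 10.0.0.5 http://www.abc.com/Y21k
2015-04-01T09:00:20 10.0.0.5 http://www.example.org/Y21k
"""


def build_probe_url(command_line, trigger=TRIGGER):
    """Steps 109-110: base64-encode CM and append it to D to obtain L."""
    encoded = base64.b64encode(command_line.encode("ascii")).decode("ascii")
    return trigger + encoded


def extract_payload(address, trigger=TRIGGER):
    """Steps 103-106 up to, but not including, execution.

    Returns the decoded command-line string, or None when the address
    would not activate the helper object.
    """
    ld, ln = len(trigger), len(address)
    # Step 104: D must be a proper substring of N located at its head,
    # so an address equal to D (empty tail) does not match.
    if ln <= ld or not address.startswith(trigger):
        return None
    tail = address[ld:ln]  # step 105: N[LD .. LN-1]
    try:
        raw = base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return None  # tail is not well-formed base64
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # decodes, but not to text (ordinary path such as "news")
    return text if text and text.isprintable() else None


def scan_log(log_text, trigger=TRIGGER):
    """Return (url, decoded_command) for every log line that would trigger."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        payload = extract_payload(fields[-1], trigger)
        if payload is not None:
            hits.append((fields[-1], payload))
    return hits


if __name__ == "__main__":
    print(build_probe_url("cmd"))
    for url, command in scan_log(SAMPLE_LOG):
        print("would trigger:", url, "->", repr(command))
```

Only the fourth log line is reported: the first has an empty tail, the second and third do not decode to printable text, and the fifth does not begin with the trigger URL.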
The Web server may be a rack-mounted server, preferably the Lenovo WanQuan R520 G7.
The Web server may also be a tower server, preferably the Lenovo WanQuan T260 G3.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless defined as here, should not be interpreted in an idealized or overly formal sense.
The embodiment described above further explains the object, technical solution and beneficial effects of the present invention. It should be understood that the foregoing is only a specific embodiment of the present invention and does not limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (6)
1. A remote code injection vulnerability detection method based on a Web browser helper object, characterized in that it comprises the following steps:
Step 1), build a browser helper object, set its encoding format to E, and set a trigger URL; the helper object is used, when it detects that the head of the input address in the browser contains the trigger URL, to decode the character string that follows the trigger URL in the input address and execute the result as a command-line string;
Step 2), deploy the browser helper object on the target Web browser to be detected;
Step 3), construct a command-line string CM as the remote injection code;
Step 4), call the encoding algorithm corresponding to encoding format E to encode the command-line string CM;
Step 5), append the encoded command-line string CM to the tail of the trigger URL to obtain character string L;
Step 6), construct a hypertext markup language file H with character string L as its uniform resource locator;
Step 7), open the hypertext markup language file H with the target Web browser to be detected and access the address pointed to by uniform resource locator L;
Step 7.1), if the browser executes the command-line string CM, judge that the target Web browser to be detected has a remote code injection vulnerability based on the Web browser helper object;
Step 7.2), if the browser does not execute the command-line string CM, judge that the target Web browser to be detected does not have a remote code injection vulnerability based on the Web browser helper object.
2. The remote code injection vulnerability detection method based on a Web browser helper object according to claim 1, characterized in that the specific execution steps of the browser helper object in step 1) are as follows:
Step 1.1), obtain the string length LD of the trigger URL;
Step 1.2), obtain the input address in the browser, and obtain the string length LN of the input address;
Step 1.3), check whether the trigger URL is a proper substring of the input address and is located at the head of the input address; if so, perform step 1.4); if not, stop;
Step 1.4), obtain the proper substring C at positions LD to LN-1 of the input address;
Step 1.5), according to encoding format E, call the corresponding decoding algorithm to decode the proper substring C, then execute the result as a command-line string.
3. The remote code injection vulnerability detection method based on a Web browser helper object according to claim 1, characterized in that the Web server is a rack-mounted server.
4. The remote code injection vulnerability detection method based on a Web browser helper object according to claim 3, characterized in that the model of the Web server is the Lenovo WanQuan R520 G7.
5. The remote code injection vulnerability detection method based on a Web browser helper object according to claim 1, characterized in that the Web server is a tower server.
6. The remote code injection vulnerability detection method based on a Web browser helper object according to claim 5, characterized in that the model of the Web server is the Lenovo WanQuan T260 G3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510148882.0A CN104850789B (en) | 2015-04-01 | 2015-04-01 | Remote code injection vulnerability detection method based on Web browser helper object |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104850789A true CN104850789A (en) | 2015-08-19 |
CN104850789B CN104850789B (en) | 2017-10-27 |
Family
ID=53850427
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510148882.0A Active CN104850789B (en) | 2015-04-01 | 2015-04-01 | Remote code injection vulnerability detection method based on Web browser helper object |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104850789B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN104850789B (en) | 2017-10-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
EXSB | Decision made by sipo to initiate substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||