CN108512818A - Method and device for detecting a vulnerability - Google Patents
- Publication number
- CN108512818A CN108512818A CN201710114753.9A CN201710114753A CN108512818A CN 108512818 A CN108512818 A CN 108512818A CN 201710114753 A CN201710114753 A CN 201710114753A CN 108512818 A CN108512818 A CN 108512818A
- Authority
- CN
- China
- Prior art keywords
- data
- character
- character data
- response
- response data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a method and device for detecting a vulnerability, belonging to the field of network technology. The method includes: sending first character data to a server, the first character data consisting of characters that are optional when code executes; when first response data returned by the server is received, determining that no vulnerability exists if the first response data does not contain the first character data; if the first response data does contain the first character data, determining the position of the first character data in the first response data; and continuing vulnerability detection on the basis of that position, where the character data sent in the continued detection differs according to the position. When the received first response data does not contain the first character data, the invention determines that the server has no vulnerability; when it does contain the first character data, detection continues in a manner targeted to the position of the first character data in the first response data. This avoids missed detections and makes the vulnerability detection more reliable and accurate.
Description
Technical field
The present invention relates to the field of network technology, and in particular to a method and device for detecting a vulnerability.
Background technology
With the development of network technology, the network is constantly enriching users' lives. However, the network also contains vulnerabilities, for example the well-known XSS (Cross Site Scripting) vulnerability. An XSS vulnerability is one that allows a malicious user to inject a malicious script into a website provided by a server. It may lead to the private data of users who visit that server being stolen, to unauthorized transfers, to users being forced to send e-mail, and to other security problems. Vulnerability detection technology has therefore attracted attention in the industry.
When detecting XSS vulnerabilities, a large number of test character data are usually prepared, each different from the others, for example "ABCDE..." or "<script>". The scanner sends these character data to the server one after another; after sending one character data, it receives the response data the server returns for that character data. If some response data contains the character data that was sent, the server is considered likely to allow a malicious script to be injected, and it is determined that the server has an XSS vulnerability; otherwise it is determined that it has none.
In implementing the present invention, the inventor found that the prior art has at least the following problems:
The detection process above decides only on whether the response data contains the character data that was sent, and its decision logic is too simple. Because a vulnerability can arise in many different ways, blindly sending a large number of character data makes it difficult to hit the vulnerability of the server under test, so the server's vulnerability is missed and the accuracy and reliability of the detection are poor.
Invention content
In order to solve the problems in the prior art, embodiments of the present invention provide a method and device for detecting a vulnerability. The technical solution is as follows:
In one aspect, a method for detecting a vulnerability is provided, the method including:
sending first character data to a server, the first character data including characters that are optional when code executes;
when first response data returned by the server is received, determining that no vulnerability exists if the first response data does not include the first character data;
if the first response data includes the first character data, determining the position of the first character data in the first response data; and
continuing vulnerability detection on the basis of the position,
wherein the character data sent when continuing vulnerability detection differs for different positions.
In another aspect, a device for detecting a vulnerability is provided, the device including:
a sending module, for sending first character data to a server, the first character data including characters that are optional when code executes;
a determining module, for determining, when first response data returned by the server is received, that no vulnerability exists if the first response data does not include the first character data;
the determining module further being for determining, if the first response data includes the first character data, the position of the first character data in the first response data; and
a detection module, for continuing vulnerability detection on the basis of the position,
wherein the character data sent when continuing vulnerability detection differs for different positions.
In the embodiments of the present invention, first character data consisting of characters that are optional when code executes is sent to the server. If the first response data received does not include the first character data, it can be determined with certainty that the server does not allow character data to be injected, and so does not allow a malicious script to be injected either; it is therefore determined with certainty that the server has no vulnerability. If the first response data received does include the first character data, then, because the form a malicious script must take depends on the position at which it is injected, vulnerability detection continues on the basis of the position of the first character data in the first response data: different character data are sent according to the specific position where the first character data was injected, so as to detect in a targeted way whether the server has a vulnerability. This avoids missed detections and makes the vulnerability detection more reliable and accurate.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment for detecting a vulnerability according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for detecting a vulnerability according to an embodiment of the present invention;
Fig. 3 is a block diagram of a device for detecting a vulnerability according to an embodiment of the present invention;
Fig. 4 is a block diagram of a device 400 for detecting a vulnerability according to an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Fig. 1 is a schematic diagram of an implementation environment for detecting a vulnerability according to an embodiment of the present invention. Referring to Fig. 1, the implementation environment includes a scanner 101 and a server 102. The scanner 101 detects whether the server 102 has an XSS vulnerability and may include an input/output module and a logic module. The input/output module sends the character data produced by the logic module to the server 102 and passes the response data received from the server to the logic module; the logic module decides which character data to send according to the configured decision logic and determines whether the response data contains the character data that was sent. The server 102 provides services to users, for example, but not limited to, a search service, a social service or a game service; it may also provide a message-board service, a comment service or a blog publishing service. Because the services provided by the server 102 may accept character data entered by the users themselves, the server may have an XSS vulnerability.
Fig. 2 is a flow chart of a method for detecting a vulnerability according to an embodiment of the present invention. Referring to Fig. 2, the embodiment is applied to a scanner and specifically includes the following steps:
201. Send first character data to the server, the first character data including characters that are optional when code executes.
The server is the server to be tested for an XSS vulnerability (hereinafter simply "vulnerability"). Code refers to source written in languages such as HTML and JavaScript. Characters that are optional when code executes are characters that cannot by themselves affect code execution, such as digits, letters or underscores; such characters only become meaningful when the code explicitly defines them. The embodiments of the present invention place no specific limit on which characters, or how many, the first character data contains. For example, the first character data may be a string that rarely occurs on the server's website, such as 4004e214326ee9fbc57856821bbf592_0.
It should be noted that the embodiments of the present invention do not limit the form in which the first character data is transmitted. For example, the first character data may be carried in a POST request.
202. When first response data returned by the server is received, determine whether the first response data contains the first character data; if not, determine that no vulnerability exists; if so, execute step 203.
In the embodiments of the present invention, when the server receives the POST request sent by the scanner, it may generate an HTML page (including a head and a body), that is, the first response data, on the basis of the first character data in the POST request, and return it to the scanner. Taking a server that provides a message-board service as an example, the server may treat the first character data as a user's message, generate first response data carrying the first character data, and return it to the scanner.
To determine whether the first response data contains the first character data, the first response data may be searched for the first character data. If it is found, the first response data is determined to contain the first character data, the server may have a vulnerability, and step 203 is executed to continue detection; if it is not found, the first response data is determined not to contain the first character data.
The possible reasons for the first response data not containing the first character data are as follows:
Reason 1: the server filtered the first character data.
Reason 2: the server does not inject any character data it receives into the corresponding response data.
Because the first character data only becomes meaningful when defined in code and is not a necessary element of executable code, the server has no reason to treat it as a malicious script and filter it out. The reason the first response data does not contain the first character data is therefore reason 2: even if the server receives character data carrying a malicious script, it will not inject it into the corresponding response data, and it can be determined that the server has no vulnerability. This conclusion covers only the response that was examined; input that the server stores and displays on a different page, or returns only in a later response, is not observed by this check.
203. If the first response data contains the first character data, determine the position of the first character data in the first response data.
In this step, the character data the scanner sends when continuing vulnerability detection differs for different positions. The embodiments of the present invention do not limit the specific procedure for determining the position of the first character data in the first response data. For example, because the range of positions inside an HTML tag may include positions where code is executable, and the range of positions where code is executable may include the start of the response body of the first response data, detection may proceed from the narrowest range of positions to the widest, using determinations one to three below, in order to detect a vulnerability more efficiently:
One: determine whether the first character data is at the start of the response body of the first response data; if so, execute step 204; if not, proceed to determination two.
In determination one, according to a configured first keyword <body>, it may be determined whether the six characters preceding the first character data are the first keyword; if so, the first character data is determined to be at the start of the response body of the first response data. <body> marks the body of an HTML page, that is, the response body of the first response data.
Two: determine whether the first character data is at a position in the first response data where code is executable; if so, execute step 206; if not, proceed to determination three.
In determination two, any of the following checks may be used:
according to a configured pair of second keywords <script> and </script>, determine whether the first character data lies between the pair of second keywords; or
according to at least one configured third keyword, determine whether the first character data lies inside any event handler attribute in HTML. A third keyword consists of the name of an event handler attribute beginning with "on" (hereinafter an "on event"), an equals sign and a pair of quotation marks, in the form: name of on event="", where the on event may be, for example, onerror, onload or onabort; or
according to a configured fourth keyword javascript:, determine whether the eleven characters preceding the first character data are javascript:; or
according to a configured fifth keyword expression(), determine whether the first character data lies inside an expression that can introduce and execute JavaScript code, the expression being expression() (a CSS feature of older Internet Explorer versions).
The keywords in the four checks of determination two all mark positions where code executes directly. Therefore, if any of the four checks is positive, the first character data is determined to be at a position in the first response data where code is executable, and step 206 is executed; if all four checks are negative, determination three is executed.
Three: determine whether the first character data is inside any hypertext markup language (HTML) tag in the first response data; if so, execute step 208; if not, execute step 212.
In determination three, according to a configured pair of sixth keywords < and >, it may be determined whether the first character data lies between the pair of sixth keywords; if so, the first character data is determined to be inside an HTML tag of the first response data; if not, step 212 may be executed.
204. If the first character data is at the start of the response body of the first response data and the first response data sets no character encoding, send second character data to the server, the second character data being character data encoded in UTF-7 (7-bit Unicode Transformation Format).
The reason for this step is as follows. In practice, the character encoding a server uses for the keywords with which it filters malicious scripts is generally UTF-8 (8-bit Unicode Transformation Format). Because the same character takes a different form under different encodings, if the sending end encodes its malicious script in UTF-7, the server has difficulty filtering it with its configured keywords, and a UTF-7-encoded malicious script may then be injected into the HTML page. If the head of the HTML page sets no character encoding, a user's browser, when it visits the HTML page into which the malicious script has been injected, may decode the page using the character encoding it detects at the start of the page body, and so execute the malicious script.
To avoid this situation and detect the vulnerability accurately, if the first character data is at the start of the response body of the first response data, it is first determined whether the first response data sets a character encoding. If no character encoding is set, second character data such as +/v8ABCDEG is sent to the server, where +/v8 serves as the declaration of UTF-7 encoding (+/v8- is the UTF-7 encoding of the byte order mark U+FEFF, which a browser that sniffs encodings treats as a UTF-7 signature), so as to detect whether the server allows UTF-7-encoded character data to be injected. Current browsers no longer support UTF-7 as a document encoding, so this check matters mainly for legacy clients.
In this step, if the first response data has set a character encoding, step 203 may be executed again to determine the position: if the first character data is at a position in the first response data where code is executable, step 206 may be executed; otherwise it may be determined whether the first character data is inside any HTML tag in the first response data, and if so step 208 is executed, if not step 212, so as to continue vulnerability detection.
205. When second response data returned by the server is received, determine whether the second response data contains the second character data; if so, determine that a vulnerability exists; if not, execute step 203.
In this step, the scanner may determine whether the second response data contains the second character data that was sent. If it does, the server is likely to allow a UTF-7-encoded malicious script to be injected, and it is determined that the server has a vulnerability. Otherwise step 203 is executed to determine the position: if the first character data is at a position in the first response data where code is executable, step 206 may be executed; otherwise it may be determined whether the first character data is inside any HTML tag in the first response data, and if so step 208 is executed, if not step 212, so as to continue vulnerability detection.
206. If the first character data is at a position in the first response data where code is executable; or if the first character data is at the start of the response body of the first response data, the first response data sets a character encoding, and the first character data is at a position in the first response data where code is executable; or if the second response data does not contain the second character data and the first character data is at a position in the first response data where code is executable: send third character data to the server, the third character data including characters that are necessary when code executes.
In this step, the scanner may send the third character data to the server when any of the three conditions above holds. Characters that are necessary when code executes are characters that must be present in a piece of executable code; the embodiments of the present invention place no specific limit on them. Examples are the quotation marks (single and double) that wrap HTML values, the brackets (braces and parentheses) required in JavaScript functions, the semicolon in a JavaScript statement, the slash in an HTML end tag, or the function name of the common alert() function. The third character data may therefore be '")}top['aler'+'t'](tst_xss_test);//, where top['aler'+'t'] illustrates that the name alert may be assembled from its characters in any combination. Because the original code of the HTML page is likely to use the characters above, (tst_xss_test) serves as an index that makes it easy to search the third response data for the third character data.
207. When third response data returned by the server is received, determine whether the third response data contains the third character data; if so, determine that a vulnerability exists; if not, determine that no vulnerability exists.
In this step, if the third response data contains the third character data, the server allows the characters that are necessary when code executes to be injected, so a malicious user can inject into the HTML page a malicious script written with those characters, and it can be determined accurately that the server has a vulnerability. If the third response data does not contain the third character data, the server does not allow the characters necessary for code execution to be injected, and so does not allow a malicious script to be injected either; it is therefore determined that no vulnerability exists.
208. If the first character data is inside any hypertext markup language (HTML) tag in the first response data and inside a pair of quotation marks, send fourth character data to the server, the fourth character data including a quotation mark.
In this step, quotation marks inside an HTML tag are generally used in code of the form on event="function" or attribute="javascript:", so in order to detect whether the server allows code of these forms to be injected, it is possible to detect directly whether the server allows a quotation mark to be injected. During detection, if the first character data is inside any HTML tag in the first response data, the scanner may further determine whether the first character data is inside a pair of quotation marks; if so, it sends the fourth character data to the server, and if not, step 210 may be executed. The fourth character data includes a quotation mark, for example one single or one double quotation mark; the fourth character data may be, for example, "tst_xss_test.
It should be noted that the server may unescape character data, by HTML unescaping or URL (Uniform Resource Locator) unescaping, among others. To cover the case where the server receives an escaped quotation mark, unescapes it, and injects the resulting literal quotation mark, the quotation mark in the fourth character data may also be an escaped quotation mark, so as to detect whether the server allows a quotation mark to be injected. The embodiments of the present invention do not limit the manner or number of escapings. For example, "tst_xss_test becomes %22tst_xss_test after one URL escaping and %2522tst_xss_test after two URL escapings; "tst_xss_test becomes &quot;tst_xss_test after one HTML escaping, and %26quot%3Btst_xss_test after one HTML escaping followed by one URL escaping.
209. When fourth response data returned by the server is received, determine whether the fourth response data contains the fourth character data; if so, determine that a vulnerability exists; if not, execute step 210.
In this step, if the fourth response data contains the fourth character data, the server allows a quotation mark to be injected inside a pair of quotation marks within an HTML tag. Regardless of whether the fourth character data as sent was an escaped quotation mark, the determination of whether the fourth response data contains the fourth character data searches the fourth response data for the unescaped quotation mark.
If some character data is code of the form " on event="function, then after injection the HTML tag takes the form attribute="" on event="function": the first quotation mark closes the quotation marks already present in the HTML tag, so that the on event can be executed. This shows that the server allows a malicious script containing an on event to be injected, and it can therefore be determined accurately that the server has a vulnerability.
210. If the first character data is inside any HTML tag in the first response data but not inside a pair of quotation marks, or if the fourth response data does not contain the fourth character data, determine whether the first character data is any attribute value of the HTML tag; if so, send fifth character data to the server, the fifth character data including protocol characters used when code executes; if not, execute step 212.
In this step, because the form of an HTML tag may be <tag type attribute 1="attribute value 1" attribute 2="attribute value 2">, if the two characters preceding the first character data are an equals sign and a quotation mark, the first character data is determined to be an attribute value of the HTML tag. The tag type includes, but is not limited to, img, object, embed, a, video, form, iframe, button, math or link, and the attribute includes, but is not limited to, src, poster, href, data, action or formaction.
It should be noted that the protocol characters used when code executes are characters that the HTML and JavaScript specifications provide for use, generally javascript: or the names of on events such as onafterprint, onbeforeprint or onerror. The two cases in this step that lead to the fifth character data being sent are as follows:
If the first character data is inside any HTML tag in the first response data but not inside a pair of quotation marks, a malicious script can be injected in the form on event="function" or "javascript:", so the protocol characters included in the fifth character data are the name of an on event or "javascript:, and the fifth character data may be "javascript:"(tst_xss_test).
If the fourth response data does not contain the fourth character data, the server does not allow a quotation mark to be injected; but because the first character data is inside quotation marks, a malicious script can still be injected in the form javascript:, and the fifth character data may be javascript:(tst_xss_test).
211. When fifth response data returned by the server is received, determine whether the fifth response data contains the fifth character data; if so, determine that a vulnerability exists; if not, determine that no vulnerability exists.
In this step, if the fifth response data contains the fifth character data, the server allows a malicious script containing the protocol characters used when code executes to be injected, so it can be determined accurately that the server has a vulnerability; otherwise it is determined that no vulnerability exists.
212. If the first character data is not inside any HTML tag in the first response data, or the first character data is not an attribute value of the HTML tag, send sixth character data to the server, the sixth character data including characters used to construct an HTML tag.
In this step, when the first character data is not inside an HTML tag of the first response data, a necessary condition for injecting a malicious script is that the malicious script contains the characters used to construct an HTML tag, namely the angle brackets <>. The sixth character data sent to the server therefore contains <>, for example <tst_xss_test>. It should be noted that, as with escaped quotation marks, the angle brackets may also be escaped angle brackets.
213. When sixth response data returned by the server is received, determine whether the sixth response data contains the sixth character data; if so, determine that a vulnerability exists; if not, determine that no vulnerability exists.
In this step, if the sixth response data contains the sixth character data, the server allows a malicious script containing the characters used to construct an HTML tag to be injected, so it can be determined accurately that the server has a vulnerability; otherwise it is determined that no vulnerability exists.
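The following Python program is an added worked example, not code from the patent or from any implementation by its applicant. It models the staged detection of steps 201 to 213 as a scanner would run it: classify performs determinations one to three of step 203 on the page that echoes the inert probe MARKER (generalized slightly, in that it accepts attributes on <body> and optional whitespace around the keywords), scan chooses the follow-up character data for the context found (steps 204 to 213) and returns a verdict, and quote_variants produces the escaped spellings of the quotation-mark probe listed under step 208. fake_server, escape_all and escape_angles are constructed stand-ins that echo a probe into a fixed HTML template through a chosen escaping function, so the example runs offline; the template strings and escaping choices are assumptions for illustration. A real scanner would send HTTP requests and would also send the escaped probe variants, which the example only generates.

```python
import html
import re
from urllib.parse import quote

# Step 201: an inert probe made only of hex digits and an underscore (from the patent)
MARKER = "4004e214326ee9fbc57856821bbf592_0"

# Follow-up character data for each reflection context (steps 204, 206, 208, 210, 212)
UTF7_PAYLOAD = "+/v8ABCDEG"                               # "+/v8" opens a UTF-7 sequence
CODE_PAYLOAD = "'\")}top['aler'+'t'](tst_xss_test);//"    # quotes, brackets, semicolon
QUOTE_PAYLOAD = '"tst_xss_test'
PROTOCOL_PAYLOAD = "javascript:(tst_xss_test)"
TAG_PAYLOAD = "<tst_xss_test>"


def has_charset(doc: str) -> bool:
    """True if the page declares its own character encoding (checked in step 204)."""
    return re.search(r"<meta[^>]+charset\s*=", doc, re.I) is not None


def classify(doc: str, marker: str = MARKER) -> str:
    """Where is `marker` echoed? Implements determinations one to three of step 203."""
    idx = doc.find(marker)
    if idx < 0:
        return "not_reflected"
    before = doc[:idx]
    low = before.lower()
    # One: the marker immediately follows the <body> start tag
    if re.search(r"<body[^>]*>\s*$", low):
        return "body_start"
    # Two: positions where code already executes
    if low.rfind("<script") > low.rfind("</script>"):          # inside <script>...</script>
        return "code"
    if low.endswith("javascript:") or re.search(r"expression\(\s*$", low):
        return "code"
    if re.search(r"\son\w+\s*=\s*[\"']?\s*$", low):              # inside an on* handler
        return "code"
    # Three: inside a tag, i.e. an unclosed '<' precedes the marker
    if before.rfind("<") > before.rfind(">"):
        if re.search(r"=\s*[\"'][^\"'<>]*$", before):          # quoted attribute value
            return "attr_quoted"
        if re.search(r"=\s*$", before):                          # unquoted attribute value
            return "attr_unquoted"
        return "tag"
    return "text"


def quote_variants(payload: str) -> dict:
    """Escaped spellings of the quotation-mark probe (the examples under step 208)."""
    once = quote(payload, safe="")
    return {
        "raw": payload,
        "url": once,
        "url_twice": quote(once, safe=""),
        "html": html.escape(payload, quote=True),
        "html_then_url": quote(html.escape(payload, quote=True), safe=""),
    }


def scan(send, marker: str = MARKER) -> tuple:
    """Staged detection. `send(payload)` returns the page that echoes the payload.
    Returns (vulnerable, reason)."""
    doc = send(marker)
    ctx = classify(doc, marker)
    if ctx == "not_reflected":
        return False, "probe not echoed, so nothing is injected (step 202)"
    if ctx == "body_start":                                      # steps 204/205
        if not has_charset(doc) and UTF7_PAYLOAD in send(UTF7_PAYLOAD):
            return True, "UTF-7 probe echoed at body start with no charset (step 205)"
        ctx = "text"                                             # back to the step 203 checks
    if ctx == "code":                                            # steps 206/207
        return CODE_PAYLOAD in send(CODE_PAYLOAD), "code characters in an executable position (step 207)"
    if ctx == "attr_quoted":                                     # steps 208/209
        # The reply is searched for the literal quote; the raw variant is sent here,
        # a real scanner would also try quote_variants(QUOTE_PAYLOAD).
        if QUOTE_PAYLOAD in send(QUOTE_PAYLOAD):
            return True, "quote echoed inside a quoted attribute (step 209)"
        ctx = "attr_unquoted"
    if ctx == "attr_unquoted":                                   # steps 210/211
        return PROTOCOL_PAYLOAD in send(PROTOCOL_PAYLOAD), "javascript: protocol in an attribute value (step 211)"
    # Steps 212/213: outside any tag, or in a tag but not as an attribute value
    return TAG_PAYLOAD in send(TAG_PAYLOAD), "angle brackets for a new tag (step 213)"


def escape_all(s: str) -> str:
    """Output encoding a hardened page applies: &, <, >, double and single quotes."""
    return html.escape(s, quote=True)


def escape_angles(s: str) -> str:
    """Incomplete escaping: angle brackets only, quotes pass through."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def fake_server(template: str, escaper=lambda s: s):
    """Constructed stand-in for a page that echoes input at {{v}}; not a real server."""
    return lambda payload: template.replace("{{v}}", escaper(payload))


if __name__ == "__main__":
    pages = {
        "body start, no charset": fake_server("<html><body>{{v}}</body></html>"),
        "text, fully escaped":    fake_server("<div>{{v}}</div>", escape_all),
        "quoted href, <> only":   fake_server('<a href="{{v}}">x</a>', escape_angles),
        "script string, raw":     fake_server("<script>var x = '{{v}}';</script>"),
    }
    for name, page in pages.items():
        print(f"{name:24s} -> {scan(page)}")
```

Running the module prints one verdict per constructed page. The quoted-attribute page that escapes only angle brackets is reported vulnerable at step 209 because the quotation mark comes back literally, while the same template behind escape_all fails the quote check and is then tested with the javascript: probe of step 210; the fully escaped text page ends at step 213 with no finding.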
In the embodiments of the present invention, first character data consisting of characters that are optional when code executes is sent to the server. If the first response data received does not include the first character data, it can be determined with certainty that the server does not allow character data to be injected, and so does not allow a malicious script to be injected either; it is therefore determined with certainty that the server has no vulnerability. If the first response data received does include the first character data, then, because the form a malicious script must take depends on the position at which it is injected, vulnerability detection continues on the basis of the position of the first character data in the first response data: different character data are sent according to the specific position where the first character data was injected, so as to detect in a targeted way whether the server has a vulnerability. This avoids missed detections and makes the vulnerability detection more reliable and accurate.
In addition, by determining the position of the first character data in the first response data, the position at which the server allows character data to be injected can be determined, and the malicious script that could be injected at that position can be inferred from the code context of that position. Character data for detecting whether a vulnerability exists can then be sent in a targeted way, and on the basis of each response data received it is determined whether the server allows highly dangerous characters to be injected, and hence whether a vulnerability exists, or vulnerability detection continues on the basis of the determination made for that position. The possibility of a malicious script being injected at each position is considered comprehensively, so that the decision logic of the detection process is rigorous and the detection result is more accurate and reliable.
In addition, the vulnerability detection method of the embodiments of the present invention involves at most on the order of ten character data transmissions to obtain an accurate detection result, whereas the prior art usually needs to send on the order of a hundred character data. The detection process of the embodiments of the present invention is therefore not only more concise and accurate, but also places less load on the server under test for processing character data and does not unduly affect the server's performance. Moreover, if the server filters a few particular characters and the character data the prior art uses to detect the vulnerability covers only those characters, a missed detection results and the server is left at high risk; the detection method of the embodiments of the present invention covers a variety of character data and can therefore carry out vulnerability detection comprehensively, making the detection process more reliable.
It should be noted that the embodiment shown in Fig. 2 above considers comprehensively the possible positions of the first character data in the first response data and thereby obtains an accurate detection result. In fact, using at least one of the above steps of the embodiment can also realize a vulnerability detection process whose result is more accurate and reliable than the prior art, for example the following three detection modes:
First detection mode: in combination with steps 201-204 above, when the scanner receives the second response data returned by the server, it determines whether the second response data includes the second character data; if so, it determines that a vulnerability exists, and if not, it determines that no vulnerability exists. This detection mode can accurately detect whether the server allows the injection of a malicious program containing UTF-7 encoding.
Second detection mode: in combination with steps 201-203 above, if the first character data is at a code-executable position in the first response data, the scanner sends third character data to the server, the third character data including characters that are necessary when code executes; when the third response data returned by the server is received, if the third response data includes the third character data, it is determined that a vulnerability exists, and if the third response data does not include the third character data, it is determined that no vulnerability exists. This detection mode can accurately detect whether the server allows the injection of a malicious program containing the characters that are necessary when code executes.
Third detection mode: in combination with steps 201-203 above, if the first character data is inside any hypertext markup language (HTML) tag in the first response data and inside a pair of quotation marks, the scanner sends fourth character data to the server, the fourth character data including quotation marks; when the fourth response data returned by the server is received, if the fourth response data includes the fourth character data, it is determined that a vulnerability exists, and if the fourth response data does not include the fourth character data, it is determined that no vulnerability exists. This detection mode can accurately detect whether the server allows the injection of a malicious program that relies on on-events (event-handler attributes).
Fig. 3 is a block diagram of a device for detecting vulnerabilities provided by an embodiment of the present invention. Referring to Fig. 3, the device specifically includes:
a sending module 301, configured to send first character data to the server, the first character data including characters that are optional when code executes;
a determining module 302, configured to, when first response data returned by the server is received, determine that no vulnerability exists if the first response data does not include the first character data;
the determining module 302, further configured to determine the position of the first character data in the first response data if the first response data includes the first character data;
a detection module 303, configured to continue vulnerability detection based on the position;
wherein the character data transmitted when continuing vulnerability detection differs for different positions.
The embodiment of the present invention sends first character data to the server, the first character data including characters that are optional when code executes. When the received first response data does not include the first character data, it can be clearly determined that the server does not allow the injection of character data and therefore would not allow the injection of a malicious program, so it is clearly determined that no vulnerability exists in the server. When the received first response data includes the first character data, since the injection position is related to the form of the malicious program, vulnerability detection is continued based on the position of the first character data in the first response data, and different character data can be sent according to the specific position at which the first character data was injected, so as to detect in a targeted way whether the server has a vulnerability, avoid missed detections, and make the vulnerability detection more reliable and accurate.
In one possible implementation, the sending module 301 is configured to, if the first character data is at the initial position of the response body of the first response data and no character encoding is set in the first response data, send second character data to the server, the second character data being character data in UTF-7 (7-bit Unicode Transformation Format) encoding;
the determining module 302 is configured to, when second response data returned by the server is received, determine that a vulnerability exists if the second response data includes the second character data.
In one possible implementation, if the first character data is at a code-executable position in the first response data, or the first character data is at the initial position of the response body of the first response data and a character encoding is set in the first response data and the first character data is at a code-executable position in the first response data, or the second response data does not include the second character data and the first character data is at a code-executable position in the first response data, then:
the sending module 301 is configured to send third character data to the server, the third character data including characters that are necessary when code executes;
the determining module 302 is configured to, when third response data returned by the server is received, determine that a vulnerability exists if the third response data includes the third character data;
the determining module 302 is further configured to determine that no vulnerability exists if the third response data does not include the third character data.
In one possible implementation, the sending module 301 is configured to, if the first character data is inside any HTML tag in the first response data and inside a pair of quotation marks, send fourth character data to the server, the fourth character data including quotation marks;
the determining module 302 is configured to, when fourth response data returned by the server is received, determine that a vulnerability exists if the fourth response data includes the fourth character data.
In one possible implementation, if the first character data is inside any HTML tag in the first response data and not inside a pair of quotation marks, or the fourth response data does not include the fourth character data, then:
the sending module 301 is configured to, if the first character data is an attribute value in the HTML tag, send fifth character data to the server, the fifth character data including agreed characters used when code executes;
the determining module 302 is configured to, when fifth response data returned by the server is received, determine that a vulnerability exists if the fifth response data includes the fifth character data;
the determining module 302 is further configured to determine that no vulnerability exists if the fifth response data does not include the fifth character data.
In one possible implementation, if the first character data is not inside any HTML tag in the first response data, or the first character data is not an attribute value in the HTML tag, then:
the sending module 301 is configured to send sixth character data to the server, the sixth character data including characters for constructing an HTML tag;
the determining module 302 is configured to, when sixth response data returned by the server is received, determine that a vulnerability exists if the sixth response data includes the sixth character data;
the determining module 302 is further configured to determine that no vulnerability exists if the sixth response data does not include the sixth character data.
Any combination of all the optional technical solutions above may be used to form alternative embodiments of the present invention, which are not repeated here one by one.
It should be noted that when the device for detecting vulnerabilities provided by the above embodiment detects a vulnerability, the division into the functional modules above is only an example; in practical application, the functions above may be assigned to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the device for detecting vulnerabilities provided by the above embodiment and the method embodiment for detecting vulnerabilities belong to the same concept; for the specific implementation process refer to the method embodiment, which is not described again here.
Fig. 4 is a block diagram of a device 400 for detecting vulnerabilities provided by an embodiment of the present invention. For example, device 400 may be provided as a scanner. Referring to Fig. 4, device 400 includes a processing component 422, which further includes one or more processors, and memory resources represented by a memory 432 for storing instructions executable by the processing component 422, such as application programs. The application programs stored in memory 432 may include one or more modules, each corresponding to a set of instructions. In addition, the processing component 422 is configured to execute the instructions so as to perform the method of detecting vulnerabilities in the embodiment of Fig. 2 above.
Device 400 may also include a power supply component 426 configured to perform power management of device 400, a wired or wireless network interface 450 configured to connect device 400 to a network, and an input/output (I/O) interface 458. Device 400 may operate based on an operating system stored in memory 432, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, for example a memory including instructions, and the instructions may be executed by a processor in the scanner to complete the method of detecting vulnerabilities in the above embodiment. For example, the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, or the like.
One of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (12)
1. A method of detecting a vulnerability, characterized in that the method comprises:
sending first character data to a server, the first character data comprising characters that are optional when code executes;
when first response data returned by the server is received, if the first response data does not include the first character data, determining that no vulnerability exists;
if the first response data includes the first character data, determining the position of the first character data in the first response data;
continuing vulnerability detection based on the position;
wherein the character data transmitted when continuing vulnerability detection differs for different positions.
2. The method according to claim 1, characterized in that continuing vulnerability detection based on the position comprises:
if the first character data is at the initial position of the response body of the first response data and no character encoding is set in the first response data, sending second character data to the server, the second character data being character data in UTF-7 (7-bit Unicode Transformation Format) encoding;
when second response data returned by the server is received, if the second response data includes the second character data, determining that a vulnerability exists.
3. The method according to claim 2, characterized in that if the first character data is at a code-executable position in the first response data, or the first character data is at the initial position of the response body of the first response data and a character encoding is set in the first response data and the first character data is at a code-executable position in the first response data, or the second response data does not include the second character data and the first character data is at a code-executable position in the first response data, the following steps are executed:
sending third character data to the server, the third character data comprising characters that are necessary when code executes;
when third response data returned by the server is received, if the third response data includes the third character data, determining that a vulnerability exists;
if the third response data does not include the third character data, determining that no vulnerability exists.
4. The method according to claim 1, characterized in that continuing vulnerability detection based on the position comprises:
if the first character data is inside any hypertext markup language (HTML) tag in the first response data and inside a pair of quotation marks, sending fourth character data to the server, the fourth character data comprising the quotation marks;
when fourth response data returned by the server is received, if the fourth response data includes the fourth character data, determining that a vulnerability exists.
5. The method according to claim 4, characterized in that if the first character data is inside any HTML tag in the first response data and not inside a pair of quotation marks, or the fourth response data does not include the fourth character data, the following steps are executed:
if the first character data is an attribute value in the HTML tag, sending fifth character data to the server, the fifth character data comprising agreed characters used when code executes;
when fifth response data returned by the server is received, if the fifth response data includes the fifth character data, determining that a vulnerability exists;
if the fifth response data does not include the fifth character data, determining that no vulnerability exists.
6. The method according to claim 5, characterized in that if the first character data is not inside any HTML tag in the first response data, or the first character data is not an attribute value in the HTML tag, the following steps are executed:
sending sixth character data to the server, the sixth character data comprising characters for constructing an HTML tag;
when sixth response data returned by the server is received, if the sixth response data includes the sixth character data, determining that a vulnerability exists;
if the sixth response data does not include the sixth character data, determining that no vulnerability exists.
7. A device for detecting a vulnerability, characterized in that the device comprises:
a sending module, configured to send first character data to a server, the first character data comprising characters that are optional when code executes;
a determining module, configured to, when first response data returned by the server is received, determine that no vulnerability exists if the first response data does not include the first character data;
the determining module, further configured to determine the position of the first character data in the first response data if the first response data includes the first character data;
a detection module, configured to continue vulnerability detection based on the position;
wherein the character data transmitted when continuing vulnerability detection differs for different positions.
8. The device according to claim 7, characterized in that
the sending module is configured to, if the first character data is at the initial position of the response body of the first response data and no character encoding is set in the first response data, send second character data to the server, the second character data being character data in UTF-7 (7-bit Unicode Transformation Format) encoding;
the determining module is configured to, when second response data returned by the server is received, determine that a vulnerability exists if the second response data includes the second character data.
9. The device according to claim 8, characterized in that if the first character data is at a code-executable position in the first response data, or the first character data is at the initial position of the response body of the first response data and a character encoding is set in the first response data and the first character data is at a code-executable position in the first response data, or the second response data does not include the second character data and the first character data is at a code-executable position in the first response data,
the sending module is configured to send third character data to the server, the third character data comprising characters that are necessary when code executes;
the determining module is configured to, when third response data returned by the server is received, determine that a vulnerability exists if the third response data includes the third character data;
the determining module is further configured to determine that no vulnerability exists if the third response data does not include the third character data.
10. The device according to claim 7, characterized in that
the sending module is configured to, if the first character data is inside any hypertext markup language (HTML) tag in the first response data and inside a pair of quotation marks, send fourth character data to the server, the fourth character data comprising the quotation marks;
the determining module is configured to, when fourth response data returned by the server is received, determine that a vulnerability exists if the fourth response data includes the fourth character data.
11. The device according to claim 10, characterized in that if the first character data is inside any HTML tag in the first response data and not inside a pair of quotation marks, or the fourth response data does not include the fourth character data,
the sending module is configured to, if the first character data is an attribute value in the HTML tag, send fifth character data to the server, the fifth character data comprising agreed characters used when code executes;
the determining module is configured to, when fifth response data returned by the server is received, determine that a vulnerability exists if the fifth response data includes the fifth character data;
the determining module is further configured to determine that no vulnerability exists if the fifth response data does not include the fifth character data.
12. The device according to claim 11, characterized in that if the first character data is not inside any HTML tag in the first response data, or the first character data is not an attribute value in the HTML tag,
the sending module is configured to send sixth character data to the server, the sixth character data comprising characters for constructing an HTML tag;
the determining module is configured to, when sixth response data returned by the server is received, determine that a vulnerability exists if the sixth response data includes the sixth character data;
the determining module is further configured to determine that no vulnerability exists if the sixth response data does not include the sixth character data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710114753.9A CN108512818B (en) | 2017-02-28 | 2017-02-28 | Method and device for detecting vulnerability |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108512818A true CN108512818A (en) | 2018-09-07 |
CN108512818B CN108512818B (en) | 2020-09-04 |
Family
ID=63374277
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710114753.9A Active CN108512818B (en) | 2017-02-28 | 2017-02-28 | Method and device for detecting vulnerability |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108512818B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080184208A1 (en) * | 2007-01-30 | 2008-07-31 | Sreedhar Vugranam C | Method and apparatus for detecting vulnerabilities and bugs in software applications |
CN101894237A (en) * | 2010-08-03 | 2010-11-24 | 南开大学 | A method for automatically generating XSS cross-site scripting vulnerability detection parameters using genetic algorithm |
CN104794396A (en) * | 2014-01-16 | 2015-07-22 | 腾讯科技(深圳)有限公司 | Cross-site script vulnerability detection method and device |
CN104836779A (en) * | 2014-02-12 | 2015-08-12 | 携程计算机技术(上海)有限公司 | XSS vulnerability detection method, system and Web server |
CN105282096A (en) * | 2014-06-18 | 2016-01-27 | 腾讯科技(深圳)有限公司 | XSS vulnerability detection method and device |
CN106022135A (en) * | 2016-02-23 | 2016-10-12 | 北京工业大学 | Automatic detection system capable of dynamically determining XSS vulnerability |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113992623A (en) * | 2021-11-19 | 2022-01-28 | 四川大学 | Webpage mail XSS detection method based on mail content and source code information |
CN113992623B (en) * | 2021-11-19 | 2022-10-21 | 四川大学 | Web page mail cross-site scripting attack detection method based on content and source code |
Also Published As
Publication number | Publication date |
---|---|
CN108512818B (en) | 2020-09-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Gupta et al. | XSS-SAFE: a server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code | |
CN101964025B (en) | XSS detection method and equipment | |
CA2840992C (en) | Syntactical fingerprinting | |
US9521161B2 (en) | Method and apparatus for detecting computer fraud | |
US9553865B2 (en) | Protecting websites from cross-site scripting | |
US20110252475A1 (en) | Complementary Character Encoding for Preventing Input Injection in Web Applications | |
CN106022135A (en) | Automatic detection system capable of dynamically determining XSS vulnerability | |
CN107832622B (en) | Leak detection method, device, computer equipment and storage medium | |
CN103647678A (en) | Method and device for online verification of website vulnerabilities | |
US8332821B2 (en) | Using encoding to detect security bugs | |
US9923916B1 (en) | Adaptive web application vulnerability scanner | |
Hou et al. | A dynamic detection technique for XSS vulnerabilities | |
CN111770079B (en) | Method and device for detecting vulnerability injection of web framework | |
CN117040804A (en) | Network attack detection method, device, equipment, medium and program product for website | |
US11568130B1 (en) | Discovering contextualized placeholder variables in template code | |
CN108512818A (en) | Detect the method and device of loophole | |
Steinhauser et al. | DjangoChecker: Applying extended taint tracking and server side parsing for detection of context‐sensitive XSS flaws | |
CN107222494A (en) | A kind of SQL injection attack defending component and method | |
CN107026854A (en) | Validating vulnerability method and device | |
JP2005092564A (en) | Filtering device | |
CN108200191B (en) | Utilize the client dynamic URL associated script character string detection system of perturbation method | |
CN116361793A (en) | Code detection method, device, electronic equipment and storage medium | |
CN114157452B (en) | Method and system for detecting XXE loopholes based on HTTP connection platform | |
Talib et al. | Assessment of dynamic open-source cross-site scripting filters for web application | |
Dahse | Static detection of complex vulnerabilities in modern PHP applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |