
CN108512818B - Method and device for detecting vulnerability - Google Patents


Info

Publication number: CN108512818B
Authority: CN (China)
Prior art keywords: character data, data, character, response data, response
Legal status: Active
Application number: CN201710114753.9A
Other languages: Chinese (zh)
Other versions: CN108512818A
Inventors: 王放, 胡珀, 郑兴, 郭晶, 张强, 范宇河, 唐文韬, 杨勇
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201710114753.9A; publication of CN108512818A; application granted; publication of CN108512818B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for detecting a vulnerability and belongs to the technical field of networks. The method comprises the following steps: sending first character data to a server, where the first character data consists of characters that are optional when code is executed; when first response data returned by the server is received, if the first response data does not include the first character data, determining that no vulnerability exists; if the first response data includes the first character data, determining the position of the first character data in the first response data; and continuing vulnerability detection based on that position, where the character data sent when vulnerability detection continues differs for different positions. With this method, when the received first response data does not include the first character data, the server is determined to have no vulnerability; when the received first response data includes the first character data, detection continues in a targeted way based on the position of the first character data in the first response data, so missed reports are avoided and vulnerability detection is more reliable and accurate.

Description

Method and device for detecting vulnerability
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method and an apparatus for detecting vulnerabilities.
Background
With the development of network technology, networks are continuously enriching the lives of users. However, vulnerabilities exist in networks, such as the well-known XSS (Cross Site Scripting) vulnerability. An XSS vulnerability allows a malicious user to inject a malicious program into a website provided by a server, which can cause network security problems such as theft of the private data of users who access the server, illegal transfers of money, or forcing a user to send an email; vulnerability detection technologies therefore receive much attention in the industry.
When detecting an XSS vulnerability, a large amount of test character data is generally prepared in advance, each item different, for example "ABCDE…" or "script". The scanner sends the items of character data to the server one after another; after sending one item, it receives the response data the server returns for that item. If the response data includes the character data sent, the server is judged likely to allow injection of a malicious program and is determined to have an XSS vulnerability; otherwise it is determined not to have one.
In the process of implementing the invention, the inventor finds that the prior art has at least the following problems:
the vulnerability detection process decides only according to whether the sent character data is included in the response data, and this logic is too simple; because vulnerabilities arise in many forms, a large amount of character data is sent blindly and is unlikely to hit the vulnerability of the server under test, so the vulnerability of the server is missed and accuracy and reliability are poor.
Disclosure of Invention
In order to solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for detecting a vulnerability. The technical scheme is as follows:
in one aspect, a method for detecting a vulnerability is provided, and the method includes:
sending first character data to a server, where the first character data consists of characters that are optional when code is executed;
when first response data returned by the server is received, if the first response data does not include the first character data, determining that no vulnerability exists;
if the first response data includes the first character data, determining the position of the first character data in the first response data;
continuing vulnerability detection based on the position;
where the character data sent when vulnerability detection continues differs for different positions.
In another aspect, an apparatus for detecting a vulnerability is provided, the apparatus comprising:
a sending module, configured to send first character data to a server, where the first character data consists of characters that are optional when code is executed;
a determining module, configured to determine that no vulnerability exists when first response data returned by the server is received and the first response data does not include the first character data;
a determining module, configured to determine the position of the first character data in the first response data if the first response data includes the first character data;
a detection module, configured to continue vulnerability detection based on the position;
where the character data sent when vulnerability detection continues differs for different positions.
According to the embodiment of the invention, first character data consisting of characters that are optional when code is executed is sent to the server. When the received first response data does not include the first character data, it can be determined with certainty that the server does not inject the character data and therefore also does not allow a malicious program to be injected, so the server is determined with certainty to have no vulnerability. When the received first response data includes the first character data, the injected position is related to the form a malicious program would take, so vulnerability detection continues based on the position of the first character data in the first response data: different character data can be sent according to the specific position at which the first character data was injected, whether the server has a vulnerability is detected in a targeted way, missed reports are avoided, and vulnerability detection is more reliable and accurate.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment for detecting a vulnerability according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for detecting a vulnerability according to an embodiment of the present invention;
Fig. 3 is a block diagram of an apparatus for detecting a vulnerability according to an embodiment of the present invention;
Fig. 4 is a block diagram of an apparatus 400 for detecting a vulnerability according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an implementation environment for detecting vulnerabilities according to an embodiment of the present invention. Referring to Fig. 1, the implementation environment includes a scanner 101 and a server 102. The scanner 101 is configured to detect whether the server 102 has an XSS vulnerability and may include an input/output module and a logic module. The input/output module sends the character data produced by the logic module to the server 102 and passes the response data received from the server to the logic module; the logic module determines the character data to send according to the configured judgment logic and determines whether the response data includes the current character data. The server 102 provides services to users, such as, without limitation, a search service, a social service or a game service, and may also provide a user message service, a comment service, a log posting service, and so on. Because the services provided by the server 102 allow users to enter character data themselves, XSS vulnerabilities may exist.
Fig. 2 is a flowchart of a method for detecting a vulnerability according to an embodiment of the present invention. The method is applied to a scanner and specifically includes:
201. First character data is sent to a server, the first character data consisting of characters that are optional when code is executed.
The server is the server to be checked for an XSS vulnerability (hereinafter simply "vulnerability"). Code generally refers to a source file written in html, javascript or another language; characters that are optional when the code executes are characters that do not affect whether the code can run, such as digits, letters or underscores, and they are meaningful only if the code artificially defines them. The embodiment of the present invention does not specifically limit which characters, or how many, the first character data contains. For example, the first character data may be character data that rarely appears on the server's website, such as 4004e214326ee9fbc57856821bbf592_0.
It should be noted that the transmission form of the first character data is not limited in the embodiment of the present invention. For example, the first character data may be carried in a POST request.
202. When first response data returned by the server is received, determine whether the first response data includes the first character data; if not, determine that no vulnerability exists, and if so, execute step 203.
In the embodiment of the invention, when the server receives the POST request sent by the scanner, it can generate an html page (including a header and a body), that is, the first response data, based on the first character data in the POST request, and return it to the scanner. Taking a server that provides a user message service as an example, the server may use the first character data as the user message, generate the first response data containing the first character data, and return the first response data to the scanner.
When determining whether the first response data includes the first character data, the scanner may search the first response data for the first character data. If it is found, the first response data is determined to include the first character data; the server may then have a vulnerability, and step 203 is executed to continue detection. If it is not found, the first response data is determined not to include the first character data.
The reason why the first response data does not include the first character data is considered to be one of the following:
Reason 1: the server has filtered the first character data.
Reason 2: the server does not inject any received character data into the corresponding response data.
Since the first character data is not a necessary condition for forming executable code, the server should not filter it as a malicious program; the reason the first response data does not include the first character data is therefore reason 2. Consequently, even if the server receives character data carrying a malicious program, it does not inject that character data into the corresponding response data, so it can be determined that the server has no vulnerability.
203. If the first character data is included in the first response data, the position of the first character data in the first response data is determined.
In this step, the character data the scanner sends when vulnerability detection continues differs for different positions. For example, the position range "inside an html tag" may include the position range "code-executable position", which in turn may include the position range "start position of the response body of the first response data". To detect vulnerabilities more efficiently, determination steps one to three below may be adopted, performing vulnerability detection starting from the smaller position range:
Step one: determine whether the first character data is at the start position of the response body of the first response data; if so, execute step 204, and if not, execute step two.
In step one, it may be determined, according to the configured first keyword <body>, whether the six characters immediately before the first character data are the first keyword; if so, the first character data is at the start position of the response body of the first response data. Here <body> is the identifier of the body of the html page, that is, of the response body of the first response data.
Step two: determine whether the first character data is at a code-executable position in the first response data; if so, execute step 206, and if not, execute step three.
In step two, any of the following four determinations may be made:
according to a configured pair of second keywords <script> and </script>, determine whether the first character data lies between the pair of second keywords; or
according to at least one configured third keyword, determine whether the first character data lies in any event in the html, where the third keyword consists of the name of an event whose name starts with on (hereinafter an on event), an equals sign and a quotation mark, in the form onevent=" (the on event being, for example, onerror, onload or onabort); or
according to the configured fourth keyword javascript:, determine whether the eleven characters immediately before the first character data are javascript:; or
according to the configured fifth keyword expression(), determine whether the first character data lies inside expression(), an expression that can be used to execute javascript code.
The keywords in the four determinations of step two all support direct code execution, so if any of the four determinations is yes, the first character data is determined to be at a code-executable position in the first response data and step 206 is executed; if all four determinations are no, step three is executed.
Step three: determine whether the first character data is inside any hypertext markup language (html) tag in the first response data; if so, execute step 208, and if not, execute step 212.
In step three, it may be determined, according to the configured pair of sixth keywords < and >, whether the first character data lies between the pair of sixth keywords; if so, the first character data is inside an html tag of the first response data, and if not, step 212 may be executed.
204. If the first character data is at the start position of the response body of the first response data and no character encoding is set in the first response data, send second character data to the server, where the second character data is character data encoded in the 7-bit transformation format utf-7.
This step is performed for the following reason: in practice, the keywords a server uses to filter malicious programs are generally encoded in utf-8 (8-bit Unicode Transformation Format), and because the same character takes different forms under different encodings, a malicious program that the sending end encodes in utf-7 (7-bit Unicode Transformation Format) is hard for the server to filter successfully with its configured keywords, so a utf-7-encoded malicious program may be injected into the html page. When the head of the html page sets no character encoding, a user's browser that accesses the html page injected with the malicious program decodes it with the character encoding adopted at the start position of the page body, and the malicious program is therefore executed.
To avoid this situation and perform vulnerability detection accurately, if the first character data is at the start position of the response body of the first response data, it may be determined whether a character encoding is set in the first response data; if it is not set, second character data such as +/v8ABCDEG is sent to the server, where +/v8 serves as the utf-7 declaration, so as to detect whether the server allows utf-7-encoded character data to be injected.
In this step, if a character encoding is set in the first response data, step 203 may be executed again to perform position determination: if the first character data is at a code-executable position in the first response data, step 206 may be executed; otherwise, it may be determined whether the first character data is inside any hypertext markup language html tag in the first response data, and if so step 208 is executed, and if not step 212 is executed, to continue vulnerability detection.
205. When second response data returned by the server is received, determine whether the second response data includes the second character data; if so, determine that a vulnerability exists, and if not, execute step 203.
In this step, the scanner may determine whether the second response data includes the second character data that was sent. If so, the server is determined to be likely to allow injection of a utf-7-encoded malicious program. If not, step 203 is executed to perform position determination: if the first character data is at a code-executable position in the first response data, step 206 may be executed; otherwise, it may be determined whether the first character data is inside any html tag in the first response data, and if so step 208 is executed, and if not step 212 is executed, to continue vulnerability detection.
206. Send third character data to the server if (a) the first character data is at a code-executable position in the first response data; or (b) the first character data is at the start position of the response body of the first response data, a character encoding is set in the first response data, and the first character data is at a code-executable position in the first response data; or (c) the second response data does not include the second character data and the first character data is at a code-executable position in the first response data. The third character data consists of characters that are necessary when code is executed.
In this step, the scanner sends the third character data to the server if any one of the three execution conditions of this step holds. The characters necessary when code is executed are characters that must exist in an executable code segment; the embodiment of the present invention does not specifically limit them. Examples are the quotation marks (single and double) that wrap html values, the brackets (curly braces and parentheses) required in javascript functions, the semicolon of javascript statements, the backslash of html end tags, or the function name of the commonly used alert() function. The third character data may therefore be '")}top['aler'+'t'](tst_xss_test);//, where top['aler'+'t'] means that the characters of alert may be spelled by combining pieces in any order. Because the original code of the html page is also likely to use the above characters, (tst_xss_test) is used as an index so that the third character data can be found easily in the third response data.
207. When third response data returned by the server is received, determine whether the third response data includes the third character data; if so, determine that a vulnerability exists, and if not, determine that no vulnerability exists.
In this step, if the third response data includes the third character data, the server allows the characters necessary for code execution to be injected, so a malicious user could inject a malicious program written with those characters into the html page, and it can be accurately determined that the server has a vulnerability. If the third response data does not include the third character data, the server does not allow the characters necessary for code execution to be injected, and therefore does not allow a malicious program to be injected, so it is determined that no vulnerability exists.
208. If the first character data is inside any hypertext markup language (html) tag in the first response data and inside a quotation mark, send fourth character data to the server, where the fourth character data includes a quotation mark.
In this step, quotation marks in code are generally used inside html tags, typically in the form onevent="function" or attribute="javascript:...; therefore, to detect whether the server allows code of this form to be injected, it is possible to detect directly whether the server allows quotation marks to be injected. During detection, if the first character data is inside any hypertext markup language html tag in the first response data, the scanner may further determine whether the first character data is inside a quotation mark; if so, it sends fourth character data to the server, and if not, it may execute step 210. The fourth character data includes a quotation mark, such as a single or double quotation mark, and may specifically be "tst_xss_test.
It should be noted that the server may un-escape the character data, and the un-escaping manner is not limited to html un-escaping or url (Uniform Resource Locator) un-escaping. To cover the case in which the server, on receiving escaped quotation marks, un-escapes them and injects the restored quotation marks, the quotation mark included in the fourth character data may also be an escaped quotation mark, so as to detect whether the server allows quotation marks to be injected. The embodiment of the invention does not limit the escaping manner or the number of times. For example, "tst_xss_test becomes %22tst_xss_test after one url escape and %2522tst_xss_test after two url escapes; it becomes &quot;tst_xss_test after one html escape, and %26quot%3Btst_xss_test after one html escape followed by one url escape.
209. When fourth response data returned by the server is received, determine whether the fourth response data includes the fourth character data; if so, determine that a vulnerability exists, and if not, execute step 210.
In this step, if the fourth response data includes the fourth character data, the server allows a quotation mark to be injected inside a pair of quotation marks in an html tag. Whether or not the quotation mark was escaped when the fourth character data was sent, determining whether the fourth response data includes the fourth character data involves searching for whether the fourth response data includes the escaped quotation mark.
If a piece of character data is code of the form "onevent="function", the code injected into the html tag is also of the form "onevent="function": the first quotation mark successfully closes the quotation mark already open in the html tag, so the on event can be executed. The server therefore allows a malicious program including an on event to be injected, and it is accurately determined that the server has a vulnerability.
210. If the first character data is inside any html tag in the first response data and not inside a quotation mark, or the fourth response data does not include the fourth character data, determine whether the first character data is an attribute value in the html tag; if so, send fifth character data to the server, where the fifth character data includes a protocol character used when code is executed, and if not, execute step 212.
In this step, since an html tag may be of the form <tagtype attribute1="value1" attribute2="value2">, if the two characters immediately before the first character data are an equals sign and a quotation mark, the first character data is determined to be an attribute value of the html tag. The tag type may be, without limitation, an img, object, embed, a, video, form, iframe, button, math or link tag, and the attribute may be, without limitation, src, post, href, data, action or format.
It should be noted that the protocol characters used when code is executed are characters used in the html and javascript protocol specifications, generally javascript: or the event name of an on event such as onafterprint, onbeforeprint or onerror. Possible forms of the fifth character data for the two execution conditions of this step are explained below:
If the first character data is inside any html tag in the first response data and not inside a quotation mark, a malicious program can be injected in the form onevent="function" or "javascript:"; therefore the protocol character included in the fifth character data is the name of an on event or "javascript:", and the fifth character data may specifically be "javascript:"(tst_xss_test).
If the fourth response data does not include the fourth character data, the server does not allow quotation marks to be injected; but because the first character data was injected inside quotation marks, a malicious program can be injected in the form javascript:..., so the fifth character data may specifically be javascript:(tst_xss_test).
211. When fifth response data returned by the server is received, determine whether the fifth response data includes the fifth character data; if so, determine that a vulnerability exists, and if not, determine that no vulnerability exists.
In this step, if the fifth response data includes the fifth character data, the server allows a malicious program containing the protocol characters used when code is executed to be injected, so it can be accurately determined that the server has a vulnerability; otherwise, it is determined that the server has no vulnerability.
212. If the first character data is not inside any html tag in the first response data, or the first character data is not an attribute value in the html tag, send sixth character data to the server, where the sixth character data includes the characters used to construct an html tag.
In this step, when the first character data is not inside an html tag, injecting a malicious program requires the malicious program to include the characters used to construct an html tag, namely the angle brackets < and >; the sixth character data sent to the server therefore includes < and >, for example <tst_xss_test>. For the same reason as with escaped quotation marks, the angle brackets may also be escaped.
213. When sixth response data returned by the server is received, determine whether the sixth response data includes the sixth character data; if so, determine that a vulnerability exists, and if not, determine that no vulnerability exists.
In this step, if the sixth response data includes the sixth character data, the server allows a malicious program containing the characters used to construct an html tag to be injected, so it can be accurately determined that the server has a vulnerability; otherwise, it is determined that no vulnerability exists.
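The decision tree of steps 202 to 212, written out as an added example (this is not the patent's or Tencent's code): given a constructed response and the first character data, it performs the position determinations of step 203 and the quotation-mark and attribute-value checks of steps 208 and 210, reports which class of probe the flow of Fig. 2 would send next, and builds the escaped quotation-mark variants listed under step 208. Function names and probe labels are this example's own, header keys are assumed lower-cased, the request/response transport is omitted, and it generalizes the page's attribute-value check slightly by also accepting an unquoted attribute.

```python
"""Position classifier for the Fig. 2 flow (added example, not the patent's code)."""
import html
import re
from dataclasses import dataclass
from urllib.parse import quote

# The page's own example of first character data: optional characters only.
MARKER = "4004e214326ee9fbc57856821bbf592_0"

# Third keyword of step two: on-event name, equals sign, quotation mark, e.g. onerror="
ON_EVENT_RE = re.compile(r'on[a-z]+\s*=\s*["\']$', re.IGNORECASE)


@dataclass
class Position:
    found: bool
    at_body_start: bool = False  # step one: the six characters before the marker are <body>
    executable: bool = False     # step two: <script>, on event, javascript:, expression(
    in_tag: bool = False         # step three: between < and >
    in_quote: bool = False       # step 208: inside a quotation mark still open in the tag
    attr_value: bool = False     # step 210: preceded by = and (optionally) a quotation mark


def _open_quote(tag_text):
    """Return the quotation mark left open in tag_text, or None (handles nested ' and ")."""
    q = None
    for ch in tag_text:
        if q is None and ch in "\"'":
            q = ch
        elif ch == q:
            q = None
    return q


def locate(body, marker):
    """Steps 203, 208 and 210: where does the marker sit in the response body?"""
    idx = body.find(marker)
    if idx < 0:
        return Position(found=False)
    before, after = body[:idx], body[idx + len(marker):]
    lb, la = before.lower(), after.lower()
    p = Position(found=True)
    p.at_body_start = lb.endswith("<body>")
    in_script = lb.rfind("<script") > lb.rfind("</script") and "</script" in la
    p.executable = (in_script or ON_EVENT_RE.search(before) is not None
                    or lb.endswith("javascript:") or lb.endswith("expression("))
    p.in_tag = lb.rfind("<") > lb.rfind(">")
    if p.in_tag:
        tag_text = before[lb.rfind("<"):]
        p.in_quote = _open_quote(tag_text) is not None
        # Assumption beyond the page: an unquoted attribute (src=MARKER) also counts.
        p.attr_value = re.search(r'=\s*["\']?$', tag_text) is not None
    return p


def charset_declared(headers, body):
    """Step 204: is a character encoding set, in the Content-Type header or a <meta charset>?"""
    if "charset=" in headers.get("content-type", "").lower():
        return True
    return re.search(r"<meta[^>]+charset", body, re.IGNORECASE) is not None


def quote_probe_variants(marker):
    """Step 208: the fourth character data and the escaped forms the page lists."""
    raw = '"' + marker
    return {
        "raw": raw,
        "url_once": quote(raw, safe=""),                    # %22tst_xss_test
        "url_twice": quote(quote(raw, safe=""), safe=""),   # %2522tst_xss_test
        "html_once": html.escape(raw),                      # &quot;tst_xss_test
        "html_then_url": quote(html.escape(raw), safe=""),  # %26quot%3Btst_xss_test
    }


def next_probe(headers, body, marker):
    """Steps 202 to 212 as one decision: which probe class follows the first response?"""
    p = locate(body, marker)
    if not p.found:
        return "no_vuln"        # step 202: the server does not reflect the input at all
    if p.at_body_start and not charset_declared(headers, body):
        return "utf7"           # step 204: second character data (+/v8...)
    if p.executable:
        return "exec_chars"     # step 206: third character data
    if p.in_tag:
        if p.in_quote:
            return "quote"      # step 208: fourth character data
        if p.attr_value:
            return "protocol"   # step 210: fifth character data
    return "tag_chars"          # step 212: sixth character data (< and >)


if __name__ == "__main__":
    # Constructed sample responses of a guestbook page reflecting the marker in several spots.
    samples = {
        "body start, no charset": ({}, "<html><body>" + MARKER + "</body></html>"),
        "quoted attribute": ({}, '<body><img src="' + MARKER + '">'),
        "event handler": ({}, '<body><img onerror="' + MARKER + '">'),
        "plain text": ({}, "<body><p>Comment: " + MARKER + "</p></body>"),
    }
    for name, (hdrs, resp) in samples.items():
        print(f"{name:24s} -> {next_probe(hdrs, resp, MARKER)}")
```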
According to this embodiment, first character data containing characters that are optional for code execution is sent to the server. When the received first response data does not include the first character data, it can be determined with certainty that the server does not reflect injected character data and therefore cannot be made to reflect a malicious program, so the server has no vulnerability. When the first response data does include the first character data, the form a malicious program would need to take depends on where the data was injected, so vulnerability detection continues based on the position of the first character data in the first response data: different character data is sent for each position, whether the server has a vulnerability is detected in a targeted manner, missed reports are avoided, and detection is more reliable and accurate.
In addition, determining the position of the first character data in the first response data identifies where the server allows character data to be injected. The malicious program that could be injected at that position can be deduced from the code environment there, so the character data used to test for a vulnerability is sent in a targeted manner. Each response received then shows whether the server allows the high-risk characters for that position, from which the presence of a vulnerability is determined, or detection continues at that position from the result so far. Because the possibility of injecting a malicious program at every position is considered, the judgment logic of the detection process is strict and the detection result is more accurate and reliable.
In addition, the vulnerability detection method of this embodiment sends character data at most on the order of ten times and still obtains an accurate result, whereas the prior art needs to send character data on the order of hundreds of payloads. The detection process of this embodiment is therefore simpler and more accurate, the load of processing the character data on the server under test is lower, and server performance is not affected much. Moreover, if the server filters a few specific characters and the prior-art character data for detecting the vulnerability covers only those characters, the result is a missed report and a high potential security risk for the server; the detection method of this embodiment covers the various kinds of character data, so vulnerability detection is comprehensive and the detection process is more reliable.
It should be noted that the embodiment shown in fig. 2 considers every possible position of the first character data in the first response data and obtains an accurate detection result. In fact, vulnerability detection can be carried out using at least one of the steps of this embodiment and still be more accurate and reliable than the prior art, for example the following three detection manners:
In the first detection manner, combining step 201 with step 204, when the scanner receives the second response data returned by the server it determines whether the second response data includes the second character data; if so, a vulnerability exists, and if not, no vulnerability exists. This manner accurately detects whether the server is vulnerable to injection of a malicious program containing utf-7 encoded data.
In the second detection manner, combining steps 201 and 203, if the first character data is at a code-executable position in the first response data, the scanner sends third character data to the server, the third character data including the characters necessary for code execution; when third response data returned by the server is received, a vulnerability exists if the third response data includes the third character data, and no vulnerability exists otherwise. This manner accurately detects whether the server is vulnerable to injection of a malicious program containing the characters necessary for code execution.
In the third detection manner, combining steps 201 and 203, if the first character data is within an html tag in the first response data and within a quotation mark, the scanner sends fourth character data, which includes the quotation mark, to the server; when fourth response data returned by the server is received, a vulnerability exists if the fourth response data includes the fourth character data, and no vulnerability exists otherwise. This manner accurately detects whether the server is vulnerable to injection of a malicious program into an on-event handler attribute.
Fig. 3 is a block diagram of an apparatus for detecting a vulnerability according to an embodiment of the present invention. Referring to fig. 3, the apparatus specifically includes:
a sending module 301, configured to send first character data to a server, where the first character data includes selectable characters when a code is executed;
a determining module 302, configured to, when first response data returned by the server is received, determine that a vulnerability does not exist if the first response data does not include the first character data;
a determining module 302, configured to determine a position of the first character data in the first response data if the first character data is included in the first response data;
a detection module 303, configured to continue vulnerability detection based on the location;
wherein, the character data sent when the vulnerability detection is continuously carried out at different positions are different.
In a possible implementation manner, the sending module 301 is configured to send second character data to the server if the first character data is at the start position of the response body of the first response data and no character encoding is set in the first response data, where the second character data is character data encoded in the 7-bit transformation format utf-7;
the determining module 302 is configured to determine that, when second response data returned by the server is received, if the second response data includes second character data, it is determined that a vulnerability exists.
In one possible implementation, if the first character data is not at the start position of the response body of the first response data and is at a code-executable position in the first response data, or the first character data is at the start position of the response body and a character encoding is set in the first response data and the first character data is at a code-executable position, or the second character data is not included in the second response data and the first character data is at a code-executable position in the first response data,
a sending module 301, configured to send third character data to the server, where the third character data includes necessary characters when the code is executed;
a determining module 302, configured to determine that a bug exists if third response data includes third character data when third response data returned by the server is received;
a determining module 302, configured to determine that a bug does not exist if the third character data is not included in the third response data.
In a possible implementation manner, the sending module 301 is configured to send fourth character data to the server if the first character data is in any html tag of the hypertext markup language in the first response data and is in a quotation mark, where the fourth character data includes the quotation mark;
the determining module 302 is configured to, when fourth response data returned by the server is received, determine that a bug exists if the fourth response data includes fourth character data.
In one possible implementation, if the first character data is within any html tag in the first response data and not within an quotation mark, or the fourth character data is not included in the fourth response data,
a sending module 301, configured to send fifth character data to the server if the first character data is any attribute value in the html tag, where the fifth character data includes a protocol character when the code is executed;
a determining module 302, configured to, when fifth response data returned by the server is received, determine that a vulnerability exists if the fifth response data includes fifth character data;
a determining module 302, configured to determine that a bug does not exist if the fifth character data is not included in the fifth response data.
In one possible implementation, if the first character data is not within any html tag in the first response data, or the first character data is not any attribute value in the html tag,
a sending module 301, configured to send sixth character data to the server, where the sixth character data includes characters used for constructing an html tag;
a determining module 302, configured to, when sixth response data returned by the server is received, determine that a bug exists if the sixth response data includes sixth character data;
a determining module 302, configured to determine that a bug does not exist if the sixth response data does not include the sixth character data.
All the above-mentioned optional technical solutions can be combined arbitrarily to form the optional embodiments of the present invention, and are not described herein again.
It should be noted that: in the apparatus for detecting a vulnerability, when detecting a vulnerability, the division of each functional module is merely used for illustration, and in practical applications, the function distribution may be completed by different functional modules as needed, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus for detecting a vulnerability and the method for detecting a vulnerability provided by the embodiments belong to the same concept, and specific implementation processes thereof are described in detail in the method embodiments and are not described herein again.
Fig. 4 is a block diagram of an apparatus 400 for detecting a vulnerability according to an embodiment of the present invention. For example, the apparatus 400 may be provided as a scanner. Referring to fig. 4, apparatus 400 includes a processing component 422 that further includes one or more processors and memory resources, represented by memory 432, for storing instructions, such as applications, that are executable by processing component 422. The application programs stored in memory 432 may include one or more modules that each correspond to a set of instructions. Further, the processing component 422 is configured to execute instructions to perform the method for detecting vulnerabilities in the embodiment of fig. 2 described above.
The apparatus 400 may also include a power component 426 configured to perform power management of the apparatus 400, a wired or wireless network interface 450 configured to connect the apparatus 400 to a network, and an input/output (I/O) interface 458. The apparatus 400 may operate based on an operating system stored in the memory 432, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
In an exemplary embodiment, a non-transitory computer-readable storage medium, such as a memory, including instructions executable by a processor in a scanner to perform the method of detecting vulnerabilities of the above embodiments is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (12)

1. A method for detecting vulnerabilities, the method comprising:
sending first character data to a server, wherein the first character data comprises optional characters when the code executes;
when first response data returned by the server is received, if the first response data does not include the first character data, determining that no vulnerability exists;
if the first character data is included in the first response data, determining the position of the first character data in the first response data;
continuing vulnerability detection based on the location; the character data sent when vulnerability detection is continuously carried out at different positions are different;
continuing vulnerability detection based on the location, including: if the first character data is at the start position of the response body of the first response data and no character encoding is set in the first response data, sending second character data to the server, wherein the second character data is character data encoded in the 7-bit transformation format utf-7; and when second response data returned by the server is received, if the second response data comprises the second character data, determining that a vulnerability exists.
2. The method according to claim 1, wherein if the first character data is not at a start position of a response body of the first response data and the first character data is at a code executable position in the first response data, or the first character data is at a start position in a response body of the first response data and a character code is set in the first response data and the first character data is at a code executable position in the first response data, or the second character data is not included in the second response data and the first character data is at a code executable position in the first response data, the following steps are performed:
transmitting third character data to the server, the third character data including characters necessary for code execution;
when third response data returned by the server is received, if the third response data comprises the third character data, determining that a bug exists;
and if the third response data does not comprise the third character data, determining that no vulnerability exists.
3. The method of claim 1, wherein continuing vulnerability detection based on the location comprises:
if the first character data is in any hypertext markup language html tag in the first response data and is in a quotation mark, sending fourth character data to the server, wherein the fourth character data comprises the quotation mark;
and when fourth response data returned by the server is received, if the fourth response data comprises the fourth character data, determining that a vulnerability exists.
4. The method of claim 3, wherein if the first character data is in any html tag in the first response data and not in a quotation mark, or the fourth character data is not included in the fourth response data, performing the following steps:
if the first character data is any attribute value in the html tag, sending fifth character data to the server, wherein the fifth character data comprises a protocol character when a code is executed;
when fifth response data returned by the server is received, if the fifth response data comprises the fifth character data, determining that a vulnerability exists;
and if the fifth response data does not comprise the fifth character data, determining that no vulnerability exists.
5. The method according to claim 4, wherein if the first character data is not in any html tag in the first response data, or the first character data is not any attribute value in the html tag, performing the following steps:
sending sixth character data to the server, wherein the sixth character data comprises characters used for constructing an html tag;
when sixth response data returned by the server is received, if the sixth response data comprises the sixth character data, determining that a bug exists;
and if the sixth response data does not comprise the sixth character data, determining that no vulnerability exists.
6. An apparatus for detecting vulnerabilities, the apparatus comprising:
the sending module is used for sending first character data to a server, and the first character data comprises optional characters when the code is executed;
the determining module is used for determining that no vulnerability exists when first response data returned by the server is received and the first response data does not include the first character data;
a determining module, configured to determine a position of the first character data in the first response data if the first character data is included in the first response data;
the detection module is used for continuously carrying out vulnerability detection based on the position; the character data sent when vulnerability detection is continuously carried out at different positions are different;
the sending module is configured to send second character data to the server if the first character data is at the start position of the response body of the first response data and no character encoding is set in the first response data, where the second character data is character data encoded in the 7-bit transformation format utf-7;
the determining module is configured to determine that a bug exists if the second response data includes the second character data when the second response data returned by the server is received.
7. The apparatus according to claim 6, wherein if the first character data is not at a start position of the response body of the first response data and the first character data is at a code executable position in the first response data, or the first character data is at a start position in the response body of the first response data and a character code is set in the first response data and the first character data is at a code executable position in the first response data, or the second character data is not included in the second response data and the first character data is at a code executable position in the first response data,
the sending module is used for sending third character data to the server, and the third character data comprises necessary characters during code execution;
the determining module is configured to determine that a bug exists if third response data includes the third character data when the third response data returned by the server is received;
the determining module is configured to determine that a bug does not exist if the third character data is not included in the third response data.
8. The apparatus of claim 6,
the sending module is configured to send fourth character data to the server if the first character data is in any html tag of the hypertext markup language in the first response data and is in a quotation mark, where the fourth character data includes the quotation mark;
and the determining module is used for determining that a bug exists if the fourth response data comprises the fourth character data when the fourth response data returned by the server is received.
9. The apparatus of claim 8, wherein if the first character data is within any html tag in the first response data and not within a quotation mark, or the fourth character data is not included in the fourth response data,
the sending module is configured to send fifth character data to the server if the first character data is any attribute value in the html tag, where the fifth character data includes a protocol character when a code is executed;
the determining module is configured to determine that a bug exists if fifth response data includes the fifth character data when the fifth response data returned by the server is received;
the determining module is configured to determine that a bug does not exist if the fifth response data does not include the fifth character data.
10. The apparatus of claim 9, wherein if the first character data is not within any html tag in the first response data, or the first character data is not any attribute value in the html tag,
the sending module is used for sending sixth character data to the server, wherein the sixth character data comprises characters used for constructing an html tag;
the determining module is configured to determine that a bug exists if sixth response data includes the sixth character data when the sixth response data returned by the server is received;
the determining module is configured to determine that a bug does not exist if the sixth response data does not include the sixth character data.
11. An apparatus for detecting vulnerabilities, the apparatus comprising one or more processors and a memory storing one or more instructions, the one or more instructions being executed by the one or more processors to implement the operations performed by the method of detecting vulnerabilities of any of claims 1 to 5.
12. A computer-readable storage medium comprising instructions for execution by a processor to perform operations performed by the method of detecting vulnerabilities of any of claims 1 to 5.
CN201710114753.9A 2017-02-28 2017-02-28 Method and device for detecting vulnerability Active CN108512818B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710114753.9A CN108512818B (en) 2017-02-28 2017-02-28 Method and device for detecting vulnerability

Publications (2)

Publication Number Publication Date
CN108512818A CN108512818A (en) 2018-09-07
CN108512818B true CN108512818B (en) 2020-09-04

Family

ID=63374277

Country Status (1)

Country Link
CN (1) CN108512818B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992623B (en) * 2021-11-19 2022-10-21 四川大学 Web page mail cross-site scripting attack detection method based on content and source code

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894237A (en) * 2010-08-03 2010-11-24 南开大学 Method for automatically generating cross site script (XSS) vulnerability detection parameter by using genetic algorithm
CN104794396A (en) * 2014-01-16 2015-07-22 腾讯科技(深圳)有限公司 Cross-site script vulnerability detection method and device
CN104836779A (en) * 2014-02-12 2015-08-12 携程计算机技术(上海)有限公司 XSS vulnerability detection method, system and Web server
CN105282096A (en) * 2014-06-18 2016-01-27 腾讯科技(深圳)有限公司 XSS vulnerability detection method and device
CN106022135A (en) * 2016-02-23 2016-10-12 北京工业大学 Automatic detection system capable of dynamically determining XSS vulnerability

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080184208A1 (en) * 2007-01-30 2008-07-31 Sreedhar Vugranam C Method and apparatus for detecting vulnerabilities and bugs in software applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant