CN104765682A - Offline detection method and system for cross-site scripting vulnerability - Google Patents

Info

Publication number: CN104765682A
Authority: CN (China)
Prior art keywords: test, site scripting, test environment, security, safety
Legal status: Granted, active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201510144357.1A
Other languages: Chinese (zh)
Other versions: CN104765682B (en)
Inventor: 姜楠
Current assignee: Weibo Internet Technology China Co Ltd (assignee lists may be inaccurate; Google has not performed a legal analysis)
Original assignee: Weibo Internet Technology China Co Ltd
History: application filed by Weibo Internet Technology China Co Ltd; priority to CN201510144357.1A; publication of CN104765682A; application granted; publication of CN104765682B.
Abstract

Translated from Chinese

The present invention provides an offline detection method and system for cross-site scripting vulnerabilities. The method includes: a control device acquires the IP of a functional test server and the virtualized URL (HOST) of a functional test project; a resource isolation device isolates the resources of the target functional test environment, packages a standardized resource isolation image and deploys it to the security test environment; a forwarding device deployed in the target functional test environment forwards the network traffic matching the functional test project to a scheduling device; the scheduling device encapsulates the forwarded network traffic and distributes the encapsulated test data to a test device; the test device sends security test requests to the security test environment and parses the pages returned by the security test environment to find cross-site scripting vulnerabilities, which it reports to the control device; the control device determines, from the IP of the functional test server and the HOST of the functional test project, the security test project to which each vulnerability belongs. The method improves the coverage and degree of automation of security testing.

Description

Offline detection method and system for cross-site scripting vulnerability

Technical field

The present invention relates to the field of computer security technology, and in particular to a method and system for detecting cross-site scripting (XSS) vulnerabilities.

Background

At present, in the security testing of web application projects, security testers must not only run security tests against the application but also understand its logic thoroughly in order to cover as much of it as possible. Security test coverage is always lower than functional test coverage, so not every program branch can be tested and security vulnerabilities appear in production.

The technical scheme of prior art one is as follows:

Obtain the source code of the target page and extract the script code in it; traverse all script code and, using predefined dirty-data entry points, collect every dirty-data entry point in the script code together with the variables it passes; traverse the script code again to collect the output functions and match their parameters against the dirty-data entry points and the variables they pass. If a match is found, a vulnerability is determined to exist.

The shortcomings of prior art one are:

Web 2.0 sites are now mainstream and a large proportion of pages are generated dynamically by script code, so cross-site scripting may occur anywhere in a page; traversing the source code alone cannot cover all vulnerabilities in such pages.

XSS defenses found on the web are highly varied, so simple matching of output dirty data cannot find every vulnerable page and easily produces false positives and false negatives. XSS: cross-site scripting (commonly abbreviated XSS, also called a cross-site scripting attack) is a security vulnerability of web applications and a form of code injection. It allows a malicious user to inject code into a web page so that other users are affected when they view the page. Such attacks usually involve HTML and client-side scripting languages.

The technical scheme of prior art two is as follows:

All URLs (Uniform Resource Locators) of the pages are collected by a crawler and verification attack tests are run against them.

The shortcomings of prior art two are:

1. The crawler may fetch a large number of useless pages, and the pages cannot be customized; at function points with add, delete and modify operations, running multiple vulnerability verification scripts generates large amounts of garbage data and deletes normal content. This not only consumes a lot of time but also reduces business-logic coverage.

2. The crawling rate cannot be controlled, and many Web 2.0 pages only issue requests after browser rendering or user interaction, so those URLs cannot be obtained by a crawler.

3. In summary, crawler-based test coverage cannot meet the security testing requirements of current technology.

Summary of the invention

The purpose of the present invention is to provide an offline detection method and system for cross-site scripting vulnerabilities, so as to isolate functional testing from security testing and improve the coverage of security testing.

To achieve the above purpose, one aspect of the present invention provides an offline detection method for cross-site scripting vulnerabilities, comprising:

a front-end control device of the automated detection system receives a security test instruction and obtains the IP of the functional test server and the virtualized URL (HOST) of the functional test project;

an automated test environment resource isolation device accepts control instructions from the front-end control device of the automated detection system, isolates the resources of the target functional test environment, packages a standardized resource isolation image, and deploys it into the security test environment;

a network traffic forwarding device receives control instructions from the front-end control device of the automated detection system, is deployed in the target functional test environment, and forwards the network traffic matching the functional test project to a distributed scheduling device;

the distributed scheduling device encapsulates the network traffic forwarded by the network traffic forwarding devices on each target functional test environment and distributes the encapsulated data packets to a cross-site scripting vulnerability security testing device;

the cross-site scripting vulnerability security testing device receives the encapsulated data packets distributed by the distributed scheduling device, restores them to the network traffic matching the functional test project, sends security test requests carrying that traffic to the resource-isolated security test environment, parses the pages returned by the security test environment to find cross-site scripting vulnerabilities, and sends the vulnerabilities found to the front-end control device of the automated detection system;

the front-end control device of the automated detection system determines, from the IP of the functional test server and the HOST of the functional test project, the security test project to which the vulnerability belongs.

To achieve the above purpose, another aspect of the present invention provides an offline detection system for cross-site scripting vulnerabilities, comprising:

a front-end control device of the automated detection system, configured to receive a security test instruction and obtain the IP of the functional test server and the virtualized URL (HOST) of the functional test project;

an automated test environment resource isolation device, configured to receive control instructions from the front-end control device of the automated detection system, isolate the resources of the target functional test environment, package a standardized resource isolation image, and deploy it into the security test environment;

a network traffic forwarding device, configured to receive control instructions from the front-end control device of the automated detection system, be deployed in the target functional test environment, and forward the network traffic matching the functional test project to a distributed scheduling device;

the distributed scheduling device, configured to encapsulate the network traffic forwarded by the network traffic forwarding devices on each target functional test environment and distribute the encapsulated data packets to a cross-site scripting vulnerability security testing device;

the cross-site scripting vulnerability security testing device, configured to receive the encapsulated data packets distributed by the distributed scheduling device, restore them to the network traffic matching the functional test project, send security test requests carrying that traffic to the resource-isolated security test environment, parse the pages returned by the security test environment to find cross-site scripting vulnerabilities, and send the cross-site scripting vulnerabilities found to the front-end control device of the automated detection system;

the front-end control device of the automated detection system, further configured to determine, from the IP of the functional test server and the HOST of the functional test project, the security test project to which the vulnerability belongs.

The beneficial technical effect of the above technical solution is: because the offline detection method for cross-site scripting vulnerabilities is based on resource isolation, offline cross-site scripting security testing is fully automated, dirty data does not affect the target functional test environment, and security testing can proceed in parallel with functional testing, greatly improving the coverage and degree of automation of security testing.

Brief description of the drawings

To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a functional block diagram of an offline detection system for cross-site scripting vulnerabilities based on resource isolation according to an embodiment of the present invention;

Fig. 2 is a flowchart of an offline detection method for cross-site scripting vulnerabilities based on resource isolation according to an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.

The embodiments of the present invention capture the test access requests of functional testers and transfer the coverage of functional testing directly to security testing, greatly improving security test coverage. Through resource isolation of the test environment, functional testing is isolated from security testing: dirty data from security testing does not affect the functional test environment, and the computing and human resources consumed by security testing are further reduced. Security testing runs at the same time as functional testing, which speeds up security testing. The technical terms used in the embodiments are explained as follows:

HOST: a virtualized URL used in software testing, implemented by writing an IP address and a domain name into the server's /etc/hosts. Accessing that domain name through the server resolves to the IP bound to it in the /etc/hosts file.

Resource isolation: a lightweight virtualization solution based on process containers using LXC (Linux Containers). Applications and the runtime environment they depend on are packaged into a standard container image, which can then be published and run on different platforms.

Embodiment one

Fig. 1 is a functional block diagram of an offline detection system for cross-site scripting vulnerabilities based on resource isolation according to an embodiment of the present invention. As shown in Fig. 1, the system includes: a front-end control device 110 of the automated detection system, an automated test environment resource isolation device 120, a network traffic forwarding device 130, a distributed scheduling device 140, and a cross-site scripting vulnerability security testing device 150.

The front-end control device 110 of the automated detection system receives security test instructions and obtains the IP of the functional test server and the HOST (virtualized URL) of the functional test project. In a specific implementation, the front-end control device 110 receives the security tester's instruction, in which the IP of the functional test server, the HOST of the functional test project and, optionally, a security test project number are entered. Device 110 then sends specific control instructions that direct the other devices to complete their designated actions. It also receives the vulnerability data sent by the cross-site scripting vulnerability security testing device 150 and, relying on the uniqueness of the (IP, HOST) pair, assigns the vulnerability information to the security test project it belongs to, so the whole process is automated. The security test project number serves to identify the specific content of the security test project.

The automated test environment resource isolation device 120 accepts control instructions from the front-end control device 110, isolates the resources of the target functional test environment, packages a standardized resource isolation image, and deploys it into the security test environment. Under the control of the front-end control device 110, the target functional test environment is resource-isolated and packaged in standardized form, then sent to the security test server for installation. This achieves resource isolation of the test environment, so that security testing does not pollute the data of functional testing.

The network traffic forwarding device 130 receives control instructions from the front-end control device 110, is deployed in the target functional test environment (that is, on the functional test server), and forwards the network traffic matching the functional test project to the distributed scheduling device 140.

The distributed scheduling device 140 encapsulates the network traffic forwarded by the network traffic forwarding devices 130 on each target functional test environment and distributes the encapsulated test data to the cross-site scripting vulnerability security testing device 150 (that is, it distributes test requests). Re-encapsulation here means packaging the traffic into the data module that the cross-site scripting vulnerability security testing device 150 processes. Specifically, encapsulation means packaging the HTTP requests of the functional test, according to fixed rules, into the data packets required by the interface of the cross-site scripting vulnerability security testing device. The cross-site scripting vulnerability security testing device 150 can restore such a packet to an HTTP request and send it, as a security test request, to the resource-isolated security test environment.

The cross-site scripting vulnerability security testing device 150 receives the encapsulated data packets distributed by the distributed scheduling device 140, restores them to the network traffic matching the functional test project, sends security test requests carrying that traffic to the resource-isolated security test environment, parses the pages returned by the security test environment to find cross-site scripting vulnerabilities, and sends the cross-site scripting vulnerabilities found to the front-end control device 110; that is, it sends the detailed vulnerability information to the front-end control device 110.

The front-end control device 110 is further configured to determine, from the IP of the functional test server and the HOST of the functional test project, the security test project to which the vulnerability belongs. Specifically, because HOST is unique under a single test environment IP, the front-end control device 110 maps the vulnerability directly to a security test project number and displays it on the front-end page for manual review.

Further, the automated test environment resource isolation device 120 can specifically perform container-virtualized resource isolation of the target functional test environment. In a specific implementation, device 120 isolates the target functional test environment as a virtualized resource, packages it and sends it to the security test server for container-virtualized deployment, producing a complete copy of the target functional test environment on the security test server. The target functional test environment may be a test environment built on a Linux system.

Further, the cross-site scripting vulnerability security testing device 150 can specifically perform DOM (Document Object Model) tree detection on the page source returned by the security test environment: if a newly added target DOM node from the security test is found, a cross-site scripting vulnerability is judged to exist; otherwise, no cross-site scripting vulnerability exists. The advantage of this detection method is that it is fast and accurate; the page source parsing module of the cross-site scripting vulnerability security testing device 150 has built-in DOM tree detection and can output the DOM tree detection result as soon as parsing completes.

Further, the cross-site scripting vulnerability security testing device 150 is also configured to splice security test data into the restored network traffic matching the functional test project and to carry the spliced data in the security test requests sent to the resource-isolated security test environment. In this embodiment, cross-site scripting vulnerabilities are detected by splicing the security test data used for testing (known in the industry as a payload) into the various parts of the HTTP packet (URL, Referer, Cookie, etc.) and then looking in the returned page for the corresponding expected test content to decide whether a cross-site scripting vulnerability exists.

The beneficial technical effects of the above technical solution are:

Because the offline detection system for cross-site scripting vulnerabilities is based on resource isolation, offline cross-site scripting security testing is fully automated, dirty data does not affect the target functional test environment, and security testing can proceed in parallel with functional testing, greatly improving the coverage and degree of automation of security testing.

实施例二Embodiment two

本发明的实施例提供了一种基于资源隔离的跨站脚本漏洞的线下检测方法,从而自动化地完成线下安全测试。Embodiments of the present invention provide an offline detection method for cross-site scripting vulnerabilities based on resource isolation, thereby automatically completing offline security testing.

图2为本发明的实施例的基于资源隔离的跨站脚本漏洞的线下检测方法的流程图。结合参阅图1和图2,该方法包括如下处理步骤:FIG. 2 is a flowchart of an offline detection method for cross-site scripting vulnerabilities based on resource isolation according to an embodiment of the present invention. Referring to Fig. 1 and Fig. 2 in combination, the method includes the following processing steps:

步骤210:自动化检测系统前端控制装置接收安全测试指令,获取功能测试服务器的IP和功能测试项目HOST(虚拟化网址);Step 210: the front-end control device of the automatic detection system receives the safety test instruction, and obtains the IP of the functional test server and the functional test item HOST (virtualized website);

具体地,在本步骤中,功能测试人员会将程序的功能测试的项目编号、测试环境的HOST和服务器IP输入到自动化检测系统前端控制装置中。Specifically, in this step, the function tester will input the item number of the function test of the program, the HOST of the test environment and the server IP into the front-end control device of the automatic detection system.

步骤220:自动化测试环境资源隔离装置接受自动化检测系统前端控制装置的控制指令,将目标功能测试环境进行资源隔离,打包标准化的资源隔离镜像,部署到安全测试环境中;Step 220: The automated test environment resource isolation device receives the control instruction from the front-end control device of the automated detection system, isolates the resources of the target function test environment, packs a standardized resource isolation image, and deploys it in the security test environment;

步骤230:网络流量转发装置接收自动化检测系统前端控制装置的控制指令,部署在目标功能测试环境中,将符合功能测试项目的网络流量转发到分布式调度装置;该目标功能测试环境包括基于Linux系统搭建的测试环境。Step 230: The network traffic forwarding device receives the control instruction from the front-end control device of the automatic detection system, deploys it in the target function test environment, and forwards the network traffic conforming to the function test items to the distributed scheduling device; the target function test environment includes Linux-based system The built test environment.

步骤240:分布式调度装置将各个目标功能测试环境上的网络流量转发装置转发的网络流量进行数据封装,并将封装后的数据包分发到跨站脚本漏洞安全测试装置;Step 240: the distributed scheduling device encapsulates the network traffic forwarded by the network traffic forwarding device on each target function testing environment, and distributes the encapsulated data packets to the cross-site scripting vulnerability security testing device;

步骤250:跨站脚本漏洞安全测试装置接收分布式调度装置分发过来的封装后的数据包,将该封装后的数据包还原成上述符合功能测试项目的网络流量,发送携带该符合功能测试项目的网络流量的安全测试请求至已被资源隔离的安全测试环境,然后将安全测试环境返回的页面进行解析后,找出跨站脚本安全漏洞,并将发现的安全漏洞发送到自动化检测系统前端控制装置;Step 250: The cross-site scripting vulnerability security testing device receives the encapsulated data packet distributed by the distributed scheduling device, restores the encapsulated data packet to the above-mentioned network traffic that meets the functional test item, and sends the traffic that carries the functional test item. The security test request of the network traffic is sent to the security test environment that has been isolated by resources, and then the page returned by the security test environment is analyzed to find out the cross-site scripting security vulnerability, and the security vulnerability found is sent to the front-end control device of the automatic detection system ;

步骤260:自动化检测系统前端控制装置根据功能测试服务器的IP和功能测试项目HOST,确定安全漏洞所归属的安全测试项目。系统还将安全测试结果发送到安全测试的前端页面。安全测试人员对自动化安全测试的结果进行再次检查,确认无误,将安全测试结果进行存档并进行修复。Step 260: The front-end control device of the automated detection system determines the security test item to which the security vulnerability belongs according to the IP of the functional test server and the functional test item HOST. The system also sends the security test results to the front-end page of the security test. Security testers re-check the results of automated security tests to confirm that they are correct, archive the results of the security tests and make repairs.

较佳地,在步骤220中,自动化测试环境资源隔离装置将目标功能测试环境进行资源隔离的处理包括:自动化测试环境资源隔离装置将目标功能测试环境进行容器虚拟化的资源隔离。也即在本步骤中使用资源隔离技术,将功能测试的环境进行容器虚拟化的资源隔离,并将打包的资源隔离镜像安装到安全测试环境。Preferably, in step 220, the resource isolation of the target function test environment by the automated test environment resource isolation device includes: the resource isolation of the target function test environment by the container virtualization resource isolation by the automated test environment resource isolation device. That is, in this step, the resource isolation technology is used to isolate the resource of the functional test environment by container virtualization, and the packaged resource isolation image is installed in the security test environment.

较佳地,步骤250的具体处理过程可包括:对安全测试环境返回的网页源码数据进行DOM树检测,如果发现新增了安全测试的靶点DOM树,则判定存在跨站脚本安全漏洞,否则,不存在跨站脚本安全漏洞。这种检测方式的优点在于检测速度快,准确度高。Preferably, the specific process of step 250 may include: performing DOM tree detection on the web page source code data returned by the security test environment, and if it is found that the target DOM tree of the security test has been newly added, then it is determined that there is a cross-site scripting security vulnerability, otherwise , there is no cross-site scripting security vulnerability. The advantage of this detection method is that the detection speed is fast and the accuracy is high.

Further, the method also includes the following step: the cross-site scripting vulnerability security test device performs security test data splicing on the restored network traffic matching the functional test project, and carries the spliced data in the security test request sent to the security test environment.
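The splicing, DOM-tree check and project attribution of steps 250 and 260 as one added worked example (not the patent's own code). It assumes a constructed project table keyed by (server IP, HOST), two constructed page renderers standing in for the isolated security test environment, and an inert `<xsstest>` marker element as the test target DOM node.

```python
import html
import uuid
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed fixture: (functional test server IP, project HOST) -> security test project.
PROJECTS = {("10.0.0.5", "shop.test.local"): "shop-frontend"}


def splice_probe(query, marker):
    """Step 250 splicing: append an inert marker element to every restored parameter."""
    probe = f'<xsstest id="{marker}"></xsstest>'
    params = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, v + probe) for k, v in params])


class MarkerFinder(HTMLParser):
    """DOM-tree detection: collect ids of <xsstest> elements the browser would create."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag == "xsstest":
            self.found.add(dict(attrs).get("id"))


def page_has_new_node(page_html, marker):
    """True only if the marker survived as a real DOM node, not as escaped text."""
    finder = MarkerFinder()
    finder.feed(page_html)
    return marker in finder.found


def render_vulnerable(query):
    # Constructed stand-in for the test environment: reflects input unescaped.
    params = dict(parse_qsl(query, keep_blank_values=True))
    return f"<html><body><p>Results for {params.get('q', '')}</p></body></html>"


def render_hardened(query):
    # Same page with output encoding applied; the marker cannot become a node.
    params = dict(parse_qsl(query, keep_blank_values=True))
    return f"<html><body><p>Results for {html.escape(params.get('q', ''))}</p></body></html>"


def scan(query, server_ip, host, render):
    """Run one probe and attribute the result to a project (step 260)."""
    marker = "xss-" + uuid.uuid4().hex[:8]
    vulnerable = page_has_new_node(render(splice_probe(query, marker)), marker)
    return {"project": PROJECTS.get((server_ip, host), "unknown"), "vulnerable": vulnerable}
```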

The beneficial technical effects of the above technical solution are:

Because the offline cross-site scripting vulnerability detection method is based on resource isolation, offline cross-site scripting security testing is fully automated, and dirty data does not affect the target functional test environment, so security testing can proceed in parallel with functional testing, greatly improving the coverage and degree of automation of security testing.

From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software together with a necessary general-purpose hardware platform, and of course may also be implemented by hardware, or by a combination of the two. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product; the software module or computer software product may be stored in a storage medium and include a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the various embodiments of the present invention. The storage medium may be random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

The above embodiments serve only to illustrate the technical solutions of the embodiments of the present invention and do not limit them; although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

Priority Applications (1)

Application Number: CN201510144357.1A; Priority Date: 2015-03-30; Filing Date: 2015-03-30; Title: Detection method and system under the line of cross site scripting leak (CN104765682B, en); Status: Active

Publications (2)

CN104765682A (en): published 2015-07-08
CN104765682B (en): published 2017-08-25


Legal Events

C06, PB01: Publication
EXSB: Decision made by SIPO to initiate substantive examination
SE01: Entry into force of request for substantive examination
GR01: Patent grant
