Cross-site scripting vulnerability detection method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a cross-site scripting vulnerability detection method, a cross-site scripting vulnerability detection device, an electronic device and a computer-readable storage medium.
Background art
With the rapid development of the Internet, Internet services are becoming more and more numerous, and ensuring their security is increasingly important. For example, if a web application contains an XSS (Cross Site Scripting) vulnerability, an attacker may inject malicious code into a page through it; when a client user browses that page, the browser automatically parses and executes the malicious code, which can be used to spread trojans, phish, steal user cookies or hijack the user's browsing behaviour. Cross-site scripting vulnerability detection is therefore very important.
In existing cross-site scripting vulnerability detection schemes, vulnerabilities are generally identified by static analysis. This detection mode can perform cross-site scripting vulnerability detection on websites with simple logic and obtain acceptable results. However, as web application technology becomes more complex, this mode produces more and more false positives and false negatives.
Accordingly, there is a need for a new cross-site scripting vulnerability detection method that improves the accuracy of detection and effectively reduces false positives and false negatives.
It should be noted that the information disclosed in the above background section is only intended to reinforce understanding of the background of the invention, and may therefore include information that does not constitute prior art known to a person of ordinary skill in the art.
Summary of the invention
The purpose of the present invention is to provide a cross-site scripting vulnerability detection method, a cross-site scripting vulnerability detection device, an electronic device and a computer-readable storage medium, so as to overcome, at least to a certain extent, the problem of false positives and false negatives in cross-site scripting vulnerability detection caused by the limitations and defects of the related art.
According to a first aspect of the present invention, a cross-site scripting vulnerability detection method is provided, including:
taking the initial address and derived addresses of a target site as addresses to be visited;
loading the address to be visited in a browser simulation environment to obtain a first detection page;
triggering target element nodes in the first detection page by simulating browser behaviour to obtain a second detection page;
obtaining injection points in each first detection page and second detection page; and
detecting whether each injection point has a cross-site scripting vulnerability.
In an exemplary embodiment of the present invention, the target element nodes include element nodes in the first detection page that have interaction attributes.
In an exemplary embodiment of the present invention, loading the address to be visited in a browser simulation environment includes:
loading the address to be visited with a headless browser.
In an exemplary embodiment of the present invention, the second detection page is the page obtained after the first detection page executes a script in the page or loads an AJAX method in the page.
In an exemplary embodiment of the present invention, triggering the target element nodes in the first detection page by simulating browser behaviour includes:
obtaining the target element nodes in the first detection page and adding them to an element node list;
judging whether there is an untriggered element node in the element node list;
if there is an untriggered element node in the element node list, taking one of the untriggered element nodes as the element node to be triggered; and
triggering the element node to be triggered by simulating browser behaviour.
In an exemplary embodiment of the present invention, the method further includes:
judging whether a new target element node appears in the second detection page compared with the first detection page; and
if a new target element node appears in the second detection page compared with the first detection page, adding the new target element node to the element node list.
In an exemplary embodiment of the present invention, loading the address to be visited in a browser simulation environment includes:
adding the initial address and the derived addresses of the target site to an address list;
judging whether there is an unloaded address to be visited in the address list;
if there is an unloaded address to be visited in the address list, taking one of the unloaded addresses to be visited as the address to be loaded; and
loading the address to be loaded in the browser simulation environment.
In an exemplary embodiment of the present invention, adding the initial address and the derived addresses of the target site to the address list includes:
adding the initial address of the target site to the address list; and
obtaining the derived addresses in the first detection page and adding them to the address list.
In an exemplary embodiment of the present invention, adding the initial address and the derived addresses of the target site to the address list includes:
judging whether a page jump occurs in the second detection page relative to the first detection page; and
if a page jump occurs in the second detection page relative to the first detection page, adding the address of the second detection page to the address list.
In an exemplary embodiment of the present invention, the method further includes:
performing similar-address deduplication on the address list.
In an exemplary embodiment of the present invention, detecting whether each injection point has a cross-site scripting vulnerability includes:
obtaining an attack payload;
injecting the attack payload into the injection point to construct a request data packet, and submitting the request data packet to a predetermined server; and
judging whether the injection point has a cross-site scripting vulnerability according to feedback information from the predetermined server.
According to a second aspect of the present invention, a cross-site scripting vulnerability detection device is provided, including:
an address acquisition module, configured to take the initial address and derived addresses of a target site as addresses to be visited;
a page loading module, configured to load the address to be visited in a browser simulation environment to obtain a first detection page;
a behaviour simulation module, configured to trigger target element nodes in the first detection page by simulating browser behaviour to obtain a second detection page;
an injection point acquisition module, configured to obtain injection points in each first detection page and second detection page; and
a vulnerability detection module, configured to detect whether each injection point has a cross-site scripting vulnerability.
In an exemplary embodiment of the present invention, the target element nodes include element nodes in the first detection page that have interaction attributes.
In an exemplary embodiment of the present invention, loading the address to be visited in a browser simulation environment includes:
loading the address to be visited with a headless browser.
In an exemplary embodiment of the present invention, the second detection page is the page obtained after the first detection page executes a script in the page or loads an AJAX method in the page.
In an exemplary embodiment of the present invention, the behaviour simulation module includes:
an element node acquisition unit, configured to obtain the target element nodes in the first detection page and add them to an element node list;
a trigger judging unit, configured to, when there is an untriggered element node in the element node list, take one of the untriggered element nodes as the element node to be triggered; and
a behaviour simulation unit, configured to trigger the element node to be triggered by simulating browser behaviour.
In an exemplary embodiment of the present invention, the element node acquisition unit is further configured to, when a new target element node appears in the second detection page compared with the first detection page, add the new target element node to the element node list.
In an exemplary embodiment of the present invention, the page loading module includes:
an address acquisition unit, configured to add the initial address and the derived addresses of the target site to an address list;
an access judging unit, configured to, when there is an unloaded address to be visited in the address list, take one of the unloaded addresses to be visited as the address to be loaded; and
a page loading unit, configured to load the address to be loaded in the browser simulation environment.
In an exemplary embodiment of the present invention, adding the initial address and the derived addresses of the target site to the address list includes:
adding the initial address of the target site to the address list; and
obtaining the derived addresses in the first detection page and adding them to the address list.
In an exemplary embodiment of the present invention, adding the initial address and the derived addresses of the target site to the address list includes:
judging whether a page jump occurs in the second detection page relative to the first detection page; and
if a page jump occurs in the second detection page relative to the first detection page, adding the address of the second detection page to the address list.
In an exemplary embodiment of the present invention, the page loading module further includes:
a data cleaning unit, configured to perform similar-address deduplication on the address list.
In an exemplary embodiment of the present invention, the vulnerability detection module includes:
an attack payload acquisition unit, configured to obtain an attack payload;
an attack payload injection unit, configured to inject the attack payload into the injection point to construct a request data packet, and to submit the request data packet to a predetermined server; and
a vulnerability judging unit, configured to judge whether the injection point has a cross-site scripting vulnerability according to feedback information from the predetermined server.
According to a third aspect of the present invention, an electronic device is provided, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to perform the method described in any one of the above by executing the executable instructions.
According to a fourth aspect of the present invention, a computer-readable storage medium is provided, on which a computer program is stored, and the computer program, when executed by a processor, implements the method described in any one of the above.
Exemplary embodiments of the present invention may have the following beneficial effects:
In the cross-site scripting vulnerability detection method of the exemplary embodiment, after the addresses to be visited are obtained, each address is loaded in a browser simulation environment to obtain a first detection page, and the target element nodes with interaction attributes in the first detection page are triggered by simulating browser behaviour to obtain a second detection page. By simulating a real browser environment and browser behaviour to trigger the target element nodes in the first detection page, a second detection page in which the element nodes have changed, or in which a page jump has occurred, can be obtained. Compared with the prior art, new injection points can thus be obtained from the second detection page, which improves the breadth and depth of cross-site scripting vulnerability detection, improves its accuracy, effectively reduces false positives and false negatives, and in turn improves the security of the web application.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the present invention.
Brief description of the drawings
The drawings herein are incorporated into and form part of this specification, show embodiments consistent with the present invention, and serve together with the specification to explain the principles of the present invention. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an exemplary system architecture to which a cross-site scripting vulnerability detection method and device according to an embodiment of the present invention can be applied;
Fig. 2 is a schematic structural diagram of a computer system of an electronic device suitable for implementing an embodiment of the present invention;
Fig. 3 schematically shows a flow chart of a cross-site scripting vulnerability detection method according to an embodiment of the present invention;
Fig. 4 schematically shows a flow chart of loading the first detection page according to an embodiment of the present invention;
Fig. 5 schematically shows a flow chart of triggering the second detection page according to an embodiment of the present invention;
Fig. 6 schematically shows an overall flow chart of loading the first detection page and triggering the second detection page according to an embodiment of the present invention;
Fig. 7 schematically shows a flow chart of the injection point detection step according to the present invention;
Fig. 8 schematically shows a flow chart of a cross-site scripting vulnerability detection method according to an embodiment of the present invention;
Fig. 9 schematically shows a block diagram of a cross-site scripting vulnerability detection device according to an embodiment of the present invention;
Fig. 10 schematically shows a block diagram of a behaviour simulation module according to an embodiment of the present invention;
Fig. 11 schematically shows a block diagram of a page loading module according to an embodiment of the present invention;
Fig. 12 schematically shows a block diagram of a vulnerability detection module according to an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments will now be described more fully with reference to the drawings. However, the exemplary embodiments can be implemented in various forms and should not be understood as limited to the examples set forth herein; rather, these embodiments are provided so that the present invention will be thorough and complete and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a full understanding of the embodiments of the present invention. Those skilled in the art will recognise, however, that the technical solution of the present invention may be practised without one or more of the specific details, or with other methods, components, devices, steps and the like. In other cases, well-known solutions are not shown or described in detail so as not to obscure aspects of the present invention.
In addition, the drawings are merely schematic illustrations of the present invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and repeated description of them is omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.
Fig. 1 is a schematic diagram of the system architecture of an exemplary application environment to which a cross-site scripting vulnerability detection method and device according to an embodiment of the present invention can be applied.
As shown in Fig. 1, the system architecture 100 may include one or more of terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 is the medium that provides communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired or wireless communication links or fibre-optic cables. The terminal devices 101, 102, 103 may be various electronic devices with a display screen, including but not limited to desktop computers, portable computers, smartphones and tablet computers. It should be understood that the numbers of terminal devices, networks and servers in Fig. 1 are merely illustrative. Any number of terminal devices, networks and servers may be provided according to implementation needs; for example, the server 105 may be a server cluster composed of multiple servers.
The cross-site scripting vulnerability detection method provided by the embodiment of the present invention is generally executed by the terminal devices 101, 102, 103, and accordingly the cross-site scripting vulnerability detection device is generally arranged in the terminal devices 101, 102, 103. However, those skilled in the art will readily understand that the cross-site scripting vulnerability detection method provided by the embodiment of the present invention may also be executed by the server 105, and accordingly the cross-site scripting vulnerability detection device may also be arranged in the server 105; no particular limitation is placed on this in the present exemplary embodiment.
Fig. 2 is a schematic structural diagram of a computer system of an electronic device suitable for implementing an embodiment of the present invention.
It should be noted that the computer system 200 of the electronic device shown in Fig. 2 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in Fig. 2, the computer system 200 includes a central processing unit (CPU) 201, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 202 or a program loaded from a storage section 208 into a random access memory (RAM) 203. The RAM 203 also stores various programs and data required for the operation of the system. The CPU 201, the ROM 202 and the RAM 203 are connected to each other via a bus 204. An input/output (I/O) interface 205 is also connected to the bus 204.
The following components are connected to the I/O interface 205: an input section 206 including a keyboard, a mouse and the like; an output section 207 including a cathode ray tube (CRT), a liquid crystal display (LCD), a loudspeaker and the like; a storage section 208 including a hard disk and the like; and a communication section 209 including a network interface card such as a LAN card or a modem. The communication section 209 performs communication processing via a network such as the Internet. A drive 210 is also connected to the I/O interface 205 as needed. A removable medium 211, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 210 as needed, so that a computer program read from it can be installed into the storage section 208 as needed.
In particular, according to an embodiment of the present invention, the processes described below with reference to the flow charts may be implemented as computer software programs. For example, an embodiment of the present invention includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 209 and/or installed from the removable medium 211. When the computer program is executed by the central processing unit (CPU) 201, the functions defined in the method and device of the present application are performed.
It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program which can be used by or in connection with an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted by any suitable medium, including but not limited to wireless, wire, optical cable, RF, or any suitable combination of the above.
The flow charts and block diagrams in the drawings illustrate the architecture, functions and operations that may be implemented by the systems, methods and computer program products according to various embodiments of the present invention. In this regard, each box in a flow chart or block diagram may represent a module, a program segment or a part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in a different order from that shown in the drawings. For example, two boxes shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in a block diagram or flow chart, and combinations of boxes in a block diagram or flow chart, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented in software or in hardware, and the described units may also be arranged in a processor. The names of these units do not in some cases constitute a limitation on the units themselves.
As another aspect, the present invention also provides a computer-readable medium, which may be included in the electronic device described in the above embodiments or may exist separately without being assembled into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the method described in the following embodiments. For example, the electronic device may implement the steps shown in Fig. 3 to Fig. 7.
The technical solution of the embodiment of the present invention is described in detail below:
In the related art, cross-site scripting vulnerability detection is generally performed by static analysis. For example, the directory structure of the target site is first obtained, the source code of each page is statically parsed, and the form information in it is extracted; a rule base is then constructed and the rules are used for text matching against the source code in order to find injection points. After the injection points are found, an attack payload library is built and attack payloads are carried in the requests sent to the server; after the server returns data, whether the returned data matches certain rules is analysed to determine whether a cross-site scripting vulnerability exists. However, because the process by which a browser renders a page is extremely complex and the whole page is a dynamic environment, static analysis finds it difficult to simulate a real browser environment, easily misses pages that should be detected, and therefore produces a large number of false positives and false negatives.
Based on the above problems, this exemplary embodiment first provides a cross-site scripting vulnerability detection method. As shown in Fig. 3, the method may include the following steps:
Step S310. Take the initial address and derived addresses of a target site as addresses to be visited.
In this exemplary embodiment, the target site is the website to be detected. For a dynamic website, accessing its initial address loads the starting HTML page; by analysing the content of the HTML page with a suitable algorithm, new URLs can be found, and these new URLs are derived addresses. Likewise, new URLs obtained by subsequently triggering JavaScript scripts or loading AJAX methods also belong to the derived addresses of the target site. For example, www.xxx.com is the initial address of a website, www.xxx.com/index.html is a derived address obtained by directly parsing the page corresponding to www.xxx.com, and www.xxx.com/custom.jsp is a derived address obtained after a JavaScript script in the first page is triggered. The initial address of the target site can be obtained directly, and the derived addresses of the target site can be obtained by means such as a web crawler; no particular limitation is placed on this in the present exemplary embodiment.
Step S320. Load the address to be visited in a browser simulation environment to obtain a first detection page.
For a dynamic page, much of the content is generated only after a user operation, such as opening the browser, clicking a button or performing a specified interaction, triggers the browser to parse JavaScript or load an AJAX method. In this exemplary embodiment, loading the address to be visited in a browser simulation environment means simulating the user opening the address in a browser, and thereby obtaining the first detection page. Since a headless browser can simulate a real browser usage scenario, in this exemplary embodiment the browser simulation environment may be provided by a headless browser. Compared with a real browser, a headless browser runs faster and can run and be tested on a server without a graphical interface; because there is no external interference it is also more stable; and multiple headless browsers can be run on one device at the same time, which facilitates concurrent testing.
Step S330. Trigger the target element nodes with interaction attributes in the first detection page by simulating browser behaviour to obtain a second detection page.
In this exemplary embodiment, browser behaviour can be simulated in the above browser simulation environment. For example, on the basis of the above headless browser, the user can simulate, by means such as scripts, browser behaviours such as opening the browser, clicking a button or performing a specified interaction. If there are target element nodes with interaction attributes in the first detection page, triggering them by simulating the above browser behaviour can cause a script in the first detection page to be executed, or an AJAX (Asynchronous JavaScript and XML) method in the first detection page to be loaded. After the script in the first detection page is executed or the AJAX method in the first detection page is loaded, the element nodes may change or a page jump may occur, and the second detection page is obtained.
Step S340. Obtain the injection points in each first detection page and second detection page.
In this exemplary embodiment, an injection point is a place where code injection can be performed, that is, a place where a vulnerability can usually be exploited. For example, when a user browses a page with a browser, the places where the user and the page interact lie mainly in the page's forms. The inputs of a form are mainly in input tags, and an input tag generally has three attribute parameters: name, value and type. Therefore, the forms in the first detection page and the second detection page, together with the above attribute parameters of the forms, can be found by means such as regular expressions and used as injection point information. Of course, those skilled in the art will readily understand that the injection points may also be other kinds of injection points, and that the way of finding injection points is not limited to regular expressions; no particular limitation is placed on this in the present exemplary embodiment. In addition, in this exemplary embodiment the injection points may be obtained after the first detection page and the second detection page are loaded; alternatively, the initial address and all derived addresses of the target site may first be obtained through the above steps, and the injection points then obtained by reloading the page of each address; no particular limitation is placed on this either in the present exemplary embodiment.
Step S350. Detect whether each injection point has a cross-site scripting vulnerability.
After the injection points are obtained, whether each injection point has a cross-site scripting vulnerability can be detected by means such as a simulated cross-site scripting attack. For example, a request data packet is constructed by injecting a prepared attack payload into the injection point; after the request data packet is constructed, an HTTP GET or POST request is sent to the predetermined server (that is, the server associated with the target site). After the request is sent, the response returned by the predetermined server is received, and analysing this response determines whether the injection point has a cross-site scripting vulnerability. Of course, in other exemplary embodiments of the present invention, whether each injection point has a cross-site scripting vulnerability may also be detected by other means, which also fall within the protection scope of the present invention.
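As an added illustration of steps S310 to S350 (not code from the patent), the following Python collects the injection points of a constructed first detection page and of the second detection page that a simulated click would produce, lists the element nodes with interaction attributes, and runs the response analysis with a benign marker against a constructed stand-in for the predetermined server. The regular expressions, the marker, the stand-in server and the sample pages are all assumptions.

```python
import re
from dataclasses import dataclass
from html import escape

# Constructed first detection page: a search form plus a button whose click
# handler would insert a comment form. Sample input, not a real site.
FIRST_PAGE = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q" value="">
  <input type="submit" value="Go">
</form>
<button id="show" onclick="showComment()">Leave a comment</button>
<div id="box"></div>
</body></html>
"""

# Constructed second detection page: the DOM after the simulated click has run
# showComment() and inserted a second form (an element-node change, no page jump).
SECOND_PAGE = FIRST_PAGE.replace(
    '<div id="box"></div>',
    '<div id="box"><form action="/comment" method="post">'
    '<input type="text" name="author" value="">'
    '<input type="hidden" name="page" value="1">'
    "</form></div>",
)

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Element nodes carrying interaction attributes (the "target element nodes").
INTERACTIVE_RE = re.compile(r"<(\w+)\b[^>]*\s(?:onclick|onchange|onsubmit|href)\s*=", re.I)


@dataclass(frozen=True)
class InjectionPoint:
    action: str
    method: str
    name: str   # the three input attributes the text names: name, value, type
    type: str
    value: str


def attrs(tag_body: str) -> dict:
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_body)}


def extract_injection_points(html: str) -> set:
    """Every named input of every form; submit buttons carry no user data."""
    points = set()
    for form_attrs, body in FORM_RE.findall(html):
        f = attrs(form_attrs)
        for inp in INPUT_RE.findall(body):
            a = attrs(inp)
            kind = a.get("type", "text").lower()
            if "name" not in a or kind == "submit":
                continue
            points.add(InjectionPoint(f.get("action", ""), f.get("method", "get").lower(),
                                      a["name"], kind, a.get("value", "")))
    return points


def new_injection_points(first: str, second: str) -> set:
    """Points that exist only after the simulated browser behaviour (step S330)."""
    return extract_injection_points(second) - extract_injection_points(first)


def interactive_nodes(html: str) -> list:
    """Tag names of the element nodes that have interaction attributes."""
    return [m.group(1).lower() for m in INTERACTIVE_RE.finditer(html)]


# Constructed benign marker: a made-up tag name with no script in it. A server
# that escapes its output turns it into &lt;zxq7probe&gt;, a vulnerable one echoes it raw.
MARKER = "<zxq7probe>"


def reflects_unencoded(response_html: str, marker: str = MARKER) -> bool:
    """Response analysis of step S350: the marker came back as raw markup."""
    return marker in response_html


def fake_server(point: InjectionPoint, value: str) -> str:
    """Constructed stand-in for the predetermined server (no HTTP is sent):
    echoes the search term raw, escapes every other field."""
    if point.name == "q":
        return f"<p>Results for {value}</p>"
    return f"<p>Saved {point.name}: {escape(value)}</p>"


def scan(first: str, second: str, server=fake_server) -> dict:
    """Input name -> True when that injection point reflects the marker unencoded."""
    points = extract_injection_points(first) | extract_injection_points(second)
    return {p.name: reflects_unencoded(server(p, MARKER)) for p in points}


if __name__ == "__main__":
    print("interactive nodes:", interactive_nodes(FIRST_PAGE))
    print("new after trigger:", sorted(p.name for p in new_injection_points(FIRST_PAGE, SECOND_PAGE)))
    print("reflects unencoded:", scan(FIRST_PAGE, SECOND_PAGE))
```

The `author` and `page` points are only visible after the trigger, which is the gain over a static parse of the first page that the text describes.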
In the cross-site scripting vulnerability detection method of the exemplary embodiment of the present invention, by simulating a real browser environment and browser behaviour to trigger the target element nodes in the first detection page, a second detection page whose element nodes have changed, or a second detection page reached by a page jump, can be obtained. Compared with the prior art, new injection points can thus additionally be obtained from the second detection page, which improves the breadth and depth of cross-site scripting vulnerability detection, raises its accuracy, effectively reduces false positives and false negatives of cross-site scripting vulnerabilities, and in turn improves the security of the web application.
In the following, the above steps of this example embodiment are described in more detail with reference to Fig. 4 to Fig. 7.
Referring to Fig. 4, in this example embodiment the above step 310 may include step S410 and step S450, and the above step 320 may include step S420, step S430, step S440 and step S460. Specifically:
In step S410, the initial address of the target site is added to an address list. For example, if the initial address of the target site is http://www.xxx.com, then http://www.xxx.com is added to the address list URL_List.
In step S420, it is judged whether the address list contains an address to be visited that has not yet been loaded. In this example embodiment, an address to be visited that has been loaded may be moved into another list, for example the address list URL_List_Visit, so that it is easy to judge whether the address list still contains an unloaded address to be visited. Of course, other means may assist in judging whether the address list contains an unloaded address to be visited, for example marking the addresses in the address list that have already been loaded; this exemplary embodiment places no particular limitation on this.
In step S430, if it is judged that the address list contains an address to be visited that has not been loaded, one unloaded address to be visited is taken as the address to be loaded. For example, the unloaded addresses to be visited may be selected in sequence as the address to be loaded, or an unloaded address to be visited may be selected at random or according to other rules as the address to be loaded; this exemplary embodiment places no particular limitation on this.
In step S440, the address to be loaded is loaded in a browser simulation environment. As described for the above step S320, in this example embodiment the address to be loaded may be loaded by a headless browser. Specifically, the headless browser may for example be the WebKit-based PhantomJS or Splash, the Gecko-based SlimerJS, the Rhino-based HtmlUnit, the Trident-based TrifleJS, and so on; this exemplary embodiment places no particular limitation on this.
In step S450, the derived addresses in the first detection page are obtained and added to the address list.
For example, after the address to be loaded is loaded in the browser simulation environment, the generated first detection page may contain, in addition to derived addresses that were not added dynamically, derived addresses added dynamically by a web script (such as JavaScript). Taking an HTML page as an example, the href attribute of an <a> element node stores the relative or absolute URL of any valid document; derived addresses are therefore generally stored in the href attribute of <a> element nodes. Accordingly, the derived addresses in the first detection page can be obtained by obtaining the <a> element nodes and their related attribute information. For example, the document.getElementsByTagName method can be used to obtain all <a> element nodes on the first detection page together with the href attribute of each <a> element node.
In step S460, it is judged whether the first detection page contains a target element node.
In this example embodiment, a target element node is an element node on the first detection page that has an interactive attribute. In practice, the attribute of a target element node with an interactive attribute usually starts with "on"; for example, an <a> element node with an onClick attribute (the behaviour of the user clicking a hyperlink), an <img> element node with an onAbort attribute (the behaviour of the user manually stopping an image download), a <form> element node with an onSubmit attribute (the behaviour of pressing the submit button), a <body> element node with an onUnload attribute (the behaviour of leaving the current page), and so on. Therefore, all element nodes in the first detection page can be traversed to judge whether there is a target element node with an attribute starting with "on", and thereby whether the first detection page contains a target node.
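The three kinds of information the method extracts from one loaded page, the form input injection points (name, value, type) described for step S340, the derived addresses in <a href> of step S450 and the target element nodes with attributes starting with "on" of step S460, collected by one pass over the HTML. This is an added example, not code from the patent; the specification leaves the extraction technique open (regular expressions are one option), so the standard-library HTML parser, the PageScanner class and the sample page are assumptions of this example.

```python
"""Added example (not part of the patent): one pass over a page collecting
form input injection points, derived addresses from <a href>, and target
element nodes whose attribute name starts with "on". Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urljoin


class PageScanner(HTMLParser):
    """Walks every element node once and records the three item kinds."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.injection_points = []   # (form action, name, value, type)
        self.derived_addresses = []  # absolute URLs taken from <a href>
        self.target_nodes = []       # (tag, interactive attribute) pairs
        self._form_action = None     # action of the <form> currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)          # HTMLParser lower-cases names for us
        if tag == "form":
            self._form_action = urljoin(self.base_url, attrs.get("action", ""))
        elif tag == "input" and self._form_action is not None and attrs.get("name"):
            # An input without a name never reaches the server, so it is skipped.
            self.injection_points.append((
                self._form_action,
                attrs["name"],
                attrs.get("value", ""),
                attrs.get("type", "text"),
            ))
        elif tag == "a" and attrs.get("href"):
            self.derived_addresses.append(urljoin(self.base_url, attrs["href"]))
        # Step S460: any attribute starting with "on" marks a target element node.
        for name in attrs:
            if name.startswith("on"):
                self.target_nodes.append((tag, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def scan_page(base_url, html):
    """Return (injection_points, derived_addresses, target_nodes) for one page."""
    scanner = PageScanner(base_url)
    scanner.feed(html)
    scanner.close()
    return scanner.injection_points, scanner.derived_addresses, scanner.target_nodes


# Constructed sample page; it is not taken from any real site.
SAMPLE_URL = "http://www.xxx.com/index.php"
SAMPLE_HTML = """
<html><body onunload="bye()">
  <a href="/about.php" onclick="track()">About</a>
  <a href="http://www.xxx.com/index.php?id=2">Next</a>
  <form action="/search.php" method="get" onsubmit="return check()">
    <input type="text" name="q" value="">
    <input type="hidden" name="lang" value="en">
    <input type="submit" value="Go">
  </form>
  <img src="logo.png" onabort="stop()">
</body></html>
"""

if __name__ == "__main__":
    points, links, nodes = scan_page(SAMPLE_URL, SAMPLE_HTML)
    for point in points:
        print("injection point:", point)
    for link in links:
        print("derived address:", link)
    for node in nodes:
        print("target element node:", node)
```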
If it is judged that the first detection page contains a target element node, the method jumps to the following step S510; if it is judged that the first detection page contains no target element node, the method returns to step S420 and iterates in a loop until all addresses to be visited in the address list have been loaded.
Referring to Fig. 5, in this example embodiment the above step 330 may include step S510 to step S580. Specifically:
In step S510, the target element nodes in the first detection page are obtained and added to an element node list. For example, the target element nodes with attributes starting with "on" detected in the above step S460 are obtained and added to the element node list Tag_List.
In step S520, it is judged whether the element node list contains an element node that has not yet been triggered. In this example embodiment, an element node that has been triggered may be moved into another list, for example Tag_List_Visit, so that it is easy to judge whether the element node list still contains an untriggered element node. Of course, other means may assist in judging whether the element node list contains an untriggered element node, for example marking the element nodes in the element node list that have already been triggered; this exemplary embodiment places no particular limitation on this.
In step S530, if it is judged that the element node list contains an element node that has not been triggered, one untriggered element node is taken as the element node to be triggered. For example, the untriggered element nodes may be selected in sequence as the element node to be triggered, or an untriggered element node may be selected at random or according to other rules as the element node to be triggered; this exemplary embodiment places no particular limitation on this. Conversely, if it is judged that the element node list contains no untriggered element node, that is, all target element nodes have been triggered, the method may jump to the above step S420 and load the next address to be visited.
In step S540, the element node to be triggered is triggered by simulating browser behaviour, and a second detection page is obtained. For example, the browser behaviour type of the element node to be triggered is obtained first, and the element node to be triggered is then triggered by simulating that browser behaviour, so that the script (such as JavaScript) triggered in the first detection page is executed or the AJAX method triggered in the first detection page is loaded. For example, for a <form> element node to be triggered that has an onSubmit attribute (the behaviour of pressing the submit button), submission of the form can be triggered by simulating the pressing of the submit button. In this example embodiment, browser behaviour may be simulated by calling the dispatchEvent function, through the Ghost.py module of Python's Beautiful Soup library, or by similar means; this exemplary embodiment places no particular limitation on this.
In addition, the addEventListener function of the headless browser is mainly used to listen for user behaviour. In this example embodiment, the addEventListener function may also be modified in advance, so that after browser behaviour is simulated, the modified addEventListener function can record the object on which the simulated browser behaviour acted and the behaviour type, for later analysis. Similarly, the native XMLHttpRequest object of the headless browser may also be modified in advance, so that when simulated browser behaviour triggers an AJAX method in the first detection page to load and send a request, the type of the request, the link requested and the request parameters can be obtained, for later analysis.
Depending on the script or AJAX method in the first detection page, after the script in the first detection page is executed or the AJAX method in the first detection page is loaded, three kinds of second detection page may be obtained: the second detection page has undergone a page jump relative to the first detection page; the second detection page has not undergone a page jump relative to the first detection page, but its element nodes have changed; the second detection page has neither undergone a page jump relative to the first detection page nor changed in its element nodes. These three cases are described below with reference to step S550 to step S580:
In step S550, it is judged whether the second detection page has undergone a page jump relative to the first detection page. For example, if it is judged that the URL of the second detection page has changed relative to the URL of the first detection page, the second detection page can be considered to have undergone a page jump relative to the first detection page.
In step S560, if it is judged that the second detection page has undergone a page jump relative to the first detection page, the address of the second detection page is added to the address list to await reloading, that is, to await execution of the above step S420 and its subsequent steps. At the same time, since the detection related to the second detection page will be re-executed in the subsequent process (that is, the above step S420 and its subsequent steps), the method returns to step S520 at this point and triggers the next element node to be triggered. Conversely, if it is judged that the second detection page has not undergone a page jump relative to the first detection page, the method proceeds to the following step S570.
In step S570, it is judged whether new target element nodes appear in the second detection page compared with the first detection page. Obtaining the target element nodes may follow the above step S460 and is not repeated here. If it is judged that no new target element node appears in the second detection page compared with the first detection page, the method may jump to step S520 and trigger the next element node to be triggered. Conversely, if it is judged that new target element nodes appear in the second detection page compared with the first detection page, the method proceeds to step S580.
In step S580, the new target element nodes are added to the element node list, and the method jumps to step S520 to trigger the next element node to be triggered.
Fig. 6 shows the flow chart obtained by combining the above step S410 to step S580. In this example embodiment, step S410 to step S580 may be implemented in combination with a web crawler. The web crawler may be based on Python's Beautiful Soup library, lxml library or requests library, or may be the Java-based Arachnid, Ex-Crawler, MetaSeeker and the like; this exemplary embodiment places no particular limitation on this. A traditional web crawler only matches URLs of a general form with regular expressions, and may therefore miss pages that should be detected. By contrast, based on the above step S410 to step S580 of this example embodiment, the target site can be continuously expanded by providing a browser simulation environment and simulating browser behaviour, which in turn improves the breadth and depth of the subsequent injection point detection and of the corresponding cross-site scripting vulnerability detection, effectively reducing false positives and false negatives.
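The combined step S410 to step S580 loop of Fig. 6, run end to end against a constructed stand-in for the headless browser, as an added example that is not code from the patent. A page is modelled as its URL, its derived addresses and its target element nodes, and triggering a node yields one of the three outcomes of step S550 to step S580 (page jump, changed element nodes, no change); URL_List, URL_List_Visit, Tag_List and Tag_List_Visit are the specification's names, while SITE, OUTCOMES and FakeHeadlessBrowser are assumptions of this example. The constructed site has one page and one target node that a link-following crawler would never see, which is the gap the method closes.

```python
"""Added example (not part of the patent): the Fig. 6 crawl loop driven by a
constructed headless-browser stand-in. Only the list names come from the
specification; the site model and trigger outcomes are made up here."""
from collections import deque

ROOT = "http://www.xxx.com/"

# Constructed site: url -> (derived addresses found in <a href>, target element nodes).
SITE = {
    ROOT: ([ROOT + "a.php"], ["a#onclick", "form#onsubmit"]),
    ROOT + "a.php": ([], ["img#onabort"]),
    ROOT + "b.php": ([], []),            # no link points here; reachable only via a jump
}

# Constructed trigger outcomes: (url, node) -> ("jump", url) | ("dom", new nodes).
# Pairs not listed behave as "no change" (third case of step S550 to S580).
OUTCOMES = {
    (ROOT, "a#onclick"): ("jump", ROOT + "b.php"),
    (ROOT, "form#onsubmit"): ("dom", ["div#onmouseover"]),   # node added by script
}


class FakeHeadlessBrowser:
    """Stands in for PhantomJS and friends: load() is step S440, trigger() is S540."""

    def load(self, url):
        derived, nodes = SITE.get(url, ([], []))
        return {"url": url, "derived": list(derived), "nodes": list(nodes)}

    def trigger(self, page, node):
        kind, value = OUTCOMES.get((page["url"], node), ("none", None))
        if kind == "jump":
            return {"url": value, "derived": [], "nodes": []}
        if kind == "dom":
            return {"url": page["url"], "derived": [], "nodes": page["nodes"] + value}
        return {"url": page["url"], "derived": [], "nodes": list(page["nodes"])}


def crawl(start_url, browser):
    """Return (sorted loaded addresses, (url, node) pairs in trigger order)."""
    url_list = deque([start_url])                 # S410
    url_list_visit = set()
    triggered = []
    while url_list:                               # S420: any unloaded address left?
        url = url_list.popleft()                  # S430
        if url in url_list_visit:
            continue
        url_list_visit.add(url)
        page = browser.load(url)                  # S440: first detection page
        for addr in page["derived"]:              # S450
            if addr not in url_list_visit and addr not in url_list:
                url_list.append(addr)
        tag_list = deque(page["nodes"])           # S460 / S510
        tag_list_visit = set()
        while tag_list:                           # S520: any untriggered node left?
            node = tag_list.popleft()             # S530
            if node in tag_list_visit:
                continue
            tag_list_visit.add(node)
            second = browser.trigger(page, node)  # S540: second detection page
            triggered.append((url, node))
            if second["url"] != page["url"]:      # S550 / S560: page jump
                if second["url"] not in url_list_visit and second["url"] not in url_list:
                    url_list.append(second["url"])
                continue
            new_nodes = [n for n in second["nodes"] if n not in page["nodes"]]  # S570
            if new_nodes:                         # S580
                tag_list.extend(new_nodes)
                page["nodes"].extend(new_nodes)
    return sorted(url_list_visit), triggered


if __name__ == "__main__":
    loaded, order = crawl(ROOT, FakeHeadlessBrowser())
    print("loaded:", loaded)
    print("triggered:", order)
```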
In addition, a target site may have many derived addresses whose page structure is identical but whose displayed content differs. To reduce the number of addresses to be visited, improve detection efficiency and reduce computing resource consumption, this example embodiment may further include a step of performing similar-address deduplication on the address list. For example, the derived addresses http://xxx.com/index.php?id=1 and http://xxx.com/index.php?id=2 in the address list have identical page structure and differ only in a numeric parameter in the link; of such derived addresses in the address list, only one need be retained. The digits in the derived addresses can therefore be replaced by the wildcard "\d", so that the two derived addresses above both become http://xxx.com/index.php?id=\d, that is, only one remains, which achieves similar-address deduplication. Of course, in other exemplary embodiments of the present invention, similar-address deduplication may also be performed by other deduplication methods such as path deduplication, file deduplication or request deduplication; this exemplary embodiment places no particular limitation on this.
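The similar-address deduplication just described, as an added example that is not code from the patent: each address is reduced to a pattern in which runs of digits become the wildcard "\d", and only the first address per pattern is kept. It goes slightly beyond the specification's query-parameter case by also wildcarding numeric path segments and ignoring query parameter order; those two generalisations and the sample address list are assumptions of this example.

```python
"""Added example (not part of the patent): similar-address deduplication for
the crawler's address list. Digits in the path and in query values are
replaced by the wildcard \\d and one address is kept per resulting pattern."""
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

DIGITS = re.compile(r"\d+")
WILDCARD = r"\d"   # the literal two characters backslash and d, as in the text


def address_pattern(url):
    """Reduce a URL to the pattern shared by structurally similar addresses:
    scheme, host and path with digit runs replaced by \\d, query parameters
    sorted by name with digit runs in their values replaced, fragment dropped."""
    parts = urlsplit(url)
    path = DIGITS.sub(lambda m: WILDCARD, parts.path)
    params = sorted(
        (name, DIGITS.sub(lambda m: WILDCARD, value))
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    )
    pattern = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))
    if params:
        pattern += "?" + "&".join(f"{name}={value}" for name, value in params)
    return pattern


def deduplicate_addresses(urls):
    """Keep the first address seen for each pattern; also return, per pattern,
    how many addresses it absorbed (useful when tuning the crawl budget)."""
    kept, counts = [], {}
    for url in urls:
        pattern = address_pattern(url)
        if pattern not in counts:
            counts[pattern] = 0
            kept.append(url)
        counts[pattern] += 1
    return kept, counts


# Constructed sample address list; the host is the placeholder used in the text.
SAMPLE_ADDRESSES = [
    "http://xxx.com/index.php?id=1",
    "http://xxx.com/index.php?id=2",
    "http://xxx.com/index.php?id=17&page=3",   # extra parameter: different structure
    "http://xxx.com/news/2019/05/story.php",
    "http://xxx.com/news/2020/11/story.php",
    "http://xxx.com/about.php",
]

if __name__ == "__main__":
    kept, counts = deduplicate_addresses(SAMPLE_ADDRESSES)
    for url in kept:
        print("kept:", url, "  pattern:", address_pattern(url), "  absorbed:", counts[address_pattern(url)])
```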
Referring to Fig. 7, in this example embodiment, detecting whether each injection point has a cross-site scripting vulnerability may include step S710 to step S730. Specifically:
In step S710, an attack payload (Payload) is obtained. Since cross-site scripting attacks take many forms, enough scenarios must be considered when constructing the attack payload, so as to improve the comprehensiveness and accuracy of vulnerability detection. For example:
For a scenario in which code can be injected between HTML tags, the cross-site scripting attack code must be injected between the tags. For example, for "<div>[input]</div>", the cross-site scripting attack code can be injected at the injection point "[input]", and the constructed attack payload can be "<script>alert(/found_xss/)</script>".
For a scenario in which code can be injected within an HTML tag, the cross-site scripting attack code must be injected within the tag. For example, for "<a href='[input]'>test</a>", the cross-site scripting attack code can be injected at the injection point "[input]", and the attack payload is constructed accordingly.
For a scenario in which code can be injected into a web script such as JavaScript, the cross-site scripting attack code must be injected within the web script. For example, for "<script>var test='[input]';</script>", the cross-site scripting attack code can be injected at the injection point "[input]", and the constructed attack payload can be "</script><script>alert(/xss_found/)</script>".
For a scenario in which the injection must bypass filtering rules: sometimes a directly injected attack payload may be filtered and intercepted by the target site, causing the cross-site scripting attack to fail, so these filters must be taken into account during detection. For example, filtering can be bypassed by changing letter case, and the constructed attack payload can be "<SCRipt>alert(/found_xss/)</sCrIPT>"; filtering can also be bypassed using the priority of HTML element nodes, and the constructed attack payload can be "<textarea><A href="</textarea><Img src=a onerror=alert('xss_found')//"; filtering can also be bypassed by means of a wide-byte environment, by a pseudo-protocol, by modifying the suffix, and so on; this exemplary embodiment places no particular limitation on this.
Of course, those skilled in the art may also construct attack payloads of other forms for other scenarios, which likewise fall within the protection scope of the present invention.
In step S720, the attack payload is injected into the injection point to construct a request packet, and the request packet is submitted to the predetermined server. In this example embodiment, a web script such as a JavaScript script may be used to dynamically edit the page in which the injection point is located, setting the above attack payload as the value of the injection point and thereby constructing the request packet; after the request packet is constructed, the request may be sent to the predetermined server using an HTTP GET or POST request.
Step S730. Judge, according to the feedback information from the predetermined server, whether the injection point has a cross-site scripting vulnerability. After the request is sent, the response returned by the predetermined server is received, and analysing this response determines whether the injection point has a cross-site scripting vulnerability. For example, the above attack payload contains the instruction "alert(/found_xss/)"; if, after the response returned by the predetermined server is received, a dialog box pops up and the dialog box contains "found_xss", it can be confirmed that the injection point has a cross-site scripting vulnerability. Of course, in other exemplary embodiments of the present invention, whether each injection point has a cross-site scripting vulnerability may also be detected by other means, which also fall within the protection scope of the present invention.
In addition, the same injection point may need to be tested with multiple attack payloads, so the above step S720 and step S730 can be run in a loop, testing the injection point with each attack payload in turn. After detection, the detection results can be stored in a database for developers to consult; the database may for example be MySQL, Oracle, DB2 and the like; this exemplary embodiment places no particular limitation on this.
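The step S720 and step S730 loop run once per payload against two constructed request handlers that stand in for the predetermined server, as an added example that is not code from the patent. The payload strings are the three "<script>"-based ones given in the specification for step S710; since no headless browser is available here, the step S730 judgement substitutes a check that the payload reaches the response body unencoded inside a script block for the specification's observation of the alert dialog, and the two handlers (one echoing the parameter raw, one applying output encoding) are assumptions of this example that show what the detector reports before and after the fix.

```python
"""Added example (not part of the patent): inject each payload into an
injection point (S720), submit it to a constructed handler standing in for
the predetermined server, and judge the response (S730). The alert dialog
cannot be observed without a browser, so the judgement checks for the marker
inside an unencoded <script> block instead."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Attack payloads quoted in the specification for step S710.
PAYLOADS = [
    "<script>alert(/found_xss/)</script>",            # injection between tags
    "</script><script>alert(/xss_found/)</script>",   # injection inside a script
    "<SCRipt>alert(/found_xss/)</sCrIPT>",             # case-variation filter bypass
]
MARKER = re.compile(r"alert\(/(found_xss|xss_found)/\)")
SCRIPT_BLOCK = re.compile(r"<script[^>]*>.*?</script>", re.I | re.S)


def _query_param(url, name):
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_handler(url):
    """Constructed target: echoes the q parameter straight into the page body."""
    q = _query_param(url, "q")
    return f"<html><body><div>Results for {q}</div></body></html>"


def fixed_handler(url):
    """Same page with output encoding applied. The marker text may still be
    visible, but &lt;script&gt; is data, not markup, so nothing executes."""
    q = _query_param(url, "q")
    return f"<html><body><div>Results for {html.escape(q, quote=True)}</div></body></html>"


def build_request(base_url, param, payload):
    """Step S720: set the payload as the injection point's value (GET form)."""
    return f"{base_url}?{urlencode({param: payload})}"


def response_shows_xss(body, payload):
    """Step S730 stand-in: the payload must appear verbatim (no entity encoding)
    and its alert marker must sit inside a <script> block of the response."""
    if payload not in body:
        return False
    return any(MARKER.search(block) for block in SCRIPT_BLOCK.findall(body))


def check_injection_point(handler, base_url, param):
    """Loop S720/S730 over every payload; return the payloads that were confirmed."""
    confirmed = []
    for payload in PAYLOADS:
        body = handler(build_request(base_url, param, payload))
        if response_shows_xss(body, payload):
            confirmed.append(payload)
    return confirmed


if __name__ == "__main__":
    target = "http://www.xxx.com/search.php"   # placeholder host from the text
    print("before fix:", check_injection_point(vulnerable_handler, target, "q"))
    print("after fix: ", check_injection_point(fixed_handler, target, "q"))
```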
In an exemplary embodiment, the flow of the cross-site scripting vulnerability detection method of the present invention may be as shown in Fig. 8. For example, in step S810, after the initial address of the target site (that is, the site to be detected) is input as an address to be visited into a headless browser (such as PhantomJS), the address to be visited is loaded in the browser simulation environment provided by the headless browser, and a first detection page is obtained. In step S820, the target element nodes with interactive attributes in the first detection page are triggered by simulating browser behaviour, and a second detection page is obtained; for example, simulated browser behaviour triggers the first detection page to execute a script in the page, or triggers the loading of an AJAX method in the first detection page, to obtain the second detection page. In step S830, the derived addresses in the first detection page and the second detection page are obtained and, after similar-address deduplication, added to the address list. If the address list contains addresses to be visited that have not been loaded, the unvisited addresses to be loaded are loaded in turn through step S810, and the subsequent step S820 and step S830 are executed, until all addresses in the address list have been loaded. Meanwhile, the page address of the page currently loaded by the headless browser is placed in a message queue, which may for example be RabbitMQ or the like. In step S840, a page address can be taken out of the message queue, and the injection points in the page corresponding to the taken-out page address are obtained; after the injection points are obtained, vulnerability detection can be performed for each injection point. After detection, the detection results can be stored in a database for developers to consult; the database may for example be MySQL, Oracle, DB2 and the like; this exemplary embodiment places no particular limitation on this.
It can be seen from the above that, in the cross-site scripting vulnerability detection method of the exemplary embodiment of the present invention, the target site can be expanded more comprehensively by simulating a real browser environment and browser behaviour, which in turn improves the breadth and depth of the subsequent injection point detection and of cross-site scripting vulnerability detection, raises the accuracy of cross-site scripting vulnerability detection, effectively reduces false positives and false negatives, and thereby improves the security of the web application.
It should be noted that although the steps of the method of the present invention are described in the accompanying drawings in a particular order, this does not require or imply that the steps must be executed in that particular order, or that all of the steps shown must be executed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be merged into one step for execution, and/or one step may be decomposed into multiple steps for execution, and so on.
Further, this example embodiment additionally provides a cross-site scripting vulnerability detection device. The cross-site scripting vulnerability detection device may be applied to a terminal device. Referring to Fig. 9, the cross-site scripting vulnerability detection device 900 may include an address acquisition module 910, a page loading module 920, a behaviour simulation module 930, an injection point acquisition module 940 and a vulnerability detection module 950. Wherein:
The address acquisition module 910 may be used to take the initial address and the derived addresses of a target site as addresses to be visited.
The page loading module 920 may be used to load the addresses to be visited in a browser simulation environment to obtain a first detection page.
The behaviour simulation module 930 may be used to trigger the target element nodes in the first detection page by simulating browser behaviour to obtain a second detection page.
The injection point acquisition module 940 may be used to obtain the injection points in each first detection page and second detection page.
The vulnerability detection module 950 may be used to detect whether each injection point has a cross-site scripting vulnerability.
In this example embodiment, the target element nodes may include element nodes in the first detection page that have interactive attributes.
In this example embodiment, loading the addresses to be visited in a browser simulation environment may include loading the addresses to be visited by a headless browser.
In this example embodiment, the second detection page may be the page obtained after the first detection page executes a script in the page or loads an AJAX method in the page.
Referring to Fig. 10, in this example embodiment the behaviour simulation module 930 may include an element node acquisition unit 1010, a trigger judging unit 1020 and a behaviour simulation unit 1030. Wherein:
The element node acquisition unit 1010 may be used to obtain the target element nodes in the first detection page and add them to an element node list.
The trigger judging unit 1020 may be used to take, when the element node list contains an element node that has not been triggered, one untriggered element node as the element node to be triggered.
The behaviour simulation unit 1020 may be used to trigger the element node to be triggered by simulating browser behaviour.
In this example embodiment, the element node acquisition unit 1010 may further be used to add the new target element nodes to the element node list when new target nodes appear in the second detection page compared with the first detection page.
Referring to Fig. 11, in this example embodiment the page loading module 920 may include an address acquisition unit 1110, an access judging unit 1120 and a page loading unit 1130. Wherein:
The address acquisition unit 1110 may be used to add the initial address and the derived addresses of the target site to an address list.
The access judging unit 1120 may be used to take, when the address list contains an address to be visited that has not been loaded, one unloaded address to be visited as the address to be loaded.
The page loading unit 1130 may be used to load the address to be loaded in a browser simulation environment.
In this example embodiment, the address acquisition unit 1110 may specifically be used to add the initial address of the target site to the address list, and to obtain the derived addresses in the first detection page and add them to the address list.
In this example embodiment, the address acquisition unit 1110 may further add the address of the second detection page to the address list when it is judged that the second detection page has undergone a page jump relative to the first detection page.
In this example embodiment, the page loading module 920 may further include a data cleaning unit. The data cleaning unit may be used to perform similar-address deduplication on the address list.
Referring to Fig. 12, in this example embodiment the vulnerability detection module 950 may include an attack payload acquisition unit 1210, an attack payload injection unit 1220 and a vulnerability judging unit 1230. Wherein:
The attack payload acquisition unit 1210 may be used to obtain an attack payload.
The attack payload injection unit 1220 may be used to inject the attack payload into the injection point to construct a request packet, and to submit the request packet to the predetermined server.
The vulnerability judging unit 1230 may be used to judge, according to the feedback information from the predetermined server, whether the injection point has a cross-site scripting vulnerability.
The details of each module in the above cross-site scripting vulnerability detection device have been described in detail in the corresponding cross-site scripting vulnerability detection method, and are therefore not repeated here.
It should be noted that although several modules or units of the device for performing actions are mentioned in the above detailed description, this division is not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by multiple modules or units.
Those skilled in the art, after considering the specification and practising the invention disclosed herein, will readily think of other embodiments of the present invention. This application is intended to cover any variations, uses or adaptations of the present invention that follow its general principles and include common knowledge or conventional technical means in the art not disclosed herein. The specification and examples are to be regarded as illustrative only, and the true scope and spirit of the present invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.