Background
With the development of Internet technology, the business scenarios covered by mobile-terminal H5 (HTML5) applications have become increasingly diverse. To better support these businesses, the server-side device of an H5 application can deliver a fully developed offline H5 application to the mobile terminal device in advance; after the user triggers a particular business scenario, the container component on the mobile terminal device loads the complete H5 application. The advantage of this execution mode is that the offline H5 application can be downloaded beforehand, which reduces network overhead at load time and improves the loading speed of the container.
However, this execution mode also brings some security problems. At present, to detect whether an application has an XSS (Cross Site Scripting) vulnerability, a security scanner must simulate the application client initiating requests to the server-side device. The container of the mobile terminal device has customized configuration and support for offline H5 applications, so when a security scanner simulates such requests it is difficult for it to reproduce the environment of the mobile terminal container, and it therefore cannot perceive whether such H5 applications have XSS vulnerabilities.
Therefore, the current scheme for detecting XSS vulnerabilities in such mobile-terminal H5 applications uses an automated UI testing tool to control a prototype device: test code is implanted in advance into the target application on the prototype device, and the automated UI testing tool monitors the system messages of the mobile terminal device to judge the result of the XSS vulnerability test. This approach has the following problems:
1. Because of its battery and similar factors, the prototype device may shut down automatically when the temperature is too low, making the prototype device unavailable and interrupting the testing process.
2. The prototype device may push system updates automatically while running, and these updates interrupt the testing process of the automated UI testing tool.
3. The link through which the automated UI testing tool controls the prototype device is too long, so the number of controlled links in the chain increases, the probability that a problem occurs somewhere in the whole control chain rises, and the failure rate of the overall testing process is higher and its stability poor.
4. Implanting test code into the target application on the mobile terminal device is highly intrusive to the application; because the implanted code may conflict with part of the logic of the target application, the stability and compatibility of the test also decline.
Summary of the Application
The purpose of the application is to provide a kind of cross-site scripting vulnerability detection that solves the problem of poor stability in the existing detection scheme.
An embodiment of the present application provides a cross-site scripting vulnerability detection method, which comprises:
creating a simulator of a mobile terminal device, and installing the target application to be tested on the simulator;
executing a script, so that the script controls the target application in the simulator to execute test cases, causing the target application to exchange data with the server-side device;
obtaining the data exchanged between the target application and the server-side device, and detecting a cross-site scripting vulnerability according to the data exchanged between the target application and the server-side device.
An embodiment of the present application also provides a cross-site scripting vulnerability detection device, which comprises:
a simulation module, for creating the simulator of a mobile terminal device and installing the target application to be tested on the simulator;
a script control module, for executing a script so that the script controls the target application in the simulator to execute test cases, causing the target application to exchange data with the server-side device;
a detection module, for obtaining the data exchanged between the target application and the server-side device, and detecting a cross-site scripting vulnerability according to the data exchanged between the target application and the server-side device.
In addition, some embodiments of the present application further provide a computing device, which includes a memory for storing computer program instructions and a processor for executing the computer program instructions, wherein when the computer program instructions are executed by the processor, the device is triggered to execute the cross-site scripting vulnerability detection method.
Other embodiments of the application further provide a computer-readable medium on which computer program instructions are stored; the computer-readable instructions can be executed by a processor to implement the cross-site scripting vulnerability detection method.
In the scheme provided by the embodiments of the present application, a simulator of a mobile terminal device is first created and the target application to be tested is installed on it; a script is then executed so that the script controls the target application in the simulator to execute test cases, causing the target application to exchange data with the server-side device; the data exchanged between the target application and the server-side device is obtained, and a cross-site scripting vulnerability is detected according to that data. Because a simulator replaces the original prototype device, the interruptions of the testing process caused by automatic shutdown or updates of the prototype device are avoided; because no automated UI testing tool is used, the decline in stability caused by the overly long link through which such a tool controls the prototype device is avoided; and because the simulator is controlled by a script, no test code needs to be implanted into the target application, which avoids the decline in stability caused by code conflicts.
Detailed Description of Embodiments
The application is described in further detail below with reference to the accompanying drawings.
In a typical configuration of this application, a terminal or a device of a service network includes one or more processors (CPUs), an input/output interface, a network interface and memory.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in forms such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
An embodiment of the present application provides a cross-site scripting vulnerability detection method for detecting cross-site scripting vulnerabilities in H5 applications on a mobile terminal device, where the mobile terminal device refers to mobile terminal devices of all kinds, such as mobile phones, tablet computers and smart wearable devices. The method uses a simulator in place of the original prototype device, which avoids the interruption of the testing process caused by automatic shutdown or updates of the prototype device; because no automated UI testing tool is used, it avoids the decline in stability caused by the overly long link through which such a tool controls the prototype device; and because the simulator is controlled by a script, no test code needs to be implanted into the target application, which avoids the decline in stability caused by code conflicts.
In an actual scenario, the detection device that executes this method can be a user device, a network device, or a device formed by integrating a user device with a network device over a network. The user device includes but is not limited to terminal devices such as personal computers (PCs); the network device includes but is not limited to implementations such as a network host, a single network server, a set of multiple network servers or a set of computers based on cloud computing, and can be used to implement part of the processing functions when setting an alarm clock. Here, the cloud consists of a large number of hosts or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual machine made up of a loosely coupled set of computers.
Fig. 1 shows the process flow of a cross-site scripting vulnerability detection method provided by an embodiment of the present application, which includes at least the following processing steps:
Step S101: create a simulator of a mobile terminal device, and install the target application to be tested on the simulator. The simulator is a virtual mobile terminal device running inside another running environment; for mobile terminal devices of different operating systems, the corresponding virtual machine can be created with the corresponding integrated development tool.
For example, for a smartphone running the iOS system, a simulator corresponding to that smartphone can be created on a PC with the integrated development tool Xcode. Once the simulator has been created, it is equivalent to running a virtual iOS smartphone on the PC. The target application to be tested can then be installed on the simulator. The target application can be an H5 application whose offline content is delivered to the mobile terminal device in advance and then loaded; the method can also be applied to cross-site scripting vulnerability detection of other conventional H5 applications. Because a simulator replaces the original prototype device, the interruption of the testing process caused by automatic shutdown or updates of the prototype device is avoided, and the cost of purchasing and maintaining prototype devices can also be reduced.
Step S102: execute a script, so that the script controls the target application in the simulator to execute test cases, causing the target application to exchange data with the server-side device. The script contains a series of executable commands for the operations that need to be performed; by executing the script, the device implementing this method can be made to perform the corresponding operations. For example, the scheme of the embodiment creates the simulator of the mobile terminal device on a PC; the script can then be executed on the PC to control the target application in the simulator on the PC to execute the test cases, so that the target application exchanges data with the server-side device.
In some implementations of the application, controlling the target application in the simulator to execute test cases through the script includes at least the following processing: first, a test task is obtained and pre-processed to obtain the test-related parameters of the test task; then, according to the test-related parameters, the system commands of the mobile terminal device are executed to control the target application in the simulator to execute the test cases.
The test task refers to the whole sequence of operations related to vulnerability detection that the target application in the mobile terminal device needs to be controlled to execute, and the test-related parameters of the test task can be extracted by pre-processing the test task. The test-related parameters include the queue, order and number of the test cases to be executed during vulnerability detection, and other parameters relevant to the execution of the test cases. According to the test-related parameters, the system commands of the mobile terminal device can be simulated, and by executing these system commands the target application in the simulator is controlled to execute the test cases of the test task in order. While the test cases are executed, data is exchanged between the target application running on the simulator and the server-side device of the target application.
Because a simulator replaces the prototype device and the simulator is controlled by a script, there is no need to use an automated UI testing tool or to implant test code into the target application, which avoids the decline in stability caused by the overly long link through which an automated UI testing tool controls the prototype device and by reasons such as code conflicts.
Step S103: obtain the data exchanged between the target application and the server-side device, and detect a cross-site scripting vulnerability according to that data. In this embodiment, the principle for detecting a cross-site scripting vulnerability can be to determine whether one exists according to whether unsafe data that should not have been exchanged was exchanged between the target application and the server-side device. After the data exchanged between the target application and the server-side device has been obtained, it is checked for unsafe data that should not have been exchanged; if such data is present, a cross-site scripting vulnerability exists, and the user can then be notified of the risk.
In some embodiments of the present application, the logs of the server-side device can be monitored by automated rules in order to obtain the data exchanged between the target application and the server-side device and to detect cross-site scripting vulnerabilities. The logs of the server-side device can be obtained, and the data exchanged between the target application and the server-side device determined according to those logs. Because the logs contain records of the operations performed by the server-side device, the data exchanged between the target application and the server-side device can be determined by analysing the logs, and it can then be judged whether a cross-site scripting vulnerability exists.
In an actual scenario, the data exchanged between the target application and the server-side device can be collected by means of buried points (instrumentation), that is, by obtaining the buried-point data that the server-side device collects through buried points. The buried-point data is the data that the server-side device collects, through buried points, from the data exchanged between the target application and the server-side device. Correspondingly, the test cases executed by the simulator can carry pre-set characteristic information, and this characteristic information is carried in the unsafe data that should not be exchanged between the target application and the server-side device. By checking whether the buried-point data carries the characteristic information, it can be determined whether unsafe data was exchanged between the target application and the server-side device, and therefore whether a cross-site scripting vulnerability exists: the characteristic information is searched for in the buried-point data; if it is detected, a cross-site scripting vulnerability is determined to have been detected, otherwise it is determined that no cross-site scripting vulnerability was detected.
For example, in an embodiment of the present application, the characteristic information included in a test case can be a specific character combination "XXXX". When no cross-site scripting vulnerability exists, the target application in the simulator will not send unsafe data containing "XXXX" to the server-side device after executing the test case; when a cross-site scripting vulnerability exists, the server-side device will receive unsafe data containing "XXXX" sent by the target application in the simulator. All data transmitted by the target application in the simulator to the server-side device can be collected through buried points; if data containing "XXXX" is present among it, unsafe data was exchanged between the target application and the server-side device, and it can therefore be determined that a cross-site scripting vulnerability exists.
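The marker-based flow of steps S101 to S103, as an added Python example that is not part of the application: the test-task and tracking-record formats, the field and helper names, and the numbering of the "XXXX" marker per test case are assumptions made here; the simulator commands are Xcode's `xcrun simctl` subcommands, only built and not executed.

```python
"""Added example (not the application's own code): a script-driven XSS check
following steps S101-S103, from test-task preprocessing to scanning the server's
buried-point records for the characteristic marker.  Formats are assumed."""
import json
from urllib.parse import unquote

MARKER = "XXXX"  # the characteristic character combination named in the text


def preprocess_task(task):
    """Turn a test task into the ordered list of test cases the script drives.

    `task` has an assumed shape {"fields": [...], "templates": [...]}.  Each
    case embeds MARKER plus its number, so a server-side hit maps back to the
    case that produced it (an extension of the page's single fixed marker).
    """
    cases = []
    for field in task["fields"]:
        for template in task["templates"]:
            number = len(cases) + 1
            token = f"{MARKER}-{number}"
            cases.append({"number": number, "field": field, "token": token,
                          "payload": template.format(marker=token)})
    return cases


def build_simulator_commands(udid, app_path, bundle_id):
    """Control commands a script hands to subprocess.run for an iOS simulator
    created with Xcode; they are built here, not executed."""
    return [
        ["xcrun", "simctl", "boot", udid],
        ["xcrun", "simctl", "install", udid, app_path],
        ["xcrun", "simctl", "launch", udid, bundle_id],
    ]


def parse_tracking_records(text):
    """Parse buried-point records exported as JSON lines, skipping bad lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed export line must not abort the whole run
    return records


def _strings(value):
    """Yield every string nested in a record, percent-decoded."""
    if isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)
    elif isinstance(value, str):
        yield unquote(value)


def detect_xss(records, cases, marker=MARKER):
    """Apply the page's rule: marker present in server-received data => hole.

    Returns whether a hole was detected, how many records carried the marker
    and which test cases (by number) those records trace back to.
    """
    marker_records = 0
    matched = set()
    for record in records:
        texts = list(_strings(record))
        if any(marker in text for text in texts):
            marker_records += 1
            matched.update(case["number"] for case in cases
                           if any(case["token"] in text for text in texts))
    return {"detected": marker_records > 0,
            "marker_records": marker_records,
            "matched_cases": sorted(matched)}


# Constructed sample: a two-field test task and a server-side tracking export.
# The first records are ordinary traffic; the last one carries the marker of
# case 2, percent-encoded as a beacon parameter would arrive.
SAMPLE_TASK = {"fields": ["search", "comment"], "templates": ["[{marker}]"]}
SAMPLE_TRACKING = """\
{"event": "page_view", "params": {"page": "/h5/coupon", "ref": "home"}}
{"event": "search", "params": {"q": "shoes", "page": "/h5/search"}}
this line is not JSON
{"event": "page_view", "params": {"page": "/h5/comment"}}
{"event": "beacon", "params": {"c": "%5BXXXX-2%5D", "page": "/h5/comment"}}
"""


def run_check(task=SAMPLE_TASK, tracking_text=SAMPLE_TRACKING):
    """Detection step over the sample: preprocess, parse, then detect."""
    return detect_xss(parse_tracking_records(tracking_text), preprocess_task(task))


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

Because each test case carries its own numbered marker, a hit is traced back to the field whose test case produced it, which narrows the follow-up to one input.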
Fig. 2 shows the testing process of the scheme that detects XSS vulnerabilities in a mobile-terminal H5 application by controlling a prototype device with an automated UI testing tool. In this scheme, after the prototype device is connected to the detection device, the test device starts the automated UI testing tool, which loads an automated test script and controls the prototype device according to that script. First, the automated UI testing tool implants test code into the target application and installs the target application with the implanted test code on the prototype device. Then the automated UI testing tool obtains the test cases, controls the prototype device to execute them, and at the same time monitors the system messages on the prototype device, using those messages to test whether an XSS vulnerability exists. If the test succeeds, that is, an XSS vulnerability exists, a risk notification is sent to the user.
In this scheme, the factors that may cause instability in testing include at least the following: 1. because of its battery and similar reasons, the prototype device may shut down automatically when the temperature is too low, making it unavailable and interrupting the testing process; 2. the prototype device may push system updates automatically while running, and these updates interrupt the testing process of the automated UI testing tool; 3. the link through which the automated UI testing tool controls the prototype device is too long, so the number of controlled links in the chain increases and the probability that a problem occurs in the whole control chain rises; 4. implanting test code into the target application on the mobile terminal device is highly intrusive to the application; the implantation may fail, or the implanted code may conflict with part of the logic of the target application.
To improve this scheme, the following aspects would need to be optimized: 1. the stability of the automated UI testing process must be improved, which requires raising the task trigger rate and execution rate, reducing the task failure rate, and providing a task restart mechanism for failed tasks, thereby alleviating the decline in stability caused by the overly long control chain; 2. a stable voltage must be supplied to the prototype and the temperature of the test environment properly controlled to reduce the possibility of abnormalities in the prototype device, and real-time alert monitoring of abnormal conditions of the prototype device is needed so that abnormalities can be resolved as early as possible.
Fig. 3 shows the differences between the detection scheme provided by the embodiments of the present application and the detection scheme that controls a prototype device with an automated UI testing tool. In the detection scheme of the present application, a simulator created on the detection device replaces the prototype device; the simulator is more stable than a prototype device and will not become unavailable for all kinds of reasons, and since no code is implanted, the target application is more stable during test execution. In addition, the testing process does not need an automated UI testing tool to control a prototype device; instead, the script controls the simulator to execute the test cases, and vulnerabilities are correspondingly perceived by detecting the buried-point data. Therefore, there is no overly long control link in the detection process, the risk caused by the overly long control chain from the automated UI testing tool to the prototype device is avoided, and the detection process is more stable.
Based on the same inventive concept, an embodiment of the present application also provides a cross-site scripting vulnerability detection device. The method corresponding to this device is the cross-site scripting vulnerability detection method of the previous embodiment, and its principle for solving the problem is similar to that of the method.
The cross-site scripting vulnerability detection device provided by the embodiments of the present application is used for detecting cross-site scripting vulnerabilities in H5 applications on a mobile terminal device, where the mobile terminal device refers to mobile terminal devices of all kinds, such as mobile phones, tablet computers and smart wearable devices. When performing detection, the detection device uses a simulator in place of the original prototype device, which avoids the interruption of the testing process caused by automatic shutdown or updates of the prototype device; because no automated UI testing tool is used, it avoids the decline in stability caused by the overly long link through which such a tool controls the prototype device; and because the simulator is controlled by a script, no test code needs to be implanted into the target application, which avoids the decline in stability caused by code conflicts.
In an actual scenario, the detection device can be a user device, a network device, or a device formed by integrating a user device with a network device over a network. The user device includes but is not limited to terminal devices such as personal computers (PCs); the network device includes but is not limited to implementations such as a network host, a single network server, a set of multiple network servers or a set of computers based on cloud computing, and can be used to implement part of the processing functions when setting an alarm clock. Here, the cloud consists of a large number of hosts or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual machine made up of a loosely coupled set of computers.
Fig. 4 shows the structure of a cross-site scripting vulnerability detection device provided by an embodiment of the present application. The detection device includes at least a simulation module 410, a script control module 420 and a detection module 430. The simulation module 410 is used for creating the simulator of a mobile terminal device and installing the target application to be tested on the simulator. The simulator is a virtual mobile terminal device running inside another running environment; for mobile terminal devices of different operating systems, the corresponding virtual machine can be created with the corresponding integrated development tool.
For example, for a smartphone running the iOS system, a simulator corresponding to that smartphone can be created on a PC with the integrated development tool Xcode. Once the simulator has been created, it is equivalent to running a virtual iOS smartphone on the PC. The target application to be tested can then be installed on the simulator. The target application can be an H5 application whose offline content is delivered to the mobile terminal device in advance and then loaded; the device can also be applied to cross-site scripting vulnerability detection of other conventional H5 applications. Because a simulator replaces the original prototype device, the interruption of the testing process caused by automatic shutdown or updates of the prototype device is avoided, and the cost of purchasing and maintaining prototype devices can also be reduced.
The script control module 420 is used for executing a script, so that the script controls the target application in the simulator to execute test cases, causing the target application to exchange data with the server-side device. The script contains a series of executable commands for the operations that need to be performed; by executing the script, the device implementing this method can be made to perform the corresponding operations. For example, the scheme of the embodiment creates the simulator of the mobile terminal device on a PC; the script can then be executed on the PC to control the target application in the simulator on the PC to execute the test cases, so that the target application exchanges data with the server-side device.
In some implementations of the application, when the script control module 420 controls the target application in the simulator to execute test cases through the script, the processing includes at least the following: first, a test task is obtained and pre-processed to obtain the test-related parameters of the test task; then, according to the test-related parameters, the system commands of the mobile terminal device are executed to control the target application in the simulator to execute the test cases.
The test task refers to the whole sequence of operations related to vulnerability detection that the target application in the mobile terminal device needs to be controlled to execute, and the test-related parameters of the test task can be extracted by pre-processing the test task. The test-related parameters include the queue, order and number of the test cases to be executed during vulnerability detection, and other parameters relevant to the execution of the test cases. According to the test-related parameters, the system commands of the mobile terminal device can be simulated, and by executing these system commands the target application in the simulator is controlled to execute the test cases of the test task in order. While the test cases are executed, data is exchanged between the target application running on the simulator and the server-side device of the target application.
Because a simulator replaces the prototype device and the simulator is controlled by a script, there is no need to use an automated UI testing tool or to implant test code into the target application, which avoids the decline in stability caused by the overly long link through which an automated UI testing tool controls the prototype device and by reasons such as code conflicts.
The detection module 430 is used for obtaining the data exchanged between the target application and the server-side device, and detecting a cross-site scripting vulnerability according to that data. In this embodiment, the principle for detecting a cross-site scripting vulnerability can be to determine whether one exists according to whether unsafe data that should not have been exchanged was exchanged between the target application and the server-side device. After the data exchanged between the target application and the server-side device has been obtained, it is checked for unsafe data that should not have been exchanged; if such data is present, a cross-site scripting vulnerability exists, and the user can then be notified of the risk.
In some embodiments of the present application, the detection module can monitor the logs of the server-side device by automated rules in order to obtain the data exchanged between the target application and the server-side device and to detect cross-site scripting vulnerabilities. The detection module can obtain the logs of the server-side device and determine the data exchanged between the target application and the server-side device according to those logs. Because the logs contain records of the operations performed by the server-side device, the data exchanged between the target application and the server-side device can be determined by analysing the logs, and it can then be judged whether a cross-site scripting vulnerability exists.
In an actual scenario, the detection module 430 can collect the data exchanged between the target application and the server-side device by means of buried points (instrumentation), that is, by obtaining the buried-point data that the server-side device collects through buried points. The buried-point data is the data that the server-side device collects, through buried points, from the data exchanged between the target application and the server-side device. Correspondingly, the test cases executed by the simulator can carry pre-set characteristic information, and this characteristic information is carried in the unsafe data that should not be exchanged between the target application and the server-side device. By checking whether the buried-point data carries the characteristic information, the detection module 430 can determine whether unsafe data was exchanged between the target application and the server-side device, and therefore whether a cross-site scripting vulnerability exists: the characteristic information is searched for in the buried-point data; if it is detected, a cross-site scripting vulnerability is determined to have been detected, otherwise it is determined that no cross-site scripting vulnerability was detected.
For example, in an embodiment of the present application, the characteristic information included in a test case can be a specific character combination "XXXX". When no cross-site scripting vulnerability exists, the target application in the simulator will not send unsafe data containing "XXXX" to the server-side device after executing the test case; when a cross-site scripting vulnerability exists, the server-side device will receive unsafe data containing "XXXX" sent by the target application in the simulator. All data transmitted by the target application in the simulator to the server-side device can be collected through buried points; if data containing "XXXX" is present among it, unsafe data was exchanged between the target application and the server-side device, and it can therefore be determined that a cross-site scripting vulnerability exists.
In summary, the detection scheme provided by the embodiments of the present application uses a simulator in place of the original prototype device, which avoids the interruption of the testing process caused by automatic shutdown or updates of the prototype device; because no automated UI testing tool is used, it avoids the decline in stability caused by the overly long link through which such a tool controls the prototype device; and because the simulator is controlled by a script, no test code needs to be implanted into the target application, which avoids the decline in stability caused by code conflicts.
In addition, part of the application can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution of the present application through the operation of the computer. The program instructions that invoke the method of the present application may be stored in a fixed or removable recording medium, and/or transmitted through broadcast or through a data stream in another signal-bearing medium, and/or stored in the working memory of a computing device that runs according to the program instructions. Here, according to some embodiments of the present application, a computing device as shown in Fig. 5 is included; the device includes one or more memories 510 storing computer-readable instructions and a processor 520 for executing the computer-readable instructions, wherein when the computer-readable instructions are executed by the processor, the device executes the methods and/or technical solutions based on the foregoing multiple embodiments of the application.
In addition, some embodiments of the present application further provide a computer-readable medium on which computer program instructions are stored; the computer-readable instructions can be executed by a processor to implement the methods and/or technical solutions of the foregoing multiple embodiments of the application.
It should be noted that the application can be implemented in software and/or in a combination of software and hardware, for example with an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In some embodiments, the software program of the application can be executed by a processor to implement the steps or functions described above. Similarly, the software program of the application (including related data structures) can be stored in a computer-readable recording medium, for example RAM, a magnetic or optical drive or a floppy disk and similar devices. In addition, some steps or functions of the application can be implemented in hardware, for example as circuits that cooperate with the processor to execute each step or function.
It is obvious to a person skilled in the art that the application is not limited to the details of the above exemplary embodiments, and that the application can be realised in other specific forms without departing from the spirit or essential characteristics of the application. Therefore, from whatever point of view, the present embodiments are to be considered illustrative and not restrictive, and the scope of the application is defined by the appended claims rather than by the above description; all changes falling within the meaning and scope of equivalents of the claims are therefore intended to be included in the application. Any reference signs in the claims should not be construed as limiting the claims involved. Furthermore, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a device claim can also be implemented by one unit or device through software or hardware. Words such as "first" and "second" are used to indicate names and do not indicate any particular order.