CN115987638A - A webpage vulnerability detection method, device, equipment and storage medium - Google Patents
- Publication number: CN115987638A (application number CN202211663405.4A)
- Authority: CN (China)
- Prior art keywords: script, vulnerability, webpage, target, response
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Debugging And Monitoring (AREA)
Description
Background Art
As Web technology becomes ever more widespread, many applications are built and deployed on the Web platform, and scripting languages are used on the client side to improve application response time and interactivity and to reduce load on the Web server. However, a large volume of user interaction also exposes the system to risk. If the script input and output interfaces are not given specific security protection, serious vulnerabilities such as XSS (Cross Site Scripting) and CSRF (Cross-site Request Forgery) may result, leading to user session hijacking, client-side cookie theft, phishing and other security problems. Web pages therefore need vulnerability detection so that problems are found and fixed in time to reduce losses.
At present, webpage vulnerability detection generally relies on penetration testing methods developed in JavaScript, and JavaScript-based XSS penetration testing methods are subject to many restrictions. For example, client-based XSS detection methods require modifying the client-side JavaScript interpreter so that it executes only legitimate script code, and most methods require source-code instrumentation, meaning the web application implementation must be modified to insert comments or delimiters that distinguish benign from malicious JavaScript code.
Thus, detecting webpage vulnerabilities with JavaScript-based penetration testing methods requires modifying the client-side JavaScript interpreter, modifying the web application source code, and so on; the process is cumbersome and time-consuming.
Summary of the Invention
Embodiments of the present application provide a webpage vulnerability detection method, device, equipment and storage medium for performing webpage vulnerability detection quickly and conveniently.
In a first aspect, an embodiment of the present application provides a webpage vulnerability detection method, comprising:
receiving a webpage access instruction and obtaining the response webpage resource of the corresponding response page;
extracting the target script from the response webpage resource, and extracting the target script features of the target script;
matching the target script features against the original script features stored in a database and, based on the matching result, detecting webpage vulnerabilities of the response page.
In a second aspect, an embodiment of the present application provides a webpage vulnerability detection device, comprising:
a receiving unit, configured to receive a webpage access instruction and obtain the response webpage resource of the corresponding response page;
an extracting unit, configured to extract the target script from the response webpage resource and extract the target script features of the target script;
a matching and detection unit, configured to match the target script features against the original script features stored in the database and, based on the matching result, detect webpage vulnerabilities of the response page.
In a third aspect, an embodiment of the present application provides a computing device comprising a memory and a processor, wherein the memory is used to store computer instructions and the processor is used to execute the computer instructions to implement the steps of the webpage vulnerability detection method provided by the embodiments of the present application.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the steps of the webpage vulnerability detection method provided by the embodiments of the present application.
In a fifth aspect, an embodiment of the present application provides a computer program product comprising computer instructions stored in a computer-readable storage medium; when the processor of a computing device reads the computer instructions from the computer-readable storage medium, the processor executes them so that the computing device performs the steps of the webpage vulnerability detection method provided by the embodiments of the present application.
The beneficial effects of the present application are as follows:
Embodiments of the present application provide a webpage vulnerability detection method, device, equipment and storage medium, relating to the field of computer security technology and in particular to Web page security. In the present application, a webpage access instruction is received and the response webpage resource of the corresponding response page is obtained; the target script is extracted from the response webpage resource and its target script features are extracted; the target script features are matched against the original script features stored in a database, and webpage vulnerabilities of the response page are detected based on the matching result. There is no need to modify the client-side JavaScript interpreter or the Web application: webpage vulnerabilities are detected solely by matching the target script features of the target script identified in the response webpage resource against the original script features, which is simple to operate, convenient and fast.
Other features and advantages of the present application will be set forth in the description that follows and will in part be apparent from the description or may be learned by practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description, the claims and the appended drawings.
Brief Description of the Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application;
FIG. 2 is a flow chart of a webpage vulnerability detection method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of webpage vulnerability detection provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a webpage resource template provided by an embodiment of the present application;
FIG. 5 is a flow chart of another specific implementation of webpage vulnerability detection provided by an embodiment of the present application;
FIG. 6 is a structural diagram of a webpage vulnerability detection device provided by an embodiment of the present application;
FIG. 7 is a structural diagram of a computing device provided by an embodiment of the present application.
Detailed Description
To make the purpose, technical solutions and beneficial effects of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the scope of protection of this application.
Some terms used in the embodiments of the present application are explained below to aid understanding by those skilled in the art.
XSS (Cross Site Scripting) is a computer security vulnerability that frequently appears in Web applications and is one of the mainstream attack methods on the Web. An XSS attack inserts malicious JavaScript into a web page by special means, so that when a user browses the page, attacks such as cookie theft, session hijacking and phishing are launched against the user's client.
CSRF (Cross-site Request Forgery) is an attack method that coerces a user into performing unintended operations on a Web application to which the user is currently logged in.
DOM (Document Object Model) is a means of manipulating HTML; it allows all elements of an HTML document to be retrieved and accessed, and tag attributes and styles to be set.
The design idea of the embodiments of the present application is briefly introduced below.
As web technology becomes ever more widespread, many applications are built and deployed on the Web platform, and scripting languages are used on the client side to improve application response time and interactivity and to reduce load on the Web server. However, a large volume of user interaction also exposes the system to risk. If the script input and output interfaces are not given specific security protection (including decoding, filtering and so on), serious vulnerabilities such as XSS and CSRF may result, leading to user session hijacking, client-side cookie theft, phishing and other security problems. Without a reserve of web security knowledge it is difficult to find web-side security vulnerabilities and to classify and remediate them. Moreover, in the mobile Internet era, besides traditional issues such as XSS and CSRF, new security problems such as network hijacking and illegitimate calls to Hybrid APIs are frequently encountered. The client side is of course also evolving, continually introducing new technologies such as CSP and Same-Site Cookies to strengthen security, but many potential threats remain, so gaps must be continually found and closed to withstand a growing number of attacks.
Conventional website front-end penetration testing is developed in JavaScript, offers limited functionality and is complex to operate, and existing JavaScript-based XSS penetration testing methods are subject to many limitations. First, client-based XSS detection methods require modifying the client-side JavaScript interpreter so that it executes only legitimate script code. Second, most methods require source-code instrumentation, meaning the web application implementation must be modified to insert comments or delimiters that distinguish benign from malicious JavaScript code.
In view of this, the embodiments of the present application draw on the advantages Node.js offers on the web, combining DOM manipulation with I/O, file reading and writing, database access (server side) and other capabilities, to implement a webpage vulnerability detection and attack method that is simple to operate and detects webpage security vulnerabilities conveniently and quickly. The method can automatically crawl and store website resources. According to vulnerability analysis rules, a vulnerability probing method is defined on the Node server; it uses a hash algorithm, building on Node.js features, to define a vulnerability extraction function that detects and analyzes code vulnerabilities and classifies and grades them, thereby generating security test attack code and injecting it. It also includes running security test drills, returning the information obtained by vulnerability detection to the log management component of the Node server, and analyzing the log files to evaluate the attack results. The method offers integrated vulnerability detection and attack, strong flexibility, low latency and low coupling; it can adapt quickly to the target webpage, detect security vulnerabilities, and alert administrators to vulnerabilities present in the system.
Having introduced the design idea of the embodiments, the application scenarios contemplated by the present application are briefly described below. It should be noted that the following scenarios serve only to illustrate the embodiments of the present application and do not limit them; in practice, the technical solutions provided by the embodiments may be applied flexibly according to actual needs.
Referring to FIG. 1, a schematic diagram of an application scenario provided by an embodiment of the present application, the scenario includes a terminal device 110 and a server 120, which can communicate with each other over a communication network.
In an optional implementation, the communication network may be a wired or wireless network. The terminal device 110 and the server 120 may therefore be connected directly or indirectly by wired or wireless communication; for example, the terminal device 110 may be connected to the server 120 indirectly through a wireless access point, or directly through the Internet, without limitation here.
In the embodiments of the present application, the terminal device 110 includes but is not limited to mobile phones, tablets, laptops, desktop computers, e-book readers, smart voice interaction devices, smart home appliances, in-vehicle terminals and similar devices. Various clients may be installed on the terminal device; a client may be an application (such as a browser or game software), a web page, a mini program, and so on.
The server 120 is the back-end server corresponding to the cloud desktop installed on the terminal device 110. The server 120 may be an independent physical server, a server cluster or distributed system made up of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms.
It should be noted that FIG. 1 is only an example; the numbers of terminal devices 110 and servers 120 are not limited in the embodiments of the present application. When there are multiple servers 120, they may form a blockchain in which each server 120 is a node, and the various data involved in the webpage vulnerability detection method disclosed herein may be stored on the blockchain.
The webpage vulnerability detection method provided by the embodiments of the present application can be applied to main scenarios such as a project web-side security vulnerability testing system, front-end security drill protection, and attack simulation for network protection exercises.
In a project web-side security vulnerability testing system, the webpage vulnerability detection method provided by the embodiments of the present application can scan the web pages of an existing project for security vulnerabilities and attack them: it automatically crawls webpage resources, detects code vulnerabilities, and generates and injects attack code, saving developers the time and learning cost of writing their own vulnerability test scripts and allowing the front-end security vulnerabilities in the system to be scanned, analyzed and attacked automatically and efficiently.
By analyzing the attack characteristics of XSS and CSRF, and exploiting the high-concurrency, low-latency characteristics of Node.js on top of the webpage vulnerability detection method provided by the embodiments of the present application, a real-time web-side security attack-and-defense drill system can be designed as an extension.
In the attack simulation scenario for network protection exercises, the webpage vulnerability detection method provided by the embodiments of the present application can simulate the attack behavior of such exercises, allowing the group's websites to be self-tested and self-inspected for network security vulnerabilities, with early warning and timely repair of security vulnerabilities. A protection module can also be added in the future, combining automatic detection with integrated attack and defense.
The specific implementations of the present application involve data such as webpage information and user information. When the above embodiments are applied to specific products or technologies, permission or consent must be obtained, and the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
Based on the above application scenarios, the webpage vulnerability detection method provided by exemplary embodiments of the present application is described below with reference to the accompanying drawings. It should be noted that the above application scenarios are shown only to aid understanding of the spirit and principle of the present application, and the embodiments of the present application are not limited in this respect.
Referring to FIG. 2, a flow chart of a webpage vulnerability detection method provided by an embodiment of the present application, the method includes the following steps:
Step S200: receive a webpage access instruction and obtain the response webpage resource of the corresponding response page.
Step S201: extract the target script from the response webpage resource and extract the target script features of the target script.
In the embodiments of the present application, a first script extractor (JavaScript Extractor) is used to extract the target script from the response webpage resource, and a first feature extractor (Features Extractor) is used to extract the target script features from the target script.
In one possible implementation, a hash algorithm is used to extract the first method definitions and first call signatures contained in the target script, and these first method definitions and first call signatures are taken as the target script features.
Step S202: match the target script features against the original script features stored in the database and, based on the matching result, detect webpage vulnerabilities of the response page.
That is, the target script features of the response page are compared for deviation against the original script features stored in the database. The database consists of three tables: a page table, a script table and a feature table. The page table contains all URL pages of the Web application and the number of scripts in each page; the script table contains the script identifier, the script number and the script vulnerability type, and the URL of its content page also serves as the script's type; the feature table contains all original script features extracted from the method definitions and call signatures of each script. In other words, in the embodiments of the present application the database stores the correspondence between script numbers and original script features, vulnerability types and vulnerability levels.
In one possible implementation, when detecting page vulnerabilities of the response page based on the matching result: if the matching result indicates that the target script features match the original script features, the target script of the response page has the same script number as a script stored in the database, and the vulnerability type stored in the database for the matching original script features is taken as the target vulnerability type of the page vulnerability of the response page. Vulnerability test code for the corresponding script vulnerability is then generated based on the target vulnerability type and injected; when the target object accesses the target webpage, the instrumented (buried-point) vulnerability is tested, the test result is obtained, and the test result is stored in the log management component of the Node server, where the test result includes the running status of the vulnerability test code and the target object information.
In the embodiments of the present application, the generated vulnerability test code may be injected using common stored XSS injection, or it may be injected in an inline script.
When injecting in an inline script, the following approaches may be used:
in text embedded in HTML, the vulnerability test code is injected by forming a script tag; in inline JavaScript, the concatenated data breaks out of its original context (string, variable, method name, etc.);
in tag attributes, the vulnerability test code is injected as other attributes or tags; the vulnerability test code contains quotation marks so as to break out of the attribute value. Attributes such as href and src of a tag contain executable code such as JavaScript;
in user input or click interaction events such as onload(), onerror() and onclick(), the vulnerability test code is injected;
in style attributes and tags, the vulnerability test code is injected; style attributes and tags containing code like background-image:url("JavaScript:...") can produce CSRF attacks, because the src of an image style could ignore the same-origin policy restriction (newer versions of clients already defend against this).
In the embodiments of the present application, the instrumentation point is stored on the target client server; a user logs in, accesses the target server and reads the test code, and is thereby subjected to the attack.
In one possible implementation, a log management component is deployed on the Node server to record the running status of the vulnerability test code and the target object information, so that website vulnerabilities can be analyzed. Specifically:
the back-end joint debugging environment is configured, a MySQL database is configured as the log management component, and data is cached as K/V key-value pairs, which is efficient and fast;
the Attack-Time, Attack-Spot, user cookie and GET/POST request content (for a GET request the URL is read directly; for a POST request the body query is read) intercepted from the user request and returned are sent back to the Node server and stored in the log management component; at the same time the log files are examined and the vulnerabilities present in the website are classified and graded. Reference is made to FIG. 3, a schematic diagram of webpage vulnerability detection provided by an embodiment of the present application.
In another possible implementation, if the matching result indicates that the target script features do not match the original script features, the target script of the response page differs from the script numbers stored in the database, and it is determined that the response page has no page vulnerability.
It should be noted that the script number may differ because a new script was injected, or because a new call to an existing method was added. Therefore, once the script numbers are found to differ, the method callers should be determined so that the original and the response method callers can be distinguished, the cause of the differing script numbers identified, and further analysis performed.
In the embodiments of the present application, to ensure the accuracy of webpage vulnerability detection, a training phase and a detection phase are set up. The training phase is the initialization phase of the detection phase and is used to establish the correspondence, stored in the database, between script numbers and original script features, vulnerability types and vulnerability levels for use in the detection phase. The detection phase performs webpage vulnerability detection and involves feature extraction, vulnerability classification, and generation and injection of vulnerability test code, as shown in FIG. 2 and FIG. 3.
To implement the webpage vulnerability detection method of the present application, the Node server is deployed first. For example, the Node environment is configured and the package manager's API is used to download the relevant resource packages, including a crawler toolkit, a URL module package and an fs module package; that is, the crawler tool, the URL module and the fs module are set up on the Node server.
In the embodiments of the present application, the web crawler used is puppeteer, a Node library that controls headless Chrome over the DevTools protocol and can imitate user behavior to perform client operations. The URL module is a built-in Node library for obtaining, reading and writing webpage URLs. The fs module is Node's file read/write module. The puppeteer crawler package and the fs module are therefore used to asynchronously crawl and copy the resources of the target website.
In the embodiments of the present application, the crawler tool crawls the website's resources and all webpage resources contained under the website. For example, async/await functions are used to crawl the selected website resources asynchronously, and APIs such as puppeteer.launch(), browser.newPage() and browser.close() perform the client operations that obtain the website resources. A page method selects a specific href address, navigates to the specified site and obtains the corresponding webpage resource directly, or the site is entered again with page.goto() and page.evaluate() is then called to run the processing logic that obtains the webpage resources under the specified site.
After the website resources and the webpage resources of the pages under the website have been obtained, they are written with fs.writeFile() into the file storage space created with fs.mkdir() in the fs module.
In the embodiment of this application, the crawler obtains the resources so that the common vulnerability types in web pages can be detected and analysed, for use in the detection phase.
Therefore, the fs module API of Node is used to read the web page resources, and a regular-expression search over keywords is run in a loop to determine the vulnerability type.
By way of example, the Spider component uses fs.readFile() to traverse the file directory stored via the fs module, reads the files and selects the specified web page resource corresponding to the URL of the web page to be monitored and detected, that is, it extracts the executable web page resource crawled by the front end. Figure 4 is a schematic diagram of a web page resource template provided by the embodiment of this application.
After the web page resource is obtained, the second script extractor (script Extractor) extracts the legitimate scripts from the specified web page resource and assigns a script number to each legitimate script; the source code of each legitimate script is then analysed and checked for vulnerabilities to determine the vulnerability type. By way of example, regular-expression keyword matching looks for keywords such as textArea, contenteditable and img, and the vulnerability type corresponding to the legitimate script is determined from the mapping between keywords and vulnerability types. The vulnerability types mainly include: inline script, local source insertion, remote source insertion, handler event processing, and URL attribute.
After the vulnerability type has been obtained, it is still necessary to determine which script the vulnerability type belongs to, or which script characteristic carries it. Therefore, in the embodiment of this application, the second feature extractor (Features Extractor) performs code feature extraction and analysis; the main purpose of this step is to use a hash algorithm to extract the original script characteristics contained in the legitimate script code. The number of scripts on a page is not sufficient to determine whether a script has been injected, nor where a script appears on the page. For this reason, the second method definitions and the second call signatures are extracted from the legitimate scripts as their original script characteristics. By way of example, a Node parser extracts the method names, the parameters, and a hash of each method's implementation. Method definitions fall into three categories: user-defined named functions, anonymous methods, and host object method overrides. For each category the extracted features are the method name, the number of formal parameters and its actual arguments, and a hash of the code executed by the function. There are generally two types of JavaScript function call: simple and nested; a simple call is one in which the function is invoked with its arguments, and a nested call is one in which a function argument is itself another function. An object-caller feature is added to address method-call injection attacks, so that the attack characteristics of different scripts can be extracted.
Finally, based on the script number, the vulnerability type and the original script characteristics of each legitimate script, the original script characteristics and vulnerability type corresponding to the script number are determined and stored in the database.
Referring to Figure 5, which is a flow chart of another specific implementation of the web page vulnerability detection method provided by the embodiment of this application, it can be seen from Figure 5 that:
In the training phase, the crawler first obtains the selected web page resources; the script Extractor then extracts the legitimate scripts from them; the Features Extractor extracts the characteristics of the legitimate scripts to obtain the original script characteristics, and the keywords in the legitimate scripts are analysed to determine the vulnerability type; finally, the vulnerability type and the original script characteristics are stored in the database;
In the detection phase, the response page is obtained, the Javascript Extractor extracts the target script from the response page, and the Features Extractor extracts the target script characteristics. The target script characteristics are then compared with the original script characteristics stored in the database to determine whether there is a deviation. If there is a deviation, the vulnerability type is analysed and vulnerability test code is generated for that type and injected; if there is no deviation, the server responds normally.
This application has the following effects:
1. It breaks with traditional security vulnerability attack development systems, which are developed in plain JavaScript, have a single function and make joint debugging of database operations complicated. Node.js extends JavaScript with capabilities such as I/O and fs that were previously available only in other languages, so that DOM operations, I/O, file reading and writing and (server-side) database operations are all available at once. Node therefore has a distinct advantage in I/O-intensive web development.
2. In security testing, developers usually write test scripts to detect vulnerabilities, which is cumbersome and time-consuming. By designing a Node.js-based web page vulnerability detection method, code crawling, detection, classification and attack are performed automatically, integrating detection and attack, and a log management system collects and stores vulnerability attack logs in real time, so that website security vulnerability detection is carried out comprehensively.
3. The code detection stage is divided into a training phase and a detection phase. In the training phase, a hash algorithm is used to define the vulnerability extraction function that detects, analyses and classifies code vulnerabilities; the target script characteristics extracted from the response page are then compared against the original script characteristics stored in the database for deviations to determine whether a vulnerability exists. The operation is simple.
4. The existing mainstream anti-attack approach is to strictly validate user interaction components, disallowing the input of HTML tags, inline JS statements and the like; the method provided by the embodiment of this application can instead use Node to actively attack a defective website.
Based on the same inventive concept, the embodiment of this application also provides a web page vulnerability detection device 600, as shown in Figure 6. The web page vulnerability detection device 600 includes:
a receiving unit 601, configured to receive a web page access instruction and obtain the response web page resource of the corresponding response page;
an extracting unit 602, configured to extract the target script from the response web page resource and to extract the target script characteristics of the target script;
a matching detection unit 603, configured to match the target script characteristics with the original script characteristics stored in the database and, based on the matching result, detect web page vulnerabilities of the response page.
In a possible implementation, the extracting unit 602 is specifically configured to:
use a hash algorithm to extract the first method definition and the first call signature from the target script, and use the first method definition and the first call signature as the target script characteristics.
In a possible implementation, the matching detection unit 603 is specifically configured to:
if the matching result indicates that the target script characteristics match the original script characteristics, take the vulnerability type stored in the database that matches the original script characteristics as the target vulnerability type of the page vulnerability of the response page;
if the matching result indicates that the target script characteristics do not match the original script characteristics, determine that the response page has no page vulnerability.
In a possible implementation, the matching detection unit 603 is further configured to:
after taking the vulnerability type stored in the database that matches the original script characteristics as the target vulnerability type of the page vulnerability of the response page, use the configured vulnerability test code for that target vulnerability type to perform vulnerability injection, test the instrumented vulnerability of the response page, and obtain a test result; the test result includes the running status of the vulnerability test code and the target object information;
store the test result in the log management component of the Node server.
In a possible implementation, the matching detection unit 603 is specifically configured to:
form the vulnerability injection as a tag, using the configured vulnerability test code, in the text embedded in the hypertext markup language (HTML); or
use the configured vulnerability test code to perform vulnerability injection in an input or click interaction event.
In a possible implementation, the database stores script numbers together with the original script characteristics, vulnerability type and vulnerability level corresponding to each script number.
In a possible implementation, the original script characteristics and vulnerability type corresponding to a script number are determined as follows:
obtain the selected website resources through the crawler tool deployed in the Node server, where the selected website resources include the website resources and the specified web page resources contained under the website;
from the selected website resources, select the specified web page resource corresponding to the URL of the web page to be monitored and detected;
extract the legitimate scripts from the selected specified web page resource and assign a script number to each legitimate script;
use regular-expression keyword matching to determine the keywords contained in each legitimate script, and determine the vulnerability type corresponding to the legitimate script from the mapping between keywords and vulnerability types;
use a hash algorithm to extract the second method definition and the second call signature from each legitimate script, and use them as the original script characteristics of the legitimate script;
based on the script number, the vulnerability type and the original script characteristics of each legitimate script, determine the original script characteristics and vulnerability type corresponding to the script number.
For convenience of description, the parts above are divided into units (or modules) by function and described separately. Of course, when implementing this application, the functions of the units (or modules) may be implemented in one or more pieces of software or hardware.
Having introduced the web page vulnerability detection method and device of the exemplary embodiments of this application, another exemplary embodiment of this application, a computing device, is introduced next.
Those skilled in the art will understand that the various aspects of this application may be implemented as a system, a method or a program product. Therefore, the various aspects of this application may be embodied in the following forms: an entirely hardware implementation, an entirely software implementation (including firmware, microcode and the like), or an implementation combining hardware and software, which may collectively be referred to herein as a "circuit", "module" or "system".
In a possible implementation, the computing device provided by the embodiment of this application may include at least a processor and a memory. The memory stores program code which, when executed by the processor, causes the processor to perform any step of the web page vulnerability detection method of the various exemplary embodiments of this application.
In this embodiment, the structure of the computing device may be as shown in Figure 7, and includes a memory 701, a communication module 703 and one or more processors 702.
The memory 701 is used to store the computer program executed by the processor 702. The memory 701 may mainly include a program storage area and a data storage area; the program storage area may store the operating system and the programs required to run the instant messaging function, and the data storage area may store various instant messaging information, operation instruction sets and the like.
The memory 701 may be volatile memory, such as random-access memory (RAM); it may also be non-volatile memory, such as read-only memory, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 701 may be any other medium that can be used to carry or store a desired computer program in the form of instructions or data structures and that can be accessed by a computer, without being limited to these. The memory 701 may also be a combination of the above memories.
The processor 702 may include one or more central processing units (CPUs), or may be a digital processing unit or the like. The processor 702 is used to implement the above web page vulnerability detection method when it invokes the computer program stored in the memory 701.
The communication module 703 is used to communicate with terminal devices and other servers.
The embodiment of this application does not limit the specific connection medium between the memory 701, the communication module 703 and the processor 702. In Figure 7 the memory 701 and the processor 702 are connected by a bus 704, drawn as a bold line; the connections between the other components are shown only schematically and are not limiting. The bus 704 may be divided into an address bus, a data bus, a control bus and so on. For ease of description only one bold line is drawn in Figure 7, but this does not mean that there is only one bus or one type of bus.
The memory 701 stores a computer storage medium, and the computer storage medium stores computer-executable instructions for implementing the web page vulnerability detection method of the embodiment of this application. The processor 702 is used to execute the above web page vulnerability detection method.
In some possible implementations, the various aspects of the web page vulnerability detection method provided by this application may also be implemented in the form of a program product comprising program code; when the program product runs on a computer device, the program code causes the computer device to perform the steps of the web page vulnerability detection method according to the various exemplary embodiments of this application described above in this specification.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but without limitation, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more conductors, a portable disk, a hard disk, random-access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The program product for web page vulnerability detection according to the embodiments of this application may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a computing device. However, the program product of this application is not limited to this; in this document, a readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in combination with, an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical cable, RF and the like, or any suitable combination of the above.
The program code for performing the operations of this application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the device are mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to the embodiments of this application, the features and functions of two or more units described above may be embodied in a single unit. Conversely, the features and functions of one unit described above may be further divided and embodied by several units.
Furthermore, although the operations of the method of this application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all of the illustrated operations must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, several steps may be combined into one step, and/or one step may be split into several steps.
Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps are performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although the preferred embodiments of this application have been described, those skilled in the art may make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of this application.
Obviously, those skilled in the art may make various changes and variations to this application without departing from its spirit and scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their technical equivalents, this application is intended to include them as well.
Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211663405.4A CN115987638A (en) | 2022-12-23 | 2022-12-23 | A webpage vulnerability detection method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115987638A true CN115987638A (en) | 2023-04-18 |
Family
ID=85973467
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115987638A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118631583A (en) * | 2024-07-18 | 2024-09-10 | 杭州孝道科技有限公司 | Web application vulnerability association method, system, electronic device and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101741645A (en) * | 2009-12-17 | 2010-06-16 | 成都市华为赛门铁克科技有限公司 | Method, device and system for detecting storage-type cross-site scripting attack and attack detector |
| CN104200166A (en) * | 2014-08-05 | 2014-12-10 | 杭州安恒信息技术有限公司 | Script-based website vulnerability scanning method and system |
| CN107103243A (en) * | 2017-05-11 | 2017-08-29 | 北京安赛创想科技有限公司 | The detection method and device of leak |
| KR20180075881A (en) * | 2016-12-27 | 2018-07-05 | 한국인터넷진흥원 | Method and Apparatus for Analyzing Web Vulnerability for Client-side |
| CN114329466A (en) * | 2021-12-17 | 2022-04-12 | 深圳萨摩耶数字科技有限公司 | Cross-site script vulnerability attack detection method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |