
CN115987638A - Webpage vulnerability detection method, device, equipment and storage medium - Google Patents


Publication number: CN115987638A
Authority: CN (China)
Prior art keywords: script, vulnerability, webpage, target, response
Legal status: Pending
Application number: CN202211663405.4A
Other languages: Chinese (zh)
Inventors: 丛巾婷, 周涛, 刘紫千
Current Assignee: Tianyi Safety Technology Co Ltd
Original Assignee: Tianyi Safety Technology Co Ltd
Application filed by Tianyi Safety Technology Co Ltd
Priority to CN202211663405.4A
Publication of CN115987638A
Landscapes: Debugging And Monitoring (AREA)

Abstract

The application provides a webpage vulnerability detection method, device, equipment and storage medium, relating to the technical field of computer security and in particular to Web page security. In the application, a webpage access instruction is received and the response webpage resources of the corresponding response page are obtained; a target script is extracted from the response webpage resources, and the target script characteristics of the target script are extracted; the target script characteristics are matched against the original script characteristics stored in the database, and webpage vulnerabilities of the response page are detected based on the matching result. The method requires no modification of the client JavaScript interpreter or of the Web application: webpage vulnerabilities are detected solely by matching the target script characteristics of the target script identified in the response webpage resources against the original script characteristics, so the operation is simple.

Description

Webpage vulnerability detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting a webpage vulnerability.
Background
As Web technologies become more widespread, many applications are deployed through a Web platform, and a scripting language is used at the client to improve the application's response time and interactivity and to reduce overhead on the Web server. However, the large amount of user interaction may also pose risks to the system. If no specific security protection is applied to the script input/output interface, serious security risks such as XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) may arise, leading to security problems such as user session hijacking, client cookie theft and phishing. Therefore, vulnerability detection needs to be performed on web pages so that problems are found and fixed in time to reduce losses.
At present, vulnerability detection on a webpage generally uses a penetration test method developed in JavaScript. JavaScript-based XSS attack penetration test methods suffer from many limitations. For example, client-based XSS attack detection methods require modifying the client's JavaScript interpreter so that it executes only legitimate script code; and most methods require source code instrumentation, which means the web application implementation must be modified by inserting comments or delimiters to distinguish benign from malicious JavaScript code.
Therefore, when webpage vulnerability detection is performed with a penetration test method developed in JavaScript, the client JavaScript interpreter, the web application source code and the like need to be modified, and the process is complicated and time-consuming.
Disclosure of Invention
The embodiment of the application provides a webpage vulnerability detection method, device, equipment and storage medium, which are used for quickly and conveniently detecting webpage vulnerabilities.
In a first aspect, an embodiment of the present application provides a method for detecting a webpage vulnerability, where the method includes:
receiving a webpage access instruction, and acquiring response webpage resources of a corresponding response page;
extracting a target script in the response webpage resource and extracting the target script characteristic of the target script;
and matching the target script characteristics with the original script characteristics stored in the database, and detecting webpage vulnerabilities of the response page based on the matching result.
In a second aspect, an embodiment of the present application provides a device for detecting a webpage vulnerability, where the device includes:
the receiving unit is used for receiving the webpage access instruction and acquiring the response webpage resource of the corresponding response page;
the extraction unit is used for extracting the target script in the response webpage resource and extracting the target script characteristic of the target script;
and the matching detection unit is used for matching the target script characteristics with the original script characteristics stored in the database and detecting webpage vulnerabilities of the response page based on the matching result.
In a third aspect, an embodiment of the present application provides a computing device, including: a memory and a processor, wherein the memory is used for storing computer instructions; the processor is used for executing the computer instructions to implement the steps of the webpage vulnerability detection method provided by the embodiment of the application.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, where computer instructions are stored, and when the computer instructions are executed by a processor, the steps of the web page vulnerability detection method provided in the embodiment of the present application are implemented.
In a fifth aspect, embodiments of the present application provide a computer program product, which includes computer instructions stored in a computer-readable storage medium; when the processor of the computing device reads the computer instructions from the computer-readable storage medium, the processor executes the computer instructions, so that the computing device executes the steps of the webpage vulnerability detection method provided by the embodiment of the present application.
The beneficial effects of this application are as follows:
The embodiments of the application provide a webpage vulnerability detection method, device, equipment and storage medium, relating to the technical field of computer security and in particular to Web page security. In the application, a webpage access instruction is received and the response webpage resources of the corresponding response page are obtained; a target script is extracted from the response webpage resources, and the target script characteristics of the target script are extracted; the target script characteristics are matched against the original script characteristics stored in the database, and webpage vulnerabilities of the response page are detected based on the matching result. Webpage vulnerabilities can be detected solely by matching the target script characteristics of the target script identified in the response webpage resources against the original script characteristics, without modifying the client JavaScript interpreter or the Web application, so the method is simple to operate, convenient and fast.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a flowchart of a method for detecting a webpage vulnerability provided in an embodiment of the present application;
fig. 3 is a schematic diagram illustrating detection of a webpage vulnerability provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a web page resource template according to an embodiment of the present application;
fig. 5 is a flowchart of another specific implementation method for detecting a webpage vulnerability, provided in the embodiment of the present application;
fig. 6 is a structural diagram of a device for detecting a webpage vulnerability according to an embodiment of the present application;
fig. 7 is a block diagram of a computing device according to an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solution and advantages of the present application clearer, the technical solution in the embodiments of the present application will be described below in detail and completely with reference to the accompanying drawings in the embodiments of the present application. The described embodiments are obviously only a part of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort shall fall within the protection scope of the present application.
Some terms in the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
XSS (Cross-Site Scripting) is a computer security vulnerability that often occurs in Web applications and is also a mainstream attack vector on the Web. An XSS attack inserts malicious JavaScript into a webpage by special means, so that attacks such as cookie theft, session hijacking and phishing are launched against the user's client when the user browses the webpage.
CSRF (Cross-Site Request Forgery) is an attack method that forces users to perform unintended operations on a Web application they are currently logged in to.
DOM (Document Object Model) is a means for operating HTML, and can complete the operations of obtaining, accessing, setting tag attributes and styles of all elements in an HTML Document.
The following briefly introduces the design concept of the embodiments of the present application.
As Web technologies become more widespread, many applications are deployed through Web platforms, and scripting languages are used at clients to improve the applications' response time and interactivity and to reduce overhead on Web servers. However, the large amount of user interaction also poses risks to the system. If no specific security protection (including decoding, filtering, etc.) is applied to the script input/output interface, serious security risks such as XSS and CSRF may arise, leading to security problems such as user session hijacking, client cookie theft and phishing. Without accumulated web security knowledge, network security vulnerabilities on the web side are difficult to find, classify and fix. In addition, in the era of the mobile internet, besides traditional security problems such as XSS and CSRF, new security problems such as network hijacking and illegal invocation of Hybrid APIs are often encountered. The client itself is also evolving continuously, and new technologies such as CSP and SameSite cookies are being introduced to enhance security, but many potential threats remain, and gaps need to be checked for and filled continuously to withstand a growing number of attacks.
General website front-end penetration tests are developed in JavaScript, offer limited functionality and are complex to operate, and existing JavaScript-based XSS attack penetration test methods are subject to several limitations. First, client-based XSS attack detection methods require modifying the implementation of the client's JavaScript interpreter so that it executes only legitimate script code. Second, most methods require source code instrumentation, which means the web application implementation must be modified by inserting comments or delimiters to distinguish benign from malicious JavaScript code.
In view of this, the embodiment of the present application takes advantage of Node.js, which combines DOM operation with I/O, file reading and writing, database (server-side) operation and similar capabilities in the web, to implement a method for detecting and attacking webpage vulnerabilities that is simple to operate and makes webpage security vulnerability detection convenient and fast. The method can automatically crawl and store website resources. A vulnerability detection method is defined in the Node server according to vulnerability analysis rules; it includes detecting and analyzing code vulnerabilities and classifying and grading them using a hash algorithm based on Node.js characteristics, so as to generate security test attack code and inject it, and it also includes carrying out security test exercises, returning the information obtained by vulnerability detection to a log management component of the Node server, and analyzing the log file to analyze the attack result.
After introducing the design idea of the embodiment of the present application, an application scenario set by the present application is briefly described below. It should be noted that the following scenario is only used for illustrating the embodiments of the present application and is not limited thereto. In specific implementation, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Referring to fig. 1, fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application, where the application scenario includes a terminal device 110 and a server 120, and the terminal device 110 and the server 120 may communicate with each other through a communication network.
In an alternative embodiment, the communication network may be a wired network or a wireless network. Thus, terminal device 110 and server 120 may be directly or indirectly connected through wired or wireless communication. For example, the terminal device 110 may be indirectly connected to the server 120 through a wireless access point, or the terminal device 110 may be directly connected to the server 120 through the internet, which is not limited herein.
In the embodiment of the present application, the terminal device 110 includes, but is not limited to, a mobile phone, a tablet computer, a notebook computer, a desktop computer, an e-book reader, an intelligent voice interaction device, an intelligent household appliance, a vehicle-mounted terminal, and other devices; various clients can be installed on the terminal device, and the clients can be application programs (such as browsers, game software and the like) and also can be web pages, applets and the like;
the server 120 is a background server corresponding to the cloud desktop installed in the terminal device 110. The server 120 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), a big data and artificial intelligence platform, and the like.
It should be noted that fig. 1 is only an example, and the number of the terminal devices 110 and the servers 120 is not limited in practice, and is not specifically limited in the embodiment of the present application. When the number of the servers 120 is plural, the plural servers 120 may be grouped into a blockchain, and the servers 120 are nodes on the blockchain; various data related to the webpage vulnerability detection method disclosed by the embodiment of the application can be stored on the block chain.
The method for detecting the webpage vulnerability can be applied to main scenes such as a project web end security vulnerability testing system, front end security exercise protection, and network protection activity attack simulation.
The project web end security vulnerability testing system can scan and attack security vulnerabilities of web pages in existing projects through the web page vulnerability detection method provided by the embodiment of the application, automatically crawl web page resources, detect code vulnerabilities, generate attack codes and inject the attack codes, save time cost and learning cost for developers to write vulnerability testing scripts by themselves, and can automatically and efficiently scan, analyze and attack front end security vulnerabilities existing in the system.
By analyzing the attack characteristics of XSS and CSRF attacks and utilizing the high concurrency low delay characteristic of node.js based on the webpage vulnerability detection method provided by the embodiment of the application, a real-time security attack and defense drilling system of a web end can be designed in an extending way.
In a network protection activity attack simulation scene, the method for detecting the webpage vulnerability can simulate the attack behavior of the network protection activity, carry out self-test and self-check of the network security vulnerability on a group website, early warn in advance and repair the security vulnerability in time. Meanwhile, a protection module can be added in the future, and automatic detection and attack and defense are integrated.
In the specific implementation manner of the present application, the data related to the web page information, the user information, etc. need to be approved or agreed when the above embodiments of the present application are applied to specific products or technologies, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related countries and regions.
Based on the above application scenarios, the web page vulnerability detection method provided by the exemplary embodiment of the present application is described below with reference to the above application scenarios and according to the accompanying drawings, it should be noted that the above application scenarios are only shown for facilitating understanding of the spirit and principle of the present application, and the embodiments of the present application are not limited in this respect.
Referring to fig. 2, fig. 2 is a flowchart of a method for detecting a webpage vulnerability provided in an embodiment of the present application, including the following steps:
Step S200, receiving a webpage access instruction, and acquiring response webpage resources of a corresponding response page.
Step S201, extracting a target script in the response webpage resource and extracting the target script characteristic of the target script.
In the embodiment of the application, a first script extractor (JavaScript Extractor) is used for extracting the target script from the response webpage resource, and a first feature extractor (Features Extractor) is used for extracting the target script characteristics from the target script.
In one possible implementation manner, a hash algorithm is used to extract a first method definition and a first call signature contained in the target script, and the first method definition and the first call signature are used as target script characteristics.
Step S202, matching the target script characteristics with the original script characteristics stored in the database, and detecting webpage vulnerabilities of the response page based on the matching result.
That is, the target script characteristics of the response page are compared for deviation against the original script characteristics stored in the database. The database comprises three tables: a page table, a script table and a characteristics table. The page table contains all URL pages of the Web application and the number of scripts in each page; the script table contains the script identifier, script number and script vulnerability type, and its content page URL is also the type of the script; the characteristics table contains all original script characteristics extracted from the method definitions and call signatures of each script. In other words, in the embodiment of the present application, the database stores the correspondence between the script number and the original script characteristics, the vulnerability type and the vulnerability level.
In a possible implementation manner, when detecting a page vulnerability of the response page based on the matching result: if the matching result indicates that the target script characteristics match the original script characteristics, the target script of the response page has the same script number as one stored in the database, and the vulnerability type stored in the database for the matched original script characteristics is taken as the target vulnerability type of the page vulnerability of the response page. Vulnerability test code corresponding to the script vulnerability is generated based on the target vulnerability type, the generated vulnerability test code is injected, and the embedded point is tested when a target object accesses the target webpage to obtain a test result, which is stored in the log management component of the Node server. The test result comprises the running condition of the vulnerability test code and the target object information.
In the embodiment of the application, the generated vulnerability test code can be injected as common stored XSS, or it can be injected in an inline script.
When the inline script is injected, the following method can be adopted:
In the text embedded in HTML, a script tag is used to form the injected vulnerability test code, and in the connected JavaScript, the spliced data breaks through the original limitation (character string, variable, method name and the like);
Vulnerability test code is injected into tag attributes by using other attributes or tags, where the vulnerability test code contains quotation marks so that the limit of the attribute value is broken through; executable code such as JavaScript is contained in tag attributes such as href and src;
Vulnerability test code is injected in interaction events triggered by user input or clicks, such as onload(), onerror(), onclick() and the like;
Vulnerability test code is injected into the style attribute and tag; code in the style attribute and tag that resembles background-image: url("javascript:...") can generate a CSRF attack, because the src attribute of the image style can ignore the restrictions of the same-origin policy (newer client versions already guard against this).
In the embodiment of the application, the embedded point is stored in the target client server, and a user logs in to access the target server and reads the test code, so that the user is attacked.
In a possible implementation manner, a Node server is deployed with a log management component, which is used for recording the running condition of a vulnerability test code and target object information, so as to analyze website vulnerabilities. Wherein:
The back-end joint debugging environment is configured, a MySQL database is configured to serve as the log management component, and K/V key-value pairs are used for caching data, so that efficiency is high and running speed is fast.
The attach-Time, attach-Spot, user cookie and GET/POST request contents obtained by intercepting the user request (for a GET request the URL is read directly; for a POST request the body-Query is read) are returned to the Node server and stored in the log management component; at the same time, the log file is examined and the vulnerabilities present in the website are classified and graded. Referring to fig. 3, fig. 3 is a schematic diagram of webpage vulnerability detection provided in the embodiment of the present application.
In another possible implementation manner, if the matching result is used for representing that the target script characteristics are not matched with the original script characteristics, it is indicated that the target script of the response page is different from the script numbers stored in the database, and it is determined that the response page has no page vulnerability.
It should be noted that, there may be a difference in script numbers caused by a new injected script, or a difference in script numbers caused by a new existing method call; therefore, in the case of determining that the script numbers are different, a method caller should be determined to distinguish between the original and the responding method callers to determine the reason for the difference in script numbers and to do further analysis.
In the embodiment of the application, in order to ensure the accuracy of webpage vulnerability detection, a training stage and a detection stage are set, wherein the training stage is an initialization stage of the detection stage and is used for determining the corresponding relation between the script number stored in a database and the original script characteristics, the vulnerability type and the vulnerability grade so as to be used in the detection stage; the detection stage is used for detecting the webpage bugs, and relates to the steps of characteristic extraction, bug classification, bug test code generation and injection, and the like, and the detection stage can be specifically referred to the contents shown in fig. 2 and fig. 3.
In order to implement the webpage vulnerability detection method, node server deployment is firstly carried out. Illustratively, the Node environment is configured, and a package management system API is used to download a related resource package, where the resource package includes: a crawler toolkit, a URL module resource package and a fs module resource package; that is, a crawler tool, a URL module and an fs module are configured in the Node server.
In the embodiment of the application, the web crawler uses puppeteer, a Node library that controls headless Chrome through the DevTools protocol and can simulate user behavior to perform client operations. The URL module is a built-in Node resource library that can acquire, read and write the URL of a webpage. The fs module is Node's file read-write module. Asynchronous crawling and copying of resources from the target website is therefore performed with the puppeteer crawler package and the fs module.
In the embodiment of the application, a crawler tool is used to crawl website resources and all webpage resources contained in a website. Illustratively, async/await functions are used for asynchronous crawling of the selected website resources, and APIs such as puppeteer.launch(), browser.newPage() and browser.close() are used for client-side operation to obtain website resources. Selecting a specific href address by using a page () method, going to a specified website, directly acquiring corresponding webpage resources, or entering by using a page.
After the website resources and the webpage resources of the webpages under the website are acquired, the acquired resources are written with fs.writeFile() into a file storage space created with fs.mkdir() of the fs module.
In the embodiment of the application, the crawler acquires the resources so as to detect and analyze common vulnerability types in the webpage, so that the vulnerability can be used in the detection stage.
Therefore, the fs module API of the Node is used for reading the webpage resources, and cyclic search is carried out through the regular form of the keywords to judge the vulnerability type.
Illustratively, a Spider component uses fs.readFile() to traverse the file directory stored through the fs module and read the files, and selects the specified webpage resource corresponding to the URL of the webpage to be supervised and detected; that is, the executed webpage resource crawled by the front end is extracted. Fig. 4 is a schematic diagram of a webpage resource template provided by the embodiment of the present application.
After the webpage resources are obtained, a second script extractor (script Extractor) extracts a legal script from the specified webpage resources and assigns it a script number; the source code of the legal script is then analyzed, vulnerability detection is performed on it, and the vulnerability type is determined. Exemplarily, regular-expression keyword matching is used to search for keywords such as textArea, contenteditable and img, and the vulnerability type corresponding to the legal script is determined based on a mapping between keywords and vulnerability types. The vulnerability types mainly include: inline script, local source insertion, remote source insertion, handler event processing, and URL attributes.
After the vulnerability type is obtained, it is also necessary to determine which script the vulnerability type belongs to, or which script characteristic has the vulnerability type, so in the embodiment of the present application, a second feature Extractor (Features Extractor) is used to perform code feature extraction analysis, and the main function of this step is to extract the original script characteristic included in the legal script code by using a hash algorithm. Since the number of scripts on a page is not sufficient to determine whether or not there are injected scripts, there is no way to determine where the scripts appear on the page. To this end, the second method definition and the second call signature are extracted from the legitimate script as the original script characteristics of the legitimate script. Illustratively, the Node parser is utilized to extract the method name, parameters, hash code and parameters of its implementation. Wherein, the method definition is divided into three categories: user-defined naming functions, anonymous methods, and host object methods. The characteristics of each type of extraction are: the method name, the number of arguments and its arguments, and the hash of the code to be executed by the function. There are generally two types of calls to JavaScript functions: simple functions and nested functions; where a simple type is called when a function has an argument, a nested type means that the function parameter is another function. The object caller characteristics are added to solve the method call injection attack, so that the attack characteristics of different scripts are extracted.
And finally, determining the original script characteristics and the vulnerability types corresponding to the script numbers and storing the original script characteristics and the vulnerability types into a database based on the script numbers of the legal scripts, the vulnerability types of the legal scripts and the original script characteristics of the legal scripts.
Referring to fig. 5, fig. 5 is a flowchart of another specific implementation method for detecting a webpage vulnerability according to an embodiment of the present application; as can be seen from fig. 5:
in the training stage, firstly, a selected webpage resource is obtained by a crawler, then a legal script is extracted from the selected webpage resource obtained by the crawler by using a script Extractor, then the characteristics of the legal script are extracted by using a Features Extractor to obtain the characteristics of an original script, keywords in the legal script are analyzed to determine the vulnerability type, and finally the vulnerability type and the characteristics of the original script are stored in a database;
in the detection stage, a response page is obtained, a target script is extracted from the response page by using a Javascript Extractor, the characteristics of the target script are extracted by using a Features Extractor to obtain the characteristics of the target script, then the characteristics of the target script are compared with the characteristics of an original script stored in a database to judge whether deviation exists or not, if the deviation exists, vulnerability type analysis is carried out, vulnerability test codes are generated based on the vulnerability types to carry out vulnerability injection, and if the deviation does not exist, the server normally responds.
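The training and detection stages described above, as an added Node.js example that is not code from the patent; it follows the fig. 5 reading in which a deviation from the stored features is what gets flagged. Assumptions: a regex and bracket scan stands in for the Node parser, SHA-256 for the unspecified hash algorithm, an in-memory Map for the database; the sample pages are constructed and all function names are hypothetical.

```javascript
const { createHash } = require("node:crypto");
// Assumption: SHA-256 stands in for the patent's unspecified "hash algorithm".
const sha256 = (text) => createHash("sha256").update(text).digest("hex");
// Collapse whitespace so that reformatting alone is not reported as a deviation.
const normalize = (code) => code.replace(/\s+/g, " ").trim();

// Script extractor: bodies of inline <script> elements.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]).filter((code) => code.trim());
}

// Text between the bracket at index `open` and its matching close, or null if unbalanced.
// Limit of this scan: brackets and commas inside string literals are counted too.
function balanced(src, open) {
  const close = src[open] === "(" ? ")" : "}";
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === src[open]) depth++;
    else if (src[i] === close && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// Number of top-level, comma-separated arguments.
function countArgs(argText) {
  if (!argText.trim()) return 0;
  let depth = 0, count = 1;
  for (const ch of argText) {
    if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) depth--;
    else if (ch === "," && depth === 0) count++;
  }
  return count;
}
const NOT_CALLS = new Set(["function", "if", "for", "while", "switch", "catch", "return"]);

// Features extractor: method definitions and call signatures of one script.
function extractFeatures(script) {
  const features = new Set();
  let m;
  // Method definition: name (or <anonymous>), argument count, hash of the normalized body.
  const defRe = /\bfunction\b\s*([\w$]*)\s*\(/g;
  while ((m = defRe.exec(script)) !== null) {
    const parenAt = defRe.lastIndex - 1;
    const params = balanced(script, parenAt);
    if (params === null) continue;
    const braceAt = script.indexOf("{", parenAt + params.length + 2);
    const body = braceAt < 0 ? null : balanced(script, braceAt);
    if (body === null) continue;
    features.add(`def:${m[1] || "<anonymous>"}/${countArgs(params)}:${sha256(normalize(body))}`);
  }
  // Call signature: callee with its object caller, argument count, simple or nested
  // (nested here = an argument is itself a function or a call).
  const callRe = /([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\(/g;
  while ((m = callRe.exec(script)) !== null) {
    if (NOT_CALLS.has(m[1])) continue;
    if (/\bfunction\s*$/.test(script.slice(0, m.index))) continue; // definition, not a call
    const args = balanced(script, callRe.lastIndex - 1);
    if (args === null) continue;
    const kind = /\bfunction\b|=>|[\w$]\s*\(/.test(args) ? "nested" : "simple";
    features.add(`call:${m[1]}/${countArgs(args)}:${kind}`);
  }
  return features;
}

// Training stage: number each legal script and store its features (the "database").
function train(html) {
  const db = new Map();
  extractScripts(html).forEach((code, i) => db.set(i + 1, extractFeatures(code)));
  return db;
}

// Detection stage: features of the response page that no stored script has are deviations.
function detect(db, html) {
  const known = new Set([...db.values()].flatMap((f) => [...f]));
  return extractScripts(html)
    .flatMap((code) => [...extractFeatures(code)])
    .filter((f) => !known.has(f));
}

// Constructed sample pages (not from the patent).
const BASELINE_PAGE = `<html><body><script>
function greet(name) { return "Hello, " + name; }
document.getElementById("out").textContent = greet("world");
</script></body></html>`;
// Whitespace-only change: no deviation expected.
const REFORMATTED_PAGE = BASELINE_PAGE.replace(/; /g, ";\n  ");
// A second script redefines greet and adds a call the baseline never made.
const TAMPERED_PAGE = BASELINE_PAGE.replace("</body>",
  `<script>function greet(name) { return "changed " + name; }
report(greet("x"), function () { return 1; });</script></body>`);
const baselineDb = train(BASELINE_PAGE);
console.log(detect(baselineDb, TAMPERED_PAGE));
```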
The application has the following effects:
1. The traditional practice of developing security vulnerability attack systems with JavaScript, in which the function is single and joint debugging with a database is complex, is broken. Node.js expands the function of JavaScript, giving it characteristics such as I/O and fs, so that it can simultaneously have the capabilities of DOM operation, I/O, file reading and writing, database (server side) operation and the like. Thus, there are unique advantages to using Node in I/O-intensive web development operations.
2. When a security test is carried out, a developer generally writes a test script to detect the vulnerability, a process that is complicated and time-consuming; the code is automatically crawled, detected, classified and attacked by designing a node.
3. The code detection stage is divided into a training stage and a detection stage. The training stage uses a hash algorithm to define a vulnerability extraction function so as to detect, analyze and classify code vulnerabilities; whether vulnerabilities exist is determined by comparing the extracted target script characteristics of a response page with the original script characteristics stored in a database for deviation, so that the operation is simple.
4. The existing mainstream anti-attack method is to strictly check the user interaction component and not allow HTML tags, inline JS statements and the like to be input.
Based on the same inventive concept, an embodiment of the present application further provides a web page vulnerability detection apparatus 600, as shown in fig. 6, the web page vulnerability detection apparatus 600 includes:
a receiving unit 601, configured to receive a web page access instruction, and obtain a response web page resource of a corresponding response page;
an extracting unit 602, configured to extract a target script in the response web resource, and extract a target script characteristic of the target script;
and the matching detection unit 603 is configured to match the target script characteristics with the original script characteristics stored in the database, and detect a webpage vulnerability of the response page based on a matching result.
In a possible implementation manner, the extracting unit 602 is specifically configured to:
and extracting the first method definition and the first call signature from the target script by using a hash algorithm, and taking the first method definition and the first call signature as target script characteristics.
In a possible implementation manner, the matching detection unit 603 is specifically configured to:
if the matching result indicates that the target script characteristics match the original script characteristics, the vulnerability type that is stored in the database and matches the original script characteristics is used as the target vulnerability type of the page vulnerability of the response page;
and if the matching result indicates that the target script characteristics do not match the original script characteristics, determining that the response page has no page vulnerability.
In a possible implementation manner, the matching detection unit 603 is further configured to:
after the vulnerability type matched with the original script characteristics and stored in the database is used as a target vulnerability type of the page vulnerability of the response page, adopting configured vulnerability test codes to carry out vulnerability injection aiming at the target vulnerability type, and testing the buried point vulnerability of the response page to obtain a test result; the test result comprises the running condition of the vulnerability test code and target object information;
and storing the test result into a log management component of the Node server.
In a possible implementation manner, the matching detection unit 603 is specifically configured to:
in text embedded in Hypertext Markup Language (HTML), using the configured vulnerability test code to perform vulnerability injection through a tag; or
in an input or click interaction event, using the configured vulnerability test code to perform vulnerability injection.
In one possible implementation manner, the database stores the script number, and the original script characteristic, the vulnerability type and the vulnerability grade corresponding to the script number.
In a possible implementation manner, the original script characteristics and the vulnerability types corresponding to the script numbers are determined in the following manner:
acquiring selected website resources through a crawler tool deployed in a Node server, wherein the selected website resources comprise website resources and specified webpage resources contained in a website;
selecting a designated webpage resource corresponding to the URL of the webpage to be monitored and detected from the selected website resources;
extracting a legal script from the selected specified webpage resource, and giving a script number to the legal script;
determining keywords contained in a legal script by adopting a regular keyword matching search mode, and determining a vulnerability type corresponding to the legal script based on a mapping relation between the keywords and the vulnerability type;
extracting a second method definition and a second calling signature from the legal script by using a Hash algorithm, and taking the second method definition and the second calling signature as the original script characteristics of the legal script;
and determining the original script characteristics and the vulnerability types corresponding to the script numbers based on the script numbers of the legal scripts, the vulnerability types of the legal scripts and the original script characteristics of the legal scripts.
For convenience of description, the above parts are separately described as units (or modules) according to functional division. Of course, the functionality of the various elements (or modules) may be implemented in the same one or more pieces of software or hardware in practicing the present application.
After introducing the method and apparatus for detecting webpage vulnerabilities according to the exemplary embodiments of the present application, a computing device according to another exemplary embodiment of the present application is introduced next.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
In one possible implementation, a computing device provided by an embodiment of the present application may include at least a processor and a memory. The memory stores program code, and when the program code is executed by the processor, the processor is enabled to execute any step of the webpage vulnerability detection method according to various exemplary embodiments of the present application.
In this embodiment, the structure of the computing device may be as shown in fig. 7, including: a memory 701, a communication module 703, and one or more processors 702.
A memory 701 for storing a computer program executed by the processor 702. The memory 701 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, a program required for running an instant messaging function, and the like; the storage data area can store various instant messaging information, operation instruction sets and the like.
The memory 701 may be a volatile memory, such as a random-access memory (RAM); the memory 701 may also be a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 701 may be any other medium that can be used to carry or store a desired computer program in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 701 may also be a combination of the above.
The processor 702 may include one or more Central Processing Units (CPUs), a digital processing unit, or the like. The processor 702 is configured to implement the above-described method for detecting a web page vulnerability when calling a computer program stored in the memory 701.
The communication module 703 is used for communicating with the terminal device and other servers.
In the embodiment of the present application, the specific connection medium among the memory 701, the communication module 703 and the processor 702 is not limited. In fig. 7, the memory 701 and the processor 702 are connected by a bus 704, the bus 704 is depicted by a thick line in fig. 7, and the connection manner between other components is merely illustrative and not limited. The bus 704 may be divided into an address bus, a data bus, a control bus, and the like. For ease of description, only one thick line is depicted in fig. 7, but not only one bus or one type of bus.
The memory 701 stores a computer storage medium, and the computer storage medium stores computer-executable instructions, which are used to implement the webpage vulnerability detection method according to the embodiment of the present application. The processor 702 is configured to execute the above-described webpage vulnerability detection method.
In some possible embodiments, the aspects of the web page vulnerability detection method provided by the present application may also be implemented in the form of a program product, which includes program code for causing a computer device to perform the steps of the web page vulnerability detection method according to various exemplary embodiments of the present application described above in this specification when the program product is run on the computer device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for detecting webpage bugs of the embodiments of the present application may employ a portable compact disk read-only memory (CD-ROM) and include program code, and may be run on a computing device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a command execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with a command execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user's equipment, as a stand-alone software package, partly on the user computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit, according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided into embodiments by a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the scope of the present application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (11)

1. A webpage vulnerability detection method is characterized by comprising the following steps:
receiving a webpage access instruction, and acquiring response webpage resources of a corresponding response page;
extracting a target script in the response webpage resource and extracting the target script characteristic of the target script;
and matching the target script characteristics with the original script characteristics stored in a database, and detecting the webpage vulnerability of the response page based on the matching result.
2. The method of claim 1, wherein extracting target script characteristics of a target script comprises:
and extracting a first method definition and a first call signature from the target script by using a hash algorithm, and taking the first method definition and the first call signature as the target script characteristics.
3. The method of claim 1, wherein the detecting the page vulnerability of the response page based on the matching result comprises:
if the matching result indicates that the target script characteristics match the original script characteristics, the vulnerability type that is stored in the database and matches the original script characteristics is used as the target vulnerability type of the page vulnerability of the response page;
and if the matching result indicates that the target script characteristics do not match the original script characteristics, determining that the response page has no page vulnerability.
4. The method of claim 3, wherein after the using the vulnerability type stored in the database that matches the original script characteristics as a target vulnerability type of a page vulnerability of the response page, further comprises:
aiming at the target vulnerability type, adopting configured vulnerability testing codes to carry out vulnerability injection, and testing the buried point vulnerability of the response page to obtain a testing result; the test result comprises the running condition of the vulnerability test code and target object information;
and storing the test result into a log management component of the Node server.
5. The method of claim 4, wherein the vulnerability injection using the configured vulnerability test code comprises:
in text embedded in Hypertext Markup Language (HTML), using the configured vulnerability test code to perform vulnerability injection through a tag; or
in an input or click interaction event, using the configured vulnerability test code to perform vulnerability injection.
6. The method of claim 1, wherein the database stores script numbers, and original script characteristics, vulnerability types, and vulnerability grades corresponding to the script numbers.
7. The method of claim 6, wherein the original script property and vulnerability type corresponding to the script number are determined by:
acquiring selected website resources through a crawler tool deployed in a Node server, wherein the selected website resources comprise website resources and specified webpage resources contained in a website;
selecting a specified webpage resource corresponding to the URL of the webpage to be monitored and detected from the selected website resources;
extracting a legal script from the selected specified webpage resource, and giving a script number to the legal script;
determining keywords contained in the legal script by adopting a regular keyword matching search mode, and determining the vulnerability type corresponding to the legal script based on the mapping relation between the keywords and the vulnerability type;
extracting a second method definition and a second calling signature from the legal script by using a hash algorithm, and taking the second method definition and the second calling signature as the original script characteristics of the legal script;
and determining the original script characteristics and the vulnerability types corresponding to the script numbers based on the script numbers of the legal scripts, the vulnerability types of the legal scripts and the original script characteristics of the legal scripts.
8. A webpage vulnerability detection device, the device comprising:
the receiving unit is used for receiving the webpage access instruction and acquiring the response webpage resource of the corresponding response page;
the extraction unit is used for extracting a target script in the response webpage resource and extracting the target script characteristic of the target script;
and the matching detection unit is used for matching the target script characteristics with the original script characteristics stored in the database and detecting the webpage vulnerability of the response page based on the matching result.
9. A computing device, comprising: a memory and a processor, wherein:
the memory for storing a computer program;
the processor, configured to execute the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
11. A computer program product comprising computer instructions which, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 7.
CN202211663405.4A 2022-12-23 2022-12-23 Webpage vulnerability detection method, device, equipment and storage medium Pending CN115987638A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211663405.4A CN115987638A (en) 2022-12-23 2022-12-23 Webpage vulnerability detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115987638A true CN115987638A (en) 2023-04-18

Family

ID=85973467

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211663405.4A Pending CN115987638A (en) 2022-12-23 2022-12-23 Webpage vulnerability detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115987638A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118631583A (en) * 2024-07-18 2024-09-10 杭州孝道科技有限公司 Web application vulnerability association method, system, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination