CN118051920B

CN118051920B - A method, device, equipment and storage medium for generating a vulnerability verification request package

Info

Publication number: CN118051920B
Application number: CN202410454890.7A
Authority: CN
Inventors: 王乐; 王瑞峰; 梁栋; 程进; 陈路; 聂万泉; 魏兴国; 汪利辉
Original assignee: Hangzhou Moan Technology Co ltd
Current assignee: Hangzhou Moan Technology Co ltd
Priority date: 2024-04-16
Filing date: 2024-04-16
Publication date: 2024-07-02
Anticipated expiration: 2044-04-16
Also published as: CN118051920A

Abstract

The present application discloses a method, device, equipment and storage medium for generating a vulnerability verification request packet, and relates to the field of network information security technology. The method comprises: using an interactive application security testing tool to detect an application to be tested to obtain vulnerability data in the application to be tested; classifying a taint tracking data stream, and filtering the taint tracking data stream according to the classification result; traversing the filtered taint tracking data stream to obtain a data stream that truly contains taint information, and determining target taint source information; using several large language models to train the information of the test request packet, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request packet; determining the final template of the vulnerability verification request packet, and inputting the information of the test request packet, the target taint source information and the vulnerability type into the final template to obtain the target vulnerability verification request packet. The present application improves the accuracy of automatic vulnerability verification and the efficiency of vulnerability verification to a certain extent.

Description

A method, device, equipment and storage medium for generating a vulnerability verification request package

技术领域Technical Field

本申请涉及网络信息安全技术领域，尤其涉及一种漏洞验证请求包生成方法、装置、设备及存储介质。The present application relates to the field of network information security technology, and in particular to a vulnerability verification request packet generation method, device, equipment and storage medium.

背景技术Background technique

IAST（Interactive Application Security Testing）是一种在应用自动化识别和诊断软件漏洞的技术，能够实时监控检测应用程序的运行状态，深入分析应用程序内部逻辑和数据流，帮助发现应用程序的潜在安全威胁。IAST (Interactive Application Security Testing) is a technology that automatically identifies and diagnoses software vulnerabilities in applications. It can monitor and detect the running status of applications in real time, deeply analyze the internal logic and data flow of applications, and help discover potential security threats to applications.

大语言模型则具有强大的文本生成和理解能力，可以根据上下文生成符合语法和语义规则的文本。The large language model has powerful text generation and understanding capabilities, and can generate text that conforms to grammatical and semantic rules based on the context.

但传统的漏洞验证方法通常依赖于手工编写验证请求包，这种方法存在效率低、易出错等问题。However, traditional vulnerability verification methods usually rely on manually written verification request packages, which has problems such as low efficiency and prone to errors.

发明内容Summary of the invention

本申请提供的一种漏洞验证请求包生成方法，旨在解决现有技术中手写验证请求包存在的效率低、易出错等问题。The present application provides a method for generating a vulnerability verification request package, which aims to solve the problems of low efficiency and easy errors in handwritten verification request packages in the prior art.

为实现上述目的，本申请采用以下技术方案：To achieve the above objectives, this application adopts the following technical solutions:

本申请的一种漏洞验证请求包生成方法，包括以下步骤：A vulnerability verification request packet generation method of the present application includes the following steps:

利用交互式应用安全测试工具检测待测应用，得到所述待测应用中的漏洞数据，所述漏洞数据包含污点跟踪数据流、测试请求包和漏洞类型；Using an interactive application security testing tool to detect the application to be tested, and obtaining vulnerability data in the application to be tested, wherein the vulnerability data includes a taint tracking data flow, a test request packet, and a vulnerability type;

根据污点与漏洞参数的相对关系对所述污点跟踪数据流进行分类，并根据分类结果对所述污点跟踪数据流进行过滤；Classifying the taint tracking data stream according to the relative relationship between the taint and the vulnerability parameter, and filtering the taint tracking data stream according to the classification result;

遍历过滤后的污点跟踪数据流得到真正含有污点信息的数据流，并据此确定目标污点源信息；Traverse the filtered taint tracking data stream to obtain the data stream that actually contains taint information, and determine the target taint source information based on it;

利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到漏洞验证请求包的多个备选模板；Using several large language models to respectively train the information of the test request package, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request package;

根据所述多个备选模板确定所述漏洞验证请求包的最终模板，并将所述测试请求包的信息、目标污点源信息和漏洞类型输入所述最终模板中，得到目标漏洞验证请求包。The final template of the vulnerability verification request package is determined according to the multiple candidate templates, and the information of the test request package, the target taint source information and the vulnerability type are input into the final template to obtain the target vulnerability verification request package.

作为优选，所述污点跟踪数据流包含污点源信息、污点传播信息和污点汇聚点信息；Preferably, the taint tracking data stream includes taint source information, taint propagation information and taint sink information;

所述污点源信息包含用于获取请求参数数值的执行方法、代码位置、漏洞参数和污点。The taint source information includes an execution method for obtaining a request parameter value, a code location, a vulnerability parameter, and a taint.

作为优选，所述根据污点与漏洞参数的相对关系对所述污点跟踪数据流进行分类，并根据分类结果对所述污点跟踪数据流进行过滤，包括：Preferably, the classifying the taint tracking data stream according to the relative relationship between the taint and the vulnerability parameter, and filtering the taint tracking data stream according to the classification result, comprises:

判断所述漏洞参数与污点是否为同一个值，于所述漏洞参数与污点为同一个值时，将所述污点源信息中的代码位置和漏洞参数删除；Determine whether the vulnerability parameter and the taint are the same value, and if the vulnerability parameter and the taint are the same value, delete the code position and the vulnerability parameter in the taint source information;

于所述漏洞参数与污点不为同一个值时，将所述污点源信息中的代码位置删除。When the vulnerability parameter and the taint are not the same value, the code position in the taint source information is deleted.

作为优选，所述遍历过滤后的污点跟踪数据流得到真正含有污点信息的数据流，并据此确定目标污点源信息，包括：Preferably, the traversing the filtered taint tracking data stream to obtain a data stream that actually contains taint information, and determining the target taint source information accordingly, includes:

通过执行函数数据签名的方式来获取过滤后的污点跟踪数据流中真正含有污点信息的数据流，并将其中第一个含有数据签名的污点传播信息或污点汇聚点信息作为目标污点源信息。The data stream that actually contains taint information in the filtered taint tracking data stream is obtained by executing the function data signature, and the first taint propagation information or taint convergence point information containing the data signature is used as the target taint source information.

作为优选，所述利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到漏洞验证请求包的多个备选模板，包括：Preferably, the method of using several large language models to respectively train the information of the test request packet, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request packet includes:

根据所述测试请求包的信息、目标污点源信息和漏洞类型编写漏洞验证请求包的基础模板；Write a basic template for a vulnerability verification request package according to the information of the test request package, the target taint source information and the vulnerability type;

基于所述基础模板，利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到所述漏洞验证请求包的多个备选模板。Based on the basic template, several large language models are used to train the information of the test request package, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request package.

作为优选，所述根据所述多个备选模板确定所述漏洞验证请求包的最终模板，包括：Preferably, the determining a final template of the vulnerability verification request packet according to the multiple candidate templates includes:

获取测试数据，将所述测试数据分别输入所述多个备选模板中得到若干输出结果，并将输出的结果最符合预设条件的备选模板作为所述漏洞验证请求包的最终模板。Acquire test data, input the test data into the multiple candidate templates respectively to obtain several output results, and use the candidate template whose output result best meets the preset conditions as the final template of the vulnerability verification request package.

一种漏洞验证请求包生成装置，包括：A vulnerability verification request packet generating device, comprising:

检测模块，用于利用交互式应用安全测试工具检测待测应用，得到所述待测应用中的漏洞数据，所述漏洞数据包含污点跟踪数据流、测试请求包和漏洞类型；A detection module, used to detect the application to be tested using an interactive application security testing tool to obtain vulnerability data in the application to be tested, wherein the vulnerability data includes a taint tracking data flow, a test request packet, and a vulnerability type;

预处理模块，用于根据污点与漏洞参数的相对关系对所述污点跟踪数据流进行分类，并根据分类结果对所述污点跟踪数据流进行过滤；A preprocessing module, used for classifying the taint tracking data stream according to the relative relationship between the taint and the vulnerability parameter, and filtering the taint tracking data stream according to the classification result;

遍历模块，用于遍历过滤后的污点跟踪数据流得到真正含有污点信息的数据流，并据此确定目标污点源信息；The traversal module is used to traverse the filtered taint tracking data stream to obtain the data stream that actually contains taint information, and determine the target taint source information accordingly;

训练模块，用于利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到漏洞验证请求包的多个备选模板；A training module, used to use several large language models to respectively train the information of the test request package, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request package;

输出模块，用于根据所述多个备选模板确定所述漏洞验证请求包的最终模板，并将所述测试请求包的信息、目标污点源信息和漏洞类型输入所述最终模板中，得到目标漏洞验证请求包。The output module is used to determine the final template of the vulnerability verification request package according to the multiple candidate templates, and input the information of the test request package, the target taint source information and the vulnerability type into the final template to obtain the target vulnerability verification request package.

作为优选，所述训练模块包括：Preferably, the training module comprises:

编写单元，用于根据所述测试请求包的信息、目标污点源信息和漏洞类型编写漏洞验证请求包的基础模板；A writing unit, used to write a basic template of a vulnerability verification request package according to the information of the test request package, the target taint source information and the vulnerability type;

训练单元，用于基于所述基础模板，利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到所述漏洞验证请求包的多个备选模板。The training unit is used to train the information of the test request package, the target taint source information and the vulnerability type based on the basic template using several large language models to obtain multiple candidate templates of the vulnerability verification request package.

一种电子设备，包括存储器和处理器，所述存储器用于存储一条或多条计算机指令，其中，所述一条或多条计算机指令被所述处理器执行以实现如上述中任一项所述的一种漏洞验证请求包生成方法。An electronic device comprises a memory and a processor, wherein the memory is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement a vulnerability verification request packet generation method as described in any one of the above.

一种存储有计算机程序的计算机可读存储介质，所述计算机程序使计算机执行时实现如上述中任一项所述的一种漏洞验证请求包生成方法。A computer-readable storage medium storing a computer program, wherein the computer program enables a computer to implement a vulnerability verification request packet generation method as described in any one of the above when executed.

本发明具有如下有益效果：The present invention has the following beneficial effects:

本申请将IAST工具扫描得到的污点跟踪数据流和大语言模型结合，可以生成更加符合实际场景的漏洞验证请求包，通过这种综合利用不同技术手段的方法，软件开发团队可以更加快速的发现、验证及修复潜在的漏洞，在一定程度上提高了漏洞验证的准确性和效率，与此同时其也降低了代码修复的技术门槛，提高了整体工作效率。This application combines the taint tracking data stream obtained by scanning with the IAST tool and the large language model to generate a vulnerability verification request package that is more in line with the actual scenario. Through this method of comprehensive utilization of different technical means, the software development team can more quickly discover, verify and repair potential vulnerabilities, which improves the accuracy and efficiency of vulnerability verification to a certain extent. At the same time, it also lowers the technical threshold for code repair and improves overall work efficiency.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本申请实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本申请的一些实施例，对于本领域普通技术人员来讲，在不付出创造性劳动性的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings required for use in the embodiments or the description of the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application. For ordinary technicians in this field, other drawings can be obtained based on these drawings without paying creative labor.

图1是本申请一种漏洞验证请求包生成方法的示意图；FIG1 is a schematic diagram of a vulnerability verification request packet generation method of the present application;

图2是本申请一种漏洞验证请求包生成方法的流程图；FIG2 is a flow chart of a method for generating a vulnerability verification request packet in the present application;

图3是本申请一种漏洞验证请求包生成装置的示意图；FIG3 is a schematic diagram of a device for generating a vulnerability verification request packet according to the present application;

图4是本申请实现一种漏洞验证请求包生成方法的电子设备示意图。FIG4 is a schematic diagram of an electronic device implementing a method for generating a vulnerability verification request packet according to the present application.

具体实施方式Detailed ways

下面将结合附图，对本申请实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例仅仅是本申请一部分实施例，而不是全部的实施例。基于本申请中的实施例，本领域技术人员在没有做出创造性劳动前提下所获得的所有其他实施例，都属于本申请保护的范围。The following will be combined with the accompanying drawings to clearly and completely describe the technical solutions in the embodiments of the present application. Obviously, the described embodiments are only part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those skilled in the art without creative work are within the scope of protection of the present application.

本申请的权利要求书和说明书的术语“第一”、“第二”等是用于区别类似的对象，而不必用于描述特定的顺序或先后次序，应该理解这样使用的术语在适当情况下可以互换，这仅仅是描述本申请的实施例中对相同属性的对象在描述时所采用的区分方式，此外，术语“包括”和“具有”以及他们的任何变形，意图在于覆盖不排他的包含，以便包含一系列单元的过程、方法、系统、产品或设备不必限于那些单元，而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其他单元。The terms "first", "second", etc. in the claims and specification of the present application are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the terms used in this way are interchangeable under appropriate circumstances. This is merely a way of distinguishing objects with the same properties in the embodiments of the present application. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions, so that a process, method, system, product or apparatus that includes a series of units is not necessarily limited to those units, but may include other units not expressly listed or inherent to these processes, methods, products or apparatuses.

实施例1Example 1

如图1和图2所示，一种漏洞验证请求包生成方法，包括以下步骤：As shown in FIG. 1 and FIG. 2, a method for generating a vulnerability verification request packet includes the following steps:

S110、利用交互式应用安全测试工具检测待测应用，得到所述待测应用中的漏洞数据，所述漏洞数据包含污点跟踪数据流、测试请求包和漏洞类型；S110, using an interactive application security testing tool to detect the application to be tested, and obtaining vulnerability data in the application to be tested, wherein the vulnerability data includes a taint tracking data flow, a test request packet, and a vulnerability type;

S120、根据污点与漏洞参数的相对关系对所述污点跟踪数据流进行分类，并根据分类结果对所述污点跟踪数据流进行过滤；S120, classifying the taint tracking data flow according to the relative relationship between the taint and the vulnerability parameter, and filtering the taint tracking data flow according to the classification result;

S130、遍历过滤后的污点跟踪数据流得到真正含有污点信息的数据流，并据此确定目标污点源信息；S130, traversing the filtered taint tracking data stream to obtain the data stream that actually contains taint information, and determining the target taint source information accordingly;

S140、利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到漏洞验证请求包的多个备选模板；S140, using several large language models to respectively train the information of the test request packet, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request packet;

S150、根据所述多个备选模板确定所述漏洞验证请求包的最终模板，并将所述测试请求包的信息、目标污点源信息和漏洞类型输入所述最终模板中，得到目标漏洞验证请求包。S150. Determine a final template of the vulnerability verification request package according to the multiple candidate templates, and input the information of the test request package, the target taint source information and the vulnerability type into the final template to obtain a target vulnerability verification request package.

在本实施例中，先启动待测应用，接着利用交互式应用安全测试工具即IAST工具检测该待测应用，当待测应用中存在漏洞时，就可得到该待测应用中的漏洞数据，其中，漏洞数据包括污点跟踪数据流、请求数据包、代码位置信息、漏洞参数和漏洞类型等数据，优选地，污点跟踪数据流包括污点源即source点信息、污点传播信息和污点汇聚点即sink点信息，source点信息则包括用于获取请求参数数值的执行方法、代码位置、漏洞参数和污点，污点跟踪数据流和source点信息的具体结构如下：In this embodiment, the application to be tested is first started, and then the interactive application security testing tool, i.e., the IAST tool, is used to detect the application to be tested. When there is a vulnerability in the application to be tested, the vulnerability data in the application to be tested can be obtained, wherein the vulnerability data includes data such as taint tracking data flow, request data packet, code location information, vulnerability parameters, and vulnerability type. Preferably, the taint tracking data flow includes taint source, i.e., source point information, taint propagation information, and taint sink point information. The source point information includes an execution method for obtaining a request parameter value, a code location, vulnerability parameters, and taints. The specific structure of the taint tracking data flow and the source point information is as follows:

污点跟踪数据流：[Taint tracking data flow:

source点信息，Source point information,

污点传播信息1，Taint propagation information 1,

………

污点传播信息N，Taint propagation information N,

sink点信息Sink point information

]]

source点信息：{Source point information: {

执行方法：具体的执行方法，如java.lang.String[] org.apache.catalina.connector.RequestFacade.getParameterValues(java.lang.String)，Execution method: Specific execution method, such as java.lang.String[] org.apache.catalina.connector.RequestFacade.getParameterValues(java.lang.String),

代码位置：污点源的具体代码位置，如getParameterValues()@ServletWebRequest.java:153，Code location: The specific code location of the taint source, such as getParameterValues()@ServletWebRequest.java:153,

漏洞参数：具体的漏洞参数，如：username=123，Vulnerability parameters: specific vulnerability parameters, such as username=123,

污点：具体的污点值，如：123Taint: Specific taint value, such as: 123

}}

其中，执行方法的作用则是获取请求参数的数值，在Web开发中，HTTP请求可以包含多个相同名称的参数，getParameterValues函数用于获取这些参数的数组值；它还可以用于处理同名参数的情况，例如在表单提交时，如果有多个具有相同名称的输入字段，那么这些值将作为一个数组传递给后端；也可用于定位污点在请求包的位置，即定位其是请求头还是url还是请求体。同时，污点跟踪数据流中的source点信息、污点传播信息和sink信息的数据结构与上述source点信息相同。The function of the execute method is to obtain the value of the request parameter. In Web development, HTTP requests can contain multiple parameters with the same name. The getParameterValues function is used to obtain the array values of these parameters. It can also be used to handle the case of parameters with the same name. For example, when a form is submitted, if there are multiple input fields with the same name, these values will be passed to the backend as an array. It can also be used to locate the position of the taint in the request packet, that is, to locate whether it is the request header, URL, or request body. At the same time, the data structure of the source point information, taint propagation information, and sink information in the taint tracking data flow is the same as the above source point information.

此处还需要指出的是，污点分析可以抽象成一个三元组〈sources, sinks,sanitizers〉的形式,其中, source即污点源,代表直接引入不受信任的数据或者机密数据到系统中；sink即污点汇聚点,代表直接产生安全敏感操作即违反数据完整性或者泄露隐私数据到外界即违反数据保密性；sanitizer即无害处理，指污点经过过滤或者参数经过校验,代表通过数据加密或者移除危害操作等手段使数据传播不再对软件系统的信息安全产生危害，而IAST获取到的污点跟踪数据流就是把污点分析的过程给记录下来，污点的发现、污点的传播以及污点的执行就像一个证据链一样一步一步记录下来，因此不管污点处于哪个阶段，都会有对应的代码以及漏洞参数信息。It should also be pointed out here that taint analysis can be abstracted into a triple form of 〈sources, sinks, sanitizers〉, where source is the taint source, which represents the direct introduction of untrusted data or confidential data into the system; sink is the taint sink, which represents the direct generation of security-sensitive operations, namely, violation of data integrity or leakage of private data to the outside world, namely, violation of data confidentiality; sanitizer is harmless processing, which means that the taint has been filtered or the parameters have been verified, which means that data propagation will no longer pose a threat to the information security of the software system through data encryption or removal of harmful operations. The taint tracking data stream obtained by IAST records the process of taint analysis. The discovery, propagation and execution of taint are recorded step by step like a chain of evidence. Therefore, no matter which stage the taint is in, there will be corresponding code and vulnerability parameter information.

接下来，根据污点与漏洞参数的相对关系对得到的污点跟踪数据流进行第一次预处理。Next, the obtained taint tracking data stream is preprocessed for the first time according to the relative relationship between the taint and the vulnerability parameters.

具体地，判断所述漏洞参数与污点是否为同一个值，于所述漏洞参数与污点为同一个值时，将所述污点源信息中的代码位置和漏洞参数删除；Specifically, determining whether the vulnerability parameter and the taint are the same value, and when the vulnerability parameter and the taint are the same value, deleting the code position and the vulnerability parameter in the taint source information;

第一次预处理是先判断该污点跟踪数据流source点信息中的漏洞参数与污点是否为同一个值，以此对该污点跟踪数据流进行分类，如果其source点信息中的漏洞参数与污点为同一个值，则直接将source点信息中的代码位置和漏洞参数删除，只保留执行方法和污点，预处理后的source点信息结构如下：The first preprocessing is to determine whether the vulnerability parameter in the source point information of the taint tracking data flow is the same as the taint, so as to classify the taint tracking data flow. If the vulnerability parameter in the source point information is the same as the taint, the code position and vulnerability parameter in the source point information are directly deleted, and only the execution method and taint are retained. The structure of the source point information after preprocessing is as follows:

source点信息：{Source point information: {

}}

如果其source点信息中的漏洞参数与污点不为同一个值，则代码位置属于干扰数据，就直接过滤掉source点信息中的代码位置，预处理后的source点信息结构如下：If the vulnerability parameter in the source point information is not the same as the taint value, the code position is considered interference data, and the code position in the source point information is directly filtered out. The structure of the source point information after preprocessing is as follows:

source点信息：{Source point information: {

}}

但由于污点跟踪数据流中source点的执行方法如getInputStream没有具体的污点信息，所以需要对整个污点跟踪数据流进行遍历以寻找真正的含有污点信息的数据流作为目标source点信息，getParameterValues和getInputStream都是source点的执行方法，此处以getInputStream为例是因为其在source点没有明确显示污点的具体信息，需要再传播信息或者sink点信息去寻找即进行第二次预处理。However, since the execution methods of the source point in the taint tracking data stream, such as getInputStream, do not have specific taint information, it is necessary to traverse the entire taint tracking data stream to find the data stream that actually contains taint information as the target source point information. getParameterValues and getInputStream are both execution methods of the source point. GetInputStream is used as an example here because it does not clearly display the specific information of the taint at the source point, and it is necessary to propagate information or sink point information to find it, that is, perform a second preprocessing.

具体地，通过执行函数数据签名的方式来获取过滤后的污点跟踪数据流中真正含有污点信息的数据流，并将其中第一个含有数据签名的污点传播信息或污点汇聚点信息作为目标污点源信息。Specifically, the data stream that actually contains taint information in the filtered taint tracking data stream is obtained by executing the function data signature, and the first taint propagation information or taint convergence point information containing the data signature is used as the target taint source information.

寻找真正污点信息的数据流可以使用执行函数数据签名的方式，如执行函数为“com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText”是指获取具体污点的函数，然后将真正含有污点信息的数据流中第一个含有数据签名的污点传播信息或sink点信息作为修正后的source点信息即目标source点信息，目标source点信息举例如下：To find the data stream with real tainted information, you can use the execution function data signature method. For example, the execution function "com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText" refers to the function for obtaining specific taints. Then, the first taint propagation information or sink point information containing the data signature in the data stream that actually contains tainted information is used as the corrected source point information, that is, the target source point information. The target source point information is exemplified as follows:

目标source点信息：{Target source point information: {

执行方法：特定数据签名的执行方法，如j com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText，Execution method: The execution method of a specific data signature, such as com.fasterxml.jackson.core.json.UTF8StreamJsonParser.getText,

漏洞参数：漏洞参数，如：username=123，Vulnerability parameters: Vulnerability parameters, such as username=123,

污点：污点值，如：123Taint: Taint value, such as: 123

}}

目标source点信息有助于定位污点在测试请求包中的位置，使得后续大语言模型生成的漏洞验证请求包可以直接使用。The target source point information helps to locate the position of the taint in the test request package, so that the vulnerability verification request package generated by the subsequent large language model can be used directly.

然后，基于大语言模型的文本生成和理解能力在目标source点信息和测试请求包信息的基础上构造特定漏洞类型的验证漏洞载荷（payload），形成定制化的漏洞验证请求包，用于漏洞的验证工作。Then, based on the text generation and understanding capabilities of the large language model, a verification vulnerability payload of a specific vulnerability type is constructed based on the target source point information and the test request package information to form a customized vulnerability verification request package for vulnerability verification.

具体地，根据所述测试请求包的信息、目标污点源信息和漏洞类型编写漏洞验证请求包的基础模板；Specifically, a basic template of a vulnerability verification request package is written according to the information of the test request package, the target taint source information and the vulnerability type;

先根据目标source点信息和测试请求包信息以及漏洞类型编写一个基础prompt即基础模板，如下：First, write a basic prompt or basic template according to the target source point information, test request package information and vulnerability type, as follows:

基础Prompt：“假设你是XX领域的专家，请你按照以下步骤完成任务：Basic Prompt: "Assuming you are an expert in XX field, please follow the steps below to complete the task:

根据测试请求包信息{req}和污点跟踪数据流中的真正污点源信息{source}确定payload在请求包的位置”；Determine the location of the payload in the request packet based on the test request packet information {req} and the real taint source information {source} in the taint tracking data stream";

结合执行方法和污点值的位置注入{type}漏洞验证的payload；Combine the execution method and the location of the tainted value to inject the {type} vulnerability verification payload;

严格按照以下json格式进行输出：Output strictly in the following json format:

‘‘‘json{‘‘‘json{

“请求包”:具体的漏洞验证的请求包"Request package": specific vulnerability verification request package

}}

’’’’’’

””

接下来，使用参数更多的大语言模型如chatgpt4和mistral8x7B等生成语义相同的多个备选prompt，然后，获取测试数据，将测试数据分别输入这多个备选prompt中得到输出结果，将输出的结果最符合预设要求的备选prompt作为漏洞验证请求包的最终prompt，最后，利用大语言模型的角色扮演能力，将目标source点信息和测试请求包信息以及漏洞类型都输入到最终prompt中，测试请求包信息是基础的保证可以测试的请求包，而目标source信息可以确定污点在测试请求包中的位置，有助于在污点的位置注入漏洞验证的payload，从而实现定制化的自动漏洞验证功能，并按照固定格式进行输出，即得到目标漏洞验证请求包。Next, use a large language model with more parameters such as chatgpt4 and mistral8x7B to generate multiple alternative prompts with the same semantics. Then, obtain test data and input the test data into these multiple alternative prompts to obtain the output results. The alternative prompt whose output results best meet the preset requirements is used as the final prompt of the vulnerability verification request package. Finally, use the role-playing ability of the large language model to input the target source point information, test request package information, and vulnerability type into the final prompt. The test request package information is the basic guarantee for the testable request package, and the target source information can determine the location of the taint in the test request package, which helps to inject the vulnerability verification payload at the location of the taint, thereby realizing a customized automatic vulnerability verification function and outputting it in a fixed format to obtain the target vulnerability verification request package.

与现有技术相比，本实施例可降低开发人员的漏洞验证门槛，在一定程度上提高自动化验证漏洞的准确性以及漏洞验证的效率，为大模型落地于网络安全领域提供一种新思路。Compared with the existing technology, this embodiment can lower the vulnerability verification threshold for developers, improve the accuracy of automated vulnerability verification and the efficiency of vulnerability verification to a certain extent, and provide a new idea for the implementation of large models in the field of network security.

实施例2Example 2

如图3所示，一种漏洞验证请求包生成装置，包括：As shown in FIG3 , a vulnerability verification request packet generating device includes:

检测模块10，用于利用交互式应用安全测试工具检测待测应用，得到所述待测应用中的漏洞数据，所述漏洞数据包含污点跟踪数据流、测试请求包和漏洞类型；The detection module 10 is used to detect the application to be tested by using an interactive application security testing tool to obtain vulnerability data in the application to be tested, wherein the vulnerability data includes a taint tracking data flow, a test request packet and a vulnerability type;

预处理模块20，用于根据污点与漏洞参数的相对关系对所述污点跟踪数据流进行分类，并根据分类结果对所述污点跟踪数据流进行过滤；A preprocessing module 20, for classifying the taint tracking data stream according to the relative relationship between the taint and the vulnerability parameter, and filtering the taint tracking data stream according to the classification result;

遍历模块30，用于遍历过滤后的污点跟踪数据流得到真正含有污点信息的数据流，并据此确定目标污点源信息；A traversal module 30 is used to traverse the filtered taint tracking data stream to obtain the data stream that actually contains taint information, and determine the target taint source information accordingly;

训练模块40，用于利用若干大语言模型分别对所述测试请求包的信息、目标污点源信息和漏洞类型进行训练得到漏洞验证请求包的多个备选模板；A training module 40 is used to use several large language models to train the information of the test request packet, the target taint source information and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request packet;

输出模块50，用于根据所述多个备选模板确定所述漏洞验证请求包的最终模板，并将所述测试请求包的信息、目标污点源信息和漏洞类型输入所述最终模板中，得到目标漏洞验证请求包。The output module 50 is used to determine the final template of the vulnerability verification request package according to the multiple candidate templates, and input the information of the test request package, the target taint source information and the vulnerability type into the final template to obtain the target vulnerability verification request package.

上述装置的一种实施方式可为：检测模块10利用交互式应用安全测试工具检测待测应用，得到所述待测应用中的漏洞数据，所述漏洞数据包含污点跟踪数据流、测试请求包和漏洞类型；预处理模块20根据污点与漏洞参数的相对关系对所述检测模块10得到的污点跟踪数据流进行分类，并根据分类结果对所述污点跟踪数据流进行过滤；遍历模块30遍历所述预处理模块20过滤后的污点跟踪数据流得到真正含有污点信息的数据流，并据此确定目标污点源信息；训练模块40利用若干大语言模型分别对所述测试请求包的信息、所述遍历模块30确定的目标污点源信息和所述漏洞类型进行训练得到漏洞验证请求包的多个备选模板；输出模块50根据所述训练模块40生成的多个备选模板确定所述漏洞验证请求包的最终模板，并将所述测试请求包的信息、目标污点源信息和漏洞类型输入所述最终模板中，得到目标漏洞验证请求包。An implementation of the above-mentioned device may be as follows: the detection module 10 uses an interactive application security testing tool to detect the application to be tested and obtains vulnerability data in the application to be tested, wherein the vulnerability data includes a taint tracking data stream, a test request packet and a vulnerability type; the preprocessing module 20 classifies the taint tracking data stream obtained by the detection module 10 according to the relative relationship between the taint and the vulnerability parameter, and filters the taint tracking data stream according to the classification result; the traversal module 30 traverses the taint tracking data stream filtered by the preprocessing module 20 to obtain a data stream that truly contains taint information, and determines the target taint source information accordingly; the training module 40 uses several large language models to train the information of the test request packet, the target taint source information determined by the traversal module 30 and the vulnerability type to obtain multiple candidate templates of the vulnerability verification request packet; the output module 50 determines the final template of the vulnerability verification request packet according to the multiple candidate templates generated by the training module 40, and inputs the information of the test request packet, the target taint source information and the vulnerability type into the final template to obtain the target vulnerability verification request packet.

具体地，一种漏洞验证请求包生成装置的训练模块40，还包括：Specifically, a training module 40 of a vulnerability verification request packet generating device further includes:

实施例3Example 3

如图4所示，一种电子设备，包括存储器401和处理器402，所述存储器401用于存储一条或多条计算机指令，其中，所述一条或多条计算机指令被所述处理器402执行以实现上述的一种漏洞验证请求包生成方法。As shown in FIG. 4 , an electronic device includes a memory 401 and a processor 402 , wherein the memory 401 is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor 402 to implement the above-mentioned vulnerability verification request packet generation method.

所属领域的技术人员可以清楚地了解到，为描述的方便和简洁，上述描述的电子设备的具体工作过程，可以参考前述方法实施例中的对应过程，在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the electronic device described above can refer to the corresponding process in the aforementioned method embodiment, and will not be repeated here.

一种存储有计算机程序的计算机可读存储介质，所述计算机程序使计算机执行时实现如上述的一种漏洞验证请求包生成方法。A computer-readable storage medium storing a computer program, wherein the computer program enables a computer to implement a vulnerability verification request packet generation method as described above when executed.

示例性的，计算机程序可以被分割成一个或多个模块/单元，一个或者多个模块/单元被存储在存储器401中，并由处理器402执行，并由输入接口405和输出接口406完成数据的I/O接口传输，以完成本发明,一个或多个模块/单元可以是能够完成特定功能的一系列计算机程序指令段，该指令段用于描述计算机程序在计算机设备中的执行过程。Exemplarily, the computer program may be divided into one or more modules/units, one or more modules/units are stored in the memory 401 and executed by the processor 402, and the I/O interface transmission of data is completed by the input interface 405 and the output interface 406 to complete the present invention. The one or more modules/units may be a series of computer program instruction segments that can complete specific functions, and the instruction segments are used to describe the execution process of the computer program in the computer device.

计算机设备可以是桌上型计算机、笔记本、掌上电脑及云端服务器等计算设备。计算机设备可包括，但不仅限于，存储器401、处理器402,本领域技术人员可以理解，本实施例仅仅是计算机设备的示例，并不构成对计算机设备的限定，可以包括更多或更少的部件，或者组合某些部件，或者不同的部件，例如计算机设备还可以包括输入器407、网络接入设备、总线等。The computer device may be a computing device such as a desktop computer, a notebook, a PDA, a cloud server, etc. The computer device may include, but is not limited to, a memory 401 and a processor 402. Those skilled in the art may understand that this embodiment is only an example of a computer device and does not constitute a limitation on the computer device. The computer device may include more or fewer components, or a combination of certain components, or different components. For example, the computer device may also include an input device 407, a network access device, a bus, etc.

处理器402可以是中央处理单元(Central Processing Unit，CPU)，还可以是其他通用处理器402、数字信号处理器402(Digital Signal Processor，DSP)、专用集成电路(Application Specific Integrated Circuit，ASIC)、现成可编程门阵列(Field-Programmable Gate Array，FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器402可以是微处理器402或者该处理器402也可以是任何常规的处理器402等。The processor 402 may be a central processing unit (CPU), or other general-purpose processors 402, digital signal processors 402 (DSP), application-specific integrated circuits (ASIC), field-programmable gate arrays (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor 402 may be a microprocessor 402 or the processor 402 may also be any conventional processor 402, etc.

存储器401可以是计算机设备的内部存储单元，例如计算机设备的硬盘或内存。存储器401也可以是计算机设备的外部存储设备，例如计算机设备上配备的插接式硬盘，智能存储卡（Smart Media Card,SMC），安全数字（Secure Digital,SD）卡，闪存卡（Flash Card）等,进一步地，存储器401还可以既包括计算机设备的内部存储单元也包括外部存储设备,存储器401用于存储计算机程序以及计算机设备所需的其他程序和数据,存储器401还可以用于暂时地存储在输出器408，而前述的存储介质包括U盘、移动硬盘、只读存储器ROM403、随机存储器RAM404、碟盘或光盘等各种可以存储程序代码的介质。The memory 401 may be an internal storage unit of a computer device, such as a hard disk or memory of the computer device. The memory 401 may also be an external storage device of the computer device, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, etc. equipped on the computer device. Furthermore, the memory 401 may include both an internal storage unit of the computer device and an external storage device. The memory 401 is used to store computer programs and other programs and data required by the computer device. The memory 401 may also be used to temporarily store in the output device 408. The aforementioned storage media include various media that can store program codes, such as a USB flash drive, a mobile hard disk, a read-only memory ROM403, a random access memory RAM404, a disk or an optical disk.

以上所述，仅为本发明的具体实施方式，但本发明的保护范围并不局限于此，任何在本发明揭露的技术范围内的变化或替换，都应涵盖在本发明的保护范围之内。因此，本发明的保护范围应以所述权利要求的保护范围为准。The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any changes or substitutions within the technical scope disclosed by the present invention should be included in the protection scope of the present invention. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.

Claims

1. The vulnerability verification request packet generation method is characterized by comprising the following steps:

Detecting an application to be detected by using an interactive application security test tool to obtain vulnerability data in the application to be detected, wherein the vulnerability data comprises a stain tracking data stream, a test request packet and a vulnerability type, the stain tracking data stream comprises stain source information, stain propagation information and stain convergence point information, and the stain source information comprises an execution method, a code position, vulnerability parameters and stains for acquiring a request parameter value;

Judging whether the loophole parameter and the stain are the same value, and deleting the code position and the loophole parameter in the stain source information when the loophole parameter and the stain are the same value;

deleting the code position in the stain source information when the vulnerability parameter and the stain are not the same value;

classifying the stain tracking data stream according to the relative relation between the stain and the loophole parameters, and filtering the stain tracking data stream according to the classification result;

traversing the filtered stain tracking data stream to obtain a data stream truly containing stain information, and determining target stain source information according to the data stream;

Training the information of the test request packet, the target stain source information and the vulnerability type by using a plurality of large language models to obtain a plurality of alternative templates of the vulnerability verification request packet;

Determining a final template of the vulnerability verification request packet according to the multiple alternative templates, and inputting the information of the test request packet, the target stain source information and the vulnerability type into the final template to obtain the target vulnerability verification request packet.

2. The method of claim 1, wherein traversing the filtered dirty trace data stream to obtain a data stream that actually contains dirty information, and determining target dirty source information based on the data stream comprises:

And obtaining the data stream truly containing the taint information in the filtered taint tracking data stream by executing the function data signature mode, and taking the taint propagation information or the taint convergence point information of the first containing the data signature as the target taint point source information.

3. The method for generating a vulnerability verification request packet according to claim 1, wherein training the information of the test request packet, the target taint source information and the vulnerability type by using a plurality of large language models to obtain a plurality of alternative templates of the vulnerability verification request packet respectively comprises:

Compiling a basic template of a vulnerability verification request packet according to the information of the test request packet, the target pollution source information and the vulnerability type;

based on the basic template, training the information of the test request packet, the target stain source information and the vulnerability type by using a plurality of large language models to obtain a plurality of alternative templates of the vulnerability verification request packet.

4. The method of claim 1, wherein determining a final template of the vulnerability verification request package according to the plurality of candidate templates comprises:

And obtaining test data, respectively inputting the test data into the plurality of alternative templates to obtain a plurality of output results, and taking the alternative template with the output result most conforming to the preset condition as the final template of the vulnerability verification request packet.

5. A vulnerability verification request packet generation apparatus, comprising:

the detection module is used for detecting an application to be detected by using an interactive application security test tool to obtain vulnerability data in the application to be detected, wherein the vulnerability data comprises a stain tracking data stream, a test request packet and a vulnerability type, the stain tracking data stream comprises stain source information, stain propagation information and stain convergence point information, and the stain source information comprises an execution method, a code position, a vulnerability parameter and a stain for acquiring a request parameter value;

The preprocessing module is used for judging whether the loophole parameter and the stain are the same value, and deleting the code position and the loophole parameter in the stain source information when the loophole parameter and the stain are the same value;

the traversing module is used for traversing the filtered stain tracking data stream to obtain a data stream truly containing stain information, and determining target stain source information according to the data stream;

The training module is used for training the information of the test request packet, the target stain source information and the vulnerability type by utilizing a plurality of large language models to obtain a plurality of alternative templates of the vulnerability verification request packet;

The output module is used for determining a final template of the vulnerability verification request packet according to the plurality of alternative templates, and inputting the information of the test request packet, the target stain source information and the vulnerability type into the final template to obtain the target vulnerability verification request packet.

6. The vulnerability verification request packet generation apparatus of claim 5, wherein the training module comprises:

The compiling unit is used for compiling a basic template of the vulnerability verification request packet according to the information of the test request packet, the target pollution point source information and the vulnerability type;

The training unit is used for respectively training the information of the test request packet, the target stain source information and the vulnerability type by utilizing a plurality of large language models based on the basic template to obtain a plurality of alternative templates of the vulnerability verification request packet.

7. An electronic device comprising a memory and a processor, the memory to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement a vulnerability verification request packet generation method of any one of claims 1-4.

8. A computer-readable storage medium storing a computer program, wherein the computer program causes a computer to execute a vulnerability verification request packet generation method according to any one of claims 1-4.