Dynamic detection method for cross-site forged request

A dynamic detection technique for forged requests, applied to CSRF vulnerabilities, that addresses the performance impact and implementation difficulty of existing approaches while achieving high test efficiency and accuracy.

Inactive Publication Date: 2010-11-10
NANJING UNIV

AI Technical Summary

Problems solved by technology

These methods either seriously affect the performance of Web applicat


Embodiment Construction

[0039] As shown in Figure 1, the present invention is composed of five modules arranged as a pipeline: an HTTP request information collection module, a CSRF suspect request detection module, a test case generation module, a test case execution module and a CSRF vulnerability detection module. The HTTP request information collected first is used for the subsequent analysis; based on the collected information, it is possible to analyze whether a request is a CSRF suspect request, and which parameters in the request may be used in an attack. These parameters are called suspect parameters. From the suspect parameters, several forged requests can be generated for each suspect request, and from these the test cases; when the conditions under which the suspect request was generated are met again (the user's browser has obtained the necessary authentication information), the test cases are executed; from the collected request information, the forged requests and the execution information of the forged requests, it can be analyzed whether CSRF vulnerabilities in the web app...


Abstract

The invention discloses a dynamic detection method for cross-site forged requests, which comprises the following steps: collecting HTTP request information; analyzing, according to the collected information, whether a request is a CSRF suspect request; generating test cases for the suspect request by finding all suspect parameters it contains, using the suspect parameters to generate a plurality of forged requests, and generating a test case for each forged request; when the environment in which the suspect request was generated recurs, executing the forged request corresponding to each test case; and detecting CSRF vulnerabilities by analyzing, according to the suspect request, its execution information, the forged requests and their execution information, whether the forged requests reveal CSRF vulnerabilities in the Web application, forming a report and helping the Web application developer to repair the vulnerabilities. Since a dynamic detection method is used to detect the CSRF vulnerabilities, the CSRF vulnerabilities in the Web application can be found rapidly, accurately and at low cost.
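The pipeline described in the abstract and in paragraph [0039], as an added Python illustration that is not part of the patent: it classifies a collected request as CSRF-suspect, lists its suspect parameters, builds forged test cases, and judges execution results. The request record, the anti-CSRF token field names, the example.test URLs and the execution-information dict shape are all assumptions made for this example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
TOKEN_NAMES = {"csrf_token", "_token", "authenticity_token"}  # assumed token field names

@dataclass
class CollectedRequest:
    """One record from the HTTP request information collection module."""
    method: str
    url: str
    headers: dict
    body: str = ""

def body_params(req):
    return {k: v[0] for k, v in parse_qs(req.body, keep_blank_values=True).items()}

def is_suspect_request(req):
    """Suspect: state-changing, authenticated only by a cookie the browser sends
    automatically, and carrying no per-request secret a forged request could not know."""
    if req.method.upper() not in STATE_CHANGING or "Cookie" not in req.headers:
        return False
    return not any(p.lower() in TOKEN_NAMES for p in body_params(req))

def suspect_parameters(req):
    """Parameters a forged request could set: every body field that is not a token."""
    return sorted(p for p in body_params(req) if p.lower() not in TOKEN_NAMES)

def forged_test_cases(req, substitute):
    """One forged variant per suspect parameter: the value replaced and the Referer
    dropped, as a cross-site submission would arrive. Nothing is sent here."""
    headers = {k: v for k, v in req.headers.items() if k.lower() != "referer"}
    base = body_params(req)
    return [(name, CollectedRequest(req.method, req.url, headers,
                                    urlencode({**base, name: substitute})))
            for name in suspect_parameters(req)]

def detect_vulnerability(original_exec, forged_exec):
    """Vulnerability detection: the forged request was accepted and produced the
    same observed state change as the genuine one, so the server did not tell
    them apart. Execution info is a dict {"status": int, "state_changed": bool}."""
    return (original_exec["status"] == 200 and forged_exec["status"] == 200
            and original_exec["state_changed"] and forged_exec["state_changed"])

# Constructed sample record: a profile update protected only by the session cookie.
SAMPLE = CollectedRequest(
    "POST", "http://example.test/profile/update",
    {"Cookie": "sid=abc123", "Referer": "http://example.test/profile"},
    "email=alice%40example.test&display_name=Alice",
)
```

In a real scanner the execution module would replay each generated case once the user's session is live again and feed the observed status and state change into `detect_vulnerability`.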

Description

Technical field

[0001] The present invention relates to the dynamic detection of cross-site request forgery (Cross-Site Request Forgery, CSRF) in Web application security testing, and in particular to forging HTTP requests by analyzing the correspondence between HTTP parameters and SQL statement operands, in order to dynamically detect CSRF vulnerabilities in web applications.

Background technique

[0002] Certain operations in a web application require certain permissions, and such permissions are generally associated with the user's account. When the user performs these operations, the web application verifies whether the user account has the corresponding permissions. Obviously, users cannot be required to enter their account credentials for verification every time they perform an operation. The current general practice is: after the user logs in, the user's browser saves the account information, and when the user continues to perform operations, the user's authority is verified with ...


Application Information

IPC(8): H04L12/26, H04L29/06
Inventor: 彭树深, 顾庆, 陈道蓄
Owner NANJING UNIV