Vulnerability scanning method, device and electronic device

A vulnerability scanning technology, applied in the field of vulnerability scanning, that addresses the problems of missed detection, failure to pass the vulnerability, and long scanning time, so as to improve the efficiency of vulnerability scanning, avoid missed detection of vulnerabilities, and improve the accuracy rate.

Active Publication Date: 2016-04-20
ZHUHAI BAOQU TECH CO LTD
11 Cites 21 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0004] However, in this vulnerability scanning method, the client cannot modify the request parameters in the vulnerability scanning request message. When scanning the server, vulnerability scanning request messages therefore have to be constructed in different clients, so that the vulnerability scanning response messages returned by the server can be used to determine whether the server has vulnerabilities and whether the vulnerabilities found are the same. This lengthens the time required for server vulnerability scanning and lowers its efficiency. At the same time, due to the vulnerability prevention mechanism preset by the client, when the client constructs a vulnerability scanning req...

Method used

As can be seen from the above, the method for scanning vulnerabilities in the embodiment of the present invention intercepts each vulnerability scanning request message that the client will send to the server; filters out, from the intercepted messages, the vulnerability scanning request messages transmitted using a preset transport protocol; parses the message body in each filtered vulnerability scanning request message and edits the request parameter value in the parsed message body; and encapsulates the edited message body into a vulnerability scanning request message to be sent, which is sent to the server according to the preset time period, so that whether the server has vulnerabilities can be analyzed from the received vulnerability scanning response message. In this way, by intercepting the vulnerability scanning request message and editing the request parameter value in the message body to realize the scanning of the server vulnerability, there i...

Abstract

The embodiment of the invention discloses a vulnerability scanning method, device and an electronic device. The method comprises: capturing every vulnerability scanning request message to be sent to a server by a client; selecting the vulnerability scanning request message transmitted through a preset transmission protocol from the captured vulnerability scanning request messages; analyzing the message body in the selected vulnerability scanning request message, editing the request parameter value in the analyzed message body; packaging the edited message body into a vulnerability scanning request message to be sent, sending the vulnerability scanning request message to be sent to the server according to a preset time cycle, and receiving a vulnerability scanning response message returned from the server so as to determine whether the server has vulnerability. In application of the invention, the vulnerability scanning efficiency can be improved.


Example Embodiment

[0062] Embodiments of the present invention will be described in detail below in conjunction with the accompanying drawings.
[0063] It should be clear that the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.
[0064] Figure 1 is a schematic flowchart of a method for scanning vulnerabilities according to an embodiment of the present invention. Referring to Figure 1, the method includes:
[0065] Step 11, intercepting each vulnerability scanning request message that the client will send to the server;
[0066] In this step, when performing server vulnerability scanning, relevant technicians or maintenance personnel can call the application functions of the client in turn and input the payload in the content input area of the called application function. A vulnerability scanning request message is generated from the input payload and submitted to the server. Here, the payload is special input data constructed during vulnerability scanning.
[0067] As an optional embodiment, the vulnerability scanning request message may be a service request message or a construction test message.
[0068] In the embodiment of the present invention, it is considered that some of the request parameters in the vulnerability scanning request message generated by the client and submitted to the server are generated from the attribute information of the client, and therefore cannot be edited on the client; the client ID contained in the vulnerability scanning request message is one example. Furthermore, because of the vulnerability prevention mechanism preset by the client, a vulnerability existing in the server may be repaired in the client. Take the case where the client requests generation of a verification code. After receiving a vulnerability scanning request message containing a verification code generation request, the server generates the verification code and sends it to the client. If, after generating the verification code for the client, the server receives another verification code generation request from that client within the preset time, it needs to reject the request. However, because of the vulnerability prevention mechanism set in the client, once the client has sent a verification code generation request through the control button, the control button becomes invalid for a set time, which prevents the client from sending another verification code generation request to the server. As a result, if the server has not been set to reject a verification code generation request received again from the client within the preset time, the server has a verification code vulnerability, but that vulnerability cannot be detected through the verification code generation requests sent by the client.
Therefore, the embodiments of the present invention intercept the vulnerability scanning request messages to be sent from the client to the server, so that the request parameters in the intercepted messages can be edited, thereby avoiding the above-mentioned technical defects.
[0069] In the embodiment of the present invention, as an optional embodiment, a script for intercepting the vulnerability scanning request message may be pre-written, and the written script may be injected into the client. Script writing is a well-known technology, and the detailed description is omitted here.
[0070] Step 12, from the intercepted vulnerability scanning request messages, filter out the vulnerability scanning request messages transmitted using a pre-set transport protocol;
[0071] In this step, as an optional embodiment, the preset transfer protocol is the Hypertext Transfer Protocol (HTTP). Of course, in practical applications, the preset transfer protocol can also be another transfer protocol, for example, the File Transfer Protocol (FTP) or the Real-time Transport Protocol (RTP).
[0072] In the embodiment of the present invention, as an optional embodiment, filtering out the vulnerability scanning request message transmitted by using a preset transmission protocol includes:
[0073] Parsing the packet header of the intercepted vulnerability scanning request message, and storing the vulnerability scanning request message if the relevant fields contained in the parsed packet header are preset transmission protocol fields.
[0074] In the embodiment of the present invention, the existing flow is used to process the vulnerability scanning request message transmitted without using the preset transmission protocol.
[0075] As an optional embodiment, after the screening of the vulnerability scanning request message transmitted using a preset transport protocol, the method may further include:
[0076] The filtered vulnerability scanning request message is deduplicated according to the application function, and a vulnerability scanning request message corresponding to each application function is obtained and stored.
[0077] In this step, for vulnerability scanning request messages sent by multiple clients for the same application function, since the relevant request parameters in the vulnerability scanning request message can be edited later, it is enough to keep one of the multiple vulnerability scanning request messages for the same application function at random.
[0078] Step 13, analyzing the message body in the filtered vulnerability scanning request message, and editing the request parameter value in the parsed message body;
[0079] In this step, as an optional embodiment, parsing the message body in the filtered vulnerability scanning request message and editing the request parameter values in the parsed message body includes:
[0080] Parse the extracted vulnerability scanning request message to obtain the parsed message header and message body, and judge the request-response mode between the client and the server according to the parsed message header:
[0081] If the request-response method between the client and the server is the get method, edit the request parameter value in the uniform resource locator of the message body;
[0082] If the method of request-response between the client and the server is the post method, edit the request parameter value in the packet of the message body.
[0083] In this step, the client is used to send the vulnerability scanning request message, and the server is used to receive the vulnerability scanning request message. The methods of request-response between the client and the server include the get method and the post method, where the get method is used to request data from a specified resource (for example, the server), and the post method is used to submit data to be processed to the specified resource.
[0084] In the embodiment of the present invention, as an optional embodiment, the message body includes a Uniform Resource Locator (URL) and a package. For the get method, the request parameter and the request parameter value corresponding to the request parameter are included in the Uniform Resource Locator; for the post method, the request parameter and the request parameter value corresponding to the request parameter are included in the package.
[0085] Take the get method as an example. Suppose the message body parsed from a vulnerability scanning request message is http://1.1.1.1?id=123&method=getuserinfo. The request message means to obtain the user information of the specified user ID (id is 123). The request parameters include id and method, where the request parameter value corresponding to the request parameter id is 123, and the request parameter value corresponding to the request parameter method is getuserinfo.
[0086] As an optional embodiment, in the embodiment of the present invention, the request parameter value is edited, for example, by a script that automatically replaces the value in id=xxx one by one, to detect whether there is a user privacy leakage vulnerability at the server end. For example, if the request parameter value is changed to id=124 and, after subsequent encapsulation, the server also returns the other user's information, then the server allows one user to request the information of multiple users and therefore has a vulnerability: an attacker can construct a large number of ids, for example, use a script to poll all ids from 1-9999999, so that all user information can be obtained from the server, resulting in the leakage of user information.
[0087] In the embodiment of the present invention, modifying the value of the request parameter also avoids the need to send the vulnerability scanning request message through different clients, where repeatedly generating the vulnerability scanning request message is cumbersome and consumes a lot of manpower and material resources.
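The filtering, deduplication and editing of steps 12 and 13 can be illustrated offline. The following Python sketch is an added example, not code from the patent: it parses raw request messages, keeps only HTTP ones, keeps one message per application function, and edits a parameter in the URL for get or in the package for post before re-encapsulating. The sample messages are constructed, and the deduplication key (HTTP method, path and the `method` parameter) and the form-encoded post body are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample messages (host and parameters follow the page's examples).
GET_MSG = b"GET /?id=123&method=getuserinfo HTTP/1.1\r\nHost: 1.1.1.1\r\n\r\n"
GET_DUP = b"GET /?id=456&method=getuserinfo HTTP/1.1\r\nHost: 1.1.1.1\r\n\r\n"
POST_MSG = (b"POST / HTTP/1.1\r\nHost: 1.1.1.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 33\r\n\r\nmobile=13311111111&method=chkcode")
FTP_MSG = b"USER anonymous\r\n"  # not HTTP, left to the existing flow


def parse_message(raw: bytes):
    """Return (method, target, version, headers, body), or None if not HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # step 12: header does not carry the preset protocol field
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body


def function_key(raw: bytes):
    """Assumed dedup key: HTTP method, path and the `method` parameter."""
    method, target, _, _, body = parse_message(raw)
    url = urlsplit(target)
    params = dict(parse_qsl(url.query) + parse_qsl(body.decode("ascii")))
    return method.upper(), url.path, params.get("method")


def select_for_editing(messages):
    """Step 12: keep HTTP messages only, one per application function.

    The page keeps one duplicate at random; this sketch keeps the first seen.
    """
    kept = {}
    for raw in messages:
        if parse_message(raw) is not None:
            kept.setdefault(function_key(raw), raw)
    return list(kept.values())


def _set_param(encoded: str, name: str, value: str) -> str:
    """Replace the value of `name` in a urlencoded string, keeping order."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    if name not in [k for k, _ in pairs]:
        raise KeyError(name)
    return urlencode([(k, value if k == name else v) for k, v in pairs])


def edit_request(raw: bytes, name: str, value: str) -> bytes:
    """Step 13 plus encapsulation: edit one parameter where the method keeps it."""
    parsed = parse_message(raw)
    if parsed is None:
        raise ValueError("not an HTTP request message")
    method, target, version, headers, body = parsed
    if method.upper() == "GET":      # parameters live in the URL
        url = urlsplit(target)
        query = _set_param(url.query, name, value)
        target = urlunsplit(url._replace(query=query))
    elif method.upper() == "POST":   # parameters live in the package (body)
        body = _set_param(body.decode("ascii"), name, value).encode("ascii")
        headers = [(k, str(len(body)) if k.lower() == "content-length" else v)
                   for k, v in headers]
    else:
        raise ValueError("only the get and post methods are covered")
    head = [f"{method} {target} {version}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(head).encode("iso-8859-1") + b"\r\n\r\n" + body
```

Recomputing Content-Length after a post edit matters: a re-encapsulated message with a stale length is rejected or truncated by the server and produces a misleading scan result.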
[0088] For another example, for a vulnerability scanning request message for obtaining an SMS verification code, if the message body is parsed as http://1.1.1.1?mobile=13311111111&method=chkcode, the message is set to be sent automatically every 5 seconds. If the server returns the SMS verification code after the request has been repeated N times, the server does not limit the acquisition time, so that an attacker can repeat the request for a number any number of times, achieving the effect of SMS bombing.
[0089] Step 14, encapsulate the edited message body into a vulnerability scanning request message to be sent, send it to the server according to the preset time period, and receive a vulnerability scanning response message returned from the server to determine whether the server has a vulnerability.
[0090] In this step, for example, as mentioned above, if all values of the request parameter id from 1-9999999 are polled and encapsulated into corresponding vulnerability scanning request messages to be sent, the vulnerability scanning request messages generated by polling can be sent every 5 seconds; for the vulnerability scanning request message for obtaining the SMS verification code, the request parameter value need not be edited, and the message is sent repeatedly every 5 seconds. In this way, in combination with the preset time period, more vulnerabilities in the server can be detected.
[0091] In the embodiment of the present invention, as an optional embodiment, if the request is a service request message, what the server returns is a service response message, and if it is a construction test message, what the server returns is a response message. The vulnerability scanning response message returned by the server can be extracted and parsed, its characteristic words extracted and matched with the characteristic words in the pre-set vulnerability database to determine whether the server has vulnerabilities; or, the vulnerability scanning response message returned by the server can be extracted and matched with the standard request response message corresponding to the preset application function, so as to determine whether the server has a vulnerability. Determining whether there is a vulnerability in the server according to the result returned by the server is a known technology, and the detailed description is omitted here.
[0092] As can be seen from the above, the method for scanning vulnerabilities in the embodiment of the present invention intercepts each vulnerability scanning request message that the client will send to the server; filters out, from the intercepted messages, the vulnerability scanning request messages transmitted using a preset transport protocol; parses the message body in each filtered vulnerability scanning request message and edits the request parameter value in the parsed message body; and encapsulates the edited message body into a vulnerability scanning request message to be sent, which is sent to the server according to the preset time period, so that whether the server has vulnerabilities can be analyzed from the received vulnerability scanning response message. In this way, because server vulnerability scanning is realized by intercepting the vulnerability scanning request message and editing the request parameter value in the message body, there is no need to construct vulnerability scanning request messages in different clients, which reduces the time required for server vulnerability scanning and improves its efficiency; at the same time, sending encapsulated vulnerability scanning request messages to the server according to the preset time period effectively avoids the situation in which vulnerabilities existing in the server are missed because of the vulnerability prevention mechanism preset by the client, and so improves the accuracy of vulnerability scanning.
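The verification code case from [0068] and [0088] can be reproduced entirely in-process. This added Python example (not part of the patent) replays one request on a simulated clock at the 5-second period against two hypothetical server handlers, one that relies on the client disabling its button and one that enforces the limit itself, and applies a characteristic-word match to the responses. The 60-second cooldown, the "code sent" feature word and all class and function names are assumptions.

```python
COOLDOWN = 60                  # assumed server-side "preset time", in seconds
PERIOD = 5                     # resend period used in the page's example
ISSUED_WORDS = ("code sent",)  # assumed characteristic words for "code issued"


class ClientOnlyServer:
    """Relies on the client disabling its button; the server never checks."""

    def handle(self, mobile, now):
        return 200, "code sent"


class CooldownServer:
    """Rejects a repeat request for the same number inside COOLDOWN."""

    def __init__(self):
        self.last_issued = {}

    def handle(self, mobile, now):
        last = self.last_issued.get(mobile)
        if last is not None and now - last < COOLDOWN:
            return 429, "too many requests"
        self.last_issued[mobile] = now
        return 200, "code sent"


def replay(server, mobile, repeats, period=PERIOD):
    """Step 14 on a simulated clock: resend every `period` seconds."""
    return [server.handle(mobile, i * period) for i in range(repeats)]


def accepted_inside_cooldown(responses, period=PERIOD, cooldown=COOLDOWN):
    """Return the send times (s) of repeats the server accepted too early."""
    hits, last_ok = [], None
    for i, (_status, text) in enumerate(responses):
        now = i * period
        if any(word in text for word in ISSUED_WORDS):
            if last_ok is not None and now - last_ok < cooldown:
                hits.append(now)
            last_ok = now
    return hits


if __name__ == "__main__":
    number = "13311111111"  # the sample number from the page
    for server in (ClientOnlyServer(), CooldownServer()):
        hits = accepted_inside_cooldown(replay(server, number, 14))
        verdict = "no server-side limit" if hits else "limit enforced"
        print(type(server).__name__, verdict, hits)
```

The second handler is the fix: the limit is keyed on the phone number and checked on the server, so it holds no matter what the client does with its button.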
[0093] Figure 2 is a schematic structural diagram of a device for scanning vulnerabilities according to an embodiment of the present invention. Referring to Figure 2, the device includes: interception module 21, extraction module 22, editing module 23 and vulnerability scanning module 24, wherein,
[0094] An intercepting module 21, configured to intercept each vulnerability scanning request message that the client will send to the server;
[0095] In the embodiment of the present invention, as an optional embodiment, a script for intercepting a vulnerability scanning request message can be pre-written, and the written script can be injected into the client so as to intercept the vulnerability scanning request messages sent by the client.
[0096] An extraction module 22, configured to filter out vulnerability scanning request messages transmitted using a pre-set transport protocol from the intercepted vulnerability scanning request messages;
[0097] In the embodiment of the present invention, as an optional embodiment, the preset transfer protocol is a hypertext transfer protocol.
[0098] In the embodiment of the present invention, the existing flow is used to process the vulnerability scanning request message transmitted without using the preset transmission protocol.
[0099] The editing module 23 is used to analyze the message body in the filtered vulnerability scanning request message, and edit the request parameter value in the parsed message body;
[0100] In the embodiment of the present invention, the request-response methods between the client and the server include the get method and the post method. For the get method, the request parameter and the request parameter value corresponding to the request parameter are included in the uniform resource locator; for the post method, the request parameters and the corresponding request parameter values are included in the package.
[0101] The vulnerability scanning module 24 is used to encapsulate the edited message body into a vulnerability scanning request message to be sent, send it to the server according to the preset time period, and receive the vulnerability scanning response message returned from the server to determine whether the server has any vulnerabilities.
[0102] In the embodiment of the present invention, as an optional embodiment, Figure 3 is a schematic structural diagram of the extraction module of the embodiment of the present invention. Referring to Figure 3, the extraction module includes: a parsing unit 31, a field judging unit 32 and a storage unit 33, wherein,
[0103] Parsing unit 31, for parsing the message header of the intercepted vulnerability scanning request message;
[0104] The field judging unit 32 notifies the storage unit 33 if the relevant field contained in the header obtained by parsing is a preset transmission protocol field;
[0105] The storage unit 33 is configured to store the vulnerability scanning request message.
[0106] In the embodiment of the present invention, as another optional embodiment, the extraction module further includes:
[0107] The deduplication unit 34 is used to receive the notification output by the field judging unit 32, deduplicate the filtered vulnerability scanning request message according to the application function, obtain a vulnerability scanning request message corresponding to each application function, and output it to the storage unit 33.
[0108] Figure 4 is a structural diagram of the editing module of the embodiment of the present invention. Referring to Figure 4, the editing module includes: a message parsing unit 41, a request response mode judging unit 42, a request parameter first editing unit 43 and a request parameter second editing unit 44, wherein,
[0109] The message parsing unit 41 is used for parsing the extracted vulnerability scanning request message to obtain the parsed message header and message body;
[0110] The request-response mode judging unit 42 is configured to judge the mode of request-response between the client and the server according to the parsed message header:
[0111] If the mode of request-response between the client and the server is get mode, notify the request parameter first editing unit 43; if the mode of request-response between the client and the server is post mode, notify request parameter second editing unit 44;
[0112] The request parameter first editing unit 43 is used to receive the notification and edit the request parameter value in the uniform resource locator of the message body;
[0113] The request parameter second editing unit 44 is configured to receive the notification and edit the request parameter value in the packet of the message body.
[0114] Figure 5 is a structural diagram of the vulnerability scanning module in the first embodiment of the present invention. Referring to Figure 5, the vulnerability scanning module includes: encapsulation unit 51, sending unit 52, feature extraction unit 53 and feature matching unit 54, wherein,
[0115] An encapsulation unit 51, configured to encapsulate the edited message body into a vulnerability scanning request message to be sent;
[0116] A sending unit 52, configured to send the vulnerability scanning request message to the server according to a preset time period;
[0117] The feature extraction unit 53 is used to extract the vulnerability scanning response message returned by the server, and extract the characteristic words after parsing the vulnerability scanning response message;
[0118] The feature matching unit 54 is configured to match the extracted feature words with the feature words in the pre-set vulnerability database, so as to determine whether there is a vulnerability in the server.
[0119] Figure 6 is a schematic structural diagram of the vulnerability scanning module according to the second embodiment of the present invention. Referring to Figure 6, the vulnerability scanning module includes: encapsulation unit 51, sending unit 52 and message matching unit 63, wherein,
[0120] An encapsulation unit 51, configured to encapsulate the edited message body into a vulnerability scanning request message to be sent;
[0121] A sending unit 52, configured to send the vulnerability scanning request message to the server according to a preset time period;
[0122] The message matching unit 63 is configured to extract the vulnerability scanning response message returned by the server, and match it with the standard request response message corresponding to the preset application function, so as to determine whether the server has a vulnerability.
[0123] An embodiment of the present invention further provides an electronic device, the electronic device including the device described in any one of the foregoing embodiments.
[0124] Figure 7 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which can implement the flow of the embodiments shown in Figures 1-6 of the present invention. As shown in Figure 7, the above-mentioned electronic device may include: a housing 71, a processor 72, a memory 73, a circuit board 74 and a power supply circuit 75, wherein the circuit board 74 is arranged inside the space enclosed by the housing 71, and the processor 72 and the memory 73 are set on the circuit board 74; the power supply circuit 75 is used to supply power to the various circuits or devices of the above-mentioned electronic device; the memory 73 is used to store executable program code; and the processor 72 reads the executable program code stored in the memory 73 and runs the program corresponding to the executable program code, so as to execute the method for scanning vulnerabilities described in any one of the foregoing embodiments.
[0125] For the specific execution process of the above-mentioned steps by the processor 72, and the steps further executed by the processor 72 by running the executable program code, refer to the description of the embodiments shown in Figures 1-6 of the present invention, which will not be repeated here.
[0126] This electronic device exists in many forms, including but not limited to:
[0127] (1) Mobile communication equipment: This type of equipment is characterized by mobile communication functions, and its main goal is to provide voice and data communication. Such terminals include: smart phones (such as iPhone), multimedia phones, feature phones, and low-end phones.
[0128] (2) Ultra-mobile personal computer equipment: This type of equipment belongs to the category of personal computers, with computing and processing functions, and generally also has the characteristics of mobile Internet access. Such terminals include: PDA, MID and UMPC equipment, such as iPad.
[0129] (3) Portable entertainment equipment: This type of equipment can display and play multimedia content. Such devices include: audio and video players (such as iPod), handheld game consoles, e-books, as well as smart toys and portable car navigation devices.
[0130] (4) Server: A device that provides computing services. The composition of a server includes processors, hard disks, memory, and system buses, and there are high requirements in terms of reliability, security, scalability, manageability and other aspects.
[0131] (5) Other electronic devices with data interaction functions.
[0132] Those of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware, and the program can be stored in a computer-readable storage medium. When executed, the program may include the processes of the embodiments of the above-mentioned methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM) or a random access memory (Random Access Memory, RAM) and the like.
[0133] The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or substitutions that anyone skilled in the art can easily think of within the technical scope disclosed in the present invention should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.