EL expression injection vulnerability batch detection device and method

A batch detection device and method, classified under network data retrieval, other database retrieval, and retrieval of Web data using information identifiers. Its stated effects are reduced labor time cost, improved detection coverage, and detection results that are automatically generated for reference and use.

Inactive Publication Date: 2019-03-08
HANGZHOU ANHENG INFORMATION TECH CO LTD


Problems solved by technology

[0005] The technical problem solved by the present invention is that the prior art detects EL expression injection vulnerabilities manually, which demands considerable skill and experience from security test engineers, consumes a great deal of time, carries a high time cost, gives incomplete coverage, is inefficient, and cannot meet the need for batch, efficient detection across a website environment. The invention therefore provides an improved batch detection device and detection method for EL expression injection vulnerabilities.


Embodiment Construction

[0026] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0027] The invention relates to a batch detection method for EL expression injection vulnerabilities. Built on the Scrapy framework, it addresses the low efficiency, wasted time and high skill requirements placed on security testers when testing for EL expression injection vulnerabilities.

[0028] The method includes the following steps.

[0029] Step 1: Collect URL files.

[0030] In step 1, the collected URL files are either files of URLs gathered by keyword or files of manually imported URLs to be detected.

[0031] A keyword-based URL file is obtained by entering keywords, or manually importing a keyword file, and then using a search engine to collect URLs that contain those keywords.

[0032] The file of manually imported URLs to be detected is obtained by manually entering the absolute path ...


Abstract

The invention relates to an EL expression injection vulnerability batch detection device and method. A collection unit collects a URL file; a first response from the server is obtained with a normal HTTP request; an HTTP request carrying an EL expression injection detection statement is sent and a second response from the server is obtained; the first and second responses are compared; and if the first response does not contain the execution result of the detection statement while the second response does, a vulnerability exists, and the detection result is output and stored. The detection device and method meet the need for batch vulnerability detection; support both collecting URLs that contain a keyword and manually importing files of URLs to be detected; solve the problems of low efficiency, wasted time and high demands on security testers in testing EL expression injection vulnerabilities; improve detection coverage; greatly reduce labor time cost; simplify the security tester's work; and automatically generate the detection result for reference.
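The differential check summarized in the Abstract (normal request, then a request carrying the detection statement, then a comparison of the two responses) and the batch URL handling begun in the Embodiment steps, as an added worked example that is not code from the patent or from its applicant. The patent's embodiment is built on Scrapy and does not state which detection statement it sends; this script replaces the crawler with a pluggable fetch callable, uses an arithmetic EL probe of the form `${a*b}` with random operands as its detection statement, and stands in a constructed simulated server so it runs offline. The parameter name `name`, the host `target.example` and the simulated page template are assumptions made for the example.

```python
"""Differential EL-injection probe (added example; not the patent's code).

Vulnerable if: the expected product is absent from the normal response and
present in the response to the request that carries the detection statement.
Random five-digit operands keep the product from appearing in a page by chance,
which is what makes the baseline comparison reliable.
"""
import random
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], str]  # maps a URL to the response body


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Live fetcher for real scans; the offline demo below uses simulated servers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def build_probe(rng: random.Random) -> Tuple[str, str]:
    """Return (EL detection statement, expected evaluation result)."""
    a, b = rng.randint(10_000, 99_999), rng.randint(10_000, 99_999)
    return "${%d*%d}" % (a, b), str(a * b)


def set_query_param(url: str, param: str, value: str) -> str:
    """Return url with param set to value; other query parameters are preserved."""
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def probe(url: str, param: str, fetch: Fetcher, seed: Optional[int] = None) -> Dict[str, object]:
    """Run the two-request differential check against one URL parameter."""
    payload, expected = build_probe(random.Random(seed))
    first = fetch(url)                                    # normal HTTP request
    second = fetch(set_query_param(url, param, payload))  # request carrying the statement
    evaluated = expected not in first and expected in second
    reflected = payload in second  # echoed verbatim: reflected, but not evaluated
    return {
        "url": url, "param": param, "payload": payload, "expected": expected,
        "vulnerable": evaluated, "reflected_unevaluated": reflected and not evaluated,
    }


def scan(urls: List[str], param: str, fetch: Fetcher) -> List[Dict[str, object]]:
    """Batch wrapper: probe every collected URL and keep only positive findings."""
    return [r for r in (probe(u, param, fetch) for u in urls) if r["vulnerable"]]


# --- constructed offline stand-in for a target server (assumption) ---------
_EL_MUL = re.compile(r"\$\{(\d+)\*(\d+)\}")


def simulated_server(template: str, evaluate_el: bool) -> Fetcher:
    """Render template with the 'name' query parameter. With evaluate_el=True a
    ${a*b} inside the parameter is evaluated, mimicking an injectable EL sink;
    with evaluate_el=False the parameter is echoed literally (safe page)."""
    def fetch(url: str) -> str:
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        name = q.get("name", "")
        if evaluate_el:
            name = _EL_MUL.sub(lambda m: str(int(m.group(1)) * int(m.group(2))), name)
        return template.replace("{name}", name)
    return fetch


if __name__ == "__main__":
    vuln = simulated_server("<h1>Hello {name}</h1>", evaluate_el=True)
    safe = simulated_server("<h1>Hello {name}</h1>", evaluate_el=False)
    for fetcher in (vuln, safe):
        print(probe("http://target.example/greet?name=alice", "name", fetcher))
```

For a live scan, pass `http_fetch` (or a Scrapy callback that returns the body) as `fetch` and feed `scan` the URL list collected in step 1. The `reflected_unevaluated` flag separates a page that merely echoes the input from one that evaluates it; only the latter is reported as a finding, which is the distinction the first-versus-second response comparison exists to make.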

Description

Technical field

[0001] The present invention relates to the technical field of security devices for protecting computers, components, programs or data from unauthorized acts, and in particular to a batch detection device and detection method for EL expression injection vulnerabilities that improve detection coverage and reduce labor time cost.

Background technique

[0002] EL (Expression Language) provides a way to simplify expressions in JSP (Java Server Pages), making JSP easier to write. EL expressions are usually tags used to display data in the presentation layer of a JSP, and they improve page coupling. Because of its convenience and ease of use, the approach has been borrowed and extended by other frameworks; the two most common examples are OGNL (used by Struts) and SpEL (used by Spring).

[0003] Because EL expressions are so easy to use, EL expression injection vulnerabilities can also arise at any time. This vulnerability allows attackers to...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08, G06F16/955
CPC: H04L63/1433, H04L63/1466, H04L67/02
Inventors: 王梓嫱, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD