
Security diagnostic device and security diagnostic method

A security diagnostic device and diagnostic method, classified under computer security devices, instruments and electrical digital data processing, which addresses the problem that a defect in authority management cannot be judged when the assignment of authority to an object is unclear.

Status: Inactive
Publication Date: 2020-04-10
Applicant: MITSUBISHI ELECTRIC CORP

AI Technical Summary

Problems solved by technology

[0009] However, Patent Document 1 has the problem that, when the assignment of authority to an object is unclear, it cannot be determined whether there is a defect in authority management.



Embodiment 1

[0048] First, the hardware configuration will be described.

[0049] Figure 1 is a block diagram showing an example of the hardware configuration of the security diagnostic device (hereinafter, diagnostic device) 200 according to the first embodiment.

[0050] The diagnostic device 200 includes: a communication interface 101, which performs HTTP communication with the Web application that is the diagnosis target; a processor 102, which performs calculation processing on HTTP requests and HTTP responses; a memory 103, which holds calculation results and the like; an input interface 104, which accepts input from the user; an auxiliary storage device 105, which stores data; and an output interface 106, which displays results on the screen.

[0051] The processor 102 is realized by a processing circuit such as a CPU executing a program stored in memory, or by a system LSI (Large Scale Integration). It is also possible that multiple processing circuits jointly c...

Embodiment 2

[0134] In Embodiment 1 above, the extraction unit 303 extracted fixed parameters whose value does not change each time a login is performed. This embodiment shows an implementation that, for the same combination of transfer destination URL and parameter, distinguishes parameters whose extracted value changes on every login from parameters whose value does not change.

[0135] The configuration described in this embodiment is added on top of all the configurations described in Embodiment 1.

[0136] Figure 16 is a diagram showing an example of the HTTP request/response table 442 according to the second embodiment.

[0137] Figure 17 is a diagram showing an example of the parameter table 452 according to the second embodiment.

[0138] First, regarding the flowchart of Figure 11, the operations that differ from those of the first embodiment are described.

[0139] In step S103 of Figure 11, the crawling implementation unit 302 performs crawl...

Embodiment 3

[0164] In the first embodiment above, whether each parameter of the HTTP request extracted by the extraction unit 303 is fixed or fluctuating is stored in the fixed parameter table 460 of the fixed parameter database 311. This embodiment shows an implementation in which that information is instead saved by adding a field to the HTTP request/response table of the transfer data database 310.

[0165] Figure 24 is an overall block diagram including an example of the functional configuration of the diagnostic device 210 according to the third embodiment. The difference from the diagnostic device 200 of Embodiment 1 is that the unique data database is omitted.

[0166] Figure 25 is a flowchart showing the processing flow of the input unit 301, the crawling implementation unit 302, and the extraction unit 303 in the third embodiment. The difference from the flowchart of Figure 11 in Embodiment 1 is that step S105 outputs to the transfer data database 310.

[0167] Figure ...


Abstract

This security diagnostic device is provided with: an extraction unit which extracts, from among the parameters included in an HTTP request that was transmitted to a link destination URL using a privileged first account, a fixed parameter having the same value as a parameter included in an HTTP request that was transmitted to the link destination URL using a privileged second account; a request generation unit which, if the parameters of an HTTP request transmitted to the link destination URL using a general account include the same fixed parameter as that extracted by the extraction unit, and the value set for this fixed parameter is not a value for privileged accounts, outputs an HTTP request including the same fixed parameter but with the value set for privileged accounts; a request transmission/reception unit which transmits the output HTTP request to the link destination URL using the general account and receives an HTTP response; and a determination unit which determines the vulnerability of the link destination URL on the basis of the HTTP response. Accordingly, the security diagnostic device can diagnose authority management for defects without ascertaining each link destination URL in advance.
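The abstract describes four units (extraction, request generation, transmission/reception, determination) acting on captured HTTP requests from two privileged accounts and one general account. The following is an added example, not code from the patent or from Mitsubishi Electric, that implements that pipeline in Python against two constructed in-process "applications": one with an authority-management defect (it trusts a client-supplied `role` parameter) and one hardened version that takes the role from the server-side session. The URL, parameter names, session tokens and the per-login `csrf` values are all constructed for the example; the `csrf` values differ between the two privileged logins, so the extraction step discards them as fluctuating and keeps only `role`, which is the fixed/fluctuating distinction the embodiments refer to. The determination rule (flag the URL when the general account's modified request receives the same status as the privileged account's own request) is an assumption chosen for the example; the patent text only says the determination is made "on the basis of the HTTP response".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    url: str        # link destination URL
    params: dict    # query/form parameters sent with the request
    session: str    # session token identifying the sending account


# Hypothetical server-side session store of the application under diagnosis.
SESSIONS = {"sess-admin-1": "admin", "sess-admin-2": "admin", "sess-user": "user"}


def vulnerable_app(req: HttpRequest) -> int:
    """Constructed target with an authority-management defect: access to
    /admin/users is granted on the client-supplied 'role' parameter alone."""
    if req.url == "/admin/users" and req.params.get("role") == "admin":
        return 200
    return 403


def hardened_app(req: HttpRequest) -> int:
    """Same endpoint, but authority comes from the server-side session, so
    whatever 'role' the client sends has no effect on the decision."""
    if req.url == "/admin/users" and SESSIONS.get(req.session) == "admin":
        return 200
    return 403


def extract_fixed_params(priv_a: HttpRequest, priv_b: HttpRequest) -> dict:
    """Extraction unit: keep the parameters whose value is identical in the
    requests of two different privileged accounts. A value that is minted
    per login (a CSRF token, a session id) differs between them and is dropped."""
    if priv_a.url != priv_b.url:
        raise ValueError("both requests must target the same link destination URL")
    return {k: v for k, v in priv_a.params.items() if priv_b.params.get(k) == v}


def generate_request(general: HttpRequest, fixed: dict):
    """Request generation unit: if the general account's request carries a
    fixed parameter whose value is not the privileged one, produce the same
    request with the privileged value substituted. None means nothing to test."""
    overrides = {k: v for k, v in fixed.items()
                 if k in general.params and general.params[k] != v}
    if not overrides:
        return None
    return HttpRequest(general.url, {**general.params, **overrides}, general.session)


def diagnose(app, priv_a: HttpRequest, priv_b: HttpRequest, general: HttpRequest) -> str:
    """Transmission/reception and determination units. 'app' stands in for the
    HTTP round trip. Assumption for this example: the URL is vulnerable when the
    general account's modified request gets the same status as the privileged
    account's own request, i.e. the server decided on the parameter, not the account."""
    fixed = extract_fixed_params(priv_a, priv_b)
    probe = generate_request(general, fixed)
    if probe is None:
        return "not-applicable"
    return "vulnerable" if app(probe) == app(priv_a) else "safe"


# Constructed sample traffic: two privileged logins and one general login,
# each with its own per-login csrf value.
PRIV_A = HttpRequest("/admin/users", {"role": "admin", "csrf": "t-1111"}, "sess-admin-1")
PRIV_B = HttpRequest("/admin/users", {"role": "admin", "csrf": "t-2222"}, "sess-admin-2")
GENERAL = HttpRequest("/admin/users", {"role": "user", "csrf": "t-3333"}, "sess-user")

if __name__ == "__main__":
    print(extract_fixed_params(PRIV_A, PRIV_B))               # {'role': 'admin'}
    print(diagnose(vulnerable_app, PRIV_A, PRIV_B, GENERAL))  # vulnerable
    print(diagnose(hardened_app, PRIV_A, PRIV_B, GENERAL))    # safe
```

Using two privileged accounts rather than one is what makes the extraction robust: with a single privileged capture every parameter looks "fixed", and the diagnosis would waste probes on tokens that are unique per login. The hardened variant also shows the fix a developer applies when the check reports a finding: derive authority from state the client cannot set.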

Description

Technical Field

[0001] The invention relates to a security diagnostic device for diagnosing defects in authority management.

Background Art

[0002] Vulnerabilities in web applications exposed on the Internet are discovered every day, and attacks by malicious attackers are one of the threats that must be guarded against. Methods of confirming the presence or absence of a vulnerability in a web application include web application diagnosis tools and security diagnosis services. These methods diagnose known vulnerabilities by performing simulated attacks on the web application.

[0003] One class of web application vulnerability is a defect in authority management. A defect in authority management refers to a case where, given two accounts with different authorities, a page transition or function that should be permitted to only one of the accounts can also be reached or executed by the other account. Conventionally, a person performing a diagnosis visually confirms a ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57
CPC: G06F21/577, G06F21/604, H04L63/1433, H04L63/08, H04L63/168, H04L63/20, H04L67/02, H04L67/146
Inventor: 反町孝平
Owner: MITSUBISHI ELECTRIC CORP