Ultra vires detection method and device

An ultra vires (unauthorized access) detection method and device, applied in the computer field, which addresses the problems that not all URLs can be crawled and that verification is difficult.

Pending Publication Date: 2020-10-13
Applicant: BEIJING WODONG TIANJUN INFORMATION TECH CO LTD (and one other)

AI-Extracted Technical Summary

Problems solved by technology

[0006] In view of this, the embodiment of the present invention provides an unauthorized detection method and device, which can at least solve...

Method used

The method provided by the above embodiment adopts the algorithmic ideas of UI automation testing, looping and recursion: starting from the current page, it determines new URLs from the sub-elements of the page's elements, and thereby expands the range of URL acquisition, so as to achieve ...

Abstract

The invention discloses an ultra vires detection method and device, and relates to the technical field of computers. One specific embodiment of the ultra vires detection method comprises the following steps: accessing, as preset, a resource location address in a preset linear table based on a first account, generating a first request and sending it to a server so as to receive a first message fed back by the server; generating a second request based on the second account accessing the resource location address; obtaining a first cookie in the first request, replacing a second cookie in the second request with the first cookie, and sending the replaced second request to the server so as to receive a second message fed back by the server; and, if the first message is the same as the second message, determining that the second account has an ultra vires behavior with respect to the first account at the resource location address. According to the embodiment, on the basis of an account cookie replacement mode, the response messages are compared and automatically verified so as to check whether an ultra vires behavior exists between accounts.

Application Domain

Platform integrity maintenance

Technology Topic

Engineering; Real-time computing (+1)

Example Embodiment

[0046] The following describes exemplary embodiments of the present invention with reference to the accompanying drawings, which include various details of the embodiments of the present invention to facilitate understanding, and should be regarded as merely exemplary. Therefore, those of ordinary skill in the art should realize that various changes and modifications can be made to the embodiments described herein without departing from the scope and spirit of the present invention. Likewise, for clarity and conciseness, descriptions of well-known functions and structures are omitted in the following description.
[0047] The words involved in the present invention are explained as follows:
[0048] White box testing is also called structural testing or logic-driven testing. It tests the program on the basis of its internal structure, checking whether the product's internal actions are carried out normally according to the design specification and whether each path in the program works correctly according to the preset requirements. This method regards the test object as an open box: the tester designs or selects test cases based on information about the program's internal logical structure, tests all logical paths of the program, and determines whether the actual state is consistent with the expected state by checking the program's state at different points.
[0049] White box testing is a method of designing test cases. The box refers to the software being tested, and "white box" means that the box is visible: you know what is inside the box and how it works. The "white box" method requires a comprehensive understanding of the internal logical structure of the program and tests all of its logical paths; it is an exhaustive path test. When using this scheme, the tester must examine the internal structure of the program, starting from the program's logic, and derive test data from it. The number of independent paths through a program is astronomical.
[0050] See Figure 1, which shows the main flow chart of an unauthorized detection method provided by an embodiment of the present invention, including the following steps:
[0051] S101: As preset, access the resource location address in the preset linear table based on the first account, generate a first request and send it to the server so as to receive the first message fed back by the server;
[0052] S102: Generate a second request based on the second account accessing the resource location address, wherein the second account and the first account have different permissions;
[0053] S103: Obtain the first cookie in the first request, replace the second cookie in the second request with the first cookie, and send the replaced second request to the server so as to receive the second message fed back by the server;
[0054] S104: If the first message and the second message are the same, determine that, at the resource location address, the second account has an unauthorized behavior with respect to the first account.
[0055] In the foregoing embodiment, for step S101, this embodiment assumes that every URL has an unauthorized-access loophole.
[0056] Prepare two test accounts A and B for the same application. These two accounts can be unrelated accounts with different or the same permissions; different permissions correspond to vertical unauthorized access and the same permissions to horizontal unauthorized access. Even in the horizontal case the feature information of the two accounts can still differ, so both cases are summarized here as "different permissions".
[0057] Some website browsing requires account login and some does not. If no login is required, the login operation can be omitted; if login is required, selenium webdriver can be used to simulate the operation in the browser, for example simulating click operations instead of clicking manually.
[0058] Taking account A as an example, simulate account A logging in to the web browser and obtain the cookie corresponding to account A from the browser's local storage. Here a cookie is data stored on the user's local terminal: data (usually encrypted) that the website stores on the user's local terminal in order to identify the user and track the session.
[0059] Traverse and click the URLs in the preset linear table (see the description of Figure 2 below) to generate an http request for each single URL link, and then send the http requests to the server one by one, or assemble the obtained http requests and send them to the server together.
[0060] The server responds to the http request and returns a response message, which is saved locally in the browser for subsequent data comparison. Here a message is the data unit exchanged and transmitted in the network, that is, the block of data sent by a site at one time; the message contains the complete data to be sent, and its length is not fixed: it is unlimited and variable.
[0061] Finally, the corresponding relationship is obtained:
[0062] ; among them, the request parameter is the parameter of the first http request.
[0063] For step S102, likewise for account B, use selenium webdriver to simulate operations in the browser: log in to account B, traverse the URLs in the linear table one by one, and generate a second http request.
[0064] For step S103, traverse all the http requests of account B, replace the second cookie in each second http request of account B with the first cookie in the first http request of account A (the cookie is part of the http request, and only this part is replaced), resend the second http request to the server, and then receive the second message fed back by the server.
[0065] It should be noted that the structure of the data in the message obtained for account B should be the same as the structure of the data obtained for account A. The corresponding relationship is finally obtained:
[0066] ; among them, the request parameter is the parameter of the second http request.
[0067] For step S104, compare the second message obtained for account B with the first message of account A. If they are the same, account B has an unauthorized behavior with respect to account A at this URL. If they are different, continue with the analysis of the next request.
[0068] It should be noted that, for the same URL, even if account B has an unauthorized behavior with respect to account A, the message data obtained may not be completely identical. In this case, key fields can be extracted and checked for equality.
[0069] The method provided in the above embodiment compares and automatically checks the response messages on the basis of the account cookie replacement method, so as to check whether there is unauthorized behavior between accounts.
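The cookie-replacement comparison of steps S101 to S104, together with the key-field comparison of paragraph [0068], as an added worked example that is not part of the patent or the applicant's code. The application is simulated in-process by a constructed `MockServer` whose two endpoints behave differently (one answers from the session cookie alone and ignores the account parameter in the request, the other requires the account parameter to match the session), so the check runs offline without a browser. `Request`, `SESSIONS`, `PROFILES`, `build_request`, `key_fields` and `detect_ultra_vires` are assumed names, and the `trace` counter stands in for response fields such as timestamps that differ between otherwise identical messages.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """One http request: the URL from the linear table, the session cookie,
    and the account's own request parameters (constructed model)."""
    url: str
    cookie: str
    params: dict = field(default_factory=dict)


# Constructed session store (cookie -> account) and per-account private data.
SESSIONS = {"sid-A": "A", "sid-B": "B"}
PROFILES = {
    "A": {"account": "A", "email": "a@example.test", "balance": 100},
    "B": {"account": "B", "email": "b@example.test", "balance": 5},
}


class MockServer:
    """Constructed application with two endpoints.

    /profile       answers from the session cookie alone; the account
                   parameter carried in the request is ignored.
    /order/detail  requires the account parameter to match the session.
    Every response carries a `trace` counter so that no two messages are
    byte-identical, which exercises the key-field comparison of [0068]."""

    def __init__(self):
        self.trace = 0

    def handle(self, req: Request) -> dict:
        self.trace += 1
        account = SESSIONS.get(req.cookie)
        if account is None:
            return {"status": 401, "trace": self.trace}
        if req.url == "/profile":
            return {"status": 200, "trace": self.trace, "data": PROFILES[account]}
        if req.url == "/order/detail":
            if req.params.get("account") != account:
                return {"status": 403, "trace": self.trace, "error": "account mismatch"}
            return {"status": 200, "trace": self.trace, "data": PROFILES[account]}
        return {"status": 404, "trace": self.trace}


def build_request(account: str, cookie: str, url: str) -> Request:
    """S101 / S102: each account generates its own request for the URL."""
    return Request(url=url, cookie=cookie, params={"account": account})


def key_fields(message: dict, keys=("status", "data")) -> dict:
    """[0068]: keep only the fields that decide equality; volatile fields
    such as `trace` are dropped before comparing."""
    return {k: message.get(k) for k in keys}


def detect_ultra_vires(server, urls, first, second) -> dict:
    """Apply S101-S104 to every URL. `first` and `second` are (account, cookie)
    pairs; the result maps each URL to True when the replaced second request
    yields the same key fields as the first account's own message."""
    results = {}
    for url in urls:
        req_a = build_request(first[0], first[1], url)
        msg1 = server.handle(req_a)                                         # S101
        req_b = build_request(second[0], second[1], url)                    # S102
        replaced = Request(url=req_b.url, cookie=req_a.cookie, params=req_b.params)  # S103
        msg2 = server.handle(replaced)
        results[url] = key_fields(msg1) == key_fields(msg2)                 # S104
    return results


if __name__ == "__main__":
    server = MockServer()
    table = ["/profile", "/order/detail"]  # constructed linear table
    for url, flagged in detect_ultra_vires(server, table, ("A", "sid-A"), ("B", "sid-B")).items():
        print(url, "unauthorized behavior" if flagged else "no unauthorized behavior")
```

Running the block reports `/profile` as the same response for the replaced request, so it is flagged in the sense of step S104, while `/order/detail` answers differently and is not. Because `trace` changes on every response, comparing whole messages would never report equality; restricting the comparison to key fields is what paragraph [0068] calls for. A URL that does not exist answers identically for every cookie, which is why paragraph [0077] removes links that do not jump before they enter the linear table.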
[0070] See Figure 2, which shows a schematic flowchart of an optional unauthorized detection method according to an embodiment of the present invention, including the following steps:
[0071] S201: Determine the operation items in the application page, and obtain the page element corresponding to each operation item;
[0072] S202: Determine the resource location address according to the hypertext reference (href) attribute in the page element;
[0073] S203: In response to a click operation on the resource location address, if the page jump succeeds, store the resource location address in the linear table.
[0074] In the foregoing embodiment, step S201 is used to crawl all URLs in the application as input for the automatic unauthorized-access verification.
[0075] Log in to the application page through Webdriver, and use the API (Application Program Interface) to obtain all page elements (WebElement) of the page. For example, the business homepage contains many operation menus, such as first-level and second-level menus; alternatively, it is not necessary to start from the homepage, and a page can be selected at random, because the pages are related to each other.
[0076] For steps S202 and S203, get the tag in WebElement as
[0077] Further, some URLs may be blank pages or other links without practical meaning. Therefore, before adding them to the linear table, these URLs can be traversed, the browser simulated clicking each URL, and only the URLs that can be clicked successfully saved in the linear table. In this way, the preset linear table used for ultra vires detection is obtained.
[0078] The method provided by the foregoing embodiment obtains all URLs associated with the current page on the basis of the page's elements, so as to realize the URL crawling operation and expand the scope of URL acquisition.
[0079] See Figure 3, which shows a schematic flowchart of another optional unauthorized detection method according to an embodiment of the present invention, including the following steps:
[0080] S301: Determine the operation items in the application page, and obtain the page element corresponding to each operation item;
[0081] S302: Determine the resource location address according to the hypertext reference (href) attribute in the page element;
[0082] S303: In response to a click operation on the resource location address, if the page jump succeeds, store the resource location address in the linear table;
[0083] S304: Determine a first operation item in the jump page, and use the element corresponding to the first operation item as a child element of the page element;
[0084] S305: Determine a first resource location address according to the hypertext reference attribute of the child element, and then store the first resource location address in the linear table;
[0085] S306: Repeat the above page jump and child element acquisition operations, and stop when there is no child element corresponding to the current page element.
[0086] In the above embodiment, for steps S301 to S303, see the description of steps S201 to S203 shown in Figure 2, which will not be repeated here.
[0087] In the foregoing embodiment, for steps S304 to S306, in order to expand the scope of URL acquisition, URLs can be obtained further, on the basis of the page elements of the current page, from the sub-elements of those page elements.
[0088] Specifically, the sub-element corresponding to the page element is obtained from the stored information of the page, and the URL is determined based on the sub-element and its href attribute.
[0089] For example, the clickable page elements in the current page include ; after clicking element E1, the browser jumps to a new page, all the clickable page elements in this new page are , and the URL is determined based on the href attribute of the new page's elements.
[0090] Traverse the URLs of the child elements and check whether each can be clicked; if it can be clicked, save the URL in the linear table, so that finally all obtained URLs are stored in the linear table.
[0091] Repeat this operation until the page element has no child elements, that is, the current element is a leaf node, at which point the recursion ends.
[0092] The method provided in the above embodiment adopts the algorithmic ideas of UI automated testing, looping and recursion: on the basis of the current page, new URLs are determined from the sub-elements of its page elements, thereby expanding the scope of URL acquisition and achieving the purpose of automatically obtaining all requested URLs.
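The recursive URL collection of Figures 2 and 3 (steps S201 to S203 and S304 to S306, including the removal of non-jumping links from paragraph [0077]), as an added worked example that is not part of the patent or the applicant's code. A real implementation drives a browser through selenium webdriver and reads the href attribute of each WebElement; here the site is a constructed dictionary `SITE` of path to HTML so the crawl runs offline, `click` stands in for the browser jump and returns None when no page exists, and `HrefCollector`, `extract_hrefs` and `build_linear_table` are assumed names.

```python
from html.parser import HTMLParser

# Constructed site: path -> HTML of the page reached by clicking that path.
# "/blank" is linked from the homepage but has no page, so clicking it does
# not jump anywhere and it must not enter the linear table.
SITE = {
    "/home": '<a href="/orders">Orders</a><a href="/profile">Profile</a><a href="/blank">Blank</a>',
    "/orders": '<a href="/orders/1">Order 1</a><a href="/home">Home</a>',
    "/orders/1": '<a href="/orders/1/invoice">Invoice</a>',
    "/orders/1/invoice": "<p>Invoice text, no links: a leaf page</p>",
    "/profile": '<a href="/profile/edit">Edit</a>',
    "/profile/edit": "<form>Edit form, no links</form>",
}


class HrefCollector(HTMLParser):
    """Collects the href attribute of every <a> element, i.e. the clickable
    page elements of S201 / S301."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html: str) -> list:
    """S202 / S302: resource location addresses taken from href attributes."""
    parser = HrefCollector()
    parser.feed(html)
    return parser.hrefs


def click(url: str):
    """S203 / S303: simulated click; returns the jump page's HTML, or None
    when the click does not lead to a page."""
    return SITE.get(url)


def build_linear_table(start: str) -> list:
    """Recursive crawl of S304-S306: every clickable element of a jump page is
    treated as a child element and followed until a page has no children."""
    table = [start]
    visited = {start}

    def visit(html: str):
        for url in extract_hrefs(html):
            if url in visited:          # link back to a page already handled
                continue
            visited.add(url)
            page = click(url)
            if page is None:            # no jump: not stored ([0077])
                continue
            table.append(url)           # S203 / S305: store the clickable URL
            visit(page)                 # a leaf page yields no hrefs, ending the recursion

    visit(SITE[start])
    return table


if __name__ == "__main__":
    print(build_linear_table("/home"))
```

The `visited` set is what keeps the recursion finite when pages link back to each other (here `/orders` links to `/home`); without it the loop of paragraph [0091] would never reach a leaf. The resulting table is the input that steps S101 to S104 then traverse.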
[0093] See Figure 4, which shows a schematic diagram of the main modules of an unauthorized detection device 400 provided by an embodiment of the present invention, including:
[0094] The address access module 401 is configured to access, as preset, the resource location address in the preset linear table based on the first account, generate a first request and send it to the server so as to receive the first message fed back by the server;
[0095] The request generation module 402 is configured to access the resource location address based on a second account to generate a second request, wherein the second account and the first account have different permissions;
[0096] The information replacement module 403 is configured to obtain the first cookie in the first request, replace the second cookie in the second request with the first cookie, and send the replaced second request to the server so as to receive the second message fed back by the server;
[0097] The unauthorized determination module 404 is configured to determine that the second account has an unauthorized behavior with respect to the first account if the first message and the second message are the same.
[0098] The device of the embodiment of the present invention also includes an address determination module 405 (not shown in the figure), configured to:
[0099] Determine the operation items in the application page, and obtain the page element corresponding to each operation item;
[0100] Determine the resource location address according to the hypertext reference attribute in the page element, and then store the resource location address in the linear table.
[0101] In the device of the embodiment of the present invention, the address determination module 405 is further configured to store the resource location address in the linear table if, in response to a click operation on the resource location address, the page jump succeeds.
[0102] The device of the embodiment of the present invention also includes an address expansion module 406 (not shown in the figure), configured to:
[0103] Determine the first operation item in the jump page, and use the element corresponding to the first operation item as a child element of the page element;
[0104] Determine the first resource location address according to the hypertext reference attribute of the child element, and then store the first resource location address in the linear table;
[0105] Repeat the above page jump and child element acquisition operations, and stop when there is no child element corresponding to the current page element.
[0106] In addition, the specific implementation of the device in the embodiment of the present invention has been described in detail in the method above, so the repeated content will not be described here.
[0107] Figure 5 shows an exemplary system architecture 500 to which embodiments of the present invention can be applied.
[0108] As shown in Figure 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504 and a server 505 (just an example). The network 504 provides a medium for communication links between the terminal devices 501, 502, 503 and the server 505. The network 504 may include various connection types, such as wired or wireless communication links, fiber optic cables, and so on.
[0109] The user can use the terminal devices 501, 502 and 503 to interact with the server 505 via the network 504, to receive or send messages and so on. Various communication client applications may be installed on the terminal devices 501, 502 and 503.
[0110] The terminal devices 501, 502 and 503 may be various electronic devices that have a display screen and support web browsing, including but not limited to smart phones, tablet computers, laptop computers, desktop computers, and so on.
[0111] The server 505 may be a server that provides various services, for example a back-end management server (just an example) that provides support for shopping websites browsed by users of the terminal devices 501, 502 and 503.
[0112] It should be noted that the method provided by the embodiment of the present invention is generally executed by the server 505, and accordingly the device is generally located in the server 505.
[0113] It should be understood that the numbers of terminal devices, networks and servers in Figure 5 are only indicative. According to implementation needs, there can be any number of terminal devices, networks and servers.
[0114] Reference is now made to Figure 6, which shows a schematic structural diagram of a computer system 600 suitable for implementing the terminal device of an embodiment of the present invention. The terminal device shown in Figure 6 is only an example and should not impose any limitation on the function and scope of use of the embodiments of the present invention.
[0115] As shown in Figure 6, the computer system 600 includes a central processing unit (CPU) 601, which can execute various appropriate actions and processing according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage part 608 into a random access memory (RAM) 603. The RAM 603 also stores various programs and data required for the operation of the system 600. The CPU 601, ROM 602 and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
[0116] The following components are connected to the I/O interface 605: an input part 606 including a keyboard, a mouse, etc.; an output part 607 including a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and speakers; a storage part 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, a modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is mounted on the drive 610 as needed, so that the computer program read from it can be installed into the storage part 608 as needed.
[0117] In particular, according to the disclosed embodiments of the present invention, the process described above with reference to the flowchart can be implemented as a computer software program. For example, the disclosed embodiments of the present invention include a computer program product, which includes a computer program carried on a computer-readable medium, and the computer program contains program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from the network through the communication part 609, and/or installed from the removable medium 611. When the computer program is executed by the central processing unit (CPU) 601, the above-mentioned functions defined in the system of the present invention are executed.
[0118] It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but not limited to, an electric, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage media may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present invention, the computer-readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by or in combination with an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in a baseband or as part of a carrier wave, in which computer-readable program code is carried. Such a propagated data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the foregoing. The computer-readable signal medium may also be any computer-readable medium other than the computer-readable storage medium; it may send, propagate or transmit the program for use by or in combination with the instruction execution system, apparatus or device. The program code contained on the computer-readable medium can be transmitted by any suitable medium, including but not limited to wireless, wire, optical cable, RF, etc., or any suitable combination of the above.
[0119] The flowcharts and block diagrams in the accompanying drawings illustrate the possible implementation architecture, functions and operations of the system, method and computer program product according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagram may represent a module, program segment or part of code, and that module, program segment or part of code contains one or more executable instructions for realizing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession can in fact be executed substantially in parallel, and they can sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagram or flowchart, and each combination of blocks in the block diagram or flowchart, can be implemented by a dedicated hardware-based system that performs the specified function or operation, or by a combination of dedicated hardware and computer instructions.
[0120] The modules involved in the embodiments described in the present invention can be implemented in software or hardware. The described module may also be provided in the processor. For example, it may be described as: a processor includes an address access module, a request generation module, an information replacement module, and an unauthorized determination module. Among them, the names of these modules do not constitute a limitation on the module itself under certain circumstances. For example, the unauthorized determination module can also be described as "account unauthorized determination module".
[0121] As another aspect, the present invention also provides a computer-readable medium. The computer-readable medium may be included in the device described in the foregoing embodiment; or it may exist alone without being assembled into the device. The above-mentioned computer-readable medium carries one or more programs. When the above-mentioned one or more programs are executed by a device, the device includes:
[0122] Preset based on the first account to access the resource location address in the preset linear table, generate a first request and send it to the server to receive the first message fed back by the server;
[0123] Generate a second request based on the second account accessing the resource location address; wherein the second account has different permissions from the first account;
[0124] Obtain the first cookie in the first request, replace the second cookie in the second request with the first cookie, and send the replaced second request to the server so as to receive the second message fed back by the server;
[0125] If the first message and the second message are the same, it is determined that the second account has an unauthorized behavior with respect to the first account.
[0126] According to the technical solution of the embodiment of the present invention, for a page, multiple jump pages are determined based on the page elements of that page; in each jump page, further jump pages are determined based on its page elements, and so on, so that all page URLs associated with the page are obtained and the page association linear table is constructed. The crawled URLs are then taken as input, the http request responses of the different accounts are verified, and it is identified whether an account has unauthorized behavior at a URL.
[0127] The foregoing specific implementations do not constitute a limitation on the protection scope of the present invention. Those skilled in the art should understand that, depending on design requirements and other factors, various modifications, combinations, sub-combinations, and substitutions can occur. Any modifications, equivalent substitutions and improvements made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
