
Interface permission test method and system, equipment and medium

A test method and test system, applied in the field of software testing, that addresses low test efficiency, undetected horizontal privilege violations, and the complexity of detecting horizontal privilege violations, with the effect of improving the degree of automation and coverage.

Pending Publication Date: 2022-02-01
INSPUR SUZHOU INTELLIGENT TECH CO LTD

AI Technical Summary

Problems solved by technology

The consideration of horizontal unauthorized access is not limited to this point; it must also cover whether users with different permissions can reach the same resource, so detecting horizontal unauthorized access is more complicated.
[0004] However, existing interface permission detection methods are only applicable to vertical privilege violations and can hardly detect the more complex horizontal privilege violations. Therefore, in actual security evaluation they can only cover the vertical permission part of an interface, while the remaining horizontal permission checks still have to be performed manually by security evaluation engineers, and test efficiency is low.


Embodiment Construction

[0065] In order to make the object, technical solution and advantages of the present invention clearer, the embodiments of the present invention are further described in detail below in conjunction with specific embodiments and with reference to the accompanying drawings.

[0066] It should be noted that all uses of "first" and "second" in the embodiments of the present invention serve to distinguish two entities with the same name but different parameters, or parameters that are not the same. "First" and "second" are used only for convenience of expression and should not be construed as a limitation on the embodiments of the present invention; this is not repeated in the subsequent embodiments.

[0067] In the embodiments of the present invention, interface overreach means that after an attacker obtains a low-privileged user account, the attacker bypasses the permission check in some way and can access or operate on other users or higher-privileged users....


Abstract

The invention discloses an interface permission test method comprising the following steps: obtaining an interface permission table in which a plurality of test parameters of each interface to be tested are recorded; obtaining values corresponding to a plurality of those parameters for each interface to be tested; generating a request from the parameters of each interface to be tested and their corresponding values, and sending the request to the corresponding interface to be tested; and, in response to the response returned by that interface, obtaining the matching rule and expected response of that interface, and verifying the returned response according to the matching rule and the expected response. The invention further discloses a system, computer equipment and a readable storage medium. According to the scheme provided by the invention, by customizing interface request parameters and response matching rules, accurate detection of horizontal and vertical unauthorized access on interfaces is realized, manual detection of the complex horizontal unauthorized-access problem is replaced, and the degree of automation and detection efficiency for interface unauthorized-access problems are improved.
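As an added illustration (not the patent's own code), the following is a minimal table-driven harness in the shape the abstract describes: a permission table lists each interface's parameters, the user contexts to fill them with, and a matching rule with an expected response; requests are generated, sent, and the responses checked. The table contents, the mock backend and all names are constructed assumptions.

```python
import re
# Constructed "interface permission table" (all names are assumptions): for
# each interface, the user contexts that supply parameter values, and per
# context the matching rule plus the expected response.
PERMISSION_TABLE = [
    {"interface": "GET /api/orders/{order_id}",
     "contexts": {"owner": {"user": "alice", "order_id": "1001"},
                  "other_user": {"user": "bob", "order_id": "1001"},  # horizontal case
                  "admin": {"user": "admin", "order_id": "1001"}},
     "rules": {"owner": ("status", 200), "other_user": ("status", 403),
               "admin": ("body_regex", r"'owner': 'alice'")}},
    {"interface": "DELETE /api/users/{user_id}",
     "contexts": {"low_priv": {"user": "bob", "user_id": "alice"},  # vertical case
                  "admin": {"user": "admin", "user_id": "alice"}},
     "rules": {"low_priv": ("status", 403), "admin": ("status", 200)}},
]

# Constructed stand-in for the system under test: it enforces the vertical
# (role) check but never verifies order ownership, the horizontal flaw to find.
ORDERS = {"1001": {"owner": "alice", "total": 42}}
ROLES = {"alice": "user", "bob": "user", "admin": "admin"}

def mock_backend(method, path, user):
    if method == "GET" and path.startswith("/api/orders/"):
        order = ORDERS.get(path.rsplit("/", 1)[1])
        return (200, str(order)) if order else (404, "")        # no owner check
    if method == "DELETE" and path.startswith("/api/users/"):
        return (200, "deleted") if ROLES[user] == "admin" else (403, "forbidden")
    return (404, "")

def build_request(interface, values):
    """Fill the interface template with this context's parameter values."""
    method, template = interface.split(" ", 1)
    return method, template.format(**values)

def matches(rule, expected, status, body):
    """Matching rule: exact status code, or a regex over the response body."""
    return status == expected if rule == "status" else re.search(expected, body) is not None

def run_permission_tests(table, send=mock_backend):
    """Return (interface, context, status) for every response that broke its rule."""
    findings = []
    for entry in table:
        for ctx, values in entry["contexts"].items():
            method, path = build_request(entry["interface"], values)
            status, body = send(method, path, values["user"])
            rule, expected = entry["rules"][ctx]
            if not matches(rule, expected, status, body):
                findings.append((entry["interface"], ctx, status))
    return findings
```

Against the mock backend the harness reports only the horizontal case (bob reading alice's order with a 200), while the vertical delete check passes.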

Description

Technical field

[0001] The invention relates to the field of testing, in particular to an interface permission testing method, system, equipment and storage medium.

Background technique

[0002] Broken Access Control (BAC) is a common vulnerability in web applications. Because it is so widespread and so harmful, OWASP lists it second among the top ten web application security risks. The vulnerability means that the application's authorization check is flawed, allowing an attacker who has obtained a low-privileged user account to bypass the authorization check by some means and access or operate on other users or higher privileges. The main cause of unauthorized-access vulnerabilities is that developers place too much trust in client-supplied data when adding, deleting, modifying and querying data, and neglect to check authority. Once authority verification is insufficient, it is easy to caus...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F11/22; G06F21/45
CPC: G06F11/2273; G06F11/2289; G06F21/45; G06F2221/2135
Inventor 李勇
Owner INSPUR SUZHOU INTELLIGENT TECH CO LTD