Security injection automation method and device, electronic device and storage medium

A security injection automation technology and device, applied in the field of data security, which solves the problems of complex and numerous system controls, labor-intensive manual injection, and the inability to analyze results in real time, thereby improving the efficiency and quality of security testing.

Pending Publication Date: 2022-05-10
WINNING HEALTH TECHNOLOGY GROUP CO LTD
0 Cites 0 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0005] The technical problem solved by the present invention is that, in the prior art, security injection monitoring of C/S-architecture systems can only be performed by manual injection. Due to the complexity and large number of system contr...

Method used

[0068] Through security injection automation monitoring, the method of this embodiment tests the security of a C/S-architecture information system with automatic execution and real-time feedback of results and without manual intervention, which greatly reduces the labo...

Abstract

The invention discloses a security injection automation method and device, an electronic device and a storage medium. When a trigger condition is met, the method performs the following steps: locate a control of the information management system; start an SQL (Structured Query Language) trace tool, which traces the database so that the data stream can be inspected; input an SQL injection statement, where the SQL injection statement is generated from the value received by the control; stop the SQL trace tool; and analyze the injection risk of the data stream according to preset rules to obtain an analysis result. This achieves automated testing in the field of security testing of C/S-architecture information management systems: even when the system controls are complex and numerous, no manual intervention is needed, monitoring and tracing are completed automatically, and the efficiency and quality of automated security testing are improved.

Application Domain

Digital data information retrieval; Software testing/debugging; +1

Technology Topic

System safety; Data stream analysis; +10

Examples

Example Embodiment

[0044] Example 1
[0045] Figure 1 shows a security injection automation method for an information management system based on a C/S architecture in this embodiment. The information management system may be any deployed information management system, for example one for personnel file management or one for library book lending. The security injection automation method includes:
[0046] When the trigger condition is met (the trigger condition may be a timed trigger), the following steps are performed:
[0047] Step 11: Locate the controls of the information management system. If the information management system is built on Windows, its controls can be divided into Windows standard controls and Windows non-standard controls. Locating standard controls is relatively simple and can be done with AutoIt. Locating non-standard controls is more involved and can be done with RanorexStudio; RanorexStudio can of course also be used to locate both the standard and the non-standard controls of the information management system at the same time.
[0048] Step 12: Start the SQL trace tool, which traces the database so that the data stream can be inspected. In this embodiment the SQL trace tool is SQL Profiler, but any other tool that can trace the database's data stream is equally applicable to this method.
[0049] Step 13: Input the SQL injection statement. The SQL injection statement is generated from the value received by the control: the user's operation on the control (input, selection, and so on) produces a value, and the application turns that value into an SQL statement. The resulting statements may be safe SQL statements, or SQL statements into which unsafe SQL has been concatenated.
[0050] Step 14: Stop the SQL trace tool.
[0051] Step 15: Analyze the injection risk of the data stream according to the preset rules and obtain an analysis result. The preset rules may include:
[0052] If the SQL injection statement contains a preset high-risk SQL statement, the analysis result is a high-risk injection risk. A high-risk SQL statement is one that carries a high injection risk: it is likely to bypass the application's security measures and insert malicious SQL into a database query, potentially allowing an attacker to take complete control of the database server and seriously threatening database security. Some possible high-risk SQL statements are listed below for reference:
[0053] Routine query probes:
[0054] ' or 1 like '1
[0055] 1' HAVING 1=1--
[0056] 1' GROUP BY CPOE_BRSYK.EMRXH HAVING 1=1--
[0057] 1' AND 1>(SELECT TOP 1 HZXM FROM CPOE_BRSYK)--
[0058] 1' ORDER BY 13
[0059] Time-delay based (the sleep() and database() calls below are MySQL syntax; on SQL Server, the database SQL Profiler traces, the equivalent delay probe uses WAITFOR DELAY):
[0060] kobe' and sleep(5)--
[0061] kobe' and if((substr(database(),1,1))='a',sleep(5),null)--
[0062] kobe' and if((substr(database(),1,1))='p',sleep(5),null)--
[0063] Brute-forcing table and column names:
[0064] kobe' and exists(select * from aa)--
[0065] The preset rules may also include:
[0066] If data belonging to the preset sensitive information is transmitted in clear text, the analysis result is a high-risk injection risk. The sensitive information may include user names, passwords and similar data. If such information is not encrypted in transit, it is likely to be leaked or maliciously intercepted, so it is likewise rated as a high injection risk.
[0067] Step 16: Send the analysis result by e-mail to a preset mailbox. The preset mailbox can be chosen as needed, for example the mailbox of a security manager, the mailbox of system maintenance staff, or any other mailbox.
[0068] Through security injection automation monitoring, the method of this embodiment tests the security of a C/S-architecture information system with automatic execution and real-time feedback of results and without manual intervention, which greatly reduces the labor cost of testing.
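The analysis of Step 15 and the report of Step 16 (the same logic as the analysis module 25 and notification module 26 of Example 2 below), as an added Python example that is not part of the patent and not code from the applicant. It assumes the SQL trace tool has exported the captured statement text (the TextData column of a SQL Profiler trace) as a list of strings; the sample events, the sysusers/books table names, the regular expressions and the function names are all constructed for this example. It goes one step beyond the page's rule by treating a parameterized call differently from concatenated SQL, since that distinction is what separates a vulnerable control from a safe one.

```python
import re
from dataclasses import dataclass

# Constructed sample of captured SQL text, standing in for the TextData column
# of a SQL Profiler trace recorded between Step 12 (start trace) and Step 14
# (stop trace). Table and column names follow the payload list above; the rows
# themselves are made up for this example.
SAMPLE_TRACE = [
    "SELECT HZXM FROM CPOE_BRSYK WHERE EMRXH = '1' HAVING 1=1--'",
    "SELECT HZXM FROM CPOE_BRSYK WHERE EMRXH = '1' AND 1>(SELECT TOP 1 HZXM FROM CPOE_BRSYK)--'",
    "SELECT * FROM sysusers WHERE name = 'kobe' and sleep(5)--'",
    "SELECT * FROM sysusers WHERE name = 'kobe' and exists(select * from aa)--'",
    "SELECT id FROM sysusers WHERE name = 'alice' AND password = 'Winter2022!'",
    "SELECT title FROM books WHERE id = 42",
    # Correctly parameterized call: the payload arrives as a parameter value,
    # not spliced into the query text, so it must not be flagged.
    "exec sp_executesql N'SELECT HZXM FROM CPOE_BRSYK WHERE EMRXH = @p1', "
    "N'@p1 nvarchar(64)', @p1 = N'1'' HAVING 1=1--'",
]

# Preset rule 1: high-risk SQL fragments, one pattern per family in the list
# above (routine query probes, time delay, table/column brute force).
HIGH_RISK_PATTERNS = {
    "tautology (OR 1 LIKE 1 / HAVING 1=1)":
        re.compile(r"(\bor\s+1\s*like\s*'?1|\bhaving\s+1\s*=\s*1)", re.I),
    "column enumeration (GROUP BY ... HAVING 1=1)":
        re.compile(r"\bgroup\s+by\b.+\bhaving\s+1\s*=\s*1", re.I),
    "subquery comparison (AND 1>(SELECT TOP 1 ...))":
        re.compile(r"\b1\s*>\s*\(\s*select\s+top\s+1\b", re.I),
    "ORDER BY column probing":
        re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "time delay (sleep(n))":
        re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "table brute force (EXISTS(SELECT ... FROM ...))":
        re.compile(r"\bexists\s*\(\s*select\b", re.I),
}

# Preset rule 2: a sensitive field (password) visible in clear text in the
# captured data stream.
CLEARTEXT_SECRET = re.compile(r"\b(password|passwd|pwd)\s*=\s*'[^']*'", re.I)

# sp_executesql N'<query text>', N'<param decls>', @p1 = ...: only the first
# N'...' literal is the query the application composed.
PARAM_EXEC = re.compile(r"^\s*exec\s+sp_executesql\s+N'((?:[^']|'')*)'", re.I)


@dataclass
class Finding:
    statement: str
    rule: str
    level: str = "high"   # both preset rules on the page yield "high-risk"


def statement_text(event: str) -> str:
    """Return the part of a captured event that the application composed.

    For a parameterized call the tester's payload sits in a parameter value,
    so only the query text is inspected; otherwise a correctly parameterized
    query would be flagged merely because the payload echoed through it.
    """
    m = PARAM_EXEC.match(event)
    return m.group(1).replace("''", "'") if m else event


def analyze_trace(events):
    """Step 15: apply the preset rules to every captured statement."""
    findings = []
    for event in events:
        text = statement_text(event)
        for name, pattern in HIGH_RISK_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(event, f"high-risk SQL: {name}"))
                break  # one high-risk hit per statement is enough
        m = CLEARTEXT_SECRET.search(event)   # parameter values count too
        if m:
            findings.append(Finding(event, f"cleartext sensitive field '{m.group(1)}'"))
    return findings


def build_report(findings) -> str:
    """Step 16: body of the e-mail sent to the preset mailbox."""
    if not findings:
        return "Security injection run: no high-risk injection risk found."
    lines = [f"Security injection run: {len(findings)} high-risk finding(s)"]
    for f in findings:
        lines.append(f"- [{f.level.upper()}] {f.rule}\n    {f.statement}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(analyze_trace(SAMPLE_TRACE)))
```

Two caveats for anyone reproducing the method. First, a payload that shows up verbatim in the statement text is the evidence that the control concatenated it; the same payload inside an sp_executesql parameter value is the evidence that it did not, which is why the example inspects only the query text for rule 1. Second, a server-side trace such as SQL Profiler sees statement text after the connection has already been decrypted, so it cannot tell whether the wire was encrypted; rule 2 as implemented here only catches secrets that are literally present in statement text, and transport encryption has to be verified separately on the connection settings.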

Example Embodiment

[0069] Example 2
[0070] Figure 2 shows a security injection automation device for an information management system based on a C/S architecture in this embodiment. The information management system may be any deployed information management system, for example one for personnel file management or one for library book lending. The security injection automation device includes a trigger module 21, a locating module 22, a tracing module 23, an input module 24, an analysis module 25 and a notification module 26.
[0071] The trigger module 21 is configured to invoke the locating module 22 when a trigger condition is met. The trigger condition may be a timed trigger.
[0072] The locating module 22 locates the controls of the information management system and then calls the tracing module 23 to start the SQL trace tool, which traces the database so that the data stream can be inspected. If the information management system is built on Windows, its controls can be divided into Windows standard controls and Windows non-standard controls. Locating standard controls is relatively simple and can be done with AutoIt. Locating non-standard controls is more involved and can be done with RanorexStudio; RanorexStudio can of course also be used to locate both the standard and the non-standard controls of the information management system at the same time.
[0073] After starting the SQL trace tool, the tracing module 23 calls the input module 24. The input module 24 inputs the SQL injection statement, which is generated from the value received by the control, and then calls the tracing module 23 to stop the SQL trace tool. In this embodiment the SQL trace tool is SQL Profiler, but any other tool that can trace the database and inspect the data stream is equally applicable to this device.
[0074] After stopping the SQL trace tool, the tracing module 23 calls the analysis module 25. The analysis module 25 analyzes the injection risk of the data stream according to the preset rules, obtains an analysis result, and then calls the notification module 26. The preset rules include:
[0075] If the SQL injection statement contains a preset high-risk SQL statement, the analysis result is a high-risk injection risk. A high-risk SQL statement is one that carries a high injection risk: it is likely to bypass the application's security measures and insert malicious SQL into a database query, potentially allowing an attacker to take complete control of the database server and seriously threatening database security;
[0076] and/or, if data belonging to the preset sensitive information is transmitted in clear text, the analysis result is a high-risk injection risk. The sensitive information may include user names, passwords and similar data. If such information is not encrypted in transit, it is likely to be leaked or maliciously intercepted, so it is likewise rated as a high injection risk.
[0077] The notification module 26 is configured to send the analysis result by e-mail to a preset mailbox. The preset mailbox can be chosen as needed, for example the mailbox of a security manager, the mailbox of system maintenance staff, or any other mailbox.
[0078] Through security injection automation monitoring, the device of this embodiment tests the security of a C/S-architecture information system with automatic execution and real-time feedback of results and without manual intervention, which greatly reduces the labor cost of testing.

Example Embodiment

[0079] Example 3
[0080] Figure 3 is a schematic structural diagram of an electronic device provided by Embodiment 3 of the present invention. The electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program it implements the method of Embodiment 1. The electronic device 40 shown in Figure 3 is only an example and should not impose any limitation on the functions or scope of application of the embodiments of the present invention.
[0081] As shown in Figure 3, the electronic device 40 may take the form of a general-purpose computing device, for example a server. The components of the electronic device 40 may include, but are not limited to, at least one processor 41, at least one memory 42, and a bus 43 connecting the different system components (including the memory 42 and the processor 41).
[0082] The bus 43 includes a data bus, an address bus and a control bus.
[0083] The memory 42 may include volatile memory, such as random access memory (RAM) 421 and/or cache memory 422, and may further include read-only memory (ROM) 423.
[0084] The memory 42 may also include programs/utilities 425 having a set (at least one) of program modules 424, including but not limited to an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
[0085] The processor 41 executes various functional applications and data processing by running the computer program stored in the memory 42, such as the method provided in Embodiment 1 of the present invention.
[0086] The electronic device 40 may also communicate with one or more external devices 44 (for example a keyboard or a pointing device). Such communication may take place through an input/output (I/O) interface 45. The electronic device 40 may also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) via a network adapter 46. As shown in Figure 3, the network adapter 46 communicates with the other modules of the electronic device 40 via the bus 43. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used together with the electronic device 40, including but not limited to microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0087] It should be noted that although several units/modules or sub-units/modules of the electronic device are mentioned in the above detailed description, this division is only exemplary and not mandatory. In fact, according to the embodiments of the present invention, the features and functions of two or more of the units/modules described above may be embodied in a single unit/module. Conversely, the features and functions of one unit/module described above may be further divided so as to be embodied by a plurality of units/modules.

