Cisco IOS-XE-oriented Web command injection vulnerability detection method

A technology of command injection and vulnerability detection, which is applied in the field of vulnerability detection, can solve the problems of inapplicability of simulation, easy false positives, and low efficiency of vulnerability detection, and achieve the effect of improving code coverage, efficiency, and vulnerability detection capabilities

Pending Publication Date: 2022-07-22
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU
View PDF0 Cites 1 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0009] Aiming at the defects and problems that the current fuzzy testing method for the vulnerability detection of IOS-XE is easy to miss, the efficiency of vulnerability detection is low, and the emulation of devices such as relying on QEMU and other simulators cannot be applied to IOS-XE, the present invention provides a method for Web Command Injection Vulnerability Detection Method of Cisco IOS-XE

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Cisco IOS-XE-oriented Web command injection vulnerability detection method
  • Cisco IOS-XE-oriented Web command injection vulnerability detection method
  • Cisco IOS-XE-oriented Web command injection vulnerability detection method

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0053] Embodiment 1: This embodiment provides a Cisco IOS-XE-oriented Web command injection vulnerability detection method. The method uses the fuzzing framework CRFuzzer for Cisco IOS-XE system Web management services to perform vulnerability detection. The CRFuzzer system structure is as follows: figure 2 shown. The method mainly includes the following:

[0054] 1. Seed generation: extract API information from front-end web requests and back-end Lua programs, and combine command injection vulnerability features to find vulnerable code segments that may have vulnerabilities, and generate initial seeds for fuzz testing;

[0055] 1.1 API information extraction

[0056] (1) Extract the API from the front-end request:

[0057] Like some existing IoT fuzzing methods, CRFuzzer extracts API information from front-end requests. During the extraction process, CRFuzzer parses and stores the request header and parameter information. The URL in the header and its structure informati...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention belongs to the technical field of vulnerability detection, and particularly relates to a Cisco IOS-XE-oriented Web command injection vulnerability detection method. The method comprises the following steps: respectively generating an initial seed from a front-end request and a rear-end Lua program, optimizing a seed generation strategy, extracting relatively complete API information from the rear-end program, then performing parameter attribute marking on the seed, and applying a variation rule to generate a test case; and then simulating the Web UI to initiate a request to the routing equipment, receiving a response, monitoring the state of the routing equipment, and restoring the test environment after each test. According to the method, hidden APIs existing in a system can be found, fragile code screening is carried out based on basic features of two command injection vulnerabilities, and the efficiency of fuzzy testing is improved.

Description

technical field [0001] The invention belongs to the technical field of vulnerability detection, and in particular relates to a method for detecting vulnerability of Web command injection oriented to Cisco IOS-XE. Background technique [0002] Code injection is a common security vulnerability in web applications and one of the main threats to network security, ranking third in the top ten network security threats released by OWASP in 2021. Among them, command injection is the use of inappropriate processing of untrusted data by an attacker to insert maliciously constructed system commands into the input, resulting in unplanned execution behavior, resulting in Denial of Service (DoS) or permission escape. Wait. Command injection vulnerabilities exist not only in web applications hosted on servers, but also in network core devices and web management services for IoT devices. [0003] Cisco IOS-XE (IOS-XE for short) is one of Cisco's new operating systems (IOS-XE, IOS-XR and N...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Applications(China)
IPC IPC(8): G06F11/36G06F21/56
CPCG06F11/3684G06F11/3664G06F11/3688G06F21/566
Inventor 刘胜利何杰蔡瑞杰杨启超尹小康刘龙陆炫廷赵方方
Owner PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap