Test method and device of web application, electronic equipment and medium
By enabling automated encryption and decryption and transparent display of plaintext in the Burp Suite plugin, the security testing problem of existing technologies being unable to visualize and edit encrypted messages is solved, thereby improving the testing efficiency and vulnerability discovery capabilities of web applications.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA FINANCIAL CERTIFICATION AUTHORITY
- Filing Date
- 2026-01-29
- Publication Date
- 2026-06-16
AI Technical Summary
Existing technologies cannot perform visual and editable security testing of encrypted messages in a single proxy tool, resulting in inefficient security testing of web applications.
This software utilizes a Burp Suite plugin to automate encryption and decryption, transparently displaying plaintext and supporting real-time tampering and replay testing. It leverages browser developer tools to obtain front-end code, analyze encryption and decryption functions and message encoding rules, and achieve automated decryption and encryption of messages.
It enables visualized and editable security testing of encrypted messages in proxy tools such as Burp Suite, improving testing efficiency and vulnerability discovery capabilities.
Smart Images

Figure CN122226314A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of web application security testing technology, and in particular to a web application testing method, apparatus, electronic device, and medium. Background Technology
[0002] In security testing, packet capture of web applications is a necessary step. However, most web applications with relatively high security levels now use application-layer encryption for data packets, meaning that packet capture by proxy tools yields ciphertext, making it impossible to directly see the specific content of the communication packets or directly tamper with them.
[0003] One existing method involves hooking JavaScript in the browser to obtain plaintext. However, this method is difficult to fuzz through data packet replay testing, and modifying the packet often requires setting breakpoints in the front-end script or modifying the hook script, resulting in low efficiency. Another existing method involves adding upstream and downstream proxies to the proxy tool for encryption and decryption, so that the data in the intermediate proxies is presented in plaintext. This method is equivalent to using a three-layer proxy for the web application, which is cumbersome to configure and impacts performance. Summary of the Invention
[0004] This invention provides a testing method, apparatus, electronic device, and medium for web applications, which addresses the shortcomings of existing technologies that cannot directly perform visual and editable security testing of encrypted messages in a single proxy tool. It achieves the technical effects of automated encryption and decryption, transparent display of plaintext, and support for real-time tampering and replay testing in proxy tools such as Burp Suite.
[0005] This invention provides a method for testing web applications, comprising: Obtain the encrypted first communication data packet between the web application and the server; Decrypt the ciphertext of the first communication data packet to obtain the plaintext of the first communication data packet; The first communication data packet is modified for security testing, and the modified first communication data packet is encrypted to obtain the second communication data packet ciphertext. Send the second encrypted communication data message to the server and receive the encrypted response communication data message from the server. The encrypted response communication data message is decrypted to obtain the second communication data message. The security test results of the web application are determined based on the second communication data packet.
[0006] In one possible implementation, the method further includes: Obtain the front-end code of the web application using browser developer tools or debugging tools; Analyze the encryption / decryption functions, key generation logic, and message construction methods in the aforementioned front-end code; By using dynamic debugging or breakpoint tracing, the encryption algorithm, decryption algorithm, and message encoding rules of the web application can be reconstructed. Based on the encryption algorithm, decryption algorithm, and message encoding rules of the web application, the target decryption algorithm, target encryption algorithm, and target message encoding rules in the Burp Suite plugin API are determined.
[0007] In one possible implementation, the method further includes: The Burp Suite plugin calls the target decryption algorithm in its API to decrypt the ciphertext of the first communication data packet, obtaining the plaintext of the first communication data packet, which is then displayed as editable in the Burp Suite agent interface.
[0008] In one possible implementation, the method further includes: The security testing modifications include at least one of parameter tampering, replay attacks, fuzzing, and logic vulnerability detection. Based on the target message encoding rules, the first communication data message is modified for security testing. By calling the target encryption algorithm in the Burp Suite API through the Burp Suite plugin, the first communication data packet text modified for security testing is encrypted to obtain the second communication data packet ciphertext. The algorithm, key and message format used in the encryption process are consistent with the encryption logic of the web application front end.
[0009] In one possible implementation, the method further includes: The Burp Suite plugin calls the target decryption algorithm in its API to decrypt the ciphertext of the response communication data packet, obtaining the second communication data packet text, which is then displayed as viewable in the Burp Suite agent interface.
[0010] In one possible implementation, the method further includes: Analyze the response status code, response time, response content, and error message of the second communication data message; Based on the response status code and the response content, determine whether the web application has at least one of the following: a logical vulnerability, an unauthorized access vulnerability, or a data tampering vulnerability. When the response time exceeds a preset threshold, it is determined that the web application has a performance abnormality or denial-of-service risk. When the second communication data message contains unexpected error information or abnormal data structure, it is determined that the web application has a security flaw.
[0011] In one possible implementation, the method further includes: Based on the encryption algorithm and message encoding rules corresponding to the web application, the second communication data message is encrypted using the response encryption method in the Burp Suite plugin to obtain the third communication data message ciphertext. The encrypted third communication data message is sent to the web application front end.
[0012] The present invention also provides a testing device for web applications, comprising the following modules: The acquisition module is used to acquire the ciphertext of the first communication data packet between the web application and the server. The decryption module is used to decrypt the ciphertext of the first communication data packet to obtain the ciphertext of the first communication data packet. The testing module is used to perform security testing on the first communication data packet text and encrypt the modified first communication data packet text to obtain the second communication data packet ciphertext. The receiving module is used to send the encrypted second communication data message to the server and receive the encrypted response communication data message from the server. The decryption module is also used to decrypt the ciphertext of the response communication data message to obtain the second communication data message. The determination module is used to determine the security test result of the web application based on the text of the second communication data packet.
[0013] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement a testing method for a Web application as described above.
[0014] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements a test method for a Web application as described above.
[0015] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements a testing method for a Web application as described above.
[0016] The present invention provides a web application testing method, apparatus, electronic device, and medium that obtains a first encrypted communication data packet between the web application and a server; decrypts the first encrypted communication data packet to obtain a first unencrypted communication data packet; modifies the first unencrypted communication data packet for security testing, and encrypts the modified first unencrypted communication data packet to obtain a second encrypted communication data packet; sends the second unencrypted communication data packet to the server and receives a response encrypted communication data packet from the server; decrypts the response encrypted communication data packet to obtain the second unencrypted communication data packet; and determines the security test result of the web application based on the second unencrypted communication data packet. Compared to the shortcomings of existing technologies that cannot directly visualize and edit encrypted packets in a single proxy tool, this solution achieves automated encryption and decryption, transparent display of plaintext, and support for real-time tampering and replay testing in proxy tools such as Burp Suite. Attached Figure Description
[0017] To more clearly illustrate the technical solutions in this invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0018] Figure 1 This is one of the flowcharts illustrating the testing method for Web applications provided by this invention.
[0019] Figure 2 This is the second flowchart illustrating the testing method for Web applications provided by this invention.
[0020] Figure 3 This is a schematic diagram of the structure of the testing device for Web applications provided by the present invention.
[0021] Figure 4 This is a schematic diagram of the structure of the electronic device provided by the present invention. Detailed Implementation
[0022] To make the objectives, technical solutions, and advantages of this invention clearer, the technical solutions of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this invention. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without creative effort are within the scope of protection of this invention.
[0023] To facilitate understanding of the embodiments of the present invention, further explanations and descriptions will be provided below with reference to the accompanying drawings and specific embodiments. These embodiments do not constitute a limitation on the embodiments of the present invention.
[0024] Figure 1 This is one of the flowcharts illustrating the testing method for web applications provided by this invention, such as... Figure 1 As shown, the method includes the following: S11. Obtain the encrypted first communication data packet between the web application and the server.
[0025] In this embodiment of the invention, the web application includes at least one of web pages, mobile apps, API interfaces, and mini-programs. A proxy tool (such as Burp Suite) is used to intercept communication traffic between the client (such as a browser or mobile application) and the server in a man-in-the-middle manner. Because the target web application has applied-layer encryption to the communication content, the obtained messages are in ciphertext form (first communication data message ciphertext), and their content cannot be directly read or parsed. The obtained ciphertext typically includes the body of HTTP / HTTPS requests and responses, and may also include some encrypted headers or parameters.
[0026] S12. Decrypt the ciphertext of the first communication data packet to obtain the ciphertext of the first communication data packet.
[0027] After obtaining the ciphertext of the first communication data packet, the ciphertext is decrypted using a decryption algorithm (such as AES, RSA, etc.) and corresponding key obtained through reverse engineering from the web application frontend. The decryption process is typically completed automatically within the Burp Suite plugin by calling the corresponding API (such as handleHttpResponseReceived or a custom decryption function). After decryption, the originally unreadable ciphertext is restored to structured plaintext data, such as JSON, XML, or form data, which can be directly displayed in a readable and editable state within the proxy tool's interface.
[0028] S13. Perform security testing on the first communication data packet text and encrypt the modified first communication data packet text to obtain the second communication data packet ciphertext.
[0029] After obtaining the plaintext, testers can modify the message content for security testing purposes, such as tampering with parameter values, inserting malicious payloads, repeatedly submitting data, or traversing parameter boundaries. After modification, the tampered plaintext must be re-encrypted using the same encryption algorithm and key as the web application frontend to generate new ciphertext (i.e., the second communication data message ciphertext). This step ensures that the message sent to the server is completely consistent with a normal request in terms of format, algorithm, and structure, thereby achieving transparent testing of encrypted communication.
[0030] S14. Send the second communication data message ciphertext to the server and receive the response communication data message ciphertext from the server.
[0031] The re-encrypted message is sent normally to the target server through the proxy tool. After receiving the message, the server will decrypt, process, and generate a response according to its own business logic and encryption mechanism. The response data is usually also encrypted, so the proxy tool still receives the ciphertext response message.
[0032] S15. Decrypt the ciphertext of the response communication data message to obtain the second communication data message.
[0033] Upon receiving the encrypted response, the same decryption algorithm and key are used again to decrypt the ciphertext, yielding a readable plaintext response. This response reflects the server's processing of the tampered request and is a crucial indicator of whether an application has security vulnerabilities.
[0034] S16. Determine the security test result of the web application based on the second communication data message.
[0035] By analyzing the decrypted response content, it's possible to determine if a web application has security vulnerabilities. Analysis dimensions may include: whether the response status code is abnormal, whether the response content contains sensitive or error information, whether business logic has been bypassed, and whether unauthorized access has occurred. For example, if modifying a user ID still allows access to others' data, it indicates an unauthorized access vulnerability; if the response contains SQL error messages, it may indicate an SQL injection risk.
[0036] The web application testing method provided by this invention involves: obtaining the encrypted first communication data packet between the web application and the server; decrypting the encrypted first communication data packet to obtain the plaintext first communication data packet; modifying the plaintext first communication data packet for security testing and encrypting the modified plaintext first communication data packet to obtain the encrypted second communication data packet; sending the encrypted second communication data packet to the server and receiving the encrypted response communication data packet from the server; decrypting the encrypted response communication data packet to obtain the plaintext second communication data packet; and determining the security test result of the web application based on the encrypted second communication data packet. Compared to the shortcomings of existing technologies that cannot directly visualize and edit encrypted packets in a single proxy tool, this solution achieves automated encryption and decryption, transparent display of plaintext, and support for real-time tampering and replay testing in proxy tools such as Burp Suite.
[0037] Figure 2This is the second flowchart illustrating the testing method for Web applications provided by this invention, as shown below. Figure 2 As shown, before conducting security testing, it is necessary to reverse engineer the front-end logic of the target web application. This can be done using browser-built-in developer tools (such as Chrome DevTools) or third-party debugging tools (such as Fiddler and Charles) to obtain the front-end JavaScript code. By analyzing the encryption and decryption functions (such as CryptoJS, Web Crypto API calls, etc.), key generation logic (such as fixed keys, dynamic key negotiation, key derivation methods, etc.), and message construction methods (such as JSON serialization, Base64 encoding, custom data concatenation, etc.), the complete encryption algorithm (such as AES-128-CBC, RSA-OAEP, etc.), decryption algorithm, and message encoding rules can be reconstructed. If necessary, dynamic debugging or setting breakpoints can be used to trace the code execution path to ensure the accuracy and completeness of the algorithm reconstruction.
[0038] Furthermore, after completing the algorithm restoration, the corresponding Burp Suite plugin is developed or configured. This plugin achieves automatic message encryption / decryption and interface control by calling relevant methods in the Burp Suite Extender API. When the proxy intercepts a request, the plugin calls the handleRequestToBeSent method to decrypt the ciphertext of the request, and displays the decrypted plaintext in Burp Suite's "Proxy → HTTP history" and sets it to editable status; Testers can directly modify request parameters in the interface. After modification, the plugin calls handleHttpRequestToBeSent or a custom encryption function to re-encrypt the modified plaintext and send it to the server. After receiving the server's response, the plugin calls the handleHttpResponseReceived method to decrypt the ciphertext of the response and displays the plaintext response in the proxy history; Furthermore, the plugin calls the handleResponseReceived method to re-encrypt the plaintext response before returning it to the client, in order to maintain the integrity and transparency of the communication.
[0039] Furthermore, after decrypting and obtaining the plaintext response from the server, its content can be observed, analyzed, and modified automatically or manually to determine if a security vulnerability exists. Specific judgment logic includes, but is not limited to: Status code analysis: If the response status code is abnormal (such as returning an error message under the 200 status code, or exposing system information under the 500 status code), there may be a logic or information leakage vulnerability. Response content comparison: Compare the differences in response content before and after the modification request. If unauthorized data, unauthorized operation results, or leakage of sensitive information are found, it is determined that there is a risk of access control or data leakage. Response time monitoring: If the response time of a certain type of request is significantly higher than the baseline value, it may indicate a denial-of-service (DoS) vulnerability or performance bottleneck. Error message identification: If the response contains sensitive information such as database errors, stack traces, and system paths, it can be determined that there is an information leakage or injection vulnerability; Business logic verification: Verify whether the business logic can be bypassed by replaying multiple times, traversing parameters, and performing boundary value tests, such as order amount tampering or unauthorized access.
[0040] Verification mechanism bypass: By modifying data related to verification status, user identity, etc., attempts can be made to verify whether the verification mechanism can be bypassed, such as SMS verification code bypass or identity theft.
[0041] Based on the above analysis results, the system can automatically generate or the testers can compile and output a security test report. The report content may include: Vulnerability types (such as unauthorized access, SQL injection, logical flaws, etc.); Vulnerability levels (high, medium, low); Scope of impact (functional modules, user groups); Reproducing steps (request message, parameter modification, expected and actual response); Recommended fixes (code hardening, input validation, access control, etc.).
[0042] Through the above-described refined process, this invention achieves automated, visual, and editable security testing of encrypted communication web applications, significantly improving testing efficiency and vulnerability discovery capabilities.
[0043] The testing apparatus for web applications provided by the present invention will be described below. The testing apparatus for web applications described below can be referred to in correspondence with the testing method for web applications described above.
[0044] Figure 3 This is a schematic diagram of the structure of the web application testing device provided by the present invention, specifically including: The acquisition module 301 is used to acquire the encrypted first communication data packet between the web application and the server. For detailed explanations, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0045] The decryption module 302 is used to decrypt the ciphertext of the first communication data packet to obtain the plaintext of the first communication data packet. For detailed explanation, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0046] The test module 303 is used to perform security testing modifications on the first communication data packet text, and encrypt the modified first communication data packet text to obtain the second communication data packet ciphertext. For detailed explanations, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0047] The receiving module 304 is used to send the encrypted second communication data packet to the server and receive the encrypted response communication data packet from the server. For detailed explanations, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0048] The decryption module 302 is further configured to decrypt the ciphertext of the response communication data packet to obtain the second communication data packet text. For detailed explanations, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0049] The determining module 305 is used to determine the security test result of the web application based on the text of the second communication data packet. For detailed explanation, please refer to the relevant descriptions in the above method embodiments; they will not be repeated here.
[0050] Figure 4 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 4 As shown, the electronic device may include: a processor 410, a communications interface 420, a memory 430, and a communication bus 440, wherein the processor 410, the communications interface 420, and the memory 430 communicate with each other through the communication bus 440. The processor 410 can call logical instructions in the memory 430 to execute a test method for a web application. This method includes: obtaining a first encrypted communication data packet between the web application and the server; decrypting the first encrypted communication data packet to obtain a first encrypted communication data packet; modifying the first encrypted communication data packet for security testing and encrypting the modified first encrypted communication data packet to obtain a second encrypted communication data packet; sending the second encrypted communication data packet to the server and receiving a response encrypted communication data packet from the server; decrypting the response encrypted communication data packet to obtain the second encrypted communication data packet; and determining the security test result of the web application based on the second encrypted communication data packet.
[0051] Furthermore, the logical instructions in the aforementioned memory 430 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0052] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the web application testing method provided by the above methods. The method includes: obtaining a first communication data packet ciphertext between the web application and the server; decrypting the first communication data packet ciphertext to obtain a first communication data packet plaintext; modifying the first communication data packet plaintext for security testing and encrypting the modified first communication data packet plaintext to obtain a second communication data packet ciphertext; sending the second communication data packet ciphertext to the server and receiving a response communication data packet ciphertext from the server; decrypting the response communication data packet ciphertext to obtain the second communication data packet plaintext; and determining the security test result of the web application based on the second communication data packet plaintext.
[0053] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon. When executed by a processor, the computer program implements a testing method for a web application provided by the methods described above. This method includes: obtaining a first encrypted communication data packet between the web application and a server; decrypting the first encrypted communication data packet to obtain a first encrypted communication data packet; modifying the first encrypted communication data packet for security testing and encrypting the modified first encrypted communication data packet to obtain a second encrypted communication data packet; sending the second encrypted communication data packet to the server and receiving a response encrypted communication data packet from the server; decrypting the response encrypted communication data packet to obtain the second encrypted communication data packet; and determining the security test result of the web application based on the second encrypted communication data packet.
[0054] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0055] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0056] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A testing method for a web application, characterized in that, include: Obtain the encrypted first communication data packet between the web application and the server; Decrypt the ciphertext of the first communication data packet to obtain the plaintext of the first communication data packet; The first communication data packet is modified for security testing, and the modified first communication data packet is encrypted to obtain the second communication data packet ciphertext. Send the second encrypted communication data message to the server and receive the encrypted response communication data message from the server. The encrypted response communication data message is decrypted to obtain the second communication data message. The security test results of the web application are determined based on the second communication data packet.
2. The method according to claim 1, characterized in that, Before obtaining the ciphertext of the first communication data packet between the web application and the server, the following steps are included: Obtain the front-end code of the web application using browser developer tools or debugging tools; Analyze the encryption / decryption functions, key generation logic, and message construction methods in the aforementioned front-end code; By using dynamic debugging or breakpoint tracing, the encryption algorithm, decryption algorithm, and message encoding rules of the web application can be reconstructed. Based on the encryption algorithm, decryption algorithm, and message encoding rules of the web application, the target decryption algorithm, target encryption algorithm, and target message encoding rules in the Burp Suite plugin API are determined.
3. The method according to claim 1 or 2, characterized in that, The step of decrypting the ciphertext of the first communication data packet to obtain the ciphertext of the first communication data packet includes: The Burp Suite plugin calls the target decryption algorithm in its API to decrypt the ciphertext of the first communication data packet, obtaining the plaintext of the first communication data packet, which is then displayed as editable in the Burp Suite agent interface.
4. The method according to claim 3, characterized in that, The security testing modifications include at least one of parameter tampering, replay attacks, fuzzing, and logic vulnerability detection. The step of performing security testing and modification on the first communication data packet, and encrypting the modified first communication data packet to obtain the second communication data packet ciphertext, includes: Based on the target message encoding rules, the first communication data message is modified for security testing. By calling the target encryption algorithm in the Burp Suite API through the Burp Suite plugin, the first communication data packet text modified for security testing is encrypted to obtain the second communication data packet ciphertext. The algorithm, key and message format used in the encryption process are consistent with the encryption logic of the web application front end.
5. The method according to claim 4, characterized in that, The step of decrypting the ciphertext of the response communication data message to obtain the second communication data message includes: The Burp Suite plugin calls the target decryption algorithm in its API to decrypt the ciphertext of the response communication data packet, obtaining the second communication data packet text, which is then displayed as viewable in the Burp Suite agent interface.
6. The method according to claim 1, characterized in that, The step of determining the security test result of the web application based on the second communication data packet text includes: Analyze the response status code, response time, response content, and error message of the second communication data message; Based on the response status code and the response content, determine whether the web application has at least one of the following: a logical vulnerability, an unauthorized access vulnerability, or a data tampering vulnerability. When the response time exceeds a preset threshold, it is determined that the web application has a performance abnormality or denial-of-service risk. When the second communication data message contains unexpected error information or abnormal data structure, it is determined that the web application has a security flaw.
7. The method according to claim 1, characterized in that, The method further includes: Based on the encryption algorithm and message encoding rules corresponding to the web application, the second communication data message is encrypted using the response encryption method in the Burp Suite plugin to obtain the third communication data message ciphertext. The encrypted third communication data message is sent to the web application front end.
8. A testing device for a web application, characterized in that, include: The acquisition module is used to acquire the ciphertext of the first communication data packet between the web application and the server. The decryption module is used to decrypt the ciphertext of the first communication data packet to obtain the ciphertext of the first communication data packet. The testing module is used to perform security testing on the first communication data packet text and encrypt the modified first communication data packet text to obtain the second communication data packet ciphertext. The receiving module is used to send the encrypted second communication data message to the server and receive the encrypted response communication data message from the server. The decryption module is also used to decrypt the ciphertext of the response communication data message to obtain the second communication data message. The determination module is used to determine the security test result of the web application based on the text of the second communication data packet.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and running on the processor, characterized in that, When the processor executes the computer program, it implements the testing method for the Web application as described in any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the testing method for the Web application as described in any one of claims 1 to 7.