CN103116543B - Web application security detection method combining white-box and black-box testing - Google Patents

Web application security detection method combining white-box and black-box testing

Info

Publication number: CN103116543B
Authority: CN (China)
Prior art keywords: web application, black, white, box testing, file
Legal status: Active
Application number: CN201310028848.0A
Other languages: Chinese (zh)
Other versions: CN103116543A (en)
Inventors: 范杰, 石聪聪, 余勇, 郭骞, 高鹏, 俞庚申, 蒋诚智, 冯谷
Current assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Global Energy Interconnection Research Institute
Original assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI
Priority date: 2013-01-25
Filing date: 2013-01-25
Publication date: 2015-11-18
Application filed by State Grid Corp of China SGCC and China Electric Power Research Institute Co Ltd CEPRI
Priority to CN201310028848.0A
Publication of CN103116543A
Application granted
Publication of CN103116543B

Abstract

The invention provides a Web application security detection method that combines white-box and black-box testing, comprising the steps of: (1) performing white-box testing on the Web application system; (2) performing black-box testing on the Web application system; (3) performing file association by K; (4) performing file search by S; (5) performing the overall combined test. The method solves the problems that white-box testing of a Web application system has a high false positive rate and that black-box testing cannot locate the vulnerability's position in the source code.

Description

Web application security detection method combining white-box and black-box testing
Technical field
The invention belongs to the field of information security and relates in particular to a Web application security detection method that combines white-box and black-box testing.
Background technology
The continuous innovation of Internet applications has promoted social progress and the development of human civilization, and has become one of the main driving forces of current social development. At the same time, information and network security face difficult problems never seen before; the challenges in the field of network security grow ever more serious, and network security problems receive increasing attention.
In the usual sense, the biggest threat to network security is vulnerabilities in Web applications. Current Web application vulnerability detection is divided mainly into two large classes: black-box testing and white-box testing.
Black-box testing is testing carried out mainly while the Web application is running. Its detection depends on the external environment and on test cases, so it has a certain uncertainty, but it has the advantage of a low false positive rate. When testing the everyday functions of a Web application, security testing based on black-box testing mainly needs to pay attention to the following types of security problems in Web platform tests.
XSS (cross-site scripting). XSS, also written CSS, is the English abbreviation of Cross Site Script; its Chinese name means cross-site scripting attack. It refers to a malicious attacker inserting malicious HTML code into a page of the Web application system; when a user browses that page, the HTML code embedded in it is executed, thereby achieving the malicious user's specific purpose.
SQL injection. The code of a Web application system often fails to verify the legitimacy of user input data, which gives a malicious user an opportunity: the user can submit database statement fragments and, from the results the program returns or even from its error messages, obtain useful data such as database information. This is called SQL injection.
Server-side interaction security problems. The general cause of this class of problem is likewise that user input is not filtered; through such a vulnerability an attacker can execute arbitrary system commands on the server side and damage the Web application system.
White-box testing refers mainly to static source code analysis: the Web application source code is analysed line by line using lexical analysis, data-flow analysis, control-flow analysis and other analyses to find security defects in the code. It avoids the deficiencies above, but has the disadvantage of a higher false positive rate.
Data-flow analysis is a technique used at compile time: it collects program semantic information from the program code and determines, by algebraic methods, the definition and use of variables at compile time. Data-flow analysis is used for problems such as compiler optimisation, program verification, debugging, testing, parallelisation, vectorisation and serial programming environments.
The basic approach of control-flow analysis is to identify the basic blocks of a procedure, construct a directed graph reflecting the program's control flow, and analyse this graph to obtain control-structure information. Control-flow analysis is therefore built on two basic entities: basic blocks and the control-flow graph.
Lexical analysis here refers not only to the lexical analysis performed in a compiler but also includes simple syntactic and semantic analysis. The code is lexically analysed, the content of interest is extracted according to a feature database, a simple contextual analysis is performed, and a warning is raised at the problematic position. The feature database mainly contains functions that can cause security problems, such as gets, strcpy and printf/sprintf/snprintf. For different target functions, lexical analysis analyses the different parameters passed in calls to the dangerous function.
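As an added example (not code from the patent), the following Python scanner shows the lexical-analysis approach just described: a feature database of dangerous functions, each with the index of the parameter to analyse, a tokenizer that extracts call arguments, and a simple contextual check (is the format argument a string literal?) that decides whether to warn. The feature database contents, the two rules and the sample C fragment are all constructed assumptions.

```python
import re
# Constructed feature database (an assumption, not the patent's): dangerous function ->
# (index of the parameter to analyse, rule); "format_literal" warns only if that parameter
# is not a string literal, "always" warns on every call.
FEATURE_DB = {
    "gets": (0, "always"), "strcpy": (1, "always"),
    "printf": (0, "format_literal"), "sprintf": (1, "format_literal"),
    "snprintf": (2, "format_literal"),
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")  # lexical token: identifier followed by '('

def split_args(text, start):
    """Argument list of the call whose '(' is at text[start]; honours nesting and "..." literals."""
    depth, args, cur, in_str, i = 0, [], "", False, start
    while i < len(text):
        ch = text[i]
        if in_str:                          # inside "...": copy verbatim, keep \" escapes
            cur += ch
            if ch == "\\" and i + 1 < len(text):
                cur, i = cur + text[i + 1], i + 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str, cur = True, cur + ch
        elif ch == "(":
            depth += 1
            cur += ch if depth > 1 else ""  # keep parens of nested calls like sizeof(buf)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return args + [cur.strip()]
            cur += ch
        elif ch == "," and depth == 1:      # top-level argument separator
            args, cur = args + [cur.strip()], ""
        else:
            cur += ch
        i += 1
    return args                             # unterminated call: best effort

def scan_source(src):
    """Simple contextual analysis: inspect the parameter FEATURE_DB names for each dangerous call."""
    warnings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name not in FEATURE_DB:
                continue
            idx, rule = FEATURE_DB[name]
            args = split_args(line, m.end() - 1)
            if rule == "always":
                warnings.append((lineno, name, f"unbounded call to {name}"))
            elif idx < len(args) and not args[idx].startswith('"'):
                warnings.append((lineno, name, f"non-literal format string: {args[idx]}"))
    return warnings

# Constructed C fragment used as sample input (line numbers start at 1).
SAMPLE_C = """\
void greet(char *name) {
    char buf[64];
    gets(buf);                              /* unbounded read */
    strcpy(buf, name);                      /* unbounded copy */
    printf(name);                           /* variable format string */
    snprintf(buf, sizeof(buf), "%s", name); /* literal format: fine */
}
"""
```

Running `scan_source(SAMPLE_C)` flags lines 3, 4 and 5 and leaves the snprintf call alone because its third argument is a literal.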
Summary of the invention
To overcome the defects above, the invention provides a Web application security detection method combining white-box and black-box testing, which solves the problems that white-box testing of a Web application system has a high false positive rate and that black-box testing cannot locate the vulnerability's position in the source code.
To achieve the above object, the invention provides a Web application security detection method combining white-box and black-box testing; its improvement lies in that the method comprises the steps:
(1). performing white-box testing on the Web application system;
(2). performing black-box testing on the Web application system;
(3). performing file association by K;
(4). performing file search by S;
(5). performing the overall combined test.
In a preferred technical scheme provided by the invention, in step 1, W is deployed to obtain WS, where DUT is the object under test.
In a second preferred technical scheme provided by the invention, in step 2, B is deployed to obtain BS, where DUT is the object under test.
In a third preferred technical scheme provided by the invention, in step 3, K is used to associate WS-nF with PF, obtaining KF.
In a fourth preferred technical scheme provided by the invention, in step 4, S is used to search for the file BS-nF in KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
In a fifth preferred technical scheme provided by the invention, step 5 comprises the steps:
(5-1). deploy DUT, scan DUT with W to obtain WS, and scan DUT with B to obtain BS;
(5-2). take a WS-n from WS and use K to perform file association between its file WS-nF and PF, obtaining KF;
(5-3). take a BS-n from BS and use S to search KF for its file BS-nF, obtaining the result F; F determines whether the whole process succeeded.
Compared with the prior art, the Web application security detection method combining white-box and black-box testing provided by the invention, through a defined testing process and the introduction of the file association matching technique K, realises combined white-box and black-box testing of a Web application system and solves the problems that white-box testing of a Web application system has a high false positive rate and that black-box testing cannot locate the vulnerability's position in the source code.
Description of the drawings
Fig. 1 is the logic diagram of direct detection by W.
Fig. 2 is the logic diagram of direct detection by B.
Fig. 3 is the result model diagram of direct detection by W.
Fig. 4 is the result model diagram of direct detection by B.
Fig. 5 is the process model diagram of associating WS-nF with PF by K.
Fig. 6 is the flow model diagram of searching for the file BS-nF in KF using S.
Fig. 7 is the flow chart of the Web application security detection method combining white-box and black-box testing.
Embodiment
The symbols are defined as follows:
W: white-box testing.
WT: the set of techniques used by white-box testing; a particular technique in it is denoted WT-n (n=1,2,3...).
B: black-box testing.
P: testing process.
DUT: the target Web application system under test.
C: Web application system source code.
PF: the set of Web application system source code files; a particular file in it is denoted PF-n (n=1,2,3...).
WS: the result set of white-box testing; a particular result in it is denoted WS-n (n=1,2,3...).
BS: the result set of black-box testing; a particular result in it is denoted BS-n (n=1,2,3...).
LS: vulnerability set; a particular vulnerability in it is denoted LS-n (n=1,2,3...).
WS-nF: the file in which a given vulnerability in the white-box testing result is located.
BS-nF: the file in which a given vulnerability in the black-box testing result is located; this vulnerability is of the same type as that of WS-nF.
K: file association matching technique, the key technique that associates white-box and black-box test results in order to locate a black-box test result in the source code files.
KF: the association set found by K; a particular result in it is denoted KF-n (n=1,2,3...).
S: file search technique.
F: flag indicating whether S found BS-nF in KF.
As shown in Figure 7, the Web application security detection method combining white-box and black-box testing comprises the steps:
(1). performing white-box testing on the Web application system;
(2). performing black-box testing on the Web application system;
(3). performing file association by K;
(4). performing file search by S;
(5). performing the overall combined test.
In step 1, W is deployed to obtain WS, where DUT is the object under test.
In step 2, B is deployed to obtain BS, where DUT is the object under test.
In step 3, K is used to associate WS-nF with PF, obtaining KF.
In step 4, S is used to search for the file BS-nF in KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
Step 5 comprises the steps:
(5-1). deploy DUT, scan DUT with W to obtain WS, and scan DUT with B to obtain BS;
(5-2). take a WS-n from WS and use K to perform file association between its file WS-nF and PF, obtaining KF;
(5-3). take a BS-n from BS and use S to search KF for its file BS-nF, obtaining the result F; F determines whether the whole process succeeded.
The combined white-box and black-box Web application security detection method is further explained by the following embodiment.
The main processing flow of applying the combined white-box and black-box testing technique to a Web application system is:
White-box testing of the Web application system
Following the design structure of the direct-detection model of W in Fig. 1, W is deployed to obtain WS, where DUT is the object under test.
Black-box testing of the Web application system
Following the design structure of the direct-detection model of B in Fig. 2, B is deployed to obtain BS, where DUT is the object under test.
File association by K
Following the basic file association model of Fig. 5, K is used to associate WS-nF with PF, obtaining KF.
File search by S
Following the basic file search model of Fig. 6, S is used to search for the file BS-nF in KF, the result of associating WS-nF with PF, and F indicates whether the whole process succeeded.
Overall combined test
Following the structure of Fig. 7, DUT is deployed; first W is used to scan DUT to obtain WS and B is used to scan DUT to obtain BS; then a WS-n is taken from WS and K is used to perform file association between its file WS-nF and PF to obtain KF; finally a BS-n is taken from BS and S is used to search KF for its file BS-nF, yielding the result F, and F determines whether the whole process succeeded.
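As an added illustration, not code from the patent, the following Python sketch models the K and S steps of the overall combined test on constructed data: each white-box result WS-n carries a source file WS-nF, each black-box result BS-n carries only a request path, K associates WS-nF with the source file set PF by matching trailing path components, and S derives BS-nF from the request path and looks it up in KF, requiring the same vulnerability type. The dataclass names, the sample file set and the sample findings are all assumptions.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class WhiteBoxResult:          # WS-n: static-analysis finding; .file is WS-nF
    id: str
    vuln_type: str
    file: str
    line: int

@dataclass(frozen=True)
class BlackBoxResult:          # BS-n: dynamic-scan finding, known only by request path
    id: str
    vuln_type: str
    url_path: str
    param: str

# Constructed sample data (assumptions, not from the patent).
PF = ["app/login.php", "app/search.php", "app/lib/db.php", "app/profile.php"]  # source files
WS = [
    WhiteBoxResult("WS-1", "sqli", "app/login.php", 42),
    WhiteBoxResult("WS-2", "xss", "app/search.php", 17),
    WhiteBoxResult("WS-3", "sqli", "lib/db.php", 88),       # tool reported a partial path
    WhiteBoxResult("WS-4", "xss", "app/profile.php", 9),
]
BS = [
    BlackBoxResult("BS-1", "sqli", "/login.php", "user"),
    BlackBoxResult("BS-2", "xss", "/search.php", "q"),
    BlackBoxResult("BS-3", "sqli", "/admin/export.php", "id"),  # no matching source file
]

def associate_files(ws, pf):
    """K: associate WS-nF with the source file set PF. A white-box tool may report a
    partial or differently rooted path, so match on the trailing path components."""
    parts = PurePosixPath(ws.file).parts
    files = {p for p in pf if PurePosixPath(p).parts[-len(parts):] == parts}
    return {"ws": ws, "files": files}                      # one KF-n entry

def search_black_box_file(bs, kf):
    """S: derive BS-nF from the request path and look it up in KF, requiring the same
    vulnerability type as the white-box finding. Returns (F, matching KF entries)."""
    target = PurePosixPath(bs.url_path).name
    hits = [e for e in kf
            if e["ws"].vuln_type == bs.vuln_type
            and any(PurePosixPath(f).name == target for f in e["files"])]
    return bool(hits), hits

def combined_test(ws_results, bs_results, pf):
    """Steps (5-1)..(5-3): build KF from every WS-n, then search each BS-nF in KF.
    Findings seen by both sides are confirmed and located in source; white-box-only
    findings are candidate false positives; black-box-only findings stay unlocated."""
    kf = [associate_files(ws, pf) for ws in ws_results]
    confirmed, unlocated, matched = [], [], set()
    for bs in bs_results:
        found, hits = search_black_box_file(bs, kf)
        if not found:
            unlocated.append(bs.id)
            continue
        for e in hits:
            confirmed.append((bs.id, e["ws"].id, sorted(e["files"])[0], e["ws"].line))
            matched.add(e["ws"].id)
    suspect = [ws.id for ws in ws_results if ws.id not in matched]
    return {"confirmed": confirmed, "black_box_unlocated": unlocated,
            "white_box_suspect": suspect}
```

On the sample data, BS-1 and BS-2 are confirmed and mapped to app/login.php:42 and app/search.php:17, WS-3 and WS-4 remain white-box-only candidates for review, and BS-3 cannot be located because no white-box result points at a matching file.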
It should be understood that the content and embodiments of the invention are intended to demonstrate the practical application of the technical scheme provided by the invention and should not be construed as limiting the scope of the invention. Those skilled in the art, inspired by the spirit and principles of the invention, may make various modifications, equivalent replacements or improvements; such changes or modifications all fall within the protection scope of the pending application.

Claims (1)

1. A Web application security detection method combining white-box and black-box testing, characterised in that the method comprises the steps:
(1). deploy DUT, scan DUT with W to obtain WS, and scan DUT with B to obtain BS;
(2). take a WS-n from WS and use K to perform file association between its file WS-nF and PF, obtaining KF;
(3). take a BS-n from BS and use S to search KF for its file BS-nF, obtaining the result F; F determines whether the whole process succeeded;
the symbols being defined as follows:
W: white-box testing;
B: black-box testing;
DUT: the target Web application system under test;
PF: the set of Web application system source code files; a particular file in it is denoted PF-n, n=1,2,3...;
WS: the result set of white-box testing; a particular result in it is denoted WS-n, n=1,2,3...;
BS: the result set of black-box testing; a particular result in it is denoted BS-n, n=1,2,3...;
WS-nF: the file in which a given vulnerability in the white-box testing result is located;
BS-nF: the file in which a given vulnerability in the black-box testing result is located; this vulnerability is of the same type as that of WS-nF;
K: file association matching technique, the key technique that associates white-box and black-box test results in order to locate a black-box test result in the source code files;
KF: the association set found by K; a particular result in it is denoted KF-n, n=1,2,3...;
S: file search technique;
F: flag indicating whether S found BS-nF in KF.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310028848.0A (CN103116543B) | 2013-01-25 | 2013-01-25 | Web application security detection method combining white-box and black-box testing

Publications (2)

Publication Number | Publication Date
CN103116543A | 2013-05-22
CN103116543B (granted) | 2015-11-18

Family ID: 48414923

Country Status (1)

CN: CN103116543B, Active

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104346573A (en) * 2013-07-31 2015-02-11 广州市品高软件开发有限公司 Method and device for realizing WEB application system information security frame
CN110119616B (en) * 2019-04-18 2021-05-28 广州市品高软件股份有限公司 WEB application security protection system
CN110162980B (en) * 2019-05-31 2023-04-18 上交所技术有限责任公司 One-stop safety testing and managing method in software development process

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6249882B1 (en) * 1998-06-15 2001-06-19 Hewlett-Packard Company Methods and systems for automated software testing
CN101241467A (en) * 2008-03-05 2008-08-13 罗笑南 Automatized white box test system and method facing to WEB application


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Design and implementation of a WEB security testing tool based on the AHP algorithm"; Xiang Ying (项颖); China Master's Theses Full-text Database, Information Science and Technology; 20120215 (No. 2); pp. 22-45 *

Also Published As

Publication number Publication date
CN103116543A (en) 2013-05-22

Legal Events

Code | Title | Description
C06 / PB01 | Publication
C10 / SE01 | Entry into substantive examination | Entry into force of request for substantive examination
C14 / GR01 | Grant of patent or utility model | Patent grant
C41 / TR01 | Transfer of patent application or patent right or utility model | Transfer of patent right
  Effective date of registration: 20160427
  Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
  Patentees after: China Electric Power Research Institute; State Grid Smart Grid Institute; State Grid Corporation of China
  Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
  Patentees before: China Electric Power Research Institute; State Grid Corporation of China
C56 / CP01 | Change in the name or address of the patentee | Change in the name or title of a patent holder
  Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
  Patentees after: China Electric Power Research Institute; GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE; State Grid Corporation of China
  Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15
  Patentees before: China Electric Power Research Institute; State Grid Smart Grid Institute; State Grid Corporation of China