CN108696490A - The recognition methods of account permission and device - Google Patents
- Publication number: CN108696490A (application CN201710234539.7A)
- Authority: CN (China)
- Prior art keywords: account, website, tested, authority, response content
- Legal status: Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/1433—Vulnerability analysis
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/40—Network security protocols
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Abstract
An embodiment of the present invention discloses a method for identifying account permissions, comprising: logging in to a website under test with a first account and obtaining first login-state information of the first account; obtaining a preset scan rule, the scan rule including a test address of the website under test and a target account attribute type; modifying the first login-state information according to the attribute value of a second account under the target account attribute type to obtain second login-state information; accessing the website under test using the second login-state information and receiving first response content sent by the website under test; obtaining feature information of the first response content according to the matching rule defined in the scan rule, and determining from the feature information and the matching rule whether the first account has exceeded its authority. An embodiment of the present invention further discloses a device for identifying account permissions. Using the embodiments of the present invention improves the efficiency of detecting account privilege violations.
Description
Technical Field
The present invention relates to the field of Internet technology, and in particular to a method and device for identifying account permissions.
Background
With the continuous development of Internet technology, more and more applications and functions are implemented over the Internet, which means that vulnerabilities in Internet systems that may expose user data or cause other security problems should be avoided as far as possible. Among the Internet vulnerabilities that exist today, the privilege-violation vulnerability (越权漏洞) is an important one that cannot be ignored.
A privilege-violation vulnerability means that a website divides permissions so loosely that user A can, by some method or means, reach user B's permission domain and thereby steal, modify, add or delete information or perform other sensitive operations. For example, when a web page is accessed through a URL (Uniform Resource Locator), a design flaw in the web application combined with guessable URL parameters means that changing an input parameter value can result in horizontal privilege escalation and expose another person's private information.
Because once a privilege-violation vulnerability exists an attacker can impersonate other people to perform transactions, make payments, change passwords, obtain others' private information and so on, posing a great risk to users' account security, the website under test must be checked for such vulnerabilities during the testing stage. In the common detection methods in use today, privilege-violation vulnerabilities are detected mainly through manual penetration testing: professional penetration testers identify the permissions of the website's different account systems and use technical means to check whether the website really distinguishes the permissions of different users effectively. Relying entirely on manual permission identification across account systems is not only inefficient and costly in manpower and resources, it also cannot guarantee that every account within the test scope is covered, that is, it cannot guarantee that all vulnerabilities are found.
In summary, existing detection methods for privilege-violation vulnerabilities suffer from low detection efficiency, because manual detection is time-consuming and vulnerability detection is incomplete.
Summary of the Invention
Based on this, in order to solve the technical problem in the prior art that detection methods for privilege-violation vulnerabilities are inefficient because manual detection is time-consuming and vulnerability detection is incomplete, a method for identifying account permissions is proposed.
A method for identifying account permissions, comprising:
logging in to a website under test with a first account and obtaining first login-state information of the first account;
obtaining a preset scan rule, the scan rule including a test address of the website under test and a target account attribute type;
modifying the first login-state information according to the attribute value of a second account under the target account attribute type to obtain second login-state information;
accessing the website under test using the second login-state information and receiving first response content sent by the website under test;
obtaining feature information of the first response content according to the matching rule defined in the scan rule, and determining from the feature information and the matching rule whether the first account has exceeded its authority.
Optionally, in one embodiment, after obtaining the first login-state information of the first account, the method further comprises: accessing the website under test using the login-state information of the first account and receiving second response content sent by the website under test; and, when the second response content contains the feature information of the first account, performing the step of obtaining the preset scan rule.
Optionally, in one embodiment, determining from the feature information and the matching rule whether the first account has exceeded its authority comprises: when the feature information of the second response content matches the first account, determining that the first account has not exceeded its authority; when the feature information of the second response content matches the second account, determining that the first account has exceeded its authority.
Optionally, in one embodiment, after receiving the second response content sent by the website under test, the method further comprises: when the second response content does not contain the feature information of the first account, determining that the test address of the website under test does not provide an account-permission identification function, and switching the test address of the website under test.
Optionally, in one embodiment, the login-state information is a UIN code, a cookie or a session ID.
In addition, in order to solve the technical problem in the prior art that detection methods for privilege-violation vulnerabilities are inefficient because manual detection is time-consuming and vulnerability detection is incomplete, a device for identifying account permissions is also proposed.
A device for identifying account permissions, comprising:
a login-state information acquisition module, configured to log in to a website under test with a first account and obtain first login-state information of the first account;
a scan rule acquisition module, configured to obtain a preset scan rule, the scan rule including a test address of the website under test and a target account attribute type;
a login-state information modification module, configured to modify the first login-state information according to the attribute value of a second account under the target account attribute type to obtain second login-state information;
a response content receiving module, configured to access the website under test using the second login-state information and receive first response content sent by the website under test;
a privilege-violation judging module, configured to obtain feature information of the first response content according to the matching rule defined in the scan rule, and to determine from the feature information and the matching rule whether the first account has exceeded its authority.
Optionally, in one embodiment, the device further comprises a test website detection module, configured to access the website under test using the login-state information of the first account and receive second response content sent by the website under test, and to invoke the scan rule acquisition module when the second response content contains the feature information of the first account.
Optionally, in one embodiment, the privilege-violation judging module is further configured to determine that the first account has not exceeded its authority when the feature information of the second response content matches the first account, and to determine that the first account has exceeded its authority when the feature information of the second response content matches the second account.
Optionally, in one embodiment, the test website detection module is further configured to determine, when the second response content does not contain the feature information of the first account, that the test address of the website under test does not provide an account-permission identification function, and to switch the test address of the website under test.
Optionally, in one embodiment, the login-state information is a UIN code, a cookie or a session ID.
In addition, in order to solve the technical problem in the prior art that detection methods for privilege-violation vulnerabilities are inefficient because manual detection is time-consuming and vulnerability detection is incomplete, a computer-readable storage medium is also proposed, which stores instructions that, when run on a computer, cause the computer to perform the above method for identifying account permissions.
Implementing the embodiments of the present invention has the following beneficial effects:
With the above method and device for identifying account permissions, when a website under test must be checked for account privilege-violation vulnerabilities, the identity information in the login-state information of the first account can be replaced, according to a preset scan rule, with the identity information of the second account; data is then requested from the website under test, and the matching rule defined in the scan rule is used to judge from the account feature information contained in the returned data whether a privilege violation has occurred. In other words, with the embodiments of the present invention a tester no longer needs to compare and modify the account's identity parameters by hand: according to the target account attribute type specified in the scan rule, the first account's attribute value under that type is automatically replaced with the second account's attribute value. The tester therefore only needs to define the target account attribute type in the scan rule for the check for privilege-violation vulnerabilities to complete automatically, which reduces the time spent on privilege-violation detection and improves its efficiency.
Brief Description of the Drawings
In order to illustrate the technical solutions in the embodiments of the present invention or the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
In the drawings:
Fig. 1 is a schematic flowchart of a method for identifying account permissions in one embodiment;
Fig. 2 is a schematic diagram of data transmission between the modules of a terminal that implements the method for identifying account permissions in one embodiment;
Fig. 3 is a schematic flowchart of a prior-art method for identifying account permissions;
Fig. 4 is a schematic flowchart of a method for identifying account permissions in one embodiment;
Fig. 5 is a schematic structural diagram of a device for identifying account permissions in one embodiment;
Fig. 6 is a schematic structural diagram of a computer device that runs the above method for identifying account permissions in one embodiment.
具体实施方式Detailed ways
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.
为解决现有技术中的越权漏洞的检测方法因为人工检测导致耗时长、漏洞的检测不完全而存在检测的效率低下的技术问题,在本实施例中,特提出了一种账号权限的识别方法,该方法的实现可依赖于计算机程序,该计算机程序可运行于基于冯诺依曼体系的计算机系统之上,该计算机程序可以是账号越权漏洞的检测应用程序。该计算机系统可以是运行上述计算机程序的例如智能手机、平板电脑、个人电脑等服务器或终端。In order to solve the technical problem of low detection efficiency due to the time-consuming manual detection and incomplete detection of vulnerabilities in the detection method of unauthorized vulnerabilities in the prior art, in this embodiment, a method for identifying account permissions is proposed. The implementation of the method may depend on a computer program, which may run on a computer system based on the Von Neumann architecture, and the computer program may be an application program for detecting account unauthorized vulnerabilities. The computer system may be a server or a terminal such as a smart phone, a tablet computer, or a personal computer running the above-mentioned computer program.
具体的,如图1所示,上述账号权限的识别方法包括如下步骤S102-S110:Specifically, as shown in FIG. 1, the identification method of the above-mentioned account authority includes the following steps S102-S110:
步骤S102:在待测网站上登录第一账号,获取第一账号的第一登录态信息。Step S102: Log in the first account on the website to be tested, and obtain the first login state information of the first account.
账号越权的检测是针对某一个网站进行的,即待测网站。在本实施例中,需要对某一个包含了多个账号的网站进行越权漏洞检测时,该网站即为待测网站。The detection of account unauthorized is carried out for a certain website, that is, the website to be tested. In this embodiment, when a website containing multiple accounts needs to be detected for an unauthorized vulnerability, the website is the website to be tested.
在本实施例中,需要对某一个账号是否存在账号越权的现象进行检测,该账号即为第一账号。需要说明的是,在实施例中,若需要对网站上所包含的所有的账号是否存在账号越权的漏洞时,可以遍历所有的账号,并针对遍历到的每一个账号执行步骤S102-S110。In this embodiment, it is necessary to detect whether there is an account unauthorized phenomenon in a certain account, and this account is the first account. It should be noted that, in the embodiment, if it is necessary to check whether there is a loophole of account unauthorized access for all accounts included in the website, all accounts can be traversed, and steps S102-S110 can be executed for each traversed account.
账号A是否越权是指在待测网站上,A用户是否可以通过某些方法或手段访问到B用户的权限控制体系,或者对于B用户的信息进行敬爱、删减、添加等操作。在本实施例中,即判断第一账号下是否可以访问第二账号下的相关数据。Whether account A exceeds authority refers to whether user A can access the authority control system of user B through certain methods or means on the website to be tested, or perform operations such as respecting, deleting, and adding information on user B. In this embodiment, it is judged whether the relevant data under the second account can be accessed under the first account.
首先在待测网站上,通过第一账号对应的账号、密码等身份验证信息来登录待测网站,也就是说,在终端的APP或者浏览器访问待测网站是通过登录的第一账号的身份信息进行访问的,也就是说,用户当前是否具备访问某一个数据的权限或者用户当前是否可以对访问到的数据进行修改等操作,均是由登录的第一账号是否具备相应的权限来确定的。First, on the website to be tested, log in to the website to be tested through the account number, password and other identity verification information corresponding to the first account. Information access, that is to say, whether the user currently has access to a certain data or whether the user can currently modify the accessed data is determined by whether the first account logged in has the corresponding authority. .
在第一账号登录成功之后,获取与第一账号的登录态信息,例如,登录态信息可以是与第一账号对应的UIN(Unique Identification Number,唯一识别码)码、或者cookies信息、或者Session ID等于第一账号的身份信息唯一对应的数据,可以用来验证当前账号的身份信息的唯一标识信息。After the first account login is successful, obtain the login state information with the first account, for example, the login state information can be the UIN (Unique Identification Number, unique identification code) code corresponding to the first account, or cookies information, or Session ID It is equal to the data uniquely corresponding to the identity information of the first account, and can be used to verify the unique identification information of the identity information of the current account.
具体的,UIN码是账号在注册的过程中,分配给注册者的身份验证码,并且,UIN码是永久和不能修改的,除非注册者身份变更导致UIN被删除。也就是说,与第一账号对应的UIN码是确定的,并且与其他用户的UIN码是不相同的。用UIN码可以唯一标识当前登录的第一账号,若登录的账号变更或者被篡改,其UIN码也会随之发生改变。Specifically, the UIN code is the identity verification code assigned to the registrant during the account registration process, and the UIN code is permanent and cannot be modified, unless the UIN is deleted due to the change of the registrant's identity. That is to say, the UIN code corresponding to the first account is definite and different from the UIN codes of other users. The UIN code can uniquely identify the first account currently logged in. If the logged-in account is changed or tampered with, its UIN code will also change accordingly.
Cookie(或cookies)是网站为了辨别用户身份而存储在用户本地终端上的数据(浏览器缓存),在访问网站时,可以在发送HTTP请求时一并将cookie发送给服务器,服务器根据cookie在数据库中查找与该cookie匹配的用户身份信息或者用户验证信息。也就是说,如果cookie发生了变化,服务器找到的与当前cookie匹配的用户身份信息也会发生变化。Cookie (or cookies) is the data (browser cache) stored on the user's local terminal by the website in order to identify the user's identity. When visiting the website, the cookie can be sent to the server together with the HTTP request. Find the user identity information or user verification information that matches the cookie. That is to say, if the cookie changes, the user identity information found by the server that matches the current cookie will also change.
Session ID是服务器为第一账号的请求创建session时生成的与该session对应的标识,session是为服务器中存储于第一账号对应的身份验证信息的数据块,通过Session ID可以在session列表中查找到与该Session ID对应的session,然后确定与Session ID对应的身份验证信息。也就是说,一旦Session ID更改或者被篡改,在查找用户身份验证信息时会出现查找不到或者查找到的用户身份验证信息也会发生变化的情况。Session ID is the identifier corresponding to the session generated by the server when creating a session for the request of the first account, and the session is a data block of authentication information corresponding to the first account stored in the server, and can be searched in the session list through the Session ID Go to the session corresponding to the Session ID, and then determine the authentication information corresponding to the Session ID. That is to say, once the Session ID is changed or tampered with, when the user authentication information is searched, it may not be found or the found user authentication information may also change.
综上,登录态信息可以唯一确定当前的账号,如果登录态信息变化,其对应的账号也会发生变化。在本实施例中,登录态信息可以是UIN码、cookies信息、Session ID以及其他可以标识用户身份信息的参数中的一个或者多个参数的组合。In summary, the login status information can uniquely determine the current account, and if the login status information changes, the corresponding account will also change. In this embodiment, the login state information may be a combination of one or more parameters among UIN code, cookies information, Session ID and other parameters that can identify user identity information.
在本实施例中,登录态信息的获取可以是通过登录态拉取接口函数来实现的。例如,通过登录态拉取接口函数获取第一账号登录以后的cookie。In this embodiment, the acquisition of the login state information may be realized through the interface function of pulling the login state. For example, the cookie after the first account is logged in is obtained through the pull interface function in the login state.
步骤S104:获取预设的扫描规则,所述扫描规则包括待测网站的测试地址和目标账号属性类型。Step S104: Obtain a preset scanning rule, the scanning rule includes the test address of the website to be tested and the attribute type of the target account.
在本实施例中,在通过登录态拉取接口获取到第一账号的登录态信息之后,由扫描器将访问待测网站的访问发送给服务器,并根据网站返回的数据进行判断,判断第一账号是否发生账号越权。扫描器是一类自动检测本地或远程主机安全弱点的程序,它能够快速的准确的发现扫描目标存在的漏洞并提供给使用者扫描结果;工作原理是扫描器向目标计算机发送数据包,然后根据对方反馈的信息来判断对方的操作系统类型、开发端口、提供的服务等敏感信息。In this embodiment, after obtaining the login status information of the first account through the login status pull interface, the scanner sends the access to the website to be tested to the server, and judges according to the data returned by the website, and judges that the first account Whether the account has account unauthorized. A scanner is a program that automatically detects security weaknesses of local or remote hosts. It can quickly and accurately discover the vulnerabilities of the scanned target and provide the user with the scanning results; the working principle is that the scanner sends a data packet to the target computer, and then according to The information fed back by the other party is used to judge sensitive information such as the other party's operating system type, development port, and provided services.
具体的,在本实施例中,首先需要确定与待测网站对应的测试地址,即访问地址。Specifically, in this embodiment, it is first necessary to determine the test address corresponding to the website to be tested, that is, the access address.
进一步的,还需要确定当前扫描器在判断第一账号是否发生账号越权的过程中需要的目标账号属性类型。需要说明的是,目标账号属性类型为登录态信息中包含的至少一个属性项中的一个或者多个指定的属性项对用的属性项类型。例如,第一账号的登录态信息包含了第一账号的UIN码、以及账号标识、账号昵称的情况下,目标账号属性类型为UIN码、账号标识、账号昵称中的一个或者多个。Further, it is also necessary to determine the attribute type of the target account that the current scanner needs in the process of judging whether the first account has account unauthorized access. It should be noted that the attribute type of the target account is an attribute item type used by one or more specified attribute item pairs in at least one attribute item included in the login state information. For example, if the login state information of the first account includes the UIN code of the first account, as well as the account identifier and account nickname, the attribute type of the target account is one or more of the UIN code, account identifier and account nickname.
步骤S106:根据第二账号在目标账号属性类型下的属性值修改所述第一登录态信息,得到第二登录态信息。Step S106: Modify the first login state information according to the attribute value of the second account under the attribute type of the target account to obtain the second login state information.
如前所述,在本实施例中,需要判断第一账号是否可以越权访问第二账号下的数据或者进行某项功能操作。需要说明的是,在本实施例中,第二账号可以是与第一账号关联的关联账号,也可以是待测网站上的任意一个账号。As mentioned above, in this embodiment, it is necessary to determine whether the first account can access data under the second account without authorization or perform a certain functional operation. It should be noted that, in this embodiment, the second account may be an associated account associated with the first account, or any account on the website to be tested.
After the target account attribute type is determined, the attribute value of the second account under the target account attribute type is determined, and, among the multiple attribute items contained in the first login state information corresponding to the first account, the attribute value of the attribute item corresponding to the target account attribute type is modified to the attribute value of the second account under the target account attribute type, thereby obtaining the second login state information.
For example, where the target account attribute type is the UIN code, the UIN code in the first login state information is changed to the UIN code corresponding to the second account.
Step S108: access the website under test using the second login state information, and receive the first response content sent by the website under test.
In this embodiment, accessing the website under test with the first login state information means accessing the website under test with the identity and authority corresponding to the first account, and performing the operations corresponding to the authority of the first account.
When the website under test is accessed with the second login state information, only the attribute value under the target account attribute type has been changed to the second account's attribute value under that type; no other information has been modified, and the second account has not logged in to the website under test. In this case, when the website under test is accessed with the second login state information containing the second account's attribute value under the target account attribute type, the response content returned by the server of the website under test falls into the following cases:
First, when the server receives the access request it verifies the relevant information contained in the second login state information carried in the request, for example it performs identity verification according to the UIN code contained in the login state information and determines that the account corresponding to the UIN code is the second account; the returned content is therefore related to the second account;
Second, when the server receives the access request it does not verify the attribute value under the target account attribute type contained in the second login state information, because the server does not know that the login state information is related to the second account; the returned content is therefore unrelated to the second account, that is, operations continue according to the authority of the first account.
Specifically, the process of determining whether the first account has an account override is Step S110: obtain the feature information of the first response content according to the matching rule defined in the scan rule, and determine, according to the feature information and the matching rule, whether the first account has exceeded its authority.
Because account override detection requires every attribute of the account to be examined comprehensively, the target account attribute type in the scan rule is determined according to the actual detection needs during the account override detection process.
In addition, the scan rule contains not only the target account attribute type but also the matching rule used when analysing the response content returned by the server in the specific process of determining whether the account has exceeded its authority.
In this embodiment, not all of the content returned by the server is compared and verified; only the part of the content from which it can be determined whether the account has exceeded its authority is compared and verified. For example, in a specific embodiment, after a user logs in to the website, an identifier corresponding to the logged-in account (for example, "Hi, Apple!") is displayed in the website's page view, so that the user can determine from the displayed account identifier which account the current page view corresponds to. In this case, it is only necessary to examine the account identifier displayed in the page view for the logged-in account to learn which account is bound to the login state information corresponding to that page view.
In a specific embodiment, the feature information of the first response content is obtained according to the feature information of the response content that the matching rule specifies should be extracted, and it is then determined from that feature information and the matching rule whether the first account has exceeded its authority.
For example, the above process of determining whether the first account has exceeded its authority is: where the feature information of the second response content matches the first account, determining that the first account has not exceeded its authority; where the feature information of the second response content matches the second account, determining that the first account has exceeded its authority.
That is, when an access request to the website under test is initiated with the second login state information, if the preset feature information in the response content returned by the server matches the first account, the first account has not exceeded its authority; if the preset feature information in the response content returned by the server does not match the first account, for example if it matches the second account, the first account has exceeded its authority.
For example, the feature information reflects the identity information of the requester, such as the requester's UIN code, that the server determined when, after receiving the HTTP request, it established the identity of the requester and the corresponding authority. If the UIN code contained in the feature information of the response content returned by the server corresponds to the first account, the feature information is determined to match the first account; conversely, if the UIN code contained in the feature information of the response content returned by the server corresponds to the second account, the feature information is determined to match the second account.
As shown in FIG. 2, FIG. 2 shows the interaction between the terminal implementing the above account authority identification method and the website under test (target website). After the registered first account is logged in to the website under test on the terminal, the login state information of the logged-in first account is obtained through the login state pull interface and sent to the scanner; the scanner encapsulates the login state information together with the payload, such as the URL of the website under test, generates the corresponding HTTP request, sends it to the server corresponding to the website under test, and receives the data returned by the server; the scanner then analyses the received data to determine whether an override vulnerability exists. The rules the scanner applies when generating the HTTP request and the rules for analysing the returned data are the scan rules corresponding to the scanner, and the scan rules are provided and set by the rule engine connected to the scanner.
Further, in this embodiment, before detecting whether the first account can override the data corresponding to the second account, it is also necessary to determine whether the current website has an account identification function at all. For example, if every user of the website under test has access or operation authority over all data on the website under test, or if, when any account initiates a request to access or operate on data of the website under test, neither the account nor whether the account holds the authority is verified, then the question of account override does not arise.
As shown in FIG. 3, FIG. 3 is a schematic flow diagram of a method for identifying account authority. Before determining whether the first account has exceeded its authority, it is also necessary to determine whether the test address supports the detection and determination of account override.
Specifically, in one embodiment, after obtaining the first login state information of the first account, the method further includes: accessing the website under test using the login state information of the first account, and receiving the second response content sent by the website under test; where the second response content contains the feature information of the first account, performing the step of obtaining the preset scan rule; where the second response content does not contain the feature information of the first account, determining that the test address of the website under test does not have the account authority identification function, and switching the test address of the website under test.
That is, if the website under test has no logic for determining the authority of an account, and no subsequent override determination logic, then the response content returned by the server of the website under test when it is accessed with the login state information of the first account should not contain any data corresponding to the first account. Therefore, when the website under test is accessed with the login state information of the first account, if the response content returned by the website under test does not contain the feature information corresponding to the first account, there is no need to continue account override detection on the website under test, and execution of the method is terminated directly.
In one embodiment, the website under test is a shopping website, and the test address of the website under test determined in step S104 is a product link on the shopping website; generally, the address corresponding to a product link on a shopping website does not require the user's identity to be verified. If in this case the response information returned by the server does not contain the feature information corresponding to the first account, the test address of the website under test is considered not to have the account override detection function, and the test address needs to be switched. For example, switch to a test address that requires the user's identity to be verified, such as the account login address or a payment link of the website under test, and perform steps S102 to S110 again.
That is, the fact that one test address of the website under test lacks the account authority detection function does not mean that every test address of the website under test lacks it. To avoid the detection result of one test address causing possible account override vulnerabilities at other addresses to be overlooked, it is necessary to switch to other test addresses of the website under test and perform account override detection there.
Conversely, if the returned response content contains the feature information corresponding to the first account, the website under test contains logic that verifies the identity of the account, and a further determination of whether authority is exceeded can be made; therefore steps S104 to S110 are performed to determine whether the first account has exceeded its authority.
In the related art, as shown in FIG. 4, FIG. 4 is a schematic diagram of a process in the related art for detecting whether an account has an override vulnerability. Specifically, a tester logs in to account A, initiates a data operation request and intercepts the request packet, replaces the identity identifier corresponding to A in the request packet with the identity identifier corresponding to B, then submits the modified request and determines from the content returned by the website whether the operation succeeded; if so, the vulnerability is marked, otherwise no vulnerability exists. This requires the tester to manually compare the identification parameters of accounts A and B and to change every identification parameter in account A's data operation request to the specific value corresponding to account B, which takes a great deal of time.
With the embodiments of the present invention, however, the tester does not need to manually compare and modify the account identification parameters: according to the target account attribute type determined in the scan rule, the first account's attribute value under the target account attribute type is automatically changed to the second account's attribute value. That is, the tester only needs to define the target account attribute type in the scan rule for the detection of whether an account has an override vulnerability to be completed automatically, which reduces the time spent on account override detection and improves its efficiency.
In addition, to solve the technical problem in the prior art that the override vulnerability detection method is inefficient because manual detection is time-consuming and incomplete, in one embodiment, as shown in FIG. 5, an account authority identification apparatus is also proposed, including a login state information acquisition module 102, a scan rule acquisition module 104, a login state information modification module 106, a response content receiving module 108 and an override determination module 110, wherein:
the login state information acquisition module 102 is configured to log in to the first account on the website under test and obtain the first login state information of the first account;
the scan rule acquisition module 104 is configured to obtain the preset scan rule, the scan rule including the test address of the website under test and the target account attribute type;
the login state information modification module 106 is configured to modify the first login state information according to the attribute value of the second account under the target account attribute type to obtain the second login state information;
the response content receiving module 108 is configured to access the website under test using the second login state information and receive the first response content sent by the website under test;
the override determination module 110 is configured to obtain the feature information of the first response content according to the matching rule defined in the scan rule, and to determine, according to the feature information and the matching rule, whether the first account has exceeded its authority.
Optionally, in one embodiment, as shown in FIG. 5, the above apparatus further includes a test website detection module 112, configured to access the website under test using the login state information of the first account, receive the second response content sent by the website under test, and, where the second response content contains the feature information of the first account, invoke the scan rule acquisition module 104.
Optionally, in one embodiment, the override determination module 110 is further configured to determine that the first account has not exceeded its authority where the feature information of the second response content matches the first account, and to determine that the first account has exceeded its authority where the feature information of the second response content matches the second account.
Optionally, in one embodiment, the test website detection module 112 is further configured to determine, where the second response content does not contain the feature information of the first account, that the test address of the website under test does not have the account authority identification function, and to switch the test address of the website under test.
Optionally, in one embodiment, the login state information is a UIN code, a cookie or a session ID.
Implementing the embodiments of the present invention has the following beneficial effects:
With the above account authority identification method and apparatus, when it is necessary to detect whether a website under test has an account override vulnerability, the identity information in the login state information corresponding to the first account can be changed, according to the preset scan rule, to the identity information corresponding to the second account; data is then requested from the website under test, and the matching rule defined in the scan rule is used to determine from the account feature information contained in the data returned by the website under test whether an account override has occurred. That is, with the embodiments of the present invention, the tester does not need to manually compare and modify the account identification parameters: according to the target account attribute type determined in the scan rule, the first account's attribute value under the target account attribute type is automatically changed to the second account's attribute value. The tester therefore only needs to define the target account attribute type in the scan rule for the detection of whether an account has an override vulnerability to be completed automatically, which reduces the time required for account override detection and improves its efficiency.
In one embodiment, as shown in FIG. 6, FIG. 6 shows a terminal of a von Neumann architecture computer system that runs the above account authority identification method. The computer system may be a terminal device such as a smartphone, tablet computer, handheld computer, notebook computer or personal computer. Specifically, it may include an external input interface 1001, a processor 1002, a memory 1003 and an output interface 1004 connected through a system bus. The external input interface 1001 may optionally include at least a network interface 10012. The memory 1003 may include an external memory 10032 (such as a hard disk, optical disk or floppy disk) and an internal memory 10034. The output interface 1004 may include at least a device such as a display screen 10042.
In this embodiment, the method runs as a computer program whose program file is stored in the external memory 10032 of the aforementioned von Neumann architecture computer system, is loaded into the internal memory 10034 at run time, and is then compiled into machine code and passed to the processor 1002 for execution, so that the login state information acquisition module 102, scan rule acquisition module 104, login state information modification module 106, response content receiving module 108, override determination module 110 and test website detection module 112 are formed logically in the von Neumann architecture computer system. During execution of the above account authority identification method, the input parameters are all received through the external input interface 1001, passed to the memory 1003 for buffering, and then input to the processor 1002 for processing; the resulting data is either buffered in the memory 1003 for subsequent processing or passed to the output interface 1004 for output.
Specifically, the processor 1002 is configured to perform the following operations:
logging in to the first account on the website under test and obtaining the first login state information of the first account;
obtaining the preset scan rule, the scan rule including the test address of the website under test and the target account attribute type;
modifying the login state information according to the second account to obtain the second login state information;
accessing the website under test using the second login state information, and receiving the first response content sent by the website under test;
obtaining the feature information of the first response content according to the matching rule defined in the scan rule, and determining, according to the feature information and the matching rule, whether the first account has exceeded its authority.
Optionally, in one embodiment, the processor 1002 is further configured to access the website under test using the login state information of the first account and receive the second response content sent by the website under test, and, where the second response content contains the feature information of the first account, to perform the step of obtaining the preset scan rule.
Optionally, in one embodiment, the processor 1002 is further configured to determine that the first account has not exceeded its authority where the feature information of the second response content matches the first account, and to determine that the first account has exceeded its authority where the feature information of the second response content matches the second account.
Optionally, in one embodiment, the processor 1002 is further configured to determine, where the second response content does not contain the feature information of the first account, that the test address of the website under test does not have the account authority identification function, and to switch the test address of the website under test.
The above disclosure is merely preferred embodiments of the present invention and certainly cannot limit the scope of the rights of the present invention; therefore, equivalent changes made according to the claims of the present invention still fall within the scope covered by the present invention.
Claims (11)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710234539.7A CN108696490A (en) | 2017-04-11 | 2017-04-11 | The recognition methods of account permission and device |
| PCT/CN2018/082355 WO2018188558A1 (en) | 2017-04-11 | 2018-04-09 | Method and apparatus for identifying account permission |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710234539.7A CN108696490A (en) | 2017-04-11 | 2017-04-11 | The recognition methods of account permission and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108696490A true CN108696490A (en) | 2018-10-23 |
Family
ID=63793125
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710234539.7A Pending CN108696490A (en) | 2017-04-11 | 2017-04-11 | The recognition methods of account permission and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN108696490A (en) |
| WO (1) | WO2018188558A1 (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109902022A (en) * | 2019-03-14 | 2019-06-18 | 深圳壹账通智能科技有限公司 | The method and relevant device tested automatically for loophole of vertically going beyond one's commission |
| CN110084044A (en) * | 2019-03-14 | 2019-08-02 | 深圳壹账通智能科技有限公司 | For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission |
| CN110572417A (en) * | 2019-10-22 | 2019-12-13 | 腾讯科技(深圳)有限公司 | Method, apparatus, server and storage medium for providing login ticket |
| CN110881032A (en) * | 2019-11-06 | 2020-03-13 | 国网浙江武义县供电有限公司 | Identification method and device for account unauthorized operation |
| CN111125718A (en) * | 2019-12-24 | 2020-05-08 | 北京三快在线科技有限公司 | Unauthorized vulnerability detection method, device, equipment and storage medium |
| CN111241547A (en) * | 2018-11-28 | 2020-06-05 | 阿里巴巴集团控股有限公司 | Detection method, device and system for unauthorized vulnerability |
| CN111324539A (en) * | 2020-02-28 | 2020-06-23 | 深圳壹账通智能科技有限公司 | Account switching test method and system |
| CN111683047A (en) * | 2020-04-30 | 2020-09-18 | 中国平安财产保险股份有限公司 | Unauthorized vulnerability detection method and device, computer equipment and medium |
| CN112257100A (en) * | 2020-07-30 | 2021-01-22 | 北京沃东天骏信息技术有限公司 | Method and device for detecting sensitive data protection effect and storage medium |
| CN113986956A (en) * | 2021-12-29 | 2022-01-28 | 深圳红途科技有限公司 | Data exception query analysis method and device, computer equipment and storage medium |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110287660A (en) * | 2019-05-21 | 2019-09-27 | 深圳壹账通智能科技有限公司 | Access right control method, device, equipment and storage medium |
| CN111414614B (en) * | 2020-03-20 | 2024-04-05 | 上海中通吉网络技术有限公司 | Override detection method and auxiliary device |
| CN112464250A (en) * | 2020-12-15 | 2021-03-09 | 光通天下网络科技股份有限公司 | Method, device and medium for automatically detecting unauthorized vulnerability |
| CN113014448B (en) * | 2021-02-23 | 2022-09-30 | 深信服科技股份有限公司 | Login state rule extraction method and device and electronic equipment |
| CN113590461B (en) * | 2021-06-01 | 2024-04-23 | 的卢技术有限公司 | Test method for realizing override of automobile user data based on fidder |
| CN115459959B (en) * | 2022-08-17 | 2025-05-16 | 上海聚水潭网络科技有限公司 | A method and system for scanning unauthorized vulnerabilities based on role account information |
| CN115460014B (en) * | 2022-09-26 | 2025-07-11 | 建信金融科技有限责任公司 | Horizontal overreach detection method and device |
| CN116546074A (en) * | 2023-06-06 | 2023-08-04 | 中国联合网络通信集团有限公司 | Login timeout duration setting method, device, computing equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020010855A1 (en) * | 2000-03-03 | 2002-01-24 | Eran Reshef | System for determining web application vulnerabilities |
| CN101964025A (en) * | 2009-07-23 | 2011-02-02 | 中联绿盟信息技术(北京)有限公司 | XSS (Cross Site Scripting) detection method and device |
| US20140137228A1 (en) * | 2012-11-15 | 2014-05-15 | Qualys, Inc. | Web application vulnerability scanning |
| CN104519070A (en) * | 2014-12-31 | 2015-04-15 | 北京奇虎科技有限公司 | Method and system for detecting website permission vulnerabilities |
| CN105357195A (en) * | 2015-10-30 | 2016-02-24 | 深圳市深信服电子科技有限公司 | Unauthorized web access vulnerability detecting method and device |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8191117B2 (en) * | 2007-10-25 | 2012-05-29 | Anchorfree, Inc. | Location-targeted online services |
| CN106470132B (en) * | 2015-08-19 | 2019-09-17 | 阿里巴巴集团控股有限公司 | Horizontal permission test method and device |
- 2017-04-11 CN CN201710234539.7A patent/CN108696490A/en active Pending
- 2018-04-09 WO PCT/CN2018/082355 patent/WO2018188558A1/en not_active Ceased
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020010855A1 (en) * | 2000-03-03 | 2002-01-24 | Eran Reshef | System for determining web application vulnerabilities |
| CN101964025A (en) * | 2009-07-23 | 2011-02-02 | 中联绿盟信息技术(北京)有限公司 | XSS (Cross Site Scripting) detection method and device |
| US20140137228A1 (en) * | 2012-11-15 | 2014-05-15 | Qualys, Inc. | Web application vulnerability scanning |
| CN104519070A (en) * | 2014-12-31 | 2015-04-15 | 北京奇虎科技有限公司 | Method and system for detecting website permission vulnerabilities |
| CN105357195A (en) * | 2015-10-30 | 2016-02-24 | 深圳市深信服电子科技有限公司 | Unauthorized web access vulnerability detecting method and device |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111241547A (en) * | 2018-11-28 | 2020-06-05 | 阿里巴巴集团控股有限公司 | Detection method, device and system for unauthorized vulnerability |
| CN111241547B (en) * | 2018-11-28 | 2023-05-12 | 阿里巴巴集团控股有限公司 | Method, device and system for detecting override vulnerability |
| CN110084044A (en) * | 2019-03-14 | 2019-08-02 | 深圳壹账通智能科技有限公司 | For the horizontal method and relevant device that loophole is tested automatically of going beyond one's commission |
| CN109902022A (en) * | 2019-03-14 | 2019-06-18 | 深圳壹账通智能科技有限公司 | The method and relevant device tested automatically for loophole of vertically going beyond one's commission |
| WO2020181841A1 (en) * | 2019-03-14 | 2020-09-17 | 深圳壹账通智能科技有限公司 | Method for automatically testing horizontal over-permission vulnerabilities and related device |
| CN110572417A (en) * | 2019-10-22 | 2019-12-13 | 腾讯科技(深圳)有限公司 | Method, apparatus, server and storage medium for providing login ticket |
| CN110881032B (en) * | 2019-11-06 | 2022-02-22 | 国网浙江武义县供电有限公司 | Identification method and device for unauthorized account operation |
| CN110881032A (en) * | 2019-11-06 | 2020-03-13 | 国网浙江武义县供电有限公司 | Identification method and device for account unauthorized operation |
| CN111125718A (en) * | 2019-12-24 | 2020-05-08 | 北京三快在线科技有限公司 | Unauthorized vulnerability detection method, device, equipment and storage medium |
| CN111324539A (en) * | 2020-02-28 | 2020-06-23 | 深圳壹账通智能科技有限公司 | Account switching test method and system |
| CN111683047A (en) * | 2020-04-30 | 2020-09-18 | 中国平安财产保险股份有限公司 | Unauthorized vulnerability detection method and device, computer equipment and medium |
| CN111683047B (en) * | 2020-04-30 | 2023-05-30 | 中国平安财产保险股份有限公司 | Unauthorized vulnerability detection method, device, computer equipment and medium |
| CN112257100A (en) * | 2020-07-30 | 2021-01-22 | 北京沃东天骏信息技术有限公司 | Method and device for detecting sensitive data protection effect and storage medium |
| CN113986956A (en) * | 2021-12-29 | 2022-01-28 | 深圳红途科技有限公司 | Data exception query analysis method and device, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2018188558A1 (en) | 2018-10-18 |
Similar Documents
| Publication | Title |
|---|---|
| CN108696490A (en) | The recognition methods of account permission and device |
| US11570211B1 (en) | Detection of phishing attacks using similarity analysis |
| US10601865B1 (en) | Detection of credential spearphishing attacks using email analysis |
| CN109376078B (en) | Mobile application testing method, terminal equipment and medium |
| CN111209565B (en) | Horizontal override vulnerability detection method, equipment and computer readable storage medium |
| EP2447878B1 (en) | Web based remote malware detection |
| US8087088B1 (en) | Using fuzzy classification models to perform matching operations in a web application security scanner |
| JP6624771B2 (en) | Client-based local malware detection method |
| US11770385B2 (en) | Systems and methods for malicious client detection through property analysis |
| CN107332804B (en) | Method and device for detecting webpage bugs |
| WO2016122735A1 (en) | Methods and systems for identifying potential enterprise software threats based on visual and non-visual data |
| CN108259514B (en) | Vulnerability detection method and device, computer equipment and storage medium |
| US8484742B2 (en) | Rendered image collection of potentially malicious web pages |
| CN105631359A (en) | Control method and device of webpage operation |
| CN107133516B (en) | Authority control method and system |
| CN107800686B (en) | Method and device for identifying phishing website |
| CN112671605B (en) | Test method and device and electronic equipment |
| CN109547426B (en) | Service response method and server |
| CN102789561A (en) | Method and device for utilizing camera in browser |
| CN105404816B (en) | Content-based vulnerability detection method and device |
| CN105930726B (en) | Processing method for malicious operation behavior and user terminal |
| CN106487793A (en) | Application installation method and device |
| CN103488947A (en) | Method and device for identifying instant messaging client-side account number stealing Trojan horse program |
| CN107896218A (en) | Method and system for automatically detecting verification code return logic vulnerabilities |
| CN112836213A (en) | Anti-abuse (anti-brush) method and device based on API interface |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20181023 |