
CN103634280B - A kind of web portal security scan method and device - Google Patents


Info

Publication number: CN103634280B
Application number: CN201210303263.0A
Authority: CN (China)
Prior art keywords: user, scanning, interface, token, request
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103634280A
Inventors: 练坤梅, 王丹
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Legal events: application filed by Beijing Baidu Netcom Science and Technology Co Ltd; priority to CN201210303263.0A; publication of CN103634280A; application granted; publication of CN103634280B; legal status active; anticipated expiration.

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The present invention provides a website security scanning method, including: an API server issues a website security scanning service interface to a user; when receiving a request from the user to call the website security scanning service interface, the API server calls background resources to perform the corresponding security scanning service on the system under test (SUT) according to a preset mapping rule. The present invention also provides a website security scanning device. According to the technical solution provided by the invention, the efficiency of website security scanning can be improved and local device resources saved.

Description

Website security scanning method and device
[ technical field ]
The invention relates to a security testing technology in the field of internet, in particular to a website security scanning method and a website security scanning device.
[ background of the invention ]
Currently, the following two methods are mainly used for security scanning of websites. In the first method, a dedicated security tester performs the security scan of the website: during the scan, the tester obtains the link list of the website by manually clicking through the site while a packet-capture tool records the traffic, then constructs a scanning event for each link in the list, and in this way finally completes the security scan of the website. In the second method, the security tester uses security scanning tools to perform the security scan of the website.
For the first method, since the security scan of the website depends on the manual operation of the security tester, the website needs to wait for the schedule of the security tester to scan, and a large amount of manual operations are required, the efficiency of the security scan of the website is very low. For the second method, when the security tester uses the security scanning tool to perform security scanning on the website, all programs required for the security scanning need to be installed locally, so that more device resources are occupied.
[ summary of the invention ]
The invention provides a website security scanning method and device, which can improve the efficiency of website security scanning and save local equipment resources.
The specific technical scheme of the invention is as follows:
The invention provides a website security scanning method in which an application programming interface (API) server issues a website security scanning service interface to a user; the method further comprises:
when a request from the user to call the website security scanning service interface is received, the API server calls background resources to perform the corresponding security scanning service on the system to be tested according to a preset mapping rule.
In the above method, the method further comprises: when receiving a token request of a user, the API server provides the token for the user and stores the token in a background database of the background resource;
the request for calling the website security scanning service interface by the user comprises a token of the user;
before the API server calls background resources to perform the corresponding security scanning service on the tested system according to the preset mapping rule, the method further comprises: the background database queries whether the token of the user is valid, and if so, the step of calling background resources to perform the corresponding security scanning service on the system to be tested according to the preset mapping rule continues to be executed.
In the above method, the interface for the API server to issue the website security scanning service to the user is:
setting a website security scanning service interface, a webpage address and a mapping rule between an API server and background resources, wherein the mapping rule is a mapping relation between the webpage address and a network security scanning server interface of the background resources; and the API server provides the URL set formed by the webpage addresses to the user.
In the method, the website security scanning service interface includes a token application interface, a token activation interface, a scanning start interface, a scanning progress information acquisition interface, a real-time information acquisition interface, a scanning stop interface, or a scanning result acquisition interface.
In the method, when an API server receives a request of a user for calling a token application interface, a background database in background resources is called, whether the user applies for a token or not is judged, and a token activation mail is sent to a user mailbox when the user does not apply for the token;
and when receiving a request for calling an activation token interface sent by a user through clicking the token activation mail, the API server activates the token and sends the activated token to the user.
In the method, when the API server receives a request from a user to call the start scanning interface, if there is no scanning task of the system to be tested among the running scanning tasks, the background server in the background resource is triggered to start the scanning task of the system to be tested.
In the method, when the API server receives a request for calling an interface for acquiring scanning progress information from a user, a background database in background resources is called to inquire the progress information of the scanning task of the system to be tested, which is input by the user, and the progress information is returned to the user.
In the method, when the API server receives a request for acquiring a real-time information interface called by a user, a background database in background resources is called to inquire vulnerability information corresponding to a scanning task of the system to be tested, which is input by the user, and the vulnerability information is returned to the user.
In the method, when the API server receives a request of calling the scanning stopping interface by a user, the background server in the background resource is called to stop the scanning task of the system to be tested.
In the method, when the API server receives a request from a user to call the scanning result obtaining interface, the background database in the background resources is called to query the scanning result of the scanning task of the system to be tested entered by the user, and the scanning result is returned to the user.
The invention also provides a website security scanning device, which is located in the API server and comprises: the interface issuing unit and the request processing unit; wherein,
the interface publishing unit is used for publishing a website security scanning service interface to a user;
and the request processing unit is used for calling background resources to perform corresponding security scanning service on the tested system according to a preset mapping rule when receiving a request of calling the website security scanning service interface by a user.
In the above apparatus, the request processing unit is further configured to provide a token to the user when receiving a token request from the user, and store the token in the background database of the background resource;
the request for calling the website security scanning service interface by the user comprises a token of the user;
and the background database inquires whether the token of the user is valid, and if so, the request processing unit is further used for continuously executing the step of calling background resources to perform corresponding security scanning service on the tested system according to the preset mapping rule.
In the device, the interface issuing unit is specifically configured to set a website security scanning service interface, a web address, and a mapping rule between the API server and the background resource, where the mapping rule is a mapping relationship between the web address and a network security scanning server interface of the background resource; and the API server provides the URL set formed by the webpage addresses to the user.
In the above device, the website security scanning service interface includes an application token interface, an activation token interface, a start scanning interface, a scan progress information obtaining interface, a real-time information obtaining interface, a scan stopping interface, or a scan result obtaining interface.
In the device, the request processing unit is specifically configured to, when receiving a request for a user to invoke a token application interface, invoke a background database in background resources and determine whether the user has applied for a token, and send a token activation mail to the user mailbox when the user has not applied for the token; and when a request for calling an activation token interface, which is sent by clicking the token activation mail by the user, is received, activating the token and sending the activated token to the user.
In the apparatus, the request processing unit is specifically configured to, when a request for starting a scanning interface is received from a user, trigger a background server in a background resource to start a scanning task performed on the system under test if there is no scanning task of the system under test in a scanning task that is running.
In the device, the request processing unit is specifically configured to, when receiving a request for calling an interface for acquiring scanning progress information from a user, call a background database in a background resource to query progress information of a scanning task of the system under test, which is input by the user, and return the progress information to the user.
In the device, the request processing unit is specifically configured to, when a request for obtaining a real-time information interface called by a user is received, call a background database in a background resource to query vulnerability information corresponding to a scanning task of the system under test, which is input by the user, and return the vulnerability information to the user.
In the device, the request processing unit is specifically configured to, when receiving a request for invoking a scan stopping interface by a user, invoke a background server in a background resource to stop a scanning task performed on the system under test.
In the device, the request processing unit is specifically configured to, when receiving a request from a user to call the scanning result obtaining interface, call the background database in the background resource to query the scanning result of the scanning task of the system under test entered by the user, and return the scanning result to the user.
According to the technical scheme, the website safety automatic scanning is realized according to the request of the user, so that special safety testers are not required to schedule to safely scan the website, and the website safety scanning efficiency can be improved; in addition, the invention realizes the security scanning of the tested website on the network side in a unified way by the user requesting the API server, and the user can realize the security scanning of the website without installing any security scanning tool in the local equipment, thereby saving the local equipment resources.
[ description of the drawings ]
FIG. 1 is a flow chart illustrating a preferred embodiment of a method for implementing a website security scan according to the present invention;
FIG. 2 is a schematic flow chart of a preferred embodiment of a method for implementing step 103 of the present invention;
FIG. 3 is a schematic structural diagram of a preferred embodiment of a website security scanning system implemented in the present invention;
FIG. 4 is a schematic structural diagram of a website security scanning apparatus according to a preferred embodiment of the present invention.
[ detailed description of the embodiments ]
The basic idea of the invention is: the API server issues a website security scanning service interface to a user; and when a request of calling a website security scanning service interface by a user is received, the API server calls background resources to perform corresponding security scanning service on the system to be tested according to a preset mapping rule.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
The invention provides a website security scanning method, fig. 1 is a schematic flow chart of a preferred embodiment of the website security scanning method implemented by the invention, and as shown in fig. 1, the preferred embodiment includes the following steps:
step 101, an API server issues a website security scanning service interface to a user.
Specifically, in order to provide the website security scanning service to users, a website security scanning service interface between the Application Programming Interface (API) server and the background resource needs to be set in the API server; through this interface the API server can call the background resource to perform a security scan on the system to be tested. The website security scanning service interface comprises: a token application interface, a token activation interface, a start scanning interface, a scanning progress information obtaining interface, a real-time information obtaining interface, a stop scanning interface and a scanning result obtaining interface.
An interface processing function and an interface name are written in the interface processing file of the API server, and the website security scanning service interfaces are set in the API server through the defined interface processing functions; the interfaces are shown in Table 1, and more than one website security scanning service interface forms an interface set. Then, in the url.py file of the API server, a Uniform Resource Locator (URL) set is generated from the interface names and a preset mapping rule, where the preset mapping rule is the mapping relationship between a web address in the URL set and a network security scanning server interface of the background resource. As shown in Table 1, www.xxx.com is the background resource and token, activate and so on are interface names, so each website security scanning service interface in the interface set corresponds one-to-one with a web address in the URL set. The URL set is provided to the user through the API file; after the user calls a web address in the URL set, the API server calls the corresponding website security scanning service interface according to the preset mapping rule and triggers the background resource to perform the security scan on the system to be tested. In this embodiment, the background resource includes a background database and a background server.
TABLE 1
Interface set                                    URL set
Application token interface                      www.xxx.com/token
Activation token interface                       www.xxx.com/activate
Start scan interface                             www.xxx.com/start
Obtain scanning progress information interface   www.xxx.com/proc
Obtain real-time information interface           www.xxx.com/detail
Stop scan interface                              www.xxx.com/stop
Obtain scanning result interface                 www.xxx.com/result
Step 102, when receiving a token request from a user, the API server provides the token to the user and stores the token in the background database of the background resource.
Specifically, the user calls the web address www.xxx.com/token in the URL set and enters a user mailbox in the text box of that web address, thereby initiating a token request to the API server. According to the preset mapping rule, the API server determines that the website security scanning service interface called by the user is the token application interface, so the user's request is a token request; after receiving it, the API server calls the corresponding token application interface, and the interface processing function corresponding to that interface judges, from the mailbox entered by the user, whether the user has already applied for a token. If the interface processing function does not find the user mailbox in the background database, the user has not yet applied for a token, the token application succeeds, and the interface processing function sends a token activation mail to the user mailbox. After receiving the token activation mail, the user initiates a token activation request to the API server by clicking the web address www.xxx.com/activate in the mail. According to the preset mapping rule, the API server determines that the interface called is the activation token interface, so the request is a token activation request; the API server calls the activation token interface, whose interface processing function activates the token, sends the activated token to the user mailbox by mail, adds the user mailbox to the background database, and sets the activation state bit of the token in the background database to activated. If the interface processing function corresponding to the token application interface does find the user mailbox in the background database, the user has already applied for a token, the application fails, and the interface processing function returns a prompt that the token application failed to the user in the token request response.
A token user list and a token activation state table are maintained in the background database. The token user list stores the user mailboxes that have applied for tokens; each mailbox may apply only once and obtain one token, so for a mailbox that has already applied, the interface processing function corresponding to the token application interface no longer provides a token, and step 103 can be executed directly. The token activation state table maintains the activation state of each token for later queries by the API server.
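As an added example, not code from the patent or from Baidu, the following Python sketch models the url.py mapping rule of Table 1 for the two token interfaces together with the token user list and token activation state table of step 102: a mailbox may apply once, the application produces an activation mail rather than a token, and only the activation step sets the activation bit that the later interfaces check. BackgroundDB, Outbox, dispatch and the activation link format are assumptions; the mail sender is simulated by an in-memory outbox, and tokens are generated with the standard library's secrets module. One tightening beyond the text: a second application is also refused while a first one is still awaiting activation.

```python
import secrets
from dataclasses import dataclass, field

BASE = "www.xxx.com"  # background resource host from Table 1


@dataclass
class BackgroundDB:
    """Constructed stand-in for the background database (hypothetical schema)."""
    token_users: dict = field(default_factory=dict)       # mailbox -> activated token
    activation_state: dict = field(default_factory=dict)  # token -> activation bit
    pending: dict = field(default_factory=dict)           # token -> mailbox awaiting activation


@dataclass
class Outbox:
    """Stand-in for the mail sender; records what would have been mailed."""
    mails: list = field(default_factory=list)


def apply_token(db, outbox, mailbox):
    """Interface processing function behind www.xxx.com/token.
    A mailbox that already applied (activated or pending) gets a failure prompt."""
    if mailbox in db.token_users or mailbox in db.pending.values():
        return {"ok": False, "msg": "token application failed: mailbox already applied"}
    token = secrets.token_urlsafe(24)          # unguessable token, not yet usable
    db.pending[token] = mailbox
    db.activation_state[token] = False         # activation bit cleared until mail link is used
    outbox.mails.append({"to": mailbox, "link": f"{BASE}/activate?token={token}"})
    return {"ok": True, "msg": "token activation mail sent"}


def activate_token(db, outbox, token):
    """Interface processing function behind www.xxx.com/activate (clicked from the mail).
    Sets the activation bit, records the mailbox in the token user list, mails the token."""
    mailbox = db.pending.pop(token, None)
    if mailbox is None:
        return {"ok": False, "msg": "unknown or already activated token"}
    db.activation_state[token] = True
    db.token_users[mailbox] = token
    outbox.mails.append({"to": mailbox, "token": token})
    return {"ok": True, "token": token}


# Preset mapping rule: web address in the URL set -> interface processing function,
# the one-to-one correspondence the text describes being generated in url.py.
INTERFACE_SET = {
    f"{BASE}/token": apply_token,
    f"{BASE}/activate": activate_token,
}


def dispatch(db, outbox, address, **params):
    """API server entry point: resolve the web address through the mapping rule."""
    handler = INTERFACE_SET.get(address)
    if handler is None:
        return {"ok": False, "msg": "no interface mapped to this address"}
    return handler(db, outbox, **params)


def token_is_valid(db, token):
    """Check the other interfaces run first: the activation bit must be set."""
    return db.activation_state.get(token, False)
```

The activation table here holds the raw token, as the text describes; a deployment would normally store a hash of it so that a leaked database does not hand out usable tokens.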
Step 103, when receiving a request from a user to call a website security scanning service interface, the API server calls background resources to perform the corresponding security scanning service on the system to be tested according to a preset mapping rule.
Fig. 2 is a schematic flow chart of a preferred embodiment of a specific implementation method of step 103 of the present invention, and as shown in fig. 2, the preferred embodiment includes the following steps:
step 201, when a request for calling a website security scanning service interface is a scanning request, an API server calls a background server to start a scanning task of a system under test according to a preset mapping rule.
Specifically, the user sends a request to call a website security scanning service interface to the API server by calling the web address www.xxx.com/start in the URL set. The request is an HTTP request in POST mode carrying the POST parameters the user entered in the text box of the web address; the POST parameters include the token, the scanning site URL, the site user name, the site password and the scanning site URL prefix, where the token is the one previously obtained by the user.
After receiving the user's request, the API server determines according to the preset mapping rule that the interface called is the start scanning interface, so the request is a scanning request, and the API server calls the start scanning interface. The interface processing function corresponding to the start scanning interface first judges whether the token carried in the scanning request is valid by querying the activation state bit of the token in the background database. If the activation state bit is activated, the token in the scanning request is valid, and the interface processing function then queries the background database for whether the same scanning task is already running: if the running scanning tasks in the background database contain a scanning task for the scanning site URL, the same scanning task is judged to be running, and the interface processing function returns a prompt of a repeated scanning task to the user in the scanning response; if no scanning task for the scanning site URL exists among the running tasks, no same task is running, and the interface processing function triggers the background server and sends it the scanning site URL, the background server starts the scanning task for that URL and returns the state of the started task to the interface processing function. If the scanning task starts successfully, the interface processing function returns the scanning task ID and a prompt that the task started successfully to the user in the scanning response, and adds the scanning task to the background database; if the scanning task fails to start, the interface processing function returns a prompt that starting the task failed to the user in the scanning response. Usually the failure is caused by network conditions; for example, the configuration may allow web vulnerability scanning only for the internal network, so a scanning site URL in the external network causes the start to fail. If the activation state bit of the token in the background database is not activated, the interface processing function judges the token in the scanning request to be invalid, does not start the scanning task, and returns a prompt that the token is invalid to the user in the scanning response.
The background database maintains a scanning task list, the scanning task list stores scanning site URLs corresponding to the running scanning tasks, and after a scanning task is successfully started by the background server, the scanning site URLs of the scanning task need to be added into the scanning task list.
Step 202, after the scanning task is started successfully, when the request of the user for calling the website security scanning service interface is a scanning progress request, the API server calls the background database according to the preset mapping rule to provide progress information for the user.
Specifically, after the scanning task has started successfully and while it is running, the user sends a request to call a website security scanning service interface to the API server by calling the web address www.xxx.com/proc in the URL set; the request is a POST-mode HTTP request carrying the POST parameters the user entered in the text box of the web address, and the POST parameters include the token and the scanning task ID. The scanning task ID is the one returned to the user by the background server in the scanning response of the web vulnerability scan in step 102.
After receiving the user's request, the API server determines according to the preset mapping rule that the interface called is the scanning progress information obtaining interface, so the request is a scanning progress request, and the API server calls that interface. Its interface processing function judges whether the token carried in the scanning progress request is valid; if the token is valid, it queries the background database for the progress information of the scanning task corresponding to the scanning task ID and returns the progress information to the user in the scanning progress response. A scanning task progress list is maintained in the background database, storing scanning task IDs, the progress information of each scanning task and the correspondence between them, and the background server updates the progress information in the background database in real time. In this embodiment the scanning task states are shown in Table 2, and the scanning progress is the percentage of scanning site URLs that have completed scanning among all scanning site URLs. If the token is invalid, the interface processing function returns a prompt that the token is invalid to the user in the scanning progress response.
TABLE 2
Scanning task state   Description of scanning task state
waiting               The current scanning task is waiting in the wait queue
running               The current scanning task is running
finish                The current scanning task has finished scanning
error                 The current scanning task has encountered an error
After the step 201 or the step 202, the method further includes:
step 203, after the scanning task is started successfully, when the request of the user for calling the website security scanning service interface is a vulnerability information request, the API server calls the background database to provide vulnerability information of the scanning task for the user according to a preset mapping rule.
Specifically, after the scanning task is started successfully, in the running process of the scanning task, the user sends a request for calling a website security scanning service interface to the API server by calling a webpage address www.xxx.com/detail in the URL set, where the request for calling the website security scanning service interface is a post-mode HTTP request, where a post parameter input by the user in a text box of the webpage address is carried, and the post parameter includes a token and a scanning task ID.
After receiving the user's request to call a website security scanning service interface, the API server determines according to the preset mapping rule that the interface called is the real-time information obtaining interface, so the request is a vulnerability information request, and the API server calls the real-time information obtaining interface. Its interface processing function judges whether the token carried in the vulnerability information request is valid; if the token is valid, it queries the background database for the vulnerability information of the scanning task corresponding to the scanning task ID and returns the vulnerability information to the user in the vulnerability information response. A vulnerability information list is maintained in the background database, storing scanning task IDs, vulnerability information and the correspondence between them, and the background server updates the vulnerability information in the background database in real time. If the token is invalid, the interface processing function returns a prompt that the token is invalid to the user in the vulnerability information response.
After step 201, or step 202, or step 203, the following steps may also be included:
Step 204, after the scanning task has started successfully, when the user's request to call a website security scanning service interface is a task stopping request, the API server calls the background server to stop the started scanning task according to the preset mapping rule.
Specifically, after the scanning task is successfully started, in the running process of the scanning task, the user sends a request for calling a website security scanning service interface to the API server by calling the webpage address www.xxx.com/stop in the URL set, where the request for calling the website security scanning service interface is a post-mode HTTP request, and carries a post parameter input by the user in a text box of the webpage address, and the post parameter includes a token and a scanning task ID.
After receiving the request for calling the website security scanning service interface, the API server determines from the preset mapping rule that the called interface is the scanning stopping interface, so the request is a task stopping request. The API server calls the scanning stopping interface, and the interface processing function corresponding to that interface checks whether the token in the task stopping request is valid. If the token is valid, the interface processing function triggers the background server and sends it the scanning task ID; the background server stops the scanning task corresponding to that ID and returns the stop status to the interface processing function. If the scanning task was stopped successfully, the interface processing function returns a prompt that the scanning task was stopped successfully to the user through a task stopping response and deletes the scanning task from the scanning task list in the background database. If stopping the scanning task fails, the interface processing function returns a prompt that stopping the scanning task failed to the user through the task stopping response; stopping fails, for example, when the scanning task ID provided by the user is invalid so that no corresponding scanning task can be found, or when the scanning task corresponding to the scanning task ID in the task stopping request has already stopped. If the token is invalid, the interface processing function corresponding to the scanning stopping interface returns a prompt that the token is invalid to the user through the task stopping response.
Step 205, after the scanning task has been stopped successfully, when the user's request for calling the website security scanning service interface is a scanning result request, the API server calls the background database according to the preset mapping rule to provide the scanning result report to the user.
Specifically, after the scanning task has been stopped successfully, the user sends a request for calling the website security scanning service interface to the API server by calling the webpage address www.xxx.com/result in the URL set. The request is a POST-mode HTTP request and carries the POST parameters the user entered in the text box of the webpage; the POST parameters include a token and a scanning task ID.
After receiving the request for calling the website security scanning service interface, the API server determines from the preset mapping rule that the called interface is the scanning result obtaining interface, so the request is a scanning result request. The API server calls the scanning result obtaining interface, and the interface processing function corresponding to that interface checks whether the token in the scanning result request is valid. If the token is valid, the scanning result report link of the scanning task corresponding to the scanning task ID is queried in the background database and returned to the user through a scanning result response; the user can view the scanning result report of the scanning task by opening that link. In this embodiment the scan result report contains the total number of scanned links, the total number of discovered vulnerabilities, a histogram of the vulnerability data, a statistical table, a detailed description of each vulnerability, the harm it causes, a handling method, and the like. If the token is invalid, the interface processing function corresponding to the scanning result obtaining interface returns a prompt that the token is invalid to the user through the scanning result response. The background database maintains a scanning result report list that stores the scanning task IDs of stopped scanning tasks, their scanning result report links and the correspondence between the two; the background server adds the scanning result report link of a scanning task to the background database after the scanning task has been stopped successfully.
Fig. 3 is a schematic structural diagram of a preferred embodiment of implementing a website security scanning system according to the present invention, as shown in fig. 3, a user initiates a request for invoking a website security scanning service interface to an API server, and the API server invokes a corresponding interface according to the request for invoking the website security scanning service interface, and triggers a background server to start or stop a scanning task of a system under test, or obtains scanning related information from a background database.
To implement the foregoing method, the present invention further provides a website security scanning apparatus, which may be disposed in an API server. Fig. 3 is a schematic structural diagram of a preferred embodiment of the website security scanning apparatus of the present invention; as shown in fig. 3, the website security scanning apparatus includes an interface issuing unit 10 and a request processing unit 20, wherein:
an interface publishing unit 10, configured to publish a website security scanning service interface to a user;
and the request processing unit 20 is configured to, when receiving a request for invoking a website security scanning service interface by a user, invoke background resources to perform corresponding security scanning services on the system under test according to a preset mapping rule.
In the above apparatus, the request processing unit 20 is further configured to provide a token to the user when receiving a token request from the user, and store the token in the background database of the background resource;
the request for calling the website security scanning service interface by the user comprises a token of the user;
the background database queries whether the token of the user is valid, and if so, the request processing unit 20 is further configured to continue to execute the step of invoking a background resource to perform a corresponding security scanning service on the system under test according to the preset mapping rule.
The interface publishing unit 20 is specifically configured to set a website security scanning service interface, a web address, and a mapping rule between the API server and the background resource, where the mapping rule is a mapping relationship between the web address and a network security scanning server interface of the background resource; and the API server provides the URL set formed by the webpage addresses to the user.
The website security scanning service interface comprises a token applying interface, a token activating interface, a scanning starting interface, a scanning progress information acquiring interface, a real-time information acquiring interface, a scanning stopping interface or a scanning result acquiring interface.
The request processing unit 20 is specifically configured to, when receiving a request for a user to invoke a token application interface, invoke a background database in a background resource and determine whether the user has applied for a token, and send a token activation mail to the user mailbox when the user has not applied for the token; and when a request for calling an activation token interface, which is sent by clicking the token activation mail by the user, is received, activating the token and sending the activated token to the user.
The request processing unit 20 is specifically configured to, when a request for starting a scanning interface called by a user is received, trigger a background server in a background resource to start a scanning task performed on the system under test if the scanning task of the system under test does not exist in the running scanning task.
The request processing unit 20 is specifically configured to, when receiving a request for calling an interface for obtaining scanning progress information from a user, call a background database in a background resource to query progress information of a scanning task of the system under test, which is input by the user, and return the progress information to the user.
The request processing unit 20 is specifically configured to, when a request for obtaining a real-time information interface called by a user is received, call a background database in a background resource to query vulnerability information corresponding to a scanning task of the system under test, which is input by the user, and return the vulnerability information to the user.
The request processing unit 20 is specifically configured to, when receiving a request for invoking a scan stopping interface by a user, invoke a background server in a background resource to stop a scanning task performed on the system under test.
The request processing unit 20 is specifically configured to, when receiving a request from a user for invoking the interface for obtaining a scanning result, invoke a background database in a background resource to query the scanning result of the scanning task of the system under test input by the user, and return the scanning result to the user.
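The flow of steps 204 and 205 above and the request processing unit just described, as an added Python example that is not part of the patent: an API server that dispatches the URL set through the preset mapping rule, validates the token against the background database on every call, and reports the failure modes the description names (invalid token, unknown scanning task ID, task already stopped, duplicate start on the same system under test). The in-memory database, the token format, the report link format and the rule that only the token which started a task may stop or query it are assumptions of this example, not statements of the page.

```python
import hmac
import secrets


class BackgroundDB:
    """Constructed in-memory stand-in for the patent's background database."""

    def __init__(self):
        self.tokens = {}    # token -> user mailbox
        self.tasks = {}     # scanning task ID -> record, running tasks only
        self.reports = {}   # scanning task ID -> (owner token, report link)

    def token_valid(self, token):
        # Constant-time compare against each stored token so response timing
        # does not reveal how much of a guessed token was right.
        return any(hmac.compare_digest(token.encode(), t.encode())
                   for t in self.tokens)


class ApiServer:
    def __init__(self, db, scanner):
        self.db = db
        self.scanner = scanner  # set of task IDs the background server is running
        # Preset mapping rule: webpage address -> interface processing function.
        self.mapping = {"/start": self.start_scan, "/info": self.get_info,
                        "/stop": self.stop_scan, "/result": self.get_result}

    def issue_token(self, mailbox):
        token = secrets.token_urlsafe(24)  # hypothetical token format
        self.db.tokens[token] = mailbox
        return token

    def handle(self, path, post):
        """post models the POST parameters typed into the webpage's text box."""
        handler = self.mapping.get(path)
        if handler is None:
            return {"ok": False, "msg": "unknown interface"}
        if not self.db.token_valid(post.get("token", "")):
            return {"ok": False, "msg": "token invalid"}
        return handler(post["token"], post)

    def _owned_task(self, token, post):
        task = self.db.tasks.get(post.get("task_id"))
        # Assumption beyond the page: a task may only be queried or stopped
        # with the token that started it.
        return task if task and task["owner"] == token else None

    def start_scan(self, token, post):
        target = post["target"]
        if any(t["target"] == target for t in self.db.tasks.values()):
            return {"ok": False, "msg": "scan of this system already running"}
        task_id = secrets.token_hex(8)
        self.db.tasks[task_id] = {"target": target, "owner": token, "vulns": []}
        self.scanner.add(task_id)
        return {"ok": True, "task_id": task_id}

    def get_info(self, token, post):
        task = self._owned_task(token, post)
        if task is None:
            return {"ok": False, "msg": "no such running scanning task"}
        return {"ok": True, "vulns": list(task["vulns"])}

    def stop_scan(self, token, post):
        task = self._owned_task(token, post)
        if task is None:  # unknown ID, already stopped, or not the owner
            return {"ok": False, "msg": "stop scanning task failed"}
        task_id = post["task_id"]
        self.scanner.discard(task_id)
        # Page's flow: remove the task from the running list, then record the
        # report link so /result can find it.
        del self.db.tasks[task_id]
        self.db.reports[task_id] = (token, "/reports/%s.html" % task_id)
        return {"ok": True, "msg": "scanning task stopped"}

    def get_result(self, token, post):
        owner, link = self.db.reports.get(post.get("task_id"), (None, None))
        if owner != token:
            return {"ok": False, "msg": "no report for this scanning task"}
        return {"ok": True, "report": link}
```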
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (18)

1. A website security scanning method is characterized in that an Application Programming Interface (API) server issues a website security scanning service interface to a user; the method further comprises the following steps:
when a request of a user for calling a website security scanning service interface is received, the API server calls background resources to perform corresponding security scanning service on a tested system according to a preset mapping rule;
the API server issues the website security scanning service interface to the user as follows:
setting a website security scanning service interface, a webpage address and a mapping rule between an API server and background resources, wherein the mapping rule is a mapping relation between the webpage address and a network security scanning server interface of the background resources; and the API server provides the URL set formed by the webpage addresses to the user.
2. The method of claim 1, further comprising: when receiving a token request of a user, the API server provides the token for the user and stores the token in a background database of the background resource;
the request for calling the website security scanning service interface by the user comprises a token of the user;
before the API server calls background resources to perform the corresponding security scanning service on the tested system according to the preset mapping rule, the method further comprises: the background database inquires whether the token of the user is valid, and if so, the step of calling background resources to perform the corresponding security scanning service on the system to be tested according to the preset mapping rule is continued.
3. The method of claim 1, wherein the website security scanning service interface comprises an application token interface, an activation token interface, a start scanning interface, a get scanning progress information interface, a get real-time information interface, a stop scanning interface, or a get scanning results interface.
4. The method of claim 3, wherein when the API server receives a request from a user to call a token application interface, the API server calls a background database in background resources and determines whether the user has applied for a token, and sends a token activation email to the user mailbox when the user has not applied for a token;
and when receiving a request for calling an activation token interface sent by a user through clicking the token activation mail, the API server activates the token and sends the activated token to the user.
5. The method according to claim 3, wherein when the API server receives a request for starting a scanning interface called by a user, if the running scanning task does not include the scanning task of the system under test, the API server triggers a background server in a background resource to start a scanning task for the system under test.
6. The method according to claim 3, wherein when the API server receives a request for acquiring the scanning progress information from a user call, the API server calls a background database in a background resource to inquire the progress information of the scanning task of the system under test input by the user and returns the progress information to the user.
7. The method according to claim 3, wherein when the API server receives a request for acquiring a real-time information interface called by a user, a background database in a background resource is called to inquire vulnerability information corresponding to a scanning task of the system under test input by the user, and the vulnerability information is returned to the user.
8. The method of claim 3, wherein when the API server receives a request from a user to call a scan stopping interface, a background server in a background resource is called to stop a scanning task performed on the system under test.
9. The method according to claim 3, wherein when the API server receives a request from a user to call the interface for obtaining the scanning result, the API server calls a background database in a background resource to query the scanning result of the scanning task of the system under test input by the user, and returns the scanning result to the user.
10. A website security scanning apparatus, located in an API server, comprising: the interface issuing unit and the request processing unit; wherein,
the interface publishing unit is used for publishing a website security scanning service interface to a user;
the request processing unit is used for calling background resources to perform corresponding security scanning service on the system to be tested according to a preset mapping rule when receiving a request of a user for calling a website security scanning service interface;
the interface publishing unit is specifically used for setting a website security scanning service interface, a webpage address and a mapping rule between the API server and the background resource, wherein the mapping rule is a mapping relation between the webpage address and a network security scanning server interface of the background resource; and the API server provides the URL set formed by the webpage addresses to the user.
11. The apparatus of claim 10, wherein the request processing unit is further configured to provide the token to the user when receiving a token request from the user, and store the token in the background database of the background resource;
the request for calling the website security scanning service interface by the user comprises a token of the user;
and the background database inquires whether the token of the user is valid, and if so, the request processing unit is further used for continuously executing the step of calling background resources to perform corresponding security scanning service on the tested system according to the preset mapping rule.
12. The apparatus of claim 11, wherein the website security scanning service interface comprises an application token interface, an activation token interface, a start scanning interface, a get scanning progress information interface, a get real-time information interface, a stop scanning interface, or a get scanning results interface.
13. The apparatus according to claim 12, wherein the request processing unit is specifically configured to, when receiving a request for a user to invoke a token application interface, invoke a background database in a background resource and determine whether the user has applied for a token, and send a token activation mail to the user mailbox when the user has not applied for the token; and when a request for calling an activation token interface, which is sent by clicking the token activation mail by the user, is received, activating the token and sending the activated token to the user.
14. The apparatus according to claim 12, wherein the request processing unit is specifically configured to, when a request for starting a scanning interface is received from a user, trigger a background server in a background resource to start a scanning task performed on the system under test if there is no scanning task of the system under test in the running scanning tasks.
15. The apparatus according to claim 12, wherein the request processing unit is specifically configured to, when receiving a request for invoking an interface for obtaining scanning progress information from a user, invoke a background database in a background resource to query progress information of a scanning task of the system under test, which is input by the user, and return the progress information to the user.
16. The apparatus according to claim 12, wherein the request processing unit is specifically configured to, when receiving a request for obtaining a real-time information interface called by a user, call a background database in a background resource to query vulnerability information corresponding to a scanning task of the system under test input by the user, and return the vulnerability information to the user.
17. The apparatus according to claim 12, wherein the request processing unit is specifically configured to, when receiving a request for invoking a scan stopping interface by a user, invoke a background server in a background resource to stop a scanning task performed on the system under test.
18. The apparatus according to claim 12, wherein the request processing unit is specifically configured to, when receiving a request from a user for invoking the interface for obtaining a scanning result, invoke a background database in a background resource to query the scanning result of the scanning task of the system under test input by the user, and return the scanning result to the user.
CN201210303263.0A 2012-08-23 2012-08-23 A kind of web portal security scan method and device Active CN103634280B (en)
Publications (2)

Publication Number Publication Date
CN103634280A CN103634280A (en) 2014-03-12
CN103634280B true CN103634280B (en) 2018-11-09