CN111078542A - Webpage server response head security configuration detection method and device

Info

Publication number: CN111078542A
Application number: CN201911203305.1A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 徐潇
Current and original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Priority date: 2019-11-29
Filing date: 2019-11-29
Publication date: 2020-04-28
Legal status: Pending
Prior art keywords: configuration, security, security configuration, response, configuration file

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Data Mining & Analysis (AREA)
  • Information Transfer Between Computers (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for detecting the security configuration of the response header of a web server, comprising the following steps: scanning the configuration file of the web server under test, comparing it with a response header security configuration identification library, and outputting potential security hazards; scanning the configuration file optimization items of the web server under test, comparing them with the HTTP response header security configuration library, and outputting security configuration suggestions; and, after configuration is complete, carrying out URL traversal and a complete request-response test to judge whether the web server under test responds correctly. The invention also provides a detection device. Compared with conventional checking, it gives more comprehensive information prompts and modification suggestions, together with the browser versions supported by each configuration. Functional bugs introduced unnoticed by modifying the security configuration can be located promptly and quickly through the URL traversal and complete request-response test after configuration, which reduces the pressure on testers as far as possible.

Description

Webpage server response head security configuration detection method and device
Technical Field
The invention relates to the technical field of server testing, in particular to a method and device for detecting the security configuration of the response header of a web server.
Background
In the conventional detection approach, the research and experience of developers are the main input for controlling the quality of the response header on the web side. During testing, basic functional testing dominates, and on the security side black-box security testing dominates; there are no clear, hard requirements for the response header fields of web servers (a web server, also called a WWW (World Wide Web) server, mainly provides an online information browsing service). The web services finally delivered therefore carry considerable security risk, and this becomes an unavoidable issue when we do security assessment work.
Secondly, when developers fix a particular security vulnerability, if the integrity of the whole system is not considered and only part of the content is adjusted, the fix itself easily introduces a new bug. Helping developers identify and locate bugs that may be introduced in this way is also a challenge facing security assessment work.
Disclosure of Invention
The invention aims to provide a method and device for detecting the security configuration of the response header of a web server, which can locate problems promptly and quickly and reduce the pressure on testers as far as possible.
In order to achieve the purpose, the invention adopts the following technical scheme:
the invention provides a method for detecting the security configuration of a response head of a web server, which comprises the following steps:
scanning a configuration file of the tested webpage server, comparing the configuration file with a response head security configuration identification library, and outputting potential safety hazards;
scanning the configuration file optimization items of the tested webpage server, comparing the configuration file optimization items with the HTTP response head security configuration library, and outputting security configuration suggestions;
and after the configuration is finished, carrying out URL traversal and complete request response test, and judging whether the tested webpage server responds correctly.
With reference to the first aspect, in a first possible implementation manner of the first aspect, when the verification module encounters an abnormal situation during the test, including but not limited to a new undefined field and/or incomplete field-related information, the response header security configuration identification library and the HTTP response header security configuration library record the abnormal situation in a log and add its content to the corresponding database.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the outputting the potential safety hazard specifically includes:
the output includes, but is not limited to, fields where hazards are exploited, incomplete content, and unconfigured items.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the outputting the security configuration suggestion specifically includes:
the output includes, but is not limited to, suggestions for adding security fields and the browser version information supported after adaptation.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, after the configuration is completed, performing URL traversal and complete request response test to determine whether the tested web server responds correctly, specifically including:
collecting all URL records used by the page and the background as url.log as input content;
respectively selecting a low-version browser and a high-version browser to send all GET, POST/PUT and DELETE requests, and judging whether the tested web server returns correctly or not by checking and identifying corresponding values of the requests.
The second aspect of the present invention provides a device for detecting security configuration of response header of web server, including:
the potential safety hazard output module scans the configuration file of the tested webpage server, compares the configuration file with the response head safety configuration identification library and outputs the potential safety hazard;
the safety configuration suggestion output module scans the configuration file optimization items of the tested webpage server, compares the configuration file optimization items with the HTTP response head safety configuration library and outputs safety configuration suggestions;
and the response test module is used for performing URL traversal and complete request response test after configuration is completed and judging whether the tested webpage server responds correctly.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the device further includes: a database updating module, which records an abnormal situation in a log and adds its content to the corresponding database when the checking module encounters such a situation during the test, including but not limited to new undefined fields and/or incomplete field-related information.
The effects given in this summary are only those of the embodiment, not all effects of the invention; one of the above technical solutions has the following advantages or beneficial effects:
1. Based on the configuration requirements of the existing response header, a verification of the security configuration of the web service is given. Unlike the conventional approach, more comprehensive information prompts and modification suggestions are given, and the browser versions that each configuration can support are provided.
2. For unidentified functional bugs introduced by modifying the security configuration, the problem can be located promptly and quickly through URL traversal and the complete request-response test after configuration is completed, which reduces the pressure on testers as far as possible.
Drawings
FIG. 1 is a flow chart of an embodiment of the method of the present invention;
FIG. 2 is a schematic diagram of an embodiment of the apparatus of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
As shown in fig. 1, a method for detecting security configuration of a response header of a web server includes the following steps:
s1, scanning the configuration file of the tested webpage server, comparing the configuration file with the response head security configuration identification library, and outputting the potential safety hazard;
s2, scanning the configuration file optimization items of the tested webpage server, comparing the configuration file optimization items with the HTTP response head security configuration library, and outputting security configuration suggestions;
and S3, after the configuration is completed, URL traversal and complete request response test are carried out, and whether the tested webpage server responds correctly is judged.
When the verification module encounters an abnormal situation during the test, including but not limited to new undefined fields and/or incomplete field-related information, the response header security configuration identification library and the HTTP response header security configuration library record the abnormal situation in a log and add its content to the corresponding database.
In step S1, outputting the potential security hazard specifically includes: the output includes, but is not limited to, fields where hazards are exploited, incomplete content, and unconfigured items. A response header security configuration identification library, recorded as library A, is established; when the web system under test is received, it is used to scan and compare the security state of the web server configuration file and to output the existing hidden security risks, such as a missing security response header field or an incomplete security response header field value.
Library A:
HTTP headers that may carry SQL injection: User-Agent, Cookie, X-Forwarded-For, Client-IP, Referer, Host
XSS: Referer, Host
CRLF injection attack: when the Last-Modified field is not present
Content-Type injection: Struts2 framework
Content-Disposition exploitation: spaces in the Content-Disposition field, multiple Content-Disposition fields, and the like
In addition: more attacks are made on Host, which needs extra attention. The output of this step helps the developer quickly identify the fields that are easily exploited.
In step S2, outputting a security configuration suggestion specifically includes: the output includes, but is not limited to, suggestions for adding security fields and the browser version information supported after adaptation. An HTTP header security configuration library, recorded as library B, is established; it sets higher requirements and gives suggestions for the server response header so as to further improve the stability and security of the web service.
By scanning and comparing the current configuration, a suggestion for a given security field (a suggestion to add a security configuration) is output, together with the version information of each browser supported after adaptation.
Library B:
Content-Security-Policy: default-src, child-src, connect-src, font-src, img-src, media-src, object-src, style-src, base-uri, form-action, upgrade-insecure-requests, etc. Firefox >= 23; Chrome >= 25
X-Frame-Options: DENY, SAMEORIGIN, ALLOW-FROM uri. Chrome 4.1.249+, Firefox 3.6.9+, IE8+
X-Content-Type-Options: MIME type setting. IE8+, Chrome
Strict-Transport-Security: Chrome >= 4.0.211.0, Firefox >= 17
HTTP Public Key Pinning (HPKP): Firefox, Chrome < 67
X-XSS-Protection: all
Access-Control-Allow-Origin (CORS)
Cookie security policy: HttpOnly, Secure
It should be noted that, when libraries A and B are initialized, their contents are filled in according to the experience of the security testers. During testing, when the verification module encounters a new undefined field, or the information related to a field (such as the value to be configured or the supported browser version numbers) is incomplete, a dedicated log records it and the content is then added to the library, so that the matching library is iteratively updated.
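As an added example (not code from the patent), the following Python sketch applies steps S1 and S2 and the library-update log above to an nginx-style configuration: the library A and library B rule sets are a constructed subset of the lists given above, and the add_header parsing, the accepted values and the sample configuration are assumptions.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("header-check")

# Library A subset (constructed from the patent's list): frequently exploited fields, reported when set.
LIBRARY_A: Dict[str, str] = {
    "host": "frequent attack target; validate against an allow-list",
    "content-disposition": "spaces in the value or duplicate fields can be abused",
}

@dataclass
class Rule:
    valid: Callable[[str], bool]  # accepts a configured value as complete
    browsers: str                 # browser versions supporting the field
    advice: str

def _xfo_ok(v: str) -> bool:
    v = v.strip().upper()
    return v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM ")

# Library B subset with the browser support the patent lists for each field.
LIBRARY_B: Dict[str, Rule] = {
    "content-security-policy": Rule(lambda v: "default-src" in v,
        "Firefox >= 23; Chrome >= 25", "set a policy that at least defines default-src"),
    "x-frame-options": Rule(_xfo_ok,
        "Chrome 4.1.249+, Firefox 3.6.9+, IE8+", "use DENY, SAMEORIGIN or ALLOW-FROM uri"),
    "x-content-type-options": Rule(lambda v: v.strip().lower() == "nosniff",
        "IE8+, Chrome", "set nosniff to stop MIME sniffing"),
    "strict-transport-security": Rule(lambda v: "max-age=" in v.lower().replace(" ", ""),
        "Chrome >= 4.0.211.0; Firefox >= 17", "set max-age so browsers enforce HTTPS"),
}
COOKIE_FLAGS = ("HttpOnly", "Secure")
KNOWN = set(LIBRARY_A) | set(LIBRARY_B) | {"set-cookie", "cache-control", "server"}
# nginx-style directive: add_header Name "value";  or  add_header Name value;
ADD_HEADER = re.compile(r'^\s*add_header\s+(\S+)\s+(?:"([^"]*)"|([^;\s]+))\s*;', re.I)

def parse_add_headers(config: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for each add_header directive, names lowercased."""
    out = []
    for line in config.splitlines():
        m = ADD_HEADER.match(line)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            out.append((m.group(1).lower(), value.strip()))
    return out

@dataclass
class Report:
    hazards: List[str] = field(default_factory=list)      # step S1 output
    suggestions: List[str] = field(default_factory=list)  # step S2 output
    undefined: List[str] = field(default_factory=list)    # input to the library update

def check_config(config: str) -> Report:
    headers = parse_add_headers(config)
    rep = Report()
    for name, rule in LIBRARY_B.items():          # S1/S2: missing or incomplete security fields
        values = [v for n, v in headers if n == name]
        if not values:
            rep.suggestions.append(f"add {name}: {rule.advice} (supported by {rule.browsers})")
        elif not all(rule.valid(v) for v in values):
            rep.hazards.append(f"{name}: incomplete value {values!r}")
    for n, v in headers:
        if n in LIBRARY_A:                        # S1: fields where hazards are exploited
            rep.hazards.append(f"{n}: {LIBRARY_A[n]}")
        if n == "set-cookie":                     # cookie security policy: HttpOnly and Secure
            missing = [f for f in COOKIE_FLAGS if f.lower() not in v.lower()]
            if missing:
                rep.hazards.append(f"set-cookie: missing {', '.join(missing)}")
        if n not in KNOWN and n not in rep.undefined:  # database-update input
            rep.undefined.append(n)
            log.warning("undefined field %s: recorded for library update", n)
    return rep

# Constructed configuration of a server under test.
SAMPLE_CONFIG = """
add_header X-Frame-Options "ALLOW-FROM https://example.test";
add_header X-Content-Type-Options "sniff";
add_header Set-Cookie "sid=abc; Path=/; HttpOnly";
add_header X-Custom-Telemetry on;
"""
```

Calling `check_config(SAMPLE_CONFIG)` reports the incomplete X-Content-Type-Options value and the cookie without Secure as hazards, suggests adding Content-Security-Policy and Strict-Transport-Security with their supported browsers, and logs X-Custom-Telemetry as an undefined field.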
In step S3, after configuration is completed, URL traversal and complete request response test are performed to determine whether the tested web server responds correctly, which specifically includes:
collecting all URL records used by the page and the background as url.log as input content;
respectively selecting a low-version browser and a high-version browser to send all GET, POST/PUT and DELETE requests, and judging whether the tested web server returns correctly or not by checking and identifying corresponding values of the requests.
After the developer has configured the server, the web service is started. All URLs used by the page and in the background are collected and recorded as url.log. Taking these as input, a typical low-version browser and a typical high-version browser are each selected to send all requests, such as GET, POST/PUT and DELETE, and whether the web server returns correctly is judged by checking and identifying the response values of the requests. Through such URL traversal and full request-response testing, the suitability of the server security configuration is checked.
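The step S3 check above, as an added example that is not part of the patent: it replays a constructed url.log once per browser User-Agent against an injected transport, so the fake server, the two User-Agent strings and the "METHOD path" line format are assumptions; urllib_transport is the transport a practitioner would pass for a running server.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Transport = Callable[[str, str, Dict[str, str]], int]  # (method, url, headers) -> status

# Constructed User-Agent strings standing in for a typical low and high browser version.
BROWSERS = {
    "low": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
    "high": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0.4430.93 Safari/537.36",
}
METHODS = ("GET", "POST", "PUT", "DELETE")

def parse_url_log(text: str) -> List[Tuple[str, str]]:
    """Assumed url.log format: one 'METHOD path' per line; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if len(parts) != 2 or parts[0].upper() not in METHODS:
            raise ValueError(f"bad url.log line: {raw!r}")
        entries.append((parts[0].upper(), parts[1].strip()))
    return entries

def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> int:
    """Transport for a running server; the offline sample below uses a fake instead."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

@dataclass
class Finding:
    method: str
    path: str
    statuses: Dict[str, int]  # browser label -> HTTP status
    reason: str

def traverse(base_url: str, url_log: str, send: Transport) -> List[Finding]:
    """Replay every recorded request once per browser and flag regressions."""
    findings = []
    for method, path in parse_url_log(url_log):
        statuses = {label: send(method, base_url + path, {"User-Agent": ua})
                    for label, ua in BROWSERS.items()}
        if any(code >= 400 for code in statuses.values()):
            findings.append(Finding(method, path, statuses, "error status after reconfiguration"))
        elif len(set(statuses.values())) > 1:
            findings.append(Finding(method, path, statuses, "response differs between browser versions"))
    return findings

# Constructed url.log for the page and its background requests.
SAMPLE_URL_LOG = """
GET /index.html
GET /api/session      # background request
POST /api/login
DELETE /api/session
"""

def fake_server(method: str, url: str, headers: Dict[str, str]) -> int:
    """Stand-in for the reconfigured server: one legacy-only redirect, one broken route."""
    path = url.split("/", 3)[3]
    legacy = "Firefox/17" in headers["User-Agent"]
    if method == "DELETE":
        return 403                  # route now refused for every browser
    if path == "api/session" and legacy:
        return 302                  # legacy browser bounced to a fallback page
    return 200

if __name__ == "__main__":
    for f in traverse("http://server.test", SAMPLE_URL_LOG, fake_server):
        print(f.method, f.path, f.statuses, f.reason)
```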
As shown in fig. 2, the web server response header security configuration detection apparatus includes:
the potential safety hazard output module 11 is used for scanning the configuration file of the tested webpage server, comparing the configuration file with the response head safety configuration identification library and outputting the potential safety hazard;
a safety configuration suggestion output module 12, which scans the configuration file optimization items of the tested web server, compares the configuration file optimization items with the HTTP response head safety configuration library and outputs a safety configuration suggestion;
and the response test module 13 performs URL traversal and complete request response test after configuration is completed, and determines whether the tested web server responds correctly.
The database updating module 14 records an abnormal situation in a log when the checking module encounters one during the test, including but not limited to new undefined fields and/or incomplete field-related information, and adds its content to the corresponding database.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.

Claims (7)

1. A webpage server response head security configuration detection method is characterized by comprising the following steps:
scanning a configuration file of the tested webpage server, comparing the configuration file with a response head security configuration identification library, and outputting potential safety hazards;
scanning the configuration file optimization items of the tested webpage server, comparing the configuration file optimization items with the HTTP response head security configuration library, and outputting security configuration suggestions;
and after the configuration is finished, carrying out URL traversal and complete request response test, and judging whether the tested webpage server responds correctly.
2. The web server response header security configuration detection method of claim 1, wherein the response header security configuration identification library and the HTTP response header security configuration library record the abnormal situation by logging and add the content of the abnormal situation to the corresponding database when the verification module encounters the abnormal situation including but not limited to the new undefined field and/or the incomplete field related information during the test process.
3. The method for detecting the security configuration of the response header of the web server according to claim 1, wherein the outputting the security risk specifically comprises:
the output includes, but is not limited to, fields where hazards are utilized, incomplete content, and unconfigured items.
4. The web server response header security configuration detection method of claim 1, wherein outputting the security configuration suggestion specifically comprises:
the output includes but is not limited to security field addition suggestions, browser version information supported after adaptation.
5. The method for detecting the security configuration of the response header of the web server according to claim 1, wherein after the configuration is completed, URL traversal and complete request response test are performed to determine whether the tested web server responds correctly, which specifically includes:
collecting all URL records used by the page and the background as url.log as input content;
respectively selecting a low-version browser and a high-version browser to send all GET, POST/PUT and DELETE requests, and judging whether the tested web server returns correctly or not by checking and identifying corresponding values of the requests.
6. A webpage server response head security configuration detection device is characterized by comprising:
the potential safety hazard output module scans the configuration file of the tested webpage server, compares the configuration file with the response head safety configuration identification library and outputs the potential safety hazard;
the safety configuration suggestion output module scans the configuration file optimization items of the tested webpage server, compares the configuration file optimization items with the HTTP response head safety configuration library and outputs safety configuration suggestions;
and the response test module is used for performing URL traversal and complete request response test after configuration is completed and judging whether the tested webpage server responds correctly.
7. The web server response header security configuration detection apparatus of claim 6, further comprising: and the database updating module is used for recording abnormal situations through logs and adding the contents of the abnormal situations to the corresponding database when the checking module encounters the abnormal situations including but not limited to new undefined fields and/or incomplete field related information in the testing process.

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN201911203305.1A (published as CN111078542A, status Pending)  2019-11-29  2019-11-29  Webpage server response head security configuration detection method and device

Publications (1)

Publication Number  Publication Date
CN111078542A  2020-04-28

Family

ID=70312115

Country Status (1)

Country  Link
CN (1)  CN111078542A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488400A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Comprehensive detection method and system of malicious webpage
CN106209487A (en) * 2015-05-07 2016-12-07 阿里巴巴集团控股有限公司 For detecting the method and device of the security breaches of webpage in website
CN108737425A (en) * 2018-05-24 2018-11-02 北京凌云信安科技有限公司 Fragility based on multi engine vulnerability scanning association analysis manages system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741030A (en) * 2020-08-26 2020-10-02 北京赛宁网安科技有限公司 Website security detection system and method combining Web automation and agent interception
CN111741030B (en) * 2020-08-26 2020-12-04 北京赛宁网安科技有限公司 Website security detection system and method combining Web automation and agent interception

Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination