CN112560025A - Interface permission detection method, device, medium and electronic equipment - Google Patents

Info

Publication number: CN112560025A
Application number: CN202011454563.XA
Authority: CN (China)
Prior art keywords: response data, packet, interface, target interface, original
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 潘清剑, 宋亚男, 邓贞明
Current assignee: Jiangsu Manyun Logistics Information Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Jiangsu Manyun Logistics Information Co Ltd
Priority application: CN202011454563.XA

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The embodiments of this application disclose a method, apparatus, medium and electronic device for detecting the permission checks of an interface. The method comprises: acquiring an original request packet of a target interface and re-requesting the target interface based on the original request packet to acquire response data, where the original request packet includes original authentication information; removing the original authentication information from the original request packet to obtain a de-authentication packet, and requesting the target interface based on the de-authentication packet to obtain response data; replacing the original authentication information with a preset number of pieces of test authentication information to obtain reconstruction packets, and requesting the target interface based on the reconstruction packets to obtain response data; and determining from the response data whether the target interface permits unauthorized access. This scheme reduces the manual click-through work of the security engineer and improves the efficiency of unauthorized-access detection, so that the application is ensured to pass security testing before release to the production environment.

Description

Interface permission detection method, device, medium and electronic equipment
Technical Field
The embodiments of this application relate to the technical field of computer applications, in particular to a method, apparatus, medium and electronic device for detecting the permission checks of an interface.
Background
An unauthorized-access vulnerability (broken access control) is a common security vulnerability in web applications. The threat is that a single account can read or modify the data of every user on the site, limited to the data handled by the vulnerable interface. The root cause is usually that the developer trusts the data sent by the client when creating, deleting, updating and querying records, and so omits the permission check.
In semi-automated unauthorized-access detection, traffic is captured passively through a proxy or a browser plug-in: the tester must install the plug-in or proxy in a local browser, configure the system under test, and manually visit each page and click its function buttons to generate the traffic.
However, this semi-automated approach needs penetration testers to generate the traffic, which raises labour cost. Because a tester is often unfamiliar with the page functions, some functions are likely to be missed, leaving security risks. Furthermore, since internet products are updated frequently and every version must be tested, this offline manual approach is inefficient.
Disclosure of Invention
The embodiments of this application provide an interface permission detection method, apparatus, medium and electronic device, so as to improve the efficiency of unauthorized-access detection.
In a first aspect, an embodiment of this application provides a method for detecting the permission checks of an interface, the method including:
acquiring an original request packet of a target interface, and re-requesting the target interface based on the original request packet to acquire response data, where the original request packet includes original authentication information;
removing the original authentication information from the original request packet to obtain a de-authentication packet, and requesting the target interface based on the de-authentication packet to obtain response data; replacing the original authentication information with a preset number of pieces of test authentication information to obtain reconstruction packets, and requesting the target interface based on the reconstruction packets to obtain response data;
and determining from the response data whether the target interface permits unauthorized access.
Optionally, determining from the response data whether the target interface permits unauthorized access includes:
determining how many of the response data indicate that the interface is valid;
and if there are at least two response data indicating that the interface is valid, determining from those response data whether the target interface permits unauthorized access.
Optionally, determining from at least two response data indicating that the interface is valid whether the target interface permits unauthorized access includes:
if the response data of the original request packet is invalid, selecting any two response data from all the response data indicating that the interface is valid;
comparing whether the two selected response data are the same;
and if so, determining that the target interface permits unauthorized access.
Optionally, determining from at least two response data indicating that the interface is valid whether the target interface permits unauthorized access includes:
if the response data of the original request packet is valid, determining whether the response data of the de-authentication packet is valid;
if the response data of the de-authentication packet is also valid, comparing whether the response data of the original request packet is the same as the response data of the de-authentication packet;
and if they are the same, determining that the target interface permits unauthorized access.
Optionally, after determining how many of the response data indicate that the interface is valid, the method further includes:
if fewer than two response data indicate that the interface is valid, generating a prompt for manual review.
Optionally, determining whether two response data are the same includes:
if the return packet is HTML, the response data are determined to be the same when the HTML strings of the two response data are identical;
if the return packet is JSON, the response data are determined to be the same when the keys of the two response data are identical and the matching degree of their values exceeds a set threshold.
Optionally, acquiring the original request packet of the target interface includes:
when it is detected that the application has been released to the PaaS test environment, querying the original request packets of all interfaces under the application from the Nginx traffic mirror store by application name.
In a second aspect, an embodiment of this application provides an apparatus for detecting the permission checks of an interface, the apparatus including:
a response data acquisition module, configured to acquire an original request packet of a target interface and re-request the target interface based on the original request packet to acquire response data, where the original request packet includes original authentication information;
the response data acquisition module being further configured to remove the original authentication information from the original request packet to obtain a de-authentication packet and request the target interface based on the de-authentication packet to acquire response data, and to replace the original authentication information with a preset number of pieces of test authentication information to obtain reconstruction packets and request the target interface based on the reconstruction packets to acquire response data;
and an unauthorized-access determination module, configured to determine from the response data whether the target interface permits unauthorized access.
In a third aspect, an embodiment of this application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the interface permission detection method of any embodiment of this application.
In a fourth aspect, an embodiment of this application provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the interface permission detection method of any embodiment of this application.
According to the technical scheme provided by the embodiments of this application, response data is obtained by acquiring an original request packet of a target interface and re-requesting the target interface based on it, where the original request packet includes original authentication information; further response data is obtained by removing the original authentication information to form a de-authentication packet and requesting the target interface with it, and by replacing the original authentication information with a preset number of pieces of test authentication information to form reconstruction packets and requesting the target interface with them; and whether the interface permits unauthorized access is determined from the response data. This scheme reduces the manual click-through work of the security engineer and improves the efficiency of unauthorized-access detection, so that the application is ensured to pass security testing before release to the production environment.
Drawings
Fig. 1 is a flowchart of a method for detecting a permission of an interface according to an embodiment of the present application;
fig. 2 is a schematic diagram of a method for detecting a permission of an interface according to a second embodiment of the present application;
fig. 3 is a schematic diagram of a method for detecting a permission of an interface according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of an authority detection apparatus of an interface according to a fourth embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some of the structures related to the present application are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1 is a flowchart of a method for detecting an authority of an interface according to an embodiment of the present application, where the present embodiment is applicable to a case of detecting an authority of an interface, and the method can be executed by an apparatus for detecting an authority of an interface according to an embodiment of the present application, where the apparatus can be implemented by software and/or hardware, and can be integrated in an electronic device bearing an authority detection function of an interface.
As shown in fig. 1, the method for detecting the permission of the interface includes:
s110, obtaining an original request packet of the target interface, and re-requesting the target interface based on the original request packet to obtain response data.
An application may have one or more interfaces, and the target interface may be any one of them; the operations described for the target interface apply equally to every other interface of the application. The original request packet is a request packet sent to the target interface and may include original authentication information, a request header, a request body, request data and other information; the original authentication information may be, for example, the user's account and password. The response data is the data the server returns to the client and may include a response status code, authentication information, a return packet and the like. Wherein the return packet is
In this embodiment, acquiring the original request packet of the target interface may specifically be: when it is detected that the application has been released to the PaaS test environment, the original request packets of all interfaces under the application are queried from the Nginx traffic mirror store by application name.
It will be appreciated that querying request packets from the Nginx traffic mirror store reduces the security engineer's manual click-through work and improves traffic coverage.
Further, the target interface is re-requested based on the original request packet to obtain response data. Specifically, the client first sends a request for the target interface to the server, and at this point the request packet carries no authentication information; the server processes the request and returns a packet carrying the original authentication information; the client receives that return packet, which constitutes the original request packet of the target interface, and re-requests the target interface with it; the server returns response data for that request, and the client records the response data.
PaaS (Platform as a Service) is a cloud platform on which applications are developed, deployed and run; a PaaS can integrate existing service capabilities and may specifically comprise an application server, service capability access, a service engine and a service open platform. Nginx (Engine X) is a high-performance HTTP and reverse proxy server, as well as an IMAP/POP3/SMTP proxy, developed by Igor Sysoev. Its source code is published under a BSD-like licence, and it is known for its stability, rich feature set, sample configuration files and low consumption of system resources, with a small memory footprint and high concurrency.
S120, removing original authentication information in the original request packet to obtain a de-authentication packet, and requesting a target interface based on the de-authentication packet to obtain response data; and replacing the original authentication information with a preset amount of test authentication information to obtain a reconstruction packet, and making a reconstruction request for the target interface based on the reconstruction packet to obtain response data.
The de-authentication packet is the request packet obtained by removing the original authentication information from the original request packet; the reconstruction packet is the request packet in which the original authentication information of the original request packet is replaced with other authentication information.
In this embodiment, the original authentication information is removed from the original request packet to obtain a de-authentication packet, and the target interface is requested with the de-authentication packet to obtain response data. Specifically, the client first sends a request for the target interface to the server, and at this point the request packet carries no authentication information; the server processes the request and returns a packet carrying the original authentication information; the client receives that return packet, which constitutes the original request packet of the target interface, removes the original authentication information from it to obtain the de-authentication packet, and requests the target interface with the de-authentication packet; the server returns response data for that request, and the client records the response data.
The original authentication information can further be replaced by a preset number of pieces of test authentication information to obtain reconstruction packets, with which the target interface is requested again to obtain response data. Specifically, the client first sends a request for the target interface to the server without authentication information; the server processes the request and returns a packet carrying the original authentication information; the client receives that return packet, which constitutes the original request packet of the target interface, replaces the original authentication information with a preset number of pieces of test authentication information to obtain reconstruction packets, and requests the target interface with each reconstruction packet; the server returns response data for each request, and the client records the response data. The preset number is chosen by the person skilled in the art as needed and may be N, where N is any natural number greater than 0.
And S130, determining whether the target interface is unauthorized according to the response data.
Through S110 and S120 above, N+2 pieces of response data are obtained: the response to the original request packet, the response to the de-authentication packet, and the N responses to the reconstruction packets; the number of them indicating that the interface is valid is then determined. Specifically, whether the target interface is valid is judged from the response status code in the response data: a 2xx or 3xx status code such as 200 or 301 indicates that the target interface is valid, and any other status code indicates that it is invalid. The response status code is sent by the server in reply to the client's request; 200 means the request succeeded, and 301 means the requested resource has been permanently moved to a new Uniform Resource Identifier (URI), the response carries the new URI, and the browser is automatically redirected to it.
If there are at least two response data indicating that the interface is valid, whether the target interface permits unauthorized access is determined from them. Specifically, when two or more response data are valid, any two of the valid response data are selected and compared; if they are the same, the target interface is determined to permit unauthorized access.
According to the technical scheme provided by this embodiment, response data is obtained by acquiring an original request packet of a target interface and re-requesting the target interface based on it, where the original request packet includes original authentication information; further response data is obtained by removing the original authentication information to form a de-authentication packet and requesting the target interface with it, and by replacing the original authentication information with a preset number of pieces of test authentication information to form reconstruction packets and requesting the target interface with them; and whether the interface permits unauthorized access is determined from the response data. This scheme reduces the manual click-through work of the security engineer and improves the efficiency of unauthorized-access detection, so that the application is ensured to pass security testing before release to the production environment.
On the basis of the above embodiment, after the number of valid response data has been determined, a prompt for manual review is generated if fewer than two response data are valid. Specifically, if the number of valid response data is 0 or 1, whether the target interface permits unauthorized access cannot be determined by comparing valid response data, so a manual review prompt is generated and shown on the platform for a full-time security engineer to handle.
Example two
Fig. 2 is a flowchart of a method for detecting the permission checks of an interface according to the second embodiment of this application, which refines, on the basis of the first embodiment, the operation of determining from at least two response data indicating that the interface is valid whether the target interface permits unauthorized access. As shown in fig. 2, the method may specifically include:
s210, obtaining an original request packet of the target interface, and re-requesting the target interface based on the original request packet to obtain response data.
Wherein the original request packet includes original authentication information.
S220, removing original authentication information in the original request packet to obtain a de-authentication packet, and requesting a target interface based on the de-authentication packet to obtain response data; and replacing the original authentication information with a preset amount of test authentication information to obtain a reconstruction packet, and making a reconstruction request for the target interface based on the reconstruction packet to obtain response data.
The preset number is chosen by the person skilled in the art as needed and may be N, where N is any natural number greater than 0.
As in the first embodiment, N+2 pieces of response data are obtained: the response to the original request packet, the response to the de-authentication packet, and the N responses to the reconstruction packets; the number of them indicating that the interface is valid is then determined.
If at least two response data indicate that the interface is valid, whether the target interface permits unauthorized access is determined from them. Further, this determination can be made according to whether the response data of the original request packet and of the de-authentication packet are valid, together with the at least two valid response data.
S230, judge whether the response data of the original request packet is valid; if not, go to S240; if so, go to S270.
S240, select any two response data from all the response data indicating that the interface is valid.
S250, compare whether the two selected response data are the same.
S260, if they are the same, determine that the target interface permits unauthorized access.
Specifically, if the response data of the original request packet is invalid, any two response data are selected from all the valid response data, that is, from the response data of the de-authentication packet and of the reconstruction packets, and compared; if they are the same, the target interface permits unauthorized access; if not, it does not.
S270, judge whether the response data of the de-authentication packet is valid.
S280, if the response data of the de-authentication packet is valid, compare whether the response data of the original request packet is the same as the response data of the de-authentication packet.
S290, if they are the same, determine that the target interface permits unauthorized access.
Specifically, if the response data of the original request packet is valid, it is then judged whether the response data of the de-authentication packet is valid; if it is, the response data of the original request packet and of the de-authentication packet are compared, and if they are the same the target interface permits unauthorized access, otherwise it does not. Further, if the response data of the de-authentication packet is invalid, any two response data are selected from the response data of the original request packet together with the valid response data of the reconstruction packets and compared; if they are the same the target interface permits unauthorized access, otherwise it does not.
It should be noted that when both the response data of the original request packet and of the de-authentication packet are valid, there is no need to judge whether the response data of the reconstruction packets is valid, which speeds up the unauthorized-access detection.
According to the technical scheme provided by this embodiment, whether the target interface permits unauthorized access is further determined, depending on whether the response data of the original request packet is valid, from at least two response data indicating that the interface is valid. This scheme speeds up unauthorized-access detection and further improves its efficiency, so that the application is ensured to pass security testing before release to the production environment.
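The N+2 replay procedure of S110 to S130 together with the decision tree of S230 to S290, as an added, runnable example; this is not the patent's code. The four handlers, the tokens and the profiles are constructed in-memory stand-ins for a target interface, and the bearer-token header, the test accounts and the plain body-equality comparison are assumptions. In the branch where the original response is invalid it tests every pair of valid responses rather than one arbitrary pair, which is slightly stronger than the text's "select any two".

```python
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample data (assumption: the original authentication information is a
# bearer token in the Authorization header; nothing here comes from the patent).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}
PROFILES = {
    "alice": {"uid": "alice", "email": "alice@example.test", "balance": 120},
    "bob": {"uid": "bob", "email": "bob@example.test", "balance": 45},
    "carol": {"uid": "carol", "email": "carol@example.test", "balance": 9},
}


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def _caller(req):
    """Map the Authorization header to a user, or None when absent or unknown."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    return TOKENS.get(token) if scheme == "Bearer" else None


# Four stand-in target interfaces, one per branch of the decision tree.
def no_auth_api(req):
    """Never looks at the caller: authentication and authorisation both missing."""
    return Response(200, repr(PROFILES[req.query["uid"]]))


def idor_api(req):
    """Authenticates the caller but serves whichever uid was asked for."""
    if _caller(req) is None:
        return Response(401, "login required")
    return Response(200, repr(PROFILES[req.query["uid"]]))


def me_api(req):
    """Correct: returns only the caller's own record, ignoring the uid parameter."""
    user = _caller(req)
    if user is None:
        return Response(401, "login required")
    return Response(200, repr(PROFILES[user]))


def strict_api(req):
    """Correct: refuses any uid other than the caller's own."""
    user = _caller(req)
    if user is None:
        return Response(401, "login required")
    if user != req.query["uid"]:
        return Response(403, "forbidden")
    return Response(200, repr(PROFILES[user]))


def is_valid(resp):
    """'Interface valid' as the text defines it: a 2xx or 3xx status code."""
    return 200 <= resp.status < 400


def same(a, b):
    """Embodiment one's comparison: the return packets are identical."""
    return a.body == b.body


def collect(handler, original, test_tokens):
    """Issue the N+2 requests: original, de-authentication and N reconstruction packets."""
    deauth = Request(original.path, dict(original.query),
                     {k: v for k, v in original.headers.items() if k != "Authorization"})
    rebuilt = [Request(original.path, dict(original.query),
                       {**original.headers, "Authorization": f"Bearer {t}"})
               for t in test_tokens]
    return handler(original), handler(deauth), [handler(r) for r in rebuilt]


def detect(handler, original, test_tokens):
    """Decision tree S230-S290; returns 'vulnerable', 'not_vulnerable' or 'manual_review'."""
    r_orig, r_deauth, r_rebuilt = collect(handler, original, test_tokens)
    valid = [r for r in (r_orig, r_deauth, *r_rebuilt) if is_valid(r)]
    if len(valid) < 2:
        return "manual_review"                 # fewer than two valid responses: S310
    if not is_valid(r_orig):
        pairs = list(combinations(valid, 2))   # S240: any two valid responses
    elif is_valid(r_deauth):
        pairs = [(r_orig, r_deauth)]           # S280: reconstruction responses not needed
    else:
        pairs = [(r_orig, r) for r in r_rebuilt if is_valid(r)]
    return "vulnerable" if any(same(a, b) for a, b in pairs) else "not_vulnerable"


# Constructed original request: alice's captured call, with N = 2 test accounts.
ORIGINAL = Request("/api/profile", {"uid": "alice"}, {"Authorization": "Bearer tok-alice"})
TEST_TOKENS = ["tok-bob", "tok-carol"]

if __name__ == "__main__":
    for name, api in [("no_auth", no_auth_api), ("idor", idor_api),
                      ("me", me_api), ("strict", strict_api)]:
        print(f"{name:8s} -> {detect(api, ORIGINAL, TEST_TOKENS)}")
```

Running it gives one verdict per handler: no_auth and idor are flagged, me is cleared, and strict lands in manual review, because an endpoint that correctly denies foreign uids yields only one valid response; that is the cost of the rule at S310. Two caveats follow from counting every 2xx/3xx as valid. If the captured original token has expired and the test tokens are also answered with a redirect to the login page, the identical redirect responses compare equal in the S240 branch and produce a false positive. Likewise, a denial carried inside an HTTP 200 wrapper compares equal to another such denial, which is what the control-keyword check of the third embodiment is there to catch.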
On the basis of the above embodiment, whether two response data are the same may be decided according to the type of return packet in the response data. Specifically, if the return packet is HTML (HyperText Markup Language), the response data are the same when the HTML strings of the two response data are identical; if the return packet is JSON, the response data are the same when the keys of the two response data are identical and the matching degree of their values exceeds a set threshold. The threshold is set empirically by the person skilled in the art.
HTML is the abbreviation of HyperText Markup Language, an application of the Standard Generalized Markup Language. HTML is not a programming language but a markup language, and is the basic tool for producing web pages. "Hypertext" means that the page may contain non-text elements such as pictures, links, and even music and programs. An HTML document consists of a "head" section providing information about the page and a "body" section providing the page content. JSON (JavaScript Object Notation) is a lightweight data exchange format. Based on a subset of ECMAScript (the JavaScript standard maintained by Ecma International), it uses a text format entirely independent of any programming language to store and represent data; it is easy for people to read and write, easy for machines to parse and generate, and improves network transmission efficiency.
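The two comparison rules above (HTML: identical strings; JSON: identical key sets and a value match ratio above a threshold), as an added example that is not the patent's code. The threshold value of 0.8, comparing nested JSON members by flattened key path, and picking the rule from the Content-Type header are assumptions the text leaves open; the sample return packets are constructed.

```python
import json


def flatten_json(obj, prefix=""):
    """Flatten nested JSON into {"data.orders[0].id": value} so that keys can be
    compared as a set. Assumption: nested members are compared by path."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten_json(v, f"{prefix}.{k}" if prefix else str(k)))
        return out
    if isinstance(obj, list):
        out = {}
        for i, v in enumerate(obj):
            out.update(flatten_json(v, f"{prefix}[{i}]"))
        return out
    return {prefix: obj}


def value_match_ratio(a, b):
    """Share of flattened keys, over the union of both documents, whose values are
    present in both and equal."""
    fa, fb = flatten_json(a), flatten_json(b)
    keys = fa.keys() | fb.keys()
    if not keys:
        return 1.0
    return sum(1 for k in keys if k in fa and k in fb and fa[k] == fb[k]) / len(keys)


def json_same(a, b, threshold=0.8):
    """Rule for JSON return packets: identical key sets and a value match ratio above
    the threshold (0.8 is an assumed value; the text leaves it to experience)."""
    return flatten_json(a).keys() == flatten_json(b).keys() and value_match_ratio(a, b) > threshold


def responses_same(body_a, body_b, content_type, threshold=0.8):
    """Dispatch on the return packet type: JSON uses json_same; anything else
    (HTML in the text) must match character for character."""
    if "json" in content_type.lower():
        return json_same(json.loads(body_a), json.loads(body_b), threshold)
    return body_a == body_b


# Constructed sample return packets.
SAMPLES = {
    "alice": {"code": 0, "ts": 1700000000,
              "data": {"uid": "alice", "email": "alice@example.test",
                       "orders": [{"id": 1, "amt": 9.5}, {"id": 2, "amt": 3.0}]}},
    "bob": {"code": 0, "ts": 1700000001,
            "data": {"uid": "bob", "email": "bob@example.test",
                     "orders": [{"id": 7, "amt": 1.0}, {"id": 8, "amt": 2.0}]}},
    "denied": {"code": 403, "msg": "no permission"},   # error carried inside an HTTP 200
}
SAMPLES["alice_again"] = dict(SAMPLES["alice"], ts=1700000007)  # same record, timestamp moved


def compare_samples(name_a, name_b):
    """Serialise two constructed samples and compare them as JSON return packets."""
    return responses_same(json.dumps(SAMPLES[name_a]), json.dumps(SAMPLES[name_b]),
                          "application/json; charset=utf-8")


if __name__ == "__main__":
    print("alice vs alice_again:", compare_samples("alice", "alice_again"))
    print("alice vs bob:        ", compare_samples("alice", "bob"))
    print("alice vs denied:     ", compare_samples("alice", "denied"))
    print("html exact:          ", responses_same("<p>alice</p>", "<p>alice</p>", "text/html"))
```

With a threshold of 0.8 a body that differs only in a timestamp or request id (7 of 8 flattened values equal, ratio 0.875) still counts as the same, which is the reason for using a ratio for JSON rather than exact equality, while a different user's record of identical shape does not (only "code" matches). The threshold trades false negatives for false positives: set it too low and two responses sharing only boilerplate fields such as "code": 0 compare equal. The key-set rule alone already rejects the wrapped error body, whose shape differs from a data response.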
EXAMPLE III
Fig. 3 is a flowchart of an interface permission detection method provided in the third embodiment of the present application, which provides a preferred implementation on the basis of the foregoing embodiments.
As shown in fig. 3, the method may specifically include:
S301, unauthorized-access detection is started.
S302, an original request packet of the target interface is obtained, and the target interface is re-requested based on the original request packet to obtain response data.
S303, the original authentication information in the original request packet is removed to obtain a de-authentication packet, and the target interface is requested based on the de-authentication packet to obtain response data; the original authentication information is also replaced with a preset amount of test authentication information to obtain a reconstruction packet, and a reconstruction request is made to the target interface based on the reconstruction packet to obtain response data.
S304, judge whether the response status code in the response data is valid; if so, execute S305; if not, go to S307.
S305, judge whether the control keyword in the response data is valid; if so, execute S306; if not, go to S307.
The response data includes a control keyword, such as "no authority" or "authority". If the control keyword in the response data is "authority", the target interface is valid; if the control keyword in the response data is "no authority", the target interface is invalid.
S306, the interface is marked as valid.
S307, the interface is marked as invalid.
The above is the judgment process for interface validity; the following is the judgment process for interface override.
S308, the number of response data indicating that the interface is valid is determined from the interface marks.
S309, judge whether the number of valid response data is greater than 1; if so, execute S311; if not, go to S310.
S310, the target interface is placed in a manual to-be-audited state, and S319 is executed.
S311, judge whether the original request packet is valid; if so, execute S312; if not, go to S315.
S312, judge whether the response data of the original request packet is valid; if so, execute S313; if not, go to S315.
S313, compare whether the authentication information in the original request packet is the same as the authentication information in the response data of the original request packet; if so, execute S314; if not, go to S315.
S314, the target interface is not authorized to access, and S319 is executed.
S315, two response data are selected arbitrarily from all the response data indicating that the interface is valid.
S316, judge whether the two response data are the same; if so, execute S317; if not, go to S318.
S317, the target interface is unauthorized, and S319 is executed.
S318, the target interface is not unauthorized, and S319 is executed.
S319, detection ends.
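The S301 to S319 flow above, together with the HTML/JSON comparison rule described after Embodiment II (HTML strings compared exactly, JSON compared on equal keys and a value matching degree above a set threshold), as an added Python illustration. It is not part of the patent and not the applicant's code. The names (`Response`, `RequestPacket`, `responses_same`, `detect_override`, `probe`), the "no authority" control keyword, the set of valid status codes, the share-of-agreeing-keys metric and the threshold of 0.8 are all assumptions, and the two sample interfaces with their single order record are constructed in place of a real service. For the branch taken when the original request packet's response is valid, the example follows claim 4 (compare the original response with the de-authentication response; if they are the same, the interface is overridden) rather than the S313 wording.

```python
"""Decision flow S301-S319 plus the HTML/JSON comparison rule (added example)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

NO_AUTHORITY_KEYWORD = "no authority"   # constructed control keyword (S305); real services differ
VALID_STATUS_CODES = {200}              # assumption: which status codes count as valid (S304)


@dataclass
class Response:
    status: int
    kind: str      # return packet type, "html" or "json", used by the comparison rule
    body: str


@dataclass
class RequestPacket:
    auth: Optional[str]      # authentication information; None means de-authentication packet
    params: Dict[str, str]


def response_is_valid(resp: Response) -> bool:
    """S304/S305: valid status code and a control keyword that grants authority."""
    if resp.status not in VALID_STATUS_CODES:
        return False
    return NO_AUTHORITY_KEYWORD not in resp.body.lower()


def value_match_degree(a: dict, b: dict) -> float:
    """Share of keys whose values agree (constructed stand-in for the unspecified metric)."""
    if not a:
        return 1.0
    return sum(1 for k in a if a[k] == b.get(k)) / len(a)


def responses_same(r1: Response, r2: Response, threshold: float = 0.8) -> bool:
    """HTML: character strings must be identical. JSON: same keys and a value
    matching degree above the empirically set threshold."""
    if r1.kind != r2.kind:
        return False
    if r1.kind == "html":
        return r1.body == r2.body
    a, b = json.loads(r1.body), json.loads(r2.body)
    if not (isinstance(a, dict) and isinstance(b, dict)):
        return a == b
    return a.keys() == b.keys() and value_match_degree(a, b) > threshold


def detect_override(original: Response, deauth: Response, tests: List[Response],
                    threshold: float = 0.8) -> str:
    """S308-S319: returns 'manual_audit', 'override' or 'no_override'. When the
    original response is valid, claim 4 is followed: it is compared with the
    de-authentication response, and equality means override."""
    valid = [r for r in (original, deauth, *tests) if response_is_valid(r)]
    if len(valid) < 2:                                    # S309/S310
        return "manual_audit"
    if response_is_valid(original) and response_is_valid(deauth):
        if responses_same(original, deauth, threshold):   # claim 4 branch
            return "override"
    if responses_same(valid[0], valid[1], threshold):     # S315-S317: any two valid responses
        return "override"
    return "no_override"                                  # S318


def probe(interface: Callable[[RequestPacket], Response], original_packet: RequestPacket,
          test_tokens: List[str]) -> str:
    """S302/S303: replay the original packet, the de-authentication packet and one
    reconstruction packet per test authentication token, then decide."""
    original = interface(original_packet)
    deauth = interface(RequestPacket(auth=None, params=original_packet.params))
    tests = [interface(RequestPacket(auth=t, params=original_packet.params)) for t in test_tokens]
    return detect_override(original, deauth, tests)


# Constructed stand-in for the target interface: an order lookup keyed by order id.
OWNER_TOKEN = "tok-owner"
ORDER_DB = {"order-1": {"owner": OWNER_TOKEN, "amount": 120, "address": "1 Example St"}}


def leaky_interface(pkt: RequestPacket) -> Response:
    """Returns the order to any authenticated caller, without checking ownership."""
    if pkt.auth is None:
        return Response(401, "json", json.dumps({"error": NO_AUTHORITY_KEYWORD}))
    order = ORDER_DB[pkt.params["order_id"]]
    return Response(200, "json", json.dumps({"amount": order["amount"], "address": order["address"]}))


def hardened_interface(pkt: RequestPacket) -> Response:
    """Only the token recorded as the order's owner receives the order."""
    order = ORDER_DB.get(pkt.params["order_id"])
    if pkt.auth is None or order is None or order["owner"] != pkt.auth:
        return Response(403, "json", json.dumps({"error": NO_AUTHORITY_KEYWORD}))
    return Response(200, "json", json.dumps({"amount": order["amount"], "address": order["address"]}))


if __name__ == "__main__":
    pkt = RequestPacket(auth=OWNER_TOKEN, params={"order_id": "order-1"})
    print("leaky:", probe(leaky_interface, pkt, ["tok-test-a", "tok-test-b"]))        # override
    print("hardened:", probe(hardened_interface, pkt, ["tok-test-a", "tok-test-b"]))  # manual_audit
```

Two outcomes are worth noting. The leaky interface returns the same order to the owner's token and to both test tokens, so two valid responses compare equal and the flow reports an override. The hardened interface rejects the de-authentication packet and both test tokens, leaving only one valid response, so the flow lands in the S310 manual-audit state rather than reporting "no override"; a practitioner should treat that state as insufficient evidence, not as a clean result, which is exactly why the page routes it to a human.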
Example four
Fig. 4 is a schematic structural diagram of an interface permission detection apparatus according to a fourth embodiment of the present application. This embodiment is applicable to permission detection of an interface; the apparatus may be implemented in software and/or hardware and may be integrated in an electronic device that bears the permission detection function of the interface.
As shown in fig. 4, the apparatus may include a response data acquisition module 410 and an interface override determination module 420, wherein:
the response data acquisition module 410 is configured to obtain an original request packet of a target interface and to re-request the target interface based on the original request packet to obtain response data, where the original request packet includes original authentication information;
the response data acquisition module 410 is further configured to remove the original authentication information in the original request packet to obtain a de-authentication packet and to request the target interface based on the de-authentication packet to obtain response data, and to replace the original authentication information with a preset amount of test authentication information to obtain a reconstruction packet and to request the target interface again based on the reconstruction packet to obtain response data;
the interface override determination module 420 is configured to determine whether the target interface is overridden based on the response data.
In the technical scheme provided by this embodiment of the application, an original request packet of a target interface is obtained and the target interface is requested again based on it to obtain response data, where the original request packet includes original authentication information; the original authentication information in the original request packet is removed to obtain a de-authentication packet, and the target interface is requested based on the de-authentication packet to obtain response data; the original authentication information is replaced with a preset amount of test authentication information to obtain a reconstruction packet, and the target interface is requested again based on the reconstruction packet to obtain response data; and whether the interface is unauthorized is determined based on the response data. This scheme reduces the manual click-and-access work of a security engineer and improves the efficiency of unauthorized-access detection, so that the application product is ensured to pass security testing before being released to the production environment.
Further, the interface override determination module 420 includes a number determination unit and an interface override determination unit, wherein,
a quantity determination unit for determining the quantity of response data indicating that the interface is valid in the response data;
and the interface override determining unit is used for determining whether the target interface is overridden according to the at least two response data which represent the effective interface if the at least two response data which represent the effective interface exist.
Further, the interface override determination unit is specifically configured to,
if the response data of the original request packet is invalid, select two response data from all the response data indicating that the interface is valid;
compare whether the two selected response data are the same;
and if so, determine that the target interface is unauthorized.
Further, the interface override determination unit is further specifically configured to,
if the response data of the original request packet is valid, determine whether the response data of the de-authentication packet is valid;
if the response data of the de-authentication packet is valid, compare whether the response data of the original request packet is the same as the response data of the de-authentication packet;
and if the two are the same, determine that the target interface is unauthorized.
Further, the interface override determination module 420 further includes a prompt information generation unit, configured to generate a prompt information for manual intervention auditing if the number of response data indicating that the interface is valid is less than two.
Further, determining whether the response data is the same comprises:
if the return packet is HTML, the two response data are determined to be the same when their HTML character strings are completely identical;
if the return packet is JSON, the two response data are determined to be the same when their keys are the same and the matching degree of their values is greater than the set threshold.
Further, obtaining the original request packet of the target interface includes:
when it is detected that the application has been released to the PaaS test environment, the original request packets of all interfaces under the application are queried from the Nginx traffic mirror library according to the application name.
The interface permission detection device provided by the embodiment of the application can execute the interface permission detection method provided by any embodiment of the application, and has the corresponding functional module and beneficial effect of executing the interface permission detection method.
EXAMPLE five
An embodiment of the present application provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a method for detecting a permission of an interface, where the method includes:
acquiring an original request packet of a target interface, and re-requesting the target interface based on the original request packet to acquire response data; wherein, the original request packet comprises original authentication information;
removing original authentication information in an original request packet to obtain a de-authentication packet, and requesting a target interface based on the de-authentication packet to obtain response data; replacing original authentication information with a preset amount of test authentication information to obtain a reconstruction package, and requesting a target interface again based on the reconstruction package to obtain response data;
determining whether the interface is unauthorized based on the response data.
Storage media refers to any of various types of memory electronics or storage electronics. The term "storage medium" is intended to include: mounting media such as CD-ROM, floppy disk, or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.; non-volatile memory such as flash memory or magnetic media (e.g., a hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in the computer system in which the program is executed, or may be located in a different, second computer system connected to the computer system through a network (such as the Internet). The second computer system may provide the program instructions to the computer for execution. The term "storage medium" may include two or more storage media that reside in different locations (e.g., in different computer systems connected by a network). The storage medium may store program instructions (e.g., embodied as a computer program) that are executable by one or more processors.
Of course, the storage medium provided in the embodiments of the present application and containing computer-executable instructions is not limited to the operations of the permission detection method of the interface as described above, and may also perform related operations in the permission detection method of the interface provided in any embodiments of the present application.
The fifth embodiment of the present application further provides an electronic device, in which the interface permission detection apparatus provided in the fifth embodiment of the present application may be integrated; the electronic device may be configured in a system, or may be a device that performs part or all of the functions in the system. Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 5, this embodiment provides an electronic device 500, which includes one or more processors 520 and a storage device 510 configured to store one or more programs; when the one or more programs are executed by the one or more processors 520, the one or more processors 520 implement the interface permission detection method provided in the embodiments of the present application, the method including:
acquiring an original request packet of a target interface, and re-requesting the target interface based on the original request packet to acquire response data; wherein, the original request packet comprises original authentication information;
removing original authentication information in an original request packet to obtain a de-authentication packet, and requesting a target interface based on the de-authentication packet to obtain response data; replacing original authentication information with a preset amount of test authentication information to obtain a reconstruction package, and requesting a target interface again based on the reconstruction package to obtain response data;
determining whether the interface is unauthorized based on the response data.
Of course, those skilled in the art can understand that the processor 520 also implements the technical solution of the method for detecting the authority of the interface provided in any embodiment of the present application.
The electronic device 500 shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 5, the electronic device 500 includes a processor 520, a storage device 510, an input device 530, and an output device 540; the number of processors 520 in the electronic device may be one or more, and one processor 520 is taken as an example in fig. 5; the processor 520, the storage device 510, the input device 530, and the output device 540 in the electronic device may be connected by a bus or other means, and a bus 550 is taken as an example in fig. 5.
The storage device 510 is a computer-readable storage medium, and can be used to store software programs, computer-executable programs, and module units, such as program instructions corresponding to the method for detecting the authority of the interface in the embodiment of the present application.
The storage device 510 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the storage 510 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, storage 510 may further include memory located remotely from processor 520, which may be connected via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 530 may be used to receive input numbers, character information, or voice information, and to generate key signal inputs related to user settings and function control of the electronic apparatus. The output device 540 may include a display screen, speakers, etc. of electronic equipment.
The electronic device provided by this embodiment of the application can provide a data basis for resource allocation of the system based on the result of analyzing the user's behavior information, so that the resources of the system can be allocated reasonably.
The permission detection device, the medium and the electronic device of the interface provided in the above embodiments can execute the permission detection method of the interface provided in any embodiment of the present application, and have corresponding functional modules and beneficial effects for executing the method. For the technical details that are not described in detail in the above embodiments, reference may be made to the method for detecting the authority of the interface provided in any embodiment of the present application.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present application and the technical principles employed. It will be understood by those skilled in the art that the present application is not limited to the particular embodiments illustrated herein, and that various obvious changes, rearrangements and substitutions may be made therein by those skilled in the art without departing from the scope of the application. Therefore, although the present application has been described in more detail with reference to the above embodiments, the present application is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the appended claims.

Claims (10)

1. A method for detecting the authority of an interface is characterized in that the method comprises the following steps:
acquiring an original request packet of a target interface, and re-requesting the target interface based on the original request packet to acquire response data; wherein the original request packet includes original authentication information;
removing original authentication information in the original request packet to obtain a de-authentication packet, and requesting the target interface based on the de-authentication packet to obtain response data; replacing the original authentication information with a preset amount of test authentication information to obtain a reconstruction packet, and making a reconstruction request for the target interface based on the reconstruction packet to obtain response data;
and determining whether the target interface is unauthorized according to the response data.
2. The method of claim 1, wherein determining whether the target interface is unauthorized based on the response data comprises:
determining the number of response data which represents that the interface is effective in the response data;
and if at least two pieces of response data representing that the interface is valid exist, determining whether the target interface is unauthorized according to the at least two pieces of response data representing that the interface is valid.
3. The method of claim 2, wherein determining whether the target interface is unauthorized based on at least two response data indicating that the interface is valid comprises:
if the response data of the original request packet is invalid, selecting two response data from all the response data representing the valid interface;
comparing whether the two selected response data are the same;
and if so, determining that the target interface is unauthorized.
4. The method of claim 2, wherein determining whether the target interface is unauthorized based on at least two response data indicating that the interface is valid comprises:
if the response data of the original request packet is valid, determining whether the response data of the de-authentication packet is valid;
if the response data of the de-authentication packet is valid, comparing whether the response data of the original request packet is the same as the response data of the de-authentication packet;
and if the two are the same, determining that the target interface is unauthorized.
5. The method of claim 2, wherein after determining the amount of response data in the response data that indicates that the interface is valid, the method further comprises:
and if the number of the response data representing the effective interface is less than two, generating prompt information for manual intervention examination.
6. The method of claim 3 or 4, wherein determining whether the response data is the same comprises:
if the return packet is HTML, the two response data are determined to be the same when their HTML character strings are completely identical;
if the return packet is JSON, the two response data are determined to be the same when their keys are the same and the matching degree of their values is greater than the set threshold.
7. The method of claim 1, wherein obtaining the original request packet for the target interface comprises:
when it is detected that the application has been released to the PaaS test environment, the original request packets of all interfaces under the application are queried from the Nginx traffic mirror library according to the application name.
8. An apparatus for detecting authority of an interface, the apparatus comprising:
the response data acquisition module is used for acquiring an original request packet of a target interface, and re-requesting the target interface based on the original request packet to acquire response data; wherein the original request packet includes original authentication information;
the response data acquisition module is further used for removing the original authentication information in the original request packet to obtain a de-authentication packet, and requesting the target interface based on the de-authentication packet to acquire response data; replacing the original authentication information with a preset amount of test authentication information to obtain a reconstruction packet, and making a reconstruction request for the target interface based on the reconstruction packet to obtain response data;
and the interface override determining module is used for determining whether the interface is overridden according to the response data.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of detecting the authorization of an interface according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of detecting the authorization of an interface according to any of claims 1 to 7 when executing the computer program.
CN202011454563.XA 2020-12-10 2020-12-10 Interface permission detection method, device, medium and electronic equipment Withdrawn CN112560025A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011454563.XA CN112560025A (en) 2020-12-10 2020-12-10 Interface permission detection method, device, medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011454563.XA CN112560025A (en) 2020-12-10 2020-12-10 Interface permission detection method, device, medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN112560025A true CN112560025A (en) 2021-03-26

Family

ID=75061854

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011454563.XA Withdrawn CN112560025A (en) 2020-12-10 2020-12-10 Interface permission detection method, device, medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112560025A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113204496A (en) * 2021-06-03 2021-08-03 上海中通吉网络技术有限公司 Fiddler-based security override problem batch test method and device
CN118138372A (en) * 2024-04-29 2024-06-04 杭州海康威视数字技术股份有限公司 Intelligent override detection method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210326