
CN112035840A - A data processing method, apparatus, electronic device and computer storage medium - Google Patents


Info

Publication number
CN112035840A
Authority: CN (China)
Prior art keywords: plug, payload, request packet, detection, processed
Legal status: Pending
Application number: CN202010812501.5A
Other languages: Chinese (zh)
Inventor: 施健康
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Legal events:
  • Application filed by Sangfor Technologies Co Ltd
  • Priority to CN202010812501.5A
  • Publication of CN112035840A
  • Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention provide a data processing method, a data processing apparatus, an electronic device and a computer storage medium. The method comprises: determining a pre-marked vulnerability parameter position in a first request packet; performing encoding-nesting processing on an obtained payload to obtain a processed payload; placing the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet; and performing bypass detection on the second request packet to obtain a detection result.

Description

A data processing method, apparatus, electronic device and computer storage medium

Technical field

The present invention relates to the technical field of network security, and in particular to a data processing method, apparatus, electronic device and computer storage medium.

Background

In today's Internet environment vulnerabilities appear constantly, whether traditional World Wide Web (Web) vulnerabilities or the steadily emerging vulnerabilities in common components. Vendors and organizations therefore tend to defend against them by deploying a simple and effective security protection system, thereby reducing or avoiding the cost and trouble that patching vulnerabilities and upgrading components may entail. However, when the defensive capability of the security protection system has gaps or shortcomings, an exploit can bypass the system's interception and attack the back-end application system.

In the related art, detection techniques for payloads bypassing a security protection system mainly perform bypass detection or fuzz scanning on the basis of built-in payloads, or of a given request packet combined with tamper plug-ins. For example, tools such as sqlmap and WhatWAF mainly rely on built-in Structured Query Language (SQL) injection payloads or Cross-Site Scripting (XSS) payloads, combined with user-specified tamper plug-ins and request packets, to probe whether the protection for a vulnerability can be bypassed. Some fuzz tools instead take a given request packet and invoke a single tamper plug-in to generate different payloads for bypass fuzz scanning. However, these bypass detection approaches put the payload into the request packet, and when bypass detection is performed on the payload of the request packet the location of the payload within the packet must first be searched for; that is, the payload cannot be intercepted directly, which lowers the efficiency of bypass detection against the security protection system.

Summary of the invention

Embodiments of the present invention provide a data processing method, apparatus, electronic device and computer storage medium.

The technical solution of the embodiments of the present invention is realized as follows:

The present invention provides a data processing method, the method comprising:

determining a pre-marked vulnerability parameter position in a first request packet;

performing encoding-nesting processing on an obtained payload to obtain a processed payload;

placing the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet; and

performing bypass detection on the second request packet to obtain a detection result.

In some embodiments, performing encoding-nesting processing on the obtained payload to obtain the processed payload comprises:

invoking a first plug-in to perform encoding-nesting processing on the obtained payload to obtain the processed payload, where the first plug-in comprises at least one plug-in.

In some embodiments, invoking the first plug-in to perform encoding-nesting processing on the obtained payload to obtain the processed payload comprises:

in the case where the first plug-in comprises multiple plug-ins, invoking the multiple plug-ins in the first plug-in according to their priority order to perform encoding-nesting processing on the obtained payload, obtaining the processed payload.

In some embodiments, performing bypass detection on the second request packet comprises:

performing bypass detection on the processed payload in the second request packet; or

invoking a second plug-in to modify the second request packet to obtain a third request packet, and performing bypass detection on the processed payload in the third request packet, where the second plug-in comprises at least one plug-in.

In some embodiments, invoking the second plug-in to modify the second request packet to obtain the third request packet comprises:

in the case where the second plug-in comprises multiple plug-ins, invoking the multiple plug-ins in the second plug-in according to their priority order to modify the second request packet, obtaining the third request packet.

In some embodiments, the obtained payload comprises a custom payload.

In some embodiments, the method further comprises:

in the case where the detection result is "not bypassed", obtaining a judgment result of whether the second request packet would bypass the security protection system after a target plug-in is updated, where the target plug-in comprises the first plug-in and/or the second plug-in, the first plug-in is used to perform encoding-nesting processing on the processed payload in the second request packet, and the second plug-in is used to modify the second request packet;

in the case where the judgment result is "bypassed", updating the target plug-in; and

in the case where the judgment result is "not bypassed", performing update processing on the processed payload in the second request packet to obtain an updated payload.

The present invention provides a data processing apparatus, the apparatus comprising:

a determining module, configured to determine a pre-marked vulnerability parameter position in a first request packet;

a first processing module, configured to perform encoding-nesting processing on an obtained payload to obtain a processed payload;

a second processing module, configured to place the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet; and

a detection module, configured to perform bypass detection on the second request packet to obtain a detection result.

In some embodiments, the first processing module being configured to perform encoding-nesting processing on the obtained payload to obtain the processed payload comprises:

invoking a first plug-in to perform encoding-nesting processing on the obtained payload to obtain the processed payload, where the first plug-in comprises at least one plug-in.

In some embodiments, the first processing module being configured to invoke the first plug-in to perform encoding-nesting processing on the obtained payload to obtain the processed payload comprises:

in the case where the first plug-in comprises multiple plug-ins, invoking the multiple plug-ins in the first plug-in according to their priority order to perform encoding-nesting processing on the obtained payload, obtaining the processed payload.

In some embodiments, the detection module being configured to perform bypass detection on the second request packet comprises:

performing bypass detection on the processed payload in the second request packet; or

invoking a second plug-in to modify the second request packet to obtain a third request packet, and performing bypass detection on the processed payload in the third request packet, where the second plug-in comprises at least one plug-in.

In some embodiments, the detection module being configured to invoke the second plug-in to modify the second request packet to obtain the third request packet comprises:

in the case where the second plug-in comprises multiple plug-ins, invoking the multiple plug-ins in the second plug-in according to their priority order to modify the second request packet, obtaining the third request packet.

In some embodiments, the obtained payload comprises a custom payload.

In some embodiments, the apparatus further comprises a judging module, the judging module being configured to:

in the case where the detection result is "not bypassed", obtain a judgment result of whether the second request packet would bypass the security protection system after a target plug-in is updated, where the target plug-in comprises the first plug-in and/or the second plug-in, the first plug-in is used to perform encoding-nesting processing on the processed payload in the second request packet, and the second plug-in is used to modify the second request packet;

in the case where the judgment result is "bypassed", update the target plug-in; and

in the case where the judgment result is "not bypassed", perform update processing on the processed payload in the second request packet to obtain an updated payload.

The present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the data processing method provided by one or more of the foregoing technical solutions.

The present invention provides a computer storage medium storing a computer program; after being executed, the computer program is able to implement the data processing method provided by one or more of the foregoing technical solutions.

Embodiments of the present invention provide a data processing method, apparatus, electronic device and computer storage medium. The method comprises: determining a pre-marked vulnerability parameter position in a first request packet; performing encoding-nesting processing on an obtained payload to obtain a processed payload; placing the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet; and performing bypass detection on the second request packet to obtain a detection result. It can be seen that, by placing the processed payload into the pre-marked vulnerability parameter position in the first request packet, bypass detection can be performed quickly on the processed payload in the second request packet directly on the basis of the pre-marked position, which in turn improves the efficiency of bypass detection against the security protection system.

Brief description of the drawings

FIG. 1 is a flowchart of a data processing method according to an embodiment of the present invention;

FIG. 2 is a schematic flowchart of another data processing method according to an embodiment of the present invention;

FIG. 3 is a schematic flowchart of plug-in invocation according to an embodiment of the present invention;

FIG. 4a is a schematic diagram of the composition and structure of a data processing apparatus according to an embodiment of the present invention;

FIG. 4b is a schematic diagram of the composition and structure of another data processing apparatus according to an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.

Detailed description

The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.

A WAF is a product that specifically protects Web applications by enforcing a series of security policies for the Hyper Text Transfer Protocol (HTTP) and Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS). A WAF can inspect and validate the content of all kinds of requests from Web application clients to ensure they are safe and legitimate, and it blocks illegitimate requests, that is, attacks against the application layer such as SQL injection, cross-site scripting, parameter tampering, exploitation of application platform vulnerabilities and denial of service, in real time, thereby effectively protecting all kinds of Web sites.

Since WAF bypass detection is a dynamic adversarial process, the construction of the payload and the invocation of tamper plug-ins need to be updated according to the detection results returned in real time.

In the related art, WAF bypass detection methods have the following disadvantages:

1) In the related art, WAF bypass detection is usually limited to built-in payloads such as XSS and SQL injection; custom payloads cannot be put into the request packet in real time and sent for interaction, so the detection method is not flexible enough. In addition, during bypass detection each built-in payload must be put into the request packet and tested one by one, so a large number of packets are sent, resulting in excessive attack traffic.

2) In the related art, the tool performing WAF bypass detection cannot designate a specific vulnerability parameter point through the request packet; consequently, the payload cannot be intercepted directly and in a targeted way according to the position of the vulnerability parameter point, which lowers the efficiency of WAF bypass detection.

3) In the related art, fuzz tools invoke a single plug-in, that is, only one plug-in can be invoked per bypass detection run. A request packet produced by a single plug-in is easily intercepted and tends to generate many meaningless request packets, and the scenario of nested multi-plug-in bypass cannot be covered, which lowers the success rate of WAF bypass detection.

On the basis of the above technical problems, the present invention provides a data processing method. The technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings.

In some embodiments of the present invention, the data processing method may be implemented by a processor in a data processing apparatus; the processor may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU), a controller, a microcontroller and a microprocessor.

FIG. 1 is a flowchart of a data processing method according to an embodiment of the present invention. As shown in FIG. 1, the method comprises:

Step 100: determine a pre-marked vulnerability parameter position in a first request packet.

In some embodiments, the first request packet may be an HTTP request packet or an HTTPS request packet, where HTTP and HTTPS denote application layer protocols that define the communication process between a browser or other application and a Web server, and the format of the data exchanged.

In the embodiments of the present invention, the first request packet consists of three parts: a request line, request headers and a request body. The request line comprises the request method, the Uniform Resource Locator (URL), the protocol and the protocol version. The request headers carry useful information about the client environment and the request body; for example, they can declare the language used by the browser and the length of the request body. Between the request headers and the request body is an empty line, which marks the end of the headers and the beginning of the body; the request body can contain query string information submitted by the user, and so on.

In some embodiments, the request line may read: GET /sample.jsp HTTP/1.1, where "GET" is the request method, "/sample.jsp" is the URL, and "HTTP/1.1" is the protocol and its version.

In one implementation, the vulnerability parameter position denotes the position in the first request packet at which the payload is placed; before bypass detection is performed on the request packet, the vulnerability parameter position in the first request packet must be marked. For example, a parameter of the first request packet may be: para=<$>xxx<$> or Accept:<$>xxx<$>, where para denotes a parameter of the first request packet such as a query (GET), modify (POST), add (PUT) or delete (DELETE) parameter, Accept denotes a parameter in the request headers of the first request packet, and <$> denotes the marked vulnerability parameter position.

In some embodiments, supposing that the POST parameter of the first request packet before marking is para=12345, the POST parameter after marking the vulnerability parameter position may be para=1<$>23<$>45 or para=1<$>234<$>5; the vulnerability parameter position can be marked according to the actual application environment.

In one implementation, since the first request packet comprises the three parts request line, request headers and request body, corresponding vulnerability parameter positions can be marked in any of these three parts.

It can be seen that this step allows bypass detection of the first request packet to go beyond the GET or POST parameters of the request line and extend to the whole structure of the first request packet.

In some embodiments, the vulnerability parameter position may be marked at any position in the request line, request headers or request body of the first request packet according to user requirements.

步骤101:对获取到的有效载荷进行编码嵌套处理,得到处理后的有效载荷。Step 101: Encoding and nesting processing is performed on the acquired payload to obtain a processed payload.

这里,有效载荷表示病毒或漏洞利用代码实现有害或恶意行为的部分叫做有效负载;也可以指在程序中起关键作用的代码。Here, the payload means that the part of the virus or exploit code that achieves harmful or malicious behavior is called the payload; it can also refer to the code that plays a key role in the program.

本发明实施例中,对于有效载荷的获取方式,可以通过用户直接输入,也可以通过绕过检测装置主动获取。In this embodiment of the present invention, the method for acquiring the payload may be directly input by the user, or may be acquired actively by bypassing the detection device.

本发明实施例中,编码嵌套处理可以用于将获取到的有效载荷转换成更具有绕过可能性的有效载荷。In this embodiment of the present invention, the encoding nesting process may be used to convert the obtained payload into a payload with more bypass possibility.

本发明的一些实施例中,若对获取到的有效载荷不进行编码嵌套处理,而是直接进行绕过测试,则在发包检测过程中,很大程度上会被安全防护系统拦截,这对后续安全防护系统的防御规则和拦截逻辑的确定没有过多的参考价值,属于无意义的发包。这里,安全防护系统可以为Web应用防火墙(Web Application Firewall,WAF),也可以为其它由硬件、软件或软硬件组成的能够提供防御能力的防护系统。In some embodiments of the present invention, if the obtained payload is not subjected to encoding and nesting processing, but is directly subjected to bypass testing, it will be intercepted by the security protection system to a large extent in the process of packet sending and detection. The determination of the defense rules and interception logic of the subsequent security protection system does not have too much reference value, and is a meaningless contract. Here, the security protection system may be a Web Application Firewall (Web Application Firewall, WAF), or may be another protection system composed of hardware, software, or hardware and software that can provide defense capabilities.

可见,通过对获取到的有效载荷进行编码嵌套处理,可以提高绕过安全防护系统的成功率,使得在发包检测过程中,不易于被安全防护系统拦截,进而,方便后续确定安全防护系统的防御规则和拦截逻辑。It can be seen that by encoding and nesting the obtained payload, the success rate of bypassing the security protection system can be improved, so that it is not easy to be intercepted by the security protection system in the process of packet sending and detection, and further, it is convenient to determine the security protection system in the future. Defense rules and blocking logic.

在一种实施方式中,对获取到的有效载荷进行编码嵌套处理,得到处理后的有效载荷,可以包括:调用第一插件对获取到的有效载荷进行编码嵌套处理,得到处理后的有效载荷;第一插件包括至少一个插件。In one embodiment, performing encoding nesting processing on the acquired payload to obtain the processed payload may include: invoking a first plug-in to perform encoding and nesting processing on the acquired payload to obtain the processed payload. payload; the first plug-in includes at least one plug-in.

本发明实施例中,第一插件可以表示作用于当前有效载荷的插件;可以通过一个插件或者多个插件相结合的方式对获取到的有效载荷进行编码嵌套处理。In this embodiment of the present invention, the first plug-in may represent a plug-in acting on the current payload; the acquired payload may be encoded and nested by one plug-in or a combination of multiple plug-ins.

在一些实施例中,可以通过base64编码等插件对获取到的有效载荷进行编码,其中,Base64编码是从二进制到字符的过程,可用于在HTTP环境下传递较长的标识信息。In some embodiments, the obtained payload may be encoded by a plug-in such as base64 encoding, where the Base64 encoding is a process from binary to character, and can be used to transmit longer identification information in an HTTP environment.

在一些实施例中,在获取到的有效载荷为sky的情况下,通过base64编码处理得到的有效载荷为c2t5,由于有效载荷c2t5明显区别于有效载荷sky,因而相比于有效载荷sky,有效载荷c2t5更具绕过安全防护系统的可能性。In some embodiments, when the obtained payload is sky, the payload obtained through base64 encoding processing is c2t5. Since the payload c2t5 is significantly different from the payload sky, the payload is higher than the payload sky. c2t5 is more likely to bypass the security protection system.

In the embodiment of the present invention, since a single plug-in on its own is rarely able to bypass the security protection system, the payload is processed by a combination of multiple plug-ins during bypass detection; this raises the success rate of the payload bypassing the security protection system while reducing unnecessary packet sending.

In one implementation, invoking the first plug-in to perform encoding nesting on the acquired payload to obtain the processed payload may include: when the first plug-in includes multiple plug-ins, invoking those plug-ins in their priority order to perform encoding nesting on the acquired payload, obtaining the processed payload.

In the embodiment of the present invention, when the first plug-in includes multiple plug-ins, a priority order among them may be preset, and based on that order the plug-ins are invoked one by one to encode the acquired payload.

In some embodiments, when the first plug-in includes plug-in A1, plug-in A2 and plug-in A3, and the priority order is A1, A2, A3, plug-in A1 is first invoked to encode the acquired payload, then plug-in A2 is invoked to encode the payload, and finally plug-in A3 is invoked to encode the payload; once the invocation of the first plug-in has finished, the processed payload is obtained.

Here, the method of setting priorities among the multiple plug-ins in the first plug-in may be chosen according to the actual application environment; the embodiment of the present invention does not limit it.

In one implementation, the acquired payload includes a custom payload. That is, the payload can be customized according to the interception characteristics of the security protection system in the specific detection environment; performing encoding nesting on a custom payload effectively avoids unnecessary packet sending and improves the efficiency of bypass detection of the security protection system.

Step 102: Put the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet.

In the embodiment of the present invention, the vulnerability parameter position is first pre-marked in the first request packet; then the payload to be tested for bypass detection is acquired, and the first plug-in is invoked to perform encoding nesting on it, obtaining the processed payload; finally, the processed payload is put into the pre-marked vulnerability parameter position in the first request packet, obtaining the second request packet.

In some embodiments, suppose the POST parameter of the unmarked first request packet is para=1234, and after marking the vulnerability parameter position it is para=1<$>23<$>4. If the acquired payload is payload B and invoking the first plug-in to perform encoding nesting on payload B yields payload C, then in the subsequent packet-sending detection the original content 23 at the vulnerability parameter position is replaced with payload C, and the POST parameter of the first request packet finally used for bypass detection is para=1<$>C<$>4.

In the embodiment of the present invention, pre-marking the vulnerability parameter position in the first request packet lets the program automatically identify the position and, during subsequent packet-sending detection, replace its original content with the payload used for bypass detection; in addition, encoding nesting of the payload through priority-ordered invocation of multiple plug-ins makes dynamic bypass detection of the security protection system possible in a real-time, interactive and efficient packet-sending bypass test.
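The marker substitution of step 102 and the priority-ordered encoding nesting of the first plug-in, as an added Python example written for this page (it is not code from the patent or from Sangfor): `MARK`, `marked_content`, `encode_nested`, `build_second_request`, `strip_markers` and the two constructed plug-ins (URL encoding and base64 encoding) are assumed names, since the patent does not name its functions. The example keeps the `<$>` markers in the result, matching the page's notation `para=1<$>C<$>4`, and validates that exactly one marked region exists, which the page does not discuss but which a harness needs so that an unmarked template is not sent unchanged.

```python
import base64
import re
from typing import Callable, List, Tuple
from urllib.parse import quote

MARK = "<$>"
# The region the page marks: <$> ... <$> (non-greedy, may span lines such as a header)
MARK_RE = re.compile(re.escape(MARK) + r"(.*?)" + re.escape(MARK), re.S)

PayloadPlugin = Callable[[str], str]


def marked_content(first_request: str) -> str:
    """Return the original content at the marked vulnerability-parameter position.

    Exactly one marked region is expected; anything else is a template error that
    would otherwise let an unmodified request be sent.
    """
    found = MARK_RE.findall(first_request)
    if len(found) != 1:
        raise ValueError(f"expected one {MARK}...{MARK} region, found {len(found)}")
    return found[0]


def encode_nested(payload: str, plugins: List[Tuple[int, PayloadPlugin]]) -> str:
    """Invoke the members of the first plug-in in priority order (lower number first).

    Each plug-in's output feeds the next one, which is what 'encoding nesting' means
    here, so a different priority order gives a different processed payload.
    """
    for _, plugin in sorted(plugins, key=lambda p: p[0]):
        payload = plugin(payload)
    return payload


def build_second_request(first_request: str, processed_payload: str) -> str:
    """Step 102: replace the marked content with the processed payload.

    The markers are kept, matching the page's notation para=1<$>C<$>4; a callable
    replacement is used so that backslashes in the payload are inserted literally.
    """
    marked_content(first_request)  # validates that there is exactly one marked region
    return MARK_RE.sub(lambda _m: MARK + processed_payload + MARK, first_request)


def strip_markers(request: str) -> str:
    """Wire form: remove the markers before the packet is actually sent."""
    return request.replace(MARK, "")


# Constructed plug-ins standing in for the page's A1, A2 (assumed, not the patent's own)
url_encode: PayloadPlugin = lambda s: quote(s, safe="")
b64_encode: PayloadPlugin = lambda s: base64.b64encode(s.encode()).decode()

if __name__ == "__main__":
    first = "para=1<$>23<$>4"
    print(marked_content(first))                                    # 23
    print(build_second_request(first, "C"))                         # para=1<$>C<$>4
    # Swapping the priorities changes the nested result
    print(encode_nested("test payload", [(1, url_encode), (2, b64_encode)]))
    print(encode_nested("test payload", [(2, url_encode), (1, b64_encode)]))
```

Because `MARK_RE` is applied to the whole request text, the same code handles a marker placed in a header line such as `Accept: <$>xxx<$>`, which is the extension to the entire request structure that step 20 below describes.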

Step 103: Perform bypass detection on the second request packet to obtain a detection result.

In the embodiment of the present invention, bypass detection of the processed payload is performed by the security protection system; since the second request packet includes the processed payload, the security protection system's detection result for the processed payload can be obtained from the second request packet.

In the embodiment of the present invention, the detection result of bypass detection on the processed payload has two cases: the not-bypassed case, and the bypassed case, that is, the security protection system failed to intercept the processed payload.

In some embodiments of the present invention, in the case of interception failure, the second request packet is stored so that the defense rules and interception logic of the security protection system can conveniently be assessed afterwards, ensuring network security.

In one implementation, performing bypass detection on the second request packet includes:

performing bypass detection on the processed payload in the second request packet; or,

invoking the second plug-in to modify the second request packet to obtain a third request packet, and performing bypass detection on the processed payload in the third request packet; the second plug-in includes at least one plug-in.

In the embodiment of the present invention, the second plug-in may represent a plug-in acting on the second request packet; that is, the second request packet can be modified by invoking the second plug-in.

In some embodiments, invoking the second plug-in can modify the second request packet itself; a bypass plug-in can also be used to modify and replace the transmission format of the second request packet, for example transmitting in Chunked encoding with random comment characters, or transmitting multipart data in a malformed format.

In the embodiment of the present invention, on top of invoking the first plug-in to process the payload, the second plug-in is invoked to modify the second request packet, which further raises the success rate of the payload bypassing the security protection system while reducing unnecessary packet sending.

In one implementation, invoking the second plug-in to modify the second request packet to obtain the third request packet may include: when the second plug-in includes multiple plug-ins, invoking those plug-ins in their priority order to modify the second request packet, obtaining the third request packet.

In the embodiment of the present invention, when the second plug-in includes multiple plug-ins, a priority order among them may be preset, and based on that order the plug-ins are invoked to encode the acquired payload.

In some embodiments, when the second plug-in includes plug-in D1, plug-in D2 and plug-in D3, and the priority order is D1, D2, D3, plug-in D1 is first invoked to modify the second request packet, then plug-in D2 is invoked to modify the second request packet, and finally plug-in D3 is invoked to modify the second request packet; once the invocation of the second plug-in has finished, the third request packet is obtained.

In the embodiment of the present invention, modifying the second request packet according to the priority order of the multiple plug-ins in the second plug-in improves bypass detection efficiency while reducing detection failures caused by errors in invoking multiple plug-ins.

Here, the method of setting priorities among the multiple plug-ins in the second plug-in may be chosen according to the actual application environment; the embodiment of the present invention does not limit it.

In the embodiment of the present invention, the security protection system may directly perform bypass detection on the processed payload in the second request packet to obtain the detection result, or perform bypass detection on the processed payload in the third request packet to obtain the detection result.

When the detection result is not-bypassed, a judgment result is obtained as to whether the second request packet would bypass the security protection system after the target plug-in is updated; the target plug-in includes the first plug-in and/or the second plug-in; the first plug-in is used to perform encoding nesting on the processed payload in the second request packet; the second plug-in is used to modify the second request packet. When the judgment result is bypass, the target plug-in is updated; when the judgment result is not-bypassed, the processed payload in the second request packet is updated, obtaining an updated payload.

In some embodiments of the present invention, when the detection result is not-bypassed, that is, the second request packet was successfully intercepted, security personnel need to further judge whether the second request packet could still bypass the security protection system after the target plug-in is updated, obtaining the judgment result.

In the embodiment of the present invention, when the judgment result is bypass, an updated first plug-in can be obtained by increasing or decreasing the number of invocations of the first plug-in, and combining the processed payload with the updated first plug-in raises the likelihood of bypassing the security protection system; an updated first plug-in can also be obtained by increasing or decreasing the number of invocations of the second plug-in, and combining the processed third request packet with the updated second plug-in raises the likelihood of bypassing the security protection system.

In some embodiments, when the judgment result is not-bypassed, the acquired payload can be updated on the basis of the processed payload to obtain an updated payload, and steps 101 to 103 above are executed in turn with the updated payload.

Since bypass detection of a security protection system is a dynamic adversarial process, the bypass detection needs to be adjusted dynamically from real-time feedback; in the embodiment of the present application, whether to update the processed payload or to update the first plug-in and/or the second plug-in is decided according to the detection result returned in real time. That is, bypass detection can be adjusted dynamically from real-time feedback, which preserves the dynamic adversarial nature of the bypass detection process, makes bypass detection more flexible and efficient, and reduces the number of packets sent.

To further illustrate the purpose of the present invention, further examples are given on the basis of the above embodiments.

FIG. 2 is a schematic flowchart of another data processing method according to an embodiment of the present invention. As shown in FIG. 2, it mainly includes:

Step 20: Marking the vulnerability parameter position.

In one implementation, at the start of bypass detection a request packet needs to be given, and the vulnerability parameter position to be bypass-tested is marked in that packet; for example, a parameter of the request packet is para=<$>xxx<$> or Accept:<$>xxx<$>. Here para denotes a parameter of the request packet such as a query (GET), modify (POST), add (PUT) or delete (DELETE) parameter; Accept denotes a parameter corresponding to a request header; and <$> denotes the marked vulnerability parameter position. Through the marking, the program can identify the vulnerability parameter position and replace its content during subsequent packet-sending detection. This step means the bypass test is not limited to parameters such as GET or POST but can extend to the entire request packet structure.

Step 21: Acquiring the payload.

In one implementation, the payload may be entered directly by the user or acquired actively by the bypass detection apparatus; the acquired payload may include a user-defined payload; the payload can be updated in a targeted way according to the WAF interception characteristics of the specific environment, that is, updated according to the judgment result returned in real time.

Step 22: Acquiring plug-ins.

In one implementation, the plug-ins include the first plug-in and the second plug-in of the above embodiments; the plug-ins to be invoked can be selected by ticking them; that is, plug-ins can be updated and invoked in a targeted way according to the WAF interception characteristics of the specific environment, so that the WAF's interception logic and interception feature points are detected faster and unnecessary packet sending is reduced. Combining other payloads or plug-ins with a higher bypass likelihood makes bypass detection more flexible and efficient under dynamic adjustment while reducing the number of packets sent.

Step 23: Sorting the plug-ins.

In one implementation, when the first plug-in includes multiple plug-ins they are sorted by their priority order, and when the second plug-in includes multiple plug-ins they are likewise sorted by their priority order. In bypass detection a single plug-in bypass method usually has little effect, and several plug-in bypass methods must be combined to raise the success rate of attack bypass. Invoking multiple plug-ins requires each plug-in to be given an invocation priority in order to reduce and avoid unnecessary errors during nesting.

Step 24: Invoking the plug-ins.

In one implementation, invoking the first plug-in in priority order encodes the payload, and invoking the second plug-in in priority order modifies the request packet. During invocation, the payload is first encoded according to the priority order of the multiple plug-ins in the first plug-in (plug-ins such as base64 encoding), finally producing a processed payload that is applied to the request packet; next, the general bypass plug-ins that act directly on the request packet (plug-ins such as Chunked encoding) are invoked according to the priority order of the multiple plug-ins in the second plug-in to modify the request packet; after every plug-in has been invoked, the processed request packet is obtained.

Step 25: Sending the processed request packet and judging the detection result.

In one implementation, the processed request packet is sent and a detection result is obtained; when the detection result is bypass, the corresponding request packet is stored so that the WAF's defense rules and interception logic can conveniently be assessed afterwards. When the detection result is not-bypassed, security personnel need to further judge whether the request packet could still bypass the security protection system after the target plug-in is updated, obtaining a judgment result. The target plug-in includes the first plug-in and/or the second plug-in; the first plug-in is used to perform encoding nesting on the processed payload in the second request packet; the second plug-in is used to modify the second request packet.

When the judgment result is bypass, the target plug-in is updated, and after the updated target plug-in is obtained, execution returns to step 22; when the judgment result is not-bypassed, the processed payload in the second request packet is updated to obtain an updated payload, and after the updated payload is obtained, execution returns to step 21.

In the embodiment of the present invention, WAF bypass is a dynamic adversarial process; real-time request packet interaction makes it convenient for security personnel to assess the WAF's defense rules and interception logic, and the payload or plug-in invocation is modified and updated in a targeted way according to the detection result.

The embodiment of the present invention can mark the vulnerability parameter position in the request packet, invoke the first plug-in to perform encoding nesting on the custom payload, and put the processed payload into the vulnerability parameter position in the request packet to obtain the first request packet; then invoke the second plug-in to modify the first request packet to obtain the second request packet, and finally perform the bypass test on the second request packet. It can be seen that the embodiment achieves dynamic WAF bypass detection in a real-time, interactive and efficient packet-sending test, effectively avoids generating excessive meaningless requests, preserves the dynamic adversarial nature of WAF bypass detection, and improves its flexibility.

Since bypass detection depends on updating and extending plug-ins, supplementing and continuously optimizing the plug-ins raises the overall ability and level of attack bypass detection. Plug-ins fall mainly into two types: the first acts on the payload, that is, the first plug-in, and is mainly used to perform encoding nesting on the custom payload; the second acts on the request packet, that is, the second plug-in, and is mainly used to modify the request packet. The invocation process of these two types of plug-in is described below with reference to FIG. 3.

FIG. 3 is a schematic flowchart of plug-in invocation according to an embodiment of the present invention. As shown in FIG. 3, it mainly includes three steps: judging the action type of the plug-in being invoked, processing the payload, and processing the request packet; through these three steps the processed payload and request packet are obtained.

First, during plug-in invocation, it is determined from the plug-in's action type whether the plug-in being invoked is a first plug-in acting on the payload or a second plug-in acting on the request packet.

Then, for a first plug-in, the current payload is acquired, the first plug-in is invoked to encode it, and the processed payload is returned.

Finally, for a second plug-in, the request packet is acquired, the second plug-in is invoked to modify it, and the processed request packet is returned.

In one implementation, when the current payload has been acquired, an encapsulated plug-in encoding function is invoked to encode it; for example, base64 encoding or the replacement of comments in SQL injection.

In one implementation, when the request packet has been acquired, its format is modified and replaced and general bypass plug-ins are tried; for example, transmitting in Chunked encoding with random comment characters, or transmitting multipart data in a malformed format.

Here, both the first plug-in and the second plug-in are extensible: the current payload or request packet is taken as standardized input, a highly encapsulated plug-in encoding function is introduced, and the processed payload or request packet is returned as standardized output.
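The FIG. 3 dispatch by action type with the standardized input/output interface, together with the step 20 to step 25 loop of FIG. 2, as one added Python example written for this page (not code from the patent or from Sangfor). `Plugin`, `apply_chain`, `build_request`, `chunked_body`, `bypass_test` and the two detectors are assumed names. The "security protection system" is a constructed stand-in that matches a constructed signature token, `BLOCK_TOKEN`; the only request-level plug-in is plain HTTP chunked transfer encoding, not the random-comment variant the page mentions. The page leaves the judgment "could an updated plug-in still bypass?" to security staff; the constructed policy here is to try every candidate plug-in set (return to step 22) before moving to the next payload (return to step 21), bounded by the candidate lists. The second detector shows what the stored bypassing packet tells a rule author: undo transfer encoding and decode parameter values before matching.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence

Transform = Callable[[str], str]
MARK = "<$>"

@dataclass(order=True)
class Plugin:
    """A plug-in with the standardized str -> str interface of the FIG. 3 description."""
    priority: int                           # lower value is invoked first
    name: str
    kind: str = field(compare=False)        # "payload" = first plug-in, "request" = second plug-in
    func: Transform = field(compare=False)

def apply_chain(value: str, plugins: Sequence[Plugin], kind: str) -> str:
    """Dispatch by action type, then invoke the matching plug-ins in priority order (nested)."""
    for plugin in sorted(p for p in plugins if p.kind == kind):
        value = plugin.func(value)
    return value

def build_request(template: str, payload: str, plugins: Sequence[Plugin]) -> str:
    """Steps 21-24: encode the payload, put it at the <$> position (markers removed in this
    wire form), then let the request-level plug-ins modify the whole packet."""
    if template.count(MARK) != 2:
        raise ValueError("template must contain exactly one <$>...<$> region")
    head, _, rest = template.partition(MARK)
    _, _, tail = rest.partition(MARK)       # drops the original content between the markers
    request = head + apply_chain(payload, plugins, "payload") + tail
    return apply_chain(request, plugins, "request")

def chunked_body(request: str) -> str:
    """Constructed request plug-in: plain HTTP chunked transfer encoding of the body
    (the constructed template has no Content-Length header, so none has to be removed)."""
    headers, sep, body = request.partition("\r\n\r\n")
    if not sep:
        return request
    return f"{headers}\r\nTransfer-Encoding: chunked{sep}{len(body):x}\r\n{body}\r\n0\r\n\r\n"

BLOCK_TOKEN = "blocked-token"   # constructed signature standing in for one WAF rule

def naive_detector(request: str) -> bool:
    """Stand-in security system: True = intercepted. Matches only the literal token."""
    return BLOCK_TOKEN in request

def _dechunk(body: str) -> str:
    out, i = [], 0
    while True:
        j = body.index("\r\n", i)
        size = int(body[i:j], 16)
        if size == 0:
            return "".join(out)
        out.append(body[j + 2:j + 2 + size])
        i = j + 2 + size + 2

def normalizing_detector(request: str) -> bool:
    """Stand-in security system that undoes chunking and tries base64 on each parameter
    value before matching: the rule fix that the stored bypassing packet points to."""
    headers, _, body = request.partition("\r\n\r\n")
    if "transfer-encoding: chunked" in headers.lower():
        try:
            body = _dechunk(body)
        except ValueError:
            pass                            # malformed chunking: fall back to the raw body
    candidates = [body]
    for pair in body.split("&"):
        _, _, value = pair.partition("=")
        try:
            candidates.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass                            # not base64: nothing more to check for this value
    return any(BLOCK_TOKEN in c for c in candidates)

def bypass_test(template: str, payloads: Sequence[str], plugin_sets: Sequence[Sequence[Plugin]],
                detector: Callable[[str], bool], store: List[str]) -> Dict[str, object]:
    """Step 25 loop: bypass -> store the packet for rule review and stop; intercepted ->
    next plug-in set (step 22), and when none is left, next payload (step 21)."""
    rounds = []                             # (payload index, plug-in set index, intercepted)
    for pi, payload in enumerate(payloads):
        for si, plugins in enumerate(plugin_sets):
            request = build_request(template, payload, plugins)
            intercepted = detector(request)
            rounds.append((pi, si, intercepted))
            if not intercepted:
                store.append(request)
                return {"outcome": "bypassed", "rounds": rounds}
    return {"outcome": "intercepted", "rounds": rounds}

# Constructed sample data: a marked template (step 20), one base64 payload plug-in (A1),
# one chunked request plug-in (D1) and three candidate plug-in sets
TEMPLATE = ("POST /search HTTP/1.1\r\nHost: example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\npara=<$>xxx<$>")
A1 = Plugin(1, "base64", "payload", lambda s: base64.b64encode(s.encode()).decode())
D1 = Plugin(1, "chunked", "request", chunked_body)
PLUGIN_SETS = [[], [A1], [A1, D1]]

if __name__ == "__main__":
    for det in (naive_detector, normalizing_detector):
        stored: List[str] = []
        print(det.__name__, bypass_test(TEMPLATE, [BLOCK_TOKEN], PLUGIN_SETS, det, stored))
```

Against `naive_detector` the loop stops in the second round and stores the request whose parameter value is the base64 form of the token; against `normalizing_detector` all three rounds are intercepted and nothing is stored. Reading the stored packet is the review step the page assigns to security personnel, and the difference between the two detectors is the rule change that review would produce.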

It can be seen that the embodiment of the present invention can update the payload or request packet through nested invocation of multiple plug-ins to perform attack bypass detection, thereby achieving dynamic WAF bypass detection.

FIG. 4a is a schematic diagram of the composition of a data processing apparatus according to an embodiment of the present invention. As shown in FIG. 4a, the apparatus includes a determination module 400, a first processing module 401, a second processing module 402 and a detection module 403, wherein:

the determination module 400 is configured to determine the pre-marked vulnerability parameter position in the first request packet;

the first processing module 401 is configured to perform encoding nesting on the acquired payload to obtain the processed payload;

the second processing module 402 is configured to put the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain the second request packet;

the detection module 403 is configured to perform bypass detection on the second request packet to obtain the detection result.

In one implementation, the first processing module 401 performing encoding nesting on the acquired payload to obtain the processed payload includes:

invoking the first plug-in to perform encoding nesting on the acquired payload to obtain the processed payload; the first plug-in includes at least one plug-in.

In one implementation, the first processing module 401 invoking the first plug-in to perform encoding nesting on the acquired payload to obtain the processed payload includes:

when the first plug-in includes multiple plug-ins, invoking those plug-ins in their priority order to perform encoding nesting on the acquired payload, obtaining the processed payload.

In one implementation, the detection module 403 performing bypass detection on the second request packet includes:

performing bypass detection on the processed payload in the second request packet; or,

invoking the second plug-in to modify the second request packet to obtain a third request packet, and performing bypass detection on the processed payload in the third request packet; the second plug-in includes at least one plug-in.

In one implementation, the detection module 403 invoking the second plug-in to modify the second request packet to obtain the third request packet includes:

when the second plug-in includes multiple plug-ins, invoking those plug-ins in their priority order to modify the second request packet, obtaining the third request packet.

In one implementation, the acquired payload includes a custom payload.

FIG. 4b is a schematic diagram of the composition of another data processing apparatus according to an embodiment of the present invention. As shown in FIG. 4b, the apparatus further includes a judgment module 404, configured to:

when the detection result is not-bypassed, obtain a judgment result as to whether the second request packet would bypass the security protection system after the target plug-in is updated; the target plug-in includes the first plug-in and/or the second plug-in; the first plug-in is used to perform encoding nesting on the processed payload in the second request packet; the second plug-in is used to modify the second request packet;

when the judgment result is bypass, update the target plug-in;

when the judgment result is not-bypassed, update the processed payload in the second request packet to obtain the updated payload.

In practical applications, the determination module 400, first processing module 401, second processing module 402, detection module 403 and judgment module 404 may all be implemented by a processor in the electronic device, which may be at least one of an ASIC, DSP, DSPD, PLD, FPGA, CPU, controller, microcontroller or microprocessor.

In addition, the functional modules in this embodiment may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional module.

If the integrated unit is implemented as a software functional module and is not sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this embodiment in essence, or the part of it that contributes to the related art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the method of this embodiment. The storage medium includes a USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk or any other medium that can store program code.

Specifically, the computer program instructions corresponding to a data processing method in this embodiment may be stored on a storage medium such as an optical disk, hard disk or USB flash drive; when the instructions corresponding to a data processing method in the storage medium are read or executed by an electronic device, any of the data processing methods of the foregoing embodiments is implemented.

Based on the same technical concept as the foregoing embodiments, FIG. 5 shows an electronic device 500 provided by an embodiment of the present invention, which may include a memory 501 and a processor 502, wherein:

the memory 501 is configured to store computer programs and data;

the processor 502 is configured to execute the computer program stored in the memory to implement any of the data processing methods of the foregoing embodiments.

In practical applications, the memory 501 may be volatile memory such as RAM, or non-volatile memory such as ROM, flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or a combination of these kinds of memory, and provides instructions and data to the processor 502.

The processor 502 may be at least one of an ASIC, DSP, DSPD, PLD, FPGA, CPU, controller, microcontroller or microprocessor. It can be understood that for different augmented reality cloud platforms the electronic component used to implement the processor function may be different; the embodiment of the present invention does not specifically limit it.

In some embodiments, the functions or modules of the apparatus provided by the embodiments of the present invention may be used to execute the methods described in the method embodiments above; for their specific implementation, reference may be made to the description of the method embodiments above, which is not repeated here for brevity.

The above description of the embodiments emphasizes the differences between them; for the same or similar parts, reference may be made from one embodiment to another, and they are not repeated here for brevity.

The methods disclosed in the method embodiments provided by the present invention may be combined arbitrarily, where no conflict arises, to obtain new method embodiments.

The features disclosed in the product embodiments provided by the present invention may be combined arbitrarily, where no conflict arises, to obtain new product embodiments.

The features disclosed in the method or device embodiments provided by the present invention may be combined arbitrarily, where no conflict arises, to obtain new method or device embodiments.

Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

这些计算机程序指令也可装载到计算机或其它可编程数据处理设备上,使得在计算机或其它可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其它可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.

以上,仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围。The above are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.

Claims (10)

1. A data processing method, characterized in that the method comprises:
determining a pre-marked vulnerability parameter position in a first request packet;
performing encoding nesting processing on an acquired payload to obtain a processed payload;
placing the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet; and
performing bypass detection on the second request packet to obtain a detection result.

2. The method according to claim 1, characterized in that performing encoding nesting processing on the acquired payload to obtain the processed payload comprises:
invoking a first plug-in to perform encoding nesting processing on the acquired payload to obtain the processed payload, the first plug-in comprising at least one plug-in.

3. The method according to claim 2, characterized in that invoking the first plug-in to perform encoding nesting processing on the acquired payload to obtain the processed payload comprises:
in the case that the first plug-in comprises a plurality of plug-ins, invoking the plurality of plug-ins in the first plug-in according to their priority order to perform encoding nesting processing on the acquired payload, obtaining the processed payload.

4. The method according to claim 1, characterized in that performing bypass detection on the second request packet comprises:
performing bypass detection on the processed payload in the second request packet; or
invoking a second plug-in to perform modification processing on the second request packet to obtain a third request packet, and performing bypass detection on the processed payload in the third request packet, the second plug-in comprising at least one plug-in.

5. The method according to claim 4, characterized in that invoking the second plug-in to perform modification processing on the second request packet to obtain the third request packet comprises:
in the case that the second plug-in comprises a plurality of plug-ins, invoking the plurality of plug-ins in the second plug-in according to their priority order to perform modification processing on the second request packet, obtaining the third request packet.

6. The method according to any one of claims 1 to 5, characterized in that the acquired payload comprises a custom payload.

7. The method according to claim 1, characterized in that the method further comprises:
in the case that the detection result is "not bypassed", obtaining a judgment result of whether the second request packet bypasses the security protection system after a target plug-in is updated, wherein the target plug-in comprises the first plug-in and/or the second plug-in, the first plug-in is used to perform encoding nesting processing on the processed payload in the second request packet, and the second plug-in is used to perform modification processing on the second request packet;
in the case that the judgment result is "bypassed", updating the target plug-in; and
in the case that the judgment result is "not bypassed", performing update processing on the processed payload in the second request packet to obtain an updated payload.

8. A data processing apparatus, characterized in that the apparatus comprises:
a determining module, configured to determine a pre-marked vulnerability parameter position in a first request packet;
a first processing module, configured to perform encoding nesting processing on an acquired payload to obtain a processed payload;
a second processing module, configured to place the processed payload into the pre-marked vulnerability parameter position in the first request packet to obtain a second request packet; and
a detection module, configured to perform bypass detection on the second request packet to obtain a detection result.

9. An electronic device, characterized in that the device comprises a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method according to any one of claims 1 to 7 when executing the program.

10. A computer storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1 to 7 is implemented.
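The pipeline the claims describe (a request template with one marked vulnerability parameter position, payload encoders invoked in priority order so that each wraps the previous output, optional request-level plug-ins that rewrite the whole packet, a bypass check, and the retry loop of claim 7), as an added Python example. This is not code from the patent or from Sangfor: the `{{PAYLOAD}}` marker, the plug-in names and priorities, the constructed request template, and the regex "security protection system" that URL-decodes once before matching are all assumptions of this example, chosen so that the difference between single and double URL encoding is visible in the detection result.

```python
import re
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical marker for the pre-marked vulnerability parameter position (claim 1).
# The patent does not specify a marking syntax; this is an assumption of the example.
MARKER = "{{PAYLOAD}}"

# Constructed request template (first request packet): query parameter "q" is the marked position.
REQUEST_TEMPLATE = (
    "GET /search?q={{PAYLOAD}}&page=1 HTTP/1.1\r\n"
    "Host: target.example\r\n\r\n"
)

Plugin = Tuple[int, str, Callable[[str], str]]  # (priority, name, transform)


def url_encode(s: str) -> str:
    return urllib.parse.quote(s, safe="")


# "First plug-ins" (claims 2-3): payload encoders. They run in ascending priority order
# and each one wraps the previous output, which is the "encoding nesting" of the claims.
FIRST_PLUGINS: Dict[str, Plugin] = {
    "url": (10, "url", url_encode),
    "double_url": (20, "double_url", url_encode),  # second pass on top of "url" = double encoding
    "sql_comment_ws": (30, "sql_comment_ws", lambda s: s.replace(" ", "/**/")),
}


def add_forwarded_header(req: str) -> str:
    return req.replace("\r\n\r\n", "\r\nX-Forwarded-For: 127.0.0.1\r\n\r\n", 1)


def get_to_post(req: str) -> str:
    """Move the query string of a GET request into a form-encoded POST body."""
    request_line, _, rest = req.partition("\r\n")
    method, _, tail = request_line.partition(" ")
    target, _, version = tail.rpartition(" ")
    if method != "GET" or "?" not in target:
        return req
    path, _, query = target.partition("?")
    headers, _, _ = rest.partition("\r\n\r\n")
    return (f"POST {path} {version}\r\n{headers}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(query)}\r\n\r\n{query}")


# "Second plug-ins" (claims 4-5): whole-request modifiers, also priority ordered.
SECOND_PLUGINS: Dict[str, Plugin] = {
    "xff": (10, "xff", add_forwarded_header),
    "post": (20, "post", get_to_post),
}


def apply_in_priority_order(data: str, plugins: List[Plugin]) -> str:
    for _prio, _name, fn in sorted(plugins, key=lambda p: p[0]):
        data = fn(data)
    return data


def build_request(template: str, processed_payload: str) -> str:
    """Claim 1, step 3: put the processed payload at the marked position -> second request packet."""
    if MARKER not in template:
        raise ValueError("template has no marked vulnerability parameter position")
    return template.replace(MARKER, processed_payload, 1)


# Stand-in "security protection system": a signature WAF that URL-decodes the request once
# before matching. A real deployment would test the actual target; this is an assumption.
WAF_RULES = [re.compile(r"<\s*script", re.I), re.compile(r"'\s*or\s+1\s*=\s*1", re.I)]


def waf_blocks(request: str) -> bool:
    return any(r.search(urllib.parse.unquote(request)) for r in WAF_RULES)


def bypass_detect(request: str) -> str:
    """Claim 1, step 4: 'bypassed' if the protection system let the request through."""
    return "not_bypassed" if waf_blocks(request) else "bypassed"


def run_case(payload: str, first: List[Plugin], second: List[Plugin]) -> Tuple[str, str]:
    processed = apply_in_priority_order(payload, first)              # claims 2-3
    second_request = build_request(REQUEST_TEMPLATE, processed)      # claim 1
    third_request = apply_in_priority_order(second_request, second)  # claims 4-5 (empty list = claim 4, first branch)
    return bypass_detect(third_request), third_request


def plugin_names(plugins: List[Plugin]) -> List[str]:
    return [p[1] for p in sorted(plugins, key=lambda p: p[0])]


def search_bypass(payload: str, first_sets: List[List[Plugin]],
                  second_sets: List[List[Plugin]]) -> Optional[Tuple[List[str], List[str], str]]:
    """Claim 7, simplified: while the result is 'not bypassed', update the target plug-in sets
    and retry. None means no plug-in update bypassed, so the caller should update the payload."""
    for first in first_sets:
        for second in second_sets:
            result, req = run_case(payload, first, second)
            if result == "bypassed":
                return plugin_names(first), plugin_names(second), req
    return None
```

With this toy target, the raw `<script>` payload and its single URL-encoded form are both flagged, because the WAF decodes once; the nested `url` then `double_url` plug-ins produce `%253Cscript...`, which the WAF sees as `%3Cscript...` and passes. For the SQL payload, the `sql_comment_ws` plug-in alone defeats the whitespace-dependent signature. The search returns the first plug-in combination that bypassed, or None, which is the branch of claim 7 where the payload itself is updated next.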
CN202010812501.5A 2020-08-13 2020-08-13 A data processing method, apparatus, electronic device and computer storage medium Pending CN112035840A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010812501.5A CN112035840A (en) 2020-08-13 2020-08-13 A data processing method, apparatus, electronic device and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010812501.5A CN112035840A (en) 2020-08-13 2020-08-13 A data processing method, apparatus, electronic device and computer storage medium

Publications (1)

Publication Number Publication Date
CN112035840A true CN112035840A (en) 2020-12-04

Family

ID=73578189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010812501.5A Pending CN112035840A (en) 2020-08-13 2020-08-13 A data processing method, apparatus, electronic device and computer storage medium

Country Status (1)

Country Link
CN (1) CN112035840A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116055148A (en) * 2022-12-30 2023-05-02 深信服科技股份有限公司 Bypass detection and variation relation learning method and device, electronic equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130232576A1 (en) * 2011-11-18 2013-09-05 Vinsula, Inc. Systems and methods for cyber-threat detection
CN109190368A (en) * 2018-08-19 2019-01-11 杭州安恒信息技术股份有限公司 A kind of SQL injection detection device and SQL injection detection method
CN110266737A (en) * 2019-07-30 2019-09-20 杭州安恒信息技术股份有限公司 Vulnerability detection method, device, equipment and medium for cross-domain resource sharing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谷家腾 (Gu Jiateng): "XSS vulnerability detection model based on dynamic analysis", 《计算机工程》 (Computer Engineering) *

Similar Documents

Publication Publication Date Title
US10027691B2 (en) Apparatus and method for performing real-time network antivirus function
RU2680736C1 (en) Malware files in network traffic detection server and method
US20190334948A1 (en) Webshell detection method and apparatus
US8732304B2 (en) Method and system for ensuring authenticity of IP data served by a service provider
CN103634306B (en) The safety detection method and safety detection server of network data
EP2850781B1 (en) Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic
US10270792B1 (en) Methods for detecting malicious smart bots to improve network security and devices thereof
CN105512559B (en) A method and apparatus for providing access to a page
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
CN107979581B (en) Zombie feature detection method and device
CN106576051B (en) A method, network device, and non-transitory machine-readable medium for detecting zero-day threats
CN103401863A (en) Network data flow analysis method and network data flow analysis device based on cloud security
CN104202206A (en) Message processing device and method
CN111865996A (en) Data detection method and device and electronic equipment
KR102014741B1 (en) Matching method of high speed snort rule and yara rule based on fpga
KR20060117693A (en) Web security method and device
KR102014736B1 (en) Matching device of high speed snort rule and yara rule based on fpga
CN112035840A (en) A data processing method, apparatus, electronic device and computer storage medium
CN108259416B (en) Method for detecting malicious webpage and related equipment
US10757118B2 (en) Method of aiding the detection of infection of a terminal by malware
CN111181967B (en) Data flow identification method, device, electronic equipment and medium
CN114301689B (en) Campus network security protection method and device, computing equipment and storage medium
JP6635029B2 (en) Information processing apparatus, information processing system, and communication history analysis method
KR20200039550A (en) Method for real-time encryption packet separation and identification in high speed traffic and interworking with yara detection on identified packet, and apparatus thereof
CN112217770A (en) A security detection method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201204
