CN-122001640-A - Method and device for automatically reconstructing stateful Web attack pre-step sequence

CN 122001640 A

Abstract

The application relates to a method and a device for automatically reconstructing the pre-step sequence of a stateful Web attack. The method comprises: receiving a final attack request; constructing a target state portrait based on the final attack request and calculating a state distance between the current application state and the target state based on the target state portrait; determining a shortest path to the target state portrait based on a preset data-driven guide model and the state distance; generating a candidate request sequence with a preset operation sequence generation engine based on the shortest path; and evaluating the difference between the backend state after executing the candidate request sequence and the target state portrait with a preset comprehensive scoring function to obtain a comprehensive score for the candidate request sequence, the candidate request sequence being taken as the request sequence corresponding to that score when the score meets a preset condition. This addresses the problems that stateful Web attack sequences are difficult to reconstruct automatically, that multi-step vulnerability verification is inefficient, and that attack investigation depends on manual effort.

Inventors

  • HE ZHUOFENG
  • PENG YIHAO
  • ZHANG JINGRUN
  • MU XINYU
  • WAN HAI
  • ZHAO XIBIN

Assignees

  • 清华大学 (Tsinghua University)

Dates

Publication Date
2026-05-08
Application Date
2026-01-28

Claims (10)

  1. A method for automatically reconstructing a sequence of stateful Web attack pre-steps, comprising the steps of: receiving a final attack request; constructing a target state portrait based on the final attack request, and calculating a state distance between a current application state and a target state based on the target state portrait; determining a shortest path to the target state portrait based on a preset data-driven guide model and the state distance, and generating a candidate request sequence by using a preset operation sequence generation engine based on the shortest path; and evaluating the difference between the backend state after executing the candidate request sequence and the target state portrait based on a preset comprehensive scoring function to obtain the comprehensive score of the candidate request sequence, and taking the candidate request sequence as the request sequence corresponding to the comprehensive score when the comprehensive score meets a preset condition.
  2. The method of claim 1, wherein constructing the target state portrait based on the final attack request comprises: injecting a lightweight probe at key life-cycle points of the target Web application framework, and isolating the complete call sequence of the final attack request based on the lightweight probe; and extracting file dependencies and database dependencies from the complete call sequence, and normalizing the file dependencies and database dependencies into tabular representations to form the target state portrait.
  3. The method of claim 1, further comprising, prior to determining the shortest path to the target state portrait based on the preset data-driven guide model and the state distance: constructing an API dependency graph and a parameter source association model; and obtaining the preset data-driven guide model from the API dependency graph and the parameter source association model.
  4. The method according to claim 3, wherein constructing the parameter source association model comprises: acquiring a plurality of request parameters and a plurality of data source positions; collecting the historical values of each request parameter to form a first value set, and collecting the historical values of each data source position to form a second value set; calculating the Jaccard similarity between the first value set and the second value set, and determining an association score for each request parameter and each data source position based on the Jaccard similarity; and sorting the plurality of data source positions by the association scores to obtain a data source position list, and determining the parameter source association model based on the data source position list.
  5. The method according to claim 3, wherein constructing the API dependency graph comprises: calculating direct data flow dependencies and indirect data flow dependencies between APIs based on the request parameters; and performing probability fusion on the direct data flow dependencies and the indirect data flow dependencies to obtain the API secondary probability, and constructing the API dependency graph according to the API secondary probability.
  6. The method of claim 1, wherein the predetermined composite scoring function is: ; Wherein, the For the composite score of the candidate request sequence, Is that Is used for the weight parameters of the (c), For the status distance rewards, Is that Is used for the weight parameters of the (c), In order to cover the gain rewards, Is that Is used for the weight parameters of the (c), Rewards for responding to the value range.
  7. An apparatus for automatically reconstructing a stateful Web attack pre-step sequence, comprising: a receiving module for receiving the final attack request; a computing module for constructing a target state portrait based on the final attack request and computing a state distance between a current application state and a target state based on the target state portrait; a generation module for determining the shortest path to the target state portrait based on a preset data-driven guide model and the state distance, and generating a candidate request sequence by using a preset operation sequence generation engine based on the shortest path; and an evaluation module for evaluating the difference between the backend state after the candidate request sequence is executed and the target state portrait based on a preset comprehensive scoring function to obtain the comprehensive score of the candidate request sequence, and taking the candidate request sequence as the request sequence corresponding to the comprehensive score when the comprehensive score meets a preset condition.
  8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor executing the program to implement the method for automatically reconstructing a sequence of stateful Web attack pre-steps according to any of claims 1-6.
  9. A computer-readable storage medium having stored thereon a computer program, the program being executed by a processor to implement the method for automatically reconstructing a sequence of stateful Web attack pre-steps according to any of claims 1-6.
  10. A computer program product storing a computer program, characterized in that the program, when executed by a processor, implements the method for automatically reconstructing a sequence of stateful Web attack pre-steps according to any of claims 1-6.
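The parameter source association model of claim 4 (also summarised in the Description), worked through as an added example that is not part of the patent: constructed historical value sets for request parameters and backend data source positions are scored pairwise by Jaccard similarity and each parameter's sources are sorted by score. The function names and the sample values are assumptions for illustration; a parameter whose best score stays under a threshold is treated as not derived from any backend state.

```python
"""Parameter-source association via Jaccard similarity (constructed example).

Helper names (jaccard, build_parameter_source_model, best_source) and all
historical values below are hypothetical; none come from the patent text.
"""


def jaccard(first: set, second: set) -> float:
    """|A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty."""
    if not first and not second:
        return 0.0
    return len(first & second) / len(first | second)


def build_parameter_source_model(param_values, source_values):
    """Score every (request parameter, data source position) pair by the
    Jaccard similarity of their historical value sets, then sort the data
    source positions per parameter by descending score (claim 4)."""
    model = {}
    for param, first_set in param_values.items():
        scored = [(source, jaccard(first_set, second_set))
                  for source, second_set in source_values.items()]
        # Highest score first; tie-break on name so output is deterministic.
        scored.sort(key=lambda item: (-item[1], item[0]))
        model[param] = scored
    return model


def best_source(model, param, min_score=0.5):
    """Most likely backing data source for a parameter, or None when the top
    association score is below min_score (parameter is not state-derived)."""
    ranked = model.get(param, [])
    if ranked and ranked[0][1] >= min_score:
        return ranked[0]
    return None


# Constructed history: values observed in requests (first value sets) ...
PARAM_VALUES = {
    "post_id": {"17", "23", "42", "58"},
    "author": {"alice", "bob", "carol"},
    "csrf_token": {"a1f3", "9c0e"},
    "page": {"1", "2", "3"},          # pagination index, backed by no table
}
# ... and values observed at backend data source positions (second value sets).
SOURCE_VALUES = {
    "posts.id": {"17", "23", "42", "58", "61"},
    "users.username": {"alice", "bob", "carol", "dave"},
    "sessions.csrf": {"a1f3", "9c0e", "77b2"},
}

MODEL = build_parameter_source_model(PARAM_VALUES, SOURCE_VALUES)

if __name__ == "__main__":
    for name in PARAM_VALUES:
        print(name, "->", best_source(MODEL, name))
```

Knowing which table column feeds each parameter is what lets the guide model decide which earlier requests (for example the one that creates the row behind `post_id`) must precede the final request.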

Description

Method and device for automatically reconstructing stateful Web attack pre-step sequence

Technical Field

The application relates to the technical field of computer security, in particular to a method and a device for automatically reconstructing a stateful Web attack pre-step sequence.

Background

Modern Web applications have evolved into complex and highly stateful systems. This complexity also creates new attack surfaces, so a core and urgent question is how to automatically and efficiently reconstruct the complete sequence of requests that builds up the preceding state, given only knowledge of the final attack request. In the related art, automated Web application testing has studied this task extensively. One line of work is coverage-guided grey-box fuzzers, which are good at expanding code execution paths. To improve efficiency, researchers have proposed directed fuzzers that concentrate fuzzing on predefined, potentially dangerous code locations in Web applications. Another, more closely related class of work fuzzes RESTful API (Representational State Transfer API) call sequences, attempting to discover deep vulnerabilities by generating longer request sequences. Some of these methods are data driven and assume that longer sequences are more likely to trigger defects; others rely on manually annotated API (Application Programming Interface) specifications, or infer API dependencies from REST (Representational State Transfer) semantics. However, the related-art methods have significant drawbacks in exploiting the final attack state, in understanding the values already present in the backend, and in robustness under non-ideal REST designs, and these need to be addressed.

Disclosure of Invention

The application provides a method and a device for automatically reconstructing the pre-step sequence of a stateful Web attack, which are used to solve the problems of difficult automatic reconstruction of stateful Web attack sequences, low efficiency of multi-step vulnerability verification, dependence of attack investigation on manual effort, and the like.

An embodiment of a first aspect of the present application provides a method for automatically reconstructing a stateful Web attack pre-step sequence, including the steps of: receiving a final attack request; constructing a target state portrait based on the final attack request, and calculating a state distance between a current application state and a target state based on the target state portrait; determining a shortest path to the target state portrait based on a preset data-driven guide model and the state distance, and generating a candidate request sequence by using a preset operation sequence generation engine based on the shortest path; and evaluating the difference between the backend state after executing the candidate request sequence and the target state portrait based on a preset comprehensive scoring function to obtain the comprehensive score of the candidate request sequence, and taking the candidate request sequence as the request sequence corresponding to the comprehensive score when the comprehensive score meets a preset condition.

Optionally, constructing the target state portrait based on the final attack request includes: injecting a lightweight probe at key life-cycle points of the target Web application framework, and isolating the complete call sequence of the final attack request based on the lightweight probe; and extracting file dependencies and database dependencies from the complete call sequence, and normalizing the file dependencies and database dependencies into tabular representations to form the target state portrait.

Optionally, before determining the shortest path to the target state portrait based on the preset data-driven guide model and the state distance, the method further includes: constructing an API dependency graph and a parameter source association model; and obtaining the preset data-driven guide model from the API dependency graph and the parameter source association model.

Optionally, constructing the parameter source association model includes: acquiring a plurality of request parameters and a plurality of data source positions; collecting the historical values of each request parameter to form a first value set, and collecting the historical values of each data source position to form a second value set; calculating the Jaccard similarity between the first value set and the second value set, and determining an association score for each request parameter and each data source position based on the Jaccard similarity; and sorting the plurality of data source positions by the association scores to obtain a data source position list, and determining the parameter source association model based on the data source position list.

Optionally, constructing the API dependency graph includes: calculating direct data flow dependencies and indirect data flow dependencies between APIs bas