Search

CN-122001936-A - Information system route and API scanning test tool

CN122001936ACN 122001936 ACN122001936 ACN 122001936ACN-122001936-A

Abstract

The invention provides an information system routing and API scanning test tool, which relates to the technical field of information technology safety test, and comprises the steps of carrying out target survival verification on a target URL, generating a complete absolute URL list, obtaining an independent path component, generating an ordered and de-duplicated path combination queue to be scanned through depth-controllable Cartesian product operation, scanning the path combination queue to be scanned in a multithreading concurrency mode through an intelligent scanning working module, simultaneously acquiring and displaying system resource utilization rate in real time through a system resource monitoring module, receiving and applying configuration parameter updating from a visual interaction interface module in real time through the intelligent scanning working module in the scanning process, collecting and filtering a scanning response result, and storing the result in real time.

Inventors

  • ZHANG YONG
  • WANG JINYI
  • WEI ZIHAN
  • An Kaikai
  • Yu Xianya

Assignees

  • 国网河南省电力公司信息通信分公司
  • 国网河南省电力公司

Dates

Publication Date
20260508
Application Date
20260211

Claims (8)

  1. 1. The information system routing and API scanning test tool is characterized by comprising a JavaScript file analysis module, a path combination generation module, an intelligent scanning work module, a system resource monitoring module and a visual interaction interface module, wherein the test tool is used for executing the following steps: S1, receiving a target URL through the visual interaction interface module, and performing target survival verification; s2, performing dynamic URL extraction on the verified target URL through the JavaScript file analysis module to generate a complete absolute URL list; s3, analyzing the absolute URL list through the path combination generation module to obtain an independent path assembly, and generating an ordered and duplicate-removed path combination queue to be scanned through depth-controllable Cartesian product operation according to preset scanning depth; S4, scanning the path combination queue to be scanned in a multithreading concurrent mode through the intelligent scanning working module, and simultaneously acquiring and displaying the utilization rate of system resources in real time through the system resource monitoring module; S5, in the scanning process, receiving and applying configuration parameter updating from the visual interaction interface module in real time through the intelligent scanning working module, wherein the configuration parameter updating at least comprises the change of scanning depth, concurrent threads, basic paths, request delay and retry times, and the scanning task currently being executed is not required to be interrupted when the updating is applied; And S6, collecting and filtering scanning response results, and storing the results in real time.
  2. 2. The information system routing and API scan test tool of claim 1, wherein said dynamic URL extraction comprises the steps of: S21, analyzing the HTML of the target page, and separating an inline JavaScript script and an external JavaScript script; S22, downloading the content of the external-chain JavaScript file in parallel; S23, matching the content of the inline JavaScript and the content of the external JavaScript file by adopting four layers of nested regular expressions so as to extract URL fragments including a complete URL, a relative path, a path with an extension and a rear-end file path; and S24, splicing, de-duplicating and sequencing the extracted URL fragments and the source URL to generate a complete absolute URL list.
  3. 3. The information system routing and API scan test tool of claim 1, wherein said four-layer nested regular expression of step S23 is written in VERBOSE patterns, comprising: a first regular pattern for matching a complete URL containing http://, https:// or//; a second regular pattern for matching relative paths starting with/,/or/; a third regular pattern for matching paths that contain/characters and end with php, asp, aspx, jsp, json, action, html, js, txt, or xml; a fourth regular pattern for matching file paths that end directly in php, asp, aspx, jsp, json, action, html, js, txt, or xml.
  4. 4. The information system routing and API scan test tool as recited in claim 1, wherein step S3 includes the steps of: S31, analyzing each URL in the absolute URL list, extracting a corresponding path part, dividing the path part into a plurality of path components according to/and filtering empty components; S32, setting a maximum scanning depth N, and for each depth N from 1 to N, calculating N-dimensional Cartesian products of all path components to generate all possible path combinations of corresponding depths; s33, performing de-duplication on path combinations generated by each depth, and checking whether the number of the combinations exceeds a preset single depth upper limit; S34, sorting all path combinations with depth meeting the requirements according to the depth ascending order and the dictionary order to form the path combination queue to be scanned.
  5. 5. The information system routing and API scan test tool as recited in claim 1, wherein step S5 includes the steps of: S51, setting anti-shake delay in the visual interactive interface module, and delaying a preset time to trigger a configuration update signal after user configuration change; S52, transmitting the configuration update signal to the intelligent scanning working module through a cross-thread communication mechanism; s53, implementing atomic operation in the intelligent scanning working module through a mutual exclusion lock, comparing new and old parameters and updating global configuration variables; S54, performing linkage processing according to the parameter change type, namely safely rebuilding a thread pool if the number of threads is changed, filtering paths exceeding the new depth in the path combination queue to be scanned if the scanning depth is reduced, generating path combinations with the new depth only and enqueuing if the depth is increased, and resetting a history record and updating a basic URL if the basic path is changed.
  6. 6. The information system routing and API scan test tool of claim 1, further adapted to perform the steps of: S01, importing and verifying a plurality of target URLs in batches to generate an effective target list; s02, taking each target in the list as a current target in sequence, and automatically executing the steps S2 to S4; S03, generating an independent result file for the scanning result of each current target, and displaying the batch scanning progress in real time; and S04, if the current target fails in the path extraction or scanning process, automatically recording errors and switching to the next target in the list, and continuing to execute the batch scanning flow.
  7. 7. The information system routing and API scan test tool according to claim 1, wherein in step S4, said intelligent scan job module configures an adjustable request delay, number of failed retries, and request timeout time for each scan request and avoids repeated scans by maintaining a set of visited URLs.
  8. 8. The information system routing and API scan test tool of claim 1, wherein said system resource monitor module triggers resource data collection by a timer independent of the scan thread, the collected data including CPU instantaneous usage, memory occupancy, and disk usage obtained by the system library, and pushes the data to said visual interactive interface module for visual presentation.

Description

Information system route and API scanning test tool Technical Field The invention relates to the technical field of information technology safety test, in particular to an information system routing and API scanning test tool. Background Currently, in the technical field of routing and API discovery, the prior art mainly relies on a third party platform (such as Burp Suite plug-in, postman set, etc.) to perform API discovery and testing, and has the problems of data leakage risk and inconvenient use. The existing tool mostly adopts a static dictionary blasting mode, and is difficult to effectively discover an API endpoint dynamically generated by JavaScript, so that the path discovery is incomplete and the report missing rate is high. Meanwhile, the traditional tool lacks real-time analysis capability, cannot dynamically adjust configuration parameters in the scanning process, and is usually restarted after interruption, so that the efficiency is low. In addition, the existing scheme generally lacks real-time monitoring of system resources, is easy to cause resource exhaustion in the scanning process, lacks an intelligent batch mechanism when processing a plurality of targets, depends on manual operation one by one, and has low processing efficiency. For example, the Web crawler-based API interface discovery method disclosed in patent document CN112487055A cannot effectively extract a path dynamically generated by JavaScript, the Web application interface security detection system related to patent document CN113032893a still depends on a predefined interface dictionary, the degree of intelligence is not enough, and the non-patent document "Web application API discovery technical study based on static analysis" is limited to source code analysis, and is difficult to be applied to a black box test scenario. Therefore, how to implement a routing and API scanning tool that does not depend on a third party platform, can intelligently extract a dynamic API path, supports real-time configuration adjustment and resource monitoring, and has efficient batch processing capability has become a technical problem to be solved in the art. Disclosure of Invention Aiming at the technical problems, the invention adopts the following technical scheme: According to the first aspect of the application, an information system routing and API scanning test tool is provided, wherein the tool comprises a JavaScript file analysis module, a path combination generation module, an intelligent scanning work module, a system resource monitoring module and a visual interaction interface module, and the test tool is used for executing the following steps: S1, receiving a target URL through the visual interaction interface module, and performing target survival verification; s2, performing dynamic URL extraction on the verified target URL through the JavaScript file analysis module to generate a complete absolute URL list; s3, analyzing the absolute URL list through the path combination generation module to obtain an independent path assembly, and generating an ordered and duplicate-removed path combination queue to be scanned through depth-controllable Cartesian product operation according to preset scanning depth; S4, scanning the path combination queue to be scanned in a multithreading concurrent mode through the intelligent scanning working module, and simultaneously acquiring and displaying the utilization rate of system resources in real time through the system resource monitoring module; S5, in the scanning process, receiving and applying configuration parameter updating from the visual interaction interface module in real time through the intelligent scanning working module, wherein the configuration parameter updating at least comprises the change of scanning depth, concurrent threads, basic paths, request delay and retry times, and the scanning task currently being executed is not required to be interrupted when the updating is applied; And S6, collecting and filtering scanning response results, and storing the results in real time. The invention has at least the following beneficial effects: The information system routing and API scanning test tool of the invention realizes comprehensive extraction of dynamically generated API paths by introducing the JavaScript file analysis module, effectively solves the technical problems of incomplete path discovery and high missing report rate caused by the traditional dependence on a static dictionary, supports real-time and uninterrupted configuration parameter updating in the scanning process by the intelligent scanning working module, overcomes the efficiency bottleneck of the prior art that scanning is required to be interrupted for adjustment, monitors and feeds back the resource use condition in real time by combining the system resource monitoring module, avoids the system resource exhaustion risk caused by the scanning process, and finally, greatly improves the overall efficiency an