CN-122019356-A - Automated mining system and method for applet API authentication vulnerabilities based on IAST technology
Abstract
The invention provides an automated mining system and method for applet API authentication vulnerabilities based on IAST technology. A data acquisition module collects front-end runtime data through an IAST probe and intercepts network traffic through a global proxy; a data processing and association module fuses the multi-source data and builds an operation context; a dynamic taint analysis module performs fine-grained data flow tracking and generates an API authentication parameter profile; an intelligent test engine module automatically generates targeted test cases according to a vulnerability model library; a test execution and replay module automatically replays the test cases through proxy middleware; and a vulnerability analysis and reporting module performs multi-dimensional intelligent analysis of the responses and generates a vulnerability report. The method achieves accurate, automated mining of applet API authentication vulnerabilities such as horizontal privilege escalation, vertical privilege escalation and token bypass, improves detection efficiency and accuracy, and effectively solves the adaptability problem of traditional methods in the complex authentication scenarios of applets.
Inventors
- Jin Guoao
- ZHU BODI
- LIU XIAO
- LIU PENGJU
- LI KAI
- CUI YIQUN
- YANG DONG
- WANG WENQING
- Deng Nandie
- BI YUBING
- WU LE
- LI DI
- Kuang Zhu
Assignees
- 华能国际电力股份有限公司
- 西安热工研究院有限公司
Dates
- Publication Date: 20260512
- Application Date: 20251208
Claims (10)
- 1. An automated mining system for applet API authentication vulnerabilities based on IAST technology, the system comprising: a data acquisition module configured to collect front-end runtime data of the applet through an IAST probe and to intercept network traffic through a global proxy module; a data processing and association module configured to receive the data from the data acquisition module and perform fusion processing and context construction; a dynamic taint analysis module configured to perform dynamic taint tracking based on the output of the data processing and association module and generate an API authentication parameter profile; an intelligent test engine module configured to automatically generate test cases from the API authentication parameter profile and a vulnerability model library; a test execution and replay module configured to replay the test cases generated by the test engine to the target server through the proxy; and a vulnerability analysis and reporting module configured to receive the server response and output a final vulnerability scanning report according to the judging rules.
- 2. The automated mining system for applet API authentication vulnerabilities based on IAST technology of claim 1, wherein, in the data acquisition module: the IAST probe hooks the WeChat JS-SDK APIs by overriding functions, prototypes and object definitions, and is used to collect function calls, parameters, return values and call stack information; and the global proxy module decrypts HTTPS traffic through a man-in-the-middle proxy architecture and a custom CA certificate, and is used to collect HTTP/HTTPS requests and responses, WebSocket communication and cloud function call traffic.
- 3. The automated mining system for applet API authentication vulnerabilities based on IAST technology of claim 1, wherein the data processing and association module is specifically configured to: perform time-sequence matching between the IAST event stream and the network request stream using a variant of the dynamic time warping algorithm; establish a mapping from front-end operations to back-end requests based on the parsed call stack information; and mark identity identifiers, session tokens and permission parameters according to predefined taint source rules.
- 4. The automated mining system for applet API authentication vulnerabilities based on IAST technology of any one of claims 1 to 3, wherein the dynamic taint analysis module is specifically configured to: add taint propagation logic at the bytecode execution level of the V8 engine to achieve fine-grained data flow tracking; monitor the propagation paths of tainted data through variable assignment, function parameter passing and expression evaluation; and, when tainted data flows into a network request, record the parameter name, location and value, and generate a structured API authentication parameter profile.
- 5. The automated mining system for applet API authentication vulnerabilities based on IAST technology of any one of claims 1 to 3, wherein the vulnerability model library in the intelligent test engine module contains the following test strategies: a horizontal privilege escalation test strategy, used to generate test cases that replace user identification parameters; a vertical privilege escalation test strategy, used to generate test cases that modify role or permission parameters; a token security test strategy, used to generate test cases that remove, tamper with or reuse the authentication token; and a business logic test strategy, used to generate test cases whose parameter combinations violate business rules.
- 6. The automated mining system for applet API authentication vulnerabilities based on IAST technology of any one of claims 1 to 3, wherein the test execution and replay module implements automatic replay of test cases through proxy middleware and is specifically configured to: maintain a complete session context to ensure consistency of the test environment; during request replay, rewrite network request parameters in real time to inject the test cases while preserving the integrity of the other parameters; and fully record all test requests and responses, including detailed information such as request timing, response time and response data, to provide data support for subsequent analysis.
- 7. The automated mining system for applet API authentication vulnerabilities based on IAST technology of any one of claims 1 to 3, wherein the vulnerability analysis and reporting module employs a multi-dimensional analysis method comprising: differential analysis, used to compare the status code, headers and content structure of the original response and the test response; semantic analysis, used to identify access-control semantics in the response through an NLP model; and a machine learning classifier, used to comprehensively evaluate, based on historical data, the confidence that a vulnerability exists; and finally generates a structured report containing vulnerability types, risk levels, PoC requests and repair suggestions.
- 8. An automated mining method for applet API authentication vulnerabilities based on IAST technology, characterized by comprising the following steps: monitoring and collecting front-end runtime data of the applet in real time through IAST probes deployed in the applet runtime environment, and intercepting all network communication traffic between the applet client and the server through a global proxy module; fusing the runtime data and the network traffic, constructing an operation context information chain centered on the network request, and marking sensitive data sources based on predefined taint source rules; based on dynamic taint tracking, analyzing the propagation path of the sensitive data in the JavaScript runtime environment, accurately identifying the key parameters used for authentication in the network request, and generating an API authentication parameter profile; according to a preset vulnerability model library, automatically mutating the API authentication parameter profile to generate a set of test cases for testing authentication vulnerabilities; replaying the test cases to the target API through the global proxy module, and receiving and parsing the server's response; and, based on predefined vulnerability determination rules, intelligently analyzing the response, finally determining whether the target API has an authentication vulnerability, and outputting a vulnerability report.
- 9. An electronic device, comprising: one or more processors; and a storage unit configured to store one or more programs which, when executed by the one or more processors, enable the one or more processors to implement the automated mining method for applet API authentication vulnerabilities based on IAST technology according to claim 8.
- 10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the automated mining method for applet API authentication vulnerabilities based on IAST technology as defined in claim 8.
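The probe and taint-to-profile steps of claims 2 to 4, as an added JavaScript example that is not code from the patent: it overrides one source and one sink function on a constructed mock `wx` object and records which request fields carry tainted values. The storage keys, labels, URL and the `installProbe` helper are assumptions, and taint is matched by value here rather than propagated at the V8 bytecode level as claim 4 describes.

```javascript
// Assumed taint source rules: storage key -> label (identity, token, permission).
const SOURCE_RULES = new Map([["userId", "identity"], ["token", "session_token"], ["role", "permission"]]);

// Constructed stand-in for the applet runtime (Node has no global `wx`).
function makeMockWx() {
  const storage = { token: "tok-constructed-abc", userId: "10001", theme: "dark" };
  return { getStorageSync: (key) => storage[key], request: (opts) => ({ statusCode: 200 }) };
}

// Probe: override the source and sink functions on `wx`, delegating to the originals.
function installProbe(wx) {
  const tainted = new Map(); // tainted value -> label
  const profiles = [];
  const origGet = wx.getStorageSync;
  wx.getStorageSync = function (key) {
    const value = origGet.call(this, key);
    const label = SOURCE_RULES.get(key);
    if (label && typeof value === "string" && value) tainted.set(value, label);
    return value;
  };
  const origRequest = wx.request;
  wx.request = function (opts) {
    const url = new URL(opts.url);
    const fields = [
      ...Object.entries(opts.header || {}).map(([n, v]) => ["header", n, String(v)]),
      ...[...url.searchParams].map(([n, v]) => ["query", n, v]),
      ...Object.entries(opts.data || {}).map(([n, v]) => ["body", n, String(v)]),
    ];
    // Sink: record name, location and value of each field that carries taint.
    const params = fields.flatMap(([location, name, value]) =>
      [...tainted].filter(([tv]) => value.includes(tv))
        .map(([, label]) => ({ name, location, value, label })));
    profiles.push({ method: opts.method || "GET", path: url.pathname, params });
    return origRequest.call(this, opts);
  };
  return profiles;
}

// Constructed applet behaviour: read stored credentials, then call an API with them.
function demo() {
  const wx = makeMockWx();
  const profiles = installProbe(wx);
  const [token, uid, theme] = ["token", "userId", "theme"].map((k) => wx.getStorageSync(k));
  wx.request({
    url: `https://api.example.test/order/detail?uid=${uid}&page=1`,
    method: "POST", header: { Authorization: `Bearer ${token}` }, data: { theme },
  });
  return profiles; // one profile: the Authorization header and the uid query parameter
}
```

Value matching misses taint that has been hashed or re-encoded before it reaches the request, which is the gap that propagation inside the engine closes.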
Description
Automated mining system and method for applet API authentication vulnerabilities based on IAST technology
Technical Field
Embodiments of the invention relate to the technical field of network security and application security testing, and in particular to an automated mining system and method for applet API authentication vulnerabilities based on IAST technology.
Background
The applet ecosystem, WeChat applets in particular, has become an important carrier for internet services. Application logic depends heavily on data interaction between the front-end applet and the back-end server through API interfaces. API authentication is a core mechanism for protecting user data and service resources; it aims to verify the legitimacy of a request and prevent unauthorized access or privilege escalation. As the number of applets has grown rapidly, API authentication vulnerabilities (such as horizontal/vertical privilege escalation, login state bypass and unauthorized interface access) have become one of the main security threats, so efficient and accurate automated detection of these vulnerabilities has important practical significance.
At present, detection of these vulnerabilities relies mainly on three technical paths. The first is manual testing based on a global proxy tool, which is inefficient, narrow in coverage and highly dependent on the experience and skill of the tester. The second is the traditional Dynamic Application Security Testing (DAST) scanner, a black-box tool that has difficulty understanding and simulating the complex login state of applets (such as the mapping between the code generated by wx.login and the cloud-side token), cannot effectively handle obfuscated and encrypted applet code, does not probe authentication logic deeply enough and has a high false-negative rate. The third is Static Application Security Testing (SAST), which can analyze source code directly but is limited by code obfuscation, has no knowledge of runtime state and data flow, and cannot effectively verify that a vulnerability really exists. With the prior art it is therefore difficult to achieve deep, automated mining of applet API authentication vulnerabilities.
To overcome these technical limitations, the present invention proposes an innovative automated mining solution. Its core is an effective API authentication vulnerability detection system built by deeply fusing Interactive Application Security Testing (IAST) technology with traffic analysis technology. IAST probes implanted in the applet runtime environment capture front-end sensitive operations, the authentication credential generation process and data flows in real time; at the same time, a traffic proxy intercepts network requests, and the two are analyzed in association so that the authentication chain is described accurately. Finally, an intelligent test engine based on dynamic taint tracking and semantic analysis automatically generates, replays and verifies vulnerability test cases, achieving efficient, accurate and automated mining of applet API authentication vulnerabilities and effectively overcoming the shortcomings of the prior art.
Disclosure of Invention
Embodiments of the invention aim to solve at least one of the technical problems existing in the prior art, and provide an automated mining system and method for applet API authentication vulnerabilities based on IAST technology.
In a first aspect, an embodiment of the present invention provides an automated mining system for applet API authentication vulnerabilities based on IAST technology, the system comprising: a data acquisition module configured to collect front-end runtime data of the applet through an IAST probe and to intercept network traffic through a global proxy module; a data processing and association module configured to receive the data from the data acquisition module and perform fusion processing and context construction; a dynamic taint analysis module configured to perform dynamic taint tracking based on the output of the data processing and association module and generate an API authentication parameter profile; an intelligent test engine module configured to automatically generate test cases from the API authentication parameter profile and a vulnerability model library; a test execution and replay module configured to replay the test cases generated by the test engine to the target server through the proxy; and a vulnerability analysis and reporting module configured to receive the server response and output a final vulnerability scanning report according to the judging rules.
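The differential-analysis step of the vulnerability analysis and reporting module, as an added JavaScript example that is not code from the patent: it compares the original response with the response to a replayed test case by status code, selected headers and JSON structure. The sample responses, the header list, the 0.9 threshold and the `judge` rule are assumptions.

```javascript
// Reduce a parsed JSON body to its structure: key paths and value types, no values.
function skeleton(value, path = "$", out = []) {
  if (Array.isArray(value)) {
    out.push(`${path}:array`);
    if (value.length) skeleton(value[0], `${path}[]`, out);
  } else if (value !== null && typeof value === "object") {
    out.push(`${path}:object`);
    for (const key of Object.keys(value).sort()) skeleton(value[key], `${path}.${key}`, out);
  } else {
    out.push(`${path}:${value === null ? "null" : typeof value}`);
  }
  return out;
}

// Bodies that are not JSON (plain-text or HTML error pages) get a single marker.
function bodySkeleton(body) {
  try { return skeleton(JSON.parse(body)); } catch { return ["$:non-json"]; }
}

// Differential analysis of status code, selected headers and content structure.
function diffResponses(original, test) {
  const a = bodySkeleton(original.body), b = new Set(bodySkeleton(test.body));
  const shared = a.filter((p) => b.has(p)).length;
  const union = new Set([...a, ...b]).size;
  const header = (r, h) => (r.headers || {})[h] || "";
  return {
    statusChanged: original.status !== test.status,
    headersChanged: ["content-type", "www-authenticate"]
      .filter((h) => header(original, h) !== header(test, h)),
    structureSimilarity: shared / union, // Jaccard index over structure paths
  };
}

// Assumed judging rule for a test case that replaced the user identifier.
function judge(original, test) {
  if (test.status === 401 || test.status === 403) return "enforced";
  const d = diffResponses(original, test);
  if (!d.statusChanged && d.structureSimilarity >= 0.9) return "suspected";
  return "inconclusive"; // e.g. HTTP 200 with an error envelope: left to semantic analysis
}

// Constructed sample responses (not captured traffic).
const JSON_HEADERS = { "content-type": "application/json" };
const ORIGINAL = { status: 200, headers: JSON_HEADERS,
  body: '{"code":0,"data":{"orderId":"A-7","owner":"10001","items":[{"sku":"s1","qty":2}]}}' };
const REPLACED_ID = { status: 200, headers: JSON_HEADERS,
  body: '{"code":0,"data":{"orderId":"B-9","owner":"10002","items":[{"sku":"s4","qty":1}]}}' };
const ERROR_ENVELOPE = { status: 200, headers: JSON_HEADERS,
  body: '{"code":403,"msg":"permission denied"}' };
```

A back end that reports denial inside an HTTP 200 envelope defeats status-code comparison alone, which is why the structure comparison and a later semantic stage are both needed.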
In a second aspect, an embodiment of the present invention provides an automatic mining method for an applet API authentication vulnerability based on IAST technology, where the method includes: Monito