CN-122027257-A - Method and device for detecting applet loopholes based on GUI (graphical user interface) agent, electronic equipment and storage medium
Abstract
The application discloses a method, a device, electronic equipment and a storage medium for detecting applet vulnerabilities based on a GUI (graphical user interface) agent, applied to electronic equipment. Specifically, static analysis is performed on the applet to be detected to obtain a global knowledge base of the applet; the GUI agent is driven, based on the global knowledge base, to execute various operations on the applet; two groups of HTTP/HTTPS session records are captured while the operations are executed, comprising the requests and responses of an attacker and the requests and responses of a victim; and whether a BOLA vulnerability exists is determined based on detection over the two groups of HTTP/HTTPS session records. In this technical scheme, static analysis mines deep pages and hidden trigger conditions globally, so that requests that traditional methods find hard to cover can be captured; the GUI agent then uses the page navigation information for accurate path planning, which avoids blind clicking and remarkably improves coverage and efficiency.
Inventors
- Kong Queping
- LI XULONG
- FENG CONG
- WANG CHENG
- YE JIAAN
- ZHOU WEIQI
Assignees
- Guangzhou Municipal Public Security Bureau, Network Security Protection Detachment (广州市公安局网络安全保卫支队)
Dates
- Publication Date: 20260512
- Application Date: 20260129
Claims (10)
- 1. A method for detecting applet vulnerabilities based on a GUI agent, applied to electronic equipment, characterized by comprising the following steps: performing static analysis on the applet to be detected to obtain a global knowledge base of the applet; driving a GUI agent to execute various operations on the applet based on the global knowledge base, and capturing two groups of HTTP/HTTPS session records while the operations are executed, wherein the two groups of HTTP/HTTPS session records comprise requests and responses of an attacker and requests and responses of a victim; and determining, based on detection over the two groups of HTTP/HTTPS session records, whether the applet has a BOLA vulnerability.
- 2. The applet vulnerability detection method of claim 1, wherein performing static analysis on the applet to be detected to obtain a global knowledge base of the applet comprises the steps of: decompiling the applet locally to obtain the source code of the applet; extracting a page list and an entry page of the applet from the source code; and performing static analysis on the page script of each page based on the page list and the entry page to obtain the global knowledge base.
- 3. The applet vulnerability detection method of claim 2, wherein the global knowledge base comprises part or all of: a page list, page subject and function descriptions, page jump relationships and jump conditions, controls that can trigger network requests and their action types, and whether a network request involves an object identifier.
- 4. The applet vulnerability detection method of claim 1, wherein driving the GUI agent to execute various operations on the applet based on the global knowledge base and capturing two groups of HTTP/HTTPS session records while the operations are executed comprises the steps of: generating a navigation structure diagram of the applet based on the global knowledge base; generating, based on the navigation structure diagram, a target for each network request that may contain an object identifier; and driving the GUI agent to operate the applet based on the target, and executing data capture while the applet is operated to obtain the two groups of HTTP/HTTPS session records.
- 5. The applet vulnerability detection method of claim 4, wherein driving the GUI agent to operate the applet based on the target and executing data capture while the applet is operated to obtain the two groups of HTTP/HTTPS session records comprises the steps of: generating a structured prompt based on the target, wherein the structured prompt comprises a step of initializing and logging in a victim account, the page where the target network request is located, the control and action that trigger the request, and the page navigation diagram; inputting the structured prompt into the GUI agent to cause it to operate the applet; while the applet is operated, recording the network request triggered by the victim account to obtain the request and response of the victim; and recording, for an attacker account, the network request executed based on the action sequence performed on the applet, to obtain the request and response of the attacker.
- 6. The applet vulnerability detection method of claim 1, wherein determining whether the applet has a BOLA vulnerability based on detection over the two groups of HTTP/HTTPS session records comprises the steps of: identifying an object identifier in the attacker's request and response; replacing the object identifier with the object identifier of the victim; sending the modified request and collecting the new response; and examining the new response: if sensitive information of the victim is present in the new response, a BOLA vulnerability exists; otherwise, no BOLA vulnerability exists.
- 7. The applet vulnerability detection method of claim 6, wherein the sensitive information is identity information, account information or travel information.
- 8. An applet vulnerability detection device based on a GUI agent, applied to electronic equipment, characterized in that the vulnerability detection device comprises: an application knowledge base construction module configured to perform static analysis on the applet to be detected to obtain a global knowledge base of the applet; an application exploration module configured to drive a GUI agent to execute various operations on the applet based on the global knowledge base and to capture two groups of HTTP/HTTPS session records while the operations are executed, the two groups of HTTP/HTTPS session records comprising a request and a response of an attacker and a request and a response of a victim; and a vulnerability detection module configured to determine whether the applet has a BOLA vulnerability based on detection over the two groups of HTTP/HTTPS session records.
- 9. An electronic device comprising at least one processor and a memory coupled to the processor, wherein: the memory is used for storing a computer program or instructions; and the processor is configured to execute the computer program or instructions to cause the electronic device to implement the applet vulnerability detection method according to any one of claims 1-7.
- 10. A computer-readable storage medium for use with an electronic device, wherein the storage medium carries one or more computer programs executable by the electronic device to cause the electronic device to implement the applet vulnerability detection method of any one of claims 1-7.
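The determination step of claim 6, as an added example that is not code from the patent: it finds the parameter that differs between the two captured sessions, replays the attacker's request with the victim's value, and checks the new response for values seen only in the victim's response. The backends, endpoint path, token names and records are constructed stand-ins so the check runs offline, including an authorization-checking backend for comparison.

```python
import copy
import json

# Constructed test data and in-memory backends (assumptions, not from the patent).
RECORDS = {
    "PLATE-A": {"owner": "attacker-test", "parking": "Lot 1", "entered": "08:00"},
    "PLATE-V": {"owner": "victim-test", "parking": "Lot 7", "entered": "09:30"},
}
SESSIONS = {"tok-attacker": "PLATE-A", "tok-victim": "PLATE-V"}

def vulnerable_backend(request):
    # Returns any record by identifier without checking who is asking.
    return json.dumps(RECORDS.get(request["params"]["plate"], {}))

def fixed_backend(request):
    # Object-level authorization: the session must own the requested object.
    plate = request["params"]["plate"]
    if SESSIONS.get(request["headers"]["token"]) != plate:
        return json.dumps({"error": "forbidden"})
    return json.dumps(RECORDS[plate])

def capture(token, plate, send):
    """Build one session record (request plus response) for an account."""
    req = {"path": "/api/vehicle/track", "headers": {"token": token}, "params": {"plate": plate}}
    return {"request": req, "response": send(req)}

def find_object_ids(attacker_req, victim_req):
    """Parameters present in both requests whose values differ per account."""
    a, v = attacker_req["params"], victim_req["params"]
    return [k for k in a if k in v and a[k] != v[k]]

def sensitive_values(victim_resp, attacker_resp):
    """Victim response values that do not appear in the attacker's own response."""
    v, a = json.loads(victim_resp), json.loads(attacker_resp)
    return {str(x) for x in v.values()} - {str(x) for x in a.values()}

def detect_bola(attacker, victim, send):
    """Replay the attacker's request with the victim's identifiers; report leaked values."""
    ids = find_object_ids(attacker["request"], victim["request"])
    if not ids:
        return False, set()
    replay = copy.deepcopy(attacker["request"])  # keeps the attacker's own token
    for key in ids:
        replay["params"][key] = victim["request"]["params"][key]
    new_resp = send(replay)
    marks = sensitive_values(victim["response"], attacker["response"])
    leaked = {m for m in marks if m in new_resp}
    return bool(leaked), leaked
```

Matching on raw substrings keeps the oracle simple; short or common values can produce false positives, so findings from a check like this still need review.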
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, an electronic device, and a storage medium for detecting applet vulnerabilities based on a GUI agent.

Background
Applets offered by multiple platforms are now widely used because they are lightweight, need no installation and are easy to access. For example, applets on the WeChat platform have over 800 million daily active users and cover numerous scenarios such as livelihood services, transportation and travel, financial services and daily-life services. Users can handle social security inquiries, medical insurance payments, consumer payments, travel, banking and the like through applets, so a large amount of sensitive information such as travel, account and medical information flows through applets, and monitoring sensitive information in applets is therefore very important.

However, the BOLA (Broken Object Level Authorization) vulnerability that is widely present in applets is an important cause of privacy leakage. When an applet does not properly verify whether the requester has access to the target object, an attacker can easily obtain or tamper with other people's sensitive data simply by replacing the object identifier in the API request, such as a userID, order number or license plate number.

For example, in a vehicle track leakage case, an attacker can directly acquire private information such as a vehicle's parking position and entry and exit times by modifying the license plate number in a request, and then illegally sell it for profit, which can even lead to violent crime and threaten the personal and property safety of the user. The currently known vulnerability detection schemes based on random strategies and machine learning strategies suffer from insufficient coverage, so vulnerabilities are easily missed. A new detection scheme is therefore needed to improve the coverage of vulnerability detection, so that corresponding measures can be taken promptly when a vulnerability is found and leakage of users' sensitive information through applets is avoided.

Disclosure of Invention
In view of the above, the present application provides a method, an apparatus, an electronic device, and a storage medium for detecting applet vulnerabilities, which are used for improving the coverage of applet vulnerability detection and achieving comprehensive detection of vulnerabilities.
In order to achieve the above object, the following solutions are proposed:

An applet vulnerability detection method based on a GUI agent, applied to electronic equipment, comprises the following steps: performing static analysis on the applet to be detected to obtain a global knowledge base of the applet; driving a GUI agent to execute various operations on the applet based on the global knowledge base, and capturing two groups of HTTP/HTTPS session records while the operations are executed, wherein the two groups of HTTP/HTTPS session records comprise requests and responses of an attacker and requests and responses of a victim; and determining, based on detection over the two groups of HTTP/HTTPS session records, whether the applet has a BOLA vulnerability.

Optionally, performing static analysis on the applet to be detected to obtain a global knowledge base of the applet comprises the steps of: decompiling the applet locally to obtain the source code of the applet; extracting a page list and an entry page of the applet from the source code; and performing static analysis on the page script of each page based on the page list and the entry page to obtain the global knowledge base.

Optionally, the global knowledge base includes part or all of: a page list, page theme and function descriptions, page jump relationships and jump conditions, controls that can trigger network requests and their action types, and whether a network request involves an object identifier.
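How the knowledge base fields listed above can drive path planning, as an added example that is not code from the patent: it builds a navigation graph from the page jump relationships, creates one target per request flagged as involving an object identifier, and renders the step list a structured prompt would carry. The dictionary layout, field names, page names and URLs are assumptions constructed for illustration.

```python
from collections import deque

# Constructed knowledge base; the field names are assumptions for this example.
KB = {"entry": "pages/index", "pages": {
    "pages/index": {"jumps": [("pages/about", "tap 'About'"), ("pages/login", "tap 'Sign in'")], "requests": []},
    "pages/about": {"jumps": [], "requests": []},
    "pages/login": {"jumps": [("pages/garage", "login succeeds")],
                    "requests": [{"url": "/api/login", "control": "btn-login", "action": "tap", "has_object_id": False}]},
    "pages/garage": {"jumps": [("pages/track", "tap a vehicle row")], "requests": []},
    "pages/track": {"jumps": [],
                    "requests": [{"url": "/api/vehicle/track", "control": "btn-query", "action": "tap", "has_object_id": True}]},
}}

def build_nav_graph(kb):
    """Navigation graph: page -> [(next_page, jump_condition)]."""
    return {page: list(info["jumps"]) for page, info in kb["pages"].items()}

def plan_path(graph, start, goal):
    """Breadth-first search; returns the shortest list of (condition, page) hops, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        page, hops = queue.popleft()
        if page == goal:
            return hops
        for nxt, cond in graph.get(page, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(cond, nxt)]))
    return None

def make_targets(kb):
    """One target per request flagged as possibly carrying an object identifier."""
    graph, targets = build_nav_graph(kb), []
    for page, info in kb["pages"].items():
        for req in info["requests"]:
            path = plan_path(graph, kb["entry"], page) if req["has_object_id"] else None
            if path is not None:  # unflagged requests and unreachable pages get no target
                targets.append({"page": page, "request": req, "path": path})
    return targets

def structured_prompt(target):
    """Numbered steps: victim login, navigation hops, then the triggering control."""
    steps = ["1. Initialize the applet and log in with the victim account."]
    steps += [f"{i}. Go to {page} (condition: {cond})." for i, (cond, page) in enumerate(target["path"], 2)]
    req = target["request"]
    steps.append(f"{len(steps) + 1}. On {target['page']}, {req['action']} {req['control']} to trigger {req['url']}.")
    return "\n".join(steps)
```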
Optionally, driving the GUI agent based on the global knowledge base to execute various operations on the applet and capturing two groups of HTTP/HTTPS session records while the operations are executed comprises the steps of: generating a navigation structure diagram of the applet based on the global knowledge base; generating, based on the navigation structure diagram, a target for each network request that may contain an object identifier; and driving the GUI agent to operate the applet based on the target, and executing data capture