CN-122027290-A - Method and system for JS vulnerability detection and sensitive information mining aiming at intranet scene

Abstract

The invention relates to the technical field of network security detection, in particular to a JS vulnerability detection and sensitive information mining method and system for an intranet scene. In the resource acquisition stage, the method dynamically renders pages and extracts JS resources based on an extensible crawler framework; in the analysis stage, it analyzes the JS resources using a dual-engine mode of AST static analysis and sandbox dynamic execution; in the detection stage, it performs vulnerability verification and sensitive data identification based on a multidimensional joint judgment model. The invention adopts a three-layer architecture of layered analysis, dynamic verification and intelligent mining. It overcomes the limitations of traditional tools in dynamic content capture, code semantic analysis and intranet suitability, significantly improves the coverage and accuracy of intranet JS vulnerability detection, and provides a more reliable guarantee for enterprise intranet security.

Inventors

  • WANG PENGFEI

Assignees

  • 河南中原消费金融股份有限公司

Dates

Publication Date
20260512
Application Date
20260212

Claims (10)

  1. A JS vulnerability detection and sensitive information mining method for an intranet scene, characterized by comprising the following steps: in the resource acquisition stage, dynamically rendering a page based on an extensible crawler framework and extracting JS resources, wherein the dynamic rendering simulates user interaction events through a headless browser to trigger asynchronous loading, and realizes transparent pass-through of enterprise intranet authentication protocols by calling a security authentication interface provided by the operating system; in the analysis stage, analyzing the JS resources using a dual-engine mode of AST static analysis and sandbox dynamic execution, wherein the AST static analysis identifies Fetch API and Axios call chains by traversing the abstract syntax tree to extract interface addresses, tracks hidden interfaces inside closures by means of scope analysis, and identifies delayed requests by means of asynchronous analysis; in the detection stage, performing vulnerability verification and sensitive data identification based on a multidimensional joint judgment model, wherein the sensitive information mining is realized through the cooperation of three layers of recognition engines, comprising syntax-layer recognition based on preset regular-expression rules, semantic-layer recognition based on variable naming analysis, and environment-layer recognition based on execution context tracking, and variable association analysis across multiple JS files is realized through a cross-file symbol table construction algorithm.
  2. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, wherein the security authentication interface comprises the operating system Security Support Provider Interface (SSPI) or the Generic Security Service Application Program Interface (GSS-API), used to auto-negotiate the NTLM or Kerberos authentication protocol and to fall back to NTLMv2 when Kerberos is not available.
  3. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 2, further comprising reading the Kerberos ticket cache of the operating system, automatically initiating a renewal request for a ticket that is about to expire, and dynamically acquiring new service tickets according to domain trust relationships during cross-domain access.
  4. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, further comprising an internal domain name whitelist management step in the resource acquisition stage, wherein all resource links found during dynamic rendering are matched and filtered based on preset intranet domain name patterns, private IP ranges and user-defined rules, and only JS resources associated with successfully matched intranet assets are passed to the subsequent analysis flow.
  5. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, wherein tracking hidden interfaces inside closures by means of scope analysis comprises: while traversing the abstract syntax tree, building an independent scope object for each function node and recording the external variables captured by that scope; and, when a network request call is identified and its URL parameter is a variable, tracing back up the scope chain until the final definition or assignment position of the variable is located.
  6. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, wherein identifying delayed requests by means of asynchronous analysis comprises: identifying setTimeout or Promise constructor nodes in the code and placing their callback functions into a delayed analysis queue; and, after traversal of the abstract syntax tree is completed, processing the callback functions in the delayed analysis queue in sequence, performing recursive AST analysis and interface address extraction on the internal code of each callback function.
  7. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, wherein the sandbox dynamic execution comprises constructing a simulated intranet running context in a virtual machine environment, the context comprising at least a simulated window.location.hostname and document.domain, and hooking the fetch and XMLHttpRequest network request interfaces to capture and record all network requests initiated by the JavaScript code.
  8. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, wherein the response content similarity analysis calculates the edit distance after normalization and masking of dynamic tokens, the time delay feature detection is determined through dynamic baseline establishment and an anomaly threshold, the error information pattern recognition performs hierarchical matching against an error fingerprint library, and the behavioral feature analysis captures non-explicit attack traces by monitoring side-channel signals.
  9. The JS vulnerability detection and sensitive information mining method for an intranet scene of claim 1, wherein the cross-file symbol table construction algorithm comprises: selecting among cross-file same-name variables according to scope depth, performing bidirectional translation between ESM and CommonJS for module import and export relations, generating unique identifiers for cross-file closure functions, and reconstructing the scope chains of the cross-file same-name variables.
  10. A JS vulnerability detection and sensitive information mining system for an intranet scene, characterized by comprising: a resource acquisition module, used for dynamically rendering pages and extracting JS resources based on an extensible crawler framework, wherein the dynamic rendering simulates user interaction events through a headless browser to trigger asynchronous loading, and realizes transparent pass-through of enterprise intranet authentication protocols by calling a security authentication interface provided by the operating system; an analysis module, used for analyzing the JS resources using a dual-engine mode of AST static analysis and sandbox dynamic execution, wherein the AST static analysis identifies Fetch API and Axios call chains by traversing the abstract syntax tree to extract interface addresses, tracks hidden interfaces inside closures by means of scope analysis, and identifies delayed requests by means of asynchronous analysis; and a detection module, used for performing vulnerability verification and sensitive data identification based on a multidimensional joint judgment model, wherein the multidimensional joint judgment model jointly considers the detection results of four dimensions, namely response content similarity, time delay characteristics, error information patterns and behavioral characteristics, the sensitive information mining is realized through the cooperation of three layers of recognition engines, comprising syntax-layer recognition based on preset regular-expression rules, semantic-layer recognition based on variable naming analysis, and environment-layer recognition based on execution context tracking, and variable association analysis across multiple JS files is realized through a cross-file symbol table construction algorithm.
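The sandbox step of claim 7 can be sketched as follows. This is an added example, not code from the patent: it uses Node's built-in vm module as a stand-in for the sandbox, and the hostname, the sample script and the handling of setTimeout (queue the callback, run it after the main script) are assumptions of the example.

```javascript
const vm = require('vm');

// Constructed sample page script: one direct fetch, one timer-gated XHR whose
// URL lives in a closure variable.
const SAMPLE = `
  var base = '/api/v2';
  fetch(base + '/users?dept=' + window.location.hostname.split('.')[0]);
  (function () {
    var hidden = base + '/internal/export';
    setTimeout(function () {
      var x = new XMLHttpRequest();
      x.open('post', hidden);
      x.send();
    }, 5000);
  })();
`;

// The default hostname is a placeholder intranet name (assumption).
function captureRequests(source, hostname = 'portal.corp.example') {
  const requests = [];  // every request the script attempted
  const deferred = [];  // setTimeout callbacks, run after the main script
  const origin = `https://${hostname}`;
  const record = (via, method, url) => requests.push({
    via, method: String(method).toUpperCase(),
    url: new URL(String(url), origin + '/').href,  // resolve relative URLs
  });
  // Hooked fetch: record the call and resolve with an empty stub response.
  const fetch = (url, init = {}) => {
    record('fetch', init.method || 'GET', url);
    return Promise.resolve({ ok: true, status: 200, json: async () => ({}), text: async () => '' });
  };
  // Hooked XMLHttpRequest: open() stores the target, send() records it.
  class XMLHttpRequest {
    open(method, url) { this.method = method; this.url = url; }
    setRequestHeader() {}
    send() { record('xhr', this.method, this.url); }
  }
  const setTimeout = (fn) => { if (typeof fn === 'function') deferred.push(fn); return deferred.length; };
  const window = { location: { hostname, origin, href: origin + '/' }, fetch, XMLHttpRequest, setTimeout };
  const sandbox = { ...window, window, document: { domain: hostname }, console: { log() {} } };
  // vm gives a separate global object, not a security boundary: run the
  // analyzer itself inside a disposable VM or container.
  vm.runInContext(source, vm.createContext(sandbox), { timeout: 1000 });
  // Drain delayed callbacks (bounded) so timer-gated requests are recorded too.
  for (let i = 0; i < 100 && deferred.length; i++) deferred.shift()();
  return requests;
}
```

Nothing leaves the process: both hooks only log, so the recorded list is the set of interface addresses the script would have contacted on the simulated host.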
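The response content similarity dimension of claim 8 (edit distance after normalization and masking of dynamic tokens) is illustrated below. This is an added example, not the patent's implementation: the masking patterns, the similarity formula and the three response bodies are constructed for the illustration.

```javascript
// Masking rules are assumptions of this example; the patent does not list its patterns.
const DYNAMIC_TOKENS = [
  [/\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi, '<uuid>'],
  [/\b\d{4}-\d{2}-\d{2}[t ]\d{2}:\d{2}:\d{2}(?:\.\d+)?z?\b/gi, '<ts>'],
  [/\b[0-9a-f]{32,}\b/gi, '<hex>'],
  [/\b\d{10,13}\b/g, '<epoch>'],
];

// Constructed response bodies: a baseline, a replay that differs only in
// per-request values, and an error page.
const BASELINE = '{"status":"ok","requestId":"3f2b8c1e-9d4a-4e7b-8a11-0c5d6e7f8a90","ts":"2026-02-12T08:00:01Z","items":[]}';
const REPLAY = '{"status":"ok","requestId":"a81d0c77-1b2c-4d3e-9f00-112233445566","ts":"2026-02-12T08:00:09Z","items":[]}';
const ERROR = '{"status":"error","message":"internal server error"}';

// Mask per-request values first, then fold case and whitespace.
function normalize(body) {
  let s = body;
  for (const [re, tag] of DYNAMIC_TOKENS) s = s.replace(re, tag);
  return s.toLowerCase().replace(/\s+/g, ' ').trim();
}

// Levenshtein distance with two rolling rows.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// 1.0 means identical after masking; lower values mean the response changed.
function similarity(x, y) {
  const a = normalize(x), b = normalize(y);
  const longest = Math.max(a.length, b.length);
  return longest === 0 ? 1 : 1 - editDistance(a, b) / longest;
}
```

Without the masking step the baseline and the replay would score below 1.0 purely because of the request ID and timestamp, which is the false-positive source the normalization is meant to remove.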

Description

Method and system for JS vulnerability detection and sensitive information mining aiming at intranet scene

Technical Field

The invention relates to the technical field of network security detection, in particular to a JS vulnerability detection and sensitive information mining method and system for an intranet scene.

Background

With the rapid development of Web application technology, JavaScript plays an increasingly important role in modern Web applications. In intranet environments especially, a great deal of business logic and sensitive information processing depends on front-end JavaScript code. However, potential security vulnerabilities and sensitive information leakage in JavaScript code are increasingly prominent and pose a serious threat to enterprise information security.

Currently, technologies for JavaScript security detection fall into two major categories: static analysis and dynamic detection. In terms of dynamic detection, Chinese patent CN106022135A discloses an automated detection system capable of dynamically judging XSS vulnerabilities, which simulates browser behavior by introducing a library containing a browser kernel, parses JavaScript and loads Ajax to obtain hidden injection points in a page. Similarly, Chinese patent CN104881607B proposes an XSS vulnerability detection system based on simulating browser behavior, which combines a crawler module and a vulnerability detection module to improve the coverage of injection points. In terms of combined static and dynamic detection, Chinese patent CN109462583B provides a reflected vulnerability detection method combining static and dynamic analysis, in which XSS vulnerabilities are detected by combining static taint propagation with dynamic fuzzing.

For security detection in intranet environments, Chinese patent CN110912890B discloses an intranet-oriented vulnerability attack detection system comprising an information collection module, a vulnerability detection module and a vulnerability analysis module, which uses crawler technology to pull PoC-related information from the Internet for vulnerability detection. In terms of code analysis technology, Chinese patent CN115270131B proposes a Java deserialization vulnerability detection method that combines code property graph technology, static analysis and dynamic instrumentation to detect security vulnerabilities in Java applications.

However, the prior art still has a number of defects when performing JavaScript vulnerability detection and sensitive information mining in an intranet environment. Firstly, traditional scanners cannot effectively process content dynamically rendered by modern front-end frameworks (such as React and Vue), so detection coverage of JavaScript interfaces is insufficient, and a large amount of code logic triggered by asynchronous loading and user interaction cannot be effectively analyzed. Secondly, traditional static analysis methods rely mainly on simple techniques such as regular-expression matching, so obfuscated JavaScript code, complex variable passing logic and hidden interfaces inside closures are difficult to handle, detection precision is insufficient and the miss rate is high. Thirdly, the prior art lacks specific adaptation to enterprise-level intranet environments; in particular, support for enterprise authentication protocols such as NTLM and Kerberos is insufficient, so effective resource access and security detection cannot be achieved in complex intranet environments. Finally, traditional detection methods still need improvement in multi-level analysis of cross-file code association, multi-level identification of sensitive information and accuracy of vulnerability verification, and have difficulty meeting the requirements of accurate security detection in the enterprise intranet environment.

Disclosure of Invention

The invention provides a JS vulnerability detection and sensitive information mining method and system for an intranet scene that adopts a three-layer architecture of hierarchical analysis, dynamic verification and intelligent mining. It aims to solve the technical problems of the prior art when performing JS vulnerability detection and sensitive information mining in an intranet environment, namely insufficient dynamic content coverage, insufficient static analysis precision, poor intranet suitability, and low detection efficiency and accuracy. It achieves the technical effects of significantly improving detection coverage and precision, comprehensively improving adaptability to the intranet environment, greatly improving detection efficiency, and enhancing sensitive information mining capability. According to the method, a JS vulnerability detection and sensitive information mining method for an intranet scene