Unmanned Customer Service System Architecture and Security Testing Overview
This article explains the concept and architecture of an unmanned customer service system, outlines its security testing strategy—including interface, vulnerability scanning, privilege and data protection tests—describes database and web security methods, and provides practical command examples and tool recommendations.
What is Unmanned Customer Service
Unmanned customer service integrates JD's existing service entry points and self‑service tools, builds a user‑question prediction system, and optimizes an intelligent operation system to shift from passive handling to proactive resolution, turning the service center from a cost center to a value center. The project includes developing an intelligent command‑driven operation system, a question‑prediction system, a unified process for unmanned service, integration of service entry (POP & self‑operated), and a self‑service form system for quick handling of simple issues.
System Architecture
Backend: Spring, MySQL, JimDb, JMQ, MongoDb, JSF. Frontend: (details omitted in source).
What is Security Testing
Security testing verifies that an IT software product meets defined security requirements and quality standards during its lifecycle, especially from development completion to release.
Unmanned Customer Service Security Testing Content
The security testing plan covers four main areas:
Interface security testing (three types of external interfaces).
Vulnerability scanning (XSS, SQL injection, CSRF, file/folder read, file upload).
Privilege testing (various order query and product review scenarios).
Sensitive information analysis (checking for personal data such as address, phone, ID, etc.).
Database Security (DB) Testing
Includes checking for database system vulnerabilities, ensuring no plaintext sensitive data, and protecting critical data (billing, ID, bank account, phone) via encryption or audit.
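The "no plaintext sensitive data" check above, and the sensitive-information analysis in the test plan, can be automated as a catalogue sweep that classifies every text cell against patterns for the fields the plan names. The following is an added example, not code from the article or from JD's project; it assumes mainland-China style 11-digit mobile numbers and 18-digit citizen IDs, uses a constructed in-memory SQLite database in place of the real MySQL tables, and stands in a ciphertext placeholder for an encrypted phone column. Addresses are not pattern-matched here since they need a dictionary rather than a regex.

```python
import re
import sqlite3

# Assumed formats for the fields named in the test plan (phone, ID, bank account).
# Order matters: an 18-character ID is tried before the looser bank-card rule so
# a citizen ID is not misreported as a card number.
PATTERNS = [
    ("id_number", re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")),
    ("bank_card", re.compile(r"(?<!\d)\d{16,19}(?!\d)")),
    ("phone", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")),
]


def classify(value: str):
    """Return the kind of sensitive data found in a cell, or None."""
    for kind, pattern in PATTERNS:
        if pattern.search(value):
            return kind
    return None


def scan_database(conn: sqlite3.Connection):
    """Walk every table in the catalogue and report (table, column, kind)
    for each text cell that holds a recognizable plaintext sensitive value."""
    findings = set()
    cur = conn.cursor()
    # Table names come from the catalogue, not from user input.
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cur.execute(f'SELECT * FROM "{table}"')
        columns = [d[0] for d in cur.description]
        for row in cur.fetchall():
            for column, value in zip(columns, row):
                if isinstance(value, str):
                    kind = classify(value)
                    if kind:
                        findings.add((table, column, kind))
    return sorted(findings)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: one plaintext phone, one plaintext ID, and one
    phone stored as a ciphertext placeholder (which should not be flagged)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, address TEXT, contact TEXT);
        CREATE TABLE users (id INTEGER, id_card TEXT, phone_enc TEXT);
        INSERT INTO orders VALUES (1, 'Chaoyang District, Beijing', '13800138000');
        INSERT INTO users VALUES (1, '11010519900307123X', 'enc:v1:Q2lwaGVydGV4dA==');
    """)
    return conn


if __name__ == "__main__":
    for table, column, kind in scan_database(build_sample_db()):
        print(f"plaintext {kind} in {table}.{column}")
```

Run against a read replica rather than production, and treat every hit as a row to be encrypted or moved under audit, as the plan requires.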
SQL injection testing is performed with sqlmap, covering Boolean‑based blind, time‑based blind, error‑based, UNION‑based, and stacked queries.
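To see what sqlmap's Boolean-based test is exercising, and what the fix looks like on the application side, here is an added example (not code from the article or from the project) with a string-concatenated query next to its parameterized form, run against a constructed in-memory SQLite table of orders. The order numbers and columns are assumptions. The concatenated version lets a quoted value rewrite the WHERE clause, so the query returns every row; the parameterized version passes the same text as data and matches nothing.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample order table standing in for the MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (order_no TEXT, user_id INTEGER, item TEXT);
        INSERT INTO orders VALUES ('A1001', 1, 'headphones');
        INSERT INTO orders VALUES ('A1002', 2, 'keyboard');
    """)
    return conn


def find_order_vulnerable(conn, order_no: str):
    # The untrusted value becomes part of the SQL text, so a quote in it
    # ends the literal and the rest is interpreted as SQL.
    sql = "SELECT order_no, item FROM orders WHERE order_no = '" + order_no + "'"
    return conn.execute(sql).fetchall()


def find_order_safe(conn, order_no: str):
    # The driver sends the value separately from the SQL text; whatever it
    # contains is compared as a string and can never change the query shape.
    sql = "SELECT order_no, item FROM orders WHERE order_no = ?"
    return conn.execute(sql, (order_no,)).fetchall()


def probe(handler, conn, value: str):
    """Run one lookup and report rows, or the database error it caused.
    An error on a stray quote is what sqlmap's error-based test looks for."""
    try:
        return ("rows", handler(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = setup()
    boolean_payload = "A1001' OR '1'='1"   # the classic Boolean-based probe
    for name, handler in (("vulnerable", find_order_vulnerable),
                          ("safe", find_order_safe)):
        print(name, probe(handler, conn, boolean_payload))
        print(name, probe(handler, conn, "A1001'"))
```

In Spring services the equivalent of the `?` placeholder is `PreparedStatement` parameters or named parameters in the data-access layer; the point the scan report makes is that the fix is in how the query is built, not in filtering the input.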
Example commands:
python sqlmap.py -u "http://www.xxxxxxxx.gov.cn/bxcxnew1.aspx" --forms
python sqlmap.py -u "http://www.xxxxxxxx.gov.cn/bxcxnew1.aspx" --data "myusername=admin&mypassword=admin&Submit=Login" --level=5 --risk=3 --dbs
python sqlmap.py -r D:\data.txt --batch
The first command tests the form fields sqlmap discovers on the page; the second tests the given POST parameters at the highest test level and risk and enumerates the databases; the third replays a request saved to D:\data.txt (for example, one exported from BurpSuite) and accepts the default answer to every prompt.
Web Security Testing Methods
Automated tools (AppScan, WebInspect, Nstalker, WVS, custom Struts2Vul), expert analysis, manual review, and penetration testing are used.
Common web attack vectors include scanning, authentication attacks, privilege escalation, web service interfaces, file upload/download, XSS, CSRF, injection, directory traversal, directory listing, HTTP method abuse, and error handling.
Unmanned Customer Service Web Privilege Testing
Privilege testing is performed by intercepting and modifying requests with BurpSuite. Horizontal privilege tests attempt to access resources of users with the same role, while vertical tests (not applicable here) would involve low‑privilege users accessing higher‑privilege resources.
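The horizontal test described above (intercept an order query, swap in another same-role customer's order number, see whether it is returned) can be expressed as a handler-level check that runs in CI. This is an added example, not code from the article or the project: it assumes a session object carrying the caller's user ID, a constructed order store in place of the real database, and two customers with identical roles. It shows the handler that only authenticates beside one that also authorizes, and a harness that replays the BurpSuite step against either.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Authenticated caller; both test users hold the same ordinary role."""
    user_id: int
    role: str = "customer"


class Forbidden(Exception):
    """Raised when the caller may not see the requested order."""


# Constructed sample data: order number -> owner and contents.
ORDERS = {
    "A1001": {"owner": 1, "item": "headphones"},
    "A1002": {"owner": 2, "item": "keyboard"},
}


def get_order_vulnerable(session: Session, order_no: str) -> dict:
    # Requires a logged-in session but never checks that the order belongs
    # to the caller, so any customer can read any order by editing order_no.
    return ORDERS[order_no]


def get_order_fixed(session: Session, order_no: str) -> dict:
    order = ORDERS.get(order_no)
    # Tie the lookup to the caller's identity. A missing order and another
    # customer's order get the same answer, so the response does not reveal
    # which order numbers exist.
    if order is None or order["owner"] != session.user_id:
        raise Forbidden(order_no)
    return order


def horizontal_privilege_test(handler) -> bool:
    """Replay the interception step: log in as user 1, fetch the user's own
    order, then resend the request with user 2's order number.
    Returns True if the handler leaked the other customer's order."""
    alice = Session(user_id=1)
    own = handler(alice, "A1001")
    if own["owner"] != alice.user_id:
        raise RuntimeError("own-order lookup failed; test setup is wrong")
    try:
        foreign = handler(alice, "A1002")
    except Forbidden:
        return False
    return foreign["owner"] != alice.user_id


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable),
                          ("fixed", get_order_fixed)):
        print(name, "leaks foreign order:", horizontal_privilege_test(handler))
```

The same harness covers the product-review scenarios in the plan by swapping the order store for a review store; the check to look for in the handler is always "does the record belong to the session", not "is the session logged in".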
WVS Tool for Web Vulnerability Scanning
WVS (Web Vulnerability Scanner) automatically crawls a site, launches a series of attacks on discovered pages, reports alerts, and generates a comprehensive report after scanning.
Tool List for Security Testing
No.  Tool name              Notes
1    Fiddler Web Debugger   JS file replacement, HTTP traffic capture
2    Wireshark              Network sniffer
4    Webscarab              Java proxy software
8    sqlmap_jb51            SQL injection scanner
9    WVS scanner            Vulnerability scanning (choose one)
10   NMAP scanner           Port scanning
11   BurpSuite              HTTP traffic capture and replacement (choose one)
12   XssSniper              XSS self-test tool
Source: JD Chengdu Research Institute public account.
JD Retail Technology