CN103944900A - Cross-site request attack defense method and device based on encryption - Google Patents

Cross-site request attack defense method and device based on encryption

Info

Publication number: CN103944900A (granted as CN103944900B)
Application number: CN201410158128.0A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: request, client, random number, token, attack
Legal status: Granted; active (status as listed by Google Patents)
Inventors: 崔肖君, 蒋东辰, 孙毓忠
Original assignee: Institute of Computing Technology of CAS
Current assignee: Beijing Zhongke Flux Technology Co ltd
Classification: Computer And Data Communications

Abstract

The invention discloses an encryption-based cross-site request attack defense method, applied to a system comprising a client and a server. The method includes an identity authentication step, a client-side attack defense step and a server-side attack defense step. In the identity authentication step, the server authenticates the identity of the client. In the client-side attack defense step, a client verified as a legitimate user in the identity authentication step receives a random-number token sent by the server, and its subsequent requests are encrypted with the random-number token, becoming encrypted requests. In the server-side attack defense step, when the server receives a subsequent encrypted request from the legitimate user's client, it uses the random-number token to decrypt and verify the request, thereby achieving cross-site request attack defense. The invention further discloses an encryption-based cross-site request attack defense device.

Description

Encryption-based cross-site request attack defense method and device
Technical field
The present invention relates to network security, mainly browser security and web application security. More specifically, it relates to a method and system for defending against cross-site request forgery attacks that usurp a user's privileges.
Background technology
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to perform operations the user did not intend on a web application to which the user is currently logged in. Its target is the user rather than the web application, and it needs no browser vulnerability: it exploits an already authenticated session and the implicit-authentication weakness of the application.
CSRF is a comparatively obscure attack. A victim who carelessly clicks a malicious link is exploited; in essence the attacker usurps the victim's identity and sends malicious requests in the victim's name. What the attacker can do includes sending mail and messages, stealing the account, buying goods and transferring virtual currency; the resulting problems include disclosure of personal privacy and loss of property. The consequences of an attack depend on the functionality exploited and the victim's privileges.
In the prior art, because the Hypertext Transfer Protocol (HTTP) is itself a stateless protocol and cannot associate two consecutive requests, state is recorded and consecutive requests of the same user are associated through authentication information such as cookies, sessions and HTTP authentication. For example, after a user authenticates successfully, the browser obtains a cookie identifying the user; as long as the browser is not closed and the user does not log out, every request the browser sends to that site carries the cookie "automatically", without user intervention and regardless of whether the request originates from a link provided by the application, from a Uniform Resource Locator (URL) received elsewhere, or from any other source. The site server identifies the user by the cookie: if it receives a request carrying the victim's cookie, it treats the request as sent by the logged-in victim, regards it as a valid and confirmed request, and performs the "trusted action", which gives the attacker an opening. This authentication mechanism guarantees that a request comes from a particular user's browser to the target site, but it cannot guarantee that the request was really sent, or approved, by that user. The root cause of CSRF is that the web site verifies the web browser rather than the user.
Fig. 1 is a schematic diagram of a CSRF attack. In step 1 the user requests a protected page of the protected site; in step 2 the site server prompts the user for authentication information; in step 3 the user submits a user name and password; in step 4 the site server verifies the user information, establishes a valid session and generates a cookie identifying the user; in steps 5-8 the user sends normal requests to the site server, which processes them and returns responses. Steps 9-11 are the attacker's attack process: in step 9 the victim visits a malicious site; in step 10 the malicious site returns content to the user that contains a malicious request addressed to the protected site; in step 11 the user carelessly clicks the malicious link, or the page itself automatically issues the request to the protected site, and the browser sends the request with the user's cookie for that site attached. Because the request carries the cookie, the site server treats it as a legitimate request from the logged-in user, processes it, and thereby carries out the attacker's malicious action.
At present there are mainly three methods of defending against cross-site request forgery:
The first is to require POST requests: for important write operations the site accepts only POST requests, so that a forged GET request cannot trigger them. Its shortcoming is that any GET request can be reconstructed as a form that is submitted by POST, so the method only raises the difficulty of an attack and cannot actually prevent cross-site request forgery.
The second is to verify a token: a randomly generated token is added to the HTTP request as a parameter, and an interceptor at the server end verifies it; if the request carries no token or the token content is incorrect, the request is regarded as a possible CSRF attack and the change is refused. Such a "verification token" can easily be guessed by a logged-in user; developers also often forget to implement the check; and the token itself is difficult to keep secret, since it may leak to other sites through the URL or the HTTP Referer header. The method is disclosed in: Nenad Jovanovic, Engin Kirda and Christopher Kruegel, "Preventing cross site request forgery attacks", IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.
The third is to check the HTTP Referer header. (The Referer is part of the HTTP header; when the browser sends a request to a web server it generally includes the Referer to tell the server from which page the link was followed, and the server uses it to obtain information for processing.) By checking the Referer header, the server accepts only requests from trusted sources. But because the Referer reveals private content such as the user's browsing history, sending the Referer header is frequently disabled, and many HTTP requests arrive without it. The method is disclosed in: A. Barth, C. Jackson and J. C. Mitchell, "Robust Defenses for Cross-Site Request Forgery", Proc. 15th ACM Conf. Computer and Communications Security, ACM Press, 2008, pp. 75-87.
It can be seen that the solutions in the prior art cannot defend well against cross-site request forgery for existing servers; a method that defends effectively against such attacks is therefore needed.
Summary of the invention
The technical problem to be solved by the invention is to provide an encryption-based cross-site request attack defense method and device, so as to overcome the prior art's inability to defend well against cross-site request attacks.
To achieve the above purpose, the invention provides an encryption-based cross-site request attack defense method, applied to a system comprising a client and a server, characterized in that the method comprises:
An identity authentication step: the server authenticates the identity of the client;
A client-side attack defense step: a client verified as a legitimate user in the identity authentication step receives a random-number token sent by the server and uses the random-number token to encrypt its subsequent requests, which become encrypted requests;
A server-side attack defense step: when the server receives a subsequent encrypted request from the legitimate user's client, it uses the random-number token to decrypt and verify the request, thereby achieving cross-site request attack defense.
In the above encryption-based cross-site request attack defense method, the server-side defense step comprises:
A page determination step: determining whether the page the client accesses is a protected page or a publicly accessible page;
A random-number token generation step: generating the random-number token for the verified legitimate user's client and sending it to that client, the random-number token being associated with the legitimate user's session id.
In the above method, the client-side defense step comprises:
A token extraction step: the legitimate user's client receives the random-number token sent by the server and extracts it;
A request determination step: determining, from whether the domain name of the source site server and the domain name of the destination site server are the same, whether the request was issued by this client application; if it was, encrypting the request with the random-number token; if not, sending it directly;
A request encryption step: the legitimate user's client encrypts the content of the request to be sent to the server with the random-number token;
A request sending step: sending the encrypted request to the server.
In the above method, the server-side defense step further comprises:
A decryption step: decrypting the encrypted request sent by the client with the token as the key, so as to verify the legitimacy of the encrypted request;
A business processing step: performing the corresponding business processing according to the decrypted request.
In the above method, the random-number token generation step further comprises:
A user-not-logged-in step: if the user's session id is not found, the user is judged not to be logged in; login authentication is performed again, and the random-number token and a session id are generated for the client of the user who passes authentication;
A user-logged-in step: if the user's session id is found, the user is judged to be logged in and the client is the legitimate user's client.
In the above method, the decryption step further comprises:
A token lookup step: looking up, by the legitimate user's session id, the random-number token associated with that session id;
An original-request decryption step: decrypting the request sent by the client with the random-number token obtained in the token lookup step, to obtain the client's original request.
In the above method, the business processing step further comprises:
A decryption success step: if the original-request decryption step decrypts the request successfully, performing business processing according to the request;
A decryption failure step: if the original-request decryption step fails to decrypt the request, performing no business processing and issuing a warning to the legitimate user.
The invention also provides an encryption-based cross-site request attack defense device that uses the above encryption-based cross-site request attack defense method, the method being applied to a system comprising a client and a server, characterized in that the device comprises:
An identity authentication module, for the server to authenticate the identity of the client;
A client-side attack defense module: a client verified as a legitimate user in the identity authentication step receives the random-number token sent by the server and uses the random-number token to encrypt its subsequent requests, which become encrypted requests;
A server-side attack defense module: when the server receives a subsequent encrypted request from the legitimate user's client, it uses the random-number token to decrypt and verify the request, thereby achieving cross-site request attack defense.
In the above encryption-based cross-site request attack defense device, the server-side defense module comprises:
A page determination module: determines whether the page the client accesses is a protected page or a publicly accessible page;
A random-number token generation module: generates the random-number token for the verified legitimate user's client and sends it to that client, the random-number token being associated with the legitimate user's session id.
In the above device, the client-side defense module comprises:
A token extraction module: the legitimate user's client receives the random-number token sent by the server and extracts it;
A request determination module: determines, from whether the domain name of the source site server and the domain name of the destination site server are the same, whether the request was issued by this client application; if it was, encrypts the request with the random-number token; if not, sends it directly;
A request encryption module: encrypts the content of the request the legitimate user's client sends to the server with the random-number token;
A request sending module: sends the encrypted request to the server.
In the above device, the server-side defense module further comprises:
A decryption module: decrypts the encrypted request sent by the client with the token as the key, so as to verify the legitimacy of the encrypted request;
A business processing module: performs the corresponding business processing according to the decrypted request.
In the above device, the random-number token generation module further comprises:
A user-not-logged-in module: if the user's session id is not found, the user is judged not to be logged in; login authentication is performed again, and the random-number token and a session id are generated for the client of the user who passes authentication;
A user-logged-in module: if the user's session id is found, the user is judged to be logged in and the client is the legitimate user's client.
In the above device, the decryption module further comprises:
A token lookup module: looks up, by the legitimate user's session id, the random-number token associated with that session id;
An original-request decryption module: decrypts the request sent by the client with the random-number token obtained by the token lookup module, to obtain the client's original request.
In the above device, the business processing module further comprises:
A decryption success module: if the original-request decryption module decrypts the request successfully, performs business processing according to the request;
A decryption failure module: if the original-request decryption module fails to decrypt the request, performs no business processing and issues a warning to the legitimate user.
Compared with existing cross-site request attack defense techniques, the invention has the following beneficial effects:
1. No modification of existing site server code: cross-site request forgery can be defended against through simple configuration. Existing defense techniques require the site server code to be modified before they can work; for applications that are already developed and mature, adopting such a technique means redeveloping or modifying the application, which not only consumes substantial resources but can also reduce performance considerably, so defenses that require the site server to be modified spread very slowly;
2. Broad applicability: no special requirement is placed on the application to be protected, and no particular development technology is required; applications developed in JAVA, PHP, ASP and other technologies can all use the method proposed by the invention;
3. Simple to use: no user interaction is needed, no user-defined whitelist is needed, and users of the application need no security knowledge, which lowers the difficulty of use;
4. Because the URL request is encrypted, the attacker cannot learn the concrete form of the request (the invoked page, its parameters, and so on), which makes it harder for the attacker to understand the application being attacked and harder to carry out an attack.
Brief description of the drawings
Fig. 1 is a schematic diagram of a CSRF attack;
Fig. 2 is a schematic flow chart of the steps of the method of the invention;
Fig. 3 is a schematic flow chart of the detailed steps of the method of the invention;
Fig. 4 is a schematic flow chart of the server side of the CSRF defense provided by the invention;
Fig. 5 is a schematic flow chart of the client side of the cross-site attack defense method of the invention;
Fig. 6 is a schematic structural diagram of the cross-site request attack defense device of the invention;
Fig. 7 is a detailed schematic structural diagram of the cross-site request attack defense device of the invention.
Reference numerals:
100 identity authentication module
200 client-side attack defense module
300 server-side attack defense module
201 token extraction module
202 request determination module
203 request encryption module
204 request sending module
301 page determination module
302 random-number token generation module
303 decryption module
304 business processing module
S1~S3, S21~S24, S31~S34, S321~S322, S331~S332, S341~S342: the steps of the various embodiments of the invention
Detailed description of the embodiments
Specific embodiments of the invention are given below; the invention is described in detail through concrete embodiments with reference to the accompanying drawings.
The invention proposes a method that uses a random number (token) as a key to encrypt URLs, and thereby defends against cross-site request forgery. To this end, the invention relies on a random number, generated by the site server, that an attacker finds difficult to guess, and encrypts URLs with that random number; because the attacker cannot capture the random number by sniffing, packet capture or similar means, the attacker cannot forge a correct request. Even though the browser automatically attaches the logged-in user's cookie to the forged request, the request is not one the site server recognises, so the site server disregards it, and cross-site request forgery is thereby defended against.
The invention mainly involves two classes of entity: the client (the user, who accesses the application site through a browser) and the server (the server on which the application site is deployed).
The encryption-based cross-site request attack defense method provided by the invention is applied to a system comprising a client and a server. Fig. 2 is a schematic flow chart of the steps of the method; as shown in Fig. 2, the method comprises:
Identity authentication step S1: the server authenticates the identity of the client;
Client-side attack defense step S2: a client verified as a legitimate user in the identity authentication step receives the random-number token sent by the server and uses the random-number token to encrypt its subsequent requests, which become encrypted requests;
Server-side attack defense step S3: when the server receives a subsequent encrypted request from the legitimate user's client, it uses the random-number token to decrypt and verify the request, thereby achieving cross-site request attack defense.
The client-side attack defense step S2 comprises:
Token extraction step S21: the legitimate user's client receives the random-number token sent by the server and extracts it;
Request determination step S22: determine, from whether the domain name of the source site server and the domain name of the destination site server are the same, whether the request was issued by this client application; if it was, encrypt it with the random-number token; if not, send it directly;
Request encryption step S23: the legitimate user's client encrypts the content of the request it sends to the server with the random-number token;
Request sending step S24: the encrypted request is sent to the server.
The server-side attack defense step S3 comprises:
Page determination step S31: determine whether the page the client accesses is a protected page or a publicly accessible page;
Random-number token generation step S32: generate the random-number token for the verified legitimate user's client and send it to that client, the random-number token being associated with the legitimate user's session id;
Decryption step S33: decrypt the encrypted request sent by the client with the token as the key, so as to verify the legitimacy of the encrypted request;
Business processing step S34: perform the corresponding business processing according to the decrypted request.
Fig. 3 is a schematic flow chart of the detailed steps of the method; as shown in Fig. 3, the random-number token generation step S32 further comprises:
User-not-logged-in step S321: the user's session id is not found, so the user is judged not to be logged in; login authentication is performed again, and the random-number token and a session id are generated for the client of the user who passes authentication;
User-logged-in step S322: the user's session id is found, so the user is judged to be logged in and the client is the legitimate user's client.
The decryption step S33 further comprises:
Token lookup step S331: look up, by the legitimate user's session id, the random-number token associated with that session id;
Original-request decryption step S332: decrypt the request sent by the client with the random-number token obtained in the token lookup step, to obtain the client's original request.
The business processing step S34 further comprises:
Decryption success step S341: if the original-request decryption step decrypts the request successfully, perform business processing according to the request;
Decryption failure step S342: if the original-request decryption step fails to decrypt the request, perform no business processing and issue a warning to the legitimate user.
To better introduce the principle of the technical solution of the invention, a specific example of a cross-site request forgery attack is given first.
Suppose user A has logged in to his own bank account and the site server has returned a session id to A as authentication information for the session. A has a deposit at the bank. Sending the HTTP request http://bank.example/withdraw?account=A&amount=10000&for=B to the bank's web site transfers 10000 of A's deposit to B's account. When this request reaches the bank site, the site server first verifies whether the request comes from a valid session and whether the user of that session is logged in; if the request carries A's session id, the site server regards the operation as issued by the logged-in user A.
Suppose an attacker B also has an account at this bank and, from his familiarity with the bank site, knows that the above URL performs a transfer. B can send the request http://bank.example/withdraw?account=A&amount=10000&for=B to the bank himself, but because the request comes from B rather than A it carries none of A's authentication information, cannot pass the security check, and has no effect.
B therefore turns to the CSRF attack pattern. On a web site he controls, he places an element (an image tag, for instance) whose source is src="http://bank.example/withdraw?account=A&amount=10000&for=B", and lures A to visit his site with advertisements, prize notices and the like. If A is logged in to the bank site at the time and opens the malicious site in a new tab, A's browser sends the above URL to the bank as a GET request; because A is logged in, the browser attaches A's session id, and if A's session with the bank has not expired, the bank site, which identifies the user by session id, takes it to be a request sent by A. The tragedy is done: the bank site treats the request as legitimate and processes it, the money is transferred from A's account to B's, and A knows nothing of it. When A finds the money missing and asks the bank to check its logs, all that can be found is a legitimate request, coming from A himself, that moved the funds, with no trace of an attack.
That briefly introduces the principle of cross-site request forgery. In the invention, the site server determines whether the content being requested is protected content; if it is, it prompts the user for verification information such as user name and password, generates the session id of the session and a random-number token, and sends them to the client. In the user's subsequent requests, the client encrypts the URL request content with the random-number token and then sends the request. The site server finds the corresponding token by the session id and decrypts the URL request; a request that decrypts successfully was encrypted with the random-number token, which only the client user knows, and is therefore a legitimate request, so the site server performs the related business processing according to the request content. Because the attacker cannot obtain the random number, he cannot correctly encrypt a forged request; even though the browser automatically attaches the logged-in user's session id to the forged request, decryption fails, and the site server not only performs no business processing but also warns the user. Cross-site request forgery is thereby defended against.
Below with reference to above-described embodiment and accompanying drawing, the step of the embodiment of the present invention is elaborated.
Fig. 4 is the server end schematic flow sheet that defence CSRF provided by the invention attacks, and as shown in Figure 4, the key step of server end comprises:
10, judge whether it is the protection page;
20, judge whether user logins;
30, the request of encrypting is decrypted;
40, Business Processing.
Concrete a kind of execution mode is as follows:
10, judge whether the requested page is a protected page. Applications are generally divided into public pages and protected pages.
1) Public pages, such as login.html and index.html, can be accessed without logging in. Because they involve no important operations they cannot do harm, so the site server can carry out the corresponding business processing directly according to the request.
2) Protected pages can only be accessed by a logged-in user and therefore require user authentication; examples are changing the user's password or personal information, and transferring funds. For these the site server must judge whether the user is logged in and whether the current session is legitimate.
20, judge whether the user is logged in. Whether the user is logged in, and whether a legitimate session exists, is judged from whether the session id is valid.
1) If there is no session id, the user has not logged in or the session has expired, and login authentication must be performed again. This mainly comprises the following steps:
11) jump to the login interface and prompt the user to enter authentication information (usually a username and password);
12) the site server verifies whether the entered username and password are correct; if they are not, it jumps back to the login page and asks the user to re-enter the authentication information;
13) after verification succeeds, the site server creates a legitimate session, generates the session id and the random number token associated with the user's session, returns the page the user requested, and returns the session id and the random number token to the client.
2) If a session id is present, the user has logged in successfully and the client holds the random number token sent by the site server. Any subsequent request, if it is legitimately issued by the application, should be encrypted with the random number token.
30, decrypt the encrypted request. A logged-in user holds the random number token returned by the site server, so every subsequent request issued by this application should be encrypted with the token as the key. Since an attacker does not possess the token, a request that cannot be decrypted correctly is likely to be forged by an attacker.
1) Using the session id in the request, look up the corresponding token in the session id/token association table stored on the site server.
2) Decrypt the encrypted part of the request (the invoked page, parameters, etc.) with the token to obtain the original request sent by the client.
40, business processing.
1) If decryption with the token succeeds, the request was encrypted with the token issued by the site server and is a legitimate request sent by the application, so the site server carries out the corresponding business processing according to the request.
2) If decryption fails, the request was encrypted with a wrong key, possibly a token guessed by an attacker and used to encrypt a forged request, or the request was not encrypted at all. In either case the site server does not process it and sends a corresponding warning to the user.
Fig. 5 is a schematic flow chart of the client side of the cross-site attack defence method of the present invention. As shown in Fig. 5, the main client-side steps are:
50, extract the token;
60, judge whether the request was issued by this application;
70, encrypt the request;
80, send the request.
One concrete implementation is as follows:
50, extract the token. The client extracts from the site server's response the token that the server end sends to the client. The token may be carried back in the response page of the site server or transmitted separately.
60, judge whether the request was issued by this application. Compare the source website server that issued the request with the fully qualified domain name of the destination website: if they match, the request is considered to have been issued by this application; otherwise it is not.
1) If the request was issued by this application, encrypt it with the token.
2) If the request was not issued by this application, leave it untouched and send it directly.
70, encrypt the request. Part of the content of the URL request (the invoked page, parameters, etc.) is encrypted; the application's server address and the like in the URL are still sent in plaintext so that the request can be correctly delivered to the server end. The encryption operation can be performed by a plug-in issued by the application.
For example, for the URL http://bank.example/withdraw?account=A&amount=10000&for=B from the example above, the part "withdraw?account=A&amount=10000&for=B" is encrypted with the token sent by the server. It should be understood that the present invention may use other encryption schemes; the specific embodiment described here only serves to explain the invention and is not intended to limit it.
80, send the request. The encrypted request is sent to the server end.
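The server-side steps 10 to 40 and the client-side steps 50 to 80 above, run end to end as one added example. This is illustration code written for this page, not the patent's own implementation. Everything not stated in the patent is an assumption and is marked as such in the code: the protected paths /withdraw and /change_password, the constructed user "alice", the convention that the encrypted path-and-query travels in a single query parameter r while the host stays in plaintext, and the cipher itself. The patent leaves the cipher open; the stand-in here derives an HMAC-SHA256 keystream and an HMAC tag from the random number token (encrypt-then-MAC) so that it runs on the Python standard library alone. A real deployment would use an authenticated cipher such as AES-GCM. The tag matters for the scheme: the "decryption fails" branch of step 40 only exists if the cipher can tell a wrong or guessed key apart from the right one, which an unauthenticated stream or CTR mode cannot do.

```python
# Added example: both flows of the patent (server steps 10-40, client steps 50-80). Not the patent's code.
# Cipher is a stdlib stand-in (HMAC-SHA256 keystream + HMAC tag); use AES-GCM in practice.
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qsl, urlsplit

# ---- shared primitive: authenticated encryption keyed by the session's random number token ----
def _subkeys(token):
    return (hmac.new(token, b"enc", hashlib.sha256).digest(),
            hmac.new(token, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    blocks, i = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]

def encrypt(token, plaintext):
    """Returns base64url(nonce || ciphertext || tag) without '=' padding, safe inside a URL."""
    enc_key, mac_key = _subkeys(token)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")

def decrypt(token, blob):
    """Returns the plaintext, or None when the tag does not verify (wrong or guessed token)."""
    enc_key, mac_key = _subkeys(token)
    try:
        raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return None
    if len(raw) < 48:                                  # shorter than nonce + tag: not from encrypt()
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- site server: steps 10 (protected page?), 20 (logged in?), 30 (decrypt), 40 (business) ----
PROTECTED = {"/withdraw", "/change_password"}   # assumed protected pages; everything else is public

class SiteServer:
    def __init__(self):
        self.users = {"alice": "correct horse battery"}   # constructed credential store
        self.sessions = {}                                 # session id -> random number token

    def login(self, user, password):
        """Step 13): on a correct password create the session, its id and its random number token."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        sid, token = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.sessions[sid] = token
        return sid, token

    def handle(self, sid, url):
        """Returns (status, path, params); only status 'ok' reaches business processing."""
        u = urlsplit(url)
        params = dict(parse_qsl(u.query))
        if "r" in params:                                  # encrypted request carried in 'r' (assumed)
            token = self.sessions.get(sid)                 # step 30/1): token looked up via session id
            if token is None:
                return ("login_required", None, None)
            plain = decrypt(token, params["r"])            # step 30/2)
            if plain is None:                              # step 40/2): refuse and warn the user
                return ("rejected", "decryption failed: possible forged request", None)
            inner = urlsplit(plain.decode())
            return ("ok", inner.path, dict(parse_qsl(inner.query)))   # step 40/1)
        if u.path not in PROTECTED:                        # step 10: public page, processed directly
            return ("ok", u.path, params)
        if sid not in self.sessions:                       # step 20/1): no session, go to login
            return ("login_required", None, None)
        return ("rejected", "protected page requested without token encryption", None)

# ---- client plug-in: steps 50 (token), 60 (own request?), 70 (encrypt), 80 (send) ----
class ClientPlugin:
    def __init__(self, token):
        self.token = token                                 # step 50: token taken from the login response

    def prepare(self, url, initiator_host):
        """Step 60/70: encrypt path and query only when the initiating page is the target site."""
        u = urlsplit(url)
        if initiator_host != u.hostname:                   # a foreign page initiated it: send unchanged
            return url
        inner = u.path + ("?" + u.query if u.query else "")
        return f"{u.scheme}://{u.netloc}/?r={encrypt(self.token, inner.encode())}"  # host stays plaintext

def demo():
    """A legitimate request, a classic CSRF attempt and a guessed-token forgery against one server."""
    server = SiteServer()
    sid, token = server.login("alice", "correct horse battery")
    plugin = ClientPlugin(token)
    target = "http://bank.example/withdraw?account=A&amount=10000&for=B"
    legit = server.handle(sid, plugin.prepare(target, initiator_host="bank.example"))
    # attacker.example embeds the URL: the browser still attaches sid, but the plug-in does not encrypt
    csrf = server.handle(sid, plugin.prepare(target, initiator_host="attacker.example"))
    # the attacker guesses a token: the tag does not verify, so decryption fails
    guessed = server.handle(sid, f"http://bank.example/?r={encrypt(secrets.token_bytes(32), b'/withdraw?for=B')}")
    public = server.handle(None, "http://bank.example/index.html")   # no session needed
    return legit, csrf, guessed, public
```

Running demo() yields the four outcomes the description enumerates: the request initiated from bank.example decrypts to /withdraw with its parameters and reaches business processing; the same URL initiated from attacker.example arrives unencrypted with the user's session id attached and is rejected as an unencrypted request to a protected page; a request encrypted under a guessed token fails tag verification and is rejected with a warning; and index.html is served without any session. Note that the plug-in's step 60 check is what keeps a cross-origin request from being encrypted, so the defence depends on the client honestly reporting the initiating host.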
The present invention also provides an encryption-based cross-site request attack defence device that uses the encryption-based cross-site request attack defence method described above, the method being applied to a system comprising a client and a server end. Fig. 6 is a schematic structural diagram of the cross-site request attack defence device of the present invention. As shown in Fig. 6, the device comprises:
Authentication module 100: used by the server end to authenticate the client;
Client-side attack defence module 200: the client verified as a legitimate user by the authentication step receives the random number token sent by the server end, and encrypts subsequent requests with the random number token so that they become encrypted requests;
Server-side attack defence module 300: when the server end receives a subsequent encrypted request from the client of the legitimate user, it uses the random number token to decrypt and verify the request, thereby achieving cross-site request attack defence.
The client-side attack defence module 200 comprises:
Token extraction module 201: the client of the legitimate user receives the random number token sent by the server end and extracts the random number token;
Request judging module 202: judges, from whether the domain name of the source website server is identical to the domain name of the destination website server, whether the request was issued by this client application; if so, the request is encrypted with the random number token, and if not, it is sent directly;
Request encryption module 203: encrypts with the random number token the request content that the client of the legitimate user sends to the server end;
Request sending module 204: sends the encrypted request to the server end.
The server-side attack defence module 300 comprises:
Page judging module 301: judges whether the page the client accesses is a protected page or a publicly accessible page;
Random number token generation module 302: generates the random number token for the client of the verified legitimate user, sends the random number token to that client, and associates the random number token with the legitimate user's session id;
Decryption module 303: decrypts the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
Business processing module 304: carries out the corresponding business processing according to the decrypted request.
Fig. 7 is a detailed structural diagram of the cross-site request attack defence device of the present invention. As shown in Fig. 7, the random number token generation module 302 further comprises:
User-not-logged-in module 3021: when the queried session id of the user does not exist, judges that the user is not logged in, performs login authentication again, and generates the random number token and the session id for the client of the user that passes authentication;
User-logged-in module 3022: when the queried session id of the user exists, judges that the user is logged in and is the client of a legitimate user.
The decryption module 303 further comprises:
Token lookup module 3031: looks up, by the session id of the legitimate user, the random number token associated with that session id;
Original request decryption module 3032: decrypts the request sent by the client with the random number token obtained by the token lookup step, obtaining the client's original request.
The business processing module 304 further comprises:
Decryption success module 3041: if the original request decryption step decrypts the request successfully, carries out business processing according to the request;
Decryption failure module 3042: if the original request decryption step fails to decrypt the request, carries out no business processing and sends warning information to the legitimate user.
In summary, the encryption-based cross-site request attack defence method and device provided by the present invention achieve effective cross-site request attack defence without modifying the existing site server.
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and variations in accordance with the present invention, and all such changes and variations shall fall within the protection scope of the appended claims.

Claims (14)

1. An encryption-based cross-site request attack defence method, applied to a system comprising a client and a server end, characterised in that the method comprises:
an authentication step: the server end authenticates the client;
a client-side attack defence step: the client verified as a legitimate user by the authentication step receives the random number token sent by the server end, and encrypts subsequent requests with the random number token so that they become encrypted requests;
a server-side attack defence step: when the server end receives a subsequent encrypted request from the client of the legitimate user, the server end uses the random number token to decrypt and verify the request, thereby achieving cross-site request attack defence.
2. The encryption-based cross-site request attack defence method according to claim 1, characterised in that the server-side attack defence step comprises:
a page judging step: judging whether the page the client accesses is a protected page or a publicly accessible page;
a random number token generation step: generating the random number token for the client of the verified legitimate user, sending the random number token to that client, and associating the random number token with the session id of the legitimate user.
3. The encryption-based cross-site request attack defence method according to claim 1, characterised in that the client-side attack defence step comprises:
a token extraction step: the client of the legitimate user receives the random number token sent by the server end and extracts the random number token;
a request judging step: judging, from whether the domain name of the source website server is identical to the domain name of the destination website server, whether the request was issued by this client application; if it is a request of this client application, encrypting it with the random number token, and if it is not, sending it directly;
a request encryption step: encrypting with the random number token the request content that the client of the legitimate user sends to the server end;
a request sending step: sending the encrypted request to the server end.
4. The encryption-based cross-site request attack defence method according to claim 1, characterised in that the server-side attack defence step further comprises:
a decryption step: decrypting the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
a business processing step: carrying out the corresponding business processing according to the decrypted encrypted request.
5. The encryption-based cross-site request attack defence method according to claim 2, characterised in that the random number token generation step further comprises:
a user-not-logged-in step: when the queried session id of the user does not exist, judging that the user is not logged in, performing login authentication again, and generating the random number token and the session id for the client of the user that passes authentication;
a user-logged-in step: when the queried session id of the user exists, judging that the user is logged in and is the client of the legitimate user.
6. The encryption-based cross-site request attack defence method according to claim 4, characterised in that the decryption step further comprises:
a token lookup step: looking up, by the session id of the legitimate user, the random number token associated with the session id;
an original request decryption step: decrypting the request sent by the client with the random number token obtained by the token lookup step, obtaining the original request of the client.
7. The encryption-based cross-site request attack defence method according to claim 4, characterised in that the business processing step further comprises:
a decryption success step: if the original request decryption step decrypts the request successfully, carrying out business processing according to the request;
a decryption failure step: if the original request decryption step fails to decrypt the request, carrying out no business processing and sending warning information to the legitimate user.
8. An encryption-based cross-site request attack defence device, using the encryption-based cross-site request attack defence method according to any one of claims 1 to 7, the method being applied to a system comprising a client and a server end, characterised in that the device comprises:
an authentication module: used by the server end to authenticate the client;
a client-side attack defence module: the client verified as a legitimate user by the authentication step receives the random number token sent by the server end, and encrypts subsequent requests with the random number token so that they become encrypted requests;
a server-side attack defence module: when the server end receives a subsequent encrypted request from the client of the legitimate user, the server end uses the random number token to decrypt and verify the request, thereby achieving cross-site request attack defence.
9. The encryption-based cross-site request attack defence device according to claim 8, characterised in that the server-side attack defence module comprises:
a page judging module: judges whether the page the client accesses is a protected page or a publicly accessible page;
a random number token generation module: generates the random number token for the client of the verified legitimate user, sends the random number token to that client, and associates the random number token with the session id of the legitimate user.
10. The encryption-based cross-site request attack defence device according to claim 8, characterised in that the client-side attack defence module comprises:
a token extraction module: the client of the legitimate user receives the random number token sent by the server end and extracts the random number token;
a request judging module: judges, from whether the domain name of the source website server is identical to the domain name of the destination website server, whether the request was issued by this client application; if it is a request of this client application, encrypts it with the random number token, and if it is not, sends it directly;
a request encryption module: encrypts with the random number token the request content that the client of the legitimate user sends to the server end;
a request sending module: sends the encrypted request to the server end.
11. The encryption-based cross-site request attack defence device according to claim 8, characterised in that the server-side attack defence module further comprises:
a decryption module: decrypts the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
a business processing module: carries out the corresponding business processing according to the decrypted encrypted request.
12. The encryption-based cross-site request attack defence device according to claim 9, characterised in that the random number token generation module further comprises:
a user-not-logged-in module: when the queried session id of the user does not exist, judges that the user is not logged in, performs login authentication again, and generates the random number token and the session id for the client of the user that passes authentication;
a user-logged-in module: when the queried session id of the user exists, judges that the user is logged in and is the client of the legitimate user.
13. The encryption-based cross-site request attack defence device according to claim 12, characterised in that the decryption module further comprises:
a token lookup module: looks up, by the session id of the legitimate user, the random number token associated with the session id;
an original request decryption module: decrypts the request sent by the client with the random number token obtained by the token lookup step, obtaining the original request of the client.
14. The encryption-based cross-site request attack defence device according to claim 12, characterised in that the business processing module further comprises:
a decryption success module: if the original request decryption step decrypts the request successfully, carries out business processing according to the request;
a decryption failure module: if the original request decryption step fails to decrypt the request, carries out no business processing and sends warning information to the legitimate user.
CN201410158128.0A 2014-04-18 2014-04-18 Encryption-based cross-site request attack defence method and device Active CN103944900B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410158128.0A CN103944900B (en) 2014-04-18 2014-04-18 Encryption-based cross-site request attack defence method and device

Publications (2)

Publication Number Publication Date
CN103944900A (en) 2014-07-23
CN103944900B (en) 2017-11-24

Family

ID=51192384

Country Status (1)

Country Link
CN (1) CN103944900B (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104852907A (en) * 2015-04-17 2015-08-19 杭州华三通信技术有限公司 Cross-site request forgery (CSRF) attack recognition method and device
CN105354451A (en) * 2014-08-20 2016-02-24 腾讯科技(深圳)有限公司 Access authentication method and system
CN105407102A (en) * 2015-12-10 2016-03-16 四川长虹电器股份有限公司 HTTP request data reliability verification method
CN105516264A (en) * 2015-11-30 2016-04-20 努比亚技术有限公司 Session sharing method, apparatus and system for a distributed cluster system
CN105915537A (en) * 2016-05-27 2016-08-31 努比亚技术有限公司 Token generation method, token verification method and token authentication server
CN106302481A (en) * 2016-08-19 2017-01-04 中国银联股份有限公司 Method and apparatus for detecting WebSocket cross-site request forgery vulnerabilities
CN106302414A (en) * 2016-08-04 2017-01-04 北京百度网讯科技有限公司 Anti-scraping method and device for website content
CN106453352A (en) * 2016-10-25 2017-02-22 电子科技大学 Single-system multi-platform authentication method
CN107196950A (en) * 2017-06-12 2017-09-22 武汉斗鱼网络科技有限公司 Verification method, device and server
CN107294921A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 Processing method and device for web-side access
CN107612926A (en) * 2017-10-12 2018-01-19 成都知道创宇信息技术有限公司 One-sentence WebShell interception method based on client identification
CN107634942A (en) * 2017-09-08 2018-01-26 北京京东尚科信息技术有限公司 Method and apparatus for identifying malicious requests
CN107682346A (en) * 2017-10-19 2018-02-09 南京大学 System and method for rapidly locating and identifying CSRF attacks
CN107809483A (en) * 2017-10-27 2018-03-16 大猫网络科技(北京)股份有限公司 Transaction voucher storage method and device
CN107819579A (en) * 2017-12-13 2018-03-20 西安Tcl软件开发有限公司 User request processing method, server and computer-readable storage medium
CN109788477A (en) * 2018-12-28 2019-05-21 天翼电子商务有限公司 Method, system and server side for preventing eavesdropping of key information in a web page
CN109873818A (en) * 2019-02-01 2019-06-11 湖南快乐阳光互动娱乐传媒有限公司 Method and system for preventing unauthorized access to a server
CN110061967A (en) * 2019-03-15 2019-07-26 平安科技(深圳)有限公司 Service data providing method, device, equipment and computer-readable storage medium
CN110176988A (en) * 2019-04-25 2019-08-27 中国人民解放军战略支援部队信息工程大学 Device and method for ensuring consistent encryption behaviour among redundant executors
US10454949B2 (en) 2015-11-20 2019-10-22 International Business Machines Corporation Guarding against cross-site request forgery (CSRF) attacks
CN110875903A (en) * 2018-08-31 2020-03-10 阿里巴巴集团控股有限公司 Security defense method and device
CN111371743A (en) * 2020-02-21 2020-07-03 上海红神信息技术有限公司 Security defense method, device and system
CN111417122A (en) * 2020-03-25 2020-07-14 杭州迪普科技股份有限公司 Attack prevention method and device
CN113055344A (en) * 2019-12-27 2021-06-29 贵州白山云科技股份有限公司 Scheduling method, device, medium and equipment
CN113783824A (en) * 2020-06-10 2021-12-10 中国电信股份有限公司 Method, apparatus, client, system and medium for preventing cross-site request forgery
CN114884736A (en) * 2022-05-11 2022-08-09 山东鲁软数字科技有限公司 Security protection method and device against brute-force attacks
CN115065537A (en) * 2022-06-16 2022-09-16 公安部第三研究所 Defense system and dynamic defense method for automated attack behaviour against WEB applications

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320567A1 (en) * 2007-06-20 2008-12-25 Imperva, Inc. System and method for preventing web frauds committed using client-scripting attacks
US20100100927A1 (en) * 2008-10-20 2010-04-22 International Business Machines Corporation Systems and methods for protecting web based applications from cross site request forgery attacks
CN101860540A (en) * 2010-05-26 2010-10-13 吴晓军 Method and device for identifying legality of website service
US20110055391A1 (en) * 2009-08-31 2011-03-03 James Paul Schneider Multifactor validation of requests to thwart cross-site attacks
US20110283110A1 (en) * 2010-05-13 2011-11-17 Salesforce.Com, Inc. Secure Communications
CN102387152A (en) * 2011-11-03 2012-03-21 北京锐安科技有限公司 Preset-key-based symmetric encryption communication method
CN102480490A (en) * 2010-11-30 2012-05-30 国际商业机器公司 Method for preventing CSRF attack and equipment thereof
CN102571846A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Method and device for forwarding hyper text transport protocol (HTTP) request
CN102685081A (en) * 2011-03-17 2012-09-19 腾讯科技(深圳)有限公司 Webpage request safe processing method and system
CN102857479A (en) * 2011-06-30 2013-01-02 北京新媒传信科技有限公司 Network communication encrypting method and system
CN103117998A (en) * 2012-11-28 2013-05-22 北京用友政务软件有限公司 Safety reinforcing method based on JavaEE application system
CN103312666A (en) * 2012-03-09 2013-09-18 腾讯科技(深圳)有限公司 Method, system and device for preventing CSRF (cross site request forgery) attack
CN103634307A (en) * 2013-11-19 2014-03-12 北京奇虎科技有限公司 Method for certificating webpage content and browser
CN103679018A (en) * 2012-09-06 2014-03-26 百度在线网络技术(北京)有限公司 Method and device for detecting CSRF loophole

Also Published As

Publication number Publication date
CN103944900B (en) 2017-11-24

Similar Documents

Publication Publication Date Title
CN103944900A (en) Cross-station request attack defense method and device based on encryption
CN104767731B (en) Identity authentication protection method for a RESTful mobile transaction system
US8245030B2 (en) Method for authenticating online transactions using a browser
US8752208B2 (en) Detecting web browser based attacks using browser digest compute tests launched from a remote source
Fett et al. An extensive formal security analysis of the openid financial-grade api
CN110933078B (en) H5 unregistered user session tracking method
CN103179134A (en) Single sign on method and system based on Cookie and application server thereof
CN106576041A (en) Method of mutual verification between a client and a server
CN105577612B (en) Identity authentication method, third-party server, merchant server and user terminal
CN105721412A (en) Method and device for authenticating identity between multiple systems
Badra et al. Phishing attacks and solutions
Huang et al. A token-based user authentication mechanism for data exchange in RESTful API
Cao et al. Protecting web-based single sign-on protocols against relying party impersonation attacks through a dedicated bi-directional authenticated secure channel
CN105516066A (en) Method and device for identifying existence of intermediary
Sood et al. Inverse Cookie-based Virtual Password Authentication Protocol.
CN107615704A (en) Network anti-phishing device, method and system
CN106888200B (en) Identification association method, information sending method and device
CN104811421A (en) Secure communication method and secure communication device based on digital rights management
Gao et al. A research of security in website account binding
Aslam et al. PwdIP-Hash: A lightweight solution to phishing and pharming attacks
Deeptha et al. Extending OpenID connect towards mission critical applications
Nagpal et al. Preventive measures for securing web applications using broken authentication and session management attacks: A study
Varshney et al. A new secure authentication scheme for web login using BLE smart devices
Cheng et al. Analysis and improvement of the Internet‐Draft IKEv3 protocol
KR101962349B1 (en) Consolidated Authentication Method based on Certificate

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240320

Address after: Room 711C, Floor 7, Building A, Yard 19, Ronghua Middle Road, Daxing District, Beijing Economic-Technological Development Area, 100176

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Country or region after: China

Address before: 100190 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

Country or region before: China

TR01 Transfer of patent right