Background technology
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to perform operations the user did not intend on a web application in which the user is currently logged in. The target of the attack is the user rather than the web application; it needs no browser vulnerability, but exploits a session that has already been authenticated and abuses the implicit trust the site places in that authentication.
CSRF is a relatively covert attack: the victim may be exploited simply by carelessly clicking a malicious link. In essence the attacker usurps the victim's identity and sends malicious requests in the victim's name. What can be done in this way includes sending mail or messages, stealing the account, purchasing goods and even transferring virtual currency; the resulting problems include leakage of personal privacy and loss of property. The consequences of an attack depend on the vulnerability exploited and on the victim's privileges.
In the prior art, because the Hypertext Transfer Protocol (HTTP) is itself a stateless protocol and cannot associate two consecutive requests, state is recorded and consecutive requests of the same user are associated by means of authentication information such as Cookies, Sessions and HTTP authentication. For example, after a user has successfully authenticated, the browser obtains a Cookie that identifies the user; as long as the browser is not closed and the user does not log out, the browser "automatically" sends this Cookie with every request to that website, without user intervention and regardless of whether the request stems from a link provided by the application, from a Uniform Resource Locator (URL) received elsewhere, or from some other source. The site server identifies the user by the Cookie: if it receives a request carrying the victim's Cookie, it treats the request as sent by the logged-in victim, regards it as a valid and confirmed request, and performs this "trusted action", which gives the attacker an opportunity. Although this authentication mechanism of a web site ensures that a request comes from a certain user's browser to the target site, it cannot ensure that the request was really sent, or approved, by that user. The fundamental reason that cross-site request forgery is possible is that the web site verifies the web browser rather than the user.
Fig. 1 is a schematic diagram of a CSRF attack. In the figure, step 1 is the user requesting a protected page of the protected website; step 2 is the site server prompting the user to enter authentication information; step 3 is the user submitting their user name and password; step 4 is the site server verifying the user's information, establishing a legal session and generating a cookie that identifies the user; steps 5-8 are the user normally sending requests to the site server and the site server performing business processing and returning responses; steps 9-11 are the attacker's attack process, in which step 9 is the victim user visiting the malicious website, step 10 is the malicious website returning the content the user requested, which contains a malicious request directed at the protected website, and step 11 is the user carelessly clicking the malicious link, or the malicious request embedded in the page automatically initiating a request to the protected website. The browser automatically attaches the user's Cookie for that website to this request; because the request contains the cookie, the site server regards it as a legitimate request from the logged-in user, performs business processing, and thereby carries out the attacker's malicious action.
At present, the following methods are mainly used against cross-site request forgery:
The first is to defend against CSRF by requiring POST requests: for important write operations the website accepts only POST requests. The shortcoming of this method is that any GET request can be reconstructed as a form and sent by POST, so the method only increases the difficulty for the attacker and cannot prevent cross-site request forgery.
The second is to prevent CSRF by verifying a token: a randomly generated token is added to the HTTP request as a parameter, and an interceptor is set up at the server end to verify it; if the request carries no token or the token content is incorrect, the request is treated as a possible CSRF attack and refused. This "verification token" can easily be guessed by a logged-in user. Developers also often forget to implement this protection, and a further shortcoming is that the security of the token itself is hard to guarantee: it may be leaked to other websites through the URL or the HTTP Referer header. This method is disclosed in the document "Preventing cross site request forgery attacks" by Nenad Jovanovic, Engin Kirda and Christopher Kruegel, in IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.
The third is checking the HTTP Referer header. (The HTTP Referer is part of the request header; when a browser sends a request to a web server it generally includes the Referer, telling the server from which page the link was followed, and the server can use it to obtain some information for processing.) By checking the HTTP Referer header, only requests from trusted sources are accepted. However, because the Referer content touches on user privacy such as browsing history, many users disable the Referer header in HTTP requests. This method is disclosed in the document "Robust Defenses for Cross-Site Request Forgery" by A. Barth, C. Jackson and J. C. Mitchell, in Proc. 15th ACM Conf. Computer and Communications Security, ACM Press, 2008, pp. 75-87.
It can be seen that the solutions in the prior art cannot adequately defend existing servers against cross-site request forgery; a method that effectively prevents such attacks is therefore needed.
Summary of the invention
The technical problem to be solved by the invention is to provide an encryption-based method and device for preventing cross-site request attacks, so as to overcome the inability of the prior art to adequately prevent such attacks.
To achieve the above purpose, the invention provides an encryption-based method for preventing cross-site request attacks, applied to a system comprising a client and a server end, characterized in that the method comprises:
an authentication step: authenticating the client at the server end;
a client-side attack prevention step: the client, having been verified as a legitimate user by the authentication step, receives the random-number token sent by the server end and encrypts its subsequent requests with the random-number token to form encrypted requests;
a server-end attack prevention step: when the server end receives a subsequent encrypted request from the client of the legitimate user, it decrypts and verifies the request with the random-number token, thereby preventing cross-site request attacks.
In the above encryption-based method for preventing cross-site request attacks, characterized in that the server-end prevention step comprises:
a page judging step: judging whether the page the client accesses is a protected page or a publicly accessible page;
a random-number token generation step: generating the random-number token for the client of the verified legitimate user, sending the random-number token to that client, and associating the random-number token with the session id of the legitimate user.
In the above encryption-based method for preventing cross-site request attacks, characterized in that the client-side prevention step comprises:
a token extraction step: the client of the legitimate user receives the random-number token sent by the server end and extracts the random-number token;
a request judging step: judging, according to whether the domain name of the source website server is identical to the domain name of the destination website server, whether the request was sent by this client application; if it is a request of this client application, it is encrypted with the random-number token; if it is not, it is sent directly;
a request encryption step: encrypting, with the random-number token, the request content that the client of the legitimate user sends to the server end;
a request sending step: sending the encrypted request to the server end.
In the above encryption-based method for preventing cross-site request attacks, characterized in that the server-end prevention step further comprises:
a decryption step: decrypting the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
a business processing step: performing the corresponding business processing according to the decrypted request.
In the above encryption-based method for preventing cross-site request attacks, characterized in that the random-number token generation step further comprises:
a user-not-logged-in step: if the queried session id of the user does not exist, it is judged that the user is not logged in, login authentication is performed again, and the random-number token and session id are generated for the client of the user that passes authentication;
a user-logged-in step: if the queried session id of the user exists, it is judged that the user is logged in and is the client of a legitimate user.
In the above encryption-based method for preventing cross-site request attacks, characterized in that the decryption step further comprises:
a token lookup step: looking up, by the session id of the legitimate user, the random-number token associated with that session id;
a raw request decryption step: decrypting the request sent by the client with the random-number token obtained in the token lookup step, so as to obtain the raw request of the client.
In the above encryption-based method for preventing cross-site request attacks, characterized in that the business processing step further comprises:
a decryption success step: if the raw request decryption step succeeds in decrypting the request, business processing is performed according to the request;
a decryption failure step: if the raw request decryption step fails to decrypt the request, no business processing is performed and a warning message is sent to the legitimate user.
The invention also provides an encryption-based device for preventing cross-site request attacks, which adopts the encryption-based method described above, the method being applied to a system comprising a client and a server end, characterized in that the device comprises:
an authentication module: for authenticating the client at the server end;
a client-side attack prevention module: the client, having been verified as a legitimate user by the authentication step, receives the random-number token sent by the server end and encrypts its subsequent requests with the random-number token to form encrypted requests;
a server-end attack prevention module: when the server end receives a subsequent encrypted request from the client of the legitimate user, it decrypts and verifies the request with the random-number token, thereby preventing cross-site request attacks.
In the above encryption-based device for preventing cross-site request attacks, characterized in that the server-end prevention module comprises:
a page judging module: judging whether the page the client accesses is a protected page or a publicly accessible page;
a random-number token generation module: generating the random-number token for the client of the verified legitimate user, sending the random-number token to that client, and associating the random-number token with the session id of the legitimate user.
In the above encryption-based device for preventing cross-site request attacks, characterized in that the client-side prevention module comprises:
a token extraction module: the client of the legitimate user receives the random-number token sent by the server end and extracts the random-number token;
a request judging module: judging, according to whether the domain name of the source website server is identical to the domain name of the destination website server, whether the request was sent by this client application; if it is a request of this client application, it is encrypted with the random-number token; if it is not, it is sent directly;
a request encryption module: encrypting, with the random-number token, the request content that the client of the legitimate user sends to the server end;
a request sending module: sending the encrypted request to the server end.
In the above encryption-based device for preventing cross-site request attacks, characterized in that the server-end prevention module further comprises:
a decryption module: decrypting the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
a business processing module: performing the corresponding business processing according to the decrypted request.
In the above encryption-based device for preventing cross-site request attacks, characterized in that the random-number token generation module further comprises:
a user-not-logged-in module: if the queried session id of the user does not exist, it is judged that the user is not logged in, login authentication is performed again, and the random-number token and session id are generated for the client of the user that passes authentication;
a user-logged-in module: if the queried session id of the user exists, it is judged that the user is logged in and is the client of a legitimate user.
In the above encryption-based device for preventing cross-site request attacks, characterized in that the decryption module further comprises:
a token lookup module: looking up, by the session id of the legitimate user, the random-number token associated with that session id;
a raw request decryption module: decrypting the request sent by the client with the random-number token obtained by the token lookup module, so as to obtain the raw request of the client.
In the above encryption-based device for preventing cross-site request attacks, characterized in that the business processing module further comprises:
a decryption success module: if the raw request decryption module succeeds in decrypting the request, business processing is performed according to the request;
a decryption failure module: if the raw request decryption module fails to decrypt the request, no business processing is performed and a warning message is sent to the legitimate user.
Compared with existing cross-site request attack prevention technologies, the beneficial effects of the invention are:
1. No modification of existing site server code is needed: cross-site request forgery can be prevented by simple configuration. Some existing prevention technologies can only be realized by modifying the site server code; for applications that are already mature and deployed, adopting such a technology means the application must be redeveloped or modified, which not only consumes substantial resources but can also degrade performance considerably, so prevention methods that require modifying the site server have developed very slowly;
2. Broad applicability: no special requirements are placed on the application to be protected, and it need not use a specific development technology; applications developed with JAVA, PHP, ASP and other technologies can all use the method proposed by the invention;
3. Simple to use: no user interaction is needed, the user need not define a white list, and the user of the application needs no security knowledge, which reduces the difficulty of use;
4. Because the URL request is encrypted, the attacker cannot learn the concrete form of the request (called page, parameters, etc.), which increases the difficulty of understanding the application under attack and the difficulty of carrying out an attack.
Embodiment
Specific embodiments of the invention are given below; the invention is described in detail with reference to the accompanying drawings and concrete embodiments.
The invention proposes a method that uses a random number (token) as a key to encrypt the URL, thereby preventing cross-site request forgery. To this end, the invention uses a random number generated by the site server that is hard for an attacker to guess, and encrypts the URL with this random number; because the attacker cannot intercept the random number by means such as sniffing and packet capture, the attacker cannot forge a correct request. Even though the browser automatically attaches the Cookie of the logged-in user to a forged request, the request has not been endorsed by the site server, so the site server disregards it, and cross-site request forgery is thereby prevented.
The invention mainly involves two classes of entities: the client (the user visits the application site through a browser) and the service end (the server on which the application site is deployed).
The encryption-based method for preventing cross-site request attacks provided by the invention is applied to a system comprising a client and a server end. Fig. 2 is a schematic flow chart of the steps of the method of the invention; as shown in Fig. 2, the method comprises:
Authentication step S1: authenticating the client at the server end;
Client-side attack prevention step S2: the client, having been verified as a legitimate user by the authentication step, receives the random-number token sent by the server end and encrypts its subsequent requests with the random-number token to form encrypted requests;
Server-end attack prevention step S3: when the server end receives a subsequent encrypted request from the client of the legitimate user, it decrypts and verifies the request with the random-number token, thereby preventing cross-site request attacks.
The client-side attack prevention step S2 comprises:
Token extraction step S21: the client of the legitimate user receives the random-number token sent by the server end and extracts the random-number token;
Request judging step S22: judging, according to whether the domain name of the source website server is identical to the domain name of the destination website server, whether the request was sent by this client application; if it is a request of this client application, it is encrypted with the random-number token; if it is not, it is sent directly;
Request encryption step S23: encrypting, with the random-number token, the request content that the client of the legitimate user sends to the server end;
Request sending step S24: sending the encrypted request to the server end.
The server-end attack prevention step S3 comprises:
Page judging step S31: judging whether the page the client accesses is a protected page or a publicly accessible page;
Random-number token generation step S32: generating the random-number token for the client of the verified legitimate user, sending the random-number token to that client, and associating the random-number token with the session id of the legitimate user;
Decryption step S33: decrypting the encrypted request sent by the client using the token as the key, so as to verify the legitimacy of the encrypted request;
Business processing step S34: performing the corresponding business processing according to the decrypted request.
Fig. 3 is a detailed schematic flow chart of the steps of the method of the invention; as shown in Fig. 3, the random-number token generation step S32 further comprises:
User-not-logged-in step S321: if the queried session id of the user does not exist, it is judged that the user is not logged in, login authentication is performed again, and the random-number token and session id are generated for the client of the user that passes authentication;
User-logged-in step S322: if the queried session id of the user exists, it is judged that the user is logged in and is the client of a legitimate user.
The decryption step S33 further comprises:
Token lookup step S331: looking up, by the session id of the legitimate user, the random-number token associated with that session id;
Raw request decryption step S332: decrypting the request sent by the client with the random-number token obtained in the token lookup step, so as to obtain the raw request of the client.
The business processing step S34 further comprises:
Decryption success step S341: if the raw request decryption step succeeds in decrypting the request, business processing is performed according to the request;
Decryption failure step S342: if the raw request decryption step fails to decrypt the request, no business processing is performed and a warning message is sent to the legitimate user.
To better explain the principle of the technical solution of the invention, a specific example of a cross-site request forgery attack is given first.
Suppose user A has logged in to their bank account and the site server has returned the session id authentication information of the corresponding session. A has a deposit at the bank. Sending the HTTP request http://bank.example/withdraw?account=A&amount=10000&for=B to the bank's website transfers 10000 of A's deposit to the account of B. When this request reaches the bank's website, the site server first verifies whether the request comes from a legal session and whether the user of that session is logged in; if A's session id authentication information accompanies the request, the site server regards the operation as sent by the logged-in user A.
Suppose an attacker B also has an account at this bank and, from familiarity with the bank's website, knows that the URL above performs a transfer. B can send the request http://bank.example/withdraw?account=A&amount=10000&for=B to the bank from B's own browser; but because the request comes from B rather than A, it carries none of A's authentication information, cannot pass security verification, and has no effect.
B then turns to CSRF: on a website under B's own control, B places code such as src="http://bank.example/withdraw?account=A&amount=10000&for=B" and lures A to visit that website with advertisements, prize notifications and the like. If A is logged in to the bank's website at that time and opens this malicious website in a new tab, the URL above is sent from A's browser to the bank as a GET request. Because A is logged in, the browser attaches A's session id, and if A's session with the bank has not expired, the bank's site, which identifies users by session id, regards this as a request sent by A. The tragedy then occurs: the bank's website treats the request as legitimate and processes it, the money is transferred from A's account to B's account, and A knows nothing about it at the time. When A later notices the missing money and asks the bank to check its logs, A finds only a legitimate request from A's own browser transferring the funds, with no trace of an attack.
The principle of cross-site request forgery has been briefly introduced above. In the invention, the site server judges whether the requested content is protected content; if so, it prompts the user to enter verification information such as user name and password, generates the session id of the corresponding session together with a random-number token, and sends them to the client. In the user's subsequent requests, the client encrypts the URL request content with the random-number token before sending the request. The site server finds the corresponding token by the session id and decrypts the URL request: a request that decrypts successfully was encrypted with the random-number token, which only the client user knows, so it is a legitimate request and the site server performs the related business processing according to its content. Because the attacker cannot obtain the random number, the attacker cannot correctly encrypt a forged request; even though the browser automatically attaches the logged-in user's session id to the forged request, decryption fails, the site server performs no business processing and instead warns the user, and cross-site request forgery is thereby prevented.
The steps of an embodiment of the invention are described in detail below with reference to the above example and the drawings.
Fig. 4 is a schematic flow chart of the server end defending against CSRF according to the invention; as shown in Fig. 4, the main steps at the server end comprise:
10. judging whether the page is a protected page;
20. judging whether the user is logged in;
30. decrypting the encrypted request;
40. business processing.
A specific implementation is as follows:
10. Judging whether the page is a protected page. Applications are generally divided into protected pages and public pages.
1) Public pages can be accessed without the user logging in, such as login.html and index.html; because they involve no important operations they cannot cause harm, so the site server can directly perform the corresponding business processing according to the request.
2) Protected pages can be accessed only after the user logs in and require the user to authenticate, for example changing the user's password or personal information, transferring money, etc. The site server therefore has to judge whether the user is logged in and whether the current session is legal.
20. Judging whether the user is logged in. Whether the user is logged in and holds a legal session is judged by whether the session id is legal.
1) If there is no session id, the user is not logged in or the session has expired, and login authentication must be performed again. This mainly comprises the following steps:
11) Jump to the login interface and prompt the user to enter authentication information (generally user name and password).
12) The site server verifies whether the user name and password entered by the user are correct; if not, it jumps to the login page again and requires the user to re-enter the authentication information.
13) After verification passes, the site server creates a legal session, generates the session id and the random-number token associated with the user session, returns the page the user requested, and returns the session id and random-number token to the client.
2) If there is a session id, the user has logged in successfully and the client holds the random-number token sent by the site server; subsequent requests, if sent by the legitimate application, should be encrypted with the random-number token.
30. Decrypting the encrypted request. A logged-in user holds the random-number token returned by the site server, so all subsequent requests sent by this application should be encrypted with the token as the key; because the attacker does not have the token, a request that cannot be correctly decrypted is probably forged by the attacker.
1) In the association table of session ids and tokens stored by the site server, find the token corresponding to the session id in the request.
2) Decrypt the encrypted part of the request (called page, parameters, etc.) with the token to obtain the raw request sent by the client.
40. Business processing.
1) If decryption with the token succeeds, the request was encrypted with the token sent by the site server and is a legitimate request sent by the application, so the site server performs the corresponding business processing according to the request.
2) If decryption fails, the request was encrypted with a wrong key, probably a token guessed by the attacker and used to encrypt a forged request, or the request was not encrypted at all; since decryption failed, no business processing is performed on it and a corresponding warning message is sent to the user.
Fig. 5 is a schematic flow chart of the client side of the cross-site attack prevention method of the invention; as shown in Fig. 5, the main steps at the client comprise:
50. extracting the token;
60. judging whether the request was sent by this application;
70. encrypting the request;
80. sending the request.
A specific implementation is as follows:
50. Extracting the token. The client extracts, from the response of the site server, the token that the service end sends to the client. The token may be carried back in the response page of the site server, or transmitted separately.
60. Judging whether the request was sent by this application. Judge whether the source website server that sends the request matches the fully qualified domain name of the destination website; if they match, the request is regarded as sent by this application, otherwise it is regarded as not sent by this application.
1) If the request was sent by this application, encrypt it with the token.
2) If the request was not sent by this application, do not process it and send it directly.
70. Encrypting the request. Part of the content of the URL request (called page, parameters, etc.) is encrypted, while the server address of the application in the URL request is still sent in plaintext so that the request can be correctly delivered to the service end. The encryption operation can be completed by a plug-in issued by the application.
For example, in the example above, http://bank.example/withdraw?account=A&amount=10000&for=B, the part "withdraw?account=A&amount=10000&for=B" is encrypted with the token sent by the server. It should be understood that the invention can adopt other ways of encrypting; the specific embodiment described here is only intended to explain the invention and not to limit it.
80. Sending the request. The encrypted request is sent to the service end.
The present invention also provides an encryption-based cross-site request attack prevention device that adopts the encryption-based cross-site request attack prevention method described above. The method is applied to a system comprising a client and a server end. Fig. 6 is a structural representation of the cross-site request attack prevention device of the present invention. As shown in Fig. 6, this device comprises:
Authentication module 100: used by the server end to authenticate the client;
Client-side attack prevention module 200: the client verified as a valid user by the authentication step receives the random number token sent by the server end, and uses the random number token to encrypt subsequent requests into encrypted requests;
Server-side attack prevention module 300: when the server end receives a subsequent encrypted request from the client of a valid user, it uses the random number token to decrypt and verify it, thereby achieving cross-site request attack prevention.
Wherein, the client-side attack prevention module 200 comprises:
Token extraction module 201: the client of the valid user receives the random number token sent from the server end and extracts the random number token;
Request judgment module 202: judges, according to whether the domain name of the source website server and the domain name of the destination website server are identical, whether the request was sent by this client application; if it is a request of this client application, it is encrypted with the random number token; if it is not a request of this client application, it is sent directly;
Request encryption module 203: the request content that the client of the valid user sends to the server end is encrypted with the random number token;
Request sending module 204: the encrypted request is sent to the server end.
Wherein, the server-side attack prevention module 300 comprises:
Page judgment module 301: judges whether the page the client logs in to is a protected page or a publicly accessible page;
Random number token generation module 302: generates a random number token for the client of the verified valid user, sends the random number token to the client of the valid user, and associates the random number token with the session ID of the valid user;
Decryption module 303: decrypts the encrypted request sent by the client, using the token as the key, in order to verify the legitimacy of the encrypted request;
Business processing module 304: carries out the corresponding business processing according to the decrypted request.
Wherein, Fig. 7 is a detailed structural diagram of the cross-site request attack prevention device of the present invention. As shown in Fig. 7, the random number token generation module 302 further comprises:
User-not-logged-in module 3021: if the query finds that the user's session ID does not exist, it judges that the user is not logged in, login authentication is performed again, and the random number token and the session ID are generated for the client of the valid user that passes authentication;
User-logged-in module 3022: if the query finds that the user's session ID exists, it judges that the user is logged in and is the client of a valid user.
Wherein, the decryption module 303 further comprises:
Token lookup module 3031: uses the session ID of the valid user to look up the random number token associated with that session ID;
Original request decryption module 3032: uses the random number token obtained by the token lookup step to decrypt the request sent by the client, obtaining the client's original request.
Wherein, the business processing module 304 further comprises:
Successful decryption module 3041: if the original request decryption step decrypts the request successfully, business processing is carried out according to the request;
Decryption failure module 3042: if the original request decryption step fails to decrypt the request, no business processing is carried out and a warning message is sent to the valid user.
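The client steps 50 to 80 and the server-side modules 301 to 304 described above, as an added example in Python that is not the patent's own code. The in-memory session store, the function names, the bank.example URL and the stand-in cipher (HMAC-SHA256 keystream with an authentication tag, so that a wrong token is detected as a decryption failure; a vetted AEAD such as AES-GCM would be used in practice) are all assumptions, since the patent does not fix a particular cipher.

```python
import base64, hashlib, hmac, os, secrets
from urllib.parse import urlsplit
SESSIONS = {}  # server-side store, session id -> random number token (constructed)

def server_issue_token(session_id):
    SESSIONS[session_id] = secrets.token_bytes(32)  # module 302: token bound to the session id
    return SESSIONS[session_id]

def _keystream(key, nonce, length):
    # stand-in stream cipher: HMAC-SHA256 in counter mode (demo only; use AES-GCM in practice)
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(token, plaintext):
    # encrypt-then-MAC, so a wrong (guessed) token surfaces as a decryption failure
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(token, nonce, len(plaintext))))
    tag = hmac.new(token, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def decrypt(token, blob):
    # returns the plaintext, or None when the tag does not verify (wrong key or tampering)
    try:
        raw = base64.urlsafe_b64decode(blob)
    except ValueError:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if len(raw) < 48 or not hmac.compare_digest(tag, hmac.new(token, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(token, nonce, len(ct))))

def client_send(token, app_host, url):
    # steps 60-80: encrypt page and parameters only when the target host is this application
    parts = urlsplit(url)
    if parts.hostname != app_host:
        return url  # not this application's request: send unchanged
    enc = encrypt(token, (parts.path + ("?" + parts.query if parts.query else "")).encode())
    return f"{parts.scheme}://{parts.netloc}/?enc={enc}"  # server address stays in plaintext

def server_handle(session_id, url):
    # modules 301-304: look up the session token, decrypt, then process or warn
    token = SESSIONS.get(session_id)
    if token is None:
        return "login required"  # module 3021: no session id, authenticate again
    query = urlsplit(url).query
    original = decrypt(token, query[4:]) if query.startswith("enc=") else None
    if original is None:
        return "warning: decryption failed"  # module 3042: unencrypted, or wrong/guessed token
    return "ok:" + original.decode()  # module 3041: process the original request
```

A request encrypted under a different (guessed) token, an unencrypted request, and a request for an unknown session all take the warning or re-login path rather than reaching business processing.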
In summary, the encryption-based cross-site request attack prevention method and device provided by the present invention can defend well against cross-site request attacks without modifying the existing site server.
Of course, the present invention can also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and variations according to the present invention, but all such corresponding changes and variations shall fall within the protection scope of the appended claims of the present invention.