CN105100084A - Method and system for preventing cross-site request forgery attack - Google Patents

Info

Publication number
CN105100084A
Authority
CN
China
Prior art keywords
file
strategy
http request
client
service end
Prior art date
Legal status
Granted
Application number
CN201510394384.4A
Other languages
Chinese (zh)
Other versions
CN105100084B (en)
Inventor
高云鹏
孙毓忠
Current Assignee
Beijing Zhongke Flux Technology Co ltd
Original Assignee
Institute of Computing Technology of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Computing Technology of CAS
Priority to CN201510394384.4A
Publication of CN105100084A
Application granted
Publication of CN105100084B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 63/1441 Countermeasures against malicious traffic (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention belongs to the technical field of network security and provides a method and a system for preventing cross-site request forgery (CSRF) attacks. The method comprises the following steps: a client generates an HTTP request when it receives page information from a browser; the client filters the cookie information in the HTTP request according to a policy file obtained from the server side; and the client sends the filtered HTTP request to the server side. Because the policy file is provided by the server side, the server side defines precisely which pages it expects to receive requests from, and the client judges the authenticity of each HTTP request against that policy file. Requests not allowed by the policy file are therefore guaranteed not to carry the user's cookie, requests the server side does not expect to receive are not sent by the client, and the network security of the client is guaranteed.

Description

Method and system for preventing cross-site request forgery attacks
Technical field
The present invention relates to network security, in particular browser security and web application security, and more particularly to a method and system for preventing cross-site request forgery attacks.
Background art
Website servers and user clients in the prior art communicate mainly through the HTTP (HyperText Transfer Protocol) protocol. By definition, HTTP is a stateless protocol: every exchange between server and client is independent of the others, and during the next exchange neither side knows anything about the previous one. In practice, however, server and client need to communicate continuously and statefully, so cookie technology was introduced as the most common solution.
To maintain a stateful connection between server and client, the server must be able to identify requests coming from different clients, so information about the user's connection has to be stored on the server or on the client for the server to identify it. Even if the user's connection information is stored on the server, a short tag still has to be kept on the client. The HTTP protocol therefore defines a piece of text kept on the client that describes the user's connection information or identity, called a cookie. When the user first logs in to a website, the server establishes a cookie for the server's domain in the browser through the Set-Cookie field of the response header. From then on, until the expiry time set in the cookie, the browser automatically adds the user's cookie for that domain to the Cookie field of the header of every request it sends to that domain. When the server receives a request carrying cookie information, it can identify the user from that information.
Because the cookie is the key information the server uses to identify the user, it has become the target of many network attacks. Unlike attacks such as cross-site scripting that steal the user's cookie directly, a cross-site request forgery (CSRF) attack does not obtain the cookie at all: it exploits the mechanism by which the browser attaches the cookie automatically, and uses the user's own cookie to achieve the attacker's goal. Without the user's knowledge, the CSRF attacker forges a request on the user's behalf and, by some means, causes it to be sent from the user's browser. Because the request carries the user's cookie, the server executes it successfully. Cross-site request forgery allows an attacker to obtain or modify other users' account information, and so mainly damages the confidentiality and integrity of the information.
The defect of the prior art lies in an improper assignment of the responsibility for distinguishing forged requests: the prior art lets only the client, or only the server, judge whether a request is genuine. The client cannot know whether a request from one page to another is one the server expects, and the server cannot know the context in which a client's request was generated, so CSRF attacks cannot be prevented effectively.
In summary, the prior art clearly has inconveniences and defects in actual use, and it is necessary to improve it.
Summary of the invention
In view of the above defects, the object of the present invention is to provide a method and system for preventing cross-site request forgery attacks in which a policy file provided by the server side is used to judge whether a client request is forged, ensuring that requests not allowed by the policy file cannot carry the user's cookie and thus ensuring the network security of the client. This solves the problem of the prior art that the server side does not know the context in which a client request is sent and the client does not know which requests the server side is willing to accept.
To achieve this object, the invention provides a method for preventing cross-site request forgery attacks, the method comprising the following steps:
the client generates an HTTP request when it receives page information from the browser;
the client filters the cookie information in the HTTP request according to a policy file obtained from the server side;
the client sends the filtered HTTP request to the server side.
According to the method of the invention, the step in which the client filters the cookie information in the HTTP request according to the policy file obtained from the server side comprises:
the client searches the local file system for the policy file associated with the HTTP request;
when the client does not find the associated policy file, or the timestamp of the associated policy file in the local file system is smaller than the latest timestamp of the associated policy file on the server side, the client updates the policy file from the server side.
According to the method of the invention, after the step of searching the local file system for the policy file associated with the HTTP request, the method comprises:
the client obtains the latest timestamp of the associated policy file from the server side;
the client compares the timestamp of the associated policy file in the local file system with the latest timestamp of the associated policy file obtained from the server side.
According to the method of the invention, the step in which the client filters the cookie information in the HTTP request according to the policy file obtained from the server side further comprises:
the client uses the source address information and the target address information in the HTTP request as keys to look up processing result information in the policy file;
and, according to the processing result information found, decides whether to delete or modify the cookie information in the HTTP request.
According to the method of the invention, the step in which the client uses the source address information and the target address information in the HTTP request as keys to look up processing result information in the policy file comprises:
the client searches the policy file for the corresponding policy entry according to the target address information in the HTTP request, the policy file comprising a plurality of policy entries each composed of source address information, target address information and processing result information;
the client judges whether the source address information in the HTTP request matches the source address information in the policy entry found;
if it matches, the processing result information in the policy entry found is the required processing mode.
Correspondingly, the invention provides a system for preventing cross-site request forgery attacks, the system comprising a client and a server side, the client comprising:
a request generation module for generating an HTTP request when page information is received from the browser;
a processing module for filtering the cookie information in the HTTP request according to the policy file obtained from the server side;
a request sending module for sending the filtered HTTP request to the server side.
According to the system of the invention, the processing module further comprises a policy file updating unit,
the policy file updating unit being used to search the local file system for the policy file associated with the HTTP request and, when the associated policy file is not found or the timestamp of the associated policy file in the local file system is smaller than the latest timestamp of the associated policy file on the server side, to update the policy file from the server side.
According to the system of the invention, the policy file updating unit comprises:
a timestamp acquisition subunit for obtaining the latest timestamp of the associated policy file from the server side;
a timestamp comparison subunit for comparing the timestamp of the associated policy file in the local file system with the latest timestamp of the associated policy file obtained from the server side.
According to the system of the invention, the processing module further comprises a cookie information filtering unit,
the cookie information filtering unit being used to look up processing result information in the policy file using the source address information and the target address information in the HTTP request as keys, and to decide, according to the processing result information found, whether to delete or modify the cookie information in the HTTP request.
According to the system of the invention, the cookie information filtering unit comprises:
a policy entry query subunit for searching the policy file for the corresponding policy entry according to the target address information in the HTTP request, the policy file comprising a plurality of policy entries each composed of source address information, target address information and processing result information;
a matching subunit for judging whether the source address information in the HTTP request matches the source address information in the policy entry found; if it matches, the processing result information in the policy entry found is the required processing mode.
The invention maintains on the client a policy file obtained from the server side, decides according to the content of that policy file whether the cookie information of each HTTP request generated by the client is kept, filters the request accordingly, and finally sends the filtered HTTP request to the server side. Because the policy file is provided by the server side, the server side defines precisely which pages it is willing to receive requests from; the client judges the authenticity of HTTP requests against the policy file, so that requests not allowed by the policy file cannot carry the user's cookie, requests the server side is not willing to accept cannot be sent by the client, and the network security of the client is ensured. This solves the problem of the prior art that the server side does not know the context in which a client request is sent and the client does not know which requests the server side is willing to accept.
Brief description of the drawings
Fig. 1 is a schematic block diagram of a system for preventing cross-site request forgery attacks according to the present invention;
Fig. 2 is a flow chart of a method for preventing cross-site request forgery attacks according to the present invention;
Fig. 3 is a flow chart of a specific embodiment of the method for preventing cross-site request forgery attacks according to the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
The invention provides a method and system for preventing cross-site request forgery attacks; the goal is to protect the client from CSRF attacks. The root cause of a successful CSRF attack is this: when the server side receives a client request, it is hard for it to tell from the content of the request the situation in which the request was sent (that is, how the browser came to send it); and when the browser side sends a request, although it knows the situation in which the request is sent, it does not know the security rules of the target website, so it attaches the cookie field to the request content indiscriminately. In the method and system provided by the invention, the server side provides a policy file for filtering requests, the browser side filters the request content according to the policy file before the request is sent, and an update rule keeps the local policy file in its latest state at all times, ensuring that every request sent by the browser side complies with the security rules of the target website.
As shown in Fig. 1, the invention provides a system for preventing cross-site request forgery attacks comprising a client 100 and a server side 200. The user visits the application website through the browser of the client 100, and the server side 200 is the server deployed for the application website. The client 100 comprises a request generation module 10, a processing module 20 and a request sending module 30.
The request generation module 10 generates an HTTP request when page information is received from the browser. When the user browses a web page with the client 100, the client 100 generates HTTP requests according to the script statements of the page or events the user triggers on it (such as clicks).
The processing module 20 filters the cookie information in the HTTP request according to the policy file obtained from the server side 200.
The request sending module 30 sends the filtered HTTP request to the server side 200. This ensures that requests not allowed by the policy file cannot carry the user's cookie, that requests the server side 200 is not willing to accept cannot be sent by the client 100, and thus that the network security of the client 100 is ensured.
As shown in Fig. 1, the processing module 20 comprises a policy file updating unit 21 and a cookie information filtering unit 22.
The policy file updating unit 21 searches the local file system for the policy file associated with the HTTP request and, when the associated policy file is not found or the timestamp of the associated policy file in the local file system is smaller than the latest timestamp of the associated policy file on the server side, updates the policy file from the server side 200. A smaller timestamp means an earlier modification time, i.e. an older policy file; a larger timestamp means a later modification time, i.e. a newer policy file.
Specifically, after the client 100 generates an HTTP request, it examines the target URL of the request and searches the local file system, according to the domain name of the target URL, for a corresponding policy file. By default all local policy files are stored in one directory and named according to a fixed format (such as "policy_<domain name>.sqlite"). Knowing the domain name field of a request's target URL is thus enough to derive the path and file name of its local policy file, and from that whether the local policy file exists and when it was last modified. If the modification time of the associated policy file in the local file system of the client 100 is earlier than the modification time of the associated policy file on the server side 200, the client 100 must update the policy file from the server side 200 to ensure that the policy file it uses is the latest one. The client 100 can issue a file download request to the server side 200, download the policy file of the server side 200 to the local default path, and overwrite the local policy file (if one exists in the local file system).
The cookie information filtering unit 22 looks up processing result information in the policy file using the source address information and the target address information of the HTTP request as keys, and decides according to the processing result information found whether to delete or modify the cookie information in the HTTP request. Specifically, the policy file comprises a plurality of policy entries each composed of source address information, target address information and processing result information. The cookie information filtering unit 22 processes the HTTP request according to the processing result information found. If the result is "safe", the HTTP request is not modified; if the result is "unsafe", the cookie field of the HTTP request is deleted; if the result carries some other description, for example that only certain values in the cookie are to be deleted, the corresponding values in the cookie field of the request are deleted. Because a CSRF attack can only succeed with the user's legitimate cookie, a legitimate HTTP request has a policy entry marked "allowed" in the policy file and its cookie field is retained, whereas an illegitimate HTTP request either has no policy entry at all (that is, no processing result information can be found in the policy file using the source address information and target address information of the request as keys) or has an entry marked "not allowed", and its cookie field is therefore deleted. When the server side 200 receives an HTTP request from the client 100 that carries no cookie field, it cannot determine the user's identity and so performs no operation tied to that identity, which prevents the CSRF attack.
As shown in Fig. 1, the policy file updating unit 21 further comprises a timestamp acquisition subunit 211 and a timestamp comparison subunit 212.
The timestamp acquisition subunit 211 obtains the latest timestamp of the associated policy file from the server side 200. Specifically, according to the domain name of the target of the HTTP request, the client 100 sends a GET request to the time service interface of that domain and obtains the latest timestamp of the domain's policy file. The time service interface can be a page script whose URL is a fixed location under the domain name, such as "<domain name>/time.jsp"; its function is to accept the GET request, read the modification date of the domain's policy file (such as "<domain name>/policy_<domain name>.sqlite"), add this date value to the response message, and send the response message to the client that originated the GET request.
The timestamp comparison subunit 212 compares the timestamp of the associated policy file in the local file system with the latest timestamp of the associated policy file obtained from the server side 200.
As shown in Fig. 1, the cookie information filtering unit 22 further comprises a policy entry query subunit 221 and a matching subunit 222.
The policy entry query subunit 221 searches the policy file for the corresponding policy entry according to the target address information in the HTTP request, the policy file comprising a plurality of policy entries each composed of source address information, target address information and processing result information.
The matching subunit 222 judges whether the source address information in the HTTP request matches the source address information in the policy entry found; if it matches, the processing result information in the policy entry found is the required processing mode. Specifically, the content of the policy file consists of a number of policy entries of the form "source address; destination address; result", where the source address is expressed as a regular expression. The client 100 searches the policy file for the corresponding policy entry according to the destination address of the HTTP request; after finding it, the client checks whether the source address of the HTTP request matches the regular expression of the entry's source address, and if so the result field of that entry is the required processing mode.
In the invention, the client 100 provides the functions of a web browser; after an HTTP request is generated it is subjected to CSRF filtering and only then sent. The client 100 comprises the policy file updating unit 21 and the cookie information filtering unit 22. The policy file updating unit 21 checks the timestamp of the local policy file, obtains the timestamp of the server-side file through a GET request, and decides by comparing the timestamps whether the file needs to be updated; finally it obtains the latest server-side policy file by file download and overwrites the local file. The cookie information filtering unit 22 uses the source address and destination address of the request as keys to search the policy file and decides, according to the result found, whether to delete the contents of the request's cookie field. The server side 200 provides the functions of a website server and offers the policy file and the time service interface at fixed locations under its domain name.
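The policy lookup and cookie filtering performed by the cookie information filtering unit 22 with its policy entry query subunit 221 and matching subunit 222, as an added Python example that is not part of the patent or of any implementation of it. The policy file is modelled as an in-memory SQLite table with the three fields the description names (source address as a regular expression, destination address, result); the domain "bank.example", the sample entries, the request headers and the encoding of the result field as "allow", "deny" or "delete:<cookie name>" (the "safe", "unsafe" and "delete only certain values" cases) are constructed assumptions. A request whose destination has no matching entry is treated as not allowed, as the description states.

```python
import re
import sqlite3

# Constructed sample policy for the hypothetical domain "bank.example".
# Each row is (source_pattern, destination, result): the source is a regular
# expression, the destination is the target address, and the result is the
# processing mode. The result encoding is an assumption of this example:
# "allow" keeps the request as is, "deny" strips the Cookie header, and
# "delete:<name>,<name>" removes only the named cookie values.
SAMPLE_POLICY_ROWS = [
    (r"https://bank\.example/.*", "https://bank.example/transfer", "allow"),
    (r"https://(www\.)?partner\.example/.*", "https://bank.example/transfer", "delete:session"),
    (r".*", "https://bank.example/public/status", "allow"),
]


def load_policy(rows):
    """Build the policy table in memory; a real client would open policy_<domain>.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE policy (source TEXT, destination TEXT, result TEXT)")
    conn.executemany("INSERT INTO policy VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def lookup_result(conn, source, destination):
    """Subunits 221 and 222: select the entries for the destination, then return
    the result of the first entry whose source pattern matches the request's
    source. None means no entry applies, which is treated like 'not allowed'."""
    rows = conn.execute(
        "SELECT source, result FROM policy WHERE destination = ?", (destination,)
    )
    for source_pattern, result in rows:
        if re.fullmatch(source_pattern, source):
            return result
    return None


def _parse_cookie(header_value):
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')], preserving order."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def filter_cookie(headers, result):
    """Apply the processing mode to the Cookie header (unit 22); returns new headers."""
    headers = dict(headers)
    if "Cookie" not in headers or result == "allow":
        return headers
    if result is None or result == "deny":
        del headers["Cookie"]          # unsafe or unknown: drop the whole cookie field
        return headers
    if result.startswith("delete:"):   # delete only the named values
        doomed = {n.strip() for n in result[len("delete:"):].split(",") if n.strip()}
        kept = [(n, v) for n, v in _parse_cookie(headers["Cookie"]) if n not in doomed]
        if kept:
            headers["Cookie"] = "; ".join(f"{n}={v}" for n, v in kept)
        else:
            del headers["Cookie"]
        return headers
    raise ValueError(f"unknown policy result: {result!r}")


def process_request(conn, request):
    """Filtering step for one generated request: look up the policy, then filter."""
    result = lookup_result(conn, request["source"], request["destination"])
    return {**request, "headers": filter_cookie(request["headers"], result)}


if __name__ == "__main__":
    conn = load_policy(SAMPLE_POLICY_ROWS)
    cookie = "session=abc123; theme=dark"       # constructed cookie header
    for source in ("https://bank.example/account",
                   "https://www.partner.example/pay",
                   "https://evil.example/form"):
        req = {"source": source, "destination": "https://bank.example/transfer",
               "headers": {"Cookie": cookie}}
        print(source, "->", process_request(conn, req)["headers"])
```

The same-origin request keeps its cookie, the partner-site request loses only the session value, and the request from an unlisted origin is sent without any Cookie header, which is the outcome the description relies on: the server side cannot tie the request to a user and performs no user-bound operation.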
As shown in Fig. 2, the invention correspondingly provides a method for preventing cross-site request forgery attacks, implemented by the system of Fig. 1. The method comprises:
Step S201: the client generates an HTTP request when it receives page information from the browser. This step is performed by the request generation module 10 shown in Fig. 1.
Step S202: the client filters the cookie information in the HTTP request according to the policy file obtained from the server side. This step is performed by the processing module 20 shown in Fig. 1.
Step S203: the client sends the filtered HTTP request to the server side. This step is performed by the request sending module 30 shown in Fig. 1.
Preferably, the step in which the client filters the cookie information in the HTTP request according to the policy file obtained from the server side comprises: the client searches the local file system for the policy file associated with the HTTP request; when the client does not find the associated policy file, or the timestamp of the associated policy file in the local file system is smaller than the latest timestamp of the associated policy file on the server side, the client updates the policy file from the server side.
Preferably, after the step of searching the local file system for the policy file associated with the HTTP request, the method comprises: the client obtains the latest timestamp of the associated policy file from the server side; the client compares the timestamp of the associated policy file in the local file system with the latest timestamp of the associated policy file obtained from the server side.
Preferably, the step in which the client filters the cookie information in the HTTP request according to the policy file obtained from the server side further comprises: the client looks up processing result information in the policy file using the source address information and the target address information in the HTTP request as keys; and decides, according to the processing result information found, whether to delete or modify the cookie information in the HTTP request.
Preferably, the step in which the client looks up processing result information in the policy file using the source address information and the target address information in the HTTP request as keys comprises: the client searches the policy file for the corresponding policy entry according to the target address information in the HTTP request, the policy file comprising a plurality of policy entries each composed of source address information, target address information and processing result information; the client judges whether the source address information in the HTTP request matches the source address information in the policy entry found; if it matches, the processing result information in the policy entry found is the required processing mode.
Fig. 3 is the flow chart that the present invention prevents a kind of specific embodiment of method across station request forgery attack.This flow process comprises the following steps:
Step S301, client generates HTTP request.When user uses client 100 browsing page, the event (as clicked) that client can trigger on webpage according to the script sentence of webpage or user, generates HTTP request.In the present invention, client can not perform after generating HTTP request at once, but introduces the handling process of following steps.
Step S302, checks whether the strategy file corresponding with HTTP request in local file system.If have, enter step S303, otherwise enter step S305.After client 100 generates HTTP request, client checks the target URL of this HTTP request, searches whether there is corresponding strategy file according to the domain name at target URL in local file system.Local strategy file can be given tacit consent to and all leaves in a certain catalogue, and according to fixing file name formats (as " policy_ domain name .sqlite ").As long as be aware of the domain name field of the target URL of certain request like this, just can obtain path and the filename of its local policy file accordingly, and then know whether this local policy file exists and it revises the date recently.
Step S303: According to the domain name of the request's target, the client sends a GET request to the time service interface of the corresponding domain and obtains the latest timestamp of that domain's policy file. This time service interface can be a page script whose URL is at a fixed location under the domain name, for example "domain name/time.jsp". Its function is to accept the GET request, read the modification date of the domain's policy file (for example "domain name/policy_domain name.sqlite"), add that date value to the response message, and return the response message to the client that sent the GET request.
Step S304: The client judges whether the timestamp of the local policy file is less than the timestamp of the policy file obtained by the GET request. If the local timestamp is less than the timestamp obtained by the GET request, step S305 is performed; if the local timestamp is not less than it, step S306 is performed. In this step, a smaller timestamp means an earlier modification time, so the policy file is older; a larger timestamp means a later modification time, so the policy file is newer.
Step S305: The client updates the local policy file. Specifically, because the client's local policy file does not exist or its timestamp is older than the timestamp of the server-side policy file, it needs to be updated so that the policy file used by the client is up to date. The client can initiate a file download request to the server, download the server's policy file to a local default path, and overwrite the local policy file (if one exists in the local file system).
Step S306: The client reads the local policy file and queries it. In this step, the content of the policy file consists of several policy entries of the form "source address information, target address information, processing result information", where the source address is expressed as a regular expression. The client looks up the corresponding entry in the policy file according to the target address of this HTTP request. After finding the corresponding entry, it checks whether the source address of this HTTP request matches the source address regular expression of that entry; if it matches, the processing result field of that entry is the required processing mode.
Step S307: The client filters the HTTP request according to the processing result found. Specifically, the client processes the HTTP request according to the processing result information found in step S306: if the result is safe, the request is not modified; if the result is unsafe, the cookie field in this request is deleted; if the result carries another description, for example deleting only certain values in the cookie, then the corresponding values in the cookie field of this request are deleted.
Step S308: The client sends the processed request to the server.
Step S309: The server receives the request and performs the corresponding processing.
Because a CSRF attack can succeed only by using the user's legitimate cookie, if this HTTP request is a legitimate request, its policy entry is shown as "allowed" in the policy file and its cookie field is retained. If this HTTP request is an illegitimate request, its policy entry does not appear in the policy file (that is, no processing result information can be found in the policy file using the source address information and target address information of the HTTP request as the key), or it is shown as "not allowed", so its cookie field is deleted. When the HTTP request that the server receives from the client does not contain a cookie field, the server cannot determine the user's identity and therefore cannot perform any operation tied to that user identity, which prevents the CSRF attack.
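A minimal model of steps S304, S306 and S307 in Python, added here as an illustration and not code from the patent; the policy entries, the "delete:<cookie names>" result syntax, the integer timestamps and the fail-closed handling of unknown results are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed policy entries in the page's "source address, target address,
# processing result" form; the source field is a regular expression.
# The entries and the "delete:<names>" result syntax are assumptions made here.
PolicyEntry = Tuple[str, str, str]
POLICY: List[PolicyEntry] = [
    (r"^https://bank\.example/",    "https://bank.example/transfer", "safe"),
    (r"^https://partner\.example/", "https://bank.example/transfer", "delete:session"),
    (r".*",                         "https://bank.example/public",   "safe"),
]


def policy_needs_update(local_ts: Optional[int], server_ts: int) -> bool:
    """Steps S304/S305: a missing local file (None) or a smaller timestamp means
    the local copy is older than the server's and must be downloaded again."""
    return local_ts is None or local_ts < server_ts


def lookup_policy(policy: List[PolicyEntry], source: str, target: str) -> Optional[str]:
    """Step S306: select entries by target address, then match the request's source
    address against the entry's regular expression. None means no entry applies."""
    for source_re, entry_target, result in policy:
        if entry_target == target and re.match(source_re, source):
            return result
    return None


def filter_cookie(cookie_header: str, result: Optional[str]) -> Optional[str]:
    """Step S307: apply the processing result to a Cookie header value.
    'safe' keeps it unchanged; 'unsafe' or no matching entry drops the whole
    header; 'delete:a,b' removes only the named cookies. None means drop it."""
    if result == "safe":
        return cookie_header
    if result is None or result == "unsafe":
        return None
    if result.startswith("delete:"):
        doomed = {name.strip() for name in result[len("delete:"):].split(",")}
        kept = []
        for part in cookie_header.split(";"):
            part = part.strip()
            if part and part.split("=", 1)[0].strip() not in doomed:
                kept.append(part)
        return "; ".join(kept) if kept else None
    # Assumption: an unrecognised result description is treated like "unsafe".
    return None


def process_request(headers: Dict[str, str], policy: List[PolicyEntry],
                    source: str, target: str) -> Dict[str, str]:
    """Steps S306-S307 on a request header dict; the result is what S308 sends."""
    out = dict(headers)
    if "Cookie" in out:
        filtered = filter_cookie(out["Cookie"], lookup_policy(policy, source, target))
        if filtered is None:
            del out["Cookie"]
        else:
            out["Cookie"] = filtered
    return out
```

A request whose source and target pair has no entry loses its whole Cookie header, which is the fail-closed behaviour the text relies on.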
In summary, the present invention maintains at the client a policy file obtained from the server, decides according to the content of this policy file whether to retain the cookie information of each HTTP request generated by the client and filters the request accordingly, and finally sends the filtered HTTP request to the server. Because the policy file is provided by the server, the server can precisely define from which pages it wishes to receive requests, and the client judges the authenticity of each HTTP request according to the policy file. This ensures that requests not allowed by the policy file cannot carry the user's cookie and that requests the server does not wish to accept are not sent by the client, thereby ensuring the network security of the client. It solves the problem in the prior art that the server does not know the context in which a client request was sent and the client does not know which requests the server wishes to accept.
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the present invention, and all such corresponding changes and modifications should fall within the protection scope of the claims appended to the present invention.

Claims (10)

1. A method for preventing cross-site request forgery attacks, characterized in that the method comprises:
a client generating an HTTP request when receiving a page message from a browser;
the client filtering the cookie information in the HTTP request according to a policy file obtained from a server;
the client sending the filtered HTTP request to the server.
2. The method according to claim 1, characterized in that the step of the client filtering the cookie information in the HTTP request according to the policy file obtained from the server comprises:
the client searching the local file system for the policy file associated with the HTTP request;
if the associated policy file is not found, or the timestamp of the associated policy file in the local file system is less than the latest timestamp of the associated policy file on the server, the client updating the policy file from the server.
3. The method according to claim 2, characterized in that, after the step of the client searching the local file system for the policy file associated with the HTTP request, the method comprises:
the client obtaining the latest timestamp of the associated policy file from the server;
the client comparing the timestamp of the associated policy file in the local file system with the latest timestamp of the associated policy file obtained from the server.
4. The method according to claim 1, characterized in that the step of the client filtering the cookie information in the HTTP request according to the policy file obtained from the server further comprises:
the client looking up processing result information in the policy file using the source address information and target address information in the HTTP request as the key;
and determining, according to the processing result information found, whether to delete or modify the cookie information in the HTTP request.
5. The method according to claim 4, characterized in that the step of the client looking up processing result information in the policy file using the source address information and target address information in the HTTP request as the key comprises:
the client looking up the corresponding policy entry in the policy file according to the target address information in the HTTP request, the policy file comprising a plurality of policy entries each composed of source address information, target address information and processing result information;
the client judging whether the source address information in the HTTP request matches the source address information in the policy entry found;
if it matches, the processing result information in the policy entry found being the required processing mode.
6. A system for preventing cross-site request forgery attacks, the system comprising a client and a server, characterized in that the client comprises:
a request generation module for generating an HTTP request when a page message is received from the browser;
a processing module for filtering the cookie information in the HTTP request according to the policy file obtained from the server;
a request sending module for sending the filtered HTTP request to the server.
7. The system according to claim 6, characterized in that the processing module further comprises a policy file updating unit,
the policy file updating unit being used to search the local file system for the policy file associated with the HTTP request and, when the associated policy file is not found or the timestamp of the associated policy file in the local file system is less than the latest timestamp of the associated policy file on the server, to update the policy file from the server.
8. The system according to claim 7, characterized in that the policy file updating unit comprises:
a timestamp obtaining subunit for obtaining the latest timestamp of the associated policy file from the server;
a timestamp comparison subunit for comparing the timestamp of the associated policy file in the local file system with the latest timestamp of the associated policy file obtained from the server.
9. The system according to claim 6, characterized in that the processing module further comprises a cookie information filtering unit,
the cookie information filtering unit being used to look up processing result information in the policy file using the source address information and target address information in the HTTP request as the key, and to determine, according to the processing result information found, whether to delete or modify the cookie information in the HTTP request.
10. The system according to claim 9, characterized in that the cookie information filtering unit comprises:
a policy entry query subunit for looking up the corresponding policy entry in the policy file according to the target address information in the HTTP request, the policy file comprising a plurality of policy entries each composed of source address information, target address information and processing result information;
a matching subunit for judging whether the source address information in the HTTP request matches the source address information in the policy entry found, and, if it matches, taking the processing result information in the policy entry found as the required processing mode.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510394384.4A CN105100084B (en) 2015-07-07 2015-07-07 Method and system for preventing cross-site request forgery attack

Publications (2)

Publication Number Publication Date
CN105100084A true CN105100084A (en) 2015-11-25
CN105100084B CN105100084B (en) 2018-03-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240320

Address after: Room 711C, Floor 7, Building A, Yard 19, Ronghua Middle Road, Daxing District, Beijing Economic-Technological Development Area, 100176

Patentee after: Beijing Zhongke Flux Technology Co.,Ltd.

Country or region after: China

Address before: 100190 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing, Haidian District

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

Country or region before: China

TR01 Transfer of patent right