CN106250761A - A kind of unit identifying web automation tools and method - Google Patents
A kind of unit identifying web automation tools and method Download PDFInfo
- Publication number
- CN106250761A CN106250761A CN201610607509.1A CN201610607509A CN106250761A CN 106250761 A CN106250761 A CN 106250761A CN 201610607509 A CN201610607509 A CN 201610607509A CN 106250761 A CN106250761 A CN 106250761A
- Authority
- CN
- China
- Prior art keywords
- call stack
- page
- function call
- automation tools
- sandbox
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The present invention discloses a kind of unit identifying web automation tools and method.Wherein, identify the equipment of web automation tools, including: memorizer and processor;Described memorizer, stores javascript detection script;Described processor, the javascript detection script of preset described memorizer storage in the page, obtain function call stack when javascript detection script is made mistakes in page access side's operation page, from described function call stack, find out setting feature, determine that described page access side is web automation tools by described setting feature.The scheme that the present invention provides, can relatively efficiently identify web automation tools.
Description
Technical field
The present invention relates to mobile internet technical field, be specifically related to a kind of unit identifying web automation tools
And method.
Background technology
Along with the development of mobile Internet application, finance, application service provider, ecommerce and government unit etc.
Its operation system is all transplanted on web by all kinds of mechanisms.Because carrying the core business of all kinds of client, web more and more
Become topmost information promulgating platform on the Internet.But, increasing web automation tools is also developed, this
A little web automation tools are used for practising fraud by some malicious access persons sometimes.Such as some malicious access person, uses web automatization
Instrument access web page, with program code construct user behavior (as click on or drag mouse, input through keyboard character, at touch screen
Upper click or dragging etc.), go the activity participating on the page, send out rubbish note and comment spam, carry out that brush is single or brush is praised, it is virtual to get
The resources such as article, whole process is that automatic programming completes the most entirely, it is not necessary to visitor is manual operation as normal users.
These utilize the cheating that web automation tools completes, and can give internet product service provider, bring economic loss and
Negative effect in public praise, also damages the experience of normal users simultaneously.Therefore, how to identify this kind of web automation tools, be to work as
The major issue above faced.
The existing recognition methods for web automation tools, is only capable of detecting some obvious features, and these features
It is easy to the person of being hacked evade.Such as, some of the browser that the existing traditional recognition method person that is read access is used are complete
The most whether office's variable, as browser client acts on behalf of navigator.userAgent character string, it is judged that with the automatic chemical industry of web
According to the keyword with web automation tools, the keyword of tool, judges that this browser is web automation tools.But, no
Few web automation tools can revise the navigator.userAgent of oneself easily, and disguise oneself as normal browser.It addition,
Increasing web automation tools is also with sandbox mechanism, and its web page loaded operates in sandbox environment completely, husky
Case environment is very much like with normal browser environment, though certain delicate environmental difference in being found that sandbox, such as certain overall situation
Attribute is different from normal browser, malicious access person also can easily by environmental variable corresponding in amendment sandbox, thus
Evade rapidly detected and identify.
In sum, the method for existing identification web automation tools also cannot highly desirable identify web automatization
Instrument.
Summary of the invention
For solving above-mentioned technical problem, the present invention provides a kind of unit identifying web automation tools and method,
Can relatively efficiently identify web automation tools.
According to an aspect of the present invention, it is provided that a kind of equipment identifying web automation tools, including memorizer and place
Reason device;
Described memorizer, stores javascript detection script;
Described processor, the javascript detection script of preset described memorizer storage in the page, obtain the page and visit
Function call stack when javascript detection script is made mistakes in the side's of asking operation page, finds out from described function call stack and sets
Determine feature, determine that described page access side is web automation tools by described setting feature.
Preferably, described processor call stack and/or look into across sandbox call stack in the sandbox of described function call stack
Find out setting feature.
According to another aspect of the present invention, it is provided that a kind of device identifying web automation tools, including:
Acquisition module, for obtaining function tune when javascript detection script is made mistakes in page access side's operation page
With stack, wherein said javascript detection script is preset in the middle of the described page;
Search module, for finding out setting feature from the function call stack that described acquisition module obtains;
Identification module, for by the setting feature of described lookup module searches determine described page access side be web from
Dynamic chemical industry tool.
Preferably, described lookup module includes:
First searches submodule, for finding out setting feature call stack in the sandbox of described function call stack;With/
Or,
Second searches submodule, for finding out setting feature across sandbox call stack from described function call stack.
Preferably, described identification module is searched in the sandbox that submodule finds described function call stack according to described first
Call stack lack Exception Type or there is global code keyword, determining that described page access side is web automation tools.
Preferably, described identification module according to described second search submodule find described function call stack across sandbox
Call stack exists web automation tools keyword, evaluation keyword or overall situation action scope keyword, determines described page access
Side is web automation tools.
Preferably, described device also includes: preset module, detects foot for preset javascript in the described page
This, arrange the Proxy Method acting on behalf of DOM Document Object Model DOM standard method in described preset javascript detection script
Call for described page access side.
Preferably, described preset module rewrites established standards method in described Proxy Method, sets mark so that described
The return value of quasi-method is identical with the return value holding of the method for the same name of described DOM standard method.
Preferably, described preset module arranges actively to dish out in described Proxy Method and sets the exception of type.
Preferably, described acquisition module Proxy Method of javascript detection script in page access side's invoking page
And described Proxy Method dishes out after setting the exception of type, obtain the complete function call stack comprised in described exception, described
Function call stack calls the function information to the exception throws point the called function of innermost layer containing being described from outermost;
Described lookup module, by resolving the information of the exception throws point in described function call stack, is searched described function and is adjusted
Setting feature whether is contained with stack.
According to another aspect of the present invention, it is provided that a kind of method identifying web automation tools, including:
Obtain function call stack when javascript detection script is made mistakes in page access side's operation page, wherein said
Javascript detection script is preset in the middle of the described page;
Setting feature is found out from described function call stack;
Determine that described page access side is web automation tools by described setting feature.
Preferably, described from described function call stack, find out setting feature, including:
Call stack and/or find out setting feature across sandbox call stack in the sandbox of described function call stack.
Preferably, described determine that described page access side is web automation tools by described setting feature, including:
Call stack lacks in the sandbox according to described function call stack Exception Type or there is global code keyword, really
Fixed described page access side is web automation tools.
Preferably, described determine that described page access side is web automation tools by described setting feature, including:
In sandbox call stack, web automation tools keyword, evaluation keyword is there is according to described function call stack
Or overall situation action scope keyword, determine that described page access side is web automation tools.
Preferably, described method also includes:
The Proxy Method confession acting on behalf of DOM Document Object Model DOM standard method it is provided with in described javascript detection script
Described page access side calls.
Preferably, the established standards method in described Proxy Method is rewritten, so that the returning of described established standards method
Return value identical with the return value holding of the method for the same name of described DOM standard method.
Preferably, described method also includes:
Arranging in described Proxy Method actively dishes out sets the exception of type.
Preferably, function call when javascript detection script is made mistakes during described acquisition page access side runs the page
Stack, including:
In page access side's invoking page, Proxy Method and the described Proxy Method of javascript detection script is dished out
After setting the exception of type, obtaining the complete function call stack comprised in described exception, described function call stack is containing being described
The function information to the exception throws point the called function of innermost layer is called from outermost;
Described from described function call stack, find out setting feature, including:
By resolving the information of the exception throws point in described function call stack, search whether described function call stack contains
Set feature.
It is found that the technical scheme of the embodiment of the present invention, the javascript detection script of preset setting in the page,
Javascript detection script preset in the described page can be run, then by obtaining page when page access side's accession page
Face access side runs function call stack when javascript detection script is made mistakes, it is possible to search from described function call stack
Go out to set feature, determine that described page access side is web automation tools, even if so that web is automatic by setting feature
Chemical industry tool is with sandbox mechanism, it is also possible to the setting feature identification found out based on function call stack goes out web automation tools,
Therefore the technical scheme of the embodiment of the present invention can relatively efficiently identify web automation tools.
Further, in the embodiment of the present invention, can according to call stack in the sandbox of described function call stack and/or across
The setting feature found out in sandbox call stack determines that described page access side is web automation tools, say, that can be only
Utilize call stack in sandbox, or merely with across sandbox call stack, or utilize in sandbox call stack and across sandbox call stack simultaneously, come
Identify web automation tools.
Further, the embodiment of the present invention can arrange in described javascript detection script and act on behalf of DOM
The Proxy Method of (Document Object Model, DOM Document Object Model) standard method calls, also for described page access side
I.e. call for described page access side by arranging javascript honey jar so that produce and be used for knowing across sandbox call stack
Not.
Further, the embodiment of the present invention can rewrite established standards method in described Proxy Method, so that described
The return value of established standards method is identical with the return value holding of the method for the same name of described DOM standard method, in order to be prevented effectively from
Malicious access person finds the javascript honey jar arranged, and strengthens the disguise of identifying schemes, and then improves malicious access person's rule
The difficulty kept away.
Further, the embodiment of the present invention can arrange actively to dish out in described Proxy Method and set the exception of type,
Malicious access person cannot be distorted easily.
Accompanying drawing explanation
By combining accompanying drawing, disclosure illustrative embodiments is described in more detail, the disclosure above-mentioned and its
Its purpose, feature and advantage will be apparent from, wherein, in disclosure illustrative embodiments, and identical reference number
Typically represent same parts.
Fig. 1 is the schematic block of a kind of equipment identifying web automation tools according to an embodiment of the invention
Figure;
Fig. 2 is the schematic block of a kind of device identifying web automation tools according to an embodiment of the invention
Figure;
Fig. 3 is that another of a kind of device identifying web automation tools according to an embodiment of the invention is schematic
Block diagram;
Fig. 4 is the schematic flow of a kind of method identifying web automation tools according to an embodiment of the invention
Figure;
Fig. 5 is that another of a kind of method identifying web automation tools according to an embodiment of the invention is schematic
Flow chart.
Detailed description of the invention
It is more fully described the preferred implementation of the disclosure below with reference to accompanying drawings.Although accompanying drawing shows the disclosure
Preferred implementation, however, it is to be appreciated that may be realized in various forms the disclosure and the embodiment party that should not illustrated here
Formula is limited.On the contrary, it is provided that these embodiments are to make the disclosure more thorough and complete, and can be by the disclosure
Scope intactly conveys to those skilled in the art.
The present invention provides a kind of equipment identifying web automation tools, can relatively efficiently identify the automatic chemical industry of web
Tool.
Fig. 1 is the schematic block of a kind of equipment identifying web automation tools according to an embodiment of the invention
Figure.
As it is shown in figure 1, the equipment 10 at a kind of web of identification automation tools includes: memorizer 11 and processor 12.
Described memorizer 11, stores javascript detection script.
Described processor 12, in the page, the javascript detection script of preset described memorizer 11 storage, obtains page
Function call stack when face access side runs that in the page, javascript detection script is made mistakes, searches from described function call stack
Go out to set feature, determine that described page access side is web automation tools by described setting feature.
Described processor 12 call stack and/or find out across sandbox call stack in the sandbox of described function call stack sets
Determine feature.
Processor 12 in the equipment of above-mentioned identification web automation tools, can as an independent apparatus structure,
This independent apparatus structure is properly termed as a kind of device identifying web automation tools, the device of this identification web automation tools
Multiple submodule can be included, below in conjunction with Fig. 2 and Fig. 3, the structure of the device of this identification web automation tools is carried out in detail
Describe in detail bright.
Fig. 2 is the schematic block of a kind of device identifying web automation tools according to an embodiment of the invention
Figure.
As in figure 2 it is shown, may include that acquisition module 21 in the device 20 of a kind of web of identification automation tools, search mould
Block 22 and identification module 23.
Acquisition module 21, for obtaining function when javascript detection script is made mistakes in page access side's operation page
Call stack, wherein said javascript detection script is preset in the middle of the described page.
Search module 22, for finding out setting feature from the function call stack that described acquisition module obtains.
For the setting feature searched by described lookup module 22, identification module 23, determines that described page access side is
Web automation tools.
Search module 22 can in the sandbox of described function call stack call stack and/or find out across sandbox call stack
Set feature.
From this embodiment, the technical scheme of the embodiment of the present invention, the javascript inspection of preset setting in the page
Survey script, javascript detection script preset in the described page can be run when page access side's accession page, then be logical
Cross the function call stack obtained when page access side's operation javascript detection script is made mistakes, it is possible to from described function call
Stack finds out setting feature, determines that described page access side is web automation tools by setting feature, even if so that
Web automation tools is with sandbox mechanism, it is also possible to it is automatic that the setting feature identification found out based on function call stack goes out web
Chemical industry has, and therefore the technical scheme of the embodiment of the present invention can relatively efficiently identify web automation tools.
Fig. 3 is that another of a kind of device identifying web automation tools according to an embodiment of the invention is schematic
Block diagram.
As it is shown on figure 3, may include that acquisition module 21 in the device 20 of a kind of web of identification automation tools, search mould
Block 22, identification module 23, preset module 24.
Wherein, acquisition module 21, search module 22, identification module 23 function shown in Figure 2.
Wherein, described lookup module 22 may include that the first lookup submodule 221 and/or second searches submodule 222.
First searches submodule 221, for finding out setting feature call stack in the sandbox of described function call stack.
Second searches submodule 222, for finding out setting feature across sandbox call stack from described function call stack.
Wherein, described identification module 23 is searched submodule 221 according to described first and is found the sand of described function call stack
Call stack lack in case Exception Type or there is global code global code keyword, determining that described page access side is
Web automation tools.
Wherein, described identification module 23 according to described second search submodule 222 find described function call stack across
Sandbox call stack exists web automation tools keyword, evaluation keyword (evaluate) or overall situation action scope global
Scope keyword, determines that described page access side is web automation tools.
Preset module 24, for preset javascript detection script in the described page, described preset
Javascript detection script arranges the Proxy Method acting on behalf of DOM Document Object Model DOM standard method for described page access side
Call.
Wherein, described preset module 23 rewrites established standards method in described Proxy Method, sets mark so that described
The return value of quasi-method is identical with the return value holding of the method for the same name of described DOM standard method.
Wherein, described preset module 23 arranges actively to dish out in described Proxy Method and sets the Exception Type of type.
Wherein, described acquisition module 21 Proxy Method of javascript detection script in page access side's invoking page
And described Proxy Method dishes out after setting the exception of type, obtain the complete function call stack comprised in described exception, described
Function call stack calls the function information to the exception throws point the called function of innermost layer containing being described from outermost;
Described lookup module 22, by resolving the information of the exception throws point in described function call stack, searches described function
Whether call stack contains setting feature.
A kind of equipment identifying web automation tools of the above-mentioned present invention of describing in detail and device, send out for introduced below
The method of the identification web automation tools of bright correspondence.
Fig. 4 is the schematic flow of a kind of method identifying web automation tools according to an embodiment of the invention
Figure.
As shown in Figure 4, in step 401, obtain javascript detection script in page access side's operation page to make mistakes
Time function call stack, wherein said javascript detection script is preset in the middle of the described page.
This step can be obtained page access side run in the page by the device of identification web automation tools
Function call stack when javascript detection script is made mistakes.
Wherein, preset javascript detection script, its source code can be the code obscured, in case by malicious access person
Identify purposes.
In step 402, from described function call stack, setting feature is found out.
This step can be found out setting feature by the device of identification web automation tools from described function call stack.
Wherein, this step can call stack and/or lookup across sandbox call stack in the sandbox of described function call stack
Go out to set feature.
In step 403, determined that by described setting feature identifying described page access side is automation tools.
This step can be determined by described setting feature identified described page by the device of identification web automation tools
Face access side is automation tools.
Wherein, determine that described page access side is web automation tools by described setting feature, may include that basis
Call stack lacks in the sandbox of described function call stack Exception Type or there is global code global code keyword, really
Fixed described page access side is web automation tools.
Wherein, determine that described page access side is web automation tools by described setting feature, it is also possible to including: root
In sandbox call stack, web automation tools keyword, evaluation keyword (evaluate) is there is according to described function call stack
Or overall situation action scope global scope keyword, determine that described page access side is web automation tools.
It should be noted that, said method can also include: is provided with generation in described preset javascript detection script
The Proxy Method of reason DOM standard method calls for described page access side.Wherein, the established standards method in described Proxy Method
It is rewritten, so that the return value of the method for the same name of the return value of described established standards method and described DOM standard method keeps
Identical.Described method can also include: actively dishing out in described Proxy Method sets the exception of type.
It should be noted that, letter when javascript detection script is made mistakes in the above-mentioned acquisition page access side operation page
Number call stack, may include that the Proxy Method of javascript detection script in page access side's invoking page and described generation
Reason method dish out set type exception after, obtain the complete function call stack comprised in described exception, described function call
Stack calls the function information to the exception throws point the called function of innermost layer containing being described from outermost;Above-mentioned from institute
State and function call stack finds out setting feature, may include that by the exception throws point in the described function call stack of parsing
Information, searches whether described function call stack contains setting feature.
From this embodiment, the technical scheme of the embodiment of the present invention, the javascript inspection of preset setting in the page
Survey script, javascript detection script preset in the described page can be run when page access side's accession page, then be logical
Cross the function call stack obtained when page access side's operation javascript detection script is made mistakes, it is possible to from described function call
Stack finds out setting feature, determines that described page access side is web automation tools by setting feature, even if so that
Web automation tools is with sandbox mechanism, it is also possible to it is automatic that the setting feature identification found out based on function call stack goes out web
Chemical industry has, and therefore the technical scheme of the embodiment of the present invention can relatively efficiently identify web automation tools.
Fig. 5 is that another of a kind of method identifying web automation tools according to an embodiment of the invention is schematic
Flow chart.
Fig. 5 describe in more detail the technical scheme of the embodiment of the present invention relative to Fig. 4.
The technical scheme of the embodiment of the present invention is by luring web automation tools to quote the function call stack of oneself, logical
Cross the difference checking that the setting feature of this call stack finds its environment and normal page access side, thus identify web automatization
Instrument.Web automation tools described in the embodiment of the present invention, such as, can be existing based on various rendering engines without interface
Browser (such as PhantomJS, SlimerJS, TrifileJS and spin-off thereof) and the instrument etc. of other simulation normal browser
(such as HtmlUnit).
As it is shown in figure 5, in step 501, preset javascript detection script is embedded in advance at web page.
The embodiment of the present invention embeds one section of javascript detection script in web page in advance, and this script achieves base
Automation tools detection technique in call stack.When malicious access person is prefixed javascript with the loading of web automation tools
The web page of detection script, and when the page injects malicious script, above-mentioned javascript detection script just can detect currently
Whether the visitor of the page employs web automation tools.
It should be noted that, described preset javascript detection script, its source code can carry out obscuring process, in case
Purposes is identified by malicious access person.
Wherein, the embodiment of the present invention can also arrange in described preset javascript detection script and act on behalf of DOM mark
The Proxy Method of quasi-method calls for web automation tools.Generate the Proxy Method acting on behalf of some DOM standard methods, that is to say
Arranging javascript honey jar, induction malicious access person calls these Proxy Methods.Described honey jar is it can be understood as be information
Collection system, honey jar is the target deliberately allowing people attack, and decoy attack person comes to attack, after assailant invades, it is possible to know
The attack pattern of road assailant, thus understand new attack and the leak of self defence existence that assailant starts.Therefore, as
When really the malicious script of web automation tools calls these Proxy Methods that web page is provided, generation will be triggered across sand
Case call stack.Generic function call stack can include in sandbox call stack or across sandbox call stack.Wherein, with normal browser phase
Ratio, in sandbox there is trickle characteristic difference in call stack, there is obvious characteristic difference across sandbox call stack, therefore by arranging
Proxy Method calls for web automation tools to trigger and produces across sandbox call stack, can be easier to identify web automatization
Instrument.It should be noted that, being identified across sandbox call stack if do not used, then can be not provided with above-mentioned Proxy Method.
The Proxy Method of DOM standard method is set in described preset javascript detection script, including but do not limit
DOM Document Object Model DOM standard method in amendment sandbox, such as document.getElementById () method etc..Generally this
Class method is the DOM standard method that malicious access person positions or distorts page elements, analog subscriber must be used time mutual.With
As a example by document.getElementById method, the embodiment of the present invention can arrange agency
Document.getElementById method.
Further, the embodiment of the present invention can also arrange actively throw exception in Proxy Method, subsequently through inspection
The call stack of this exception, checks whether there is suspicious feature in call stack to identify web automation tools.Described dishing out is different
Often (throw exception), it is a routine processes action in the front end scripts such as javascript.Throw exception refers to
When the front end language codes such as javascript operate in the web client environment such as browser, due to code logic or operation ring
This line code that border etc. are wrong and cause web client to be immediately terminated current execution, generates an exception object and to upper level
Calling function and return this exception object, upper level calls function and can select to capture this exception, and is analyzed call stack.Logical
Often, exception object can comprise the context of code currently performing to make mistakes and call description information (the such as institute in path
Filename, line number, function name etc.), the most commonly referred call stack.The embodiment of the present invention is actively dished out in Proxy Method
Abnormal, obtain the call stack of this exception, resolve this call stack, it is judged that whether this call stack contains suspicious feature, according to judgement
Result identifies web automation tools.It is said that in general, different web automation tools have different call stack features.
The embodiment of the present invention, by actively throw exception, obtains the call stack of this exception and resolves this call stack, can dash forward
The sandbox of more broken web automation tools limits, and detects its feature across sandbox call stack.For the exception actively dished out,
The Exception Type that can select the setting type that some malicious access persons cannot distort easily is dished out, such as TypeError (class
Type mistake) Exception Type etc. of type.
It should be noted that, in order to not cause the suspection of malicious access person, the Proxy Method that the embodiment of the present invention is arranged is permissible
Use the mode calling real document.getElementById () method, and execution result is returned to malicious access
Person.By the proxied DOM standard method that Selection and call is real, and result will be called return to called side (such as malicious access
Person), called side can be avoided to find that this is the javascript honey jar set, and then try every possible means to evade detection.
It should be noted that, equally in order to not cause the suspection of malicious access person, the agent that the embodiment of the present invention is arranged
Method can rewrite the standard method setting type, the toString of such as document.getElementById,
The standard methods such as toLocaleString, valueOf and toSource, in order to avoid malicious access person views the interior of Proxy Method
Portion's source code.By rewriteeing the standard methods such as toString, toLocaleString, valueOf, toSource, make these standards
The return value of method is identical with the return value holding of the method for the same name of DOM standard method, can be prevented effectively from malicious access person and send out
The honey jar of existing above-mentioned setting, thus strengthen the disguise of this programme, and then improve the difficulty that malicious access person evades.
In step 502, page access side loads web page, runs the javascript detection script in the page.
In step 503, obtain function when javascript detection script is made mistakes in page access side's operation page to adjust
Use stack.
In this step, can obtain when in page access side's operation page, preset javascript detection script is made mistakes
Function call stack, including call stack in sandbox and/or across sandbox call stack.Wherein, compared with normal browser, call in sandbox
There is trickle characteristic difference in stack, there is obvious characteristic difference across sandbox call stack.
In step 504, described page access is gone out according to the setting feature identification found out from described function call stack
Side is web automation tools.
This step according to call stack in the sandbox of described function call stack and/or can find out in sandbox call stack
Setting feature identification to go out described page access side be automation tools.
1) institute can be gone out according only to the setting feature identification found out in call stack in the sandbox of described function call stack
Stating page access side is automation tools, including: according in the sandbox of described function call stack, call stack lacks Exception Type
Or there is global code global code keyword, identifying described page access side is automation tools.
In normal browser, when the javascript detection script on web page is run and is made mistakes, javascript
Engine can throw exception, this exception comprises complete function call stack, call stack describe from outermost call function to
The information of the exception throws point in the called function of innermost layer, includes but not limited to function name, filename, line number, row number etc..
Citing describes, and when accessing certain website, normal browser is dished out call stack, when can run in normal browser with intercept page
The front two segment call stacks printed, this two segment calls stack is calling during normal javascript detection script execution in being the page
Call stack in stack, referred to as sandbox.When using web automation tools to access identical website, call stack of dishing out is (with PhantonJS
As a example by), first three the segment call stack printed when can run in web automation tools with intercept page, same, the most first two sections
Be the call stack of normal javascript detection script in the page, i.e. call stack in sandbox, the 3rd section is then by web automatization
The call stack of the javascript detection script that instrument is injected in the page, is referred to as across sandbox call stack.
In the past two sections it can be seen that in the sandbox of PhantomJS the form of call stack different with normal browser, the brightest
Aobvious feature does not has Exception Type TypeError exactly.Secondly, for the description of overall situation javascript function, web automatization
Instrument PhantomJS global code keyword, generic browser does not the most use global code keyword.Cause
This, according to lacking Exception Type in call stack in the sandbox of described function call stack or there is global code global code pass
Key word, can identify described page access side is web automation tools.
2) institute can be gone out according only to from the setting feature identification found out in sandbox call stack of described function call stack
Stating page access side is web automation tools, including: in sandbox call stack, there is automatization according to described function call stack
Instrument key, evaluation keyword (evaluate) or overall situation action scope global scope keyword, identify the described page
Access side is web automation tools.
By call stack in contrast sandbox, the feature of web automation tools the most can be identified, but become apparent from
Method is to obtain identifying across sandbox call stack, and the malicious script inputted malicious access person across sandbox call stack calls web
The Proxy Method that the page provides can trigger generation.The existing automation tools of web without interface, although can set up and browser execution
The sandbox that environment is similar, and the malicious script that injects toward the page of malicious access person can be run across sandbox thus handle full page,
But malicious script across sandbox call stack, it is possible to intactly expose it from sandbox to calling path in sandbox, therefore lead to
Cross across sandbox call stack to identify that web automation tools is than relatively limited mode.
As a example by web automation tools PhantomJS, it is by web automation tools PhantomJS across sandbox call stack
Sandbox mechanism to web page inject malicious script code time, trigger exception and then the call stack printed.Call from this
Stack can be seen that malicious script complete across sandbox invoked procedure, be first malicious access person ground of injection script from sandbox
Side starts, global context in entrance sandbox, performs the code injected, then the script injected to malicious access person causes different
Often.Whole in sandbox call stack, the most obvious feature is exactly containing web automation tools phantomjs keyword, next to that
Containing evaluation keyword (evaluate), overall situation action scope global scope keyword.If web automation tools is to use
SlimerJS, then the web automation tools keyword contained is exactly SlimerJS keyword.Therefore, adjust according to described function
With stack exist in sandbox call stack web automation tools keyword, evaluation keyword (evaluate) or the overall situation action scope
Global scope keyword, can identify described page access side is web automation tools.
It should be noted that, the embodiment of the present invention can be merely with call stack in sandbox, or merely with across sandbox call stack, or
Utilize in sandbox call stack and across sandbox call stack simultaneously, identify automation tools.
It is found that after the embodiment of the present invention uses above-mentioned recognition methods, for based on the web automation tools without interface
All kinds of attacks (include but not limited to cheating swindle, grab and climb critical data) initiated, all can effectively recognize, carrying of page application
Supplier can take appropriate measures according to recognition result, as ejected identifying code, denied access etc..And, malicious access person
Evade the relatively costly of embodiment of the present invention scheme feature, thus also there is certain practical value.The experiment proved that, the present invention
Embodiment scheme, to existing based on various rendering engines without interface browser (as PhantomJS, SlimerJS,
TrifileJS and spin-off thereof) and the instrument (such as HtmlUnit) of other simulation normal browser, the most effective.
Embodiment of the present invention scheme is compared to traditional based on the scheme of environment measuring in sandbox, and advantage essentially consists in effect
Substantially, cannot evade easily, implement the most hidden.Owing to conventional solution is easy to be realized by malicious access person
Arrive, and be easy to distort the environmental variable of web automation tools, thus effect is bad.Embodiment of the present invention scheme can be adopted
With detecting the method across sandbox call stack so that malicious access person evades less easy, the most generally speaking, the present invention
The recognition methods based on call stack of embodiment scheme, all has recognition effect to numerous web automation tools, and is difficult to evade.
Above describe in detail according to technical scheme by reference to accompanying drawing.
Additionally, the method according to the invention is also implemented as a kind of computer program, this computer program include for
Perform the computer program code instruction of the above steps limited in the said method of the present invention.Or, according to the present invention's
Method is also implemented as a kind of computer program, and this computer program includes computer-readable medium, at this meter
On calculation machine computer-readable recording medium, storage has the computer program of the above-mentioned functions limited in the said method for perform the present invention.Ability
Field technique personnel will also understand is that, in conjunction with various illustrative logical blocks, module, circuit and algorithm described by disclosure herein
Step may be implemented as electronic hardware, computer software or a combination of both.
What flow chart in accompanying drawing and block diagram showed the system and method for the multiple embodiments according to the present invention may be real
Existing architectural framework, function and operation.In this, each square frame in flow chart or block diagram can represent module, a journey
Sequence section or a part for code, a part for described module, program segment or code comprises one or more for realizing regulation
The executable instruction of logic function.It should also be noted that at some as in the realization replaced, in square frame, the function of institute's labelling also may be used
With to be different from accompanying drawing the order generation of institute's labelling.Such as, two continuous print square frames can essentially perform substantially in parallel,
They can also perform sometimes in the opposite order, and this is depending on involved function.It is also noted that block diagram and/or stream
The combination of the square frame in each square frame in journey figure and block diagram and/or flow chart, can be with function or the operation performing regulation
Special hardware based system realize, or can realize with the combination of specialized hardware with computer instruction.
Being described above various embodiments of the present invention, described above is exemplary, and non-exclusive, and also
It is not limited to disclosed each embodiment.In the case of the scope and spirit without departing from illustrated each embodiment, for this skill
For the those of ordinary skill in art field, many modifications and changes will be apparent from.The selection of term used herein, purport
Explaining the principle of each embodiment, actual application or the improvement to the technology in market best, or making the art
Other those of ordinary skill is understood that each embodiment disclosed herein.
Claims (18)
1. the equipment identifying web automation tools, it is characterised in that including: memorizer and processor;
Described memorizer, stores javascript detection script;
Described processor, in the page, the javascript detection script of preset described memorizer storage, obtains page access side
Run function call stack when javascript detection script is made mistakes in the page, from described function call stack, find out setting spy
Levy, determine that described page access side is web automation tools by described setting feature.
Equipment the most according to claim 1, it is characterised in that:
Described processor in the sandbox of described function call stack call stack and/or find out across sandbox call stack setting spy
Levy.
3. the device identifying web automation tools, it is characterised in that including:
Acquisition module, for obtaining function call when javascript detection script is made mistakes in page access side's operation page
Stack, wherein said javascript detection script is preset in the middle of the described page;
Search module, for finding out setting feature from the function call stack that described acquisition module obtains;
By the setting feature of described lookup module searches, identification module, for determining that described page access side is web automatization
Instrument.
Device the most according to claim 3, it is characterised in that described lookup module includes:
First searches submodule, for finding out setting feature call stack in the sandbox of described function call stack;And/or,
Second searches submodule, for finding out setting feature across sandbox call stack from described function call stack.
Device the most according to claim 4, it is characterised in that:
Described identification module is searched submodule according to described first and is found in the sandbox of described function call stack and lack in call stack
Lack Exception Type or there is global code keyword, determining that described page access side is web automation tools.
Device the most according to claim 4, it is characterised in that:
Described identification module is searched submodule according to described second and is found depositing in sandbox call stack of described function call stack
At web automation tools keyword, evaluation keyword or overall situation action scope keyword, determine described page access side be web from
Dynamic chemical industry tool.
Device the most according to claim 3, it is characterised in that described device also includes:
Preset module, for preset javascript detection script in the described page, in described preset javascript inspection
Survey script arranges the Proxy Method acting on behalf of DOM Document Object Model DOM standard method call for described page access side.
Device the most according to claim 7, it is characterised in that:
Described preset module rewrites established standards method in described Proxy Method, so that the return of described established standards method
It is worth identical with the return value holding of the method for the same name of described DOM standard method.
Device the most according to claim 7, it is characterised in that:
Described preset module arranges actively to dish out in described Proxy Method and sets the exception of type.
Device the most according to claim 7, it is characterised in that:
The Proxy Method of described acquisition module javascript detection script in page access side's invoking page and described agency
Method dish out set type exception after, obtain the complete function call stack comprised in described exception, described function call stack
The function information to the exception throws point the called function of innermost layer is called from outermost containing being described;
Described lookup module, by resolving the information of the exception throws point in described function call stack, searches described function call stack
Whether contain setting feature.
11. 1 kinds of methods identifying web automation tools, it is characterised in that including:
Obtain function call stack when javascript detection script is made mistakes in page access side's operation page, wherein said
Javascript detection script is preset in the middle of the described page;
Setting feature is found out from described function call stack;
Determine that described page access side is web automation tools by described setting feature.
12. methods according to claim 11, it is characterised in that described finding out from described function call stack sets spy
Levy, including:
Call stack and/or find out setting feature across sandbox call stack in the sandbox of described function call stack.
13. methods according to claim 12, it is characterised in that described determine that the described page is visited by described setting feature
The side of asking is web automation tools, including:
Call stack lack in the sandbox according to described function call stack Exception Type or there is global code keyword, determining institute
Stating page access side is web automation tools.
14. methods according to claim 12, it is characterised in that described determine that the described page is visited by described setting feature
The side of asking is web automation tools, including:
In sandbox call stack, web automation tools keyword, evaluation keyword or complete is there is according to described function call stack
Office's action scope keyword, determines that described page access side is web automation tools.
15. methods according to claim 11, it is characterised in that described method also includes:
The Proxy Method acting on behalf of DOM Document Object Model DOM standard method it is provided with for described in described javascript detection script
Page access side calls.
16. methods according to claim 15, it is characterised in that:
Established standards method in described Proxy Method is rewritten, so that the return value of described established standards method is with described
The return value of the method for the same name of DOM standard method keeps identical.
17. methods according to claim 15, it is characterised in that described method also includes:
Arranging in described Proxy Method actively dishes out sets the exception of type.
18. methods according to claim 15, it is characterised in that:
Function call stack when javascript detection script is made mistakes in the described acquisition page access side operation page, including:
In page access side's invoking page, the Proxy Method of javascript detection script and described Proxy Method are dished out setting
After the exception of type, obtaining the complete function call stack comprised in described exception, described function call stack is containing being described from
Outer layer call the function information to the exception throws point in the called function of innermost layer;
Described from described function call stack, find out setting feature, including:
By resolving the information of the exception throws point in described function call stack, search whether described function call stack contains setting
Feature.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610607509.1A CN106250761B (en) | 2016-07-28 | 2016-07-28 | Equipment, device and method for identifying web automation tool |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610607509.1A CN106250761B (en) | 2016-07-28 | 2016-07-28 | Equipment, device and method for identifying web automation tool |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106250761A true CN106250761A (en) | 2016-12-21 |
CN106250761B CN106250761B (en) | 2019-12-20 |
Family
ID=57603919
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610607509.1A Active CN106250761B (en) | 2016-07-28 | 2016-07-28 | Equipment, device and method for identifying web automation tool |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106250761B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108319822A (en) * | 2018-01-05 | 2018-07-24 | 武汉斗鱼网络科技有限公司 | A kind of method, storage medium, electronic equipment and the system of protection web page code |
CN108563577A (en) * | 2018-04-19 | 2018-09-21 | 武汉极意网络科技有限公司 | The method for detecting simulator based on JavaScript stack informations |
CN108595328A (en) * | 2018-04-19 | 2018-09-28 | 武汉极意网络科技有限公司 | The method for detecting browser based on JavaScript stack informations |
CN109711123A (en) * | 2018-11-21 | 2019-05-03 | 武汉极意网络科技有限公司 | Behavioral value method and device based on simulation browser detection |
CN112825057A (en) * | 2019-11-20 | 2021-05-21 | 广州凡科互联网科技股份有限公司 | Monitoring method capable of quickly positioning error codes and monitoring ajax request service abnormity |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
CN103605925A (en) * | 2013-11-29 | 2014-02-26 | 北京奇虎科技有限公司 | Webpage tampering detecting method and device |
CN104050178A (en) * | 2013-03-13 | 2014-09-17 | 北京思博途信息技术有限公司 | Internet monitoring anti-spamming method and device |
CN105069355A (en) * | 2015-08-26 | 2015-11-18 | 厦门市美亚柏科信息股份有限公司 | Static detection method and apparatus for webshell deformation |
-
2016
- 2016-07-28 CN CN201610607509.1A patent/CN106250761B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
CN104050178A (en) * | 2013-03-13 | 2014-09-17 | 北京思博途信息技术有限公司 | Internet monitoring anti-spamming method and device |
CN103605925A (en) * | 2013-11-29 | 2014-02-26 | 北京奇虎科技有限公司 | Webpage tampering detecting method and device |
CN105069355A (en) * | 2015-08-26 | 2015-11-18 | 厦门市美亚柏科信息股份有限公司 | Static detection method and apparatus for webshell deformation |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108319822A (en) * | 2018-01-05 | 2018-07-24 | 武汉斗鱼网络科技有限公司 | A kind of method, storage medium, electronic equipment and the system of protection web page code |
CN108319822B (en) * | 2018-01-05 | 2020-05-12 | 武汉斗鱼网络科技有限公司 | Method, storage medium, electronic device and system for protecting webpage code |
CN108563577A (en) * | 2018-04-19 | 2018-09-21 | 武汉极意网络科技有限公司 | The method for detecting simulator based on JavaScript stack informations |
CN108595328A (en) * | 2018-04-19 | 2018-09-28 | 武汉极意网络科技有限公司 | The method for detecting browser based on JavaScript stack informations |
CN109711123A (en) * | 2018-11-21 | 2019-05-03 | 武汉极意网络科技有限公司 | Behavioral value method and device based on simulation browser detection |
CN112825057A (en) * | 2019-11-20 | 2021-05-21 | 广州凡科互联网科技股份有限公司 | Monitoring method capable of quickly positioning error codes and monitoring ajax request service abnormity |
Also Published As
Publication number | Publication date |
---|---|
CN106250761B (en) | 2019-12-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Kharraz et al. | Surveylance: Automatically detecting online survey scams | |
US7433864B2 (en) | Compiling information obtained by combinatorial searching | |
CN106250761A (en) | A kind of unit identifying web automation tools and method | |
US8719179B2 (en) | Recruiting service graphical user interface | |
US11509667B2 (en) | Predictive internet resource reputation assessment | |
Gomez et al. | A recommender system of buggy app checkers for app store moderators | |
CN102739653B (en) | Detection method and device aiming at webpage address | |
Trickel et al. | Everyone is different: Client-side diversification for defending against extension fingerprinting | |
JP6047463B2 (en) | Evaluation apparatus and method for evaluating security threats | |
CN106133774A (en) | The automatic checking of the advertiser's identifier in advertisement | |
CN107247902A (en) | Malware categorizing system and method | |
CN104143008A (en) | Method and device for detecting phishing webpage based on picture matching | |
CN106650437A (en) | Webshell detection method and device | |
US20190171544A1 (en) | Hybrid code modification in intermediate language for software application | |
CN104346457A (en) | Method for intercepting business object and browser client | |
CN108062474A (en) | The detection method and device of file | |
Tripathi et al. | A novel web fraud detection technique using association rule mining | |
CN106845248A (en) | A kind of XSS leak detection methods based on state transition graph | |
Li et al. | Large-scale third-party library detection in android markets | |
CN106650454A (en) | SQL injection attack detection method and apparatus | |
Lee et al. | Understanding {iOS-based} Crowdturfing Through Hidden {UI} Analysis | |
US10789159B2 (en) | Non-regressive injection of deception decoys | |
CN105184161B (en) | A kind of detection method and device for mixed mode Mobile solution | |
Kim et al. | {FuzzOrigin}: Detecting {UXSS} vulnerabilities in browsers through origin fuzzing | |
US10839066B1 (en) | Distinguishing human from machine input using an animation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 20200812 Address after: 310052 room 508, floor 5, building 4, No. 699, Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province Patentee after: Alibaba (China) Co.,Ltd. Address before: 510665 Guangdong city of Guangzhou province Whampoa Tianhe District Road No. 163 Xiping Yun Lu Yun Ping radio square B tower 13 floor 02 unit self Patentee before: Guangzhou Aijiuyou Information Technology Co.,Ltd. |
|
TR01 | Transfer of patent right |