CN107819639B - Test method and device - Google Patents

Test method and device

Info

Publication number: CN107819639B
Authority: CN (China)
Prior art keywords: browser, http, web service, security, header
Legal status: Active
Application number: CN201610826842.1A
Other languages: Chinese (zh)
Other versions: CN107819639A
Inventors: 万朔, 李锐
Current assignee: Siemens AG
Original assignee: Siemens AG

Events:
    • Application filed by Siemens AG
    • Priority to CN201610826842.1A
    • Publication of CN107819639A
    • Application granted
    • Publication of CN107819639B
    • Legal status: active

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (under H04L 43/00, Arrangements for monitoring or testing data switching networks)
    • H04L 63/1416: Event detection, e.g. attack signature detection (under H04L 63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L 63/14; H04L 63/00, Network architectures or network communication protocols for network security)
    • H04L 63/166: Implementing security features at the transport layer (under H04L 63/16, Implementing security features at a particular protocol layer; H04L 63/00)
    • H04L 67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L 67/01, Protocols; H04L 67/00, Network arrangements or protocols for supporting network services or applications)

Abstract

The embodiment of the invention relates to the technical field of network protocols, in particular to a testing method and a testing device, which are used for testing whether a browser (104) supports a hypertext transfer protocol (HTTP) security mechanism. The method comprises the steps of firstly receiving a test request, and then sending a security header to the browser (104), wherein the security header is used for configuring the browser (104) to use the HTTP security mechanism; determining whether the browser (104) is processing a web service (106) using the HTTP security mechanism; determining whether the browser (104) supports the HTTP security mechanism according to the judgment result. A method for automatically testing a browser is provided, which reduces human operations. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.

Description

Test method and device
Technical Field
The invention relates to the technical field of network protocols, in particular to a testing method and a testing device, which are used for testing whether a browser supports a Hyper Text Transfer Protocol (HTTP) security mechanism.
Background
HTTP is an important transport layer protocol that controls the transmission and processing of HTTP messages through control information carried in headers.
One of the important functions of a header is to implement security-related processing. The part of the header used to implement such security-related processing may be referred to as a "security header".
HTTP security headers are of various types, for example: an HTTP Strict Transport Security (HSTS) header, an HTTP Public Key Pinning (HPKP) header, an X-Frame-Options header, an X-XSS-Protection (cross-site scripting protection) header, an X-Content-Type-Options header, and a Content-Security-Policy (CSP) header. The corresponding HTTP security mechanisms are implemented by these security headers.
To implement any HTTP security mechanism such as the above, not only must a developer make the relevant settings on the server, but the browser on the client must also support that HTTP security mechanism. Because HTTP security mechanisms are updated frequently, most browsers, especially older versions, do not support all HTTP security mechanisms.
How to determine whether a browser supports an HTTP security mechanism is a problem to be solved.
Disclosure of Invention
In view of this, embodiments of the present invention provide a testing method and apparatus for testing whether a browser supports an HTTP security mechanism.
In a first aspect, an embodiment of the present invention provides a testing method for testing whether a browser supports an HTTP security mechanism. The method can be executed by a test server, wherein the test server can send a security header to a browser when testing the browser, the security header is used for configuring the browser to use the HTTP security mechanism to be tested, the test server judges whether the browser adopts the HTTP security mechanism to process a network service, and determines whether the browser supports the HTTP security mechanism according to the judged result.
The scheme can effectively test whether a browser supports an HTTP security mechanism. The test server informs the browser of using the HTTP security mechanism to be tested by sending the security header to the browser, judges whether the HTTP security mechanism is adopted for processing a network service by the browser, and determines whether the browser supports the HTTP security mechanism to be tested according to the judgment result. A method for automatically testing a browser is provided, which reduces human operations. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.
The test server can judge whether the browser requests a network service by adopting the HTTP security mechanism according to the principle of security prevention of the HTTP security mechanism to be tested. Therefore, the judgment result obtained by the test server is more accurate.
Some of these HTTP security mechanisms require the browser to request a web service in a specified manner, and are classified herein as "type one"; while other HTTP security mechanisms require that the browser refrain from requesting a web service, these HTTP security mechanisms are categorized here as "type two".
Whether type one or type two is concerned, the test server indicates through the security header which HTTP security mechanism the browser should adopt, a network service is deployed, and the test server judges from the browser's processing of that network service whether the browser supports the HTTP security mechanism, so that an effective test scheme is provided.
For type one, the HTTP security mechanism requires the browser to request a network service only in a specified manner; the security header is specifically used to configure the manner in which the browser requests the network service; the test server judges whether the browser requests the network service in the manner specified by the security header; if the browser requests the network service in the manner specified by the security header, the test server determines that the browser supports the HTTP security mechanism; otherwise, the test server determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism requires the browser to request a web service only through HTTPS (HTTP Secure); the security header is an HTTP Strict Transport Security (HSTS) header and is specifically used to configure the browser to request the web service only through HTTPS; the test server controls the network service to send the HSTS header in response to an HTTP request from the browser, then judges whether the browser requests the network service through HTTPS after receiving the HSTS header; if the browser requests the network service through HTTPS, it determines that the browser supports the HTTP security mechanism; otherwise, it determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism requires the browser to display the content of a web service in a specified manner; the security header is an X-Content-Type-Options header and is specifically used to configure the browser to display the content of the web service in the specified manner; the test server judges whether the browser displays the content of the network service in the manner specified in the X-Content-Type-Options header; if it does, the test server determines that the browser supports the HTTP security mechanism, otherwise it determines that the browser does not support the HTTP security mechanism.
For type two, the HTTP security mechanism is to prohibit a browser from requesting a network service; the security header is specifically configured to configure the browser to prohibit requesting a network service according to the HTTP security mechanism; the test server judges whether the browser requests the network service; if the browser requests the network service, determining that the browser does not support the HTTP security mechanism; otherwise, determining that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism allows the browser to access a web service only with a pre-agreed set of public key pins; the security header is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the set of public key pins the browser may use when requesting another network service other than the network service, where the other network service has the same domain name as the network service but a different Internet Protocol (IP) address; the test server judges whether the browser requests the network service when redirected to it; if so, the test server determines that the browser does not support the HTTP security mechanism, otherwise the test server determines that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism prohibits the browser from accessing a web page embedded in another web page; the security header is an X-Frame-Options header and is specifically used to configure the browser to prohibit access to the embedded web page; the network service is a web page embedded in another web page; the test server judges whether the browser requests the network service when accessing a web page in which the network service is embedded; if the network service is requested, it determines that the browser does not support the HTTP security mechanism, otherwise it determines that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism executes only a script file of a specified site for a browser; the security header is a Content Security Policy (CSP) header and is specifically used for configuring a website to which the script file executable by the browser belongs; the network service is a script file and does not belong to the site designated by the CSP header; and the test server judges whether the browser executes the script file serving as the network service, if so, the test server determines that the browser does not support the HTTP security mechanism, otherwise, the test server determines that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism prohibits the browser from executing a cross-site script; the security header is an X-XSS-Protection header and is specifically used to configure the browser to prohibit execution of cross-site scripts; the content of the network request response received by the browser includes a cross-site script, and that cross-site script instructs the browser to request the network service; the test server judges whether the browser requests the network service; if the network service is requested, it determines that the browser does not support the HTTP security mechanism, otherwise it determines that the browser supports the HTTP security mechanism.
Optionally, before the test server sends the security header to the browser, a test request from the browser is received, where the test request is used to request to test whether the browser supports the HTTP security mechanism.
In this alternative implementation, the browser initiates testing of an HTTP security mechanism.
In a second aspect, an embodiment of the present invention provides a testing apparatus for testing whether a browser supports a hypertext transfer protocol HTTP security mechanism, where the testing apparatus includes: a sending module, configured to send a security header to the browser, where the security header is configured to configure the browser to use the HTTP security mechanism; and the processing module is used for judging whether the browser processes a network service by adopting the HTTP security mechanism and determining whether the browser supports the HTTP security mechanism according to the judged result.
The scheme can effectively test whether a browser supports an HTTP security mechanism. The device informs the browser of using the HTTP security mechanism to be tested by sending a security header to the browser, judges whether the HTTP security mechanism is adopted by the browser for processing a network service, and determines whether the browser supports the HTTP security mechanism to be tested according to the judgment result. A scheme for automatically testing a browser is provided, and human operation is reduced. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.
The device can judge whether the browser adopts the HTTP security mechanism to process a network service according to the principle that the HTTP security mechanism to be tested carries out security precaution. The judgment result obtained in this way is more accurate.
Some of these HTTP security mechanisms require the browser to request a web service in a specified manner, and are classified herein as "type one"; while other HTTP security mechanisms require that the browser refrain from requesting a web service, these HTTP security mechanisms are categorized here as "type two".
Whether type one or type two is concerned, the device indicates through the security header which HTTP security mechanism the browser should adopt, and, by deploying a network service, the device judges from the browser's processing of that network service whether the browser supports the HTTP security mechanism, so that an effective test scheme is provided.
For type one, the HTTP security mechanism requires the browser to request a network service only in a specified manner; the security header is specifically used to configure the manner in which the browser requests the network service; the device judges whether the browser requests the network service in the manner specified by the security header; if the browser requests the network service in the manner specified by the security header, the device determines that the browser supports the HTTP security mechanism; otherwise, it determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism requires the browser to request a web service only in a specified manner; the security header sent by the sending module is specifically used to configure the manner in which the browser requests the network service; the processing module is specifically configured to judge whether the browser requests the network service in the manner specified by the security header, and, if the browser requests the network service in the manner specified by the security header, to determine that the browser supports the HTTP security mechanism; otherwise, to determine that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism requires the browser to request a web service only through HTTPS (HTTP Secure); the security header sent by the sending module is an HTTP Strict Transport Security (HSTS) header, specifically used to configure the browser to request the network service only through HTTPS; the sending module is specifically configured to control the web service to send the HSTS header in response to an HTTP request from the browser; the processing module is specifically configured to determine whether the browser requests the network service through HTTPS after receiving the HSTS header.
Specifically, for type one, the HTTP security mechanism requires the browser to display the content of a web service in a specified manner; the security header sent by the sending module is an X-Content-Type-Options header, specifically used to configure the browser to display the content of the web service in the specified manner; the processing module is specifically configured to determine whether the browser displays the content of the web service in the manner specified in the X-Content-Type-Options header.
For type two, the HTTP security mechanism is to prohibit a browser from requesting a network service; the security header sent by the sending module is specifically used for configuring the browser to prohibit requesting a network service according to the HTTP security mechanism; the processing module is specifically configured to: judging whether the browser requests the network service, and if the browser requests the network service, determining that the browser does not support the HTTP security mechanism; otherwise, determining that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism allows the browser to access a web service only with a pre-agreed set of public key pins; the security header sent by the sending module is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the set of public key pins the browser may use when requesting another network service other than the network service, where the other network service has the same domain name as the network service but a different Internet Protocol (IP) address; the processing module is specifically configured to determine whether the browser requests the network service when redirected to it.
Specifically, for type two, the HTTP security mechanism prohibits the browser from accessing a web page embedded in another web page; the security header sent by the sending module is an X-Frame-Options header, specifically used to configure the browser to prohibit access to the embedded web page, and the web service is a web page embedded in another web page; the processing module is specifically configured to determine whether the browser requests the web service when accessing a web page in which the web service is embedded.
Specifically, for type two, the HTTP security mechanism executes only a script file of a specified site for a browser; the security header sent by the sending module is a Content Security Policy (CSP) header, the security header is specifically used for configuring a site to which a script file executable by the browser belongs, and the web service is a script file and does not belong to the site specified by the CSP header; the processing module is specifically configured to determine whether the browser executes a script file serving as the web service.
Specifically, for type two, the HTTP security mechanism prohibits execution of a cross-site script for a browser; the security header sent by the sending module is an X-XSS-Protection header, and the security header is specifically used for configuring the browser to prohibit the browser from executing a cross-site script; the processing module is specifically configured to determine whether the browser requests the network service when the browser includes a cross-site script in the content of the received network request response and the included cross-site script indicates that the browser requests the network service.
Optionally, the apparatus may further comprise: a receiving module, configured to receive a test request from the browser before the sending module sends the security header to the browser, where the test request is used to request to test whether the browser supports the HTTP security mechanism.
In a third aspect, an embodiment of the present invention provides a testing apparatus for testing whether a browser supports a hypertext transfer protocol HTTP security mechanism, where the testing apparatus includes: a memory for storing computer instructions; a processor for invoking the computer instructions to perform the method of the first aspect or any of its possible implementations.
The scheme can effectively test whether a browser supports an HTTP security mechanism. The device informs the browser of using the HTTP security mechanism to be tested by sending the security header to the browser, judges whether the HTTP security mechanism is adopted by the browser for processing a network service, and determines whether the browser supports the HTTP security mechanism to be tested according to the judgment result. A scheme for automatically testing a browser is provided, and human operation is reduced. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.
The device can judge whether the browser requests a network service by adopting the HTTP security mechanism according to the principle of security prevention of the HTTP security mechanism to be tested. The judgment result obtained in this way is more accurate.
In a fourth aspect, a method is provided for testing whether a browser supports each of at least two hypertext transfer protocol, HTTP, security mechanisms. The method may be performed by a test server. The test server sends a test script file to the browser, wherein the test script file is used for controlling and testing whether the browser supports each of the at least two HTTP security mechanisms. The test server receives test requests sent by the browser aiming at each of the at least two HTTP security mechanisms respectively, and after receiving each test request, the test server executes the following operations: sending a security header to the browser in response to the test request, wherein the security header is used for configuring the HTTP security mechanism for which the test request is directed by the browser; judging whether the browser processes a network service by adopting the HTTP security mechanism for which the test request is directed; and determining whether the browser supports the HTTP security mechanism for which the test request is directed according to the result of the judgment.
The scheme can effectively test whether a browser supports an HTTP security mechanism. The test server informs the browser of the HTTP security mechanism by sending a security header to the browser aiming at any one of at least two HTTP security mechanisms to be tested, judges whether the HTTP security mechanism is adopted by the browser for processing a network service, and determines whether the browser supports the HTTP security mechanism to be tested according to the judgment result. A method for automatically testing a browser is provided, which reduces human operations. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.
The test server can judge whether the browser requests a network service by adopting the HTTP security mechanism according to the principle of security prevention of the HTTP security mechanism to be tested. Therefore, the judgment result obtained by the test server is more accurate.
Furthermore, the test server configures the at least two HTTP security mechanisms to be tested by sending a test script file to the browser. Subsequently, the browser initiates a test for each HTTP security mechanism according to the test script file, and the test server tests each HTTP security mechanism in turn. Therefore, testing of various HTTP security mechanisms can be carried out effectively, and the test efficiency is higher.
In a fifth aspect, an embodiment of the present invention provides a testing apparatus for testing whether a browser supports each of at least two HTTP security mechanisms. The device includes: a sending module, configured to send a test script file to the browser, where the test script file is used to control and test whether the browser supports each of the at least two HTTP security mechanisms; a receiving module, configured to receive a test request from the browser, where a test request is sent for each of the at least two HTTP security mechanisms; and a processing module, configured to perform the following operations after the receiving module receives each test request: in response to the test request, controlling the sending module to send a security header to the browser, where the security header is used to configure the browser to use the HTTP security mechanism targeted by the test request; judging whether the browser processes a network service using the HTTP security mechanism targeted by the test request; and determining whether the browser supports the HTTP security mechanism targeted by the test request according to the judgment result.
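The server side of the test described in the first aspect (security header sent in response to a test request, a deployed probe service, the type one / type two decision with the timer of S2036) and the fourth aspect (one test request per mechanism, driven by a test script file), written as an added example that is not the patent's own code. The probe paths (/test, /frame, /service, /report, /result), the header values, the 5 s timeout and the report beacon sent by the test script are assumptions made here.

```python
"""Server-side logic for the browser security-header test described above.
Added example, not the patent's own code. Mechanism names, probe markup,
header values and the 5 s timer are assumptions made here for illustration.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Type one: the browser must request the service in the manner the header
# specifies (supported once it does). Type two: the browser must refrain from
# requesting the service (supported once the timer expires with no request).
# "on" names the response carrying the header: the test page by default, the
# framed document for X-Frame-Options, the script itself for nosniff.
MECHANISMS = {
    "hsts": {"kind": "one", "header": ("Strict-Transport-Security", "max-age=31536000"),
             "probe": '<img src="/service/hsts">',
             "expect": lambda o: o.get("scheme") == "https"},
    "xcto": {"kind": "one", "header": ("X-Content-Type-Options", "nosniff"), "on": "service",
             "probe": '<script src="/service/xcto" '
                      'onerror="new Image().src=\'/report/xcto?executed=0\'"></script>',
             "expect": lambda o: o.get("executed") is False},
    "hpkp": {"kind": "two", "header": ("Public-Key-Pins", 'pin-sha256="CONSTRUCTED"; max-age=5184000'),
             "probe": '<img src="/service/hpkp">'},  # real test: redirect to a same-name host, other key
    "xfo": {"kind": "two", "header": ("X-Frame-Options", "DENY"), "on": "frame",
            "probe": '<iframe src="/frame/xfo"></iframe>'},
    "csp": {"kind": "two", "header": ("Content-Security-Policy", "script-src https://allowed.example"),
            "probe": '<script src="/service/csp"></script>'},  # script not on the designated site
    "xss": {"kind": "two", "header": ("X-XSS-Protection", "1; mode=block"), "probe": ""},
}
TIMEOUT = 5.0  # seconds the server waits for the browser (assumed value)


class SecurityHeaderTester:
    """Test server state: the running test and its observations per mechanism."""

    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.tests = {}

    def start(self, mech, now):
        """Test request received (S201): start the timer, return the header to send (S202)."""
        self.tests[mech] = {"started": now, "observations": []}
        return MECHANISMS[mech]["header"]

    def observe(self, mech, obs, now):
        """Record a service request, or a report from the test script, if still in time."""
        t = self.tests.get(mech)
        if t is not None and now - t["started"] <= self.timeout:
            t["observations"].append(obs)

    def verdict(self, mech, now):
        """Decide from how the browser processed the service (S203 to S205)."""
        t = self.tests.get(mech)
        if t is None:
            return "not started"
        spec, expired = MECHANISMS[mech], now - t["started"] > self.timeout
        if spec["kind"] == "one":
            if any(spec["expect"](o) for o in t["observations"]):
                return "supported"
            return "unsupported" if expired else "pending"
        if t["observations"]:  # type two: any request means the header was ignored
            return "unsupported"
        return "supported" if expired else "pending"


def handle_request(tester, url, now, scheme="http"):
    """Dispatch one browser request; returns (status, headers, body)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    action, _, mech = parts.path.strip("/").partition("/")
    spec = MECHANISMS.get(mech)
    if spec is None:
        return 404, [], b"unknown mechanism"
    hdr = [spec["header"]] if spec.get("on", "test") == action else []
    if action == "test":
        tester.start(mech, now)
        # XSS probe is reflected from the request so the browser's filter sees it;
        # the others are static. The HSTS page must itself be served over TLS.
        body = spec["probe"] or q.get("q", "")
        return 200, [("Content-Type", "text/html")] + hdr, body.encode()
    if action == "frame":
        # framed document: its image is fetched only if the browser renders the frame
        return 200, [("Content-Type", "text/html")] + hdr, ('<img src="/service/%s">' % mech).encode()
    if action == "service":
        tester.observe(mech, {"scheme": scheme}, now)
        body = 'new Image().src="/report/%s?executed=1"' % mech  # runs only if sniffed as script
        return 200, [("Content-Type", "text/plain")] + hdr, body.encode()
    if action == "report":
        tester.observe(mech, {"executed": q.get("executed") == "1"}, now)
        return 204, [], b""
    if action == "result":
        return 200, [("Content-Type", "application/json")], json.dumps({mech: tester.verdict(mech, now)}).encode()
    return 404, [], b"unknown action"


if __name__ == "__main__":
    # Simulated session: one browser ignores CSP and fetches the script anyway,
    # another honours X-Frame-Options and never fetches the image in the frame.
    t = SecurityHeaderTester()
    handle_request(t, "/test/csp", 0.0)
    handle_request(t, "/service/csp", 1.0)
    handle_request(t, "/test/xfo", 0.0)
    handle_request(t, "/frame/xfo", 0.5)
    for mech in ("csp", "xfo"):
        print(handle_request(t, "/result/%s" % mech, 6.0)[2].decode())
```

A real deployment wraps `handle_request` in an HTTP server that passes the listener's scheme, and the test script file in the browser walks the mechanisms, fetching /test/<mech> and then /result/<mech> after the timeout.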
The scheme can effectively test whether a browser supports an HTTP security mechanism. The device informs the browser of the HTTP security mechanism by sending a security header to the browser aiming at any one of at least two HTTP security mechanisms to be tested, judges whether the HTTP security mechanism is adopted by the browser for processing a network service, and determines whether the browser supports the HTTP security mechanism to be tested according to the judgment result. A scheme for automatically testing a browser is provided, and human operation is reduced. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.
The device can judge whether the browser requests a network service by adopting the HTTP security mechanism according to the principle of security prevention of the HTTP security mechanism to be tested. The judgment result obtained in this way is more accurate.
Furthermore, the apparatus configures the at least two HTTP security mechanisms to be tested by sending a test script file to the browser. Subsequently, the browser initiates a test for each HTTP security mechanism according to the test script file, and the device tests each HTTP security mechanism in turn. Therefore, testing of various HTTP security mechanisms can be carried out effectively, and the test efficiency is higher.
In a sixth aspect, an embodiment of the present invention provides a testing apparatus for testing whether a browser supports a hypertext transfer protocol HTTP security mechanism, where the testing apparatus includes: a memory for storing computer instructions; a processor for invoking the computer instructions to perform the method provided by the fourth aspect.
The scheme can effectively test whether a browser supports an HTTP security mechanism. The device informs the browser of the HTTP security mechanism by sending a security header to the browser aiming at any one of at least two HTTP security mechanisms to be tested, judges whether the HTTP security mechanism is adopted by the browser for processing a network service, and determines whether the browser supports the HTTP security mechanism to be tested according to the judgment result. A method for automatically testing a browser is provided, which reduces human operations. Whether the browser supports the HTTP security mechanism to be tested can be determined according to the processing of the browser on the network service, the judgment result is accurate, and the time required by testing is shorter.
The device can judge whether the browser requests a network service by adopting the HTTP security mechanism according to the principle of security prevention of the HTTP security mechanism to be tested. The judgment result obtained in this way is more accurate.
Furthermore, the apparatus configures the at least two HTTP security mechanisms to be tested by sending a test script file to the browser. Subsequently, the browser initiates a test for each HTTP security mechanism according to the test script file, and the device tests each HTTP security mechanism in turn. Therefore, testing of various HTTP security mechanisms can be carried out effectively, and the test efficiency is higher.
In a seventh aspect, an embodiment of the present invention provides a computer-readable medium, where the computer-readable medium stores computer instructions, and when the computer instructions are executed by a processor, the computer instructions provide the method according to the first aspect or any one of the possible implementations of the first aspect, or the fourth aspect, or any one of the optional implementations of the fourth aspect.
Drawings
Fig. 1 is a schematic structural diagram of a test system according to an embodiment of the present invention;
FIGS. 2 to 6 are flow charts of testing methods provided in the embodiments of the present invention, respectively;
Figs. 7 to 10 are schematic structural diagrams of testing apparatuses according to embodiments of the present invention.
List of reference numerals:
10: test system; 101: host; 102: test server; 103: target server;
104: browser; 105: test program; 106: web service;
S201: receiving a test request; S202: sending a security header;
S203: whether browser 104 adopts the HTTP security mechanism;
S204: browser 104 supports the HTTP security mechanism; S205: browser 104 does not support the HTTP security mechanism;
S2011: HTTP security mechanism to be tested; S2031: service request;
S2032: browser 104 requests web service 106 in the manner specified by the security header;
S2033: determination result; S2034: whether browser 104 supports the HTTP security mechanism;
S2012: test started; S2035: service request;
S2036: whether a service request is received before the timer times out; S2037: determination result;
S2038: whether browser 104 supports the HTTP security mechanism;
S2039a: service response; S2039b: displaying the content of web service 106;
S601: test start; S602: test.js; S603: HSTS test request; S604: HSTS security header;
S605: service request; S606: XSS test request; S607: XSS security header; S608: service request;
70: test apparatus; 701: sending module; 702: processing module; 703: receiving module;
80: test apparatus; 801: memory; 802: processor; 901: sending module;
902: processing module; 903: receiving module; 100: test apparatus; 1001: memory;
1002: processor.
Detailed Description
There is a vast variety of browsers, and each browser may exist in multiple versions. When publishing a web service, it is necessary to state explicitly which browsers, or more precisely which versions of which browsers, support the HTTP security mechanism employed by the web service. It is therefore desirable to test one or more browsers, and possibly multiple versions of a browser, to determine whether they support a given HTTP security mechanism.
In the embodiment of the invention, whether a browser supports an HTTP security mechanism is tested on the basis of the principle by which that mechanism provides protection. A device running a test program, for example a server, instructs the browser to use the HTTP security mechanism when requesting a certain web service (which may be deployed on that server or on another server), for example when the browser accesses a web page pointed to by a Uniform Resource Locator (URL), and then determines whether the browser applies the protection prescribed by the HTTP security mechanism, so as to determine whether the browser supports it.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Fig. 1 illustrates a test system 10 provided by an embodiment of the present invention. The test system 10 may include a host 101, a test server 102, and a target server 103.
Therein, a browser 104 to be tested may be installed on the host 101.
The test program 105 may be installed on the test server 102 and configured to execute the test method provided by the embodiment of the present invention to test whether the browser 104 supports an HTTP security mechanism. Test program 105 configures the HTTP security mechanism used by browser 104.
The target server 103 may have a web service 106 deployed thereon. According to various HTTP security mechanisms, test program 105 may determine whether browser 104 supports an HTTP security mechanism based on whether browser 104 requests web service 106 on target server 103, and in some cases, further based on the manner in which browser 104 requests web service 106.
Alternatively, test program 105 may monitor target server 103 or target server 103 notifies test program 105 so that test program 105 determines whether browser 104 requested web service 106 and, in some cases, knows whether browser 104 requested web service 106 using an HTTP security mechanism.
Alternatively, the test server 102 and the target server 103 may be Apache servers.
The system architecture of the test system 10 shown in Fig. 1 is referred to as "system architecture one". Other alternative variations of the test system 10 may include, but are not limited to:
System architecture two:
The host 101 and the test server 102 are the same device, and the test program 105 runs on the host 101. The target server 103 is a separate device.
System architecture three:
The test server 102 and the target server 103 are the same device, and the host 101 is a separate device.
The browser 104 is the browser to be tested, and its type may include, but is not limited to:
Internet Explorer (IE), Firefox (FF), Opera, Safari, Google Chrome, the Android browser, etc.
A browser 104 may further be subdivided by version; for IE, for example, IE6, IE8 and IE10 are different versions of IE.
The HTTP security mechanisms supported by different kinds and versions of browsers typically differ. Therefore, it is necessary to test whether the browser 104 supports the HTTP security mechanism.
Host 101 may be any device capable of running a browser, test server 102 may be any device capable of executing test program 105, and target server 103 may be any device capable of hosting a web service. The host 101 may be an electronic device such as a notebook computer, tablet computer or smart phone; it may also be a control instrument, industrial personal computer, monitoring equipment or the like used in the industrial field. The test server 102 and the target server 103 may be electronic devices such as Personal Computer (PC) servers and notebook computers; they may also be control instruments, industrial personal computers, monitoring equipment or the like used in the industrial field.
Test program 105 may be written in the JavaScript (JS) language. Test program 105 may comprise one or more programs. The composition of the test program 105 will be described later in connection with the different system architectures of the test system 10.
The web service 106 may be a web application. Typically, a web service is provided based on an established network connection, and a browser requests a web service on a server after establishing a network connection with the server.
Fig. 2 shows a flowchart of a testing method provided by the embodiment of the present invention. The test method may be performed by the test program 105. As shown in fig. 2, the method comprises the steps of:
S201: a test request is received from browser 104.
The test request requests a test of whether the browser 104 supports an HTTP security mechanism.
S202: a security header is sent to the browser 104.
The security header configures the browser 104 to adopt the HTTP security mechanism whose test was requested in step S201.
S203: it is determined whether the browser 104 processes a web service 106 using the HTTP security mechanism.
If it is determined that the browser 104 adopts the HTTP security mechanism to process the web service 106, step S204 is executed; otherwise step S205 is executed.
S204: it is determined that the browser 104 supports the configured HTTP security mechanism.
S205: it is determined that the browser 104 does not support the configured HTTP security mechanism.
Step S201 is an optional step, and the test program 105 may directly send a security header to the browser 104 to configure the browser 104 to use an HTTP security mechanism, without the browser 104 initiating a test request first.
The principles by which different HTTP security mechanisms implement protection differ, but they can be roughly divided into the following two categories:
Type one:
The HTTP security mechanism specifies the manner in which a browser requests a web service.
For example: an HSTS header, which specifies that the browser must request the web service over HTTPS.
For another example: an X-Content-Type-Options header, which specifies that the browser must display the contents of the web service in a specified manner.
For type one, in the embodiment of the present invention, the test program 105 determines whether the browser (104) requests the web service (106) in the manner specified by the security header, and if the browser (104) requests the web service (106) in the manner specified by the security header, it is determined that the browser (104) supports the corresponding HTTP security mechanism; otherwise, it is determined that the browser (104) does not support the corresponding HTTP security mechanism.
With respect to type one, FIG. 3 illustrates the interaction between test program 105, browser 104, and web service 106 in an embodiment of the present invention.
For type one, any of the system architectures described above may be employed. When the system architecture three is adopted, the test server 102 and the target server 103 are the same device, and the network service 106 and the test program 105 are deployed on the same device, or the network service 106 is a component of the test program 105.
After receiving the test request in step S201, the test program 105 learns which HTTP security mechanism the browser 104 is to test. Before or while sending the security header in step S202, the test program 105 may execute step S2011 to notify the web service 106 which HTTP security mechanism the service request from the browser 104 should conform to.
Optionally, after receiving the service request from the browser 104 in the subsequent step S2031, the web service 106 executes step S2032 to determine whether the browser 104 requests the web service 106 in a manner specified by the security header. Further, the web service 106 executes step S2033, and notifies the test program 105 of the determination result of step S2032. The test program 105 may determine whether the browser 104 supports the HTTP security mechanism according to the determination result received in step S2033, that is: if the browser 104 requests the web service 106 in a manner specified by the security header, it is determined that the browser 104 supports the HTTP security mechanism; otherwise, it is determined that the browser 104 does not support the HTTP security mechanism described above.
Or, alternatively, the web service 106 may determine only the way in which the browser 104 requests the web service 106 when performing step S2032. Further, when step S2033 is executed, the test program 105 is notified of the manner in which the browser 104 requests the web service 106, which is determined at step S2032. The test program 105 may determine whether the browser 104 supports the HTTP security mechanism according to the manner of the browser 104 requesting the web service 106 received in step S2033, that is: if the browser 104 requests the web service 106 in a manner specified by the security header, it is determined that the browser 104 supports the HTTP security mechanism; otherwise, it is determined that the browser 104 does not support the HTTP security mechanism described above.
In step S2033, the web service 106 may actively notify the test program 105 of the determination result of step S2032 or the manner in which the browser 104 requests the web service 106; alternatively, after step S2032 is executed, the web service 106 stores the determination result or the determined mode, and when receiving a result query from the test program 105, sends the determination result or the mode in which the browser 104 requests the web service 106 to the test program 105.
Type two:
The HTTP security mechanism prohibits a browser from requesting a web service.
For example: HPKP, which prohibits a browser from requesting a fake web service that has the same domain name as the real web service but a different Internet Protocol (IP) address.
For another example: X-Frame-Options, which prohibits a browser from accessing a web page embedded in another web page.
For another example: CSP, which prohibits a browser from executing script files from non-designated domains.
For another example: X-XSS-Protection, which prohibits a browser from executing cross-site scripts.
For type two, in the embodiment of the present invention, the network service prohibited from being requested is the network service 106. The test program 105 determines whether the browser (104) requests a web service (106); determining that the browser (104) does not support the HTTP security mechanism if the browser (104) requests the web service (106); otherwise, it is determined that the browser (104) supports the HTTP security mechanism to be tested.
With respect to type two, FIG. 4 illustrates the interaction between test program 105, browser 104, and web service 106 in an embodiment of the present invention.
For type two, any of the system architectures described above may be employed. If system architecture three is adopted, it is necessary to deploy both test program 105 and web service 106 on the same device. Since the test program 105 sends the security header to the browser 104 after receiving the test request, it can also be considered as a web service, but if the system architecture is three, the IP address of the web service corresponding to the test program 105 is different from the IP address of the web service 106.
After receiving the test request in step S201, the test program 105 can learn which HTTP security mechanism the browser 104 is to test. The test program 105 may notify the web service 106 that the test has been started through step S2012 before or while the security header is sent through step S202. After receiving the notification of the test program 105, the network service 106 may start a timer, where the length of the timer may be determined according to the distance between the browser 104 and the network service 106 in the test system 10, the distance between the test program 105 and the browser 104, the type of the transmission line, and the like, and in addition, considering the processing delay of the browser 104 processing the security header, the length should be not less than the sum of the transmission delay between the devices and the processing delay of the browser 104.
If the browser 104 does not support the HTTP security mechanism under test, it sends a service request to the web service 106 in step S2035. After receiving the service request, the web service 106 may notify the test program 105 in step S2037 that the service request of the browser 104 has been received, or directly notify the test program 105 that the browser 104 does not support the HTTP security mechanism under test.
If the browser 104 supports the HTTP security mechanism under test, the web service 106 will not receive a service request from the browser 104 and the timer will time out. In step S2036 the web service 106 determines whether a service request was received before the timer timed out, and after the timeout notifies the test program 105 in step S2037 that the timer timed out, or directly notifies the test program 105 that the browser 104 supports the HTTP security mechanism under test.
In step S2038, the test program 105 determines whether the browser 104 supports the HTTP security mechanism under test according to the determination result received in step S2037. For example: if in step S2037 the web service 106 indicates that it did not receive a service request from the browser 104 before the timer expired, the test program 105 determines that the browser 104 supports the HTTP security mechanism under test; if in step S2037 the web service 106 indicates that it received a service request from the browser 104, the test program 105 determines that the browser 104 does not support the HTTP security mechanism under test.
For type two, optionally, if the web service 106 uses a timer and a service request is received from the browser 104 before the timer expires, the web service 106 terminates the timer.
The following describes the protection principle of different HTTP security mechanisms and the corresponding test scheme of the embodiment of the present invention. Of course, the embodiments are not only applicable to testing HTTP security mechanisms: by configuring the browser, through a security header, to use the security mechanism of some network protocol, whether the browser supports that security mechanism can likewise be determined from how the browser processes a web service.
One, HSTS
HSTS helps servers protect against protocol downgrade attacks and cookie hijacking. Using HSTS, a server forces a browser (or other user agent) to connect to it only over Hypertext Transfer Protocol Secure (HTTPS). A server that employs HSTS ensures that the browser always connects to the HTTPS-encrypted version of the server, so the user need not manually enter an encrypted address in the URL address bar.
The server may turn on HSTS as follows: when a browser sends a request over HTTP, the server includes a Strict-Transport-Security field in the HTTP response header, and through this field instructs the browser to use HTTPS when requesting the web service deployed on the server.
Therefore, in step S202, after receiving the HTTP request (e.g., http://xxx) sent by the browser 104, the test program 105 can control the web service 106 to include the following field and parameters in the security header sent to the browser 104:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This security header indicates that for the next year (i.e., 31536000 seconds), the browser receiving it must initiate a connection using HTTPS whenever it sends an HTTP request to xxx or any of its sub-domains. For example, if the user clicks a hyperlink or types the address into the address bar, the browser should automatically rewrite http to https and send the request directly to https://xxx.
Here https://xxx/ is web service 106.
The web service 106 or the test program 105 determines whether the service request from the browser 104 is for http://xxx/ or for https://xxx/. If the service request is for http://xxx/, it is determined that the browser 104 does not support HSTS; if it is for https://xxx/, it is determined that the browser 104 supports HSTS.
Two, X-Content-Type-Options
X-Content-Type-Options may be used to prevent Microsoft Internet Explorer (MSIE) or Google Chrome from interpreting files as a type other than the content type specified in the HTTP header.
The server may turn on X-Content-Type-Options as follows: when the browser sends an HTTP request, the server includes an X-Content-Type-Options field in the HTTP response header, and through this field instructs the browser to use the X-Content-Type-Options HTTP security mechanism.
Therefore, in step S202, the test program 105 may include the following fields and parameters in the security header sent to the browser 104:
"X-Content-Type-Options: nosniff" and "Content-Type: text/plain"
Here nosniff instructs the browser not to sniff the content type, and Content-Type: text/plain indicates that the content is to be displayed as plain text, i.e., as source code text.
After the browser 104 receives the security header, if the browser 104 supports X-Content-Type-Options and the requested web service 106 is an HTML web page, the browser 104 displays the source code text of the HTML web page; if X-Content-Type-Options is not supported, the browser 104 renders the HTML page.
Referring to the interaction diagram shown in Fig. 5, this case differs slightly from Fig. 3 because what test program 105 needs to judge is whether browser 104 displays the contents of web service 106 in the specified manner. The details are as follows:
Steps S201, S202 and S2035 may be as before. After receiving the service request from the browser 104 in step S2035, the web service 106 sends a service response to the browser 104 in step S2039a; for example, if web service 106 is an HTML web page, web service 106 returns the HTML web page to browser 104.
Upon receiving the service response in step S2039a, the browser 104 displays the content of the web service 106 in step S2039b. With the same security header and with web service 106 being an HTML web page, a browser 104 that supports X-Content-Type-Options displays the source code text of the HTML web page in step S2039b, whereas a browser 104 that does not support X-Content-Type-Options renders the HTML web page directly in step S2039b.
In step S2032, the browser 104 may capture the content displayed in step S2039b with screen-capture software and send the captured screen to the test program 105; the test program 105 then determines whether the browser 104 displays the content of the web service 106 in the manner specified by the security header. If so, it is determined that the browser 104 supports X-Content-Type-Options; otherwise, it is determined that the browser 104 does not support X-Content-Type-Options.
Another optional method is that the browser 104 itself determines, after capturing the screen, whether the content of the web service 106 is displayed in the manner specified by the security header, and sends the determination result to the test program 105, which determines whether the browser 104 supports X-Content-Type-Options according to the received result.
Three, HPKP
HPKP helps HTTPS websites deny access to attackers using mis-issued or otherwise forged certificates. The HTTPS web server provides a set of public key hashes, one or more of which must appear in the certificate chain the web server presents on subsequent connections. HPKP requires operational maturity from the host operator, because a host pinned to a set of public key hashes that later become unusable may become unreachable. With HPKP, the host operator can greatly reduce man-in-the-middle (MITM) attacks and other false-authentication problems without incurring excessive risk.
The server may turn on HPKP as follows: when the browser sends an HTTP request, the server includes a Public-Key-Pins (PKP) field in the HTTP response header, where the public key pin indicated in the Public-Key-Pins field is a public key hash value.
Thus, in step S202, the test program 105 may include the following field and parameters in the security header sent to the browser 104:
For example, the response header contains:
Public-Key-Pins: max-age=4000; pin-sha256="abcd01235678WLTUVW"
This means that for 4000 seconds the browser should accept only certificates whose public key, hashed with SHA-256 and then base64-encoded, matches the pin (the content inside the quotation marks).
After receiving the HPKP header, if the browser supports the HPKP, the public key hash value should be stored. Therefore, it can be determined whether the browser supports HPKP by determining whether the browser stores the public key hash value described above.
In addition, when a browser is redirected to a fake web service using the same domain name as the server, the browser can block requests for the fake web service if the browser supports HPKP.
In the embodiment of the present invention, the browser 104 first establishes a connection with a web service and stores the public key hash value; the web service is then replaced by the web service 106, which has the same domain name but a different IP address. If the subsequent request for web service 106 is blocked, this indicates that the browser supports HPKP.
If the web service 106 receives a service request from the browser 104 before the timer expires, the test program 105 determines that the browser 104 does not support the HPKP, and if the timer expires, the test program 105 determines that the browser 104 supports the HPKP.
Four, X-Frame-Options
X-Frame-Options improves the ability of web applications to protect against clickjacking: it provides a communication mechanism from a host to a client browser that can be used to control whether the browser displays content sent in frames of other web pages.
The server may turn on X-Frame-Options as follows: after receiving a service request from the browser, the server returns a response header that includes an X-Frame-Options field with the value set to deny.
Therefore, in step S202, the test program 105 may include the following fields and parameters in the security header sent to the browser 104:
X-Frame-Options:deny
the web service 106 may be preset as one web page embedded in other web pages. If the browser 104 supports X-Frame-Options, the browser 104 does not request a web page corresponding to the web service 106 when accessing the other web pages; if the browser 104 does not support X-Frame-Options, the browser 104 will request the web page corresponding to the web service 106 when accessing the other web pages.
If the web service 106 receives a service request from the browser 104 before the timer expires, the test program 105 determines that the browser 104 does not support X-Frame-Options, and if the timer expires, the test program 105 determines that the browser 104 supports X-Frame-Options.
Five, X-XSS-Protection
X-XSS-Protection can be used to filter out Cross-site scripting (XSS).
The server may turn on X-XSS-Protection as follows: after receiving a service request from the browser, the server returns a response header including an X-XSS-Protection field, and sets the value of the field to 1 and sets the mode value to block.
Therefore, in step S202, the test program 105 may include the following fields and parameters in the security header sent to the browser 104:
X-XSS-Protection: 1; mode=block
the test program 105 may preset the browser 104 to request other web services besides the web service 106 after receiving the security header, and the web services may be deployed on the test server 102. After the browser 104 sends the service request to the web service, the web service returns a web request response including a script, and the included script instructs the browser 104 to request the web service 106.
If the browser 104 supports X-XSS-Protection, the script in the network request response will not be executed, and thus the network service 106 will not be requested; if the browser 104 does not support X-XSS-Protection, the script in the network request response is executed, thereby requesting the network service 106.
If the web service 106 receives a service request from the browser 104 before the timer expires, the test program 105 determines that the browser 104 does not support X-XSS-Protection, and if the timer expires, the test program 105 determines that the browser 104 supports X-XSS-Protection.
Six, CSP
CSP has a major influence on the way browsers display web pages, and can be used to block a variety of attacks including cross-site scripting and other cross-site injection.
The server may turn on CSP as follows: after receiving the service request from the browser, the server returns a response header that includes a Content-Security-Policy field with the value set to script-src 'self'.
Therefore, in step S202, the test program 105 may include the following field and parameters in the security header sent to the browser 104: Content-Security-Policy: script-src 'self'.
The web service 106 may be pre-configured as a cross-domain script file. If the web service 106 receives a service request from the browser 104 before the timer expires, the test program 105 determines that the browser 104 does not support CSP, and if the timer expires, the test program 105 determines that the browser 104 supports CSP.
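As an added illustration that is not part of the patent, the following Node.js code models the decision logic of test program 105 for the six mechanisms above: the header table is taken from the text, the type-one checks follow the HSTS and X-Content-Type-Options criteria, and the probe class models the timer that web service 106 arms at step S2012 for the type-two mechanisms. The host name xxx, the millisecond timing values and the 500 ms safety margin are assumptions.

```javascript
// Added example modelling test program 105; not code from the patent.
// Header values are the ones the text gives for each mechanism.
const SECURITY_HEADERS = {
  'HSTS': { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' },
  'X-Content-Type-Options': { 'X-Content-Type-Options': 'nosniff', 'Content-Type': 'text/plain' },
  'HPKP': { 'Public-Key-Pins': 'max-age=4000; pin-sha256="abcd01235678WLTUVW"' },
  'X-Frame-Options': { 'X-Frame-Options': 'deny' },
  'X-XSS-Protection': { 'X-XSS-Protection': '1; mode=block' },
  'Content-Security-Policy': { 'Content-Security-Policy': "script-src 'self'" },
};

// Type one: the header dictates HOW web service 106 is requested or displayed.
// Type two: the header FORBIDS the request, so only its arrival matters.
const MECHANISM_TYPE = {
  'HSTS': 1, 'X-Content-Type-Options': 1,
  'HPKP': 2, 'X-Frame-Options': 2, 'X-XSS-Protection': 2, 'Content-Security-Policy': 2,
};

// Security header to send at step S202 for a given mechanism.
function securityHeaderFor(mechanism) {
  const h = SECURITY_HEADERS[mechanism];
  if (!h) throw new Error(`unknown mechanism ${mechanism}`);
  return { ...h };
}

// HSTS (type one, step S2032): the browser supports HSTS iff its service request
// for the HSTS host (or a sub-domain, because of includeSubDomains) uses https.
function hstsVerdict(hstsHost, requestUrl) {
  const u = new URL(requestUrl);
  if (u.hostname !== hstsHost && !u.hostname.endsWith('.' + hstsHost)) {
    throw new Error(`service request went to an unexpected host: ${u.hostname}`);
  }
  return u.protocol === 'https:' ? 'supported' : 'unsupported';
}

// X-Content-Type-Options (type one, steps S2039b/S2032): with nosniff and
// Content-Type: text/plain a supporting browser shows the HTML source verbatim,
// whereas a non-supporting browser renders it. Whitespace is normalised so that
// screen-captured text can be compared with the served source.
function contentTypeOptionsVerdict(htmlSource, displayedText) {
  const norm = (s) => s.replace(/\s+/g, ' ').trim();
  return norm(displayedText) === norm(htmlSource) ? 'supported' : 'unsupported';
}

// Type two (steps S2012, S2035-S2038): web service 106 arms a timer when told the
// test has started. A request before the deadline means the mechanism is NOT
// supported (and stops the timer); no request by the deadline means it is.
// Times are plain millisecond numbers so the logic is deterministic.
class BlockedRequestProbe {
  constructor(mechanism, startedAt, transmitDelayMs, browserProcessingMs, marginMs = 500) {
    if (MECHANISM_TYPE[mechanism] !== 2) {
      throw new Error(`${mechanism} is not a type-two mechanism`);
    }
    this.mechanism = mechanism;
    // The text requires the timer to be at least transmission delay plus the
    // browser's processing delay; the margin (assumed) covers jitter.
    this.deadline = startedAt + transmitDelayMs + browserProcessingMs + marginMs;
    this.requestAt = null;
  }

  // Called by web service 106 when a service request from browser 104 arrives.
  // A request after the deadline is ignored: the verdict was already reported,
  // which is why the timer must be generous enough to cover real delays.
  onServiceRequest(now) {
    if (this.requestAt === null && now < this.deadline) this.requestAt = now;
  }

  verdict(now) {
    if (this.requestAt !== null) return 'unsupported'; // forbidden request was sent
    if (now >= this.deadline) return 'supported';     // timer expired, nothing arrived
    return 'pending';
  }
}
```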
The method for testing whether a browser 104 supports an HTTP security mechanism in the embodiment of the present invention has been described above. To make testing efficient, one browser 104 may be tested for each of a plurality of HTTP security mechanisms in turn; further, each of a plurality of browsers 104 may be tested in this way, so that it is determined, for each browser 104, which of the plurality of HTTP security mechanisms it supports.
Optionally, in the test system 10, multiple browsers 104 may be installed on the host 101, such as the aforementioned IE, Chrome, Firefox, Android, Safari and Opera browsers, and different versions of the same browser are regarded as different browsers.
The test server 102 may support multiple HTTP security mechanisms to be tested: because the test server 102 needs to send a security header to the browser 104, it needs to support each HTTP security mechanism under test. The web service 106 may likewise support multiple HTTP security mechanisms, or a separate web service 106 supporting a given HTTP security mechanism may be deployed for each HTTP security mechanism.
Next, another test flow provided by the embodiment of the present invention is described with reference to fig. 6. As shown in fig. 6, the process may include the following steps:
S601: the browser 104 sends a test start command to the test program 105.
S602: the test program 105 recognizes the test start command from the browser 104 and, upon receiving it, transmits a test script (test.js in Fig. 6) to the browser 104.
S603: the browser 104 sends an HSTS test request to the test program 105 according to the test command in test.js.
S604: upon receiving the HSTS test request, the test program 105 sends an HSTS security header to the browser 104.
S605: after receiving the HSTS security header, the browser 104 sends a service request to the web service 106 according to the test command in test.js.
S606: the browser 104 sends an XSS test request to the test program 105 according to the test command in test.js.
S607: upon receiving the XSS test request, test program 105 sends an XSS security header to browser 104.
S608: upon receiving the XSS security header, the browser 104 sends a service request to the web service 106 according to the test command in test.js.
And so on: the tests are performed in the sequence set in test.js. For example, test.js may set the tests to run in the following order, from the smallest number to the largest:
1. HSTS, 2. HPKP, 3. X-Frame-Options, 4. X-XSS-Protection, 5. X-Content-Type-Options, 6. Content-Security-Policy.
test.js may include a plurality of test commands. If one browser 104 is installed on the host 101, the test script may control which of the plurality of HTTP security mechanisms are tested for that browser 104. If a plurality of browsers 104 are installed on the host 101, the test script can control each browser 104 to be tested in turn, and for each browser 104 the test of multiple HTTP security mechanisms can be carried out.
Next, the configuration of the test script for one browser 104 is described; the test procedure for other browsers 104 is the same.
For example: the support of the various HTTP security mechanisms by IE7 is tested, in the order of the numbers above from smallest to largest.
test.js may include test command groups executed in the above order, each test command group corresponding to one HTTP security mechanism.
Taking HSTS as an example, the corresponding test command set may perform the following operations:
1. The test command controls the browser 104 to send to the test program 105 a test request for testing whether the browser 104 supports HSTS. The test request may be a service request sent to the test program 105 (step S603); by setting parameters in the service request, the test program 105 can identify whether the browser 104 is to be tested for HSTS support (the correspondence between service request parameter values and HTTP security mechanism types may be agreed in advance between the host 101 and the test program 105).
Upon receiving the test request, the test program 105 determines whether the browser 104 is to be tested for HSTS support, and sends the HSTS security header to the browser 104 (step S604).
2. The test command controls the browser 104 to receive the HSTS security header and obtain the fields and parameter values in the HSTS security header.
3. The test command controls the browser 104 to send a service request to the web service 106.
The test command may specify the web service 106 to be requested by the browser 104, and specify that the browser 104 uses the HTTP security mechanism HSTS.
If the browser 104 supports HSTS, it processes the service request according to the fields and parameters in the HSTS security header and sends the service request to the web service 106 (step S605).
After the test command set corresponding to HSTS has been executed, the test command set corresponding to HPKP is executed. Like the HSTS set, the HPKP test command group comprises: sending a test request, receiving a security header, and sending a service request to the web service 106. The processing and setting of the commands may refer to the description of the HPKP test method given earlier.
For type one of the security precautions described earlier, the browser 104 sends a service request to the web service 106 whether or not it supports the HTTP security mechanism; what differs is the manner in which the service request is sent, or the manner in which the browser 104 displays the content of the web service 106.
For type two of the security precautions, the web service 106 is set up as a web service that the HTTP security mechanism prohibits the browser from requesting. If the browser 104 does not support the HTTP security mechanism, it sends a service request to the web service 106; if it supports the mechanism, it sends no service request to the web service 106.
For type one, the web service 106 may record the manner in which the browser 104 sends the service request; for type two, the web service 106 may record whether a service request is received from the browser 104 before the timer expires.
The web service 106 may send the recorded content to the test program 105, and the test program 105 determines from the received records which HTTP security mechanisms the browser 104 supports and/or which it does not support.
In the following, examples of several test command sets in test.js are given. Here target_IP is the IP address of the web service 106; 'get' indicates that the web service 106 is requested by GET; alert means to give a prompt; function (addresses) indicates that if the browser 104 processes the web service 106 using the HTTP security mechanism tested by the test command group, a prompt that the browser 104 supports the HTTP security mechanism is given; function (options) indicates that if the browser 104 does not process the web service 106 using the HTTP security mechanism tested by the test command group, a prompt that the browser 104 does not support the HTTP security mechanism is given; failure means the test failed: neither a prompt that the browser 104 supports the HTTP security mechanism nor a prompt that it does not support it was given, so an error is prompted.
1. Test command group for HSTS: function HSTS_test() [listing provided as an image in the original; not reproduced]
2. Test command group for HPKP: function HPKP_test() [listing provided as an image in the original; not reproduced]
3. Test command group for X-Frame-Options: function X-Frame-Options_test() [listing provided as an image in the original; not reproduced]
4. Test command group for X-XSS-Protection: function X-XSS-Protection [listing provided as an image in the original; not reproduced]
5. Test command group for X-Content-Type-Options: function X-Content-Type-Options [listing provided as an image in the original; not reproduced]
6. Test command group for Content-Security-Policy: function Content-Security-Policy [listing provided as an image in the original; not reproduced]
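The two recording rules (type one records the manner of the request, type two records whether any request arrives before the timer expires) and the ordered test command sets described above, as an added example that is not code from the patent or its listings: a Node.js model of the decisions the test program 105 and the web service 106 make. The function and class names (securityHeaderFor, WebServiceRecord, decideSupport, runSequence, sampleRun), the request parameter name `mechanism`, and the header values are assumptions made for this example; the observations in sampleRun are constructed.

```javascript
// Added example (not from the patent): model of the test program 105 /
// web service 106 decision logic. Names and header values are assumptions.

// Test order set in test.js, numbered from small to large (from the description).
const TEST_ORDER = [
  'HSTS', 'HPKP', 'X-Frame-Options', 'X-XSS-Protection',
  'X-Content-Type-Options', 'Content-Security-Policy',
];

// Precaution type per mechanism. Type one: the browser still requests the web
// service, only the manner differs. Type two: the web service is one the
// mechanism forbids, so a supporting browser never requests it at all.
// Header values below are constructed sample values, not the patent's.
const MECHANISMS = {
  'HSTS': { type: 1, expectedManner: 'https',
    header: ['Strict-Transport-Security', 'max-age=31536000'] },
  'X-Content-Type-Options': { type: 1, expectedManner: 'declared-type',
    header: ['X-Content-Type-Options', 'nosniff'] },
  'HPKP': { type: 2,
    header: ['Public-Key-Pins', 'pin-sha256="CONSTRUCTED_PIN="; max-age=5184000'] },
  'X-Frame-Options': { type: 2, header: ['X-Frame-Options', 'DENY'] },
  'X-XSS-Protection': { type: 2, header: ['X-XSS-Protection', '1; mode=block'] },
  'Content-Security-Policy': { type: 2,
    header: ['Content-Security-Policy', "script-src 'self'"] },
};

// Steps S603/S604: the test program identifies the mechanism under test from an
// agreed request parameter and answers with the matching security header.
// Returns null for an unknown or missing mechanism so the caller can flag an error.
function securityHeaderFor(requestPath) {
  const url = new URL(requestPath, 'http://test-program.invalid'); // base is a placeholder
  const mechanism = url.searchParams.get('mechanism');
  const spec = MECHANISMS[mechanism];
  return spec ? { mechanism, header: spec.header } : null;
}

// What the web service 106 records for one test: for type one the manner of the
// request, for type two whether any request arrived before the timer ran out.
class WebServiceRecord {
  constructor(startMs, timeoutMs) {
    this.deadline = startMs + timeoutMs;
    this.manner = null;           // type one observation
    this.requestedInTime = false; // type two observation
  }
  onRequest(manner, nowMs) {
    if (nowMs <= this.deadline) { // requests after the timer expires are ignored
      this.manner = manner;
      this.requestedInTime = true;
    }
  }
}

// Processing module 702: map one record to a support verdict.
function decideSupport(mechanism, record) {
  const spec = MECHANISMS[mechanism];
  if (!spec) throw new Error(`unknown mechanism: ${mechanism}`);
  if (spec.type === 1) {
    if (record.manner === null) return 'error'; // type one must always produce a request
    return record.manner === spec.expectedManner ? 'supported' : 'unsupported';
  }
  return record.requestedInTime ? 'unsupported' : 'supported';
}

// Walk the test order and build the supported / unsupported lists the test
// program reports. `records` is keyed by mechanism name.
function runSequence(records) {
  const result = { supported: [], unsupported: [], errors: [] };
  for (const m of TEST_ORDER) {
    const verdict = records[m] ? decideSupport(m, records[m]) : 'error';
    if (verdict === 'supported') result.supported.push(m);
    else if (verdict === 'unsupported') result.unsupported.push(m);
    else result.errors.push(m);
  }
  return result;
}

// Constructed sample run (observations invented for the demo): the browser honours
// HSTS, X-Frame-Options and CSP, but not HPKP, X-XSS-Protection or X-Content-Type-Options.
function sampleRun() {
  const t0 = 0, timeout = 5000;
  const rec = {};
  for (const m of TEST_ORDER) rec[m] = new WebServiceRecord(t0, timeout);
  rec['HSTS'].onRequest('https', 100);                   // requested over HTTPS -> supported
  rec['X-Content-Type-Options'].onRequest('sniffed-type', 120); // wrong manner -> unsupported
  rec['HPKP'].onRequest('https', 200);                   // requested a forbidden service -> unsupported
  // X-Frame-Options: no request at all -> supported
  rec['X-XSS-Protection'].onRequest('http', 300);        // requested -> unsupported
  rec['Content-Security-Policy'].onRequest('http', 6000); // after the timer -> counts as no request
  return runSequence(rec);
}
```

The CSP entry in sampleRun shows why the timer in the type two rule matters: the web service only counts requests that arrive before the deadline, so the test program should pick a timeout long enough that a slow but non-supporting browser is not misclassified as supporting.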
Fig. 7 shows a testing apparatus 70 according to an embodiment of the present invention. The testing device 70 may be used to test whether a browser 104 supports an HTTP security mechanism.
As shown in fig. 7, the test device 70 may include:
a sending module 701, configured to send a security header to the browser 104, where the security header is used to configure the browser 104 to use an HTTP security mechanism;
a processing module 702, configured to determine whether the browser 104 processes a web service 106 using the HTTP security mechanism, and determine whether the browser 104 supports the HTTP security mechanism according to a result of the determination.
As previously mentioned, the principle of implementing security precautions by HTTP security mechanisms can be divided into "type one" and "type two".
For type one, the HTTP security mechanism makes a browser request a web service only in a specified manner; the security header sent by the sending module 701 is specifically used to configure the manner in which the browser 104 requests the web service 106; the processing module 702 is specifically configured to: determine whether the browser 104 requests the web service 106 in the manner specified by the security header, and if so, determine that the browser 104 supports the HTTP security mechanism; otherwise, determine that the browser 104 does not support the HTTP security mechanism.
Optionally, the HTTP security mechanism makes a browser request a web service only over the secure hypertext transfer protocol HTTPS; the security header sent by the sending module 701 is an HTTP Strict Transport Security (HSTS) header, specifically used to configure the browser 104 to request the web service 106 only over HTTPS; the sending module 701 is specifically configured to control the web service 106 to send the HSTS header in response to an HTTP request of the browser 104; the processing module 702 is specifically configured to determine whether the browser 104 requests the web service 106 over HTTPS after receiving the HSTS header.
Optionally, the HTTP security mechanism makes a browser display the content of a web service in a specified manner; the security header sent by the sending module 701 is an X-Content-Type-Options header, specifically used to configure the browser 104 to display the content of the web service 106 in a specified manner; the processing module 702 is specifically configured to determine whether the browser 104 displays the content of the web service 106 in the manner specified in the X-Content-Type-Options header.
For type two, the HTTP security mechanism prohibits a browser from requesting a web service; the security header sent by the sending module 701 is specifically used to configure the browser 104 to refrain from requesting the web service 106 according to the HTTP security mechanism; the processing module 702 is specifically configured to: determine whether the browser 104 requests the web service 106, and if so, determine that the browser 104 does not support the HTTP security mechanism; otherwise, determine that the browser 104 supports the HTTP security mechanism.
Optionally, the HTTP security mechanism allows a browser to access a web service only when using a pre-agreed set of public key pins;
the security header sent by the sending module 701 is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the set of public key pins that the browser 104 may use when requesting another web service other than the web service 106, where the other web service has the same domain name as the web service 106 but a different internet protocol (IP) address;
the processing module 702 is specifically configured to determine whether the browser 104 requests the web service 106 when redirected to the web service 106.
Optionally, the HTTP security mechanism prohibits a browser from accessing a web page embedded in another web page; the security header sent by the sending module 701 is an X-Frame-Options header, specifically used to configure the browser 104 to prohibit access to embedded web pages, and the web service 106 is a web page embedded in another web page; the processing module 702 is specifically configured to determine whether the browser 104 requests the web service 106 when accessing the web page in which the web service 106 is embedded.
Optionally, the HTTP security mechanism makes a browser execute only script files from a specified site; the security header sent by the sending module 701 is a Content Security Policy (CSP) header, specifically used to configure the site to which script files executable by the browser 104 belong, and the web service 106 is a script file that does not belong to the site specified by the CSP header; the processing module 702 is specifically configured to determine whether the browser 104 executes the script file that is the web service 106.
Optionally, the HTTP security mechanism prohibits a browser from executing a cross-site script; the security header sent by the sending module 701 is an X-XSS-Protection header, specifically used to configure the browser 104 to prohibit execution of cross-site scripts; the processing module 702 is specifically configured to determine whether the browser 104 requests the web service 106 when the content of the received web request response includes a cross-site script and that cross-site script directs the browser 104 to request the web service 106.
Optionally, the testing device 70 may further include: a receiving module 703, configured to receive a test request from the browser 104 before the sending module 701 sends the security header to the browser 104, where the test request is used to request to test whether the browser 104 supports the HTTP security mechanism.
The sending module 701 may also be used to perform other sending operations of the test server 106. Processing module 702 may also be used to perform other processing operations for test server 106. The receiving module 703 may also be used to perform other receiving operations of the test server 106. Other alternative implementations of the apparatus may refer to the implementation of the test server 106, and are not described here in detail.
Fig. 8 shows a testing apparatus 80 according to an embodiment of the present invention. The testing device 80 may be used to test whether a browser 104 supports an HTTP security mechanism. The testing device 80 may be located in the testing server 106, or the testing device 80 may be the testing server 106.
As shown in fig. 8, the testing device 80 may include:
a memory 801 for storing computer instructions (such as the test program 105 described above);
a processor 802 for calling the above-mentioned computer instructions stored on the memory 801 to execute any one of the test methods shown in fig. 2 to 6.
Fig. 9 shows a testing apparatus 90 according to an embodiment of the present invention. The testing device 90 is operable to test whether a browser 104 supports each of at least two HTTP security mechanisms.
As shown in fig. 9, the apparatus includes:
a sending module 901, configured to send a test script file to the browser 104, where the test script file is used to control testing of whether the browser 104 supports each of at least two HTTP security mechanisms;
a receiving module 903, configured to receive the test request that the browser 104 sends separately for each of the at least two HTTP security mechanisms;
a processing module 902, configured to perform the following operations after the receiving module 903 receives each test request: in response to the test request, control the sending module 901 to send a security header to the browser 104, where the security header is used to configure the browser 104 to use the HTTP security mechanism targeted by the test request; determine whether the browser 104 processes a web service 106 using the HTTP security mechanism targeted by the test request; and determine, from the result of that determination, whether the browser 104 supports the HTTP security mechanism targeted by the test request.
The sending module 901 of the device 90 may also be used to perform other sending operations of the test server 106, the receiving module 903 may also be used to perform other receiving operations of the test server 106, and the processing module 902 may also be used to perform other processing operations of the test server 106. Other alternative implementations of the apparatus 90 may refer to the implementation of the test server 106 and are not described in detail here.
Fig. 10 shows a testing apparatus 100 according to an embodiment of the present invention. The testing device 100 is operable to test whether a browser 104 supports each of at least two HTTP security mechanisms. The testing device may be located in the testing server 106, or the testing device may be the testing server 106.
As shown in fig. 10, the apparatus 100 includes:
a memory 1001 for storing computer instructions (such as the test program 105 described above);
a processor 1002 for invoking the above-mentioned computer instructions stored in the memory 1001 to perform the following method:
sending a test script file to the browser 104, the test script file being used to control testing of whether the browser 104 supports each of the at least two HTTP security mechanisms;
receiving a test request from browser 104 sent separately for each of at least two HTTP security mechanisms;
after receiving each test request, the following operations are executed: sending a security header to the browser 104 in response to the test request, wherein the security header is used for configuring an HTTP security mechanism for the browser 104 to use the test request; determining whether the browser 104 processes a web service 106 using the HTTP security mechanism for which the test request is directed; and determining whether the browser 104 supports the HTTP security mechanism for which the test request is directed according to a result of the determination.
Other alternative implementations of the apparatus 100 may refer to the test server 106, which will not be described herein.
Embodiments of the present invention also provide a computer storage medium storing instructions for causing a machine to perform a test method as described herein. Specifically, a system or an apparatus equipped with a storage medium on which software program code realizing the functions of any of the above-described embodiments is stored may be provided, and a computer (or a CPU or MPU) of the system or apparatus is caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion unit to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
In summary, in the embodiments of the present invention, when the test server tests the browser it sends the browser a security header that configures the browser to use the HTTP security mechanism under test; the test server then determines whether the browser processes a web service using that HTTP security mechanism, and decides from the result whether the browser supports it. The scheme can effectively test whether a browser supports an HTTP security mechanism: the test server informs the browser of the mechanism to use by sending the security header, judges whether the browser adopts that mechanism when processing a web service, and determines support from the judgment result. This provides a method for automatically testing a browser that reduces manual operations. Because support is determined from how the browser actually processes the web service, the judgment result is accurate and the test takes less time. The test server can judge whether the browser requests a web service using the HTTP security mechanism according to the security-precaution principle of the mechanism under test, which makes the judgment result more accurate.
It should be noted that not all steps and modules in the above flows and system structure diagrams are necessary, and some steps or modules may be omitted according to actual needs. The execution order of the steps is not fixed and can be adjusted as required. The system structure described in the above embodiments may be a physical structure or a logical structure, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by a plurality of physical entities, or some components in a plurality of independent devices may be implemented together.
In the above embodiments, the hardware unit may be implemented mechanically or electrically. For example, a hardware element may comprise permanently dedicated circuitry or logic (such as a dedicated processor, FPGA or ASIC) to perform the corresponding operations. The hardware elements may also comprise programmable logic or circuitry, such as a general purpose processor or other programmable processor, that may be temporarily configured by software to perform the corresponding operations. The specific implementation (mechanical, or dedicated permanent, or temporarily set) may be determined based on cost and time considerations.
While the invention has been shown and described in detail in the drawings and in the preferred embodiments, it is not intended to limit the invention to the embodiments disclosed, and it will be apparent to those skilled in the art that various combinations of the test means in the various embodiments described above may be used to obtain further embodiments of the invention, which are also within the scope of the invention.

Claims (25)

1. A method for testing whether a browser (104) supports a hypertext transfer protocol, HTTP, security mechanism, comprising:
sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism;
determining whether the browser (104) is processing a web service (106) using the HTTP security mechanism;
determining whether the browser (104) supports the HTTP security mechanism according to the judgment result;
the determining whether the browser (104) is to process a web service (106) using the HTTP security mechanism includes: determining whether the browser (104) requests the web service (106) in a manner specified by the security header; alternatively, it comprises: it is determined whether the browser (104) requested the web service (106).
2. The method of claim 1, wherein when determining whether the browser (104) is to process a web service (106) using the HTTP security mechanism, comprises: when determining whether the browser (104) requests the web service (106) in a manner specified by the security header,
the HTTP security mechanism requests a network service for a browser only in a specified mode; the security header is specifically configured to configure a manner in which the browser (104) requests the web service (106);
determining whether the browser (104) supports the HTTP security mechanism according to a result of the determination, including: determining that the browser (104) supports the HTTP security mechanism if the browser (104) requests the web service (106) in a manner specified by the security header; otherwise, it is determined that the browser (104) does not support the HTTP security mechanism.
3. The method according to claim 2, wherein the HTTP security mechanism requests a web service for a browser only over the secure hypertext transfer protocol, HTTPS, and the security header is an HTTP Strict Transport Security, HSTS, header, in particular for configuring the browser (104) to request the web service (106) only over HTTPS;
sending a security header to the browser (104), comprising: control said web service (106) to send an HSTS header in response to an HTTP request by said browser (104);
determining whether the browser (104) requests the web service (106) in a manner specified by the security header, comprising: determining whether the browser (104) requests the web service (106) over HTTPS after receiving the HSTS header.
4. The method of claim 2, wherein the HTTP security mechanism displays the Content of a web service in a specified manner for a browser, and wherein the security header is an extended Content Type option X-Content-Type-Options header, specifically for configuring the browser (104) to display the Content of the web service (106) in the specified manner;
determining whether the browser (104) requests the web service (106) in a manner specified by the security header, comprising: and judging whether the browser (104) displays the Content of the network service (106) according to the mode specified in the X-Content-Type-Options header.
5. The method of claim 1, wherein when said determining whether said browser (104) is processing a web service (106) using said HTTP security mechanism comprises: determining whether the browser (104) requested the web service (106),
the HTTP security mechanism is used for forbidding a browser to request a network service; the security header is specifically configured to configure the browser (104) to refrain from requesting a web service (106) according to the HTTP security mechanism;
determining whether the browser (104) supports the HTTP security mechanism according to a result of the determination, including: determining that the browser (104) does not support the HTTP security mechanism if the browser (104) requests the web service (106); otherwise, determining that the browser (104) supports the HTTP security mechanism.
6. The method of claim 5, wherein the HTTP security mechanism is to allow a browser to access a network service only when using a pre-agreed set of public key pins; the security header is an HTTP Public Key Pinning (HPKP) header specifically configured to configure a set of public key pins usable by the browser (104) to request another network service other than the network service (106), wherein the other network service has the same domain name as the network service (106) but a different Internet Protocol (IP) address;
determining whether the browser (104) requests the web service (106), comprising: determining whether the browser (104) requested the web service (106) when redirected to the web service (106).
7. The method of claim 5, wherein the HTTP security mechanism is to prohibit a browser from accessing a web page embedded in another web page; the security header is an X-Frame-Options, and is specifically used for configuring the browser (104) to prohibit access to the embedded webpage; the web service (106) is one web page embedded in other web pages;
determining whether the browser (104) requests the web service (106), comprising: determining whether the browser (104) requested the web service (106) when accessing a web page embedded with the web service (106).
8. The method of claim 5, wherein the HTTP security mechanism executes only a script file for a specified site for a browser; the security header is a Content Security Policy (CSP) header and is specifically used for configuring a site to which a script file executable by the browser (104) belongs; the web service (106) is a script file and does not belong to the site specified by the CSP header;
determining whether the browser (104) requests the web service (106), comprising: it is determined whether the browser (104) executed a script file as the web service (106).
9. The method of claim 5, wherein the HTTP security mechanism is a browser-prohibited execution of a cross-site script, and wherein the security header is an X-XSS-Protection header, and is specifically configured to configure the browser (104) to prohibit execution of a cross-site script;
determining whether the browser (104) requests the web service (106), comprising: determining whether the browser (104) requests the web service (106) when the browser (104) includes a cross-site script in the content of the received web request response and the included cross-site script indicates that the browser (104) requests the web service (106).
10. The method of any of claims 1 to 9, further comprising, prior to sending the security header to the browser (104):
receiving a test request from the browser (104), wherein the test request is used for requesting to test whether the browser (104) supports the HTTP security mechanism.
11. A testing apparatus (70) for testing whether a browser (104) supports a hypertext transfer protocol, HTTP, security mechanism, comprising:
a sending module (701) configured to send a security header to the browser (104), wherein the security header is configured to configure the browser (104) to use the HTTP security mechanism;
a processing module (702) for determining whether the browser (104) is to process a web service (106) using the HTTP security mechanism, and determining whether the browser (104) supports the HTTP security mechanism according to a result of the determination;
the processing module (702) determining whether the browser (104) is to process a web service (106) using the HTTP security mechanism, comprising: determining whether the browser (104) requests the web service (106) in a manner specified by the security header; alternatively, it comprises: it is determined whether the browser (104) requested the web service (106).
12. The apparatus (70) of claim 11, wherein when the processing module (702) determines whether the browser (104) is processing a web service (106) using the HTTP security mechanism, comprises: when determining whether the browser (104) requests the web service (106) in a manner specified by the security header,
the HTTP security mechanism requests a network service for a browser only in a specified mode;
the security header sent by the sending module (701) is specifically used for configuring the mode of the browser (104) for requesting the network service (106);
the processing module (702) further configured to:
determining that the browser (104) supports the HTTP security mechanism if the browser (104) requests the web service (106) in a manner specified by the security header; otherwise, it is determined that the browser (104) does not support the HTTP security mechanism.
13. The apparatus (70) of claim 12,
the HTTP security mechanism is that a browser only requests a network service through a secure hypertext transfer protocol (HTTPS);
the security header sent by the sending module (701) is a hypertext transfer protocol strict transport security (HSTS) header, and the security header is specifically configured to configure the browser (104) to request the web service (106) only through HTTPS;
the sending module (701) is specifically configured to control the web service (106) to send an HSTS header in response to an HTTP request of the browser (104);
the processing module (702) is specifically configured to determine whether the browser (104) requests the web service (106) through HTTPS after receiving the HSTS header.
14. The apparatus (70) of claim 12,
the HTTP security mechanism displays the content of a web service in a specified manner for a browser;
the security header sent by the sending module (701) is an extended Content Type option X-Content-Type-Options header, and the security header is specifically configured to configure the browser (104) to display the Content of the web service (106) in a specified manner;
the processing module (702) is specifically configured to determine whether the browser (104) displays the Content of the web service (106) in a manner specified in the X-Content-Type-Options header.
15. The apparatus (70) of claim 11, wherein when the processing module (702) determines whether the browser (104) is processing a web service (106) using the HTTP security mechanism, comprises: determining whether the browser (104) requested the web service (106),
the HTTP security mechanism is used for forbidding a browser to request a network service;
the security header sent by the sending module (701) is specifically configured to configure the browser (104) to prohibit requesting a web service (106) according to the HTTP security mechanism;
the processing module (702) further configured to:
determining that the browser (104) does not support the HTTP security mechanism if the browser (104) requests the web service (106); otherwise, determining that the browser (104) supports the HTTP security mechanism.
16. The device (70) of claim 15,
the HTTP security mechanism is used for allowing a browser to access a network service only when using a pre-agreed set of public key pins;
the security header sent by the sending module (701) is an HTTP Public Key Pinning (HPKP) header specifically configured to configure a set of public key pins usable by the browser (104) to request another network service other than the network service (106), wherein the other network service has the same domain name as the network service (106) but a different Internet Protocol (IP) address;
the processing module (702) is specifically configured to determine whether the browser (104) requests the web service (106) when being redirected to the web service (106).
17. The device (70) of claim 15, wherein
the HTTP security mechanism is used for prohibiting a browser from accessing a web page embedded in another web page;
the security header sent by the sending module (701) is an X-Frame-Options header, the security header is specifically used for configuring the browser (104) to prohibit access to the embedded web page, and the web service (106) is one of the embedded web pages;
the processing module (702) is specifically configured to determine whether the browser (104) requests the web service (106) when accessing a web page in which the web service (106) is embedded.
18. The device (70) of claim 15, wherein
the HTTP security mechanism is used for allowing a browser to execute only script files of a specified site;
the security header sent by the sending module (701) is a Content Security Policy (CSP) header, the security header is specifically used for configuring the site to which a script file executable by the browser (104) belongs, and the web service (106) is a script file that does not belong to the site specified by the CSP header;
the processing module (702) is specifically configured to determine whether the browser (104) executes the script file that is the web service (106).
19. The device (70) of claim 15, wherein
the HTTP security mechanism prohibits a browser from executing a cross-site script;
the security header sent by the sending module (701) is an X-XSS-Protection header, and the security header is specifically used for configuring the browser (104) to prohibit execution of a cross-site script;
the processing module (702) is specifically configured to determine whether the browser (104) requests the web service (106) when the content of the received web request response includes a cross-site script and the included cross-site script instructs the browser (104) to request the web service (106).
20. The apparatus (70) of any of claims 11-19, further comprising:
a receiving module (703) for receiving a test request from the browser (104) before the sending module (701) sends the security header to the browser (104), wherein the test request is used for requesting to test whether the browser (104) supports the HTTP security mechanism.
21. A testing apparatus (80) for testing whether a browser (104) supports a hypertext transfer protocol, HTTP, security mechanism, comprising:
a memory (801) for storing computer instructions;
a processor (802) for invoking the computer instructions to perform the method according to any of claims 1-10.
22. A method for testing whether a browser (104) supports each of at least two hypertext transfer protocol, HTTP, security mechanisms, comprising:
sending a test script file to the browser (104), the test script file for controlling testing whether the browser (104) supports each of the at least two HTTP security mechanisms;
receiving a test request from the browser (104) sent separately for each of the at least two HTTP security mechanisms;
after receiving each test request, executing the following operations:
sending a security header to the browser (104) in response to the test request, wherein the security header is used to configure the HTTP security mechanism for use by the browser (104) with respect to the test request;
determining whether the browser (104) is to process a web service (106) using the HTTP security mechanism for which the test request is intended;
determining whether the browser (104) supports the HTTP security mechanism for which the test request is directed according to a result of the determination;
the determining whether the browser (104) processes a web service (106) using the HTTP security mechanism for which the test request is intended comprises: determining whether the browser (104) requests the web service (106) in a manner specified by the security header; or alternatively comprises: determining whether the browser (104) requested the web service (106).
23. A testing apparatus (90) for testing whether a browser (104) supports each of at least two hypertext transfer protocol, HTTP, security mechanisms, comprising:
a sending module (901) for sending a test script file to the browser (104), the test script file being used for controlling testing whether the browser (104) supports each of the at least two HTTP security mechanisms;
a receiving module (903) for receiving a test request from the browser (104) sent for each of the at least two HTTP security mechanisms;
a processing module (902) configured to, after the receiving module (903) receives each of the test requests, perform the following operations:
in response to the test request, controlling the sending module (901) to send a security header to the browser (104), wherein the security header is used for configuring the HTTP security mechanism for use by the browser (104) with respect to the test request;
determining whether the browser (104) is to process a web service (106) using the HTTP security mechanism for which the test request is intended;
determining whether the browser (104) supports the HTTP security mechanism for which the test request is directed according to a result of the determination;
the processing module (902) determining whether the browser (104) processes a web service (106) using the HTTP security mechanism for which the test request is intended comprises: determining whether the browser (104) requests the web service (106) in a manner specified by the security header; or alternatively comprises: determining whether the browser (104) requested the web service (106).
24. A testing apparatus (100) for testing whether a browser (104) supports a hypertext transfer protocol, HTTP, security mechanism, comprising:
a memory (1001) for storing computer instructions;
a processor (1002) for invoking said computer instructions to perform the method according to claim 22.
25. A computer readable medium having computer instructions stored thereon, which when executed by a processor, cause the processor to perform the method of any one of claims 1 to 10 or claim 22.
CN201610826842.1A 2016-09-14 2016-09-14 Test method and device Active CN107819639B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610826842.1A CN107819639B (en) 2016-09-14 2016-09-14 Test method and device
Publications (2)

Publication Number Publication Date
CN107819639A CN107819639A (en) 2018-03-20
CN107819639B true CN107819639B (en) 2021-12-24

Family

ID=61601005

Country Status (1)

Country Link
CN (1) CN107819639B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant