CN111222130B - Page response method, page request method and page request device - Google Patents

Page response method, page request method and page request device

Info

Publication number
CN111222130B
Authority
CN
China
Prior art keywords
page content
page
information
preset type
api
Prior art date
Legal status
Active
Application number
CN201811426578.8A
Other languages
Chinese (zh)
Other versions
CN111222130A (en)
Inventor
周大
Current Assignee
Nail Holding Cayman Co ltd
Original Assignee
Nail Holding Cayman Co ltd
Priority date
Filing date
Publication date
Application filed by Nail Holding Cayman Co ltd
Priority to CN201811426578.8A
Publication of CN111222130A
Application granted
Publication of CN111222130B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links


Abstract

One or more embodiments of the present disclosure provide a page response method, a page request method, and an apparatus. The page response method may include: acquiring the corresponding page content according to a page request initiated by a client; when the page content involves a call to a preset type API, generating verification information applied to the page content; adding the verification information both to the header of the page content and to the interface parameters of the calling function corresponding to the preset type API in the page content; and returning the page content to the client.

Description

Page response method, page request method and page request device
Technical Field
One or more embodiments of the present disclosure relate to the field of internet technologies, and in particular, to a page response method, a page request method, and a device.
Background
In the related art, a CSP (Content Security Policy) mechanism can detect and defend against vulnerabilities such as XSS (Cross-Site Scripting): for example, it determines whether a specified code block in the page content that needs to execute JavaScript is allowed to execute, thereby improving network security.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a page response method, a page request method, and an apparatus.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present specification, there is provided a page response method, including:
acquiring corresponding page content according to a page request initiated by a client;
when the page content relates to calling of a preset type API, generating verification information applied to the page content;
adding the verification information both to the header of the page content and to the interface parameters of the calling function corresponding to the preset type API in the page content;
and returning the page content to the client.
According to a second aspect of one or more embodiments of the present specification, there is provided a page request method, including:
initiating a page request to a server;
parsing the page content returned by the server to obtain first check information contained in the header of the page content and second check information contained in the interface parameters of the calling function corresponding to the preset type API in the page content;
and allowing execution of a calling function corresponding to the preset type API when the first check information is consistent with the second check information.
According to a third aspect of one or more embodiments of the present specification, there is provided a page response device, comprising:
the acquisition unit acquires corresponding page content according to a page request initiated by the client;
the generation unit is used for generating verification information applied to the page content when the page content relates to calling of a preset type API;
the first adding unit adds the verification information both to the header of the page content and to the interface parameters of the calling function corresponding to the preset type API in the page content;
and the return unit returns the page content to the client.
According to a fourth aspect of one or more embodiments of the present specification, there is provided a page requesting apparatus, including:
a request unit for initiating a page request to a server;
the analysis unit parses the page content returned by the server to obtain first check information contained in the header of the page content and second check information contained in the interface parameters of the calling function corresponding to the preset type API in the page content;
and a control unit allowing execution of a calling function corresponding to the preset type API when the first check information is identical to the second check information.
Drawings
FIG. 1 is a schematic architecture diagram of a page interaction system according to an exemplary embodiment.
Fig. 2 is a flow chart of a page response method provided by an exemplary embodiment.
Fig. 3 is a flow chart of a page request method provided by an exemplary embodiment.
FIG. 4 is a schematic diagram of a page interaction process provided by an exemplary embodiment.
Fig. 5 is a schematic diagram of an apparatus according to an exemplary embodiment.
Fig. 6 is a block diagram of a page response device provided by an exemplary embodiment.
Fig. 7 is a schematic diagram of another apparatus according to an exemplary embodiment.
Fig. 8 is a block diagram of a page request device provided in an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
FIG. 1 is a schematic architecture diagram of a page interaction system according to an exemplary embodiment. As shown in fig. 1, the system may include a server 11, a network 12, several electronic devices, such as a cell phone 13, a PC14, and so on.
The server 11 may be a physical server comprising a separate host, or the server 11 may be a virtual server carried by a cluster of hosts. During the running process, the server 11 may run a server-side program of an application to be implemented as a server side of the application. In the technical solution of one or more embodiments of the present disclosure, the server 11 may implement a secure page interaction scheme by cooperating with clients running on the mobile phone 13 and the PC 14.
The mobile phone 13 and the PC14 are only some of the types of electronic device that can be used. Clearly, the user may also use electronic devices such as tablet devices, notebook computers, palmtop computers (PDAs, Personal Digital Assistants), wearable devices (e.g. smart glasses, smart watches, etc.) and so on; one or more embodiments of the present description are not limited in this regard. While running, the electronic device may run the client-side program of an application so as to act as a client of that application.
And the network 12 for interaction between the handset 13, PC14 and server 11 may comprise various types of wired or wireless networks. In one embodiment, the network 12 may include a public switched telephone network (Public Switched Telephone Network, PSTN) and the internet.
Fig. 2 is a flow chart of a page response method provided by an exemplary embodiment. As shown in fig. 2, the method is applied to a server (such as the server 11 shown in fig. 1), and may include the following steps:
step 202, obtaining corresponding page content according to a page request initiated by a client.
In an embodiment, after receiving the page request initiated by the client, the server may respond to the page request in a response manner in the related art to obtain the corresponding page content, which is not limited in this specification.
Step 204, when the page content involves a call to the preset type API, generating verification information applied to the page content.
In an embodiment, the preset type of API may include a privileged API, i.e. a system API whose encapsulated JS interface object performs a privileged operation, such as a file operation, a process operation or a registry operation. Of course, the preset type API may also include other predefined or specified types, which this specification does not limit.
In an embodiment, the verification information may comprise a random string generated for the page content. The random string may be unrelated to the page content; alternatively, it can be derived from the page content, for example by using the digital digest of the page content as the random seed and generating the verification information with a pseudo-random number generator from the related art, which increases the randomness of the verification information and prevents attackers from manipulating it.
Step 206, adding the verification information to the header of the page content and to the interface parameters of the calling function corresponding to the preset type API in the page content, respectively.
Step 208, returning the page content to the client.
In an embodiment, because the verification information is added both to the header of the page content and to the interface parameters of the calling function of the preset type API, a client that needs to use that calling function can read the verification information from each of the two locations and compare them: if the two pieces of verification information are consistent, the calling function of the preset type API is considered genuine and reliable, not an XSS vulnerability exploited by an attacker, and it is allowed to execute; if they are inconsistent, the calling function is considered abnormal, likely the result of an XSS vulnerability exploited by an attacker, and execution of the calling function is refused, avoiding the security risk.
In an embodiment, through the above verification information, the page response scheme of this specification protects against XSS vulnerabilities at the granularity of a single API, which is clearly finer than the code-segment granularity of the CSP mechanism in the related art and thus helps to achieve a higher level of protection.
In one embodiment, the verification information contained in the page content should be returned to the client as a literal value rather than as a variable, so that the client can read and use it directly to determine whether the security risk described above exists.
In one embodiment, the server has a corresponding digital identity, such as a public/private key pair of an asymmetric algorithm, where the server keeps the private key and the client embeds or otherwise obtains the public key. The server can sign information related to the page content with the private key and add the resulting signed information to the header of the page content, so that the client can verify the signature with the public key it holds: if verification succeeds, the page content received by the client really came from the server; if verification fails, the page content received by the client is abnormal and a man-in-the-middle hijacking attack is likely.
In an embodiment, the information related to the page content may include digital digest information of the page content, for example a hash value; this specification does not limit it.
Fig. 3 is a flow chart of a page request method provided by an exemplary embodiment. As shown in fig. 3, the method is applied to a client (such as the mobile phone 13, the PC14, etc. shown in fig. 1), and may include the following steps:
step 302, a page request is initiated to a server.
In an embodiment, the client may initiate the above page request to the server according to a request manner in the related art, which is not limited in this specification.
Step 304, parsing the page content returned by the server to obtain first check information contained in the header of the page content and second check information contained in the interface parameters of the calling function corresponding to the preset type API in the page content.
In an embodiment, the preset type of API may include a privileged API, i.e. a system API whose encapsulated JS interface object performs a privileged operation, such as a file operation, a process operation or a registry operation. Of course, the preset type API may also include other predefined or specified types, which this specification does not limit.
In an embodiment, the verification information may comprise a random string generated for the page content. The random string may be unrelated to the page content; alternatively, it can be derived from the page content, for example by using the digital digest of the page content as the random seed and generating the verification information with a pseudo-random number generator from the related art, which increases the randomness of the verification information and prevents attackers from manipulating it.
Step 306, allowing execution of the calling function corresponding to the preset type API when the first check information is consistent with the second check information.
In an embodiment, since the server adds the same check information to the header of the page content and to the interface parameters of the calling function of the preset type API, the client obtains the first check information from the header of the page content and the second check information from the interface parameters of the calling function: if the two pieces of check information are consistent, the calling function of the preset type API is considered genuine and reliable, not an XSS vulnerability exploited by an attacker, and it is allowed to execute; if they are inconsistent, the calling function is considered abnormal, likely the result of an XSS vulnerability exploited by an attacker, and execution of the calling function is refused, avoiding the security risk.
In an embodiment, since the server adds the same check information to the header of the page content and to the interface parameters of the calling function of the preset type API, the check may also be performed inside the calling function itself: when the client invokes the calling function of the preset type API, the calling function obtains the first check information and the second check information and compares them for consistency. When the two are consistent, the calling function is considered genuine and reliable, not an XSS vulnerability exploited by an attacker, and it runs normally; when they are inconsistent, the calling function is considered abnormal, likely exploited by an attacker, and it is stopped so that no security risk arises.
In an embodiment, through the above check information, the page request scheme of this specification protects against XSS vulnerabilities at the granularity of a single API, which is clearly finer than the code-segment granularity of the CSP mechanism in the related art and thus helps to achieve a higher level of protection.
In an embodiment, the check information included in the page content is a literal value rather than a variable, so that the client can read and use it directly to determine whether the security risk exists.
In one embodiment, the server has a corresponding digital identity, such as a public/private key pair of an asymmetric algorithm, where the server keeps the private key and the client embeds or otherwise obtains the public key. The server can sign information related to the page content with the private key and add the resulting signed information to the header of the page content. Accordingly, the client may obtain the signed information from the header of the page content. If the client determines that the signed information was produced by the server signing the information related to the page content with its own private key, signature verification is considered successful, indicating that the page content really came from the server. If the client determines that it was not, signature verification is considered failed, indicating that the received page content is abnormal, for example that the client has probably been hijacked by a man in the middle, and the client may generate an exception notification and/or force an exit.
In an embodiment, the information related to the page content may include digital digest information of the page content, for example a hash value; this specification does not limit it.
For ease of understanding, the page response scheme of this specification is described below using the interaction between the PC14 and the server 11 shown in fig. 1 as an example. The PC14 runs a client, which may for example include a browser for accessing pages, and the server 11 runs a server-side program through which it handles page requests from the client on the PC14; the technical solution of this disclosure ensures that the page is not subjected to an XSS vulnerability or a man-in-the-middle hijacking attack during the response process, improving security.
FIG. 4 is a schematic diagram of a page interaction process provided by an exemplary embodiment. As shown in fig. 4, the interaction process may include the steps of:
Step 401, the PC14 initiates a page request to the server 11.
In an embodiment, the PC14 may initiate a page request to the server 11 based on a request mechanism in the related art, which is not limited in this specification. For example, the page request may be initiated according to a URL entered by the user in the browser address bar, according to a web page link clicked by the user, and the like.
In step 402, the server 11 determines the corresponding page content according to the page request.
In an embodiment, the server 11 may determine the page content corresponding to the page request based on a response mechanism in the related art, which is not limited in this specification. In the related art, the server 11 may return the page content generated in step 402 directly to the PC14 as a response to the page request; in the technical solution of the present disclosure, the server 11 needs to implement the following processing to solve the security risk caused by the XSS vulnerability or man-in-the-middle hijack that may exist.
In step 403, the server 11 redirects the page content to the cache.
In one embodiment, the server 11 may cache the generated page content by redirecting the page content into a cache for subsequent processing.
In step 404, the server 11 adds nonces to the interface parameters of the privileged API call function in the page content.
In an embodiment, the server 11 may check whether a call to a privileged API is involved in the generated page content; for example, when a privileged API call function is included in the page content, the server 11 may determine that there is a call to the privileged API and generate the nonce described above.
In one embodiment, the nonce is information generated by the server 11 for performing the security check on the above page content; in general, the server 11 generates a different nonce for each page of content, so as to prevent attackers from manipulating it.
In one embodiment, the server 11 may generate a set of random numbers as the nonce using a random number generation algorithm from the related art. For example, the server 11 may compute a hash of the generated page content and use the resulting hash value as the random seed of a pseudo-random number generator from the related art; because the seed is the hash value of the page content, its value is highly unpredictable, so the generated random number has very high randomness and an attacker is prevented from manipulating the value of the nonce.
In an embodiment, the server 11 may add a nonce to the interface parameters of the privileged API call function, so that a one-to-one association relationship is generated between the nonce and the privileged API call function, so that in the subsequent verification process, it may be determined whether the privileged API call function is the function originally provided by the server 11 based on the value of the nonce. Of course, the server 11 may also establish an association between nonces and privileged API call functions in other ways, which is not limited by the present description.
In step 405, the server 11 writes the signature and nonce to the http header of the page content.
In an embodiment, two extension fields may be added to the HTTP header of the page content: a chksum field and a nonce field. The server 11 may generate an electronic signature associated with the page content and place it in the chksum field, and may place the nonce generated in the step above in the nonce field.
In an embodiment, the server 11 may perform hash calculation on the page content to obtain a corresponding hash value, further generate an electronic signature related to the hash value through a private key corresponding to the server 11, and then add the electronic signature to the chksum field.
In step 406, the server 11 returns the page content to the PC 14.
Step 407, the PC14 performs signature verification on the received page content.
In one embodiment, after receiving the page content returned by the server 11, the PC14 may read the electronic signature from the chksum field of the HTTP header and verify it with the public key of the server 11: if the electronic signature is determined to have been produced by signing the hash value of the page content with the private key of the server 11, signature verification passes; otherwise the PC14 may determine that the received page content did not really originate from the server 11, for example because of a man-in-the-middle hijacking attack, and may issue a warning or exit the current page directly.
Step 408, the PC14 performs nonce verification on the received page content.
In one embodiment, while the interpretation engine processes the page content, the PC14 may check whether the page content contains privileged API call functions; when one is found, the PC14 reads nonce1 from the interface parameters of that privileged API call function and nonce2 from the nonce field of the HTTP header of the page content, and compares nonce1 with nonce2: if the values are consistent, the PC14 may determine that the privileged API call function is reliable and allow the privileged call to be performed; if they are inconsistent, the PC14 may determine that the privileged API call function carries an XSS vulnerability risk, refuse to execute it, or exit the current page directly.
Fig. 5 is a schematic block diagram of an apparatus according to an exemplary embodiment. Referring to fig. 5, at the hardware level, the device includes a processor 502, an internal bus 504, a network interface 506, a memory 508, and a nonvolatile memory 510, although other hardware may be included as needed for other services. The processor 502 reads the corresponding computer program from the non-volatile memory 510 into the memory 508 and then runs, forming page response means on a logical level. Of course, in addition to software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Referring to fig. 6, in a software implementation, the page response device may include:
the acquiring unit 601 acquires corresponding page content according to a page request initiated by a client;
a generating unit 602, configured to generate verification information applied to the page content when the page content relates to a call to a preset type API;
a first adding unit 603, configured to add the verification information to a header of the page content and interface parameters of a calling function corresponding to the preset type API in the page content;
and a returning unit 604 for returning the page content to the client.
Optionally, the preset type API includes: privileged API.
Optionally, the verification information includes: a random string generated for the page content.
Optionally, the verification information is returned to the client in an original value form.
Optionally, the device further comprises:
a signature unit 605 that signs information related to the page content with a private key, wherein the client holds a public key corresponding to the private key;
the second adding unit 606 adds the generated signed information to the header of the page content.
Optionally, the information related to the page content includes: digital summary information of the page content.
Fig. 7 is a schematic block diagram of an apparatus according to an exemplary embodiment. Referring to fig. 7, at the hardware level, the device includes a processor 702, an internal bus 704, a network interface 706, a memory 708, and a non-volatile storage 710, although other hardware required by the service is possible. The processor 702 reads the corresponding computer program from the non-volatile memory 710 into the memory 708 and then runs to form the page requesting means at the logic level. Of course, in addition to software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Referring to fig. 8, in a software implementation, the page request device may include:
a request unit 801 for initiating a page request to a server;
the parsing unit 802 parses the page content returned by the server to obtain first verification information contained in a header of the page content and second verification information contained in an interface parameter of a calling function corresponding to a preset type API in the page content;
and a control unit 803 which allows execution of a calling function corresponding to the preset type API when the first check information is identical to the second check information.
Optionally, the preset type API includes: privileged API.
Optionally, the apparatus further comprises:
an acquiring unit 804, configured to acquire signed information included in a header of the page content;
and a processing unit 805 configured to generate an exception notification and/or force exit when it is determined that the signed information is not obtained by the server signing the information related to the page content by its private key.
Optionally, the information related to the page content includes: digital summary information of the page content.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (20)

1. A page response method, comprising:
acquiring corresponding page content according to a page request initiated by a client;
when the page content relates to the call of the preset type API, generating verification information applied to the page content according to the page content;
respectively adding the verification information into the head of the page content and the interface parameters of the calling function corresponding to the preset type API in the page content;
and returning the page content to the client so that the client compares first check information contained in the header of the received page content with second check information contained in interface parameters of a calling function corresponding to the preset type API in the received page content based on the received page content, and allows the calling function corresponding to the preset type API to be executed under the condition that the first check information is consistent with the second check information.
2. The method of claim 1, wherein the preset type API comprises: privileged API.
3. The method of claim 1, wherein the verification information comprises: a random string generated for the page content.
4. The method of claim 1, wherein the verification information is returned to the client in the form of an original value.
5. The method as recited in claim 1, further comprising:
signing information related to the page content through a private key, wherein the client holds a public key corresponding to the private key;
and adding the generated signed information to the head of the page content.
6. The method of claim 5, wherein the information related to the page content comprises: digital summary information of the page content.
7. A method of requesting a page, comprising:
initiating a page request to a server;
analyzing the page content returned by the server to acquire first check information contained in the head of the page content and second check information contained in interface parameters of calling functions corresponding to the preset type API in the page content;
allowing execution of a calling function corresponding to the preset type API when the first check information is consistent with the second check information; consistency of the first check information with the second check information indicates that the check information was generated by the server according to the page content and added to the header of the page content and to the interface parameter respectively.
8. The method of claim 7, wherein the preset type API comprises: privileged API.
9. The method as recited in claim 7, further comprising:
acquiring signed information contained in the head of the page content;
and when the signed information is determined not to be obtained by signing the information related to the page content through the private key of the server side, generating an abnormal notification and/or forcible exit.
10. The method of claim 9, wherein the information related to the page content comprises: digital summary information of the page content.
11. A page response device, comprising:
the acquisition unit acquires corresponding page content according to a page request initiated by the client;
the generation unit is used for generating verification information applied to the page content according to the page content when the page content relates to call of a preset type API;
the first adding unit is used for respectively adding the verification information into the head of the page content and the interface parameters of the calling function corresponding to the preset type API in the page content;
and a return unit for returning the page content to the client so that the client compares first check information contained in the header of the received page content with second check information contained in interface parameters of a calling function corresponding to the preset type API in the received page content based on the received page content, and allows the calling function corresponding to the preset type API to be executed if the first check information is consistent with the second check information.
12. The apparatus of claim 11, wherein the preset type API comprises: privileged API.
13. The apparatus of claim 11, wherein the verification information comprises: a random string generated for the page content.
14. The apparatus of claim 11, wherein the verification information is returned to the client in an original value form.
15. The apparatus as recited in claim 11, further comprising:
the signature unit is used for signing the information related to the page content through a private key, wherein the client holds a public key corresponding to the private key;
and a second adding unit for adding the generated signed information to the head of the page content.
16. The apparatus of claim 15, wherein the information related to the page content comprises: digital summary information of the page content.
17. A page requesting device, comprising:
a request unit for initiating a page request to a server;
the analysis unit analyzes the page content returned by the server to acquire first check information contained in the head of the page content and second check information contained in interface parameters of calling functions corresponding to the preset type API in the page content;
a control unit that allows execution of a calling function corresponding to the preset type API when the first check information is consistent with the second check information; consistency of the first check information with the second check information indicates that the check information was generated by the server according to the page content and added to the header of the page content and to the interface parameter respectively.
18. The apparatus of claim 17, wherein the preset type API comprises: privileged API.
19. The apparatus as recited in claim 17, further comprising:
an acquisition unit that acquires signed information contained in a header of the page content;
and the processing unit is used for generating an abnormal notification and/or forcible exit when the signed information is determined not to be obtained by the server through signing the information related to the page content by the private key of the server.
20. The apparatus of claim 19, wherein the information related to the page content comprises: digital summary information of the page content.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811426578.8A CN111222130B (en) 2018-11-27 2018-11-27 Page response method, page request method and page request device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811426578.8A CN111222130B (en) 2018-11-27 2018-11-27 Page response method, page request method and page request device

Publications (2)

Publication Number Publication Date
CN111222130A CN111222130A (en) 2020-06-02
CN111222130B CN111222130B (en) 2023-10-03

Family

ID=70832027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811426578.8A Active CN111222130B (en) 2018-11-27 2018-11-27 Page response method, page request method and page request device

Country Status (1)

Country Link
CN (1) CN111222130B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
JP2009026010A (en) * 2007-07-18 2009-02-05 Yahoo Japan Corp Content distribution device, content distribution control method, and content distribution control program
CN101997880A (en) * 2010-12-01 2011-03-30 湖南智源信息网络技术开发有限公司 Method and device for verifying security of network page or interface
CN103067343A (en) * 2011-10-21 2013-04-24 阿里巴巴集团控股有限公司 Method and system for preventing tampering of usage of ActiveX control
CN103401836A (en) * 2013-07-01 2013-11-20 北京卓易讯畅科技有限公司 Method and device used for judging whether webpage is hijacked by ISP (internet service provider) or not
US8677481B1 (en) * 2008-09-30 2014-03-18 Trend Micro Incorporated Verification of web page integrity
CN103873493A (en) * 2012-12-10 2014-06-18 腾讯科技(深圳)有限公司 Method, device and system for page information verification
CN104239577A (en) * 2014-10-09 2014-12-24 北京奇虎科技有限公司 Method and device for detecting authenticity of webpage data
CN104301331A (en) * 2014-10-31 2015-01-21 北京思特奇信息技术股份有限公司 Service interface permissions validation method and device
CN105100242A (en) * 2015-07-24 2015-11-25 北京奇虎科技有限公司 Data processing method and system
US9426171B1 (en) * 2014-09-29 2016-08-23 Amazon Technologies, Inc. Detecting network attacks based on network records
CN106033511A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Method and device for preventing website data from leaking
CN106330818A (en) * 2015-06-17 2017-01-11 腾讯科技(深圳)有限公司 Method and system for protecting client embedded webpage
CN106412024A (en) * 2016-09-07 2017-02-15 网易无尾熊(杭州)科技有限公司 Page acquisition method and device
CN106681926A (en) * 2017-01-05 2017-05-17 网易(杭州)网络有限公司 Method and device for testing webpage performances
CN107315948A (en) * 2016-04-26 2017-11-03 阿里巴巴集团控股有限公司 Data calling method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A Fragile Watermarking Scheme Based on Hash Function for Web Pages; Zulin Zhang et al.; 2011 International Conference on Network Computing and Information Security; pp. 417-420 *
Research on Anti-Tampering Technology for Network Terminal Code; Zhu Yi; China Master's Theses Full-text Database; Information Science and Technology, I139-49 *
Design and Implementation of a Web Page Anti-Scraping System; Tang Huadong; China Master's Theses Full-text Database; Information Science and Technology, I139-233 *

Also Published As

Publication number Publication date
CN111222130A (en) 2020-06-02

Similar Documents

Publication Publication Date Title
US10936727B2 (en) Detection of second order vulnerabilities in web services
CN112333198B (en) Secure cross-domain login method, system and server
US11805129B2 (en) Fictitious account generation on detection of account takeover conditions
US9191411B2 (en) Protecting against suspect social entities
US9325731B2 (en) Identification of and countermeasures against forged websites
CN107852412B (en) System and method, computer readable medium for phishing and brand protection
US9578004B2 (en) Authentication of API-based endpoints
US10176318B1 (en) Authentication information update based on fraud detection
US20160004855A1 (en) Login using two-dimensional code
US11770385B2 (en) Systems and methods for malicious client detection through property analysis
JP2010508588A (en) Detection and prevention of artificial intermediate phishing attacks
CN111163095B (en) Network attack analysis method, network attack analysis device, computing device, and medium
US20190222587A1 (en) System and method for detection of attacks in a computer network using deception elements
WO2015109912A1 (en) Buffer overflow attack detection device and method and security protection system
WO2014114127A1 (en) Method, apparatus and system for webpage access control
GB2555384A (en) Preventing phishing attacks
CN113704211B (en) Data query method and device, electronic equipment and storage medium
US20140208385A1 (en) Method, apparatus and system for webpage access control
US11496511B1 (en) Systems and methods for identifying and mitigating phishing attacks
CN111222130B (en) Page response method, page request method and page request device
Hutchinson et al. Forensic analysis of spy applications in android devices
CN116484338A (en) Database access method and device
CN112953958B (en) Crawler detection method and device and electronic equipment
CN111046440B (en) Tamper verification method and system for secure area content
Al-Rousan et al. A New Security Model for Web Browser Local Storage

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant