CN112039913A - Server API calling method, device and storage medium - Google Patents


Info

Publication number: CN112039913A
Application number: CN202010929536.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李虎, 曾毅峰, 刘佳利, 韩伟伟
Current assignee: Shanghai Pudong Development Bank Co Ltd
Original assignee: Shanghai Pudong Development Bank Co Ltd
Prior art keywords: api, calling, server, access request, client

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network security: detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols

Abstract

The invention relates to a method, a device and a storage medium for calling a server-side API (application programming interface). The method comprises the following steps: the client sends an API access request; the server receives the API access request and parses it to obtain the corresponding parsed data; whether a repeated calling event exists is judged according to the parsed data, and if so, the API calling process is terminated and corresponding warning information is returned to the client; otherwise, API calling information is set based on the expiration time in the configuration file, the server-side API is called, and the calling result is returned to the client. Compared with the prior art, the method and device combine a redis transaction with a lua script to perform an idempotency check on the API, which effectively prevents malicious repeated operations by an attacker and ensures the security of the data.

Description

Server API calling method, device and storage medium
Technical Field
The invention relates to the technical field of Internet API security, in particular to a server-side API calling method, a server-side API calling device and a storage medium.
Background
Kong is an API gateway that forwards API traffic between clients and (micro)services, extends its functionality primarily through plug-ins, and has two main components:
1. Kong Server, an nginx-based server used to receive API requests.
2. Apache Cassandra, used to store operational data.
In practice, a user can scale Kong horizontally by running multiple Kong Server machines and distributing requests to them through a load balancer placed in front; two Cassandra nodes are sufficient for most cases, and adding more nodes is only considered necessary when the network is very congested.
One of the most attractive features of Kong for the open-source community is that existing functions can be extended by plug-ins, written in Lua, that execute during the life cycle of the API request/response loop. Kong also provides several basic functions: HTTP basic authentication, key authentication, CORS, TCP, UDP, file logging, API request throttling, request forwarding, and nginx monitoring. To secure API calls, a message is currently usually signed by means of Kong's HMAC mechanism so that it cannot be modified by anyone in transit: a MAC algorithm is run over the message to obtain a digest string, the receiver performs the same calculation after obtaining the message, and the two MAC strings are compared for consistency to ensure the security of the data and prevent replay attacks. However, in practice, if an attacker obtains the client's request information, the attacker can repeatedly invoke the interface within a certain time window, which creates a security risk in the API calling process.
Disclosure of Invention
The present invention aims to overcome the above drawbacks of the prior art by providing a method, an apparatus and a storage medium for calling a server-side API that can prevent malicious repeated operations by an attacker and guarantee the security of data.
The purpose of the invention is achieved by the following technical scheme. A server-side API calling method comprises the following steps:
S1, the client sends an API access request;
S2, the server receives the API access request and parses it to obtain the corresponding parsed data;
S3, whether a repeated calling event exists is judged according to the parsed data; if so, step S4 is executed, otherwise step S5 is executed;
S4, the API calling process is terminated and corresponding warning information is returned to the client;
S5, API calling information is set based on the expiration time in the configuration file, the server-side API is called, and the calling result is returned to the client.
Further, the specific process of step S1 is as follows: the client sends an API access request and sets a unique value in the request header.
Further, step S2 specifically includes the following steps:
S21, the server receives the API access request;
S22, the API access request is parsed to obtain the unique value in the request header, which is the parsed data.
Further, step S3 checks idempotency to determine whether a repeated calling event exists.
Further, step S3 specifically includes the following steps:
S31, a lua script is used to judge whether the unique value already exists in the redis transaction;
S32, if yes, a repeated calling event exists, and step S4 is executed;
S33, if not, no repeated calling event exists, and step S5 is executed.
Further, the warning message in step S4 is specifically "do not need to be repeatedly submitted".
Further, step S5 specifically includes the following steps:
S51, the expiration time is obtained from the configuration file;
S52, the corresponding API calling information is set in the redis transaction according to the expiration time;
S53, the server-side API is called according to the set API calling information, and the calling result is returned to the client.
Further, the API calling information includes the unique value and its time-to-live.
A server-side API calling apparatus comprises:
a receiving module, used to receive an API access request sent by a client;
a parsing module, used to parse the received API access request to obtain parsed data;
a processing module, used to judge whether a repeated calling event exists according to the parsed data and to set the corresponding API calling information according to the expiration time in the configuration file;
and a calling module, used to call the corresponding server-side API according to the API calling information.
A storage medium has stored thereon a computer program which, when executed by a processor, implements a server-side API calling method as claimed in any one of the preceding claims.
Compared with the prior art, a unique value is set in the header of the API access request sent by the client, and a redis transaction combined with a lua script is used to judge whether that unique value already exists in the redis transaction, which realizes the idempotency check of the API. Even if an attacker obtains the client's request information, the interface cannot be called repeatedly; that is, malicious repeated operations by the attacker are prevented, repeated-call attacks on the interface are avoided, and the security of data is effectively ensured.
Drawings
FIG. 1 is a schematic flow diagram of the method of the present invention;
FIG. 2 is a schematic flow chart of an embodiment;
FIG. 3 is a schematic structural diagram of an API calling apparatus according to the present invention.
The reference numerals in the figure are: 201, receiving module; 202, parsing module; 203, processing module; 204, calling module.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
Examples
As shown in FIG. 1, a method for calling a server-side API includes the following steps:
S1, the client sends an API access request and sets a unique value in the API access request header;
S2, the server receives the API access request and parses it to obtain the corresponding parsed data, which is the unique value in the API access request header;
S3, according to the parsed data, an idempotency check determines whether a repeated calling event exists; if so, step S4 is executed, otherwise step S5 is executed. Specifically:
a lua script is used to judge whether the unique value already exists in the redis transaction;
if yes, a repeated calling event exists, and step S4 is executed;
if not, no repeated calling event exists, and step S5 is executed;
S4, the API calling process is terminated and corresponding warning information is returned to the client; in this embodiment the warning information is set to "don't repeat submission";
S5, based on the expiration time in the configuration file, API calling information is set in the redis transaction, the server-side API is called, and the calling result is returned to the client, where the API calling information comprises the unique value and its time-to-live.
This embodiment applies the method as follows; the specific application flow is shown in FIG. 2:
the client transmits a unique value key in the request header;
the server obtains the unique value key from the request header and then checks idempotency against the redis transaction using lua: the lua script judges whether the unique value key already exists in the redis transaction, and if so, the server returns a "no repeated submission" response to the client;
if the unique value key does not exist, the server obtains the expiration time from the configuration file, sets the unique value key and its time-to-live in the redis transaction, then calls the server-side API and returns the calling result to the client.
The embodiment of the invention also provides a server-side API calling apparatus, which comprises a receiving module 201, a parsing module 202, a processing module 203 and a calling module 204 connected in sequence, where the input of the receiving module 201 is connected to the client and the output of the calling module 204 is connected to the client. Specifically, the receiving module 201 is used to receive an API access request sent by the client;
the parsing module 202 is configured to parse the received API access request to obtain parsed data;
the processing module 203 is configured to judge whether a repeated calling event exists according to the parsed data, and to set the corresponding API calling information according to the expiration time in the configuration file;
and the calling module 204 is used to call the corresponding server-side API according to the API calling information.
Another embodiment of the present invention also provides a storage medium storing computer-readable instructions which, when executed by one or more processors, enable the one or more processors to execute the above server-side API calling method.
In summary, the present invention uses redis + lua to ensure the idempotency of the API, which provides security assurance for data and effectively prevents malicious repeated operations by an attacker. For example, when a user needs to perform a refund operation, a unique value is set in the request header sent by the client, and the server checks whether the unique value exists in the redis transaction, that is, performs the idempotency check of the refund API. If the check succeeds, that is, the unique value does not exist in the redis transaction, the subsequent refund flow is executed; if the check fails, that is, the unique value already exists in the redis transaction, a repeated call has occurred. In this way repeated-call attacks by an attacker are prevented and the security of API calling is improved.
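The S1-S5 flow above, and the refund scenario in the summary, as an added example that is not the patent's own code: the unique value arrives in a request header, a Lua script does the check-and-set in redis atomically with a time-to-live taken from configuration, a repeat gets the S4 warning, and the API runs only once. Redis is replaced by an in-memory stub so the example runs offline; the header name `X-Idempotency-Key`, the `idem:` key prefix and the config values are assumptions.

```python
"""Idempotency guard following the S1-S5 flow of CN112039913A.

Added example, not the patent's own code. Redis is replaced by an in-memory
stub so it runs offline; IDEMPOTENT_LUA is what would be loaded into real redis.
"""
import time

# Lua script executed atomically by redis (EVAL): KEYS[1] = unique value,
# ARGV[1] = time-to-live in seconds. Returns 1 if the key was newly set (first
# call) and 0 if it already existed (repeated call). Doing EXISTS and SET as
# two separate round trips from the application would be a race: two copies
# of the same request could both pass the check before either sets the key.
IDEMPOTENT_LUA = """
if redis.call('EXISTS', KEYS[1]) == 1 then
    return 0
end
redis.call('SET', KEYS[1], '1', 'EX', tonumber(ARGV[1]))
return 1
"""


class FakeRedis:
    """Minimal in-memory stand-in for the redis calls the script needs."""

    def __init__(self, clock=time.monotonic):
        self._store = {}      # key -> expiry timestamp
        self._clock = clock   # injectable so expiry can be tested offline

    def _purge_expired(self):
        now = self._clock()
        for key in [k for k, exp in self._store.items() if exp <= now]:
            del self._store[key]

    def check_and_set(self, key, ttl_seconds):
        """Single atomic step equivalent to EVAL IDEMPOTENT_LUA 1 key ttl."""
        self._purge_expired()
        if key in self._store:
            return 0
        self._store[key] = self._clock() + ttl_seconds
        return 1


WARNING = "don't repeat submission"          # step S4 warning text from the page
CONFIG = {"idempotency_ttl_seconds": 300}    # constructed config-file value
HEADER = "X-Idempotency-Key"                 # assumed header carrying the unique value


def handle_request(headers, redis, api_fn, config=CONFIG):
    """Steps S2-S5: parse the unique value, check idempotency, reject or call."""
    unique_value = headers.get(HEADER)
    if not unique_value:
        # A request without the unique value cannot be de-duplicated; reject it
        # rather than silently skipping the check.
        return {"ok": False, "warning": "missing unique value"}
    ttl = config["idempotency_ttl_seconds"]
    if redis.check_and_set("idem:" + unique_value, ttl) == 0:
        return {"ok": False, "warning": WARNING}         # S4: repeated call
    return {"ok": True, "result": api_fn()}              # S5: call the API once


def demo():
    """Refund scenario from the summary; returns both outcomes and the call count."""
    calls = []

    def refund():
        calls.append("refund")
        return "refunded"

    r = FakeRedis()
    hdr = {HEADER: "order-42-refund"}          # constructed unique value
    first = handle_request(hdr, r, refund)
    second = handle_request(hdr, r, refund)    # replay of the same request
    return first, second, len(calls)


if __name__ == "__main__":
    print(demo())
```

The guard only helps if the unique value is inside the HMAC-signed message described in the Background; a value outside the signature could simply be changed on a replayed request.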

Claims (10)

1. A server-side API calling method, characterized by comprising the following steps:
S1, the client sends an API access request;
S2, the server receives the API access request and parses it to obtain corresponding parsed data;
S3, whether a repeated calling event exists is judged according to the parsed data; if so, step S4 is executed, otherwise step S5 is executed;
S4, the API calling process is terminated and corresponding warning information is returned to the client;
S5, API calling information is set based on the expiration time in the configuration file, the server-side API is called, and the calling result is returned to the client.
2. The server-side API calling method according to claim 1, wherein the specific process of step S1 is as follows: the client sends an API access request and sets a unique value in the request header.
3. The server-side API calling method according to claim 2, wherein step S2 specifically includes the following steps:
S21, the server receives the API access request;
S22, the API access request is parsed to obtain the unique value in the request header, which is the parsed data.
4. The method as claimed in claim 3, wherein step S3 is implemented by checking idempotency to determine whether a repeated calling event exists.
5. The server-side API calling method according to claim 4, wherein step S3 specifically includes the following steps:
S31, a lua script is used to judge whether the unique value already exists in the redis transaction;
S32, if yes, a repeated calling event exists, and step S4 is executed;
S33, if not, no repeated calling event exists, and step S5 is executed.
6. The method as claimed in claim 1, wherein the warning message in step S4 is "don't repeat submission".
7. The server-side API calling method according to claim 2, wherein step S5 specifically includes the following steps:
S51, the expiration time is obtained from the configuration file;
S52, the corresponding API calling information is set in the redis transaction according to the expiration time;
S53, the server-side API is called according to the set API calling information, and the calling result is returned to the client.
8. The server-side API calling method of claim 2, wherein the API calling information includes the unique value and its time-to-live.
9. A server-side API calling apparatus, comprising:
a receiving module 201, configured to receive an API access request sent by a client;
a parsing module 202, configured to parse the received API access request to obtain parsed data;
a processing module 203, configured to judge whether a repeated calling event exists according to the parsed data, and to set the corresponding API calling information according to the expiration time in the configuration file;
and a calling module 204, used to call the corresponding server-side API according to the API calling information.
10. A storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the server-side API calling method according to any one of claims 1 to 8.
Priority and publication

Application number: CN202010929536.7A
Title: Server API calling method, device and storage medium
Priority date: 2020-09-07
Filing date: 2020-09-07
Publication number: CN112039913A (en)
Publication date: 2020-12-04
Family ID: 73584106
Country status: CN, pending


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201204