CN114884730A - Request detection method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN114884730A
Authority
CN
China
Legal status
Granted
Application number
CN202210492914.9A
Other languages
Chinese (zh)
Other versions
CN114884730B (en)
Inventor
伍光兴
张志良
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210492914.9A
Publication of CN114884730A
Application granted
Publication of CN114884730B
Legal status: Active

Classifications

    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G06F 16/9566 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]; URL specific, e.g. using aliases, detecting broken or misspelled links
    • H04L 63/0236 Network security for separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/101 Controlling access to devices or network resources; access control lists [ACL]
    • H04L 63/1416 Detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L 69/22 Network arrangements, protocols or services independent of the application payload; parsing or analysis of headers


Abstract

The application discloses a request detection method, a request detection device, request detection equipment and a readable storage medium. After acquiring a target request from an intranet terminal for accessing a target end, a security detection device sends the intranet terminal a response message for that target request. The intranet terminal executes the detection script carried in the response message to obtain a target field that represents browser information and is encapsulated in the request header, and sends a detection request to the security detection device with the target field as a URL parameter. The security detection device parses the detection request to obtain both the target field (from the URL) and the header field of the detection request, and compares the two to determine whether to allow the access request of the intranet terminal. In this way, the various access requests sent by intranet terminals are subjected to security detection in a unified manner, the security protection of the intranet is strengthened, and intranet security is improved. The application also provides a request detection device, equipment and a readable storage medium having the same technical effects.

Description

Request detection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a request detection method, apparatus, device, and readable storage medium.
Background
Currently, a security gateway can be used to protect an intranet. In practice, the requests sent by an intranet terminal may be tampered with, and because the destination ends accessed by intranet terminals are varied and each has its own detection method, it is difficult for the security gateway to integrate the request detection methods of all destination ends, and therefore difficult for it to detect the requests sent by the intranet terminal; this reduces intranet security.
How to strengthen the security protection of an intranet is therefore a problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a request detection method, apparatus, device and readable storage medium that strengthen the security protection of an intranet. The specific scheme is as follows:
In a first aspect, the present application provides a request detection method applied to a security detection device, including:
acquiring a target request of an intranet terminal for accessing a target end;
sending a response message for the target request to the intranet terminal, the response message including a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL (uniform resource locator) parameter;
parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain a header field contained in the detection request;
and comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result.
Optionally, the method further includes:
if the target request meets a preset detection condition, executing the step of sending the response message for the target request to the intranet terminal;
where the preset detection condition is a condition ensuring that the response message can be acted on by the intranet terminal.
Optionally, the preset detection condition includes: the resource requested by the target request is a script resource, and/or the User-Agent field in the target request is known, and/or the target request carries a referrer field, and/or the target end is a Web master station.
Optionally, the intranet terminal encrypts the target field and uses the ciphertext of the target field as the URL parameter;
correspondingly, parsing the URL of the detection request to obtain the target field includes:
parsing the URL of the detection request to obtain the ciphertext of the target field, and decrypting the ciphertext to obtain the target field.
Optionally, the detection script is further configured to, when executed, cause the intranet terminal to obtain the original target request and send it again after sending the detection request;
correspondingly, comparing the target field with the header field to obtain a comparison result and determining whether to allow the access request of the intranet terminal according to the comparison result includes:
comparing the target field with the header field to obtain a comparison result, and determining whether to release the subsequently received target request according to the comparison result.
Optionally, comparing the target field with the header field to obtain a comparison result and determining whether to allow the access request of the intranet terminal according to the comparison result includes:
if the target field is consistent with the header field, allowing the access request of the intranet terminal;
and if the target field is inconsistent with the header field, not allowing the access request of the intranet terminal.
Optionally, after allowing the access request of the intranet terminal, the method further includes:
adding the IP address of the intranet terminal to a trusted list;
correspondingly, after not allowing the access request of the intranet terminal, the method further includes:
blocking the IP address of the intranet terminal.
In another aspect, the present application provides a request detection apparatus applied to a security detection device, including:
an acquisition module for acquiring a target request of an intranet terminal for accessing a target end;
a sending module for sending a response message for the target request to the intranet terminal, the response message including a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL (uniform resource locator) parameter;
a parsing module for parsing the URL of the detection request to obtain the target field and parsing the detection request to obtain the header field contained in the detection request;
and a detection module for comparing the target field with the header field to obtain a comparison result and determining whether to allow the access request of the intranet terminal according to the comparison result.
In yet another aspect, the present application provides an electronic device comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the request detection method disclosed in the foregoing.
In yet another aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the request detection method disclosed in the foregoing.
In summary, the application provides a request detection method applied to a security detection device, including the following steps: acquiring a target request of an intranet terminal for accessing a target end; sending a response message for the target request to the intranet terminal, the response message including a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL (uniform resource locator) parameter; parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain a header field contained in the detection request; and comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result.
The target request of an intranet terminal for accessing a target end can therefore be detected by the security detection device. Specifically, when the security detection device obtains a target request of the intranet terminal for accessing the target end, it sends a response message for that target request to the intranet terminal. Because the response message contains the detection script, the intranet terminal executes it to obtain a target field that represents browser information and is encapsulated in the request header, and then sends a detection request to the security detection device with the target field as a URL parameter. The security detection device parses the URL of the detection request to obtain the target field, parses the detection request to obtain the header field it contains, compares the two to obtain a comparison result, and determines whether to allow the access request of the intranet terminal according to that result; in this way the security detection device performs security detection on the target request. Under this scheme the request detection methods of the individual destination ends do not need to be integrated: the various access requests sent by intranet terminals are subjected to security detection in a unified manner, so the security protection of the intranet is strengthened and intranet security is improved.
Accordingly, the request detection apparatus, device and readable storage medium provided by the application have the same technical effects.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a request detection method disclosed herein;
FIG. 2 is a flow chart of another request detection method disclosed herein;
FIG. 3 is a schematic diagram of a request detection scheme disclosed herein;
FIG. 4 is a flow chart of a request detection system disclosed herein;
FIG. 5 is a schematic view of an IP management page disclosed herein;
FIG. 6 is a schematic diagram of a request detection apparatus disclosed herein;
FIG. 7 is a schematic diagram of an electronic device disclosed herein;
FIG. 8 is a schematic view of another electronic device disclosed herein.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, the requests sent by intranet terminals may be tampered with, and because the destination ends accessed by intranet terminals are varied and each has its own detection method, it is difficult for the security gateway to integrate the request detection methods of the destination ends and hence to detect the requests sent by intranet terminals, which reduces intranet security. The application therefore provides a request detection scheme that can detect the various access requests sent by an intranet terminal and strengthen the security protection of the intranet.
Referring to FIG. 1, an embodiment of the present application discloses a request detection method applied to a security detection device, including:
S101, acquiring a target request of an intranet terminal for accessing a target end.
In this embodiment, the security detection device may be a gateway device or another device that performs security protection for the intranet. The target request may be an HTTP (Hyper Text Transfer Protocol) request.
S102, sending a response message for the target request to the intranet terminal; the response message contains a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in the request header, and sends a detection request to the security detection device with the target field as a URL parameter.
The target field obtained when the intranet terminal executes the detection script must satisfy two conditions: (1) it represents information about the browser the terminal used to send the target request; (2) it can be encapsulated in the header of the target request. When both conditions hold, the header of any request sent by the intranet terminal with that browser contains the target field. The intranet terminal then uses the target field as a URL parameter, so in the detection request sent to the security detection device the target field appears both in the header field and in the URL parameter carried as payload. Because the target field in the URL parameter is a local browser parameter obtained by executing the detection script on the intranet terminal, if the target field in the header of the detection request is consistent with the target field in the URL parameter, the detection request was not tampered with on its way from the intranet terminal to the security detection device; otherwise, it was tampered with in transit. This in turn shows whether HTTP requests issued by that browser on the terminal reach the security detection device directly, without being intercepted or tampered with.
In one embodiment, the detection script in the response message is data prepared by this embodiment that impersonates the response to the target request. The detection script therefore needs to match the resource requested by the target request, so that the intranet terminal accepts the response message and the terminal side executes the script. The preset detection condition can thus be used to judge whether the resource requested by the target request matches the detection script: if it does not, the terminal side cannot execute the script, so the request is released directly without the subsequent detection steps; if the target request meets the preset detection condition, the step of sending the response message for the target request to the intranet terminal is executed, followed by the subsequent steps. The preset detection condition is a condition ensuring that the response message can be acted on by the intranet terminal, for example: judging whether the resource requested by the target request matches the detection script.
In one embodiment, if the resource requested by the target request is a script resource, the requested resource is considered to match the detection script. Thus, in one embodiment, the match between the requested resource and the detection script is determined as follows: if the resource requested by the target request is a script resource, it matches the detection script; the script resources include at least one or a combination of: js resources and html resources.
Since this embodiment detects HTTP requests, the preset detection condition further judges: whether the User-Agent field in the target request is known, whether the target request carries a referrer field, and whether the target end is a Web master station; the detection condition is considered met only if at least one of these three items is yes.
The target request therefore satisfies the preset detection condition when: the resource requested by the target request matches the detection script, and the User-Agent field in the target request is known, and/or the target request carries a referrer field, and/or the target end is a Web master station. Accordingly, the target request does not satisfy the preset detection condition when: the resource requested by the target request does not match the detection script, or the User-Agent field in the target request is unknown, and/or the target request does not carry a referrer field, and/or the target end is not a Web master station. In a specific embodiment, the method further includes: if the target request does not meet the preset detection condition, releasing the target request.
S103, parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain the header field contained in the detection request.
Note that the function of the detection script is to obtain, on the intranet terminal, information about the browser used to send the HTTP request. If the HTTP request sent by the intranet terminal is tampered with on its way to the security detection device, then when the request reaches the security detection device its header information may differ from the local browser information of the terminal. Conversely, if the original request sent by the intranet terminal is not tampered with in transit, the target request obtained by the security detection device is the original request sent by the intranet terminal.
In this embodiment, to detect whether the target request acquired by the security detection device is the original request sent by the intranet terminal, the intranet terminal executes the detection script to obtain its local browser information. Since the browser information in the header field of a request changes correspondingly when the request is tampered with, whether the request has been tampered with can be detected simply by checking whether the header field of the request contains the terminal's local browser information.
Therefore, after the intranet terminal executes the detection script and obtains the target field that represents browser information and can be encapsulated in the request header, the detection script makes the intranet terminal send a detection request (still an HTTP request) that carries the target field as payload. If the header field in the detection request is consistent with the target field carried as payload in that same request, the detection request was not tampered with on the transmission path from the intranet terminal to the security detection device.
Since the header fields of an HTTP request include the User-Agent field, the referrer field, the identification information of the target end, and so on, the target field that represents browser information and can be encapsulated in the request header can be selected from the header fields of the HTTP request for the subsequent comparison. The target field is used as a URL parameter in the detection request; the URL itself may be the same as the URL in the target request or may be designated at random. The User-Agent field contains a characteristic string by which the peer of the network protocol identifies the application type, operating system, software vendor and version number of the user agent software that initiated the request, and this is the browser information.
The header fields of an HTTP request can indicate the identity information of the browser (for example its version), the address and port of the web server, and so on. The browser and the web server being accessed can thus be identified from header fields; for example, the features supported by the client's browser are determined from the User-Agent field so as to improve the user experience, and whether the User-Agent type under a certain IP address changes is determined by counting the number of User-Agent types under that IP address, from which the presence of unsafe network-sharing behaviour can be inferred.
S104, comparing the target field with the header field to obtain a comparison result, and determining whether to allow the access request of the intranet terminal according to the comparison result.
In a specific embodiment, the intranet terminal encrypts the target field and uses the ciphertext of the target field as the URL parameter; correspondingly, parsing the URL of the detection request to obtain the target field includes: parsing the URL of the detection request to obtain the ciphertext of the target field, and decrypting the ciphertext to obtain the target field. Because the URL parameter (that is, the target field) in the detection request exists in ciphertext form, it can be guaranteed not to be tampered with. Comparing the target field with the header field to obtain a comparison result and determining whether to allow the access request of the intranet terminal according to the comparison result includes: if the target field is consistent with the header field, allowing the access request of the intranet terminal; and if the target field is inconsistent with the header field, not allowing the access request of the intranet terminal.
In a specific embodiment, after the access request of the intranet terminal is allowed, the method further includes: adding the IP address of the intranet terminal to a trusted list; correspondingly, after the access request of the intranet terminal is not allowed, the method further includes: blocking the IP address of the intranet terminal.
The security detection device may lose the target request acquired in step S101 during the detection process. If so, the intranet terminal can send the request for accessing the target end once more, and the security detection device determines whether to release or intercept the newly received request according to the comparison result. Of course, if the security detection device has not lost the target request acquired in step S101, it can decide directly from the comparison result whether to release or intercept that request. In one embodiment, the detection script is further configured to, when executed, make the intranet terminal obtain the original target request and send it again after sending the detection request; correspondingly, comparing the target field with the header field to obtain a comparison result and determining whether to allow the access request of the intranet terminal according to the comparison result includes: comparing the target field with the header field to obtain a comparison result, and determining whether to release the subsequently received target request according to the comparison result.
This embodiment can therefore detect the target request of an intranet terminal for accessing a target end by means of the security detection device. Specifically, when the security detection device obtains a target request of the intranet terminal for accessing the target end, it sends a response message for that target request to the intranet terminal. Because the response message contains the detection script, the intranet terminal executes it to obtain a target field that represents browser information and is encapsulated in the request header, and then sends a detection request to the security detection device with the target field as a URL parameter. The security detection device parses the URL of the detection request to obtain the target field, parses the detection request to obtain the header field it contains, compares the two to obtain a comparison result, and determines whether to allow the access request of the intranet terminal according to that result; in this way the security detection device performs security detection on the target request. Under this scheme the request detection methods of the individual destination ends do not need to be integrated: the various access requests sent by intranet terminals are subjected to security detection in a unified manner, so the security protection of the intranet is strengthened and intranet security is improved.
Referring to FIG. 2, an embodiment of the present application discloses another request detection method, applied to an intranet terminal, including:
S201, sending a target request for accessing a target end to a security detection device, so that the security detection device sends a response message for the target request to the intranet terminal; the response message includes a detection script.
S202, executing the detection script to obtain a target field that represents browser information and is encapsulated in a request header.
In one embodiment, executing the detection script to obtain the target field that represents browser information and is encapsulated in the request header includes: executing the detection script to obtain the target field through the environment variable location.
S203, sending a detection request to the security detection device with the target field as a URL parameter, so that the security detection device parses the URL of the detection request to obtain the target field and parses the detection request to obtain the header field contained in the detection request, compares the target field with the header field to obtain a comparison result, and determines whether to allow the access request of the intranet terminal according to the comparison result.
In this embodiment, the detection request is an HTTP detection packet that the detection script directs the intranet terminal to construct, and it is used to detect whether the HTTP request has been tampered with; the detection request is itself an HTTP request. To prevent the target field in the detection request from being tampered with in transit, the ciphertext of the target field is filled into the URL of the detection request as a parameter. In one embodiment, before the detection request is sent to the security detection device, the method includes: encrypting the target field to obtain a ciphertext, and filling the ciphertext into the URL used for detection as a parameter to obtain the detection request. In one embodiment, the URL used for detection is the URL extracted from the request sent by the intranet terminal, or a randomly designated URL.
In a specific embodiment, when the intranet terminal executes the detection script, it starts a timer; when the timer expires, the intranet terminal sends the target request to the security detection device again, so that the security detection device can pass or intercept the newly received target request according to the comparison result. The timer duration should not be less than the total time the intranet terminal needs to execute the detection script, construct the detection request, and send it. Instead of using a timer, the intranet terminal may also send the detection request and a target request at the same time. Either way, the target request can still be passed or intercepted even when the security detection device has dropped the earlier target request.
If the security detection device has not dropped the earlier target request, it can determine directly from the comparison result whether to pass or intercept that target request, without waiting for a new one. If the security detection device has not dropped the earlier target request and also receives a new target request, it may select either of the two at random to pass or intercept.
Therefore, this embodiment can use the security detection device to detect the target request by which the intranet terminal accesses the target end, without integrating the request detection modes of every target end, and performs security detection in a unified way on the various access requests sent by the intranet terminal, which strengthens the security protection of the intranet and improves its security.
Referring to fig. 3, an embodiment of the present application discloses a request detection scheme that consists of five flows; the working mechanism of each flow is described below.
Flow 1: an internet-access terminal in the intranet sends an original request to the security gateway.
Flow 2: after receiving the request packet, the security gateway determines whether the packet can be detected with the js code (i.e. the detection script). Because the js code must be executed on the terminal side, it cannot be matched to a request for a gif picture: the terminal would not execute js code replied in place of an image. If the request is for an html resource or a js resource, the terminal executes the js code replied by the security gateway and regards its own request as answered; the js code therefore matches html resources and js resources, and detection can take place.
If the js code can be used for detection, the security gateway can further judge whether the User-Agent field of the received request is known, whether the request is for a Web site, whether the operating system type is known, whether a referrer field is carried, and so on, in order to raise the probability that the client responds to the detection packet returned by the security gateway. When these conditions are met, the security gateway replies with HTTP status code 200 and sends the detection packet carrying the js code to the terminal.
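As an added illustration of the flow-2 decision (example code written for this page, not code from the patent), the gate below checks the conditions the text lists before the gateway answers with the js detection packet; the set of "known" User-Agent markers and the reading of "a request for a Web site" as a GET carrying a Host header are assumptions:

```javascript
// Added example, not the patent's code: flow-2 gate on the security gateway
// deciding whether a request is worth answering with the js detection packet.
// KNOWN_UA_MARKERS and the "GET with a Host header" reading of "request for a
// Web site" are constructed assumptions.
const KNOWN_UA_MARKERS = ['Mozilla/', 'Chrome/', 'Firefox/', 'Safari/', 'Edg/'];
const EXT_RE = /\.([a-z0-9]+)$/i;
const SCRIPT_EXTS = new Set(['html', 'htm', 'js']);

// Normalise header names so callers may pass them in any case.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Only an html or js response is executed by the browser. A gif, css or font
// fetch would silently discard the replied script and never report back, so
// such requests must not be answered with the detection packet.
function requestsScriptResource(req, h) {
  const accept = h['accept'] || '';
  if (accept.includes('text/html')) return true;       // navigation request
  const path = new URL(req.url, 'http://placeholder.invalid').pathname;
  const m = EXT_RE.exec(path);
  if (!m) return true;                                  // "/" or extension-less page path
  return SCRIPT_EXTS.has(m[1].toLowerCase());
}

// Returns { inject, reasons }: inject is true only when every condition from
// the text holds; reasons lists the failed conditions, for gateway logs.
function shouldInjectDetection(req) {
  const h = lowerHeaders(req.headers);
  const reasons = [];
  if (!requestsScriptResource(req, h)) reasons.push('resource is not html/js');
  const ua = h['user-agent'] || '';
  if (!KNOWN_UA_MARKERS.some((m) => ua.includes(m))) reasons.push('unknown User-Agent');
  if (!h['referer']) reasons.push('no Referer');
  if (req.method !== 'GET' || !h['host']) reasons.push('not a Web site request');
  return { inject: reasons.length === 0, reasons };
}
```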
Flow 3: the js code is executed on the terminal to: obtain the information of the terminal's local browser through location.href, and construct and report a request for detection; and register a timer through the setTimeout method so that the terminal sends the original HTTP request again after a specified time.
Constructing the request for detection comprises: obtaining, through the js code, original information such as the User-Agent field of the terminal's local browser and the referrer field of the current page; encrypting the field names and field values; and splicing the encryption result into a URL as a parameter (in this embodiment the URL is agreed to be the URL of the original HTTP request sent by the terminal) to obtain the request for detection. The js code then accesses this request, which necessarily flows through the security gateway. In this embodiment the request accesses the same URL as the original HTTP request issued by the terminal; the only difference is that it additionally carries the encrypted original information.
Flow 4: when the terminal's timer expires, the terminal revisits the original URL, that is, sends the original HTTP request again, and this request also flows through the security gateway.
Flow 5: the security gateway receives the request for detection as well as the new original HTTP request.
The security gateway parses the header of the request for detection and the encrypted original information, decrypts the encrypted original information to obtain the plaintext, and compares the plaintext with the header of the request for detection. If they differ, the HTTP request can be regarded as having been tampered with on the transmission path from the terminal to the security gateway. Otherwise the HTTP request is regarded as not tampered with on that path, and the newly received original HTTP request can be passed to the Web site.
In this embodiment, the security gateway may reply to an HTTP request that needs to be detected with a reply packet whose HTTP status code is set to 200 and which carries the js detection code; after receiving the reply packet, the terminal loads the detection code and constructs a detection request for reporting. The detection request carries the ciphertext of the terminal's local browser information. The security gateway compares the terminal's local browser information carried in the detection request with the header fields of the detection request; if some fields have changed, the HTTP request received by the security gateway can be regarded as tampered with by another device during network transmission; otherwise the HTTP request was not tampered with between the client and the detection device.
This embodiment detects the HTTP header fields and thereby detects whether the HTTP request has been tampered with. The scheme uses the JavaScript URL jump (redirection) mechanism to detect whether the terminal's HTTP packets have been tampered with, which is achieved by deploying a detection device in the network (in this embodiment the security gateway performs the detection directly). The network connection between the detection device and the internet-access terminal is shown in fig. 4.
It can be seen that the security gateway in this embodiment can detect HTTP request tampering in the intranet without affecting services; if a tampered HTTP request is identified, the terminal IP that issued the request is regarded as exhibiting the behaviour of a privately connected (unauthorized) device.
As shown in fig. 5, the terminal private-connection prevention detection function can be enabled on the security gateway, so that whether a tampering device with a private connection exists in the intranet can be detected according to this embodiment; an IP address with a private connection (for example, internet-access terminal B in fig. 4) can be blocked, and trusted IP addresses can be added as needed. For better detection, the security gateway is typically deployed in-line (in series) in the network, as shown in fig. 4.
A request detection apparatus provided by an embodiment of the present application is introduced below; the request detection apparatus described below and the request detection method described above may be referred to each other.
Referring to fig. 6, an embodiment of the present application discloses a request detection apparatus, which is applied to a security detection device and includes:
an obtaining module 601, configured to obtain a target request of an intranet terminal for accessing a target end;
a sending module 602, configured to send a response message for the target request to the intranet terminal, wherein the response message contains a detection script so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in the request header, and sends a detection request to the security detection device with the target field as a URL (uniform resource locator) parameter;
a parsing module 603, configured to parse the URL of the detection request to obtain the target field, and parse the detection request to obtain a header field contained in the detection request; and
a detection module 604, configured to compare the target field with the header field to obtain a comparison result, and determine from the comparison result whether to allow the access request of the intranet terminal.
In a specific embodiment, the apparatus further comprises:
a judging module, configured to execute the step of sending a response message for the target request to the intranet terminal if the target request meets a preset detection condition; wherein the preset detection condition is a condition that ensures the response message can be responded to by the intranet terminal.
In one embodiment, the preset detection condition includes: the resource requested by the target request is a script resource, and/or the User-Agent field in the target request is known, and/or the target request carries a referrer field, and/or the target end is a Web master station.
In a specific embodiment, after the intranet terminal encrypts the target field, the ciphertext of the target field is used as the URL parameter; correspondingly, the security detection device parses the URL of the detection request to obtain the ciphertext of the target field and decrypts the ciphertext to obtain the target field.
In one embodiment, the detection script is further configured, when executed, to cause the intranet terminal to obtain the original target request and send it again after sending the detection request; correspondingly, the security detection device compares the target field with the header field to obtain a comparison result, and determines from the comparison result whether to pass the subsequently received target request.
In a specific embodiment, the detection module is specifically configured to: allow the access request of the intranet terminal if the target field is consistent with the header field; and not allow the access request of the intranet terminal if the target field is inconsistent with the header field.
In a specific embodiment, the apparatus further comprises:
an adding module, configured to add the IP address of the intranet terminal to a trusted list;
and correspondingly, the apparatus further comprises:
a blocking module, configured to block the IP address of the intranet terminal.
For the more specific working process of each module and unit in this embodiment, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
Therefore, this embodiment provides a request detection apparatus that can detect the various access requests sent by an intranet terminal and strengthen the security protection of the intranet. In addition, the apparatus may be deployed as a virtual device in a cloud computing platform, for example as a software module in the hypervisor (virtual machine monitor) layer of the cloud computing platform.
An electronic device provided by an embodiment of the present application is introduced below; the electronic device described below and the request detection method and apparatus described above may be referred to each other.
Referring to fig. 7, an embodiment of the present application discloses an electronic device, including:
a memory 701 for storing a computer program;
a processor 702 for executing the computer program to implement the method disclosed in any of the embodiments above.
Referring to fig. 8, fig. 8 is a schematic diagram of another electronic device provided in this embodiment. The device may vary considerably with configuration or performance, and may include one or more processors (CPUs) 322 (e.g., one or more processors), a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. The memory 332 and the storage media 330 may be transient or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on the data processing device. Further, the central processor 322 may be configured to communicate with the storage medium 330 and execute the series of instruction operations in the storage medium 330 on the electronic device 301.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
In fig. 8, the application 342 may be a program that performs the request detection method, and the data 344 may be data required or generated to perform the request detection method.
The steps in the request detection method described above may be implemented by the structure of the electronic device.
The electronic device may be a single hardware device or a hardware device in the form of a cluster, such as a cloud computing platform. A cloud computing platform is a service form in which the physical hardware resources of many independent servers are organized into pooled resources through computing, network and storage virtualization technologies; it is a software-defined resource structure developed on virtualization technology and can provide resource capacity in the form of virtual machines, containers and the like. It removes the fixed binding between hardware and operating system, relies on network communication to schedule resources uniformly, and then provides the required virtual resources and services.
A readable storage medium provided by an embodiment of the present application is introduced below; the readable storage medium described below and the request detection method, apparatus and device described above may be referred to each other.
A readable storage medium is used to store a computer program which, when executed by a processor, implements the request detection method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
References in this application to "first," "second," "third," "fourth," etc., if any, are intended to distinguish between similar elements and not necessarily to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, or apparatus.
It should be noted that the descriptions in this application referring to "first", "second", etc. are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present application.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A request detection method, applied to a security detection device, comprising:
acquiring a target request of an intranet terminal for accessing a target end;
sending a response message for the target request to the intranet terminal, wherein the response message comprises a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL (uniform resource locator) parameter;
parsing the URL of the detection request to obtain the target field, and parsing the detection request to obtain a header field contained in the detection request; and
comparing the target field with the header field to obtain a comparison result, and determining from the comparison result whether to allow the access request of the intranet terminal.
2. The request detection method of claim 1, further comprising:
if the target request meets a preset detection condition, executing the step of sending the response message for the target request to the intranet terminal;
wherein the preset detection condition is a condition that ensures the response message can be responded to by the intranet terminal.
3. The request detection method according to claim 2, wherein the preset detection condition comprises: the resource requested by the target request is a script resource, and/or the User-Agent field in the target request is known, and/or the target request carries a referrer field, and/or the target end is a Web master station.
4. The request detection method according to claim 1, wherein after the intranet terminal encrypts the target field, a ciphertext of the target field is used as the URL parameter;
correspondingly, parsing the URL of the detection request to obtain the target field comprises:
parsing the URL of the detection request to obtain the ciphertext of the target field, and decrypting the ciphertext to obtain the target field.
5. The request detection method according to claim 1, wherein the detection script is further configured, when executed, to cause the intranet terminal to obtain the original target request and, after sending the detection request, send the original target request again;
correspondingly, comparing the target field with the header field to obtain a comparison result and determining from the comparison result whether to allow the access request of the intranet terminal comprises:
comparing the target field with the header field to obtain a comparison result, and determining from the comparison result whether to pass a subsequently received target request.
6. The request detection method according to any one of claims 1 to 5, wherein comparing the target field with the header field to obtain a comparison result and determining from the comparison result whether to allow the access request of the intranet terminal comprises:
if the target field is consistent with the header field, allowing the access request of the intranet terminal; and
if the target field is inconsistent with the header field, not allowing the access request of the intranet terminal.
7. The request detection method according to claim 6, further comprising, after allowing the access request of the intranet terminal:
adding the IP address of the intranet terminal to a trusted list;
and correspondingly, after not allowing the access request of the intranet terminal, further comprising:
blocking the IP address of the intranet terminal.
8. A request detection apparatus, applied to a security detection device, comprising:
an acquisition module, configured to acquire a target request of an intranet terminal for accessing a target end;
a sending module, configured to send a response message for the target request to the intranet terminal, wherein the response message comprises a detection script, so that the intranet terminal executes the detection script to obtain a target field that represents browser information and is encapsulated in a request header, and sends a detection request to the security detection device with the target field as a URL parameter;
a parsing module, configured to parse the URL of the detection request to obtain the target field, and parse the detection request to obtain a header field contained in the detection request; and
a detection module, configured to compare the target field with the header field to obtain a comparison result, and determine from the comparison result whether to allow the access request of the intranet terminal.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the request detection method of any of claims 1 to 7.
10. A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the request detection method of any one of claims 1 to 7.
CN202210492914.9A 2022-05-07 2022-05-07 Request detection method, device, equipment and readable storage medium Active CN114884730B (en)
Publications (2)

Publication Number Publication Date
CN114884730A true CN114884730A (en) 2022-08-09
CN114884730B CN114884730B (en) 2023-12-29

Family

ID=82673268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210492914.9A Active CN114884730B (en) 2022-05-07 2022-05-07 Request detection method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN114884730B (en)

Citations (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015715A1 (en) * 2000-03-22 2004-01-22 Comscore Networks, Inc. Systems for and methods of placing user indentification in the header of data packets usable in user demographic reporting and collecting usage data
CN1801824A (en) * 2006-01-16 2006-07-12 北京北方烽火科技有限公司 Anti-theft chain method for WEB service
CN101695164A (en) * 2009-09-28 2010-04-14 华为技术有限公司 Verification method, device and system for controlling resource access
CN102098331A (en) * 2010-12-29 2011-06-15 北京锐安科技有限公司 Method and system for reducing WEB type application contents
US20110239300A1 (en) * 2010-11-01 2011-09-29 Trusteer Ltd. Web based remote malware detection
CN103051976A (en) * 2013-01-22 2013-04-17 中兴通讯股份有限公司 Method, system and equipment for distributing HLS (HyperText Transfer Protocol Living Steaming) content by CDN (Content Distribute Network)
CN105871845A (en) * 2016-03-31 2016-08-17 深圳市深信服电子科技有限公司 Method and device for detecting Web vulnerability scanning behavior
CN106998335A (en) * 2017-06-13 2017-08-01 深信服科技股份有限公司 A kind of leak detection method, gateway device, browser and system
KR20170114423A (en) * 2016-04-04 2017-10-16 주식회사 케이티 Method and system for providing interactive response message service
CN107404486A (en) * 2017-08-04 2017-11-28 厦门市美亚柏科信息股份有限公司 Parse method, apparatus, terminal device and the storage medium of Http data
CN108696481A (en) * 2017-04-07 2018-10-23 北京京东尚科信息技术有限公司 leak detection method and device
CN109033885A (en) * 2017-06-09 2018-12-18 腾讯科技(深圳)有限公司 A kind of data response method, terminal device and server
CN109120603A (en) * 2018-07-25 2019-01-01 平安科技(深圳)有限公司 A kind of injection loophole detection method and device
CN109698863A (en) * 2018-12-20 2019-04-30 杭州迪普科技股份有限公司 A kind of method, apparatus, equipment and the storage medium of determining HTTP message safety
WO2019218845A1 (en) * 2018-05-17 2019-11-21 中兴通讯股份有限公司 Hypertext transfer protocol redirecting method, device, routing device and storage medium
CN110881043A (en) * 2019-11-29 2020-03-13 杭州迪普科技股份有限公司 Method and device for detecting web server vulnerability
CN111200499A (en) * 2019-12-03 2020-05-26 云深互联(北京)科技有限公司 System data access method and device based on PC (personal computer) end enterprise browser
CN111953761A (en) * 2020-08-04 2020-11-17 Oppo广东移动通信有限公司 Data processing method and device, electronic equipment and storage medium
WO2020253351A1 (en) * 2019-06-21 2020-12-24 深圳前海微众银行股份有限公司 Click hijacking vulnerability detection method, device and computer apparatus
CN112242972A (en) * 2019-07-16 2021-01-19 腾讯科技(武汉)有限公司 Network request processing method, device, storage medium and terminal
CN112583807A (en) * 2020-12-04 2021-03-30 锐捷网络股份有限公司 Verification method, verification device, electronic equipment and storage medium
CN112699374A (en) * 2020-12-28 2021-04-23 山东鲁能软件技术有限公司 Integrity checking vulnerability security protection method and system
CN113328972A (en) * 2020-02-28 2021-08-31 浙江宇视科技有限公司 Equipment monitoring method, device, equipment and storage medium
CN114124476A (en) * 2021-11-05 2022-03-01 苏州浪潮智能科技有限公司 Sensitive information leakage vulnerability detection method, system and device for Web application

Patent Citations (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015715A1 (en) * 2000-03-22 2004-01-22 Comscore Networks, Inc. Systems for and methods of placing user indentification in the header of data packets usable in user demographic reporting and collecting usage data
CN1801824A (en) * 2006-01-16 2006-07-12 北京北方烽火科技有限公司 Anti-theft chain method for WEB service
CN101695164A (en) * 2009-09-28 2010-04-14 华为技术有限公司 Verification method, device and system for controlling resource access
US20110239300A1 (en) * 2010-11-01 2011-09-29 Trusteer Ltd. Web based remote malware detection
CN102098331A (en) * 2010-12-29 2011-06-15 北京锐安科技有限公司 Method and system for reducing WEB type application contents
CN103051976A (en) * 2013-01-22 2013-04-17 中兴通讯股份有限公司 Method, system and equipment for distributing HLS (HyperText Transfer Protocol Living Steaming) content by CDN (Content Distribute Network)
CN105871845A (en) * 2016-03-31 2016-08-17 深圳市深信服电子科技有限公司 Method and device for detecting Web vulnerability scanning behavior
KR20170114423A (en) * 2016-04-04 2017-10-16 주식회사 케이티 Method and system for providing interactive response message service
CN108696481A (en) * 2017-04-07 2018-10-23 北京京东尚科信息技术有限公司 leak detection method and device
CN109033885A (en) * 2017-06-09 2018-12-18 腾讯科技(深圳)有限公司 A kind of data response method, terminal device and server
CN106998335A (en) * 2017-06-13 2017-08-01 深信服科技股份有限公司 A kind of leak detection method, gateway device, browser and system
CN107404486A (en) * 2017-08-04 2017-11-28 厦门市美亚柏科信息股份有限公司 Parse method, apparatus, terminal device and the storage medium of Http data
WO2019218845A1 (en) * 2018-05-17 2019-11-21 中兴通讯股份有限公司 Hypertext transfer protocol redirecting method, device, routing device and storage medium
CN109120603A (en) * 2018-07-25 2019-01-01 平安科技(深圳)有限公司 A kind of injection loophole detection method and device
CN109698863A (en) * 2018-12-20 2019-04-30 杭州迪普科技股份有限公司 A kind of method, apparatus, equipment and the storage medium of determining HTTP message safety
WO2020253351A1 (en) * 2019-06-21 2020-12-24 深圳前海微众银行股份有限公司 Click hijacking vulnerability detection method, device and computer apparatus
CN112242972A (en) * 2019-07-16 2021-01-19 腾讯科技(武汉)有限公司 Network request processing method, device, storage medium and terminal
CN110881043A (en) * 2019-11-29 2020-03-13 杭州迪普科技股份有限公司 Method and device for detecting web server vulnerability
CN111200499A (en) * 2019-12-03 2020-05-26 云深互联(北京)科技有限公司 System data access method and device based on PC (personal computer) end enterprise browser
CN113328972A (en) * 2020-02-28 2021-08-31 浙江宇视科技有限公司 Equipment monitoring method, device, equipment and storage medium
CN111953761A (en) * 2020-08-04 2020-11-17 Oppo广东移动通信有限公司 Data processing method and device, electronic equipment and storage medium
CN112583807A (en) * 2020-12-04 2021-03-30 锐捷网络股份有限公司 Verification method, verification device, electronic equipment and storage medium
CN112699374A (en) * 2020-12-28 2021-04-23 山东鲁能软件技术有限公司 Integrity checking vulnerability security protection method and system
CN114124476A (en) * 2021-11-05 2022-03-01 苏州浪潮智能科技有限公司 Sensitive information leakage vulnerability detection method, system and device for Web application

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘国卿: "Design of an MD5-based URL anti-tampering algorithm", Science & Technology Information, no. 03, pages 504 - 505 *

Also Published As

Publication number Publication date
CN114884730B (en) 2023-12-29

Similar Documents

Publication Publication Date Title
US10904277B1 (en) Threat intelligence system measuring network threat levels
CN103607385B (en) Method and apparatus for security detection based on browser
EP1872241B1 (en) System and method for detecting a proxy between a client and a server
CN105430011B (en) Method and apparatus for detecting distributed denial of service attacks
CN111400722B (en) Method, apparatus, computer device and storage medium for scanning small program
CN111193716B (en) Service data calling method and device, computer equipment and storage medium
CN108768960B (en) Virus detection method, device, storage medium and computer equipment
CN111866124B (en) Method, device, server and machine-readable storage medium for accessing webpage
CN111176941B (en) Data processing method, device and storage medium
US8661456B2 (en) Extendable event processing through services
CN108076003B (en) Session hijacking detection method and device
Suriadi et al. Validating denial of service vulnerabilities in web services
CN111224952B (en) Network resource acquisition method and device for directional flow and storage medium
CN109361574B (en) JavaScript script-based NAT detection method, system, medium and equipment
CN112243002A (en) Data forwarding method and device, electronic equipment and computer readable medium
CN111182537A (en) Network access method, device and system for mobile application
Imamura et al. Web access monitoring mechanism for Android webview
CN110691139A (en) Data transmission method, device, equipment and storage medium
CN113938474A (en) Virtual machine access method and device, electronic equipment and storage medium
CN110968400B (en) Application program execution method and device, computer equipment and storage medium
US10360379B2 (en) Method and apparatus for detecting exploits
US10757118B2 (en) Method of aiding the detection of infection of a terminal by malware
CN110191203B (en) Method for realizing dynamic access of server and electronic equipment
JP2002182942A (en) Content authentication system
CN114884730B (en) Request detection method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant