CN114969730A - Page display method and device, electronic equipment and computer storage medium - Google Patents

Publication number: CN114969730A
Authority: CN (China)
Prior art keywords: server, target, verification, client, access request
Legal status: Pending
Application number: CN202110193684.1A
Other languages: Chinese (zh)
Inventors: 王爱科, 盛红利, 陈江洪
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/604: Tools and structures for managing or administering access control systems

Abstract

The application provides a page display method and apparatus, an electronic device and a computer storage medium, and belongs to the technical field of cloud security. In the embodiments of the application, in response to an operation of accessing a target server triggered by a target object, the client acquires a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by the attack protection device. The client sends a first access request containing the target verification identifier to the attack protection device, and the attack protection device forwards the first access request to the target server after confirming that the target verification identifier passes verification. The client receives the response data for the first access request returned by the target server and displays a corresponding display page according to the response data. The third-party verification server distributes the unique verification identifier, and a malicious software tool cannot forge the unique verification identifier configured by the third-party verification server, so the security of accessing the server is further improved.

Description

Page display method and device, electronic equipment and computer storage medium
Technical Field
The present application relates to the field of cloud security technologies, and in particular, to a page display method and apparatus, an electronic device, and a computer storage medium.
Background
With the rapid development of the internet and cloud technologies, networks are becoming ever more closely tied to people's lives, and many activities have moved onto the internet, the internet of things, metropolitan area networks or other wide area networks, such as online shopping, online banking, online office work, e-commerce, e-government, and the like. A user can access different websites through a browser installed on a terminal device; at the same time, because of the openness of the network, data stored on the network faces many security problems.
Driven by illicit gain, some illegal users use malicious software tools to perform large numbers of non-human click operations on components in a browser web page so as to repeatedly submit service requests and attack a website's server. For example, a malicious attack program may simulate browser behavior to access the server corresponding to a website, attack that server and damage it. A solution for preventing malicious access requests from attacking the server is therefore needed.
Disclosure of Invention
The application provides a page display method, a page display device, electronic equipment and a computer storage medium, which are used for improving the security of accessing a server.
In a first aspect, a first page display method provided in an embodiment of the present application includes:
in response to an operation of accessing a target server triggered by a target object, a client acquires a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by an attack protection device;
the client sends a first access request containing the target verification identifier to the attack protection device, so that the attack protection device forwards the first access request to the target server after determining that the target verification identifier is verified;
and the client receives response data which is returned by the target server and aims at the first access request, and displays a corresponding display page according to the response data.
In a second aspect, a second page display method provided in an embodiment of the present application includes:
the attack protection device receives a first access request sent by a client; the first access request is sent by the client in response to an operation of accessing a target server triggered by a target object; the first access request comprises a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by the attack protection device;
after the attack protection device determines that the target verification identifier passes verification, the first access request is forwarded to the target server, so that the target server returns response data for the first access request to the client, and the client displays a corresponding display page according to the response data.
In a third aspect, a third page display method provided in an embodiment of the present application includes:
a third party verification server receives a third access request which is sent by a client and contains an intermediate verification identifier corresponding to the third party verification server;
after the third-party verification server determines that the intermediate verification identifier passes verification, a preset identifier transfer script file is issued to the client, so that the client obtains a target verification identifier corresponding to the target server from the third-party verification server by running the identifier transfer script file, responds to the operation of accessing the target server triggered by a target object, obtains response data corresponding to the operation of accessing the target server from the target server according to the target verification identifier, and displays a corresponding display page according to the response data.
In a fourth aspect, a first page display device provided in an embodiment of the present application includes:
a first acquisition unit, configured to acquire, in response to an operation of accessing a target server triggered by a target object, a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by an attack protection device;
a first sending unit, configured to send a first access request including the target verification identifier to the attack protection device, so that the attack protection device forwards the first access request to the target server after determining that the target verification identifier passes verification;
and the first receiving unit is used for receiving response data which is returned by the target server and aims at the first access request, and displaying a corresponding display page according to the response data.
In a fifth aspect, a second page display apparatus provided in an embodiment of the present application includes:
a second receiving unit, configured to receive a first access request sent by a client; the first access request is sent by the client in response to an operation of accessing a target server triggered by a target object; the first access request comprises a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by the attack protection device;
and the second sending unit is used for forwarding the first access request to the target server after the target verification identifier is determined to pass the verification, so that the target server returns response data aiming at the first access request to the client, and the client displays a corresponding display page according to the response data.
In a sixth aspect, a third page display device provided in an embodiment of the present application includes:
a third receiving unit, configured to receive a third access request that includes an intermediate verification identifier corresponding to the third-party verification server and is sent by a client;
and a third sending unit, configured to issue a preset identifier transfer script file to the client after determining that the intermediate verification identifier passes verification, so that the client obtains a target verification identifier corresponding to the target server from the third-party verification server by running the identifier transfer script file, and, in response to an operation of accessing the target server triggered by a target object, obtains response data corresponding to the operation of accessing the target server from the target server according to the target verification identifier, and displays a corresponding display page according to the response data.
In a seventh aspect, an embodiment of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the page display method provided by the application.
In an eighth aspect, an embodiment of the present application provides a computer-readable medium, in which computer-executable instructions are stored, where the computer-executable instructions are used to execute the page display method provided in the present application.
The application has the beneficial effects that:
after the target object triggers the operation of accessing the target server, the client sends the first access request to the attack protection device, and the attack protection device verifies the first access request; because the first access request contains the target verification identifier corresponding to the target server, the attack protection device forwards the first access request to the target server after determining that the target verification identifier passes verification. Therefore, when a user accesses the target server through the client, the first access request sent by the client cannot be directly sent to the target server, and the access request needs to be cleaned through the attack protection device, so that the access request triggered by the malicious software tool is prevented from being sent to the target server to acquire data in the target server, and the network security is improved. In addition, a first access request sent by the client in the embodiment of the application needs to include a target verification identifier corresponding to the target server, and the target verification identifier is obtained from the third-party verification server by the client accessing the third-party verification server through an identifier acquisition script file issued by the attack protection device; the third-party verification server is used for distributing the unique verification identifier, the security is high, and a malicious software tool cannot forge the unique verification identifier configured by the third-party verification server, so that the security of accessing the server is further improved.
Drawings
FIG. 1 is a schematic diagram of an optional application scenario in an embodiment of the present application;
FIG. 2 is a schematic diagram of another optional application scenario in an embodiment of the present application;
FIG. 3 is a schematic flow chart of a page display method in an embodiment of the present application;
FIG. 4 is a schematic diagram of a display interface of a client in an embodiment of the present application;
FIG. 5 is a schematic overall flow chart of a page display method in an embodiment of the present application;
FIG. 6 is a schematic overall flow chart of another page display method in an embodiment of the present application;
FIG. 7 is a schematic diagram of a display interface of a client in an embodiment of the present application;
FIG. 8 is a schematic diagram of a display interface of a client in an embodiment of the present application;
FIG. 9 is a schematic diagram of a page display flow on the client side in an embodiment of the present application;
FIG. 10 is a schematic diagram of a page display flow on the attack protection device side in an embodiment of the present application;
FIG. 11 is a schematic diagram of a page display flow on the third-party verification server side in an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a page display apparatus in an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a page display apparatus in an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a page display apparatus in an embodiment of the present application;
FIG. 15 is a schematic structural diagram of an electronic device in an embodiment of the present application;
FIG. 16 is a schematic structural diagram of a computing device in an embodiment of the present application.
Detailed Description
In order to make the technical solutions disclosed in the present application better understood, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
Some terms appearing herein are explained below:
1. Cookie: sometimes described as a "small text file"; data that some websites store on the user's local terminal for user identification and session tracking, usually encrypted. A cookie is generated by the server side and sent to the browser side; the browser stores the cookie's key/value in a text file under a certain directory and sends the cookie to the server the next time the same website is requested. Cookie names and values can be defined by the server side, and JSP can also write jsessionid directly, so that the server can know whether the user is a legitimate user, whether the user needs to log in again, and so on. A cookie is a user's identity authentication mark for a specific website and contains some sensitive information, such as the user name, computer name, browser used and websites visited.
2. Denial-of-Service attack (DoS attack for short): also called a flood attack; a network attack technique that aims to exhaust the network or system resources of a target computer, temporarily interrupting or stopping its service so that normal users cannot access it. When a hacker uses two or more compromised computers on a network as bots to launch a denial-of-service attack on a specific target, the attack is called a distributed denial-of-service attack, DDoS attack for short. DDoS attacks are the most common way of disrupting the normal operation of an enterprise network; the greatest damage they cause is the loss of business from unreachable services, and the impact does not disappear for a long time after the attack ends, which is disastrous for enterprises and organizations.
3. Challenge Collapsar (CC): an attack in which many users are simulated accessing dynamic pages of a target website through proxy servers or a large number of compromised hosts ("zombie" machines), sending the target server a large number of seemingly legitimate requests so that the attacked server's resources are continuously occupied and consumed. Once the server's resources are exhausted, users can no longer access the server normally or obtain its responses, and during a CC attack the stability of the server keeps deteriorating until the server is paralyzed.
4. JS (JavaScript): a scripting language executable by a Web browser.
5. User Agent (UA): a Web browser user agent identifier, generally used to identify the type of browser the user is using; browsers of the same version generally have the same UA identifier.
6. Traffic diversion (flow traction): a technique that modifies the next hop of a target IP (Internet Protocol) address by advertising a BGP (Border Gateway Protocol) route, so that traffic for the target IP is delivered to a specific device.
7. Core switch: a layer-3 switch, that is, a switch with some of the functions of a router, which operates at the third layer of the OSI (Open System Interconnection) network standard model, the network layer. The most important purpose of a layer-3 switch is to speed up data exchange within a large local area network; its routing function serves that purpose, and it can route once and forward many times.
8. Client: also called the user side; a program that corresponds to a server and provides local services to the user. Apart from some applications that run only locally, a client is generally installed on an ordinary user machine and needs to work together with a server side. Since the development of the internet, the more common clients include web browsers used on the World Wide Web, email clients for receiving and sending email, and instant messaging client software. For this kind of application, a corresponding server and service program are required in the network to provide the corresponding services, such as database services or email services, so a specific TCP connection needs to be established between the client and the server to ensure that the application runs normally.
9. User terminal: may be an office computer or a mobile electronic device; it can log in to a data storage center through a virtual machine, obtain the data it needs from the data storage center, and upload changed data to the data storage center in real time.
10. Server: may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a CDN (Content Delivery Network), and big data and artificial intelligence platforms.
The following briefly introduces the design concept of the embodiments of the present application:
Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software and network within a wide area network or a local area network to realize the computation, storage, processing and sharing of data.
Cloud technology is a general term for the network technology, information technology, integration technology, management platform technology, application technology and so on that are applied under the cloud computing business model; it can form a resource pool that is used on demand, flexibly and conveniently. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and web portals, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each item may have its own identification mark that needs to be transmitted to a background system for logical processing; data at different levels is processed separately, and all kinds of industry data need strong back-end system support, which can only be realized through cloud computing.
Cloud technology also includes the technical field of cloud security. Cloud security is a general term for the security software, hardware, users, organizations and secure cloud platforms applied under the cloud computing business model. Cloud security mainly studies how to guarantee the security of the cloud itself and of the various applications on the cloud, including the security of cloud computer systems, the secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing and the like; the present application mainly relates to network attack protection.
At present, a website server is accessed directly by a user operating a web page in a browser installed on a user terminal. An illegal user usually uses a malicious software tool to perform a large number of non-human click operations on components in a browser web page so as to repeatedly submit service requests and attack the website's server. For example, a malicious attack program may simulate browser behavior to access the server corresponding to a website, attack that server and damage it. In view of this, embodiments of the present application provide a page display method and apparatus, an electronic device and a computer storage medium, in which, in response to an operation of accessing a target server triggered by a target object, a client obtains a target verification identifier corresponding to the target server; the target verification identifier is obtained from the third-party verification server, which the client accesses by executing the identifier acquisition script file issued by the attack protection device; the client sends a first access request containing the target verification identifier to the attack protection device, and the attack protection device verifies the target verification identifier in the first access request and forwards the first access request to the target server after confirming that the target verification identifier passes verification; the target server generates response data corresponding to the first access request and returns it to the client, and the client displays a corresponding display page according to the response data.
After the target object triggers the operation of accessing the target server, the client sends the first access request to the attack protection device, and the attack protection device verifies the first access request; because the first access request contains the target verification identifier corresponding to the target server, the attack protection device forwards the first access request to the target server after determining that the target verification identifier passes verification. Therefore, when a user accesses the target server through the client, the first access request sent by the client cannot be directly sent to the target server, and the access request needs to be cleaned through the attack protection device, so that the access request triggered by the malicious software tool is prevented from being sent to the target server to acquire data in the target server, and the network security is improved. In addition, a first access request sent by the client in the embodiment of the application needs to include a target verification identifier corresponding to the target server, and the target verification identifier is obtained from the third-party verification server by the client accessing the third-party verification server through an identifier acquisition script file issued by the attack protection device; the third-party verification server is used for distributing the unique verification identifier, the security is high, and a malicious software tool cannot forge the unique verification identifier configured by the third-party verification server, so that the security of accessing the server is further improved.
After introducing the design concept of the embodiment of the present application, some simple descriptions are provided below for application scenarios to which the technical solution of the embodiment of the present application can be applied, and it should be noted that the application scenarios described below are only used for describing the embodiment of the present application and are not limited. In a specific implementation process, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
As shown in fig. 1, which is a schematic diagram of an exemplary application scenario in the embodiment of the present application, the application scenario includes a target object 10, a user terminal 11, a core switch 12, an attack protection device 13, a third party verification server 14, and a target server 15;
the user terminal 11 is a terminal device running on a cloud server; for example, the cloud server may be a private cloud or a public cloud. A client is installed on the user terminal 11; for example, the client may be a browser, including but not limited to a browser APP or a Web browser. The core switch 12 is configured to perform traffic diversion (flow traction) on access requests sent by the client to the server and to forward access requests initiated by the client to the attack protection device 13. The attack protection device 13 is configured to verify an access request initiated by the client and to forward the access request to the target server 15 after the verification passes.
In response to an operation of accessing the target server 15 triggered by the target object 10 in a display interface of the client, the client acquires a target verification identifier corresponding to the target server 15; the target verification identifier is obtained from the third-party verification server 14, which the client accesses by executing the identifier acquisition script file issued by the attack protection device 13.
It should be noted that, in one optional implementation, in response to the operation of accessing the target server 15 triggered by the target object 10, the client obtains a locally stored target verification identifier corresponding to the target server 15; this locally stored identifier was obtained from the third-party verification server 14 before the client received the operation of accessing the target server 15 triggered by the target object 10, with the client accessing the third-party verification server 14 by executing the identifier acquisition script file issued by the attack protection device 13. In another optional implementation, in response to the operation of accessing the target server 15 triggered by the target object 10, the client sends an access request that does not contain the target verification identifier to the attack protection device 13; the attack protection device 13 issues the identifier acquisition script file to the client; and the client runs the identifier acquisition script file issued by the attack protection device 13 to access the third-party verification server 14 and obtains the target verification identifier from the third-party verification server 14.
The client sends a first access request containing the target verification identifier to the core switch 12; the core switch 12 performs traffic diversion on the first access request sent by the client and forwards the access request initiated by the client to the attack protection device 13; the attack protection device 13 verifies the target verification identifier in the first access request and forwards the first access request to the target server 15 after determining that the verification passes. The target server 15 generates response data according to the first access request and sends the generated response data to the core switch 12, and the core switch 12 forwards the response data to the client; the client displays the corresponding display page according to the received response data.
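The gate behaviour described above (a request without an identifier is answered with the identifier acquisition script, a request whose identifier verifies is forwarded), as an added example that is not part of the patent text. The page does not say how the identifier is built or checked, so the HMAC token format, the key shared between the verification server and the protection device, the binding to the User-Agent, the cookie name and the script name are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 300  # assumed identifier lifetime, in seconds
COOKIE = "target_verification_id"  # hypothetical cookie name


def _mac(key: bytes, target: str, ua: str, expiry: int, nonce: str) -> str:
    # Bind the identifier to one target server, one User-Agent and one expiry.
    msg = "\n".join([target, ua, str(expiry), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ThirdPartyVerifier:
    """Stand-in for the third-party verification server that issues identifiers."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, target: str, ua: str, now: float) -> str:
        expiry = int(now) + TOKEN_TTL
        nonce = secrets.token_hex(8)
        return f"{expiry}.{nonce}.{_mac(self._key, target, ua, expiry, nonce)}"


class AttackProtectionDevice:
    """Gate in front of the target server: challenge, reject or forward."""

    def __init__(self, key: bytes, target: str, backend):
        self._key, self._target, self._backend = key, target, backend

    def verify(self, token: str, ua: str, now: float) -> str:
        parts = token.split(".")
        # Reject anything that is not "<ascii digits>.<nonce>.<mac>" before parsing.
        if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
            return "malformed"
        expiry, nonce, mac = int(parts[0]), parts[1], parts[2]
        expected = _mac(self._key, self._target, ua, expiry, nonce)
        # Constant-time comparison on bytes, so non-ASCII input cannot raise.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad-signature"
        return "expired" if now > expiry else "ok"

    def handle(self, request: dict, now: float) -> dict:
        token = request.get("cookies", {}).get(COOKIE)
        if token is None:
            # No identifier yet: issue the identifier acquisition script
            # (hypothetical file name).
            return {"action": "challenge", "script": "id-acquisition.js"}
        verdict = self.verify(token, request["ua"], now)
        if verdict != "ok":
            return {"action": "reject", "reason": verdict}
        return {"action": "forward", "body": self._backend(request["path"])}


def run_demo() -> dict:
    key = secrets.token_bytes(32)  # assumed to be shared by verifier and device
    target, ua = "shop.example", "Mozilla/5.0 (constructed)"
    now = 1_700_000_000.0  # constructed clock value
    verifier = ThirdPartyVerifier(key)
    device = AttackProtectionDevice(key, target, lambda path: f"<html>{path}</html>")

    def ask(cookies: dict, agent: str = ua, at: float = now) -> dict:
        return device.handle({"path": "/index", "ua": agent, "cookies": cookies}, at)

    out = {"first": ask({})["action"]}
    # The browser runs the issued script, which fetches the identifier.
    token = verifier.issue(target, ua, now)
    out["retry"] = ask({COOKIE: token})["action"]
    # A tool that skips the script and fabricates an identifier of the right shape.
    forged = f"{int(now) + TOKEN_TTL}.{'0' * 16}.{'0' * 64}"
    out["forged"] = ask({COOKIE: forged})["reason"]
    # A genuine identifier presented by a different client, and one used too late.
    out["other_ua"] = ask({COOKIE: token}, agent="scripted-client/1.0")["reason"]
    out["late"] = ask({COOKIE: token}, at=now + TOKEN_TTL + 1)["reason"]
    return out


if __name__ == "__main__":
    print(run_demo())
```

Only the first branch of `handle` reaches the client as a script; every other decision is made on the device, so the target server sees a request only after `verify` returns "ok".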
Fig. 2 is a schematic diagram of another exemplary application scenario according to an embodiment of the present application, which includes a target object 20, a user terminal 21, an attack protection device 22, a third-party verification server 23, and a target server 24.
The user terminal 21 is a terminal device running on a physical machine. A client is installed on the user terminal 21; for example, the client may be a browser, including but not limited to a browser APP or a Web browser. The attack protection device 22 is configured to authenticate an access request initiated by the client and to forward the access request to the target server 24 after the authentication passes.
In response to an operation of accessing the target server 24 triggered by the target object 20 in a display interface of the client, the client acquires a target verification identifier corresponding to the target server 24, where the target verification identifier is obtained by the client from the third-party verification server 23, which the client accesses by executing the identifier acquisition script file issued by the attack protection device 22.
It should be noted that, in one optional implementation, in response to an operation of accessing the target server 24 triggered by the target object 20, the client obtains a locally stored target verification identifier corresponding to the target server 24. This locally stored target verification identifier was obtained before the client received the operation of accessing the target server 24 triggered by the target object 20: the client executed the identifier acquisition script file issued by the attack protection device 22 to access the third-party verification server 23 and obtained the identifier from the third-party verification server 23. In another optional implementation, in response to an operation of accessing the target server 24 triggered by the target object 20, the client sends an access request that does not contain the target verification identifier to the attack protection device 22; the attack protection device 22 issues an identifier acquisition script file to the client; and the client executes the identifier acquisition script file issued by the attack protection device 22 to access the third-party verification server 23 and obtains the target verification identifier from the third-party verification server 23.
When the client needs to send the first access request, the domain name resolution address corresponding to the first access request is changed from the address information of the target server 24 to the address information of the attack protection device 22 by modifying the domain name resolution address. In this way, the client sends the first access request containing the target verification identifier to the attack protection device 22; the attack protection device 22 verifies the target verification identifier in the first access request and, after determining that the verification passes, forwards the first access request to the target server 24. The target server 24 generates response data according to the first access request and sends the generated response data to the attack protection device 22, and the attack protection device 22 forwards the response data to the client; the client displays the corresponding display page according to the received response data.
In combination with the application scenarios described above, the page display method provided by the exemplary embodiment of the present application is described with reference to fig. 2 to 11. It should be noted that the above application scenarios are only presented to facilitate understanding of the spirit and principles of the present application, and the embodiments of the present application are not limited in this respect. Rather, embodiments of the present application may be applied to any scenario where applicable.
As shown in fig. 3, a schematic flow chart of a page display method provided in the embodiment of the present application may include the following steps:
Step S31, in response to the operation of accessing the target server triggered by the target object, the client obtains a target verification identifier corresponding to the target server;
the target verification identifier is obtained by the client from the third-party verification server, which the client accesses by executing an identifier acquisition script file issued by the attack protection device.
Step S32, the client sends the first access request containing the target verification identifier to the attack protection device.
Step S33, the attack protection device verifies the target verification identifier in the first access request.
Step S34, after determining that the target verification identifier passes the verification, the attack protection device forwards the first access request to the target server.
Step S35, the target server generates corresponding response data according to the received first access request.
Step S36, the target server returns the response data to the client.
Step S37, the client displays the corresponding display page according to the response data.
In step S31, the target object may trigger the operation of accessing the target server through the display interface of the client. For example, as shown in fig. 4, the target object needs to visit website A, whose address is assumed to be www.Aa.com; the target object enters www.Aa.com in the search box of the client's display interface and clicks the "search" option, which triggers the operation of accessing the server of website A.
The client in the embodiment of the present application may be a browser client, and the specific browser client includes, but is not limited to, a browser APP and a Web browser.
The verification identifier in the embodiment of the present application may be a cookie identifier.
It should be noted that, in the embodiment of the present application, the client may run on a cloud server or on an independent physical machine. After the client initiates an access request to the target server, the flow by which the client accesses the target server differs between these operating environments. For example, a client running on a cloud server may select the CC protection function; after the target object initiates a request for accessing the target server through the client, the access request initiated by the client is diverted to the attack protection device through the core switch, and the attack protection device verifies the access request and forwards access requests that pass verification to the target server. For a client running on a physical machine, a proxy IP needs to be provided for the client; after a user initiates a request for accessing the target server through the client, the domain name is pointed to a proxy server by modifying the domain name resolution address. A protection tool runs on the proxy server, so the proxy server serves as the attack protection device: it verifies the access request initiated by the client and forwards the verified access request to the target server.
Since the flows of accessing the target server through the clients are different for the clients in different operating environments, the following description is respectively given for the clients in different operating environments.
First, the client runs on a cloud server.
In response to the operation of accessing the target server triggered by the target object, the client determines whether a target verification identifier corresponding to the target server is stored locally. If a target verification identifier corresponding to the target server is stored locally, the client sends a first access request containing the target verification identifier; if not, the client sends a second access request that does not contain the target verification identifier.
After receiving the first access request, the core switch forwards the first access request to the attack protection device.
After receiving the first access request, the attack protection device verifies the target verification identifier in the first access request; for example, it determines whether the target verification identifier is in the blacklist, and if so, the verification is determined to fail, and if not, the verification is determined to pass. After the verification passes, the attack protection device forwards the first access request to the target server through the core switch; if the verification fails, the attack protection device discards the first access request.
After receiving the second access request, the attack protection device issues a preset identifier acquisition script file to the client through the core switch. The client runs the identifier acquisition script file and, while running it, accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier acquisition script file.
While accessing the third-party verification server, the client determines whether an intermediate verification identifier corresponding to the third-party verification server exists. If so, the client sends a third access request containing the intermediate verification identifier to the third-party verification server; if not, the client sends a fourth access request that does not contain the intermediate verification identifier to the third-party verification server.
After the third-party verification server receives the third access request containing the intermediate verification identifier, it determines that it has already planted its own verification identifier in the client, and returns an identifier transfer script file to the client. After the third-party verification server receives the fourth access request, which does not contain the intermediate verification identifier, it determines that it has not planted its own verification identifier in the client; the third-party verification server then needs to generate an initial verification identifier corresponding to the client, returns the initial verification identifier to the client as the intermediate verification identifier corresponding to the third-party verification server, and at the same time issues an identifier transfer script file to the client.
In implementation, when the third-party verification server generates the initial verification identifier corresponding to the client, it generates the initial verification identifier according to the identification information corresponding to the client and the time information of the fourth access request.
The identification information corresponding to the client may include IP address information and UA information of the terminal device corresponding to the client; the time information of the fourth access request may be the timestamp information of the fourth access request.
Specifically, an md5 calculation may be performed over the IP address information and UA information of the terminal device corresponding to the client and the time information of the fourth access request to obtain the initial verification identifier.
After receiving the identifier transfer script file, the client runs it. While running the identifier transfer script file, the client requests the target verification identifier of the target server from the third-party verification server, and the third-party verification server uses the generated initial verification identifier corresponding to the client as the target verification identifier; the client then stores the target verification identifier corresponding to the target server.
It should be noted that, because the third-party verification server and the target server are two servers across domains, in the client, data and verification identifiers for the two servers need to be stored separately, and the data and verification identifiers for the two servers are stored in two different storage environments.
As can be seen from the above-mentioned process of obtaining the target verification identifier of the target server by the client according to the embodiment of the present application, when different target servers need to be accessed by the same client, the initial verification identifier corresponding to the client is set as the verification identifiers of the two different target servers by the third-party verification server, so that the verification identifiers carried when different target servers are accessed by the same client are the same.
For example, when the target object needs to access website A, assume that the site address corresponding to website A is sitea.com. When the verification identifier corresponding to the server of website A is requested, the following instruction may be executed: if the initial verification identifier of the client is "uuid 2134", the target verification identifier of the server of website A is "uuid 2134", and it is returned through the following command: PostMessage(uuid, 'sitea.com').
For another example, when the target object accesses website B through the same browser, assume that the site address corresponding to website B is siteb.com. When the verification identifier corresponding to the server of website B is requested, the following instruction may be executed: if the initial verification identifier of the client is "uuid 2134", the target verification identifier of the server of website B is returned as "uuid 2134" through the following command: PostMessage(uuid, 'siteb.com').
The identifier acquisition script file and the identifier transfer script file may be Js-type script files.
According to the embodiment of the present application, after the client acquires the target verification identifier of the target server from the third-party verification server, the client stores the target verification identifier of the target server; when the client subsequently needs to access the target server again, the target verification identifier of the target server can be obtained directly from local storage.
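The identifier issuance described above, as an added example that is not code from the patent: a third-party verification server derives the initial verification identifier with md5, plants it as its own intermediate identifier, and hands the same value to every target site the client visits. The origin `verify.example`, the script name `identifier-transfer.js`, the `|` field separator and the server's record of planted identifiers are assumptions.

```javascript
// Added example: model of the third-party verification server and of a client
// with per-origin cookie storage. Origins, script names and values are constructed.
const crypto = require("crypto");

class ThirdPartyVerificationServer {
  constructor() {
    // Assumption: the server remembers which identifiers it has planted.
    this.planted = new Set();
  }

  // Initial verification identifier: md5 over client IP, UA and the timestamp
  // of the fourth access request. The "|" separator is an assumption; the page
  // does not say how the three fields are combined.
  static initialIdentifier(ip, userAgent, timestampMs) {
    return crypto
      .createHash("md5")
      .update([ip, userAgent, String(timestampMs)].join("|"))
      .digest("hex");
  }

  // Request made while the client runs the identifier acquisition script.
  handleAcquire({ ip, userAgent, timestampMs, cookies }) {
    if (cookies.intermediate && this.planted.has(cookies.intermediate)) {
      // Third access request: identifier already planted, send only the script.
      return { setCookie: null, script: "identifier-transfer.js" };
    }
    // Fourth access request: generate the initial identifier and plant it as
    // this server's own (intermediate) verification identifier.
    const id = ThirdPartyVerificationServer.initialIdentifier(ip, userAgent, timestampMs);
    this.planted.add(id);
    return { setCookie: { intermediate: id }, script: "identifier-transfer.js" };
  }

  // Request made while the client runs the identifier transfer script.
  // Models the page's PostMessage(uuid, site) reply addressed to one target site.
  handleTransfer({ cookies, targetSite }) {
    const id = cookies.intermediate;
    if (!id || !this.planted.has(id)) return null;
    return { uuid: id, targetOrigin: targetSite };
  }
}

class Client {
  constructor(ip, userAgent) {
    this.ip = ip;
    this.userAgent = userAgent;
    this.jars = {}; // one cookie jar per origin: cross-domain data stays separate
  }

  jar(origin) {
    if (!this.jars[origin]) this.jars[origin] = {};
    return this.jars[origin];
  }

  obtainTargetIdentifier(verifier, verifierOrigin, targetSite, nowMs) {
    const targetJar = this.jar(targetSite);
    if (targetJar.target) return targetJar.target; // already stored locally

    const verifierJar = this.jar(verifierOrigin);
    const reply = verifier.handleAcquire({
      ip: this.ip,
      userAgent: this.userAgent,
      timestampMs: nowMs,
      cookies: verifierJar,
    });
    if (reply.setCookie) Object.assign(verifierJar, reply.setCookie);

    const message = verifier.handleTransfer({ cookies: verifierJar, targetSite });
    // Accept the identifier only when it is addressed to the site being visited.
    if (!message || message.targetOrigin !== targetSite) {
      throw new Error("no target verification identifier for " + targetSite);
    }
    targetJar.target = message.uuid;
    return message.uuid;
  }
}

function demoSameIdentifierAcrossSites() {
  const verifier = new ThirdPartyVerificationServer();
  const client = new Client("203.0.113.7", "ExampleBrowser/1.0"); // constructed values
  const a = client.obtainTargetIdentifier(verifier, "verify.example", "sitea.com", 1000);
  // Later visit to a different site: the intermediate identifier is reused,
  // so the new timestamp does not produce a new identifier.
  const b = client.obtainTargetIdentifier(verifier, "verify.example", "siteb.com", 5000);
  return { a, b, jars: client.jars };
}

console.log(demoSameIdentifierAcrossSites());
```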
The client sends a first access request containing the target verification identifier to the core switch device, the core switch device forwards the first access request to the attack protection device, and the attack protection device verifies the first access request.
In implementation, the attack protection device verifies the first access request in the following manner:
The attack protection device obtains the target verification identifier contained in the first access request. If the attack protection device is receiving this target verification identifier for the first time, it obtains the data contained in the first access request and verifies it. If the data carried in the first access request meets expectations, the device determines that the access request sent by the client carrying the target verification identifier passes verification, and marks the client as a trusted request source. Otherwise, if the data carried in the first access request does not meet expectations, the device determines that the access request sent by the client carrying the target verification identifier fails verification, regards the request source as a machine script or the like, marks the client as an untrusted request source, and adds it to the blacklist. Thereafter, when the attack protection device receives an access request, it first obtains the target verification identifier of the target server carried in the access request. If, according to the target verification identifier, the access request is determined to come from a trusted client, the data carried in the access request does not need to be verified again and the access request is forwarded directly to the target server; if the access request is determined to come from an untrusted client, it is discarded directly.
It should be noted that, in the embodiment of the present application, because the target verification identifiers carried by the same client when accessing different target servers are the same, a malicious attack program cannot change the identifier information to obtain the trust of the attack protection device, and therefore access requests sent by the malicious attack program can be prevented from evading interception.
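One way to express the verification flow above, as an added example rather than code from the patent: the device keys its trusted set and blacklist on the target verification identifier alone, so a verdict learned on one site still applies when the same identifier arrives for another site. The `exampleDataCheck` function and the sample requests are constructed; the page does not define what data "meets expectations".

```javascript
// Added example: decision logic of the attack protection device.
const Verdict = Object.freeze({
  ISSUE_SCRIPT: "issue-identifier-acquisition-script",
  FORWARD: "forward-to-target-server",
  DROP: "discard",
});

class AttackProtectionDevice {
  // meetsExpectations is a caller-supplied check; the page leaves the content
  // of the data verification open, so it is pluggable here.
  constructor(meetsExpectations) {
    this.meetsExpectations = meetsExpectations;
    this.trusted = new Set();   // identifiers of trusted request sources
    this.blacklist = new Set(); // identifiers of untrusted request sources
    this.dataChecksRun = 0;     // how often request data was actually inspected
  }

  handle(request) {
    const id = request.cookies ? request.cookies.target : undefined;
    // Second access request (no identifier): issue the acquisition script.
    if (!id) return Verdict.ISSUE_SCRIPT;
    // Known identifiers are decided from state, without re-checking the data.
    if (this.blacklist.has(id)) return Verdict.DROP;
    if (this.trusted.has(id)) return Verdict.FORWARD;
    // First time this identifier is seen: verify the data in the request.
    this.dataChecksRun += 1;
    if (this.meetsExpectations(request)) {
      this.trusted.add(id);
      return Verdict.FORWARD;
    }
    this.blacklist.add(id);
    return Verdict.DROP;
  }
}

// Hypothetical stand-in for the data verification: a browser-like request is
// assumed to carry a User-Agent and to accept HTML.
function exampleDataCheck(request) {
  const h = request.headers || {};
  return (
    typeof h["user-agent"] === "string" && h["user-agent"].length > 0 &&
    typeof h["accept"] === "string" && h["accept"].includes("text/html")
  );
}

// Constructed sample traffic (identifiers are made-up 32-hex strings).
const BROWSER_ID = "0123456789abcdef0123456789abcdef";
const SCRIPT_ID = "fedcba9876543210fedcba9876543210";
const BROWSER_HEADERS = { "user-agent": "ExampleBrowser/1.0", accept: "text/html" };
const SAMPLE_REQUESTS = [
  { host: "sitea.com", headers: BROWSER_HEADERS, cookies: {} },
  { host: "sitea.com", headers: BROWSER_HEADERS, cookies: { target: BROWSER_ID } },
  { host: "siteb.com", headers: BROWSER_HEADERS, cookies: { target: BROWSER_ID } },
  { host: "sitea.com", headers: {}, cookies: { target: SCRIPT_ID } },
  // Same identifier, different site, better-looking headers: still blacklisted.
  { host: "siteb.com", headers: BROWSER_HEADERS, cookies: { target: SCRIPT_ID } },
];

function replaySample() {
  const device = new AttackProtectionDevice(exampleDataCheck);
  const verdicts = SAMPLE_REQUESTS.map((r) => device.handle(r));
  return { verdicts, dataChecksRun: device.dataChecksRun };
}

console.log(replaySample());
```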
After determining that the target verification identifier passes verification, the attack protection device forwards the first access request to the core switch device, and the core switch device forwards the first access request to the target server.
The target server generates corresponding response data according to the received first access request and returns the response data to the core switch device; the core switch device forwards the response data to the client, and the client displays the corresponding display page according to the response data.
As shown in fig. 5, the overall flowchart of the page display method according to the embodiment of the present application includes the following steps:
Step S51, in response to the operation of accessing the target server triggered by the target object, the client sends an access request 1;
the access request 1 does not include the target verification identifier of the target server.
Step S52, after receiving the access request 1, the core switch device forwards the access request 1 to the attack protection device.
Step S53, after determining that the access request 1 does not include the target verification identifier, the attack protection device returns the first Js script file to the core switch device.
Step S54, the core switch device forwards the first Js script file to the client.
Step S55, the client receives and runs the first Js script file, and during the running process requests the third-party verification server to obtain the target verification identifier.
Step S56, after determining that the client did not carry the intermediate verification identifier corresponding to the third-party verification server when accessing, the third-party verification server generates an initial verification identifier corresponding to the client, and uses the initial verification identifier as the intermediate verification identifier corresponding to the third-party verification server.
Step S57, the third-party verification server issues the intermediate verification identifier and the second Js script file to the client.
Step S58, the client receives and runs the second Js script file, and accesses the third-party verification server carrying the intermediate verification identifier.
Step S59, the third-party verification server uses the initial verification identifier as the target verification identifier corresponding to the target server and returns the target verification identifier to the client.
Step S510, the client sends an access request 2;
the access request 2 carries a target verification identifier corresponding to the target server.
Step S511, after receiving the access request 2, the core switch device forwards the access request 2 to the attack protection device.
Step S512, the attack protection device verifies the target verification identifier in the access request 2.
Step S513, after determining that the target verification identifier is verified, the attack protection device forwards the access request 2 to the core switch device.
Step S514, the core switch device forwards the access request 2 to the target server.
Step S515, the target server generates corresponding response data according to the access request 2.
Step S516, the target server returns the response data to the core switch device.
Step S517, the core switch device forwards the response data to the client.
Step S518, the client displays the corresponding display page according to the response data.
Second, the client runs on a physical machine.
In response to the operation of accessing the target server triggered by the target object, the client determines whether a target verification identifier corresponding to the target server is stored locally. If a target verification identifier corresponding to the target server is stored locally, the client sends a first access request containing the target verification identifier; if not, the client sends a second access request that does not contain the target verification identifier.
When the client sends an access request for accessing the target server, the domain name resolution address corresponding to the access request is changed from the address information of the target server to the address information of the attack protection device by modifying the domain name resolution address, and the access request is sent to the attack protection device.
It should be noted that, when the client runs on the physical machine, the attack protection device may be an IP proxy server, and a CC protection tool runs on the IP proxy server.
After receiving the first access request, the attack protection device verifies the target verification identifier in the first access request; for example, it determines whether the target verification identifier is in the blacklist, and if so, the verification is determined to fail, and if not, the verification is determined to pass. After the verification passes, the attack protection device forwards the first access request to the target server; if the verification fails, the attack protection device discards the first access request.
After receiving the second access request, the attack protection device issues a preset identifier acquisition script file to the client. The client runs the identifier acquisition script file and, while running it, accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier acquisition script file.
While accessing the third-party verification server, the client determines whether an intermediate verification identifier corresponding to the third-party verification server exists. If so, the client sends a third access request containing the intermediate verification identifier to the third-party verification server; if not, the client sends a fourth access request that does not contain the intermediate verification identifier to the third-party verification server.
After the third-party verification server receives the third access request containing the intermediate verification identifier, it determines that it has already planted its own verification identifier in the client, and returns an identifier transfer script file to the client. After the third-party verification server receives the fourth access request, which does not contain the intermediate verification identifier, it determines that it has not planted its own verification identifier in the client; the third-party verification server then needs to generate an initial verification identifier corresponding to the client, returns the initial verification identifier to the client as the intermediate verification identifier corresponding to the third-party verification server, and at the same time issues an identifier transfer script file to the client.
In implementation, when the third-party verification server generates the initial verification identifier corresponding to the client, it generates the initial verification identifier according to the identification information corresponding to the client and the time information of the fourth access request.
The identification information corresponding to the client may include IP address information and UA information of the terminal device corresponding to the client; the time information of the fourth access request may be the timestamp information of the fourth access request.
Specifically, an md5 calculation may be performed over the IP address information and UA information of the terminal device corresponding to the client and the time information of the fourth access request to obtain the initial verification identifier.
After receiving the identifier transfer script file, the client runs it. While running the identifier transfer script file, the client requests the target verification identifier of the target server from the third-party verification server, and the third-party verification server uses the generated initial verification identifier corresponding to the client as the target verification identifier; the client then stores the target verification identifier corresponding to the target server.
It should be noted that, because the third-party verification server and the target server are two servers across domains, in the client, data and verification identifiers for the two servers need to be stored separately, and the data and verification identifiers for the two servers are stored in two different storage environments.
As can be seen from the above-mentioned process of obtaining the target verification identifier of the target server by the client according to the embodiment of the present application, when different target servers need to be accessed by the same client, the initial verification identifier corresponding to the client is set as the verification identifiers of the two different target servers by the third-party verification server, so that the verification identifiers carried when different target servers are accessed by the same client are the same.
For example, when the target object needs to access website C, assume that the site address corresponding to website C is sitec.com. When the verification identifier corresponding to the server of website C is requested, the following command may be executed: if the initial verification identifier of the client is "uuid 2134", the third-party verification server returns "uuid 2134" as the target verification identifier of the server of website C through the following command: PostMessage(uuid, 'sitec.
For another example, when the target object accesses website D through the same browser, assume that the site address corresponding to website D is sited.com. When the verification identifier corresponding to the server of website D is requested, the following command may be executed: if the initial verification identifier of the client is 2134, the target verification identifier of the server of website D is returned through the following command: PostMessage(uuid, 'sited.com').
The identifier acquisition script file and the identifier transfer script file may be Js-type script files.
According to the embodiment of the present application, after the client acquires the target verification identifier of the target server from the third-party verification server, the client stores the target verification identifier of the target server; when the client subsequently needs to access the target server again, the target verification identifier of the target server can be obtained directly from local storage.
The client sends a first access request containing the target verification identifier to the attack protection device, and the attack protection device verifies the first access request.
In implementation, the attack protection device verifies the first access request in the following manner:
The attack protection device obtains the target verification identifier contained in the first access request. If the attack protection device is receiving this target verification identifier for the first time, it obtains the data contained in the first access request and verifies it. If the data carried in the first access request meets expectations, the device determines that the access request sent by the client carrying the target verification identifier passes verification, and marks the client as a trusted request source. Otherwise, if the data carried in the first access request does not meet expectations, the device determines that the access request sent by the client carrying the target verification identifier fails verification, regards the request source as a machine script or the like, marks the client as an untrusted request source, and adds it to the blacklist. Thereafter, when the attack protection device receives an access request, it first obtains the target verification identifier of the target server carried in the access request. If, according to the target verification identifier, the access request is determined to come from a trusted client, the data carried in the access request does not need to be verified again and the access request is forwarded directly to the target server; if the access request is determined to come from an untrusted client, it is discarded directly.
It should be noted that, in the embodiment of the present application, because the target verification identifiers carried by the same client when accessing different target servers are the same, a malicious attack program cannot change the identifier information to obtain the trust of the attack protection device, and therefore access requests sent by the malicious attack program can be prevented from evading interception.
After determining that the target verification identifier passes verification, the attack protection device forwards the first access request to the target server.
The target server generates corresponding response data according to the received first access request and returns the response data to the attack protection device; the attack protection device forwards the response data to the client, and the client displays the corresponding display page according to the response data.
As shown in fig. 6, the overall flowchart of the page display method according to the embodiment of the present application includes the following steps:
Step S61, in response to the operation of accessing the target server triggered by the target object, the client sends an access request 1;
the access request 1 does not include the target verification identifier of the target server.
Step S62, after determining that the access request 1 does not include the target verification identifier, the attack protection device issues the first Js script file to the client.
Step S63, the client receives and runs the first Js script file, and requests the third verification server to obtain the target verification identifier during the running process.
Step S64, after the third party verification server determines that the client does not carry the intermediate verification identifier corresponding to the third party verification server when accessing, an initial verification identifier corresponding to the client is generated; and the initial verification identifier is used as an intermediate verification identifier corresponding to the third-party verification server.
And step S65, the third-party verification server issues the intermediate verification identification and the second Js script file to the client.
And step S66, the client receives and runs the second Js script file, and accesses the third-party verification server by carrying the middle verification identifier.
And step S67, the third party verifying server takes the initial verifying identification as a target verifying identification corresponding to the target server and returns the target verifying identification to the client.
Step S68, the client sends an access request 2;
and the access request 2 carries a target verification identifier corresponding to the target server.
Step S69, the attack protection device verifies the target verification identifier in the access request 2.
Step S610, after determining that the target verification identifier is verified, the attack protection device forwards the access request 2 to the target server.
Step S611, the target server generates corresponding response data according to the access request 2.
And step S612, the target server returns the response data to the attack protection equipment.
Step S613, the attack protection device forwards the response data to the client.
And step S614, the client displays the corresponding display page according to the response data.
In the embodiment of the application, the attack protection device issues a first Js script file to the client, the third-party verification server issues a second Js script file to the client, and by running the first Js script file and the second Js script file the client sets a Cookie verification identifier of the third-party verification server and a Cookie verification identifier of the target server;
when a malicious attack tool (e.g., a hacker) attacks the server, many browser clients are called to refresh continuously in order to attack the server, so the client can counter such rapid, concurrent attacks by delaying the setting of the Cookie. While the setting of the Cookie is delayed, the display interface of the client is as shown in fig. 7, and the waiting time is shown to the user in the display interface of the client. After the client successfully sets the Cookie of the third-party verification server or the Cookie of the target server, the client displays an interface as shown in fig. 8.
In addition, since the third-party verification server is provided by the security service provider, the Cookie verification identifier stored in the client must not be modifiable or clearable by script, and therefore the third-party verification server needs to add the HttpOnly option when setting the Cookie. In addition, the third-party verification server must be an HTTPS-encrypted website, and adds "SameSite=None; Secure;" when setting Cookies, in order to comply with the client's restrictions on the use of third-party Cookies.
The third-party verification server can be implemented by building an Nginx or other web site, is highly available, and can be deployed as a cluster so that the failure of a single node does not affect the CC protection effect.
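The third-party verification server's two exchanges (steps S64 to S67) and the Cookie attributes required above, as an added example that is not code from the patent. The cookie name, the demo secret and the use of HMAC-SHA256 to derive the identifier from client information and first-access time are assumptions; the text does not specify a derivation.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

SERVER_SECRET = b"constructed-demo-secret"  # assumption: keyed derivation, demo value only
INTERMEDIATE_COOKIE = "tp_verify_id"        # hypothetical cookie name


def initial_identifier(client_info: str, first_access_ts: int) -> str:
    """Derive the initial verification identifier from the client's identification
    information and the time of its first access (HMAC-SHA256 is this example's choice)."""
    msg = f"{client_info}|{first_access_ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def build_set_cookie(name: str, value: str) -> str:
    """Set-Cookie value carrying the attributes the text requires."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=None"


def audit_set_cookie(header: str) -> List[str]:
    """Return the required attributes that a Set-Cookie value is missing."""
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    problems = []
    if "httponly" not in attrs:
        problems.append("HttpOnly missing: page script could read or clear the identifier")
    if "secure" not in attrs:
        problems.append("Secure missing: required together with SameSite=None")
    if attrs.get("samesite") != "none":
        problems.append("SameSite=None missing: cookie is not sent in a third-party context")
    return problems


class ThirdPartyVerifier:
    def __init__(self) -> None:
        self.issued = set()  # identifiers this server has handed out

    def handle(self, client_info: str, now: int,
               cookies: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
        """Return (Set-Cookie value, target verification identifier)."""
        presented = cookies.get(INTERMEDIATE_COOKIE)
        if presented is None:
            # No intermediate identifier: generate the initial identifier and
            # set it as the intermediate identifier (S64, S65).
            ident = initial_identifier(client_info, now)
            self.issued.add(ident)
            return build_set_cookie(INTERMEDIATE_COOKIE, ident), None
        if presented in self.issued:
            # Intermediate identifier verified: the same value is returned as
            # the target verification identifier for the target server (S67).
            return None, presented
        return None, None  # unknown identifier: nothing is issued


if __name__ == "__main__":
    verifier = ThirdPartyVerifier()
    client = "203.0.113.7|Mozilla/5.0 (constructed)"  # constructed client information
    header, _ = verifier.handle(client, 1700000000, {})
    ident = header.split(";")[0].split("=", 1)[1]
    print(header, audit_set_cookie(header))
    print(verifier.handle(client, 1700000005, {INTERMEDIATE_COOKIE: ident}))
```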
As shown in fig. 9, a schematic page display flow provided in this embodiment of the present application, applied to a client side, includes the following steps:
step S91, in response to an operation of accessing the target server triggered by the target object, the client obtains a target verification identifier corresponding to the target server; the target verification identifier is obtained from the third-party verification server, which the client accesses by executing the identifier acquisition script file issued by the attack protection device;
step S92, the client sends the first access request containing the target verification identifier to the attack protection device, so that the attack protection device forwards the first access request to the target server after determining that the target verification identifier passes the verification;
step S93, the client receives response data for the first access request returned by the target server, and displays a corresponding display page according to the response data.
Optionally, the obtaining, by the client, a target verification identifier corresponding to the target server specifically includes:
the client sends a second access request to the attack protection device, so that the attack protection device issues a preset identifier acquisition script file to the client after determining that the second access request does not contain the target verification identifier; the identifier acquisition script file contains address information of the third-party verification server;
the client receives and runs the identifier acquisition script file issued by the attack protection device;
and the client accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier acquisition script file, and acquires the target verification identifier from the third-party verification server.
Optionally, the client accesses the third-party verification server according to the address information of the third-party verification server included in the identifier acquisition script file, and acquires the target verification identifier from the third-party verification server, which specifically includes:
the client acquires an intermediate verification identifier corresponding to the third-party verification server;
the client sends, according to the address information of the third-party verification server contained in the identifier acquisition script file, a third access request containing the intermediate verification identifier to the third-party verification server;
the client receives and runs a preset identifier transfer script file issued by the third-party verification server; the identifier transfer script file contains address information of the third-party verification server;
the client accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier transfer script file, and acquires the target verification identifier from the third-party verification server; the third-party verification server takes the generated initial verification identifier corresponding to the client as the target verification identifier, and the initial verification identifier is generated, when the client accesses the third-party verification server for the first time, according to the identification information corresponding to the client and the time information of the first access.
Optionally, the obtaining, by the client, the intermediate verification identifier corresponding to the third-party verification server specifically includes:
the client sends, according to the address information of the third-party verification server contained in the identifier acquisition script file, a fourth access request to the third-party verification server, so that the third-party verification server takes the initial verification identifier corresponding to the client as the intermediate verification identifier after determining that the fourth access request does not contain the intermediate verification identifier;
and the client receives the intermediate verification identifier returned by the third-party verification server.
Optionally, the sending, by the client, the first access request including the target verification identifier to the attack protection device specifically includes:
if the client runs on the cloud server, the client sends a first access request containing the target verification identifier to the core switch equipment, and the core switch equipment forwards the first access request to the attack protection equipment;
if the client runs on the physical machine, the client modifies the domain name resolution address corresponding to the first access request from the address information of the target server to the address information of the attack protection equipment in a mode of modifying the domain name resolution address; and sending the first access request to the attack protection device.
As shown in fig. 10, a schematic page display flow provided in the embodiment of the present application is applied to an attack protection device side, and includes the following steps:
step S101, the attack protection device receives a first access request sent by a client; the first access request is sent by the client in response to an operation of accessing the target server triggered by the target object; the first access request contains a target verification identifier corresponding to the target server; the target verification identifier is obtained from the third-party verification server, which the client accesses by executing the identifier acquisition script file issued by the attack protection device;
step S102, after the attack protection device determines that the target verification identifier passes the verification, the first access request is forwarded to the target server, so that the target server returns response data aiming at the first access request to the client, and the client displays a corresponding display page according to the response data.
Optionally, before the attack protection device receives the first access request sent by the client, the method further includes:
the attack protection equipment receives a second access request sent by the client;
and after determining that the second access request does not contain the target verification identifier, the attack protection device issues a preset identifier acquisition script file to the client, wherein the identifier acquisition script file contains address information of the third-party verification server, so that the client receives and runs the identifier acquisition script file issued by the attack protection device, accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier acquisition script file, and acquires the target verification identifier from the third-party verification server.
As shown in fig. 11, a schematic page display flow provided in the embodiment of the present application is applied to an attack protection device side, and includes the following steps:
step S111, the third party verification server receives a third access request which is sent by the client and contains an intermediate verification identifier corresponding to the third party verification server;
step S112, after determining that the intermediate verification identifier passes the verification, the third-party verification server issues a preset identifier transfer script file to the client, so that the client obtains a target verification identifier corresponding to the target server from the third-party verification server by running the identifier transfer script file, responds to an operation of accessing the target server triggered by the target object, obtains response data corresponding to the operation of accessing the target server from the target server according to the target verification identifier, and displays a corresponding display page according to the response data.
Optionally, after the third party verifying server receives a third access request containing an intermediate verifying identifier corresponding to the third party verifying server and sent by the client, before issuing a preset identifier transfer script file to the client, the method further includes:
the third party verification server takes the generated initial verification identification corresponding to the client as a target verification identification; when the client accesses the third-party verification server for the first time, the third-party verification server generates the initial verification identifier according to the identification information corresponding to the client and the time information of the first access.
Optionally, before the third party verifying server receives a third access request that includes the intermediate verifying identifier corresponding to the third party verifying server and is sent by the client, the method further includes:
the third party verification server receives a fourth access request sent by the client;
after the third-party verification server determines that the fourth access request does not contain the intermediate verification identifier, taking the initial verification identifier corresponding to the client as the intermediate verification identifier;
and the third-party verification server returns the intermediate verification identifier to the client.
Based on the same inventive concept, the embodiment of the present application further provides a page display apparatus, and as the principle of the apparatus for solving the problem is similar to the page display method at the client side, the implementation of the apparatus may refer to the implementation of the method, and repeated details are not repeated.
As shown in fig. 12, a schematic structural diagram of a page display device 1200 provided in the embodiment of the present application includes:
an obtaining unit 1201, configured to obtain a target verification identifier corresponding to a target server in response to an operation of accessing the target server triggered by a target object; the target verification identifier is obtained from the third-party verification server, which the client accesses by executing the identifier acquisition script file issued by the attack protection device;
a first sending unit 1202, configured to send a first access request including a target verification identifier to an attack protection device, so that the attack protection device forwards the first access request to a target server after determining that the target verification identifier passes verification;
the first receiving unit 1203 is configured to receive response data, which is returned by the target server and is used for responding to the first access request, and display a corresponding display page according to the response data.
Optionally, the obtaining unit 1201 is specifically configured to:
sending a second access request to the attack protection device, so that the attack protection device issues a preset identifier acquisition script file to the client after determining that the second access request does not contain the target verification identifier; the identifier acquisition script file contains address information of the third-party verification server;
receiving and running the identifier acquisition script file issued by the attack protection device;
and accessing the third-party verification server according to the address information of the third-party verification server contained in the identifier acquisition script file, and acquiring the target verification identifier from the third-party verification server.
Optionally, the obtaining unit 1201 is specifically configured to:
acquiring an intermediate verification identifier corresponding to a third-party verification server;
sending, according to the address information of the third-party verification server contained in the identifier acquisition script file, a third access request containing the intermediate verification identifier to the third-party verification server;
receiving and running a preset identifier transfer script file issued by the third-party verification server; the identifier transfer script file contains address information of the third-party verification server;
accessing the third-party verification server according to the address information of the third-party verification server contained in the identifier transfer script file, and acquiring the target verification identifier from the third-party verification server; the third-party verification server takes the generated initial verification identifier corresponding to the client as the target verification identifier, and the initial verification identifier is generated, when the client accesses the third-party verification server for the first time, according to the identification information corresponding to the client and the time information of the first access.
Optionally, the obtaining unit 1201 is specifically configured to:
sending, according to the address information of the third-party verification server contained in the identifier acquisition script file, a fourth access request to the third-party verification server, so that the third-party verification server takes the initial verification identifier corresponding to the client as the intermediate verification identifier after determining that the fourth access request does not contain the intermediate verification identifier;
and receiving the intermediate verification identifier returned by the third-party verification server.
Optionally, the first sending unit 1202 is specifically configured to:
if the client runs on the cloud server, sending a first access request containing the target verification identifier to the core switch equipment, and forwarding the first access request to the attack protection equipment by the core switch equipment;
if the client runs on the physical machine, modifying the domain name resolution address corresponding to the first access request from the address information of the target server to the address information of the attack protection device in a mode of modifying the domain name resolution address; and sending the first access request to the attack protection device.
Based on the same inventive concept, the embodiment of the present application further provides a page display apparatus, and as the principle of solving the problem of the apparatus is similar to the page display method on the attack protection device side, the implementation of the apparatus may refer to the implementation of the method, and repeated details are not described herein.
As shown in fig. 13, a schematic structural diagram of a page display apparatus 1300 according to an embodiment of the present application includes:
a second receiving unit 1301, configured to receive a first access request sent by a client; the first access request is sent by the client in response to an operation of accessing the target server triggered by the target object; the first access request contains a target verification identifier corresponding to the target server; the target verification identifier is obtained from the third-party verification server, which the client accesses by executing the identifier acquisition script file issued by the attack protection device;
the second sending unit 1302, configured to forward the first access request to the target server after it is determined that the target verification identifier passes verification, so that the target server returns response data for the first access request to the client, and the client displays a corresponding display page according to the response data.
Optionally, the second receiving unit 1301 is further configured to:
receiving a second access request sent by the client;
and after determining that the second access request does not contain the target verification identifier, issuing a preset identifier acquisition script file to the client, wherein the identifier acquisition script file contains address information of the third-party verification server, so that the client receives and runs the identifier acquisition script file issued by the attack protection device, accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier acquisition script file, and acquires the target verification identifier from the third-party verification server.
Based on the same inventive concept, the embodiment of the application also provides a page display device, and as the principle of the device for solving the problems is similar to the page display method of the third-party verification server side, the implementation of the device can refer to the implementation of the method, and repeated details are omitted.
As shown in fig. 14, a schematic structural diagram of a page display device 1400 provided in the embodiment of the present application includes:
a third receiving unit 1401, configured to receive a third access request that includes an intermediate verification identifier corresponding to a third-party verification server and is sent by a client;
the third sending unit 1402 is configured to, after it is determined that the intermediate verification identifier passes the verification, issue a preset identifier transfer script file to the client, so that the client obtains a target verification identifier corresponding to the target server from the third-party verification server by running the identifier transfer script file, respond to an operation of accessing the target server triggered by the target object, obtain response data corresponding to the operation of accessing the target server from the target server according to the target verification identifier, and display a corresponding display page according to the response data.
Optionally, the third sending unit 1402 is further configured to:
taking the generated initial verification identifier corresponding to the client as a target verification identifier; when the client accesses the third-party verification server for the first time, the third-party verification server generates the initial verification identifier according to the identification information corresponding to the client and the time information of the first access.
Optionally, the third receiving unit 1401 is further configured to:
before receiving a third access request which is sent by a client and contains an intermediate verification identifier corresponding to a third-party verification server, receiving a fourth access request sent by the client;
after determining that the fourth access request does not contain the intermediate check identifier, taking the initial check identifier corresponding to the client as the intermediate check identifier;
and returning the intermediate check mark to the client.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.
As will be appreciated by one skilled in the art, each aspect of the present application may be embodied as a system, method or program product. Accordingly, each aspect of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
In some possible implementations, embodiments of the present application further provide an electronic device, and referring to fig. 15, an electronic device 1500 may include at least one processor 1501 and at least one memory 1502. In which the memory 1502 stores program code, which, when executed by the processor 1501, causes the processor 1501 to perform the steps in the page display method according to various exemplary embodiments of the present application described above in the present specification, for example, the processor 1501 may perform the steps as shown in fig. 9 or 10 or 11.
In some possible implementations, the present application further provides a computing device, which may include at least one processing unit and at least one storage unit. Wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps in the data page display according to various exemplary embodiments of the present application described above in this specification, for example, the processor 1401 may perform the steps as shown in fig. 9 or 10 or 11.
A computing device 1600 according to such an embodiment of the present application is described below with reference to fig. 16. The computing device 1600 of fig. 16 is only one example and should not be taken to limit the scope of use and functionality of embodiments of the present application.
As shown in fig. 16, computing device 1600 is in the form of a general purpose computing device. Components of computing device 1600 may include, but are not limited to: the at least one processing unit 1601, the at least one storage unit 1602, and a bus 1603 to which different system components (including the storage unit 1602 and the processing unit 1601) are coupled.
Bus 1603 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The storage unit 1602 may include a readable medium in the form of volatile memory, such as Random Access Memory (RAM) 1621 or cache memory unit 1622, and may further include Read Only Memory (ROM) 1623.
Storage unit 1602 may also include a program/utility 1625 having a set (at least one) of program modules 1624, such program modules 1624 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The computing apparatus 1600 may also communicate with one or more external devices 1604 (e.g., keyboard, pointing device, etc.), and may also communicate with one or more devices that enable a user to interact with the computing apparatus 1600, or any devices (e.g., router, modem, etc.) that enable the computing apparatus 1600 to communicate with one or more other computing apparatuses. Such communication may occur over an input/output (I/O) interface 1605. Moreover, the computing device 1600 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), or a public network such as the internet) through a network adapter 1606. As shown, the network adapter 1606 communicates with other modules for the computing device 1600 over a bus 1603. It should be understood that although not shown, other hardware or software modules may be used in conjunction with the computing device 1600, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
In some possible embodiments, each aspect of the page display method provided by the present application may also be implemented in the form of a program product including program code for causing a computer device to perform the steps in the page display method according to various exemplary embodiments of the present application described above in this specification when the program product is run on the computer device, for example, the computer device may perform the steps as shown in fig. 9 or 10 or 11.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. A page display method, characterized in that the method comprises:
in response to an operation of accessing a target server triggered by a target object, a client acquires a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by an attack protection device;
the client sends a first access request containing the target verification identifier to the attack protection device, so that the attack protection device forwards the first access request to the target server after determining that the target verification identifier passes verification;
and the client receives response data which is returned by the target server and aims at the first access request, and displays a corresponding display page according to the response data.
2. The method of claim 1, wherein the obtaining, by the client, the target verification identifier corresponding to the target server specifically includes:
the client sends a second access request to the attack protection device, so that the attack protection device issues a preset identifier acquisition script file to the client after determining that the second access request does not contain the target verification identifier; the identifier acquisition script file contains address information of the third-party verification server;
the client receives and runs the identifier acquisition script file issued by the attack protection device;
and the client accesses the third-party verification server according to the address information of the third-party verification server contained in the identification acquisition script file, and acquires the target verification identification from the third-party verification server.
3. The method according to claim 2, wherein the client accesses the third-party verification server according to the address information of the third-party verification server included in the identifier acquisition script file, and acquires the target verification identifier from the third-party verification server, specifically including:
the client acquires an intermediate verification identifier corresponding to the third-party verification server;
the client sends, according to the address information of the third-party verification server contained in the identifier acquisition script file, a third access request containing the intermediate verification identifier to the third-party verification server;
the client receives and runs a preset identifier transfer script file issued by the third-party verification server; the identifier transfer script file comprises address information of the third-party verification server;
the client accesses the third-party verification server according to the address information of the third-party verification server contained in the identifier transfer script file, and acquires the target verification identifier from the third-party verification server; the third-party verification server takes the generated initial verification identifier corresponding to the client as the target verification identifier, and the initial verification identifier is generated by the third-party verification server, when the client accesses the third-party verification server for the first time, according to the identification information corresponding to the client and the time information of the first access.
4. The method of claim 3, wherein the obtaining, by the client, the intermediate verification identifier corresponding to the third-party verification server specifically includes:
the client sends, according to the address information of the third-party verification server contained in the identifier acquisition script file, a fourth access request to the third-party verification server, so that the third-party verification server takes an initial verification identifier corresponding to the client as the intermediate verification identifier after determining that the intermediate verification identifier is not contained in the fourth access request;
and the client receives the intermediate verification identifier returned by the third-party verification server.
5. The method according to any one of claims 1 to 4, wherein the sending, by the client, the first access request including the target verification identifier to the attack protection device specifically includes:
if the client runs on a cloud server, the client sends a first access request containing the target verification identifier to core switch equipment, and the core switch equipment forwards the first access request to the attack protection equipment;
if the client runs on a physical machine, the client, by modifying the domain name resolution address, changes the domain name resolution address corresponding to the first access request from the address information of the target server to the address information of the attack protection device, and sends the first access request to the attack protection device.
6. A page display method, characterized in that the method comprises:
the attack protection equipment receives a first access request sent by a client; the first access request is sent by the client after responding to the operation of accessing the target server triggered by the target object; the first access request comprises a target verification identifier corresponding to the target server; the target verification identification is obtained by the client accessing a third-party verification server through executing an identification acquisition script file issued by the attack protection equipment and is obtained from the third-party verification server;
after the attack protection device determines that the target verification identifier passes verification, the first access request is forwarded to the target server, so that the target server returns response data for the first access request to the client, and the client displays a corresponding display page according to the response data.
7. The method of claim 6, wherein prior to the attack protection device receiving the first access request sent by the client, further comprising:
the attack protection equipment receives a second access request sent by the client;
and after determining that the target verification identifier is not included in the second access request, the attack protection device issues a preset identifier acquisition script file to the client, wherein the identifier acquisition script file includes address information of the third-party verification server, so that the client receives and runs the identifier acquisition script file issued by the attack protection device, accesses the third-party verification server according to the address information of the third-party verification server included in the identifier acquisition script file, and acquires the target verification identifier from the third-party verification server.
8. A page display method, characterized in that the method comprises:
a third party verification server receives a third access request which is sent by a client and contains an intermediate verification identifier corresponding to the third party verification server;
after the third-party verification server determines that the intermediate verification identifier passes verification, a preset identifier transfer script file is issued to the client, so that the client obtains a target verification identifier corresponding to the target server from the third-party verification server by running the identifier transfer script file, responds to the operation of accessing the target server triggered by a target object, obtains response data corresponding to the operation of accessing the target server from the target server according to the target verification identifier, and displays a corresponding display page according to the response data.
9. The method of claim 8, wherein after the third party verifying server receives a third access request containing an intermediate verifying identifier corresponding to the third party verifying server and sent by a client, and before issuing a preset identifier transfer script file to the client, the method further comprises:
the third party verification server takes the generated initial verification identifier corresponding to the client as the target verification identifier; and when the client accesses the third-party verification server for the first time, the third-party verification server generates the initial verification identifier according to the identification information corresponding to the client and the time information of the first access.
10. The method of claim 9, wherein before the third party verification server receives a third access request sent by a client and containing an intermediate verification identifier corresponding to the third party verification server, the method further comprises:
the third party verification server receives a fourth access request sent by the client;
after determining that the fourth access request does not include the intermediate verification identifier, the third-party verification server takes an initial verification identifier corresponding to the client as the intermediate verification identifier;
and the third party verification server returns the intermediate verification identification to the client.
11. A page display apparatus, characterized in that the apparatus comprises:
an acquisition unit, configured to acquire, in response to an operation of accessing a target server triggered by a target object, a target verification identifier corresponding to the target server; the target verification identifier is obtained from a third-party verification server, which the client accesses by executing an identifier acquisition script file issued by an attack protection device;
a first sending unit, configured to send a first access request that includes the target verification identifier to the attack protection device, so that the attack protection device forwards the first access request to the target server after determining that the target verification identifier is verified;
and the first receiving unit is used for receiving response data which is returned by the target server and aims at the first access request, and displaying a corresponding display page according to the response data.
12. A page display apparatus, characterized in that the apparatus comprises:
the second receiving unit is used for receiving the first access request sent by the client; the first access request is sent by the client after responding to the operation of accessing the target server triggered by the target object; the first access request comprises a target verification identifier corresponding to the target server; the target verification identification is obtained by the client accessing a third-party verification server through executing an identification acquisition script file issued by the attack protection equipment and is obtained from the third-party verification server;
and the second sending unit is used for forwarding the first access request to the target server after the target verification identifier is determined to pass the verification, so that the target server returns response data aiming at the first access request to the client, and the client displays a corresponding display page according to the response data.
13. A page display apparatus, characterized in that the apparatus comprises:
a third receiving unit, configured to receive a third access request that includes an intermediate verification identifier corresponding to the third-party verification server and is sent by a client;
and the third sending unit is used for issuing a preset identification transfer script file to the client after the intermediate verification identification is confirmed to pass verification, so that the client acquires a target verification identification corresponding to the target server from the third-party verification server by running the identification transfer script file, responds to the operation of accessing the target server triggered by a target object, acquires response data corresponding to the operation of accessing the target server from the target server according to the target verification identification, and displays a corresponding display page according to the response data.
14. An electronic device comprising a processor and a memory, wherein the memory stores program code that, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 5, or causes the processor to perform the steps of the method of claim 6 or 7, or causes the processor to perform the steps of the method of any of claims 8 to 10.
15. A computer readable storage medium, characterized in that it comprises program code for causing an electronic device to perform the steps of the method of any of claims 1-5, or to perform the steps of the method of claim 6 or 7, or to perform the steps of the method of any of claims 8-10, when said program code is run on the electronic device.
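The message flow of claims 1 to 10, simulated in one process as an added example; this is not code from the patent or from the applicant. Assumptions not found in the claims: the identifier is an HMAC-SHA256 over the client identifier and first-access time under a key shared by the verification server and the attack protection device, the device enforces a maximum age and checks that the identifier belongs to the sender, the transfer-script round trip is collapsed into a return value, and all class, function and field names are hypothetical.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: shared by verifier and protection device

def _tag(key, client_id, first_access):
    msg = f"{client_id}|{first_access}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class VerificationServer:  # third-party verification server (claims 8 to 10)
    def __init__(self, key):
        self.key, self.initial = key, {}
    def handle(self, client_id, now, intermediate_id=None):
        if intermediate_id is None:  # fourth access request (claim 10)
            if client_id not in self.initial:
                # Initial identifier: client identity plus first-access time (claim 9).
                tag = _tag(self.key, client_id, now)
                self.initial[client_id] = f"{client_id}|{now}|{tag}"
            return {"intermediate_id": self.initial[client_id]}
        known = self.initial.get(client_id, "")  # third access request (claim 8)
        if not known or not hmac.compare_digest(intermediate_id.encode(), known.encode()):
            return {"error": "intermediate identifier rejected"}
        # Simplification: the transfer script's outcome is returned directly.
        return {"target_id": known}

class ProtectionDevice:  # attack protection device (claims 6 and 7)
    def __init__(self, key, verifier_addr, target, max_age=300):
        self.key, self.verifier_addr = key, verifier_addr
        self.target, self.max_age = target, max_age  # max_age is an assumption
    def handle(self, request, now):
        token = request.get("target_id")
        if token is None:  # second access request: issue the acquisition script
            return {"script": {"verifier": self.verifier_addr}}
        if not self._valid(token, request["client_id"], now):
            return {"error": "verification failed"}
        return self.target(request)  # first access request is forwarded
    def _valid(self, token, client_id, now):
        try:
            owner, first_access, tag = token.rsplit("|", 2)
            age = now - int(first_access)
        except ValueError:
            return False
        expected = _tag(self.key, owner, first_access)
        ok = hmac.compare_digest(tag.encode(), expected.encode())
        return ok and owner == client_id and 0 <= age <= self.max_age

def client_flow(client_id, device, verifiers, now):  # claims 1 to 4, client side
    reply = device.handle({"client_id": client_id}, now)
    if "script" not in reply:
        return reply
    verifier = verifiers[reply["script"]["verifier"]]
    mid = verifier.handle(client_id, now)["intermediate_id"]
    target_id = verifier.handle(client_id, now, mid)["target_id"]
    return device.handle({"client_id": client_id, "target_id": target_id}, now)
```

Without the sender binding and the age limit, an identifier captured from one client would be accepted from any other sender indefinitely, which is why both checks sit in `_valid`.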

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110193684.1A CN114969730A (en) 2021-02-20 2021-02-20 Page display method and device, electronic equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN114969730A true CN114969730A (en) 2022-08-30

Family

ID=82954691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110193684.1A Pending CN114969730A (en) 2021-02-20 2021-02-20 Page display method and device, electronic equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN114969730A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115758300A (en) * 2022-11-28 2023-03-07 北京淘友天下技术有限公司 Data processing method and device, electronic equipment and storage medium
CN115758300B (en) * 2022-11-28 2023-08-01 北京淘友天下技术有限公司 Data processing method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination