CN116566694A - Access request processing method and device - Google Patents


Publication number
CN116566694A
Authority
CN
China
Prior art keywords
object data
target object
address
identification information
browser
Legal status
Pending
Application number
CN202310571774.9A
Other languages
Chinese (zh)
Inventor
周剑锋
王超
熊苍明
Current Assignee
Hunan Happly Sunshine Interactive Entertainment Media Co Ltd
Original Assignee
Hunan Happly Sunshine Interactive Entertainment Media Co Ltd
Application filed by Hunan Happly Sunshine Interactive Entertainment Media Co Ltd
Priority to CN202310571774.9A
Publication of CN116566694A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

In this application, when it is determined that the target object data requested by an object access request belongs to object data with a script attack risk, a forced download instruction is returned to the browser together with the target object data. The forced download instruction instructs the browser to store the target object data on the terminal where the browser runs, so that the user can display the target object data stored in a target storage area using another application, and the target object data is not previewed directly in the browser.

Description

Access request processing method and device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and an apparatus for processing an access request.
Background
With the development of computer technology, people use various kinds of multimedia data in the course of work or study, such as PDF and Word documents, audio and video. To facilitate information sharing, people upload data to a server so that users who need it can continue to use it.
However, attackers often exploit website vulnerabilities by uploading data that carries attack scripts, which are then used to attack the website or to obtain its information. For example, when other users access a PDF document through a browser, the browser opens the document directly for preview, so the attack script carried in the PDF can be triggered automatically and the attacker can obtain information related to the website. How to reduce attacks on a website by attack scripts carried in data is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
In view of this, the present application provides a method and apparatus for processing an access request, so as to reduce attacks on a website by attack scripts carried in data.
In order to achieve the above object, the following solutions have been proposed:
in one aspect, the present application provides an access request processing method, including:
obtaining an object access request sent by a browser, wherein the object access request comprises address identification information for indicating target object data to be requested;
acquiring the target object data based on the address identification information;
and under the condition that the target object data belongs to the object data with the risk of script attack, sending the target object data and a forced downloading instruction to the browser, wherein the forced downloading instruction is used for indicating the browser to store the target object data into a target storage area of a terminal where the browser is located, so that a user can display the target object data stored in the target storage area by adopting an application outside the browser, and the target storage area does not belong to a storage area corresponding to the browser.
In a possible implementation manner, the determining that the target object data belongs to object data at risk of script attack includes at least one of the following:
if the address identification information belongs to a set data address with the risk of script attack, determining that the target object data belongs to object data with the risk of script attack;
And if the target object data belongs to object data of a target type, determining that the target object data belongs to object data with script attack risk, wherein the object data of the target type is set to be the object data capable of carrying an attack script.
In yet another possible implementation manner, the obtaining the target object data based on the address identification information includes:
if the address identification information is encrypted address information, determining an actual storage address of the target object data based on the encrypted address information;
acquiring the target object data based on the actual storage address;
and the determining, if the address identification information belongs to a set data address with a script attack risk, that the target object data belongs to object data with a script attack risk includes:
if the address identification information is encrypted address information, determining that the target object data belongs to object data with a script attack risk.
In yet another possible implementation manner, the method further includes:
if the address identification information is not encrypted address information and belongs to a marked access-prohibited address, not responding to the object access request, wherein address identification information that belongs to an access-prohibited address indicates that the object data it points to is object data capable of carrying an attack script.
In yet another possible implementation manner, the determining, based on the encrypted address information, an actual storage address of the target object data includes:
decrypting the encrypted address information to obtain actual identification information contained in the encrypted address information, wherein the actual identification information is used for uniquely identifying an actual storage address of the target object data;
and determining the actual storage address of the target object data based on the actual identification information.
In yet another possible implementation manner, before the obtaining the object access request sent by the browser, the method further includes:
obtaining target object data sent by a user terminal;
and if the target object data belongs to the object data with the risk of script attack, storing the target object data, and setting the target object data as the object data which needs forced downloading.
In yet another possible implementation manner, the setting the target object data as object data that needs to be forcedly downloaded includes:
determining address identification information of the target object data;
and setting the address identification information of the target object data as a data address with the risk of script attack.
In yet another possible implementation manner, the determining address identification information of the target object data includes:
determining an actual storage address of the target object data;
the setting the address identification information of the target object data as a data address with a script attack risk includes:
constructing encrypted address information based on the actual storage address of the target object data, wherein the encrypted address information is used to indicate that the target object data belongs to object data with a script attack risk.
In another possible implementation manner, the setting the address identification information of the target object data to be a data address with a risk of script attack further includes:
and storing the actual storage address of the target object data into an access prohibition directory, wherein the access prohibition directory is used for storing the storage address which prohibits direct access.
In yet another aspect, the present application further provides an access request processing apparatus, including:
a request obtaining unit, configured to obtain an object access request sent by a browser, where the object access request includes address identification information for indicating target object data to be requested;
A data determining unit for obtaining the target object data based on the address identification information;
and the information sending unit is used for sending the target object data and a forced downloading instruction to the browser under the condition that the target object data is determined to belong to the object data with the risk of script attack, wherein the forced downloading instruction is used for instructing the browser to store the target object data into a target storage area of a terminal where the browser is located, so that a user can display the target object data stored in the target storage area by adopting an application outside the browser, and the target storage area does not belong to a storage area corresponding to the browser.
As can be seen from the above, in the embodiment of the present application, if it is determined that the target object data to be requested by the object access request belongs to the object data having the risk of script attack, the mandatory download instruction is returned to the browser while the target object data is sent to the browser. The forced downloading instruction can instruct the browser to store the target object data on the terminal of the browser, so that a user can open and display the target object data through other applications, and the target object data is prevented from being previewed through the browser directly.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
Fig. 1 is a schematic flow chart of an access request processing method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of storing object data according to an embodiment of the present application;
fig. 3 is a schematic flow chart of a method for processing an access request according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an access request processing apparatus according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
An access request processing method provided in the embodiment of the present application is described below.
Fig. 1 is a schematic flow chart of an access request processing method according to an embodiment of the present application, which may be applied to a server that provides a data access service, for example, a server that provides various multimedia data access and storage services, without limitation.
The method of the embodiment comprises the following steps:
step S101, obtaining an object access request sent by a browser.
The object access request includes address identification information for indicating target object data to be requested.
Wherein the object access request is a request for requesting acquisition of certain object data. In this application, these object data are in various forms, such as: documents, pictures, video, audio, etc.
To identify the target object data to be accessed, the object access request includes address identification information of the target object data. The target object data can be understood as the target object the user wants to access, such as: a document named a. The address identification information is identification information for locating the target object data. For example, it may be the actual storage address of the target object data, or identification information obtained by processing that actual storage address. The different cases are described later and are not detailed here.
Step S102, obtaining target object data based on the address identification information.
As is apparent from the above description, since the address identification information is used to locate the target object data, the server can obtain the target object data to be accessed by the browser based on the address identification information.
Step S103, when it is determined that the target object data belongs to the object data having the risk of script attack, the target object data and the forced download instruction are transmitted to the browser.
To reduce attacks by attack scripts, before the target object data is sent to the browser it is necessary to determine whether the target object data is object data with a script attack risk. When the target object data is determined to belong to object data with a script attack risk, the target object data and a forced download instruction are sent to the browser.
The forced downloading instruction is used for instructing the browser to store the target object data in a target storage area of the terminal of the browser, so that a user can display the target object data stored in the target storage area by using an application outside the browser, and the target object data can be prevented from being directly previewed through the browser.
The target storage area does not belong to a storage area corresponding to the browser, and the storage area corresponding to the browser is a storage space allocated to the browser, such as a cache area allocated to the browser, a hard disk storage area and the like.
It can be understood that after the server issues the forced download instruction to the browser, the browser saves the target object data locally on the terminal where the browser runs, instead of opening and displaying it directly in the browser. Once the target object data is stored on the terminal, the user can open the data stored in the target storage area directly; for example, if the target object data is PDF data, it can be opened and displayed with a PDF reader or similar. Alternatively, the browser may output identification information prompting that the download of the target object data is complete, and when the user clicks it, the browser invokes an application for presenting the target object data, which displays the data. Of course, other ways of displaying the target object data with an application other than the browser are also possible, without limitation.
In this application, if it is determined that the target object data requested by the object access request belongs to object data with a script attack risk, a forced download instruction is returned to the browser together with the target object data. The forced download instruction instructs the browser to store the target object data on the terminal where the browser runs, so that the user can open and display the data with another application and the data is not previewed directly in the browser. Therefore, even if the target object data carries an attack script, the script is not run by the browser, because the target object data is not opened and displayed directly in the browser, and the script cannot attack the server. This reduces cases in which an attack script carried in data is run by the browser and the server is attacked.
In the present application, there are various possible specific implementations of determining whether the target object data belongs to the object data that has a risk of script attack, and several possible implementations are described below as examples.
In one possible implementation, considering that object data capable of carrying an attack script is of specific data types, the type of the target object data may be determined first, and if the target object data belongs to object data of a target type, it is determined that the target object data belongs to object data with a script attack risk. Object data of the target type is object data that has been set as capable of carrying attack scripts.
The object data of the target type may be set according to actual needs, and the target type may include one or more types, which is not limited. For example, it is found through research that an attack script can be carried in a PDF document, and then the PDF document can be set as object data of a target type, and if the target object data belongs to the PDF document, the target object data belongs to the object data capable of carrying the attack script.
In yet another possible implementation manner, in view of the relatively high complexity of identifying the type of the object data, in order to be able to more efficiently identify the object data that needs to be indicated to be forcedly downloaded, the present application may further set address identification information of the target object data to a data address having a risk of script attack when the server stores the target object data. On the basis, if the server determines that the address identification information in the object access request belongs to the set data address with the script attack risk, the target object data is determined to be the object data with the script attack risk.
If the address identification information belongs to the address information recorded in the forced download directory, it is determined that the target object data pointed to by the address identification information belongs to the object data capable of carrying the attack script, that is, the object data having the risk of script attack.
For another example, the server may also perform special processing on address information of the object data in advance for the object data capable of carrying the attack script, so that if the server determines that the address identification information is address identification information of a specific type, it determines that the target object data requested to be accessed by the object access request is the object data having the risk of script attack. The specific type of address identification information is not the actual storage address of the data object, but encrypted address information, which will be described in detail later, and will not be described herein.
It is understood that in the present application, the address identification information included in the object access request may be the actual storage address of the target object data.
In particular, the address identification information in this application may also be encrypted address information when the target object data is object data capable of carrying an attack script. One purpose is to reduce cases in which others obtain the actual storage address of the target object data through malicious polling access or similar means, and the attack script carried in the target object data then attacks the server because, for example, the forced download mechanism fails. Another purpose is to let the server recognize that the object data requested by the object access request is object data with an attack risk, and so distinguish the request from conventional object access requests. On this basis, if the address identification information is encrypted address information, the actual storage address of the target object data is determined based on the encrypted address information, and the target object data is obtained based on the actual storage address.
Further, in the case that the address identification information is encrypted address information, the server determines that the address identification information is not a conventional actual address, and the server can identify that the target object data requested to be accessed by the address identification information belongs to object data having a risk of script attack.
In order to facilitate understanding of different situations of address identification information and specific processing of an object access request for accessing object data with risk of script attack in the present application, a process of storing object data after a server obtains object data uploaded by a user in the present application is described below. It can be appreciated that the user can upload the object data to be stored to the server at any time, so the sequence of storing the object data and processing the object access request may not be limited.
For convenience of description and understanding, the server obtains object data uploaded by the user as the target object data, and in this case, the process of uploading the target object data is before the browser obtains an object access request for the target object data.
In the application, after the server obtains the target object data sent by the user terminal, it may be determined whether the target object data belongs to object data having a risk of script attack, for example, if the target object data belongs to object data of a set target type, it is determined that the target object data belongs to object data having a risk of script attack or capable of carrying an attack script. Correspondingly, when the server determines that the target object data belongs to the object data with the risk of script attack, the server stores the target object data, determines the address identification information of the target object data, and simultaneously sets the target object data as the object data which needs to be forcedly downloaded.
There are also a plurality of possible implementations for setting the target object data as the object data to be forcedly downloaded, and the following are two possible ways for illustration:
in one possible way: setting the target object data as object data requiring forced download may be adding a forced download flag to the target object data, the forced download flag indicating that a forced download instruction needs to be returned to the user's browser when the user requests the target object data.
In still another possible manner, setting the target object data as the object data that needs to be forcedly downloaded may further be setting the address identification information of the target object data as the data address having a risk of script attack after determining the address identification information of the target object data. For example, the address identification information is stored in a forced download directory for storing address information corresponding to object data to be instructed to be forced downloaded. For example, after determining the actual storage address of the target object data, the actual storage address is stored in the forced download directory, or the encrypted address information is generated based on the actual storage address and then stored in the forced download directory.
The following describes a specific implementation by taking setting address identification information of target object data as a data address having a risk of script attack to identify the target object data as object data to be forcedly downloaded as an example.
Fig. 2 is a schematic flow chart of storing a data object in an embodiment of the present application, where the embodiment may be applied to a server, and the embodiment may include:
step S201, obtaining target object data sent by a user terminal.
For example, a user transmits target object data to a server through a user terminal to request storage of the target object data by the server.
The server may obtain the target object data uploaded by the user in various data forms, such as: documents, pictures, audio, video, etc., without limitation.
Step S202, if the target object data belongs to object data with script attack risk, storing the target object data, determining an actual storage address of the target object data, and storing the actual storage address into an access forbidden directory.
There are various ways to determine whether the target object data belongs to object data with a script attack risk. For example, the server may judge whether the target object data is object data of a preset target type and, if so, determine that it belongs to object data with a script attack risk. The target type is a type of object data that may carry a script attack risk; for example, object data of the target type may be PDF data. As another example, a data risk classifier or identifier trained or constructed in advance may be used to identify whether the target object data belongs to object data with a script attack risk.
The target object data may be stored in a database or a storage area associated with a server, and may be specifically set according to needs, which is not limited.
It can be understood that users upload many types of object data to the server, and some object data cannot carry attack scripts. To distinguish object data with a script attack risk from object data without it, so that the browser can be instructed to perform forced download for the former, and to further improve the security of the server, the application stores the actual storage address of object data with a script attack risk in the access-prohibited directory.
Wherein the access prohibition directory is used for storing a storage address which prohibits direct access.
It will be appreciated that if the target object data does not belong to object data at risk of scripting attack, then the target object data may be stored directly and its actual storage address determined.
Of course, adding the actual storage address of the target object data to the access-prohibited directory is only an alternative, and this step may not be performed in a scenario where the security requirement is not particularly high.
It will be appreciated that if the target object data does not belong to object data having a risk of scripting attack, after storing the target object data and determining the actual storage address, further operations and subsequent operations related to steps S203 and S204 need to be performed.
Step S203, based on the actual storage address of the target object data, constructing encrypted address information to obtain the address identification information of the target object data.
The purpose of locating the target object data by adopting the encryption address information is to indicate that the target object data belongs to the object data with the risk of script attack through the encryption address information.
It can be understood that the target object data is of a data type capable of carrying an attack script but does not necessarily contain one, so not all data capable of carrying an attack script can be made inaccessible. Therefore, to ensure normal user access to the object data while reducing the risk of the server being attacked by an attack script, this embodiment generates, for object data with a script attack risk, a new address identifier based on the actual storage address of the object data, so that the user can access the target object data only through the encrypted address. The server can then identify whether the target object data requested in an object access request belongs to object data with a script attack risk based on whether the address identification information carried in the request is encrypted address information.
The construction of the encrypted address information is described in one possible way as follows: after determining the actual storage address of the target object data, encrypting the actual storage address to obtain the generated address identification information so that the user can access the target object data by using the address identification information.
Further, in order to avoid that the actual storage address of the target object data is decrypted, the present application may further store the actual storage address of the target object data into the address list after determining the actual storage address of the target object data, where each actual storage address in the geographic list corresponds to a unique label, such as an ID in the address list. On the basis, the method and the device can encrypt the unique label corresponding to the actual storage address of the target object data to obtain the address identification information of the target object data. The encryption algorithm for encrypting the unique label of the actual storage address can be selected according to the requirement, and is not limited to the above.
For example: the only mark of the actual storage address of the H document in the address list is abc, and the abc can be encrypted by utilizing an RSA encryption algorithm, so that encrypted address identification information is obtained.
Step S204, storing the encrypted address information of the target object data in the forced download directory.
The forced download directory is a pre-designated file directory used to store the address information of object data for which forced download must be indicated. On this basis, if the server finds that the address identification information in an object access request belongs to the address information in the forced download directory, it returns the forced download instruction to the browser together with the data object corresponding to the address identification information.
Of course, step S204 is just one way of setting the address identification information as a data address with a risk of script attack; in practical application, a specific association flag may instead be added to the address identifier, which is not limited here.
In practical application, the encrypted address information itself can indicate that the target object data it points to is object data capable of carrying a script attack risk (such as PDF document type data). After obtaining an object access request, the server can therefore determine that a forced download instruction needs to be issued to the browser together with the requested target object data as soon as it identifies the address identification information carried in the request as encrypted address information. On this basis, step S204 may also be regarded as merely a preferred way to identify more reliably that the target object data pointed to by the encrypted address information is data with a risk of script attack that requires forced download.
In addition, this embodiment describes the address identification information as encrypted address information, but the address identification information may also directly be the actual storage address of the target object. In that case, the actual storage address need not be set as an access-prohibited address, but may be stored in the forced download directory, which will not be described again.
The following describes the access request processing method of the present application, taking one possible case as an example. Fig. 3 shows a further flowchart of the access request processing method provided in the embodiment of the present application. The present embodiment may include:
Step S301, obtaining an object access request sent by a browser.
The object access request includes address identification information for indicating target object data to be requested.
For this step, refer to the description of the related steps above; it is not repeated here.
Step S302, if the address identification information is encrypted address information, determining the actual storage address of the target object data based on the encrypted address information.
If the address identification information carried in the object access request is encrypted address information, the server may determine that the target object data requested to be accessed by the object access request belongs to the object data of the target type, or is the object data capable of carrying the attack script.
Determining the actual storage address from the encrypted address information is the reverse of generating the encrypted address information from the actual storage address, so the way the actual storage address is obtained depends on how the encrypted address information was generated. For example, in one possible implementation, if the encrypted address information was generated from the actual identification information corresponding to the actual storage address of the target object data, the encrypted address information may first be decrypted to obtain the actual identification information. The actual identification information is used to uniquely identify the actual storage address of the target object data. Accordingly, the actual storage address of the target object data may be determined based on the actual identification information.
If the actual identification information is the ID of the actual storage address of the target object data in the address list, the actual storage address corresponding to that ID can be looked up in the address list to obtain the actual storage address of the target object data. For example: the actual identification information decrypted from the encrypted address information is 123, and the actual storage address www.a b.123 is then obtained, so that the target object data stored in the storage area corresponding to the actual storage address can be obtained based on the actual storage address.
Step S303, obtaining the target object data based on the actual storage address.
The actual storage addresses are in one-to-one correspondence with the target object data, so that the target object data can be determined according to the actual storage addresses.
Step S304, sending target object data and forced downloading instructions to the browser.
The forced downloading instruction is used for indicating the browser to store the target object data into a target storage area of a terminal where the browser is located, so that a user can display the target object data stored in the target storage area by adopting an application outside the browser, and the target storage area does not belong to a storage area corresponding to the browser.
It can be understood that, because the server recognizes the address carried in the object access request as encrypted address information, it can determine that the requested target object data belongs to object data capable of carrying an attack script. The server therefore executes steps S302 to S304 to instruct the browser to download the target object data, so that it can later be opened by another application on the terminal where the browser is located. This prevents the target object data from being opened and displayed directly on the browser side, where an attack script carried in the data could run in the browser, and thereby reduces cases in which an attack script attacks the server.
Of course, in step S302, where the address identification information in the object access request is encrypted address information, the server may return the forced download instruction at the same time as it returns the target object data to the browser. In practical application, if the server stored the encrypted address information of target object data capable of carrying an attack script in the forced download directory when storing the object data, the server may further detect, after obtaining the encrypted address information, whether it belongs to the addresses in the forced download directory, and if so, perform the related operations of steps S302 to S304.
Step S305, if the address identification information does not belong to the encrypted address information, confirming that the address identification information is the actual storage address of the target object data, detecting whether the address identification information belongs to the calibrated forbidden access address, and if so, not responding to the object access request; if not, step S306 is performed.
Address identification information that belongs to the access-prohibited addresses indicates that the object data it points to is object data capable of carrying an attack script.
It will be appreciated from the earlier description of storing the target object data that, if the address identification information is not encrypted address information, the address identification information is the actual storage address of the target object data. In this case, if the target object data is object data with a risk of script attack (for example, the target object data is of the target type), the server will have marked the actual storage address of the target object data as an access-prohibited address after storing it, so that others cannot directly access the target object data by using the actual storage address.
If the server stores the actual storage addresses of target object data with a risk of script attack in the access prohibition directory, then after obtaining an object access request whose address identification information is an actual storage address, the server can detect whether that actual storage address belongs to the addresses in the access prohibition directory. If so, the object access request is not responded to; if not, step S306 is performed.
Step S306, obtaining the target object data based on the address identification information, and returning the target object data to the browser.
For example, if the address identification information in the object access request is an actual storage address and that address is not an access-prohibited address, the target object data requested is object data that cannot carry an attack script. Assuming that attack scripts are carried by PDF documents, this means the target object requested is object data other than PDF document data. In this case, the server may follow the conventional object access request flow: obtain the target object data based on the address identification information (i.e., the actual storage address) and return it directly.
Accordingly, the browser can still directly open the target object data because the browser does not receive the forced download instruction.
From the above, the server converts the actual storage address of object data at risk of script attack into encrypted address information and, at the same time, sets the actual storage address of that object data as an access-prohibited address. On this basis, a user cannot directly access target object data with a script attack risk by using its actual storage address, which reduces cases in which the target object data is obtained illegitimately by polling or similar means rather than through a browser and an attack script carried in it is then run.
Moreover, even if the access prohibition mechanism of the actual storage address fails, the actual storage address of the data object with the risk of script attack is not disclosed outside, so that the object access request can only be initiated by using the encryption address information of the target object data, and the risk of script attack possibly caused by the failure of the access prohibition mechanism of the actual storage address can be further reduced.
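The storage path (steps S203 and S204 plus the access-prohibition marking) and the request path (steps S301 to S306) can be sketched as follows; this is an added example, not code from the patent. Assumptions: the forced download instruction is modelled as a `Content-Disposition: attachment` response header, the opaque address is an HMAC-SHA256-authenticated label rather than the RSA ciphertext of the patent's example (the Python standard library has no authenticated cipher), "not responding" is modelled as a 403, and `ObjectStore`, `RISKY_TYPES` and `TOKEN_PREFIX` are hypothetical names.

```python
import hashlib
import hmac
import re
import secrets

RISKY_TYPES = {"application/pdf"}  # assumed "target type"; PDF is the patent's example
TOKEN_PREFIX = "t."                # hypothetical marker of an opaque (encrypted) address


class ObjectStore:
    """Toy in-memory server following the patent's storage and request steps."""

    def __init__(self, key: bytes):
        self._key = key
        self.blobs = {}         # actual storage address -> (content type, bytes)
        self.address_list = {}  # unique label -> actual storage address
        self.forbidden = set()  # access prohibition directory (actual addresses)
        self.forced = set()     # forced download directory (opaque addresses)

    def _sig(self, label: str) -> str:
        return hmac.new(self._key, label.encode(), hashlib.sha256).hexdigest()

    def store(self, name: str, content_type: str, data: bytes) -> str:
        """Store an upload and return its address identification information."""
        actual = f"/objects/{secrets.token_hex(8)}/{name}"
        self.blobs[actual] = (content_type, data)
        if content_type not in RISKY_TYPES:
            return actual                     # harmless types keep the real address
        label = secrets.token_hex(8)          # unique label in the address list
        self.address_list[label] = actual
        self.forbidden.add(actual)            # direct access becomes prohibited
        token = f"{TOKEN_PREFIX}{label}.{self._sig(label)}"  # S203 (HMAC stand-in)
        self.forced.add(token)                # S204
        return token

    def _resolve(self, token: str):
        """Reverse of S203: actual address for a valid token, otherwise None."""
        label, _, sig = token[len(TOKEN_PREFIX):].partition(".")
        if not hmac.compare_digest(sig.encode(), self._sig(label).encode()):
            return None                       # forged or tampered token
        return self.address_list.get(label)

    def handle(self, address_id: str):
        """Process an object access request; returns (status, headers, body)."""
        if address_id.startswith(TOKEN_PREFIX):                  # S302
            actual = self._resolve(address_id)
            if actual is None or address_id not in self.forced:
                return 404, {}, b""
            _, data = self.blobs[actual]                         # S303
            filename = re.sub(r"[^A-Za-z0-9._-]", "_", actual.rsplit("/", 1)[-1])
            headers = {                                          # S304
                "Content-Type": "application/octet-stream",
                "Content-Disposition": f'attachment; filename="{filename}"',
                "X-Content-Type-Options": "nosniff",
            }
            return 200, headers, data
        if address_id in self.forbidden:                         # S305
            return 403, {}, b""               # sketch's choice for "not responding"
        if address_id not in self.blobs:
            return 404, {}, b""
        content_type, data = self.blobs[address_id]              # S306
        return 200, {"Content-Type": content_type}, data


if __name__ == "__main__":
    store = ObjectStore(secrets.token_bytes(32))
    # Constructed sample uploads, not real documents.
    pdf_id = store.store("report.pdf", "application/pdf", b"%PDF-1.7 constructed")
    png_id = store.store("logo.png", "image/png", b"\x89PNG constructed")
    print(store.handle(pdf_id)[:2])
    print(store.handle(next(iter(store.forbidden)))[0])
    print(store.handle(png_id)[:2])
```

Because the sample token only authenticates the label and does not hide it, a deployment that also needs the label to stay secret would replace `_sig` and `_resolve` with an authenticated cipher from a vetted library.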
The following describes an access request processing apparatus provided in an embodiment of the present application; the apparatus described below and the access request processing method described above may be cross-referenced.
Referring to fig. 4, a schematic diagram of a composition structure of an access request processing apparatus in the present application is shown, where the apparatus may include:
a request obtaining unit 401, configured to obtain an object access request sent by a browser, where the object access request includes address identification information for indicating target object data to be requested;
a data determining unit 402, configured to obtain the target object data based on the address identification information;
an information sending unit 403, configured to send, when it is determined that the target object data belongs to object data that has a risk of script attack, the target object data and a forced download instruction to the browser, where the forced download instruction is used to instruct the browser to save the target object data to a target storage area of a terminal where the browser is located, so that a user displays, by using an application other than the browser, the target object data stored in the target storage area, where the target storage area does not belong to a storage area corresponding to the browser.
In one possible implementation manner, the information sending unit may include at least one of the following:
the first information sending unit is used for determining that the target object data belongs to the object data with the script attack risk when the address identification information belongs to the set data address with the script attack risk, and sending the target object data and the forced downloading instruction to the browser;
and the second information sending unit is used for determining that the target object data belongs to object data with script attack risk if the target object data belongs to object data of a target type, and sending the target object data and a forced downloading instruction to the browser, wherein the object data of the target type is set object data capable of carrying an attack script.
In one possible implementation, the data determining unit includes:
an address processing unit configured to determine an actual storage address of the target object data based on the encrypted address information if the address identification information is the encrypted address information;
a data acquisition unit configured to acquire the target object data based on the actual storage address;
the second information transmitting unit includes:
and the second information sending subunit is used for determining that the target object data belongs to the object data with the risk of script attack if the address identification information belongs to the encrypted address information, and sending the target object data and the forced downloading instruction to the browser.
In yet another possible implementation manner, the address processing unit includes:
an address decryption subunit, configured to decrypt the encrypted address information to obtain actual identification information contained in the encrypted address information, where the actual identification information is used to uniquely identify an actual storage address of the target object data;
and the address determination subunit is used for determining the actual storage address of the target object data based on the actual identification information.
In yet another possible implementation, the apparatus further includes:
and the access prohibition unit is used for not responding to the object access request if the address identification information does not belong to the encrypted address information and the address identification information belongs to the marked access prohibition address, wherein the address identification information belonging to the access prohibition address indicates that the object data pointed to by the address identification information is object data capable of carrying an attack script.
In yet another possible implementation, the apparatus further includes:
the data acquisition unit is used for acquiring target object data sent by the user terminal before the request acquisition unit acquires the object access request sent by the browser;
and the storage processing unit is used for storing the target object data and setting the target object data as the object data which needs to be forcedly downloaded if the target object data belongs to the object data with the risk of script attack.
In yet another possible implementation, the storage processing unit includes:
a data storage unit, configured to store the target object data if the target object data belongs to object data having a risk of script attack, and determine address identification information of the target object data;
and the address setting unit is used for setting the address identification information of the target object data as a data address with the risk of script attack.
In a further possible implementation manner, the data storage unit is specifically configured to determine an actual storage address of the target object data when determining the address identification information of the target object data;
the address setting unit includes:
and the address encryption unit is used for constructing encrypted address information based on the actual storage address of the target object data, wherein the encrypted address information is used for indicating that the target object data belongs to the object data with the risk of script attack.
In yet another possible implementation manner, the address setting unit further includes:
an address disable setting unit for storing the actual storage address of the target object data into an access-prohibited directory for storing the storage address for which direct access is prohibited.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another. Meanwhile, the features described in the embodiments of this specification may be replaced with or combined with each other to enable those skilled in the art to make or use the present application. Because the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief, and the relevant points can be found in the description of the method embodiments.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing is merely a preferred embodiment of the present application. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of the present application.

Claims (10)

1. An access request processing method, comprising:
obtaining an object access request sent by a browser, wherein the object access request comprises address identification information for indicating target object data to be requested;
acquiring the target object data based on the address identification information;
and under the condition that the target object data belongs to the object data with the risk of script attack, sending the target object data and a forced downloading instruction to the browser, wherein the forced downloading instruction is used for indicating the browser to store the target object data into a target storage area of a terminal where the browser is located, so that a user can display the target object data stored in the target storage area by adopting an application outside the browser, and the target storage area does not belong to a storage area corresponding to the browser.
2. The method of claim 1, wherein the determining that the target object data belongs to object data at risk of script attack comprises at least one of:
if the address identification information belongs to a set data address with the risk of script attack, determining that the target object data belongs to object data with the risk of script attack;
and if the target object data belongs to object data of a target type, determining that the target object data belongs to object data with script attack risk, wherein the object data of the target type is set to be the object data capable of carrying an attack script.
3. The method of claim 2, wherein the obtaining the target object data based on the address identification information comprises:
if the address identification information is encrypted address information, determining an actual storage address of the target object data based on the encrypted address information;
acquiring the target object data based on the actual storage address;
and if the address identification information belongs to a set data address with a script attack risk, determining that the target object data belongs to object data with the script attack risk comprises the following steps:
and if the address identification information belongs to the encrypted address information, determining that the target object data belongs to the object data with the risk of script attack.
4. A method according to claim 3, further comprising:
and if the address identification information does not belong to the encrypted address information and the address identification information belongs to the marked access prohibition address, not responding to the object access request, wherein the address identification information belonging to the access prohibition address indicates that the object data pointed to by the address identification information is object data capable of carrying an attack script.
5. A method according to claim 3, wherein said determining the actual storage address of the target object data based on the encrypted address information comprises:
decrypting the encrypted address information to obtain actual identification information contained in the encrypted address information, wherein the actual identification information is used for uniquely identifying an actual storage address of the target object data;
and determining the actual storage address of the target object data based on the actual identification information.
6. The method of claim 1, further comprising, prior to said obtaining the object access request sent by the browser:
obtaining target object data sent by a user terminal;
and if the target object data belongs to the object data with the risk of script attack, storing the target object data, and setting the target object data as the object data which needs forced downloading.
7. The method according to claim 6, wherein the setting the target object data as object data that needs to be forcedly downloaded includes:
determining address identification information of the target object data;
and setting the address identification information of the target object data as a data address with the risk of script attack.
8. The method of claim 7, wherein said determining address identification information of said target object data comprises:
determining an actual storage address of the target object data;
the setting the address identification information of the target object data as a data address with a script attack risk includes:
and constructing encrypted address information based on the actual storage address of the target object data, wherein the encrypted address information is used for indicating that the target object data belongs to the object data with the risk of script attack.
9. The method according to claim 8, wherein the setting address identification information of the target object data as a data address having a risk of script attack, further comprises:
and storing the actual storage address of the target object data into an access prohibition directory, wherein the access prohibition directory is used for storing the storage address which prohibits direct access.
10. An access request processing apparatus, comprising:
a request obtaining unit, configured to obtain an object access request sent by a browser, where the object access request includes address identification information for indicating target object data to be requested;
a data determining unit for obtaining the target object data based on the address identification information;
and the information sending unit is used for sending the target object data and a forced downloading instruction to the browser under the condition that the target object data is determined to belong to the object data with the risk of script attack, wherein the forced downloading instruction is used for instructing the browser to store the target object data into a target storage area of a terminal where the browser is located, so that a user can display the target object data stored in the target storage area by adopting an application outside the browser, and the target storage area does not belong to a storage area corresponding to the browser.
CN202310571774.9A 2023-05-19 2023-05-19 Access request processing method and device Pending CN116566694A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310571774.9A CN116566694A (en) 2023-05-19 2023-05-19 Access request processing method and device


Publications (1)

Publication Number Publication Date
CN116566694A true CN116566694A (en) 2023-08-08

Family

ID=87499867


Country Status (1)

Country Link
CN (1) CN116566694A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination