CN103023869B - Malicious attack prevention method and browser - Google Patents


Publication number: CN103023869B
Authority: CN (China)
Prior art keywords: cookie, malicious attack, url, attribute, browser
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201210434815.1A
Other languages: Chinese (zh)
Other versions: CN103023869A (en)
Inventors: 党壮, 任寰
Current Assignee: Beijing Qihoo Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignees: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to: CN201210434815.1A
Publication of: CN103023869A
Application granted; publication of: CN103023869B

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a malicious attack prevention method and a browser, and relates to the field of Internet technology. The browser includes a malicious attack prevention device comprising an acquiring unit, an inspection unit, an adding unit and a storage unit. The acquiring unit is adapted to obtain the Cookie generated by the server when a user logs in to a website and to send it to the inspection unit. The inspection unit is adapted to check whether the attribute that prevents malicious attacks is set in the Cookie and, if it is not, to send the Cookie to the adding unit. The adding unit is adapted to add the attribute that prevents malicious attacks to the Cookie and then send it to the storage unit. The storage unit is adapted to save the Cookie it receives. With this technical solution, malicious use of Cookies can be prevented on the browser side, which solves the problem that, when the server of a site the user visits has weak protection against XSS, the information in the user's Cookie may be stolen or tampered with, threatening the user's security.

Description

Malicious attack prevention method and browser
Technical field
The present invention relates to the field of Internet technology, and in particular to a malicious attack prevention method and a browser.
Background art
Cross-site scripting (XSS) attacks take place on the client and can be used to steal private data, carry out phishing, steal passwords and spread malicious code. A malicious attacker places harmful client-side code on a server as web page content, so that when other users of the site view the page, the code is injected into their browsers and executed, and those users are attacked. In general, by using cross-site scripting an attacker can steal the session cookie and thereby steal the private data of the site's users, including passwords.
A Cookie is data that some websites store on the user's local terminal in order to identify the user and track the session; it is usually encrypted. The Cookie is generated by the server and sent to the browser. The browser saves the Cookie's key/value in a text file under a certain directory and sends the Cookie back to the server on the next request to the same website. The Cookie's name and value can be defined by the server; for JSP, jsessionid can also be written directly. This lets the server know whether the user is a legitimate user, whether a new login is needed, and so on.
A Cookie is the user's authentication token for a specific website and contains sensitive information, for example the user name, the computer name, the browser in use and the websites previously visited. Users do not want this content to leak, especially when it also includes personal information.
XSS, however, can steal a user's Cookie, and the Cookie can then be used to take over the user's operating privileges on the website. If the Cookie of a site administrator is stolen, the harm to the website is severe. In addition, an attacker who obtains a user's identity by stealing the Cookie gains that user's operating privileges on the website and can view the user's private information.
A scheme that prevents Cookies from being used for malicious attacks is therefore needed.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a malicious attack prevention method and a browser that overcome the above problems or at least partially solve them.
According to one aspect of the invention, a malicious attack prevention method is provided, comprising:
When a user logs in to a website, the browser obtains the Cookie generated by the server and checks whether the attribute that prevents malicious attacks is set in the Cookie;
If the attribute that prevents malicious attacks is not set in the Cookie, the browser adds the attribute to the Cookie and then saves the Cookie;
If the attribute that prevents malicious attacks is set in the Cookie, the browser saves the Cookie directly.
Optionally, the method further comprises:
Maintaining a uniform resource locator (URL) list, which stores the URLs of websites to which the attribute that prevents malicious attacks can be added without causing faults;
When obtaining the Cookie generated by the server, the browser also obtains the URL of the corresponding website and uses it to query the URL list. If the obtained URL is in the list, the browser performs the step of checking whether the attribute that prevents malicious attacks is set in the Cookie and the subsequent steps.
Optionally, the method further comprises:
If the obtained URL is not in the URL list, the browser does not perform the step of checking whether the attribute that prevents malicious attacks is set in the Cookie or the subsequent steps, and saves the Cookie directly.
Optionally, the attribute that prevents malicious attacks includes the "access restriction" attribute and/or the "security" attribute.
According to another aspect of the invention, a browser is provided that includes a malicious attack prevention device. The device includes an acquiring unit, an inspection unit, an adding unit and a storage unit, wherein:
The acquiring unit is adapted to obtain the Cookie generated by the server when a user logs in to a website and to send it to the inspection unit;
The inspection unit is adapted to check whether the attribute that prevents malicious attacks is set in the Cookie and, if it is not, to send the Cookie to the adding unit;
The adding unit is adapted to add the attribute that prevents malicious attacks to the Cookie and then send it to the storage unit;
The storage unit is adapted to save the Cookie it receives.
Optionally, the inspection unit is further adapted to send the Cookie directly to the storage unit when the attribute that prevents malicious attacks is set in the Cookie.
Optionally, the device further includes a list storage unit and a list query unit;
The list storage unit is adapted to store a uniform resource locator (URL) list, which stores the URLs of websites to which the attribute that prevents malicious attacks can be added without causing faults;
The acquiring unit is adapted, when a user logs in to a website, to obtain the URL of the corresponding website along with the Cookie generated by the server, and to send the URL and the Cookie together to the list query unit;
The list query unit is adapted to query the URL list in the list storage unit with the received URL and determine whether the received URL is in the list and, if it is, to send the received Cookie to the inspection unit.
Optionally, the list query unit is further adapted to send the received Cookie directly to the storage unit when the received URL is not in the URL list.
Optionally, the adding unit is adapted to add the "access restriction" attribute and/or the "security" attribute to the Cookie and then send it to the storage unit.
According to the technical solution of the invention, when a user logs in to a website, the browser obtains the Cookie generated by the server and checks whether the attribute that prevents malicious attacks is set in it; if the attribute is not set, the browser adds it to the Cookie and then saves the Cookie. This prevents malicious use of Cookies on the browser side and so solves the problem that, when the server of a site the user visits has weak protection against XSS, the information in the user's Cookie may be stolen or tampered with, threatening the user's security.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting of the invention. Throughout the drawings, the same reference signs denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a malicious attack prevention method according to an embodiment of the invention;
Fig. 2 shows a flow chart of another malicious attack prevention method according to an embodiment of the invention;
Fig. 3 shows a structural diagram of a malicious attack prevention device according to an embodiment of the invention;
Fig. 4 shows a structural diagram of another malicious attack prevention device according to an embodiment of the invention;
Fig. 5 shows a structural diagram of a browser according to an embodiment of the invention.
Detailed description
A Cookie is the user's authentication token for a specific website. A server can use the arbitrary information contained in Cookies to filter and regularly maintain that information in order to determine state across HTTP transfers. The most typical application of Cookies is determining whether a registered user has already logged in to a website; the user may be asked whether to keep the user information for the next visit to the site so as to simplify login. Another important application is handling things like a "shopping cart": a user may select different items on different pages of the same website over a period of time, and this information is all written into Cookies so that it can be retrieved at final checkout.
A Cookie can keep login information until the user's next session with the server. In other words, on the next visit to the same website the user finds that they are already logged in without entering a user name and password. Some Cookies are deleted when the user ends the session, which effectively protects personal privacy. A Cookie is assigned an Expires value when it is generated; this is the Cookie's lifetime. The Cookie is valid within this period and is cleared once the period has passed.
When several browsers are installed on one computer, each browser stores its Cookies in its own separate space. Because a Cookie can not only identify the user but can also contain information about the computer and the browser, a user who logs in with different browsers or on different computers obtains different Cookie information. Conversely, Cookies do not distinguish between several users who use the same browser on the same computer unless they log in with different user names.
Some Cookie-related operations are described below:
1. Creating a Cookie
A new Cookie can be created by adding a Cookie to the Response.Cookies collection. The Response.Cookies collection contains all the Cookies sent from the web server to the browser.
    // Add a Cookie named "message" to the response sent to the browser.
    Response.Cookies["message"].Value = txtCookiue.Text;
2. Reading a Cookie
A Cookie can be read from the Request.Cookies collection.
    // Read the "message" Cookie only if the browser actually sent it.
    if (Request.Cookies["message"] != null)
        lblCookiue.Text = Request.Cookies["message"].Value;
3. Setting Cookie attributes
The HttpCookie class represents a Cookie. When creating or reading a Cookie, the following properties can be used:
  • Domain ("domain"): sets the domain name associated with the Cookie;
  • Expires ("period"): creates a persistent Cookie with a given expiry time;
  • HasKeys ("hash value"): specifies whether a Cookie is a multi-valued Cookie;
  • HttpOnly ("access restriction"): prevents the Cookie from being accessed by JavaScript;
  • Name ("name"): the name of the Cookie;
  • Path ("path"): the path associated with the Cookie, / by default;
  • Value ("value"): reads or writes the value of the Cookie;
  • Security ("security"): specifies that the Cookie must be transmitted over a Secure Sockets Layer connection;
  • Values ("specific value"): reads or writes specific values when a multi-valued Cookie is used.
4. Deleting a Cookie
Set the Cookie's Expires value to a time in the past.
XSS can steal a user's Cookie and use it to take over the user's operating privileges on the website. If the server of the site the user visits sets the Cookie's attributes to HttpOnly and Security, client-side scripts cannot read and thus misappropriate the Cookie; only the server can read it, which protects the user's information.
It should be noted that many websites pay little attention to this aspect of security when they are built and do not set these Cookie security attributes. When the server does not set the HttpOnly and Security attributes on its Cookie, the user information in the Cookie is at risk of being obtained or tampered with. In that case, the technical solution of the invention can protect the user's information on the browser side.
Specifically, whenever a user logs in to a website and Cookies are generated, each time a Cookie is about to be written to the computer the browser checks whether the HttpOnly and Security attributes are set in it. If they are not, the two attributes are added to the Cookie, which prevents malicious use of the Cookie and protects the user's information.
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Fig. 1 shows a flow chart of a malicious attack prevention method according to an embodiment of the invention. As shown in Fig. 1, the method includes:
Step S102: when a user logs in to a website, the browser obtains the Cookie generated by the server.
Step S104: the browser checks whether the attribute that prevents malicious attacks is set in the obtained Cookie; if so, step S106 is performed, otherwise step S108 is performed.
Step S106: if the attribute that prevents malicious attacks is set in the Cookie, the browser saves the Cookie directly.
Step S108: if the attribute that prevents malicious attacks is not set in the Cookie, the browser adds the attribute to the Cookie and then saves the Cookie.
In one embodiment of the invention, the attribute that prevents malicious attacks includes the "access restriction" attribute and/or the "security" attribute. Setting the "access restriction" attribute means setting HttpOnly in the Cookie, and setting the "security" attribute means setting Security in the Cookie. In other embodiments of the invention, the attribute that prevents malicious attacks may also include attributes other than these.
The method shown in Fig. 1 prevents malicious use of Cookies on the browser side and so solves the problem that, when the server of a site the user visits has weak protection against XSS, the information in the user's Cookie may be stolen or tampered with, threatening the user's security.
However, because many websites are built with inconsistent settings across their different functional parts, adding the attribute that prevents malicious attacks (such as HttpOnly and Security) to every Cookie that lacks it may leave a website's functions incomplete and cause operating faults. To address this, the invention proposes maintaining a table in the background that lists the URLs to which the two attributes above can be added without causing faults. The resulting process is shown in Fig. 2.
Fig. 2 shows a flow chart of another malicious attack prevention method according to an embodiment of the invention. As shown in Fig. 2, the method includes:
Step S202: when a user logs in to a website, the browser obtains the Cookie generated by the server and the URL of the corresponding website.
Step S204: the browser uses the obtained URL to query the URL list.
Here, the URL list is a list maintained in the background. It stores the URLs of websites to which the attribute that prevents malicious attacks can be added without causing faults.
Step S206: the browser determines whether the obtained URL is in the URL list; if so, step S208 is performed, otherwise step S212 is performed directly.
Step S208: the browser checks whether the attribute that prevents malicious attacks is set in the obtained Cookie; if so, step S212 is performed directly, otherwise step S210 is performed.
Step S210: the browser adds the attribute that prevents malicious attacks to the Cookie.
Step S212: the browser saves the Cookie.
The method shown in Fig. 2 prevents malicious use of Cookies on the browser side and so solves the problem that, when the server of a site the user visits has weak protection against XSS, the information in the user's Cookie may be stolen or tampered with, threatening the user's security. And because a URL list is provided, adding the attribute that prevents malicious attacks to Cookies on the browser side does not leave website functions incomplete or cause operating faults.
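The flows of Fig. 1 and Fig. 2 can be sketched as a function that rewrites a Set-Cookie header value before the browser stores it. This is an added example, not code from the patent: the function names, the hostname-based list, the https-only rule for Secure and the sample headers are assumptions. The attribute the text calls "Security" is written `Secure` in a Set-Cookie header.

```javascript
'use strict';

// Constructed stand-in for the patent's "URL list": sites known to keep working
// when the attributes are added. Matching by hostname is an assumption.
const TROUBLE_FREE_HOSTS = new Set(['shop.example.com', 'mail.example.com']);

// Split one Set-Cookie header value into its name=value pair and attribute list.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  // RFC 6265 ignores a cookie string whose first part has no "=".
  if (parts.length === 0 || !parts[0].includes('=')) {
    throw new Error('not a Set-Cookie value: ' + header);
  }
  const [pair, ...attrs] = parts;
  // Attribute names are case-insensitive; only the text before "=" is the name.
  // The cookie's own name (in `pair`) is never treated as an attribute.
  const names = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { pair, attrs, names };
}

// Steps S202 to S212: decide whether to harden, add what is missing,
// and return the header value the browser should store.
function hardenSetCookie(header, pageUrl, allowlist = TROUBLE_FREE_HOSTS) {
  const url = new URL(pageUrl);
  const { pair, attrs, names } = parseSetCookie(header);
  const added = [];

  // S206: a site that is not on the list has its cookie stored untouched.
  if (!allowlist.has(url.hostname)) {
    return { header, added, reason: 'site-not-listed' };
  }

  // S208/S210: add only the attributes the server left out.
  if (!names.has('httponly')) added.push('HttpOnly');
  // Assumption beyond the patent text: add Secure only when the cookie arrived
  // over HTTPS, because a Secure cookie is never sent back over plain HTTP and
  // the site's session would break.
  if (!names.has('secure') && url.protocol === 'https:') added.push('Secure');

  if (added.length === 0) {
    return { header, added, reason: 'already-protected' };
  }
  // S212: this rewritten value is what gets saved.
  return { header: [pair, ...attrs, ...added].join('; '), added, reason: 'hardened' };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  ['https://shop.example.com/login', 'SESSIONID=abc123; Path=/'],
  ['https://mail.example.com/', 'sid=1; path=/; httponly; SECURE'],
  ['https://legacy.example.net/', 'sid=1; Path=/'],
  ['http://shop.example.com/', 'sid=1; Path=/'],
];
for (const [url, header] of SAMPLES) {
  const r = hardenSetCookie(header, url);
  console.log(`${r.reason.padEnd(17)} ${r.header}`);
}
```

The third sample shows why the list exists: a site whose own scripts read the session cookie is left alone rather than broken.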
Fig. 3 shows a structural diagram of a malicious attack prevention device according to an embodiment of the invention. As shown in Fig. 3, the malicious attack prevention device 300 includes an acquiring unit 311, an inspection unit 312, an adding unit 313 and a storage unit 314, wherein:
The acquiring unit 311 is adapted to obtain the Cookie generated by the server when a user logs in to a website and to send it to the inspection unit 312;
The inspection unit 312 is adapted to check whether the attribute that prevents malicious attacks is set in the Cookie; if the attribute is not set, the Cookie is sent to the adding unit 313, and if the attribute is set, the Cookie is sent directly to the storage unit 314;
The adding unit 313 is adapted to add the attribute that prevents malicious attacks to the received Cookie and then send it to the storage unit 314;
The storage unit 314 is adapted to save the Cookie it receives.
In one embodiment of the invention, the adding unit 313 is adapted to add the "access restriction" attribute and/or the "security" attribute to the Cookie and then send it to the storage unit 314.
Fig. 4 shows a structural diagram of another malicious attack prevention device according to an embodiment of the invention. As shown in Fig. 4, the malicious attack prevention device 400 includes an acquiring unit 411, a list query unit 415, an inspection unit 412, an adding unit 413, a storage unit 414 and a list storage unit 416, wherein:
The list storage unit 416 is adapted to store a uniform resource locator (URL) list, which stores the URLs of websites to which the attribute that prevents malicious attacks can be added without causing faults.
The acquiring unit 411 is adapted, when a user logs in to a website, to obtain the URL of the corresponding website along with the Cookie generated by the server, and to send the URL and the Cookie together to the list query unit 415.
The list query unit 415 is adapted to query the URL list in the list storage unit 416 with the received URL and determine whether the received URL is in the list; if it is, the received Cookie is sent to the inspection unit 412, and if it is not, the received Cookie is sent directly to the storage unit 414.
The inspection unit 412 is adapted to check whether the attribute that prevents malicious attacks is set in the received Cookie; if the attribute is not set, the Cookie is sent to the adding unit 413, and if the attribute is set, the Cookie is sent directly to the storage unit 414;
The adding unit 413 is adapted to add the attribute that prevents malicious attacks to the received Cookie and then send it to the storage unit 414;
The storage unit 414 is adapted to save the Cookie it receives.
In one embodiment of the invention, the adding unit 413 is adapted to add the "access restriction" attribute and/or the "security" attribute to the Cookie and then send it to the storage unit 414.
Fig. 5 shows a structural diagram of a browser according to an embodiment of the invention. As shown in Fig. 5, the browser 500 includes a malicious attack prevention device 501.
The malicious attack prevention device 501 may be the malicious attack prevention device 300 shown in Fig. 3 or the malicious attack prevention device 400 shown in Fig. 4.
In summary, according to the technical solution of the invention, when a user logs in to a website, the browser obtains the Cookie generated by the server and checks whether the attribute that prevents malicious attacks is set in it; if the attribute is not set, the browser adds it to the Cookie and then saves the Cookie. This prevents malicious use of Cookies on the browser side and so solves the problem that, when the server of a site the user visits has weak protection against XSS, the information in the user's Cookie may be stolen or tampered with, threatening the user's security.
It should be noted that:
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description above of a specific language is given to disclose the best mode of the invention.
Numerous specific details are described in the specification provided herein. It is to be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the malicious attack prevention device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (6)

1. a malicious attack prevention method, wherein, including:
Safeguard a uniform resource position mark URL list;This url list saves the URL of the website that can trouble-freely add the attribute preventing malicious attack;
When user's Website login, browser obtains the Cookie that server end generates and the URL obtaining corresponding website, each Cookie to client-side carry out write operation time, browser uses acquired URL to inquire about described url list, judging whether to exist in described url list acquired URL, if existed, browser checks whether have selected the attribute preventing malicious attack in this Cookie;
If not having the selected attribute preventing malicious attack in this Cookie, then browser adds the attribute preventing malicious attack in this Cookie, then preserves this Cookie, thus preventing the malice of Cookie to use;
If have selected the attribute preventing malicious attack in this Cookie, then browser directly preserves this Cookie.
2. the method for claim 1, wherein the method farther includes:
If being absent from acquired URL in described url list, then browser does not perform whether to have selected in this Cookie of described inspection step and the subsequent step of the attribute preventing malicious attack, directly preserves this Cookie.
3. method as claimed in claim 1 or 2, wherein,
The described attribute preventing malicious attack includes: " accessing restriction " attribute and/or " safety " attribute.
4. A browser comprising a malicious attack prevention device, the malicious attack prevention device comprising: an acquiring unit, an inspection unit, an adding device, a storage unit, a list storage unit and a Query List unit, wherein:
The list storage unit is adapted to store a uniform resource locator (URL) list; the URL list holds the URLs of websites to which the attribute preventing malicious attack can be added without trouble;
The acquiring unit is adapted to, when a user logs in to a website, obtain the Cookie generated by the server and the URL of the corresponding website, and, each time a Cookie is to be written to the client side, send the URL and the Cookie together to the Query List unit;
The Query List unit is adapted to query the URL list in the list storage unit with the received URL and judge whether the received URL exists in the URL list, and, if it exists, to send the received Cookie to the inspection unit;
The inspection unit is adapted to check whether the attribute preventing malicious attack has been set in the Cookie; if the attribute has not been set in the Cookie, the Cookie is sent to the adding device; if the attribute has been set in the Cookie, the Cookie is sent directly to the storage unit;
The adding device is adapted to add the attribute preventing malicious attack to the Cookie and then send the Cookie to the storage unit, thereby preventing malicious use of the Cookie;
The storage unit is adapted to save the received Cookie.
5. The browser of claim 4, wherein
The Query List unit is further adapted to send the received Cookie directly to the storage unit when the received URL does not exist in the URL list.
6. The browser of claim 4 or 5, wherein
The adding device is adapted to add the "accessing restriction" attribute and/or the "safety" attribute to the Cookie and then send the Cookie to the storage unit.
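The write-time check of claims 1 to 3, sketched as an added example; it is not code from the patent or from any browser. It assumes the "accessing restriction" and "safety" attributes correspond to the HttpOnly and Secure cookie attributes and that a URL is "in the list" when its origin matches an entry; the function names and URLs are constructed.

```javascript
// Added example (not from the patent): the claimed write-time check applied to
// a Set-Cookie header value. Assumption: "accessing restriction" = HttpOnly
// and "safety" = Secure. All names and URLs below are constructed.

// Constructed URL list: sites where the attributes can be added without trouble.
const URL_LIST = ["https://mail.example.com/", "http://legacy.example.org/"];

// Assumption: a URL "exists in the list" when its origin matches an entry's.
function inUrlList(pageUrl, urlList) {
  const origin = new URL(pageUrl).origin;
  return urlList.some((entry) => new URL(entry).origin === origin);
}

// Attribute names of a Set-Cookie value, lower-cased. The first segment is
// name=value and is skipped, so a value such as "sid=httponly" is not
// mistaken for the attribute.
function attributeNames(setCookie) {
  return setCookie
    .split(";")
    .slice(1)
    .map((part) => part.split("=")[0].trim().toLowerCase())
    .filter((name) => name !== "");
}

// Returns the cookie string the browser should store.
function hardenCookie(setCookie, pageUrl, urlList = URL_LIST) {
  // Claim 2: URL not listed, so the cookie is stored unchanged.
  if (!inUrlList(pageUrl, urlList)) return setCookie;

  const present = new Set(attributeNames(setCookie));
  const missing = [];
  if (!present.has("httponly")) missing.push("HttpOnly");
  // Design choice of this example: add Secure only for HTTPS pages, since a
  // Secure cookie is never sent back over plain HTTP and would break the login.
  const isHttps = new URL(pageUrl).protocol === "https:";
  if (isHttps && !present.has("secure")) missing.push("Secure");

  // Claim 1: attributes already set, store as is; otherwise add them first.
  if (missing.length === 0) return setCookie;
  const base = setCookie.replace(/[;\s]+$/, "");
  return base + "; " + missing.join("; ");
}
```

The HTTPS condition on Secure illustrates why the claims restrict the rewrite to a list of sites known to tolerate the added attributes.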
CN201210434815.1A 2012-11-02 2012-11-02 Malicious attack prevention method and browser Active CN103023869B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210434815.1A CN103023869B (en) 2012-11-02 2012-11-02 Malicious attack prevention method and browser

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210434815.1A CN103023869B (en) 2012-11-02 2012-11-02 Malicious attack prevention method and browser

Publications (2)

Publication Number Publication Date
CN103023869A CN103023869A (en) 2013-04-03
CN103023869B true CN103023869B (en) 2016-07-06

Family

ID=47972000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210434815.1A Active CN103023869B (en) 2012-11-02 2012-11-02 Malicious attack prevention method and browser

Country Status (1)

Country Link
CN (1) CN103023869B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618721A (en) * 2013-12-03 2014-03-05 彭岸峰 XSS preventing security service
CN105095309A (en) * 2014-05-21 2015-11-25 腾讯科技(深圳)有限公司 Webpage processing method and device
CN105282096A (en) * 2014-06-18 2016-01-27 腾讯科技(深圳)有限公司 XSS vulnerability detection method and device
CN104536981B (en) * 2014-12-05 2018-01-16 北京奇虎科技有限公司 Realize method, browser client and the device of secure browser
CN105049440B (en) * 2015-08-06 2018-04-10 福建天晴数码有限公司 Detect the method and system of cross-site scripting attack injection
CN105072109B (en) * 2015-08-06 2018-03-30 福建天晴数码有限公司 Prevent the method and system of cross-site scripting attack

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158493A (en) * 2011-04-15 2011-08-17 奇智软件(北京)有限公司 Cookie analyzing method, device thereof and client
CN102932353A (en) * 2012-11-02 2013-02-13 北京奇虎科技有限公司 Method and device for preventing malicious attacks

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7359976B2 (en) * 2002-11-23 2008-04-15 Microsoft Corporation Method and system for improved internet security via HTTP-only cookies
US7571322B2 (en) * 2004-08-10 2009-08-04 Microsoft Corporation Enhanced cookie management

Also Published As

Publication number Publication date
CN103023869A (en) 2013-04-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.