Summary of the invention
In view of the above problems, the present invention has been proposed to a kind of overcome the problems referred to above or the recognition methods that is suitable for website fire compartment wall addressing the above problem at least in part and equipment are correspondingly provided.
According to one aspect of the present invention, the recognition methods of a kind of website fire compartment wall is provided, comprising:
To website, send HTTP request;
Receive the response message that website is returned;
Obtain the information relevant to fire compartment wall in response message;
According to the information relevant to fire compartment wall, identification fire compartment wall.
Alternatively, to website, send HTTP request, comprising:
To the URL(Uniform Resource Locator of website, URL(uniform resource locator)) transmission GET request;
Obtain the information relevant to fire compartment wall in response message, comprising:
Obtain the information relevant to fire compartment wall in the head of the response message for GET request that website returns.
Alternatively, to website, send HTTP request, comprising:
From index database, extract a link of website, structure cross-site scripting attack (XSS) leak test request;
Cross-site scripting attack (XSS) leak test request is sent to website;
Obtain the information relevant to fire compartment wall in response message, comprising:
Obtain the head of the response message for cross-site scripting attack (XSS) leak test request of returning website and/or the information relevant to fire compartment wall in content.
Alternatively, to website, send HTTP request, comprising:
With preset frequency, to website, send leak test request;
Obtain the information relevant to fire compartment wall in response message, comprising:
Obtain the head of the response message for leak test request of returning website and/or the information relevant to fire compartment wall in content.
Alternatively, according to the information relevant to fire compartment wall, identification fire compartment wall, comprising:
According to the preset information relevant to fire compartment wall and the corresponding relation of fire compartment wall, identification fire compartment wall.
Alternatively, the information relevant to fire compartment wall comprises:
The characteristic information of the specific part extracting from response message.
According to one aspect of the present invention, a kind of identification equipment of fire compartment wall is also provided, comprising:
Request transmitter, is configured to send to website HTTP request;
Response receiver, is configured to receive the response message that website is returned;
Acquisition of information device, is configured to obtain the information relevant to fire compartment wall in response message;
Fire compartment wall identifier, is configured to according to the information relevant to fire compartment wall, identification fire compartment wall.
Alternatively, request transmitter is also configured to the URL transmission GET request of website;
Correspondingly, acquisition of information device is also configured to obtain the information relevant to fire compartment wall in the head of the response message for GET request of returning website.
Alternatively, request transmitter is also configured to extract a link of website from index database, structure cross-site scripting attack (XSS) leak test request, and cross-site scripting attack (XSS) leak test request is sent to website;
Correspondingly, acquisition of information device is also configured to obtain the head of the response message for cross-site scripting attack (XSS) leak test request of returning website and/or the information relevant to fire compartment wall in content.
Alternatively, request transmitter is also configured to send to website with preset frequency leak test request;
Correspondingly, acquisition of information device is also configured to obtain the head of the response message for leak test request of returning website and/or the information relevant to fire compartment wall in content.
Alternatively, fire compartment wall identifier is also configured to according to the preset information relevant to fire compartment wall and the corresponding relation of fire compartment wall, identification fire compartment wall.
Alternatively, the information relevant to fire compartment wall comprises:
The characteristic information of the specific part extracting from response message.
The invention provides the recognition methods of a kind of website fire compartment wall, by send HTTP to website, ask and receive the response message that website is returned, obtain the information relevant to fire compartment wall in response message, thereby can identify the fire compartment wall that website is used according to the information relevant to fire compartment wall.This RM has versatility, can solve because the mechanism of fire compartment wall is different, causes identifying inconvenient problem, can identify exactly the fire compartment wall that website is used.
Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to better understand technological means of the present invention, and can be implemented according to the content of specification, and for above and other objects of the present invention, feature and advantage can be become apparent, below especially exemplified by the specific embodiment of the present invention.
Embodiment
Exemplary embodiment of the present disclosure is described below with reference to accompanying drawings in more detail.Although shown exemplary embodiment of the present disclosure in accompanying drawing, yet should be appreciated that and can realize the disclosure and the embodiment that should do not set forth limits here with various forms.On the contrary, it is in order thoroughly to understand the disclosure that these embodiment are provided, and can by the scope of the present disclosure complete convey to those skilled in the art.
Embodiment mono-
The embodiment of the present invention provides the recognition methods of a kind of website fire compartment wall.The method is improved identifying the equipment of fire compartment wall.For example, the equipment in the present embodiment can be PC(Personal Computer, personal computer), mobile phone, the subscriber terminal equipments such as Hand Personal Computer.
Fig. 1 is the recognition methods flow chart of a kind of according to an embodiment of the invention website fire compartment wall, the method comprising the steps of S102 to S106.
S102, sends HTTP request to website.
S104, receives the response message that website is returned, and obtains the information relevant to fire compartment wall in response message.
S106, according to the information relevant to fire compartment wall, identification fire compartment wall.
The embodiment of the present invention provides the recognition methods of a kind of website fire compartment wall, by send HTTP to website, ask and receive the response message that website is returned, obtain the information relevant to fire compartment wall in response message, thereby can identify the fire compartment wall that website is used according to the information relevant to fire compartment wall.This RM has versatility, can solve because the mechanism of fire compartment wall is different, causes identifying inconvenient problem, can identify exactly the fire compartment wall that website is used.
Embodiment bis-
The present embodiment is a kind of concrete application scenarios of above-described embodiment one, by the present embodiment, can set forth clearer, particularly method provided by the present invention.When realizing the method that the present embodiment provides, can carry out the identification of website fire compartment wall by the equipment of identification fire compartment wall.
As the refinement of above-described embodiment one, the present embodiment provides the concrete recognition methods of three kinds of website fire compartment walls.These three kinds of methods are can carry out respectively and mutually independently, specifically introduce the concrete recognition methods of these three kinds of website fire compartment walls below in conjunction with accompanying drawing.
It should be noted that, for part website, toward website, send a HTTP request, as in its response message just with firewall information, directly take out this information, identify corresponding fire compartment wall, for those websites, can only by the first method of following introduction, identify website fire compartment wall.
Fig. 2 is the concrete recognition methods flow chart of the first website fire compartment wall according to an embodiment of the invention, the method comprising the steps of S201 to S204.
First, by the said equipment, perform step S201, the website URL to user's current accessed sends GET request.
Wherein, GET request is a kind of in HTTP request, and GET request is a kind of request of data of asking for to server.Conventionally, the parameter of GET request can be followed after URL and be transmitted, and after the data of request can be attached to URL, with " ", cuts apart URL and transmission data, between parameter, with " & ", be connected, the ASCII that " XX " in " %XX " represents with 16 systems for this symbol, if data are English alphabet/numerals, former state sends, if space, be converted to "+", if Chinese or other characters are directly encrypted character string with BASE64.
In addition, the data of GET transmission have size restriction, because GET submits data to by URL, so the data volume that GET can submit to is relevant with the length of URL, different browsers is different to the length restriction of URL.
Corresponding response message can be resolved and return to Website server after receiving this GET request.
Then, the equipment of identification fire compartment wall continues execution step S202, receives the response message for this GET request that Website server returns, and this response message is resolved, and judge in response message, whether to include the information relevant to fire compartment wall.If comprise the information that fire compartment wall is relevant, perform step S203, if do not comprise, end operation.
In http response information, comprise state code, head response and response text three parts.Conventionally, the firewall information of website can write in the head response of http response information, so, when whether step S202 includes the information relevant to fire compartment wall in judging response message, can be directly by judging whether the head of response message includes the information relevant to fire compartment wall and realize.Wherein, the information relevant to fire compartment wall is the characteristic information of the specific part extracting in response message.
Alternatively, if the head of response message comprises as information such as Server:TbGf4/X.X.X, Server:xxxWAF or Server:xxxFirewall, illustrate and in this header information, comprised the information relevant to fire compartment wall.
In order more clearly to describe the mentioned information relevant to fire compartment wall of the present embodiment, the present embodiment also provides Fig. 3, has shown the head response information schematic diagram in the http response information of returning a website.Wherein, the information relevant to fire compartment wall comprising in Fig. 3 is Server:Safe3Web Firewall.
S203 extracts the information relevant to fire compartment wall in the above-mentioned response message for this GET request.After having extracted the information relevant to fire compartment wall, continue execution step S204, according to the information relevant to fire compartment wall of obtaining, the type of identification fire compartment wall.
In the present embodiment, in this locality, can store the type list of a fire compartment wall, preset the information relevant to fire compartment wall and the corresponding relation of fire compartment wall, therefore can find the corresponding fire compartment wall type of the information relevant to fire compartment wall according to this fire compartment wall type table.
For example, the firewall information that step S203 extracts is Server:TbGf4/X.X.X, and the type that this fire compartment wall is described is website bodyguard.
Also it should be noted that; when taking said method not get the relevant information of website fire compartment wall, in order further to guarantee to get the information that website fire compartment wall is relevant, can also carry out based on the above method the second method that the present embodiment provides.
In addition, also it should be noted that, for part website, its fire compartment wall mainly protects website leak, so construct XSS leak test request, send in the past, as in its response message with firewall information, can directly take out this information, and identify corresponding fire compartment wall type, for those websites, can only by the second method of following introduction, identify website fire compartment wall.
Lower mask body is introduced the second method that the present embodiment provides, and Fig. 4 is the concrete recognition methods flow chart of the second website fire compartment wall according to an embodiment of the invention, the method comprising the steps of S301 to S304.
First, perform step S301, from index database, extract a link of current accessed website, structure XSS(Cross Site Scripting, cross-site scripting attack) leak test request, and this XSS leak test request is sent to this website.
In the present embodiment, the web site url extracting in index database can be any link under current site.When structure XSS leak test request, can utilize <script> ... </script>, <iframe> ... the functions such as the labels such as </iframe> and alret are constructed a series of data, and then the data of this structure and being connected under the above-mentioned current site shifting to an earlier date are combined, can obtain for testing the test URL of XSS leak, this URL is XSS leak test request.
For example, being linked as under the current site, shifting to an earlier date in the present embodiment:
webscan.XXX.cn/a/a.php?a=1
Be configured to XSS test URL:
webscan.XXX.cn/a/a.php?a=1<script>alert(123)</script>)。
Wherein, XXX.cn is the domain name of this website.
It should be noted that, if fire compartment wall is not installed in website, comparatively easily occur XSS leak, so that be easily subject to the attack of malicious code.
Corresponding response message can be resolved and return to Website server after receiving this XSS leak test request.
Then, the equipment of identification fire compartment wall continues execution step S302, receives the response message for XSS leak test request that Website server returns, and this response message is resolved, and judge in response message, whether to include the information relevant to fire compartment wall.If comprise the information that fire compartment wall is relevant, perform step S303, if do not comprise, end operation.
Different from above-mentioned first method is, when whether step S302 includes the information relevant to fire compartment wall in judging response message, not only can by judging whether the head of response message includes the information relevant to fire compartment wall and realize, also can be by judging whether the text of response message includes the information relevant to fire compartment wall and realize.Wherein, as long as there is the information relevant to fire compartment wall in head or text message at least one, determine in response message and comprise the information that fire compartment wall is relevant.
It should be noted that, step S302 searches in the head of response message whether to comprise the method for the information relevant with fire compartment wall identical with the method for step S202.And search in the text of response message, whether to comprise the information relevant to fire compartment wall be exactly to check whether the content the inside return comprises fire compartment wall interception characteristic information, for example, the content that the safety dog interception page returns comprises: web portal security dog .*www.safedog.cn.
S303, extracts the information relevant to fire compartment wall above-mentioned in for the response message of XSS leak test request.After having extracted the information relevant to fire compartment wall, continue execution step S304, according to the information relevant to fire compartment wall of obtaining, the type of identification fire compartment wall.
Similarly, in this locality, can store the type list of a fire compartment wall, preset the information relevant to fire compartment wall and the corresponding relation of fire compartment wall, therefore can find the corresponding fire compartment wall type of the information relevant to fire compartment wall according to this fire compartment wall type table.
For example, the firewall information that step S303 extracts is Server:TbGf4/X.X.X, and the type that this fire compartment wall is described is website bodyguard.
Also it should be noted that; when taking said method not get the relevant information of website fire compartment wall, in order further to guarantee to get the information that website fire compartment wall is relevant, can also carry out based on the above method the third method that the present embodiment provides.
Also it should be noted that, for part website, its fire compartment wall Main Function is to prevent that DDOS/CC from attacking, if frequently sent request to it, for example within one minute, sent N(N and exceeded the access frequency that this website can be accepted) inferior HTTP request, fire compartment wall is confirmed to be the attack to server, now, can directly from its response message, take out firewall information, identify corresponding fire compartment wall type, for those websites, can only by the third method of following introduction, identify website fire compartment wall.
Lower mask body is introduced the third method that the present embodiment provides, and Fig. 5 is the concrete recognition methods flow chart of the third website fire compartment wall according to an embodiment of the invention, the method comprising the steps of S401 to S407.
First, execution step S401, the website transmission leak test request with preset frequency to current accessed.In the present embodiment, can within one minute, send leak test request 60 times, at this moment, server thinks that website is subject to DDOS/CC and attacks, and now, fire compartment wall is taked protection behavior to above-mentioned attack, and returns to response message.
Then, the equipment of identification fire compartment wall continues execution step S402, and the response message of the leak test request for continuous transmission that reception Website server returns, resolves this response message, and obtain the state code in each response message.
Above-mentioned mentioning comprises state code, head response and response text three parts in http response information.Wherein, state code has represented whether request is understood or is satisfied, and different state codes has represented different implications.For example, when state code is 204, the request of having represented is received, but return information is empty.
S403, whether the state code that obtains of judgement is continuous special code, if so, continues execution step S404, if not, end operation.
When server, think that while receiving that DDOS/CC attacks, the state code returning is special code, expression can not accept request, and during as special code 403, statement disable access, during special code 500, represents server error.
S404, judgement occurs whether the number of times of special state code surpasses preset times continuously.If exceed preset times, continue execution step S405, if do not surpass preset times, end operation.
Alternatively, preset times can be set to 20 times, if special code 403 has appearred 30 times in this step S404 continuously, has exceeded preset times, now continues execution step S405.
S405, judges in response message, whether to include the information relevant to fire compartment wall.If comprise the information that fire compartment wall is relevant, perform step S406, if do not comprise, end operation.
It should be noted that, when whether step S405 includes the information relevant to fire compartment wall in judging response message, not only can by judging whether the head of response message includes the information relevant to fire compartment wall and realize, also can be by judging whether the text of response message includes the information relevant to fire compartment wall and realize.Wherein, as long as there is the information relevant to fire compartment wall in head or text message at least one, determine in response message and comprise the information that fire compartment wall is relevant.
Step S405 searches in the head of response message whether to comprise the method for the information relevant with fire compartment wall identical with the method for step S202.And search in the text of response message, whether to comprise the information relevant to fire compartment wall be exactly to check whether the content the inside return comprises fire compartment wall interception characteristic information.
S406 extracts the information relevant to fire compartment wall in the response message for leak test request.After having extracted the information relevant to fire compartment wall, continue execution step S407, according to the information relevant to fire compartment wall of obtaining, the type of identification fire compartment wall.
It should be noted that the recognition methods of the above-mentioned three kinds of fire compartment walls that provide in embodiment bis-all can be carried out fire compartment wall identification.Preferred execution sequence is method one, method two and method three, but also can use separately, or with other order, carries out successively the identification of fire compartment wall.
The embodiment of the present invention provides the recognition methods of a kind of website fire compartment wall, by send HTTP to website, ask and receive the response message that website is returned, obtain the information relevant to fire compartment wall in response message, thereby can identify the fire compartment wall that website is used according to the information relevant to fire compartment wall.This RM has versatility, can solve because the mechanism of fire compartment wall is different, causes identifying inconvenient problem, can identify exactly the fire compartment wall that website is used.
Embodiment tri-
Fig. 6 is the structured flowchart of the identification equipment of a kind of fire compartment wall of providing of one embodiment of the invention, and this equipment 600 comprises:
Request transmitter 610, is configured to send to website HTTP request;
Response receiver 620, is configured to receive the response message that website is returned;
Acquisition of information device 630, is configured to obtain the information relevant to fire compartment wall in response message;
Fire compartment wall identifier 640, is configured to according to the information relevant to fire compartment wall, identification fire compartment wall.
Alternatively, request transmitter 610 is also configured to the uniform resource position mark URL transmission GET request of website;
Correspondingly, acquisition of information device 630 is also configured to obtain the information relevant to fire compartment wall in the head of the response message for GET request of returning website.
Alternatively, request transmitter 610 is also configured to extract a link of website from index database, structure cross-site scripting attack (XSS) leak test request, and cross-site scripting attack (XSS) leak test request is sent to website;
Correspondingly, acquisition of information device 630 is also configured to obtain the head of the response message for cross-site scripting attack (XSS) leak test request of returning website and/or the information relevant to fire compartment wall in content.
Alternatively, request transmitter 610 is also configured to send to website with preset frequency leak test request;
Correspondingly, acquisition of information device 630 is also configured to obtain the head of the response message for leak test request of returning website and/or the information relevant to fire compartment wall in content.
Alternatively, fire compartment wall identifier 640 is also configured to according to the preset information relevant to fire compartment wall and the corresponding relation of fire compartment wall, identification fire compartment wall.
Alternatively, the information relevant to fire compartment wall comprises:
The characteristic information of the specific part extracting from response message.
The embodiment of the present invention provides the identification equipment of a kind of website fire compartment wall, by send HTTP to website, ask and receive the response message that website is returned, obtain the information relevant to fire compartment wall in response message, thereby can identify the fire compartment wall that website is used according to the information relevant to fire compartment wall.This identification equipment has versatility, can solve because the mechanism of fire compartment wall is different, causes identifying inconvenient problem, can identify exactly the fire compartment wall that website is used.
C11. according to the equipment described in any one in 7-10, wherein, described fire compartment wall identifier is also configured to, according to the corresponding relation of the relevant information of preset described and fire compartment wall and described fire compartment wall, identify described fire compartment wall.
C12. according to the equipment described in any one in 7-10, wherein, the described information relevant to fire compartment wall comprises: the characteristic information of the specific part extracting from response message.
In the specification that provided herein, a large amount of details have been described.Yet, can understand, embodiments of the invention can not put into practice in the situation that there is no these details.In some instances, be not shown specifically known method, structure and technology, so that not fuzzy understanding of this description.
Similarly, be to be understood that, in order to simplify the disclosure and to help to understand one or more in each inventive aspect, in the above in the description of exemplary embodiment of the present invention, each feature of the present invention is grouped together into single embodiment, figure or sometimes in its description.Yet, the method for the disclosure should be construed to the following intention of reflection: the present invention for required protection requires than the more feature of feature of clearly recording in each claim.Or rather, as reflected in claims below, inventive aspect is to be less than all features of disclosed single embodiment above.Therefore, claims of following embodiment are incorporated to this embodiment thus clearly, and wherein each claim itself is as independent embodiment of the present invention.
Those skilled in the art are appreciated that and can the module in the equipment in embodiment are adaptively changed and they are arranged in one or more equipment different from this embodiment.Module in embodiment or unit or assembly can be combined into a module or unit or assembly, and can put them into a plurality of submodules or subelement or sub-component in addition.At least some in such feature and/or process or unit are mutually repelling, and can adopt any combination to combine all processes or the unit of disclosed all features in this specification (comprising claim, summary and the accompanying drawing followed) and disclosed any method like this or equipment.Unless clearly statement in addition, in this specification (comprising claim, summary and the accompanying drawing followed) disclosed each feature can be by providing identical, be equal to or the alternative features of similar object replaces.
In addition, those skilled in the art can understand, although embodiment more described herein comprise some feature rather than further feature included in other embodiment, the combination of the feature of different embodiment means within scope of the present invention and forms different embodiment.For example, in claims, the one of any of embodiment required for protection can be used with compound mode arbitrarily.
All parts embodiment of the present invention can realize with hardware, or realizes with the software module moved on one or more processor, or realizes with their combination.It will be understood by those of skill in the art that and can use in practice microprocessor or digital signal processor (DSP) to realize the some or all functions according to the some or all parts in the identification equipment of the fire compartment wall of the embodiment of the present invention.The present invention for example can also be embodied as, for carrying out part or all equipment or device program (, computer program and computer program) of method as described herein.Realizing program of the present invention and can be stored on computer-readable medium like this, or can there is the form of one or more signal.Such signal can be downloaded and obtain from internet website, or provides on carrier signal, or provides with any other form.
It should be noted above-described embodiment the present invention will be described rather than limit the invention, and those skilled in the art can design alternative embodiment in the situation that do not depart from the scope of claims.In the claims, any reference symbol between bracket should be configured to limitations on claims.Word " comprises " not to be got rid of existence and is not listed as element or step in the claims.Being positioned at word " " before element or " one " does not get rid of and has a plurality of such elements.The present invention can be by means of including the hardware of some different elements and realizing by means of the computer of suitably programming.In having enumerated the unit claim of some devices, several in these devices can be to carry out imbody by same hardware branch.The use of word first, second and C grade does not represent any order.Can be title by these word explanations.
So far, those skilled in the art will recognize that, although detailed, illustrate and described a plurality of exemplary embodiment of the present invention herein, but, without departing from the spirit and scope of the present invention, still can directly determine or derive many other modification or the modification that meets the principle of the invention according to content disclosed by the invention.Therefore, scope of the present invention should be understood and regard as and cover all these other modification or modifications.