Method and device for identifying a website firewall
Technical field
The present invention relates to the field of Internet technology, and more particularly to a method and a device for identifying a website firewall.
Background technology
With the development of Internet technology, network security is receiving more and more attention. At present, the main threat to network security comes from hacker attacks. In order to avoid attacks on websites, most websites have a firewall installed, which to a certain extent provides a favourable guarantee for website security.
However, among the firewalls currently used by websites, some still carry security risks because of flaws in their own design. Therefore, when a user accesses a website, it is necessary to identify whether the website uses a firewall and which kind of firewall it is, and then to prompt the user with the firewall used by the website and whether it carries a security risk, so that the user can take remedial measures.
Because the mechanisms of existing firewalls differ, each kind of firewall requires a different identification method. How to accurately identify the firewall used by a website is therefore a problem for which no related technique has yet been implemented.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a website firewall identification method, and a corresponding device, that overcome or at least partly solve the above problems.
According to one aspect of the present invention, a method for identifying a website firewall is provided, including:
sending an HTTP request to the website;
receiving the response message returned by the website;
obtaining the firewall-related information in the response message;
identifying the firewall according to the firewall-related information.
Optionally, sending an HTTP request to the website includes:
sending a GET request to the URL (Uniform Resource Locator) of the website;
and obtaining the firewall-related information in the response message includes:
obtaining the firewall-related information in the header of the response message that the website returns for the GET request.
Optionally, sending an HTTP request to the website includes:
extracting a link of the website from an index database and constructing a cross-site scripting (XSS) vulnerability test request;
sending the XSS vulnerability test request to the website;
and obtaining the firewall-related information in the response message includes:
obtaining the firewall-related information in the header and/or body of the response message that the website returns for the XSS vulnerability test request.
Optionally, sending an HTTP request to the website includes:
sending vulnerability test requests to the website at a preset frequency;
and obtaining the firewall-related information in the response message includes:
obtaining the firewall-related information in the header and/or body of the response messages that the website returns for the vulnerability test requests.
Optionally, identifying the firewall according to the firewall-related information includes:
identifying the firewall according to a preset correspondence between firewall-related information and firewalls.
Optionally, the firewall-related information includes:
characteristic information extracted from a specific part of the response message.
According to another aspect of the present invention, a device for identifying a firewall is also provided, including:
a request transmitter, configured to send an HTTP request to the website;
a response receiver, configured to receive the response message returned by the website;
an information acquirer, configured to obtain the firewall-related information in the response message;
a firewall identifier, configured to identify the firewall according to the firewall-related information.
Optionally, the request transmitter is further configured to send a GET request to the URL of the website;
correspondingly, the information acquirer is further configured to obtain the firewall-related information in the header of the response message that the website returns for the GET request.
Optionally, the request transmitter is further configured to extract a link of the website from an index database, construct a cross-site scripting (XSS) vulnerability test request, and send the XSS vulnerability test request to the website;
correspondingly, the information acquirer is further configured to obtain the firewall-related information in the header and/or body of the response message that the website returns for the XSS vulnerability test request.
Optionally, the request transmitter is further configured to send vulnerability test requests to the website at a preset frequency;
correspondingly, the information acquirer is further configured to obtain the firewall-related information in the header and/or body of the response messages that the website returns for the vulnerability test requests.
Optionally, the firewall identifier is further configured to identify the firewall according to a preset correspondence between firewall-related information and firewalls.
Optionally, the firewall-related information includes:
characteristic information extracted from a specific part of the response message.
The present invention provides a method for identifying a website firewall: an HTTP request is sent to the website, the response message returned by the website is received, the firewall-related information in the response message is obtained, and the firewall used by the website is identified according to that information. The identification method is general-purpose: it solves the problem that differing firewall mechanisms make identification inconvenient, and it can accurately identify the firewall used by a website.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practised according to the content of the specification, and in order that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art by reading the following detailed description of the preferred embodiments. The accompanying drawings serve only to show the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flow chart of a method for identifying a website firewall according to an embodiment of the present invention;
Fig. 2 is a flow chart of the first specific method for identifying a website firewall according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the response header in the HTTP response message returned by a website according to an embodiment of the present invention;
Fig. 4 is a flow chart of the second specific method for identifying a website firewall according to an embodiment of the present invention;
Fig. 5 is a flow chart of the third specific method for identifying a website firewall according to an embodiment of the present invention;
Fig. 6 is a structural block diagram of a device for identifying a firewall according to an embodiment of the present invention.
Embodiment
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be realised in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure may be thoroughly understood and its scope fully conveyed to those skilled in the art.
Embodiment one
An embodiment of the present invention provides a method for identifying a website firewall. The method is an improvement of a device capable of identifying firewalls. For example, the device in this embodiment may be a user terminal such as a PC (Personal Computer), a mobile phone or an HPC.
Fig. 1 is a flow chart of a method for identifying a website firewall according to an embodiment of the present invention; the method includes steps S102 to S106.
S102: send an HTTP request to the website.
S104: receive the response message returned by the website, and obtain the firewall-related information in the response message.
S106: identify the firewall according to the firewall-related information.
An embodiment of the present invention provides a method for identifying a website firewall: an HTTP request is sent to the website, the response message returned by the website is received, the firewall-related information in the response message is obtained, and the firewall used by the website is identified according to that information. The identification method is general-purpose: it solves the problem that differing firewall mechanisms make identification inconvenient, and it can accurately identify the firewall used by a website.
Embodiment two
This embodiment is a concrete application scenario of embodiment one above; through this embodiment the method provided by the present invention can be illustrated more clearly and concretely. When the method provided by this embodiment is carried out, a device capable of identifying firewalls may perform the identification of the website firewall.
As a refinement of embodiment one above, this embodiment provides three specific methods for identifying a website firewall. The three methods can be performed separately and are independent of one another; the three specific identification methods are introduced below with reference to the accompanying drawings.
It should be noted that for some websites a single HTTP request sent to the website is enough: if the response message carries firewall information, that information is taken out directly and the corresponding firewall is identified. For those websites, the website firewall can be identified by the first method introduced below alone.
Fig. 2 is a flow chart of the first specific method for identifying a website firewall according to an embodiment of the present invention; the method includes steps S201 to S204.
First, the above device performs step S201, i.e. it sends a GET request to the URL of the website the user is currently accessing.
A GET request is one kind of HTTP request; it is a request asking the server for data. Generally, the parameters of a GET request are transmitted appended to the URL: the requested data is attached after the URL, with "?" separating the URL from the transmitted data and "&" between parameters. In "%XX", "XX" is the ASCII code of the symbol represented in hexadecimal. If the data is an English letter or a digit it is sent as-is; a space is converted to "+"; for Chinese or other characters the string is directly encrypted with BASE64.
In addition, the data transmitted by GET is limited in size: because GET submits data through the URL, the amount of data GET can submit depends on the URL length, and different browsers limit URL length differently.
After the website server receives the GET request, it parses it and returns a corresponding response message.
Then the device identifying the firewall continues with step S202: it receives the response message that the website server returns for the GET request, parses the response message, and judges whether the response message contains firewall-related information. If it contains firewall-related information, step S203 is performed; if not, the operation ends.
An HTTP response message comprises three parts: the status code, the response header and the response body. Generally, a website's firewall information is written into the response header of the HTTP response message, so judging in step S202 whether the response message contains firewall-related information can be done directly by judging whether the header of the response message contains firewall-related information. Here the firewall-related information is characteristic information extracted from a specific part of the response message.
Optionally, if the header of the response message contains information such as Server:TbGf4/X.X.X, Server:XxxWAF or Server:xxxFirewall, the header information contains firewall-related information.
To describe the firewall-related information mentioned in this embodiment more clearly, this embodiment also provides Fig. 3, which illustrates the response header in the HTTP response message returned by a website. The firewall-related information contained in Fig. 3 is Server:Safe3Web Firewall.
S203: extract the firewall-related information from the above response message for the GET request. After the firewall-related information has been extracted, step S204 is performed, i.e. the type of firewall is identified according to the obtained firewall-related information.
In this embodiment, a firewall type table may be stored locally, in which the correspondence between firewall-related information and firewalls is preset, so that the firewall type corresponding to the firewall-related information can be looked up in the firewall type table.
For example, if the firewall information extracted in step S203 is Server:TbGf4/X.X.X, the firewall type is Website Bodyguard.
It should also be noted that when the above method fails to obtain the firewall-related information of the website, in order to further ensure that the firewall-related information of the website is obtained, the second method provided by this embodiment may be performed on the basis of the above method.
In addition, it should also be noted that for some websites the firewall mainly protects against website vulnerabilities. When an XSS vulnerability test request is constructed and sent to such a website, its response message carries firewall information; that information can be taken out directly and the corresponding firewall type identified. For those websites, the website firewall can be identified by the second method introduced below alone.
The second method provided by this embodiment is introduced in detail below. Fig. 4 is a flow chart of the second specific method for identifying a website firewall according to an embodiment of the present invention; the method includes steps S301 to S304.
First, step S301 is performed: a link of the currently accessed website is extracted from an index database, an XSS (Cross Site Scripting) vulnerability test request is constructed, and the XSS vulnerability test request is sent to the website.
In this embodiment, the website link extracted from the index database may be any link under the current website. When constructing the XSS vulnerability test request, tags such as <script>…</script> and <iframe>…</iframe> and functions such as alert may be used to construct a series of data in advance; the constructed data is then combined with the link under the current website to obtain a test URL for testing XSS vulnerabilities. That URL is the XSS vulnerability test request.
For example, the link under the current website extracted in advance in this embodiment is:
webscan.XXX.cn/a/a.php?a=1
The XSS test URL constructed from it is then:
webscan.XXX.cn/a/a.php?a=1<script>alert(123)</script>
Here XXX.cn is the domain name of the website.
It should be noted that if a website has no firewall installed, XSS vulnerabilities are relatively likely to occur, and the website is therefore easily attacked by malicious code.
After the website server receives the XSS vulnerability test request, it parses it and returns a corresponding response message.
Then the device identifying the firewall continues with step S302: it receives the response message that the website server returns for the XSS vulnerability test request, parses the response message, and judges whether the response message contains firewall-related information. If it contains firewall-related information, step S303 is performed; if not, the operation ends.
Unlike the first method above, when step S302 judges whether the response message contains firewall-related information, this can be done not only by judging whether the header of the response message contains firewall-related information, but also by judging whether the body of the response message contains firewall-related information. As long as firewall-related information is present in at least one of the header and the body, the response message is determined to contain firewall-related information.
It should be noted that the way step S302 searches the header of the response message for firewall-related information is the same as in step S202. Searching the body of the response message for firewall-related information means checking whether the returned content contains the firewall's interception characteristic information; for example, the content of the interception page returned by the security dog firewall (Safedog) contains: Web portal security dog .*www.safedog.cn.
S303: extract the firewall-related information from the above response message for the XSS vulnerability test request. After the firewall-related information has been extracted, step S304 is performed, i.e. the type of firewall is identified according to the obtained firewall-related information.
Similarly, a firewall type table may be stored locally, in which the correspondence between firewall-related information and firewalls is preset, so that the firewall type corresponding to the firewall-related information can be looked up in the firewall type table.
For example, if the firewall information extracted in step S303 is Server:TbGf4/X.X.X, the firewall type is Website Bodyguard.
It should also be noted that when the above method fails to obtain the firewall-related information of the website, in order to further ensure that the firewall-related information of the website is obtained, the third method provided by this embodiment may be performed on the basis of the above method.
It should also be noted that for some websites the main function of the firewall is to prevent DDOS/CC attacks. If requests are sent frequently, for example N HTTP requests within one minute (N exceeding the access frequency acceptable to the website), the firewall confirms that this is an attack on the server; at that point the firewall information can be taken out directly from its response message and the corresponding firewall type identified. For those websites, the website firewall can be identified by the third method introduced below alone.
The third method provided by this embodiment is introduced in detail below. Fig. 5 is a flow chart of the third specific method for identifying a website firewall according to an embodiment of the present invention; the method includes steps S401 to S407.
First, step S401 is performed: vulnerability test requests are sent to the currently accessed website at a preset frequency. In this embodiment, 60 vulnerability test requests may be sent within one minute; the server then considers the website to be under a DDOS/CC attack, and the firewall takes self-protection measures against the above attack and returns response messages.
Then the device identifying the firewall continues with step S402: it receives the response messages that the website server returns for the continuously sent vulnerability test requests, parses the response messages, and obtains the status code in each response message.
As mentioned above, an HTTP response message comprises the status code, the response header and the response body. The status code indicates whether the request was understood or satisfied, and different status codes have different meanings. For example, status code 204 indicates that the request was accepted but the returned information is empty.
S403: judge whether the obtained status codes are consecutive special codes. If so, continue with step S404; if not, end the operation.
When the server considers that it is under a DDOS/CC attack, the returned status code is a special code indicating that the request cannot be accepted: for example, special code 403 indicates that access is forbidden, and special code 500 indicates a server error.
S404: judge whether the number of consecutive occurrences of the special status code exceeds a preset number. If it exceeds the preset number, continue with step S405; if it does not exceed the preset number, end the operation.
Optionally, the preset number may be set to 20; if in step S404 the special code 403 occurs 30 times in succession, the preset number is exceeded and step S405 is performed.
S405: judge whether the response message contains firewall-related information. If it contains firewall-related information, perform step S406; if not, end the operation.
It should be noted that when step S405 judges whether the response message contains firewall-related information, this can be done not only by judging whether the header of the response message contains firewall-related information, but also by judging whether the body of the response message contains firewall-related information. As long as firewall-related information is present in at least one of the header and the body, the response message is determined to contain firewall-related information.
The way step S405 searches the header of the response message for firewall-related information is the same as in step S202, and searching the body of the response message for firewall-related information means checking whether the returned content contains the firewall's interception characteristic information.
S406: extract the firewall-related information from the response message for the vulnerability test request. After the firewall-related information has been extracted, step S407 is performed, i.e. the type of firewall is identified according to the obtained firewall-related information.
It should be noted that each of the three firewall identification methods provided in embodiment two above can identify the firewall. The preferred execution order is method one, method two and then method three, but the methods may also be used alone, or the firewall identification may be performed successively in another order.
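As an added example, not code from the patent, the following Python sketch implements the identification logic of all three methods (steps S202 to S204, S302 to S304 and S402 to S407) offline over constructed captured responses, without sending any request. The firewall type table and the firewall names in it (Website Bodyguard, Safe3Web Firewall, Safedog) are assumptions built from the sample values quoted in the description; the body pattern is the one the description quotes, used as a regular expression.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical firewall type table (the "preset correspondence" of the patent),
# constructed from the sample values the description mentions. A real table
# would carry many more signatures; these names are placeholders.
HEADER_SIGNATURES: Dict[str, str] = {
    "TbGf4": "Website Bodyguard",             # Server:TbGf4/X.X.X
    "Safe3Web Firewall": "Safe3Web Firewall",  # Server:Safe3Web Firewall (Fig. 3)
}
# Interception-page patterns for the body check of methods two and three. The
# pattern is the string quoted on the page, compiled as a regular expression.
BODY_SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"Web portal security dog.*www\.safedog\.cn", re.S), "Safedog"),
]
# Status codes the description calls "special codes" (request refused).
SPECIAL_CODES = {403, 500}


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP response into status code, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 403 Forbidden" -> 403
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def firewall_from_header(headers: Dict[str, str]) -> Optional[str]:
    """Steps S202..S204: look the Server header up in the type table."""
    server = headers.get("server", "").lower()
    for signature, firewall in HEADER_SIGNATURES.items():
        if signature.lower() in server:
            return firewall
    return None


def firewall_from_body(body: str) -> Optional[str]:
    """Body check of steps S302/S405: interception-page characteristic text."""
    for pattern, firewall in BODY_SIGNATURES:
        if pattern.search(body):
            return firewall
    return None


def identify_from_response(raw: str, check_body: bool) -> Optional[str]:
    """Method one (check_body=False) or method two (check_body=True)."""
    _status, headers, body = parse_response(raw)
    firewall = firewall_from_header(headers)
    if firewall is None and check_body:
        firewall = firewall_from_body(body)
    return firewall


def longest_special_run(status_codes: List[int]) -> Tuple[int, int]:
    """Steps S402/S403: (start index, length) of the longest run of special codes."""
    best_start, best_len, run_start = 0, 0, None
    for i, code in enumerate(status_codes + [None]):   # sentinel closes a trailing run
        if code in SPECIAL_CODES:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    return best_start, best_len


def identify_from_sequence(raws: List[str], preset_times: int = 20) -> Optional[str]:
    """Method three, steps S402..S407, over the responses to the burst of requests."""
    codes = [parse_response(r)[0] for r in raws]
    start, length = longest_special_run(codes)
    if length <= preset_times:                 # S404: the run must exceed the preset number
        return None
    for raw in raws[start:start + length]:     # S405..S407 on the refusing responses
        firewall = identify_from_response(raw, check_body=True)
        if firewall is not None:
            return firewall
    return None


# Constructed sample responses (not real captures).
GET_RESPONSE = "HTTP/1.1 200 OK\r\nServer: TbGf4/X.X.X\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
XSS_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
                "<html>Web portal security dog has intercepted this request - www.safedog.cn</html>")
BLOCKED = "HTTP/1.1 403 Forbidden\r\nServer: Safe3Web Firewall\r\n\r\n<html>Forbidden</html>"
OK_PAGE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>ok</html>"
BURST_BLOCKED = [OK_PAGE] * 3 + [BLOCKED] * 30     # 30 consecutive 403s, as in the text
BURST_SHORT = [OK_PAGE] * 3 + [BLOCKED] * 10       # only 10: does not exceed the preset 20

if __name__ == "__main__":
    print(identify_from_response(GET_RESPONSE, check_body=False))   # Website Bodyguard
    print(identify_from_response(XSS_RESPONSE, check_body=True))    # Safedog
    print(identify_from_sequence(BURST_BLOCKED))                    # Safe3Web Firewall
    print(identify_from_sequence(BURST_SHORT))                      # None
```

A defender can run the same matching over their own site's responses to check what its firewall discloses in headers and interception pages.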
An embodiment of the present invention provides a method for identifying a website firewall: HTTP requests are sent to the website, the response messages returned by the website are received, the firewall-related information in the response messages is obtained, and the firewall used by the website is identified according to that information. The identification method is general-purpose: it solves the problem that differing firewall mechanisms make identification inconvenient, and it can accurately identify the firewall used by a website.
Embodiment three
Fig. 6 is a structural block diagram of a device for identifying a firewall provided by an embodiment of the present invention; the device 600 includes:
a request transmitter 610, configured to send an HTTP request to the website;
a response receiver 620, configured to receive the response message returned by the website;
an information acquirer 630, configured to obtain the firewall-related information in the response message;
a firewall identifier 640, configured to identify the firewall according to the firewall-related information.
Optionally, the request transmitter 610 is further configured to send a GET request to the uniform resource locator (URL) of the website;
correspondingly, the information acquirer 630 is further configured to obtain the firewall-related information in the header of the response message that the website returns for the GET request.
Optionally, the request transmitter 610 is further configured to extract a link of the website from an index database, construct a cross-site scripting (XSS) vulnerability test request, and send the XSS vulnerability test request to the website;
correspondingly, the information acquirer 630 is further configured to obtain the firewall-related information in the header and/or body of the response message that the website returns for the XSS vulnerability test request.
Optionally, the request transmitter 610 is further configured to send vulnerability test requests to the website at a preset frequency;
correspondingly, the information acquirer 630 is further configured to obtain the firewall-related information in the header and/or body of the response messages that the website returns for the vulnerability test requests.
Optionally, the firewall identifier 640 is further configured to identify the firewall according to a preset correspondence between firewall-related information and firewalls.
Optionally, the firewall-related information includes:
characteristic information extracted from a specific part of the response message.
An embodiment of the present invention provides a device for identifying a website firewall: an HTTP request is sent to the website, the response message returned by the website is received, the firewall-related information in the response message is obtained, and the firewall used by the website is identified according to that information. The identification device is general-purpose: it solves the problem that differing firewall mechanisms make identification inconvenient, and it can accurately identify the firewall used by a website.
In the specification provided here, numerous specific details are set forth. It will be appreciated, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components in an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those of skill in the art will appreciate that although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the firewall identification device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
Finally, although multiple exemplary embodiments of the present invention have been shown and described in detail herein, those skilled in the art will appreciate that many other variations or modifications conforming to the principles of the invention may still be determined or derived directly from the present disclosure without departing from the spirit and scope of the present invention. Therefore, the scope of the present invention should be understood and deemed to cover all such other variations or modifications.