CN104038474A - Internet access detection method and device - Google Patents


Publication number
CN104038474A
Authority
CN
China
Prior art keywords
specific identifier
access request
internet
browser client
receiving
Legal status
Pending
Application number
CN201410196524.2A
Other languages
Chinese (zh)
Inventor
张元涛
Current Assignee
Sangfor Network Technology Shenzhen Co Ltd
Original Assignee
Sangfor Network Technology Shenzhen Co Ltd

Abstract

The invention discloses an Internet access detection method. When a response message sent by an Internet server in response to a browser user's login request is received, a specific identifier is added to the received response message to generate a new response message, and the new response message is sent to the browser user, so that the browser user inserts the specific identifier when sending an Internet access request. When an Internet access request sent by the browser user is received, whether the received request contains the specific identifier is analyzed. When the received Internet access request contains the specific identifier, the browser user's Internet access is authorized and the received request is sent to the corresponding Internet server. The invention also discloses an Internet access detection device. The method and device control the browser user's Internet access, so as to prevent illegitimate Internet access and ensure the security of the browser user's Internet access.

Description

Internet access detection method and device
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and a device for detecting Internet access.
Background
With the development of Internet technology, people's life and work depend more and more on the Internet, and as the scope of Internet applications keeps expanding, the security of Internet application access receives more and more attention. At present, the login of a legitimate browser client is generally identified using cookie technology (data stored on the user's local terminal). After a browser client logs in legitimately, the Internet server generates a session ID (identity information) to identify the user and places this session ID in a cookie. The session requests the browser sends afterwards must carry this session ID; when the session ID passes verification by the Internet server, the browser client can access the data on the Internet server. This prevents logins by illegitimate browser clients and achieves secure Internet access. In actual use, however, an attacker who intercepts this session ID can impersonate the legitimate browser client, and some attack requests are sent without the legitimate browser client's knowledge, as in CSRF attacks. At present, the security problems of browser access are addressed by placing a firewall between the browser and the Internet server. The specific approaches and their defects are as follows:
A. Defense based on rule signatures: after a vulnerability is discovered, the firewall analyzes the signature code, extracts the vulnerability's features, and defends against it. The biggest drawback of this method is that the firewall can only defend against disclosed vulnerabilities. Potential vulnerabilities and vulnerabilities circulating privately cannot be defended against, and defense in advance is impossible, so false negatives occur frequently.
B. Defense based on the Referer (source information): the firewall analyzes the source of a request from its Referer, and considers the request legitimate if the source is the same domain or another trusted website. Defense based on the Referer has the following two problems. B1, vulnerabilities: for example, older versions of the IE (Internet Explorer) browser and of Firefox contain vulnerabilities that allow the Referer to be forged. B2, threshold: different browsers implement the Referer inconsistently, and some access requests may not carry a Referer field. With a looser policy, where an empty Referer is considered legitimate, there are false negatives; with a strict policy, false positives become obvious. The threshold for this policy is hard to set, and even the website's developers cannot fully know which access requests must carry a Referer.
C. Detection by adding a graphical verification code to specific requests: according to specific requests configured by the user, for example dangerous operations, the firewall dynamically inserts a graphical verification code for the user to verify. However, if a website required a verification code for every operation, the user experience would be seriously affected. This detection method can only be used for special operations and cannot verify the legitimacy of all operations.
None of the above approaches solves the security problem of Internet access effectively and accurately.
The foregoing is only intended to assist in understanding the technical solution of the present invention, and does not constitute an admission that the foregoing is prior art.
Summary of the invention
The main purpose of the present invention is to provide a method and a device for detecting Internet access, intended to control a browser client's Internet access, so as to prevent illegitimate Internet access and ensure the security of the browser client's Internet access.
To achieve the above purpose, the invention provides a method for detecting Internet access, comprising the steps of:
When a response message sent by an Internet server in response to a browser client's login request is received, adding a specific identifier to the received response message to generate a new response message, and sending the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request;
When an Internet access request sent by the browser client is received, analyzing whether the received access request contains the specific identifier;
When the received access request contains the specific identifier, authorizing the browser client to access the Internet and sending the received access request to the corresponding Internet server.
Preferably, after the step of analyzing whether the received access request contains the specific identifier, the method further comprises:
When the received access request does not contain the specific identifier, determining that the received access request is an illegitimate request and refusing to respond to it.
Preferably, the step of analyzing whether the received access request contains the specific identifier comprises:
Analyzing whether the received access request contains an identifier;
When the received access request does not contain an identifier, determining that the received access request does not contain the specific identifier;
When the received access request contains an identifier, obtaining the identifier contained in the received access request, and analyzing whether there is a pre-stored specific identifier that matches the obtained identifier;
When there is a pre-stored specific identifier that matches the obtained identifier, determining that the received access request contains the specific identifier;
When no pre-stored specific identifier matches the obtained identifier, determining that the received access request does not contain the specific identifier.
Preferably, the step of authorizing the browser client to access the Internet and sending the received access request to the corresponding Internet server comprises:
Deleting the specific identifier carried in the received access request;
Authorizing the browser client to access the Internet and sending the access request, with the specific identifier deleted, to the corresponding Internet server.
Preferably, before the step of adding the specific identifier to the received response message to generate a new response message and sending the generated response message to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request, the method further comprises:
When the response message sent by the Internet server in response to the browser client's login request is received, obtaining the login time and the session ID from the browser client's login request, and computing a unique specific identifier using repeated hashing.
The present invention further provides a device for detecting Internet access, comprising:
A processing module, configured to, when a response message sent by an Internet server in response to a browser client's login request is received, add a specific identifier to the received response message to generate a new response message;
A data sending and receiving module, configured to send the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request;
An analysis module, configured to, when an Internet access request sent by the browser client is received, analyze whether the received access request contains the specific identifier;
A response module, configured to, when the received access request contains the specific identifier, authorize the browser client to access the Internet and send the received access request to the corresponding Internet server through the data sending and receiving module.
Preferably, the response module is further configured to, when the received access request does not contain the specific identifier, determine that the received access request is an illegitimate request and refuse to respond to it.
Preferably, the analysis module is further configured to analyze whether the received access request contains an identifier;
The response module is further configured to, when the received access request does not contain an identifier, determine that the received access request does not contain the specific identifier;
The processing module is further configured to, when the received access request contains an identifier, obtain the identifier contained in the received access request, and have the analysis module analyze whether there is a pre-stored specific identifier that matches the obtained identifier;
The response module is further configured to, when there is a pre-stored specific identifier that matches the obtained identifier, determine that the received access request contains the specific identifier; and
When no pre-stored specific identifier matches the obtained identifier, determine that the received access request does not contain the specific identifier.
Preferably, the processing module is further configured to delete the specific identifier carried in the received access request;
The response module is further configured to authorize the browser client to access the Internet and send the access request, with the specific identifier deleted, to the corresponding Internet server through the data sending and receiving module.
Preferably, the processing module is further configured to, when the response message sent by the Internet server in response to the browser client's login request is received, obtain the login time and the session ID from the browser client's login request, and compute a unique specific identifier using repeated hashing.
Compared with the prior art, in the present invention, when a response message sent by an Internet server in response to a browser client's login request is received, a specific identifier is added to the received response message to generate a new response message, and the new response message is sent to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request; when an Internet access request sent by the browser client is received, whether the received access request contains the specific identifier is analyzed; when the received access request contains the specific identifier, the browser client is authorized to access the Internet and the received access request is sent to the corresponding Internet server. By verifying whether the Internet access requests sent by the browser client after a successful login carry a specific identifier that matches the pre-stored specific identifier, the browser client's Internet access is controlled, so as to prevent illegitimate Internet access and ensure the security of the browser client's Internet access.
Brief description of the drawings
Fig. 1 is a flow diagram of a first embodiment of the Internet access detection method of the present invention;
Fig. 2 is a flow diagram of a second embodiment of the Internet access detection method of the present invention;
Fig. 3 is a functional block diagram of a preferred embodiment of the Internet access detection device of the present invention.
The realization of the purpose, the functional characteristics and the advantages of the present invention are further described below in connection with the embodiments and with reference to the accompanying drawings.
Embodiments
It should be understood that the specific embodiments described herein are only intended to explain the present invention and are not intended to limit it.
Fig. 1 is a flow diagram of the first embodiment of the Internet access detection method of the present invention.
It should be emphasized that the flow chart shown in Fig. 1 is only a preferred embodiment. Those skilled in the art will understand that any embodiment built around the inventive concept should not depart from the scope covered by the following technical solution:
When a response message sent by an Internet server in response to a browser client's login request is received, a specific identifier is added to the received response message to generate a new response message, and the new response message is sent to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request; when an Internet access request sent by the browser client is received, whether the received access request contains the specific identifier is analyzed; when the received access request contains the specific identifier, the browser client is authorized to access the Internet and the received access request is sent to the corresponding Internet server.
The concrete steps by which the present embodiment detects Internet access are as follows:
Step S11: when a response message sent by an Internet server in response to a browser client's login request is received, a specific identifier is added to the received response message to generate a new response message, and the new response message is sent to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request.
In the present embodiment, in order to obtain more functional access rights, the browser client, when accessing an Internet server for the first time, can log in to the server with an account and password obtained from that Internet server. For example, when a user accesses the Sina website through the 360 browser on a computer, the user must register an account on the Sina website server and obtain the password corresponding to this account in order to obtain rights such as leaving messages or uploading data on the Sina website. When the user needs to leave a message or upload data, the user requests a login from the Sina server. The login request can only be forwarded through the server of the 360 browser, and only after successfully logging in to the Sina website server does the user have the right to leave messages or upload data. To make the user's access more secure, a firewall is usually set up between the browser server and the Internet server to monitor Internet access after the browser client has logged in and ensure the security of Internet access. In the present embodiment, the entity that performs the Internet access detection method of the present invention is preferably a SOCKS server, and can also be a monitoring device such as a security gateway.
The user sends a login request to the Internet server through the browser. When the SOCKS server detects that the user-initiated request is a login request, it forwards the browser client's login request to the corresponding Internet server for verification by that server. When the SOCKS server receives the response message sent by the Internet server in response to the browser client's login request, it adds a specific identifier to the received response message to generate a new response message, and sends the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request. The specific identifier can be a unique piece of JS code, a Java control or an ActiveX control, or a unique identifier that the SOCKS server generates by repeated hashing from the browser client's login time, session ID, IP or MAC address and the like, and that the browser supports.
Step S12: when an Internet access request sent by the browser client is received, whether the received access request contains the specific identifier is analyzed;
Step S13: when the received access request contains the specific identifier, the browser client is authorized to access the Internet and the received access request is sent to the corresponding Internet server.
In the present embodiment, when the browser server receives the new response message that the SOCKS server sends in response to the browser client's login request, the browser server obtains the specific identifier from the new response message and adds it to every Internet access request the browser client initiates. For example, for an access request to the Sina website, the specific identifier is added to the Sina website URL, so that the URL the browser client accesses is updated.
The SOCKS server detects and receives, in real time, the Internet access requests that the browser client sends after a successful login. For example, after the browser client has successfully logged in to the Sina website server, the SOCKS server detects and receives in real time the browser client's requests to access the Sina website. When the SOCKS server receives an Internet access request sent by the browser client, it analyzes whether the received access request contains the specific identifier. This analysis comprises: the SOCKS server analyzes whether the received access request contains an identifier; when the received access request does not contain an identifier, it determines that the received access request does not contain the specific identifier; when the received access request contains an identifier, it obtains the identifier contained in the received access request and analyzes whether there is a pre-stored specific identifier that matches the obtained identifier; when there is a pre-stored specific identifier that matches the obtained identifier, it determines that the received access request contains the specific identifier; when no pre-stored specific identifier matches the obtained identifier, it determines that the received access request does not contain the specific identifier. That is, the SOCKS server first analyzes whether the received access request carries an identifier; if it does, the SOCKS server then analyzes whether the carried identifier is pre-stored on the SOCKS server; only if it is pre-stored does the SOCKS server determine that the received access request contains the specific identifier.
When the received access request contains the specific identifier, the browser client is authorized to access the Internet and the received access request is sent to the corresponding Internet server; when the received access request does not contain the specific identifier, the received access request is determined to be an illegitimate request and the response to it is refused.
To better describe the technical solution of the present invention: when the specific identifier is JS code, the SOCKS server intercepts the response message being returned to the browser server, adds a piece of JS script to the response message, and sends the response message with the added JS script to the browser on the client. When the browser receives the response message with the added JS script, the script runs; it changes the URLs of the page by appending the above JS code to each URL. The SOCKS server rewrites the browser's JS interfaces through its JS parsing module. The JS parsing module in the SOCKS server listens for the page access requests sent through the browser-side JS interfaces, intercepts them, obtains the JS code in each page access request, and analyzes whether the obtained JS code matches the pre-stored JS code. When the obtained JS code matches the pre-stored JS code, the intercepted page access request is considered a legitimate request, the browser client is authorized to access the Internet, and the received access request is sent to the corresponding Internet server; when the obtained JS code does not match the pre-stored JS code, the received access request is determined to be an illegitimate request and the response to it is refused. When the browser's JS interfaces are rewritten, this JS is inserted at the very front of the response HTML, and covers the following interfaces:
XMLHttpRequest.prototype.open, window.open, form.submit, and so on. This requires no handling by the website's own JS logic; the script only needs to be placed at the very front. For example:

    var oriWinOpen = window.open;          // keep a reference to the native window.open
    window.open = function () {
        var url = arguments[0];
        arguments[0] = addToken(url);      // append the identifier to the target URL
        return oriWinOpen.apply(window, arguments);
    };

The script also traverses every node in the browser and appends the above JS code to the URL in every HTML tag that can issue an access request, including the following tags: <a>, <script>, <link>, <area>, <img>, <form>, <iframe>, <frame>. After this replacement, the requests these tags issue also carry the above JS code.
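The client-side half described above, written out as an added example (not code from the patent): an `addToken` that appends the identifier only to same-origin http(s) URLs, wrappers for `window.open` and `XMLHttpRequest.prototype.open`, and the attribute rewrite for the listed tags. The parameter name `_gwtoken`, the `window.__gwToken` variable and the function names other than `addToken` are assumptions of this example.

```javascript
const TOKEN_PARAM = '_gwtoken'; // assumed name of the URL parameter carrying the identifier

// Tags listed in the description, with the attribute that holds the URL each one requests.
const URL_ATTRS = {
  a: 'href', link: 'href', area: 'href', script: 'src',
  img: 'src', iframe: 'src', frame: 'src', form: 'action',
};

// Returns addToken(url) bound to the current page and the identifier from the gateway.
function makeAddToken(pageHref, token) {
  const page = new URL(pageHref);
  return function addToken(url) {
    if (url === undefined || url === null || url === '') return url;
    let target;
    try {
      target = new URL(String(url), page); // resolves relative URLs against the page
    } catch (err) {
      return url; // unparsable value: leave it untouched
    }
    // javascript:, data:, mailto: and cross-origin URLs never get the identifier;
    // sending it to another origin would disclose it in that site's logs.
    if (target.protocol !== 'http:' && target.protocol !== 'https:') return url;
    if (target.origin !== page.origin) return url;
    target.searchParams.set(TOKEN_PARAM, token); // set() keeps the rewrite idempotent
    return target.href;
  };
}

// Wrap the request-sending interfaces so every call goes through addToken first.
function installHooks(win, addToken) {
  const oriWinOpen = win.open;
  win.open = function (...args) {
    if (args.length > 0) args[0] = addToken(args[0]);
    return oriWinOpen.apply(win, args);
  };
  const oriXhrOpen = win.XMLHttpRequest.prototype.open;
  win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    // Spread keeps the argument count: open(m, u) must not turn into open(m, u, undefined).
    return oriXhrOpen.call(this, method, addToken(url), ...rest);
  };
}

// Rewrite URL-bearing attributes in the document; returns how many were changed.
// For method=GET forms the browser replaces the action's query string on submit,
// so those forms would need the identifier as a hidden field instead.
function rewriteElements(doc, addToken) {
  let changed = 0;
  for (const [tag, attr] of Object.entries(URL_ATTRS)) {
    for (const el of Array.from(doc.getElementsByTagName(tag))) {
      const value = el.getAttribute(attr);
      if (value === null) continue;
      const next = addToken(value);
      if (next !== value) {
        el.setAttribute(attr, next);
        changed++;
      }
    }
  }
  return changed;
}

// In a browser, the injected script would run this at the top of the response HTML.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const addToken = makeAddToken(window.location.href, window.__gwToken); // hypothetical variable
  installHooks(window, addToken);
  rewriteElements(document, addToken);
}
```

Elements added to the page after this script has run are not covered by the one-time attribute rewrite.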
In the present embodiment, when a response message sent by an Internet server in response to a browser client's login request is received, a specific identifier is added to the received response message to generate a new response message, and the new response message is sent to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request; when an Internet access request sent by the browser client is received, whether the received access request contains the specific identifier is analyzed; when the received access request contains the specific identifier, the browser client is authorized to access the Internet and the received access request is sent to the corresponding Internet server. By verifying whether the Internet access requests sent by the browser client after a successful login carry a specific identifier that matches the pre-stored specific identifier, the browser client's Internet access is controlled, so as to prevent illegitimate Internet access and ensure the security of the browser client's Internet access.
Fig. 2 is a flow diagram of the second embodiment of the Internet access detection method of the present invention.
Based on the first embodiment above, step S13 comprises:
Step S131: the specific identifier carried in the received access request is deleted;
Step S132: the browser client is authorized to access the Internet and the access request, with the specific identifier deleted, is sent to the corresponding Internet server.
In the present embodiment, when the SOCKS server determines that the received access request contains the specific identifier, that is, when it determines that a pre-stored specific identifier matches the identifier carried in the received access request, the SOCKS server determines that the received access request is a legitimate request, deletes the specific identifier carried in the received access request, authorizes the browser client to access the Internet, and sends the access request, with the specific identifier deleted, to the corresponding Internet server. Sending the Internet access request to the Internet server only after the specific identifier has been deleted prevents a request carrying the specific identifier from reaching the Internet server and polluting the Internet server's parameter data.
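Steps S11 to S13, with the deletion of S131 and S132, sketched from the gateway's side as an added example in JavaScript for Node.js (not code from the patent). The `Gateway` class, the parameter name `_gwtoken`, the round count and the gateway secret that keys each hashing round are assumptions of this example; the description itself only says the identifier is computed from login time and session ID by repeated hashing.

```javascript
const crypto = require('node:crypto');

const TOKEN_PARAM = '_gwtoken'; // assumed name of the URL parameter carrying the identifier
const HASH_ROUNDS = 3;          // assumed round count for the repeated hashing

// Derive the identifier from session ID and login time by repeated hashing.
// Keying every round with a gateway secret is this example's addition, so that
// knowing the session ID and login time is not enough to recompute the value.
function deriveToken(sessionId, loginTimeMs, gatewaySecret) {
  let digest = Buffer.from(`${sessionId}|${loginTimeMs}`, 'utf8');
  for (let round = 0; round < HASH_ROUNDS; round++) {
    digest = crypto.createHmac('sha256', gatewaySecret).update(digest).digest();
  }
  return digest.toString('hex');
}

class Gateway {
  constructor(gatewaySecret) {
    this.gatewaySecret = gatewaySecret;
    this.issued = new Set(); // the pre-stored specific identifiers
  }

  // Step S11: a login response passes through; create and remember the identifier
  // that is added to the response sent on to the browser.
  onLoginResponse(sessionId, loginTimeMs) {
    const token = deriveToken(sessionId, loginTimeMs, this.gatewaySecret);
    this.issued.add(token);
    return token;
  }

  // Compare against every stored identifier without exiting early on a match.
  isIssued(presented) {
    const candidate = Buffer.from(presented, 'utf8');
    let found = false;
    for (const token of this.issued) {
      const stored = Buffer.from(token, 'utf8');
      if (stored.length === candidate.length && crypto.timingSafeEqual(stored, candidate)) {
        found = true;
      }
    }
    return found;
  }

  // Steps S12, S13, S131 and S132 for the URL of one access request.
  onAccessRequest(rawUrl) {
    const url = new URL(rawUrl);
    const presented = url.searchParams.get(TOKEN_PARAM);
    if (presented === null) {
      return { allowed: false, reason: 'no identifier in request' };
    }
    if (!this.isIssued(presented)) {
      return { allowed: false, reason: 'identifier not pre-stored' };
    }
    url.searchParams.delete(TOKEN_PARAM);           // S131: strip before forwarding
    return { allowed: true, forwardUrl: url.href }; // S132: what the origin server sees
  }
}

// Constructed sample requests: one valid, one without identifier, one forged.
function runDemo() {
  const gateway = new Gateway(Buffer.from('constructed-demo-secret'));
  const token = gateway.onLoginResponse('constructed-session-42', 1400000000000);
  return [
    `https://site.test/post?id=7&${TOKEN_PARAM}=${token}`,
    'https://site.test/post?id=7',
    `https://site.test/post?id=7&${TOKEN_PARAM}=forged`,
  ].map((u) => gateway.onAccessRequest(u));
}

console.log(runDemo());
```

The stored set in this sketch never expires entries; a deployment would drop an identifier when the session it was issued for ends.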
Fig. 3 is a functional block diagram of the preferred embodiment of the Internet access detection device of the present invention. The device comprises: a processing module 10, a data sending and receiving module 20, an analysis module 30 and a response module 40.
The processing module 10 is configured to, when a response message sent by an Internet server in response to a browser client's login request is received, add a specific identifier to the received response message to generate a new response message.
The data sending and receiving module 20 is configured to send the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request.
In the present embodiment, in order to obtain more functional access rights, the browser client, when accessing an Internet server for the first time, can log in to the server with an account and password obtained from that Internet server. For example, when a user accesses the Sina website through the 360 browser on a computer, the user must register an account on the Sina website server and obtain the password corresponding to this account in order to obtain rights such as leaving messages or uploading data on the Sina website. When the user needs to leave a message or upload data, the user requests a login from the Sina server. The login request can only be forwarded through the server of the 360 browser, and only after successfully logging in to the Sina website server does the user have the right to leave messages or upload data. To make the user's access more secure, a firewall is usually set up between the browser server and the Internet server to monitor Internet access after the browser client has logged in and ensure the security of Internet access. In the present embodiment, the Internet access detection device is preferably a SOCKS server, and can also be a monitoring device such as a security gateway.
The user sends a login request to the Internet server through the browser. When the SOCKS server detects that the user-initiated request is a login request, it forwards the browser client's login request to the corresponding Internet server for verification by that server. When the SOCKS server receives the response message sent by the Internet server in response to the browser client's login request, it adds a specific identifier to the received response message to generate a new response message, and sends the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an Internet access request. The specific identifier can be a unique piece of JS code, a Java control or an ActiveX control, or a unique identifier that the SOCKS server generates by repeated hashing from the browser client's login time, session ID, IP or MAC address and the like, and that the browser supports.
The analysis module 30 is configured to, when an Internet access request sent by the browser client is received, analyze whether the received access request contains the specific identifier;
The response module 40 is configured to, when the received access request contains the specific identifier, authorize the browser client to access the Internet and send the received access request to the corresponding Internet server through the data sending and receiving module.
In the present embodiment, when the browser server receives the new response message that the SOCKS server sends in response to the browser client's login request, the browser server obtains the specific identifier from the new response message and adds it to every Internet access request the browser client initiates. For example, for an access request to the Sina website, the specific identifier is added to the Sina website URL, so that the URL the browser client accesses is updated.
The SOCKS server detects and receives, in real time, the Internet access requests that the browser client sends after a successful login. For example, after the browser client has successfully logged in to the Sina website server, the SOCKS server detects and receives in real time the browser client's requests to access the Sina website. When the SOCKS server receives an Internet access request sent by the browser client, it analyzes whether the received access request contains the specific identifier. This analysis comprises: the SOCKS server analyzes whether the received access request contains an identifier; when the received access request does not contain an identifier, it determines that the received access request does not contain the specific identifier; when the received access request contains an identifier, it obtains the identifier contained in the received access request and analyzes whether there is a pre-stored specific identifier that matches the obtained identifier; when there is a pre-stored specific identifier that matches the obtained identifier, it determines that the received access request contains the specific identifier; when no pre-stored specific identifier matches the obtained identifier, it determines that the received access request does not contain the specific identifier. That is, the SOCKS server first analyzes whether the received access request carries an identifier; if it does, the SOCKS server then analyzes whether the carried identifier is pre-stored on the SOCKS server; only if it is pre-stored does the SOCKS server determine that the received access request contains the specific identifier.
When the received access request contains the specific identifier, the browser client is authorized to access the Internet and the received access request is sent to the corresponding Internet server; when the received access request does not contain the specific identifier, the received access request is determined to be an illegitimate request and the response to it is refused.
To better describe the technical solution of the present invention: when the specific identifier is JS code, the SOCKS server intercepts the response message being returned to the browser, adds a JS script to the response message, and sends the response message with the added JS script to the browser on the client. When the browser receives the response message with the added JS script, the script runs; it changes the URLs of the page, adding a piece of JS code to each URL. The SOCKS server rewrites the browser's JS interfaces through its JS parsing module. The JS parsing module in the SOCKS server listens for the page access requests sent through the browser-side JS interfaces, intercepts them, obtains the JS code in each page access request, and analyzes whether the obtained JS code is consistent with the pre-stored JS code. When the obtained JS code is consistent with the pre-stored JS code, the intercepted page access request is considered a legitimate request; the browser client is authorized to access the internet and the received access request is sent to the corresponding internet server. When the obtained JS code is inconsistent with the pre-stored JS code, the received access request is determined to be an illegal request and the SOCKS server refuses to respond to it. When the browser's JS interfaces are rewritten, this JS is inserted at the very front of the response HTML and covers the following interfaces: XMLHttpRequest.prototype.open, window.open, form.submit, and so on. This requires no handling by the website's own JS logic; the script only needs to be placed at the very front. For example:

    // Keep a reference to the browser's original window.open
    var oriWinOpen = window.open;
    // Replace it with a wrapper that adds the identifier to the target URL
    window.open = function () {
        var url = arguments[0];
        arguments[0] = addToken(url);
        return oriWinOpen.apply(window, arguments);
    };

Each node in the browser is traversed, and the above JS code is added to every URL in the HTML tags that can issue an access request, including the following tags: <a>, <script>, <link>, <area>, <img>, <form>, <iframe> (embedded frame) and <frame>. After this replacement, the requests that these tags issue also carry the above JS code.
In this embodiment, when a response message sent by the internet server in reply to the browser client's login request is received, a specific identifier is added to the received response message to generate a new response message, and the new response message is sent to the browser client so that the browser client inserts the specific identifier when it sends internet access requests. When an internet access request sent by the browser client is received, the received access request is analyzed to determine whether it includes the specific identifier. When the received access request includes the specific identifier, the browser client is authorized to access the internet and the received access request is sent to the corresponding internet server through the data sending and receiving module. By verifying whether the internet access requests that the browser client sends after logging in successfully carry a specific identifier consistent with a pre-stored one, the browser client's access to the internet is controlled, which prevents illegal internet access and ensures the security of the browser client's internet access.
Further, the processing module 10 is also configured to delete the specific identifier carried in the received access request;
The response module 40 is also configured to authorize the browser client to access the internet and to send, through the data sending and receiving module, the access request from which the specific identifier has been deleted to the corresponding internet server.
In this embodiment, when the SOCKS server determines that the received access request includes the specific identifier, that is, when it determines that a pre-stored specific identifier is consistent with the one carried in the received access request, the SOCKS server determines that the received access request is a legitimate request, deletes the specific identifier carried in the received access request, authorizes the browser client to access the internet, and sends the access request from which the specific identifier has been deleted to the corresponding internet server through the data sending and receiving module. Sending the request only after the specific identifier has been deleted prevents an internet access request that carries the specific identifier from reaching the internet server and polluting the internet server's parameter data.
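The check, match and delete steps described above, together with the `addToken(url)` helper that the rewritten `window.open` calls, as an added example that is not code from the patent. The parameter name `_sid_tok`, the host `news.example` and the token strings are assumptions constructed for illustration, and rejecting a request that carries several copies of the identifier is a choice made in this example.

```javascript
// Added example, not code from the patent. TOKEN_PARAM and the token values
// are assumptions; the patent only says the identifier is added to the URL.
const TOKEN_PARAM = "_sid_tok";

// Browser side: the addToken(url) helper that the rewritten window.open,
// XMLHttpRequest.prototype.open and form.submit wrappers call. In a page,
// base would be location.href; it is a parameter here so the code runs in Node.
function addToken(url, token, base) {
  const u = new URL(url, base);
  u.searchParams.set(TOKEN_PARAM, token); // set() also replaces a stale copy
  return u.href;
}

// Proxy side: pre-store identifiers at login, then check, strip and forward.
function createGateway() {
  const stored = new Set();
  return {
    // Called when the login response passes through the proxy.
    register(token) {
      stored.add(token);
    },
    check(requestUrl) {
      const u = new URL(requestUrl);
      const carried = u.searchParams.getAll(TOKEN_PARAM);
      // Step 1: does the request carry an identifier at all?
      if (carried.length === 0) {
        return { allow: false, reason: "no identifier" };
      }
      // Choice made in this example: several copies are ambiguous, so reject.
      if (carried.length > 1) {
        return { allow: false, reason: "multiple identifiers" };
      }
      // Step 2: is the carried identifier one of the pre-stored ones?
      if (!stored.has(carried[0])) {
        return { allow: false, reason: "unknown identifier" };
      }
      // Step 3: delete the identifier so the upstream server never sees it.
      u.searchParams.delete(TOKEN_PARAM);
      return { allow: true, forward: u.href };
    },
  };
}

// Constructed sample run (host and token values are made up).
function runSample() {
  const gw = createGateway();
  gw.register("tok-constructed-1");
  const tagged = addToken("/news?id=7#top", "tok-constructed-1", "http://news.example/");
  return [
    gw.check(tagged),                                          // legitimate
    gw.check("http://news.example/news?id=7"),                 // no identifier
    gw.check("http://news.example/news?id=7&_sid_tok=forged"), // not pre-stored
  ];
}

console.log(runSample());
```

`URLSearchParams` re-serializes the whole query string when a parameter is set or deleted, which can change how other parameters are encoded; a proxy that must forward the request byte-for-byte would remove the identifier from the raw query string instead.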
The sequence numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments. From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to carry out the methods described in the embodiments of the present invention.
The foregoing is only the preferred embodiments of the present invention and does not thereby limit the patent scope of the present invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the present invention.

Claims (10)

1. A detection method for internet access, characterized in that the method comprises the steps of:
When a response message sent by an internet server in reply to a browser client's login request is received, adding a specific identifier to the received response message to generate a new response message, and sending the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an internet access request;
When an internet access request sent by the browser client is received, analyzing whether the received access request includes the specific identifier;
When the received access request includes the specific identifier, authorizing the browser client to access the internet and sending the received access request to the corresponding internet server.
2. The detection method for internet access according to claim 1, characterized in that, after the step of analyzing whether the received access request includes the specific identifier, the method further comprises:
When the received access request does not include the specific identifier, determining that the received access request is an illegal request and refusing to respond to the received access request.
3. The detection method for internet access according to claim 1 or 2, characterized in that the step of analyzing whether the received access request includes the specific identifier comprises:
Analyzing whether the received access request includes a specific identifier;
When the received access request does not include a specific identifier, determining that the received access request does not include the specific identifier;
When the received access request includes a specific identifier, obtaining the specific identifier that the received access request includes, and analyzing whether a pre-stored specific identifier is consistent with the obtained specific identifier;
When a pre-stored specific identifier is consistent with the obtained specific identifier, determining that the received access request includes the specific identifier;
When no pre-stored specific identifier is consistent with the obtained specific identifier, determining that the received access request does not include the specific identifier.
4. The detection method for internet access according to claim 1, characterized in that the step of authorizing the browser client to access the internet and sending the received access request to the corresponding internet server further comprises:
Deleting the specific identifier carried in the received access request;
Authorizing the browser client to access the internet and sending the access request from which the specific identifier has been deleted to the corresponding internet server.
5. The detection method for internet access according to claim 1, characterized in that, before the step of adding a specific identifier to the received response message to generate a new response message and sending the generated response message to the browser client, so that the browser client inserts the specific identifier when it sends an internet access request, the method further comprises:
When the response message sent by the internet server in reply to the browser client's login request is received, obtaining the login time and the session ID in the browser client's login request, and calculating a unique specific identifier according to hashing algorithm repeatedly.
6. A detection device for internet access, characterized in that the device comprises:
A processing module, configured to add, when a response message sent by an internet server in reply to a browser client's login request is received, a specific identifier to the received response message to generate a new response message;
A data sending and receiving module, configured to send the new response message to the browser client, so that the browser client inserts the specific identifier when it sends an internet access request;
An analysis module, configured to analyze, when an internet access request sent by the browser client is received, whether the received access request includes the specific identifier;
A response module, configured to authorize, when the received access request includes the specific identifier, the browser client to access the internet and to send the received access request to the corresponding internet server through the data sending and receiving module.
7. The detection device for internet access according to claim 6, characterized in that
The response module is further configured to determine, when the received access request does not include the specific identifier, that the received access request is an illegal request, and to refuse to respond to the received access request.
8. The detection device for internet access according to claim 6 or 7, characterized in that
The analysis module is further configured to analyze whether the received access request includes a specific identifier;
The response module is further configured to determine, when the received access request does not include a specific identifier, that the received access request does not include the specific identifier;
The processing module is further configured to obtain, when the received access request includes a specific identifier, the specific identifier that the received access request includes, and the analysis module analyzes whether a pre-stored specific identifier is consistent with the obtained specific identifier;
The response module is further configured to determine, when a pre-stored specific identifier is consistent with the obtained specific identifier, that the received access request includes the specific identifier; and
When no pre-stored specific identifier is consistent with the obtained specific identifier, to determine that the received access request does not include the specific identifier.
9. The detection device for internet access according to claim 6, characterized in that
The processing module is further configured to delete the specific identifier carried in the received access request;
The response module is further configured to authorize the browser client to access the internet and to send, through the data sending and receiving module, the access request from which the specific identifier has been deleted to the corresponding internet server.
10. The detection device for internet access according to claim 6, characterized in that
The processing module is further configured to obtain, when the response message sent by the internet server in reply to the browser client's login request is received, the login time and the session ID in the browser client's login request, and to calculate a unique specific identifier according to hashing algorithm repeatedly.
CN201410196524.2A 2014-05-09 2014-05-09 Internet access detection method and device Pending CN104038474A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410196524.2A CN104038474A (en) 2014-05-09 2014-05-09 Internet access detection method and device

Publications (1)

Publication Number Publication Date
CN104038474A true CN104038474A (en) 2014-09-10

Family

ID=51469064

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410196524.2A Pending CN104038474A (en) 2014-05-09 2014-05-09 Internet access detection method and device

Country Status (1)

Country Link
CN (1) CN104038474A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320567A1 (en) * 2007-06-20 2008-12-25 Imperva, Inc. System and method for preventing web frauds committed using client-scripting attacks
CN101478396A (en) * 2008-12-04 2009-07-08 黄希 Uni-directional cross-domain identity verification based on low correlation of private cipher key and application thereof
CN101997685A (en) * 2009-08-27 2011-03-30 阿里巴巴集团控股有限公司 Single sign-on method, single sign-on system and associated equipment
CN102480490A (en) * 2010-11-30 2012-05-30 国际商业机器公司 Method for preventing CSRF attack and equipment thereof
CN102624720A (en) * 2012-03-02 2012-08-01 华为技术有限公司 Method, device and system for identity authentication
CN103428179A (en) * 2012-05-18 2013-12-04 阿里巴巴集团控股有限公司 Method, system and device for logging into multi-domain-name website

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105635064A (en) * 2014-10-31 2016-06-01 杭州华三通信技术有限公司 CSRF attack detection method and device
CN105635064B (en) * 2014-10-31 2019-12-06 新华三技术有限公司 CSRF attack detection method and device
CN106210010A (en) * 2016-06-30 2016-12-07 深圳市中北明夷科技有限公司 A kind of move page surface information transmission method and device
CN110266661A (en) * 2019-06-04 2019-09-20 东软集团股份有限公司 A kind of authorization method, device and equipment
CN110266661B (en) * 2019-06-04 2021-09-14 东软集团股份有限公司 Authorization method, device and equipment
CN110474809A (en) * 2019-08-20 2019-11-19 北京百度网讯科技有限公司 Method and apparatus for output information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140910
