CN104079611A - Method for preventing cross-site request forgery, related device and system - Google Patents


Info

Publication number
CN104079611A
Authority
CN
China
Prior art keywords
conversion
page
cookie information
request message
target web
Legal status (assumed by Google Patents, not a legal conclusion): Pending
Application number
CN201310108023.XA
Other languages
Chinese (zh)
Inventor
张扬
朱磊
唐巧明
林晓炜
吴初潘
冯子木
龙丁奋
郭学亨
于树南
吴文斌
彭冲
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201310108023.XA
Priority to PCT/CN2013/086413 (WO2014153959A1)
Publication of CN104079611A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An embodiment of the invention discloses a method for preventing cross-site request forgery, a terminal, a server and a system. The method comprises the steps that a client, when receiving a page message from a browser, obtains the cookie information of the target web page that initiated the page message; if the client receives a first conversion basekey generated by a conversion script arranged on the target web page, it generates a page request message including the first conversion basekey and the cookie information; the client sends the page request message to the server so that the server authenticates the page request message according to the user identifier contained in the cookie information and the first conversion basekey, wherein the first conversion basekey is obtained by the conversion script transforming, with a conversion algorithm, the user identifier extracted from the cookie information of the target web page. By adopting the method, CSRF can be effectively prevented and the user's internet security is better ensured.

Description

Method, related apparatus and system for preventing cross-site request forgery
Technical field
The present invention relates to the field of computer technology, and in particular to a method, related apparatus and system for preventing cross-site request forgery.
Background technology
CSRF (Cross-site request forgery) refers to a third-party website deceiving the user's browser into forging an HTTP request, based on the user's cookie information held in the browser, and sending it to a target site, so that the identity and login information carried in the user's cookie are used to perform operations on the target site's server, such as modifying the user name or other information of the user, without the user's knowledge.
The scheme currently adopted in the prior art to prevent CSRF is as follows: the server sets a cookie in advance that carries an identifier (called a basekey) in a web page opened by the browser on the client; whenever that web page requests a service, the browser takes the identifier out of the cookie, places it in the request parameters and sends it to the server. From the basekey in the request parameters the server can determine whether the request is legitimate.
The prior art can solve the CSRF problem fairly well. However, the inventors found that the identifier basekey embedded in the server-assigned cookie information is generated directly by the server through a certain conversion algorithm, so a malicious program or script may still compute an identifier identical to this basekey by using the same algorithm as the server. This renders the CSRF protection ineffective and causes loss to the user.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a method, related apparatus and system for preventing cross-site request forgery that can prevent CSRF more effectively.
To solve the above technical problem, an embodiment of the present invention provides a method for preventing cross-site request forgery, comprising:
when the client receives a page message from the browser, obtaining the cookie information of the target web page that initiated the page message;
if the client receives a first conversion identifier generated by a conversion script arranged on the target web page, generating a page request message comprising the first conversion identifier and the cookie information;
the client sending the page request message to the server, so that the server authenticates the page request message according to the user identifier contained in the cookie information and the first conversion identifier;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page.
The method may further comprise: if the client does not receive the first conversion identifier generated by the conversion script arranged on the target web page, generating a page request message comprising the cookie information and sending it to the server.
The server authenticating the page request message according to the user identifier contained in the cookie information and the first conversion identifier may comprise:
when the page request message comprises the cookie information and the first conversion identifier, the server converting the user identifier extracted from the cookie information into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page, and comparing the second conversion identifier with the first conversion identifier; if the two match, authentication passes;
when the page request message comprises only the cookie information, or the second conversion identifier does not match the first conversion identifier, the server determining that authentication has failed.
Before the client, on receiving the page message from the browser, obtains the cookie information of the target web page that initiated the page message, the method may further comprise:
the client sending a connection request to the server;
the client receiving the cookie information containing the user identifier that the server returns in response to the connection request.
Correspondingly, an embodiment of the present invention also provides another method for preventing cross-site request forgery, comprising:
when the server receives a page request message from the client concerning the target web page, if the page request message comprises a first conversion identifier and the cookie information of the target web page, extracting the user identifier from the cookie information;
converting the user identifier using the conversion algorithm negotiated with the conversion script arranged on the target web page in the client, to obtain a second conversion identifier;
if the second conversion identifier matches the first conversion identifier, authentication succeeds and the page request message is responded to;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page.
The method may further comprise: if the page request message comprises only the cookie information, or the second conversion identifier does not match the first conversion identifier, determining that authentication has failed.
Before the server, on receiving a page request message from the client concerning the target web page that comprises the first conversion identifier and the cookie information of the target web page, extracts the user identifier from the cookie information, the method may further comprise:
the server receiving the connection request concerning the target web page sent by the client;
after the connection request passes authentication, the server responding to the connection request by returning to the client the cookie information containing the user identifier.
Correspondingly, an embodiment of the present invention also provides yet another method for preventing cross-site request forgery, comprising:
when the client receives a page message from the browser, obtaining the cookie information of the target web page that initiated the page message;
if the client receives a first conversion identifier generated by a conversion script arranged on the target web page, generating a page request message comprising the first conversion identifier and the cookie information, where the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page;
the client sending the page request message to the server;
after receiving the page request message, the server extracting the user identifier from the cookie information of the page request message;
the server converting the obtained user identifier into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page;
when the server judges that the second conversion identifier matches the first conversion identifier in the page request message, responding to the page request message.
Correspondingly, an embodiment of the present invention also provides a client for preventing cross-site request forgery, comprising:
an acquisition module, configured to obtain, when a page message from the browser is received, the cookie information of the target web page that initiated the page message;
a generation module, configured to generate, if a first conversion identifier generated by a conversion script arranged on the target web page is received, a page request message comprising the first conversion identifier and the cookie information;
a sending module, configured to send the page request message to the server, so that the server authenticates the page request message according to the user identifier contained in the cookie information and the first conversion identifier;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page.
The generation module may further be configured to generate, if the first conversion identifier generated by the conversion script arranged on the target web page is not received, a page request message comprising the cookie information and send it to the server.
The sending module may further be configured to send a connection request to the server;
and the client may further comprise a receiving module, configured to receive the cookie information containing the user identifier that the server returns in response to the connection request.
Correspondingly, an embodiment of the present invention also provides a server for preventing cross-site request forgery, comprising:
an extraction module, configured to extract, when a page request message from the client concerning the target web page is received and the page request message comprises a first conversion identifier and the cookie information of the target web page, the user identifier from the cookie information;
a conversion module, configured to convert the user identifier using the conversion algorithm negotiated with the conversion script arranged on the target web page in the client, to obtain a second conversion identifier;
a response module, configured to respond to the page request message when the second conversion identifier matches the first conversion identifier and authentication therefore succeeds;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page.
The server may further comprise:
a receiving module, configured to receive the connection request concerning the target web page sent by the client;
a processing module, configured to respond to the connection request, after it passes authentication, by returning to the client the cookie information containing the user identifier.
Correspondingly, an embodiment of the present invention also provides a system for preventing cross-site request forgery, comprising a client and a server, wherein:
the client is configured to obtain, when a page message from the browser is received, the cookie information of the target web page that initiated the page message; if a first conversion identifier generated by the conversion script arranged on the target web page is received, to generate a page request message comprising the first conversion identifier and the cookie information, where the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page; and to send the page request message to the server;
the server is configured, after receiving the page request message, to extract the user identifier from the cookie information of the page request message; to convert the obtained user identifier into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page; and, when it judges that the second conversion identifier matches the first conversion identifier in the page request message, to respond to the page request message.
In the embodiments of the present invention, when a user needs to initiate a page request for a certain web page through the client, the client not only sends the cookie message of that web page through the browser but also converts the user identifier in the cookie message into a conversion identifier using a conversion algorithm, and the server authenticates the page request according to the conversion identifier and the user identifier in the cookie. Because the conversion identifier is computed by the client from the combination of the conversion algorithm and the user identifier, a malicious program or link cannot obtain the conversion identifier from the conversion algorithm alone. CSRF can therefore be prevented effectively, the user's internet security is better guaranteed, and security requirements are met.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method for preventing cross-site request forgery according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another method for preventing cross-site request forgery according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of yet another method for preventing cross-site request forgery according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of still another method for preventing cross-site request forgery according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a terminal for preventing cross-site request forgery according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a server for preventing cross-site request forgery according to another embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, which is a schematic flowchart of a method for preventing cross-site request forgery according to an embodiment of the present invention, the method can be applied in all kinds of web applications in current use, with the client and the server together implementing the CSRF prevention function. Specifically, the method comprises:
S101: when the client receives a page message from the browser, it obtains the cookie information of the target web page that initiated the page message.
S102: if the client receives a first conversion identifier generated by the conversion script arranged on the target web page, it generates a page request message comprising the first conversion identifier and the cookie information. The first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page.
The conversion script may be loaded onto the target web page by the service provider that publishes the target web page when the page is generated. It may equally be loaded onto the target web page automatically by the server when the client requests the target web page.
The page message in S101 may be sent by the target web page when the user clicks a button, link or the like arranged on the target web page for modifying information.
In S102, if the page message was sent by the target web page when the user clicked such a button or link for modifying information, the conversion script arranged on the target web page can, on detecting the click, extract the user identifier from the cookie information of the target web page, convert the extracted user identifier according to the preset conversion algorithm, and generate the first conversion identifier.
The user identifier in the cookie information may be the user name and/or the login key with which the user logs into a certain class of application on the target web page.
The conversion algorithm may comprise a hash (HASH) algorithm; specifically, the DJB hash algorithm may be applied to the extracted user identifier to obtain a new identifier, such as a character string, as the first conversion identifier. An HTTP request, namely the page request message, comprising this first conversion identifier and the cookie information of the target web page is then generated.
Further, when CSRF occurs, the page message in S101 may also be one that a malicious link or malicious program running automatically on another web page triggers the target web page into sending while the user has that other web page open.
If the page message was triggered in this way, then, under the same-origin policy of the prior art, the malicious link or program running automatically on the other web page has a domain name, protocol, port or the like that differs from those of the target web page. It therefore cannot trigger the conversion script on the target web page to run, and cannot get the user identifier in the cookie information of the target web page converted, so the client does not receive a first conversion identifier generated by the conversion script arranged on the target web page. In that case the client, according to the page message, can only generate a page request message comprising the cookie information of the target web page.
S103: the client sends the page request message to the server.
The page request message sent is either a page request message comprising the first conversion identifier and the cookie information of the target web page, or a page request message comprising only the cookie information.
S104: after receiving the page request message, the server extracts the user identifier from the cookie information of the page request message.
S105: the server converts the obtained user identifier into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page.
S106: when the server judges that the second conversion identifier matches the first conversion identifier in the page request message, it responds to the page request message.
After receiving the page request message, the server identifies this page request message (HTTP request) according to existing identification methods and determines the client, the browser, and the target web page in the browser that initiated the page request message.
In S104, if the page request message comprises the first conversion identifier and the cookie information, the user identifier is obtained from the cookie information of the page request message, and in S105 the user identifier is converted using the same conversion algorithm as the conversion script to obtain the second conversion identifier. Another conversion algorithm negotiated with the client may of course be adopted, as long as the identifiers converted at the client and at the server can be checked for a match.
In S106, after the second conversion identifier is obtained, the first conversion identifier is extracted from the corresponding field of the page request message and the two are compared. If they are identical, the page request message is determined to be legitimate and is responded to by performing the requested operation, such as create, delete, query or modify. If they are not identical, the page request message is an illegitimate operation: the operation requested by the page request message is refused, and a warning can also be sent to the corresponding user if needed, for example by sending a warning message to a report area arranged in advance on the target web page.
Of course, the server may also first extract the first conversion identifier from the corresponding field of the page request message, then perform S106 to obtain the second conversion identifier, and finally perform S107.
If the page request message comprises only the cookie information, it can be directly determined to be an illegitimate operation and authentication fails. A warning can likewise be sent to the corresponding user, for example by sending a warning message to a report area arranged in advance on the target web page.
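The S101 to S106 exchange above, written out as an added JavaScript example (this is not code from the patent or from Tencent): a same-origin conversion script derives the first conversion identifier from the user identifier in the target page's cookie with the DJB hash the description names, the client attaches it to the page request message, and the server recomputes the second conversion identifier and compares. The cookie name `uid`, the request field `basekey` and the sample cookie values are assumptions.

```javascript
// Added example modelling the patent's S101-S106 flow; not code from the patent.
// Names such as the "uid" cookie and the "basekey" request field are assumptions.

// DJB hash (djb2), the conversion algorithm the description names. Kept to
// 32 bits with Math.imul so the client and the server produce identical values.
function djbHash(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) {
    h = (Math.imul(h, 33) + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Split a Cookie header ("k=v; k2=v2") into an object (constructed helper).
function parseCookies(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Conversion script arranged on the target web page (S102). It can read the
// page's cookie only because it runs in the page's own origin; a page on
// another origin cannot run it, which is the same-origin argument in the text.
function conversionScript(cookieHeader, userIdKey = 'uid') {
  const uid = parseCookies(cookieHeader)[userIdKey];
  if (uid === undefined) return null;
  return String(djbHash(uid)); // first conversion identifier
}

// Client side (S102/S103): the page request message always carries the cookie;
// the basekey field is present only when the conversion script delivered one
// (the no-identifier branch is the call with firstId === null).
function buildPageRequest(cookieHeader, firstId) {
  const request = { headers: { Cookie: cookieHeader }, body: {} };
  if (firstId !== null && firstId !== undefined) request.body.basekey = firstId;
  return request;
}

// Server side (S104-S106): extract the user identifier from the cookie,
// recompute the second conversion identifier, compare it with the first.
function authenticatePageRequest(request, userIdKey = 'uid') {
  const first = request.body.basekey;
  if (first === undefined) {
    // Only cookie information present: treated as illegitimate (S103/S106).
    return { ok: false, reason: 'no conversion identifier' };
  }
  const uid = parseCookies(request.headers.Cookie || '')[userIdKey];
  if (uid === undefined) return { ok: false, reason: 'no user identifier in cookie' };
  const second = String(djbHash(uid));
  // A production check would use a constant-time comparison here.
  if (second !== first) return { ok: false, reason: 'identifier mismatch' };
  return { ok: true, reason: 'authenticated' };
}

// Constructed sample cookie for a logged-in user of the target page.
const SAMPLE_COOKIE = 'uid=alice; session=constructed-session-value';

// A request from the target page itself: the conversion script ran.
function legitimateFlow(cookieHeader = SAMPLE_COOKIE) {
  const firstId = conversionScript(cookieHeader);
  return authenticatePageRequest(buildPageRequest(cookieHeader, firstId));
}

// A request triggered from another origin: the browser still attaches the
// cookie, but the conversion script on the target page never ran.
function forgedFlow(cookieHeader = SAMPLE_COOKIE) {
  return authenticatePageRequest(buildPageRequest(cookieHeader, null));
}

console.log(legitimateFlow(), forgedFlow());
```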
In the embodiments of the present invention, when a user needs to initiate a page request for a certain web page through the client, the client not only sends the cookie message of that web page through the browser but also converts the user identifier in the cookie message into a conversion identifier using a conversion algorithm, and the server authenticates the page request according to the conversion identifier and the user identifier in the cookie. Because the conversion identifier is computed by the client from the combination of the conversion algorithm and the user identifier, a malicious program or link cannot obtain the conversion identifier from the conversion algorithm alone. CSRF can therefore be prevented effectively, the user's internet security is better guaranteed, and security requirements are met.
Referring now to Fig. 2, which is a schematic flowchart of another method for preventing cross-site request forgery according to an embodiment of the present invention, the method can be applied in all kinds of web applications in current use, with the client and the server together implementing the CSRF prevention function. Specifically, the method of this embodiment is applied in clients, such as smartphones and PCs, on which a browser can be installed to browse different web pages, and the method comprises:
S201: when the client receives a page message from the browser, it obtains the cookie information of the target web page that initiated the page message.
The page message in S201 may be sent by the target web page when the user clicks a button, link or the like arranged on the target web page for modifying information. Alternatively, when CSRF occurs, the page message in S201 may be one that a malicious link or malicious program running automatically on another web page triggers the target web page into sending while the user has that other web page open.
In this embodiment, before S201 the method may further comprise: the client sending a connection request to the server; and the client receiving the cookie information containing the user identifier that the server returns in response to the connection request.
The client may open one or more web pages in the browser and submit a connection request on one of them, for example by submitting information such as the client user's user name and/or login key on a social forum page. The browser sends a connection request (HTTP request) carrying the user identifier entered by the user to the corresponding server (for example the social forum server), so that the server authenticates the connection request and judges whether the user is a legitimate user such as a member; if so, it assigns a cookie.
S202: if the client receives a first conversion identifier generated by the conversion script arranged on the target web page, it generates a page request message comprising the first conversion identifier and the cookie information. The first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user identifier extracted from the cookie information of the target web page. Proceed to S204.
S203: if the client does not receive a first conversion identifier generated by the conversion script arranged on the target web page, it generates a page request message comprising the cookie information and sends it to the server.
If the page message was sent by the target web page when the user clicked a button, link or the like arranged on the target web page for modifying information, S202 is performed. That is, when the conversion script arranged on the target web page detects that the user has clicked such a button or link, it extracts the user identifier from the cookie information of the target web page, converts the extracted user identifier according to the preset conversion algorithm, and generates the first conversion identifier.
If instead the page message was triggered by a malicious link or malicious program running automatically on another web page while the user had that page open, S203 is performed. That is, under the same-origin policy of the prior art, the malicious link or program running automatically on the other web page has a domain name, protocol, port or the like that differs from those of the target web page; it therefore cannot trigger the conversion script on the target web page to run, and cannot get the user identifier in the cookie information of the target web page converted, so the client does not receive a first conversion identifier generated by the conversion script arranged on the target web page. In that case the client, according to the page message, can only generate a page request message comprising the cookie information of the target web page.
The step, performed before S202 or S203, of detecting whether the first conversion identifier generated by the conversion script arranged on the target web page has been received may specifically comprise: the client checking whether it receives the first conversion identifier generated by the conversion script arranged on the target web page within a preset time range threshold; if it is received within the preset time range threshold, S202 is performed; if it is not received within the preset time range threshold, S203 is performed.
S204: the client sends the page request message to the server, so that the server authenticates the page request message according to the user identifier contained in the cookie information and the first conversion identifier.
The server authenticating the page request message according to the user identifier contained in the cookie information and the first conversion identifier comprises:
when the page request message comprises the cookie information and the first conversion identifier, the server converting the user identifier extracted from the cookie information into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page, and comparing the second conversion identifier with the first conversion identifier; if the two match, authentication passes;
when the page request message comprises only the cookie information, or the second conversion identifier does not match the first conversion identifier, the server determining that authentication has failed.
In the embodiments of the present invention, when a user needs to initiate a page request for a certain web page through the client, the client not only sends the cookie message of that web page through the browser but also converts the user identifier in the cookie message into a conversion identifier using a conversion algorithm, and the server authenticates the page request according to the conversion identifier and the user identifier in the cookie. Because the conversion identifier is computed by the client from the combination of the conversion algorithm and the user identifier, a malicious program or link cannot obtain the conversion identifier from the conversion algorithm alone. CSRF can therefore be prevented effectively, the user's internet security is better guaranteed, and security requirements are met.
Referring again to Fig. 3, which is a schematic flow chart of another method for preventing cross-site request forgery according to an embodiment of the present invention, the method of this embodiment can be applied in all kinds of web applications in current use, with the client and the server cooperating to realize the CSRF prevention function. Specifically, the method of this embodiment is applied in application servers such as social forums and web-based instant messaging applications, and specifically comprises:
S301: when the server receives a page request message about a target web page from the client, if the page request message contains a first conversion identifier and the cookie information of the target web page, the server extracts the user ID from the cookie information.
Here the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
As mentioned above, the conversion script arranged on the target web page in the client can specifically convert the user ID extracted from the cookie information of the target web page according to a preset conversion algorithm, obtaining the first conversion identifier. The conversion algorithm may comprise a hash (HASH) algorithm; specifically, the DJB hash algorithm may be used to hash the extracted user ID, obtaining a new first conversion identifier such as character identification information.
The client then generates a page request message containing the first conversion identifier and the cookie information of the target web page, and sends it to the server.
Likewise, if the page request message was triggered by a malicious link or malicious program on another web page, the conversion script arranged on the target web page in the client does not obtain the first conversion identifier, and the malicious link or malicious program on the other web page cannot generate a first conversion identifier and provide it to the client. In that case the page request message sent by the client does not contain a first conversion identifier; as in the prior art, it contains only the cookie information of the target web page, and the server can directly carry out S304 below.
Further, before S301 the method also comprises: the server receives a connection request about the target web page sent by the client; after the connection request passes authentication, the server responds to the connection request and returns to the client cookie information containing the user ID.
S302: the server converts the user ID using the conversion algorithm negotiated with the conversion script arranged on the target web page in the client, obtaining a second conversion identifier.
After receiving the page request message, the server identifies the page request message (an HTTP request) by existing identification means and determines the client, the browser and the target web page within that browser from which the page request message was initiated.
S302 converts the user ID with the same conversion algorithm as the conversion script, obtaining the second conversion identifier. Other conversion algorithms negotiated with the client may of course be used, so that the conversion identifiers computed by the client and the server can be checked for a match.
After obtaining the second conversion identifier, the server extracts the first conversion identifier from the corresponding field of the page request message and compares the two. If they are identical, the page request message is determined to be legitimate, S303 below is carried out, and the server responds to the page request message with the corresponding operation such as adding, deleting, querying or modifying. If they are not identical, the page request message is an illegal operation, S304 below is carried out, the operation requested by the page request message is refused, and if necessary a warning is sent to the corresponding user, for example by sending a warning message to a report area arranged in advance on the target web page.
S303: if the second conversion identifier matches the first conversion identifier, authentication succeeds and the server responds to the page request message.
Of course, the server may also first extract the first conversion identifier from the corresponding field of the page request message, then carry out S302 to obtain the second conversion identifier, and finally carry out S303 or S304.
S304: if the page request message contains only the cookie information, or the second conversion identifier does not match the first conversion identifier, authentication is determined to have failed.
If the page request message contains only the cookie information, it can be directly judged that the page request message is an illegal operation and authentication fails. A warning may likewise be sent to the corresponding user, for example by sending a warning message to a report area arranged in advance on the target web page.
In the embodiment of the present invention, when a user needs to initiate a page request for a certain web page through the client, the client must not only send the cookie information of that web page through the browser, but must also convert the user ID in the cookie information into a conversion identifier using a conversion algorithm, and the server authenticates the page request according to the conversion identifier and the user ID in the cookie. Because the conversion identifier is computed by the client from the conversion algorithm combined with the user ID, a malicious program or link cannot obtain the conversion identifier from the conversion algorithm alone. CSRF can therefore be effectively prevented, the user's network security is better guaranteed, and the security requirement is met.
The terminal and the system for preventing cross-site request forgery according to embodiments of the present invention are described in detail below.
Referring to Fig. 4, which is a schematic structural diagram of a system for preventing cross-site request forgery according to an embodiment of the present invention, the system can be applied in all kinds of web applications in current use, with the client and the server cooperating to realize the CSRF prevention function. Specifically, the system comprises: a client 1 and a server 2.
The client 1 can be a device on which a browser can be installed to browse different web pages, such as a smartphone or a PC. The server 2 can be an application server such as a social forum or a web-based instant messaging application.
The client 1 is configured to obtain, when receiving a page message from the browser, the cookie information of the target web page that initiated the page message; if the first conversion identifier generated by the conversion script arranged on the target web page is received, to generate a page request message containing the first conversion identifier and the cookie information, where the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page; and to send the page request message to the server 2.
The server 2 is configured to extract, after receiving the page request message, the user ID from the cookie information of the page request message; to convert the obtained user ID into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page; and to respond to the page request message when it judges that the second conversion identifier matches the first conversion identifier in the page request message.
Specifically, referring to Fig. 5, which is a schematic structural diagram of a client for preventing cross-site request forgery according to an embodiment of the present invention, the client 1 of this embodiment comprises:
an acquisition module 11, configured to obtain, when receiving a page message from the browser, the cookie information of the target web page that initiated the page message;
a generation module 12, configured to generate, if the first conversion identifier generated by the conversion script arranged on the target web page is received, a page request message containing the first conversion identifier and the cookie information;
a sending module 13, configured to send the page request message to the server, so that the server authenticates the page request message according to the user ID contained in the cookie information and the first conversion identifier;
where the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
The conversion script can be loaded onto the target web page by the service provider that publishes the target web page when the target web page is generated. It can of course also be loaded onto the target web page automatically by the server when the client requests the target web page.
The page message can be sent by the target web page when the user clicks a button, such as a modification link, arranged on the target web page.
If the page message was sent by the target web page because the user clicked a button such as a modification link arranged on it, the conversion script arranged on the target web page can, on detecting the click operation, extract the user ID from the cookie information of the target web page, convert the extracted user ID according to the preset conversion algorithm, and generate the first conversion identifier.
The user ID in the cookie information can be a user name and/or a login key, i.e. the user name and/or login key information with which the user logs in to a certain class of application on the target web page.
The conversion algorithm may comprise a hash (HASH) algorithm; specifically, the DJB hash algorithm may be used to hash the extracted user ID, obtaining a new first conversion identifier such as character identification information. The client then generates an HTTP request, i.e. a page request message, containing this first conversion identifier and the cookie information of the target web page.
The generation module 12 is configured to generate the page request message containing the first conversion identifier and the cookie information of the target web page.
Further and optionally, the generation module 12 of the client of the embodiment of the present invention is also configured to generate, if the first conversion identifier generated by the conversion script arranged on the target web page is not received, a page request message containing the cookie information and send it to the server.
Further, when CSRF occurs, the page message can also be one that the target web page sends because a malicious link or malicious program running automatically on another web page that the user opened triggered it.
If the page message was sent by the target web page because a malicious link or malicious program running automatically on another web page that the user opened triggered it, then, under the same-origin policy of the prior art, the malicious link or malicious program running automatically on the other web page has a domain name, protocol, port, etc. that differ from those of the target web page, so it cannot trigger the conversion script on the target web page and cannot obtain the user ID in the cookie information of the target web page to convert it. Therefore the client does not receive the first conversion identifier generated by the conversion script arranged on the target web page. In that case, according to the page message, the generation module 12 can only generate a page request message containing the cookie information of the target web page.
Before the acquisition module 11, the generation module 12 and the sending module 13 carry out the functions above, the sending module 13 is also configured to send a connection request to the server; further and optionally, as shown in Fig. 5, the terminal of the embodiment of the present invention can also comprise: a receiving module 14, configured to receive the cookie information containing the user ID that the server returns according to the connection request.
Referring again to Fig. 6, which is a schematic structural diagram of a server for preventing cross-site request forgery according to an embodiment of the present invention, the server 2 of this embodiment comprises:
an extraction module 21, configured to extract, when a page request message about a target web page is received from the client, the user ID from the cookie information if the page request message contains a first conversion identifier and the cookie information of the target web page;
a conversion module 22, configured to convert the user ID using the conversion algorithm negotiated with the conversion script arranged on the target web page in the client, obtaining a second conversion identifier;
a response module 23, configured to respond to the page request message if the second conversion identifier matches the first conversion identifier, authentication having succeeded;
where the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
After receiving the page request message, the server identifies the page request message (an HTTP request) by existing identification means and determines the client, the browser and the target web page within that browser from which the page request message was initiated.
If the response module 23 finds that the page request message contains a first conversion identifier and cookie information, the extraction module 21 obtains the user ID from the cookie information of the page request message, and the conversion module 22 converts the user ID with the same conversion algorithm as the conversion script, obtaining the second conversion identifier. Other conversion algorithms negotiated with the client may of course be used, so that the conversion identifiers computed by the client and the server can be checked for a match.
After the second conversion identifier is obtained, the response module 23 extracts the first conversion identifier from the corresponding field of the page request message and compares the two. If they are identical, the page request message is determined to be legitimate and the server responds to it with the corresponding operation such as adding, deleting, querying or modifying; if they are not identical, the page request message is an illegal operation, the operation it requests is refused, and if necessary a warning is sent to the corresponding user, for example by sending a warning message to a report area arranged in advance on the target web page.
If the page request message contains only the cookie information, it can be directly judged that the page request message is an illegal operation and authentication fails. A warning may likewise be sent to the corresponding user, for example by sending a warning message to a report area arranged in advance on the target web page.
Further and optionally, as shown in Fig. 6, the server of the embodiment of the present invention also comprises:
a receiving module 24, configured to receive the connection request about the target web page sent by the client;
a processing module 25, configured to respond to the connection request after it passes authentication, returning to the client the cookie information containing the user ID.
Through the receiving module 24 and the processing module 25, the server cooperates with the sending module 13 and the receiving module 14 of the client described above to complete the distribution of the cookie information of the target web page.
In the embodiment of the present invention, when a user needs to initiate a page request for a certain web page through the client, the client must not only send the cookie information of that web page through the browser, but must also convert the user ID in the cookie information into a conversion identifier using a conversion algorithm, and the server authenticates the page request according to the conversion identifier and the user ID in the cookie. Because the conversion identifier is computed by the client from the conversion algorithm combined with the user ID, a malicious program or link cannot obtain the conversion identifier from the conversion algorithm alone. CSRF can therefore be effectively prevented, the user's network security is better guaranteed, and the security requirement is met.
Those of ordinary skill in the art will appreciate that all or part of the flows in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flows of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), etc.
What is disclosed above is only a preferred embodiment of the present invention and certainly cannot limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.
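The client flow (S201 to S204) and the server flow (S301 to S304) described above, modelled end to end as an added example that is not code from the patent. The DJB hash is the algorithm the text names; the cookie name "uid", the header name "X-Conversion-Id" and the hex rendering of the hash are assumptions made for this model.

```javascript
// Added example, not code from the patent. Models the client flow S201-S204
// and the server flow S301-S304. Assumptions: the user ID lives in a cookie
// named "uid", the first conversion identifier travels in a request header
// named "X-Conversion-Id", and the DJB hash is rendered as lowercase hex.

// DJB hash (Bernstein's "times 33" hash), the algorithm the text names,
// kept in 32-bit unsigned arithmetic so client and server agree exactly.
function djbHash(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) {
    // h = h * 33 + c, reduced mod 2^32 by the unsigned shift.
    h = ((h << 5) + h + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Parse a Cookie header ("k=v; k2=v2") into a plain object.
function parseCookie(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// The conversion script arranged on the target web page: on a click it reads
// the user ID from the page's own cookie and converts it (S201/S202). Only
// script running in the target page's origin can read that cookie.
function conversionScript(cookieHeader) {
  const userId = parseCookie(cookieHeader).uid;
  if (userId === undefined) return null;
  return djbHash(userId).toString(16);
}

// Client: build the page request message. `firstConversionId` is what the
// conversion script delivered, or null when nothing arrived within the
// preset time window, which is the cross-origin trigger case (S203).
function buildPageRequest(cookieHeader, firstConversionId) {
  const req = { headers: { Cookie: cookieHeader } };
  if (firstConversionId !== null) {
    req.headers['X-Conversion-Id'] = firstConversionId;
  }
  return req;
}

// Server: authenticate the page request message (S301-S304).
function authenticatePageRequest(req) {
  const first = req.headers['X-Conversion-Id'];
  // Only cookie information present: reject directly (S304).
  if (first === undefined) return { ok: false, reason: 'missing conversion id' };
  const userId = parseCookie(req.headers.Cookie || '').uid;
  if (userId === undefined) return { ok: false, reason: 'missing user id' };
  // Recompute with the same negotiated algorithm (S302) and compare (S303/S304).
  const second = djbHash(userId).toString(16);
  if (second !== first) return { ok: false, reason: 'conversion id mismatch' };
  return { ok: true, userId };
}

// Constructed scenarios: a same-origin click and a cross-site trigger.
function demo() {
  const cookie = 'uid=alice; sid=s3ss10n';
  // Same-origin click: the page's script ran and produced the identifier.
  const legit = buildPageRequest(cookie, conversionScript(cookie));
  // Cross-site trigger: the browser still attaches the cookie, but the
  // target page's script did not run, so no identifier is produced.
  const forged = buildPageRequest(cookie, null);
  return {
    legit: authenticatePageRequest(legit),
    forged: authenticatePageRequest(forged),
  };
}

// Note for practitioners: the identifier is an unkeyed hash of a value the
// attacker does not hold, so the defence rests entirely on the browser's
// same-origin policy keeping the target page's cookie unreadable elsewhere.
```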

Claims (14)

1. A method for preventing cross-site request forgery, characterized in that it comprises:
a client, when receiving a page message from a browser, obtaining the cookie information of the target web page that initiated the page message;
if the client receives a first conversion identifier generated by a conversion script arranged on the target web page, generating a page request message containing the first conversion identifier and the cookie information;
the client sending the page request message to a server, so that the server authenticates the page request message according to the user ID contained in the cookie information and the first conversion identifier;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
2. The method according to claim 1, characterized in that it further comprises:
if the client does not receive the first conversion identifier generated by the conversion script arranged on the target web page, generating a page request message containing the cookie information and sending it to the server.
3. The method according to claim 2, characterized in that the server authenticating the page request message according to the user ID contained in the cookie information and the first conversion identifier comprises:
when the page request message contains the cookie information and the first conversion identifier, the server converting the user ID extracted from the cookie information into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page, and comparing the second conversion identifier with the first conversion identifier; if the two match, authentication passing;
when the page request message contains only the cookie information, or the second conversion identifier does not match the first conversion identifier, the server determining that authentication fails.
4. The method according to any one of claims 1 to 3, characterized in that, before the client obtains, when receiving the page message from the browser, the cookie information of the target web page that initiated the page message, the method further comprises:
the client sending a connection request to the server;
the client receiving the cookie information containing the user ID that the server returns according to the connection request.
5. A method for preventing cross-site request forgery, characterized in that it comprises:
a server, when receiving a page request message about a target web page from a client, extracting the user ID from the cookie information if the page request message contains a first conversion identifier and the cookie information of the target web page;
converting the user ID using a conversion algorithm negotiated with a conversion script arranged on the target web page in the client, obtaining a second conversion identifier;
if the second conversion identifier matches the first conversion identifier, authentication succeeding and the server responding to the page request message;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
6. The method according to claim 5, characterized in that it further comprises:
if the page request message contains only the cookie information, or the second conversion identifier does not match the first conversion identifier, determining that authentication fails.
7. The method according to claim 5 or 6, characterized in that, before the server, when receiving the page request message about the target web page from the client, extracts the user ID from the cookie information if the page request message contains the first conversion identifier and the cookie information of the target web page, the method further comprises:
the server receiving a connection request about the target web page sent by the client;
the server, after the connection request passes authentication, responding to the connection request and returning to the client the cookie information containing the user ID.
8. A method for preventing cross-site request forgery, characterized in that it comprises:
a client, when receiving a page message from a browser, obtaining the cookie information of the target web page that initiated the page message;
if the client receives a first conversion identifier generated by a conversion script arranged on the target web page, generating a page request message containing the first conversion identifier and the cookie information, the first conversion identifier being obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page;
the client sending the page request message to a server;
the server, after receiving the page request message, extracting the user ID from the cookie information of the page request message;
the server converting the obtained user ID into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page;
the server responding to the page request message when it judges that the second conversion identifier matches the first conversion identifier in the page request message.
9. A client for preventing cross-site request forgery, characterized in that it comprises:
an acquisition module, configured to obtain, when receiving a page message from a browser, the cookie information of the target web page that initiated the page message;
a generation module, configured to generate, if a first conversion identifier generated by a conversion script arranged on the target web page is received, a page request message containing the first conversion identifier and the cookie information;
a sending module, configured to send the page request message to a server, so that the server authenticates the page request message according to the user ID contained in the cookie information and the first conversion identifier;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
10. The client according to claim 9, characterized in that it further comprises:
the generation module being also configured to generate, if the first conversion identifier generated by the conversion script arranged on the target web page is not received, a page request message containing the cookie information and send it to the server.
11. The client according to claim 9 or 10, characterized in that
the sending module is also configured to send a connection request to the server;
the client further comprises:
a receiving module, configured to receive the cookie information containing the user ID that the server returns according to the connection request.
12. A server for preventing cross-site request forgery, characterized in that it comprises:
an extraction module, configured to extract, when a page request message about a target web page is received from a client, the user ID from the cookie information if the page request message contains a first conversion identifier and the cookie information of the target web page;
a conversion module, configured to convert the user ID using a conversion algorithm negotiated with a conversion script arranged on the target web page in the client, obtaining a second conversion identifier;
a response module, configured to respond to the page request message if the second conversion identifier matches the first conversion identifier, authentication having succeeded;
wherein the first conversion identifier is obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page.
13. The server according to claim 12, characterized in that it further comprises:
a receiving module, configured to receive a connection request about the target web page sent by the client;
a processing module, configured to respond to the connection request after it passes authentication, returning to the client the cookie information containing the user ID.
14. A system for preventing cross-site request forgery, characterized in that it comprises a client and a server, wherein
the client is configured to obtain, when receiving a page message from a browser, the cookie information of the target web page that initiated the page message; if a first conversion identifier generated by a conversion script arranged on the target web page is received, to generate a page request message containing the first conversion identifier and the cookie information, the first conversion identifier being obtained by the conversion script converting, according to a preset conversion algorithm, the user ID extracted from the cookie information of the target web page; and to send the page request message to the server;
the server is configured to extract, after receiving the page request message, the user ID from the cookie information of the page request message; to convert the obtained user ID into a second conversion identifier using the conversion algorithm negotiated with the conversion script on the target web page; and to respond to the page request message when it judges that the second conversion identifier matches the first conversion identifier in the page request message.
CN201310108023.XA 2013-03-29 2013-03-29 Method for preventing cross-site request forgery, related device and system Pending CN104079611A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310108023.XA CN104079611A (en) 2013-03-29 2013-03-29 Method for preventing cross-site request forgery, related device and system
PCT/CN2013/086413 WO2014153959A1 (en) 2013-03-29 2013-11-01 Method, related apparatus and system for preventing cross-site request forgery

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310108023.XA CN104079611A (en) 2013-03-29 2013-03-29 Method for preventing cross-site request forgery, related device and system

Publications (1)

Publication Number Publication Date
CN104079611A true CN104079611A (en) 2014-10-01

Family

ID=51600653

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310108023.XA Pending CN104079611A (en) 2013-03-29 2013-03-29 Method for preventing cross-site request forgery, related device and system

Country Status (2)

Country Link
CN (1) CN104079611A (en)
WO (1) WO2014153959A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376264A (en) * 2015-12-24 2016-03-02 中国建设银行股份有限公司 Authentication method and equipment
CN106341370A (en) * 2015-07-07 2017-01-18 北京京东尚科信息技术有限公司 Method and device for defending cross-site request forgery attack
CN106549760A (en) * 2015-09-16 2017-03-29 阿里巴巴集团控股有限公司 Auth method and device based on cookie
CN106549925A (en) * 2015-09-23 2017-03-29 阿里巴巴集团控股有限公司 Prevent method, the apparatus and system of cross-site request forgery
CN106657024A (en) * 2016-11-29 2017-05-10 珠海市魅族科技有限公司 Method and device for preventing cookie from being tampered
CN107682346A (en) * 2017-10-19 2018-02-09 南京大学 A kind of fast positioning and identifying system and method for CSRF attacks
CN108712367A (en) * 2018-03-28 2018-10-26 新华三信息安全技术有限公司 A kind of message processing method, device and equipment
CN110912903A (en) * 2019-11-27 2020-03-24 支付宝实验室(新加坡)有限公司 Cross-domain access method and device
CN111212016A (en) * 2018-11-21 2020-05-29 阿里巴巴集团控股有限公司 Cross-site request processing method and device and electronic equipment
CN112507254A (en) * 2020-12-10 2021-03-16 北京达佳互联信息技术有限公司 Application program authorization method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594343B (en) * 2008-05-29 2013-01-23 国际商业机器公司 Device and method of safely submitting request as well as device and method of safely processing request
US8640216B2 (en) * 2009-12-23 2014-01-28 Citrix Systems, Inc. Systems and methods for cross site forgery protection
US8813237B2 (en) * 2010-06-28 2014-08-19 International Business Machines Corporation Thwarting cross-site request forgery (CSRF) and clickjacking attacks
CN102685081B (en) * 2011-03-17 2016-02-17 腾讯科技(深圳)有限公司 Web page request security processing method and system

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106341370A (en) * 2015-07-07 2017-01-18 北京京东尚科信息技术有限公司 Method and device for defending cross-site request forgery attack
CN106341370B (en) * 2015-07-07 2020-11-24 北京京东尚科信息技术有限公司 Method and device for defending cross-site request forgery attack
CN106549760A (en) * 2015-09-16 2017-03-29 阿里巴巴集团控股有限公司 Cookie-based authentication method and device
CN106549925A (en) * 2015-09-23 2017-03-29 阿里巴巴集团控股有限公司 Method, apparatus and system for preventing cross-site request forgery
CN105376264A (en) * 2015-12-24 2016-03-02 中国建设银行股份有限公司 Authentication method and equipment
CN106657024B (en) * 2016-11-29 2020-04-21 珠海市魅族科技有限公司 Method and device for preventing cookie from being tampered
CN106657024A (en) * 2016-11-29 2017-05-10 珠海市魅族科技有限公司 Method and device for preventing cookie from being tampered
CN107682346A (en) * 2017-10-19 2018-02-09 南京大学 Fast localization and identification system and method for CSRF attacks
CN108712367A (en) * 2018-03-28 2018-10-26 新华三信息安全技术有限公司 Message processing method, device and equipment
CN111212016A (en) * 2018-11-21 2020-05-29 阿里巴巴集团控股有限公司 Cross-site request processing method and device and electronic equipment
CN111212016B (en) * 2018-11-21 2022-09-23 阿里巴巴集团控股有限公司 Cross-site request processing method and device and electronic equipment
CN110912903A (en) * 2019-11-27 2020-03-24 支付宝实验室(新加坡)有限公司 Cross-domain access method and device
CN110912903B (en) * 2019-11-27 2022-01-04 支付宝实验室(新加坡)有限公司 Cross-domain access method and device
CN112507254A (en) * 2020-12-10 2021-03-16 北京达佳互联信息技术有限公司 Application program authorization method and device
CN112507254B (en) * 2020-12-10 2024-06-11 北京达佳互联信息技术有限公司 Application program authorization method and device

Also Published As

Publication number Publication date
WO2014153959A1 (en) 2014-10-02

Similar Documents

Publication Publication Date Title
CN104079611A (en) Method for preventing cross-site request forgery, related device and system
CN108737327B (en) Method, device and system for intercepting malicious website and memory
CN103020687B (en) QR code sharing method and system
CN103065178B (en) QR code sharing apparatus, access apparatus and sharing method
CN106302308B (en) Trust login method and device
CN102811228B (en) Network login method, equipment and system
CN107508822B (en) Access control method and device
CN107046544B (en) Method and device for identifying illegal access request to website
CN107016074B (en) Webpage loading method and device
CN104113549A (en) Platform authorization method, platform server side, application client side and system
CN103607385A (en) Method and apparatus for security detection based on browser
CN102571846A (en) Method and device for forwarding hyper text transport protocol (HTTP) request
CN104967597A (en) Third-party application message authentication method and system based on secure channel
CN109726578B (en) Dynamic two-dimensional code anti-counterfeiting solution
CN104618369A (en) Method, device and system for unique authorization of Internet-of-Things equipment based on OAuth
CN102970360B (en) System for controlling browser client login
CN103532912A (en) Browser service data processing method and apparatus
CN104348789A (en) Web server and method for preventing cross-site scripting attack
CN103905399A (en) Account registration management method and apparatus
CN103905194A (en) Identity traceability authentication method and system
CN104735086A (en) Method and device for downloading files safely
CN106330817A (en) Webpage access method, device and terminal
CN104579657A (en) Method and device for identity authentication
CN114357457A (en) Vulnerability detection method and device, electronic equipment and storage medium
CN103873493A (en) Method, device and system for page information verification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141001