CN104954331A - Login authentication configuration device and method - Google Patents


Info

Publication number
CN104954331A
Authority
CN
China
Prior art keywords
authentication information
authentication
login
response data
session
Prior art date
Legal status
Pending
Application number
CN201410120762.5A
Other languages
Chinese (zh)
Inventor
黄崇代
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date: 2014-03-27
Filing date: 2014-03-27
Publication date: 2015-09-30
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201410120762.5A
Publication of CN104954331A
Legal status: Pending

Abstract

The invention provides a login authentication configuration device and method. The device comprises a login recording module and an authentication control module. The login recording module records first authentication information when a user successfully logs in to a web page; the first authentication information comprises first request data, first response data and a first session identifier corresponding to that session. When a web scanning tool performs login authentication, the authentication control module judges whether the first session identifier is still valid: if it is, the first authentication information is used for the login authentication configuration; otherwise second authentication information is acquired by means of the first authentication information, and the second authentication information is used for the login authentication configuration. By recording the authentication information and using the recorded information to acquire new authentication information when the session identifier has expired, the login authentication of the web scanning tool can be configured and effective security protection can be provided for the web application.

Description

Login authentication configuration device and method
Technical field
The present invention relates to the field of communication technology, and in particular to a login authentication configuration device and method.
Background technology
With the rapid development of Internet technology, web applications have become increasingly complex and diverse, spreading from their original military, scientific and commercial uses into every field of society. Most web applications are no longer static page browsing but involve dynamic processing on the server side. If a website's developers lack security awareness, for example by not strictly checking program parameters and other input, the web application will suffer from an endless stream of security problems. Finding the vulnerabilities of a web application by manual inspection alone is unrealistic, so web scanning technology plays an ever more important role in ensuring network security.
Before detecting vulnerabilities, a web scanning tool usually uses crawler technology to capture the links of the target website and then runs a series of vulnerability checks according to the characteristics of those links. However, many government organs, teaching and research institutions and enterprises now run a variety of internal information management platforms. These systems generally require the user to authenticate, and only an authenticated user obtains the corresponding service. In this situation an automated web scanning tool can hardly perform a security evaluation of the website. How to configure the login authentication of a web scanning tool for a management platform that requires login authentication has therefore become a problem demanding a prompt solution.
Summary of the invention
In view of this, the invention provides a login authentication configuration device and method that complete the login authentication configuration of a web scanning tool for a web page, so that effective security protection can be provided for the web application.
To achieve this goal, the specific scheme of the invention is as follows:
A login authentication configuration device, the device comprising:
a login recording module, for recording first authentication information when a user successfully logs in to a web page, the first authentication information comprising first request data, first response data and a first session identifier corresponding to that session;
an authentication control module, for judging, when a web scanning tool performs login authentication, whether the first session identifier is valid; if it is valid, the first authentication information is used for the login authentication configuration; otherwise second authentication information is obtained by means of the first authentication information, and the second authentication information is used for the login authentication configuration.
Further, the process by which the login recording module records the first authentication information when the user successfully logs in to the web page is specifically:
the login recording module monitors the user's login authentication configuration process through a proxy service program, and records the first request message, the first response message and the first session identifier corresponding to that session.
Further, the authentication control module obtaining the second authentication information by means of the first authentication information is specifically:
the authentication control module resends the first request data to the web page; after obtaining the second response data fed back by the web page, it compares the second response data with the first response data, and if they are identical, uses the second authentication information for the login authentication configuration.
Further, the authentication control module is also configured to notify the user to redo the login authentication configuration if the second response data differs from the first response data.
Further, the first session identifier is specifically a Cookie identifier.
Based on the same idea, the invention also provides a login authentication configuration method, the method comprising:
recording first authentication information when a user successfully logs in to a web page, the first authentication information comprising first request data, first response data and a first session identifier corresponding to that session;
judging, when a web scanning tool performs login authentication, whether the first session identifier is valid; if it is valid, using the first authentication information for the login authentication configuration; otherwise obtaining second authentication information by means of the first authentication information, and using the second authentication information for the login authentication configuration.
Further, the process of recording the first authentication information when the user successfully logs in to the web page is specifically:
monitoring the user's login authentication configuration process through a proxy service program, and recording the first request message, the first response message and the first session identifier corresponding to that session.
Further, obtaining the second authentication information by means of the first authentication information is specifically:
resending the first request data to the web page; after obtaining the second response data fed back by the web page, comparing the second response data with the first response data, and if they are identical, using the second authentication information for the login authentication configuration.
Further, the method also comprises: if the second response data differs from the first response data, notifying the user to redo the login authentication configuration.
Further, the first session identifier is specifically a Cookie identifier.
Compared with the prior art, the invention records the authentication information and, when the session identifier has expired, uses the recorded authentication information to obtain new authentication information; it thereby realizes the login authentication configuration of the web scanning tool and provides effective security protection for the web application.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a login authentication configuration device provided by the invention;
Fig. 2 is a flowchart of a login authentication configuration method in an embodiment of the invention.
Embodiment
In prior-art schemes, the authentication configuration for the login process of a web scanning tool mainly takes two forms: automatic form filling and login recording.
Automatic form filling means manually configuring, before the web scan, the user name and password for the login system of the target website; during the scan these two parameters are filled into the corresponding key-value fields of the request form, thereby achieving login authentication. The conditions required by automatic form filling are harsh, however: the login process of the target website must not use a verification code, and the user name and password must not be sent in encrypted form. If either condition is not met, the HTTP request packet constructed by the web scanning tool will fail to authenticate at the login page.
The other scheme is login recording: before the web scan, an authenticated login to the target website is performed once, and the scanning tool records the login process, capturing the session identifier of this login authentication, the HTTP request/response pair and the internal links of the site. Compared with automatic form filling, login recording imposes none of those harsh conditions and only requires the user to perform one normal authenticated login. Because the data identifier (Cookie) stored on the user's local terminal during login preserves the login state for the user's next session with the server, the user need not enter the user name and password again when next visiting the same website. However, a Cookie identifier is given a life cycle when it is generated: within that cycle the Cookie identifier is valid, and once the cycle is exceeded the Cookie identifier is discarded. Some pages set the life cycle of the Cookie identifier to "0" or a negative value, so that the Cookie identifier is removed as soon as the browser is closed and no user information is retained, which is safer. Nearly all web scanning tools record only the Cookie identifier of the current login session when performing login recording, so at the next scan the session identifier has very likely expired and authentication fails again.
To solve the above problem, the invention provides a login authentication configuration device as shown in Fig. 1, wherein:
the basic running environment of the device comprises a CPU, non-volatile memory, main memory and other hardware, and at the logical level the device comprises:
a login recording module, which records first authentication information when a user successfully logs in to a web page, the first authentication information comprising first request data, first response data and a first session identifier corresponding to that session; because the first session identifier preserves the login state for the next session between the user and the server, the web scanning tool can access the same website without entering the user name and password;
an authentication control module, which judges whether the first session identifier is valid when the web scanning tool performs login authentication; if it is valid, the first authentication information is used for the login authentication configuration; otherwise the first session identifier in the first authentication information has expired, so second authentication information is obtained by simulating the user's login with the saved first authentication information, and the second authentication information is used for the login authentication configuration.
It can be seen that the invention records the authentication information and, when the session identifier has expired, uses the recorded authentication information to obtain new authentication information, thereby realizing the login authentication configuration of the web scanning tool and providing effective security protection for the web application.
It should be noted that the processing of the login recording module in the invention differs from prior-art login recording. The login recording module is implemented as follows: it monitors the data exchanged during the user's login authentication configuration process through an HTTP reverse proxy service program, records from this process the first authentication information comprising the first request message, the first response message and the first session identifier corresponding to that session, and distributes this information to the authentication control module. Note that an ordinary proxy service only proxies connection requests from the internal network to the Internet: the client is configured to use the proxy server, and HTTP requests that would otherwise go directly to the web server are sent to the proxy server instead. Since hosts on the external network cannot configure and use such a proxy server, and since an ordinary proxy server is designed to look up many unspecified servers on the Internet rather than to serve requests from many Internet clients for a few fixed servers, an ordinary proxy server does not support external access requests to the internal network. The HTTP reverse proxy service program in the invention, by contrast, lets hosts on the external network access the internal network: the external network simply treats it as a standard web server and needs no special configuration. The difference is that this server keeps no real data of any web page; all static pages and CGI scripts are kept on the internal web server. An attack on the reverse proxy service program therefore cannot destroy the web page information, which improves the security of the web server.
In a preferred embodiment, the specific scheme for obtaining the second authentication information is: the authentication control module resends the first request data to the web page; when the background server of the web page receives the first request data it feeds back second response data; the device records second authentication information comprising the second response data, and the second authentication information also carries a valid second session identifier. After obtaining the second response data, the authentication control module compares it with the first response data recorded at the successful login in order to confirm that the request succeeded; if the second response data is identical to the first, the request succeeded and the second authentication information can be used for the login authentication configuration. In this way, even if the session identifier has expired, the invention can obtain a new session identifier by simulating the user's login authentication process again, and thereby complete the login authentication configuration.
If, however, the comparison shows that the second response data differs from the first response data, the simulated user login has very likely failed, so the user is notified to redo the manual login authentication configuration.
In a preferred embodiment, the first session identifier is a Cookie identifier.
The embodiments of the invention are described in detail below with reference to Fig. 2 of the drawings.
Suppose a web scanning tool is to perform a security scan of a Taobao web page that the user has logged in to. Because the Taobao website requires user login authentication, the web scanning tool performs the login authentication using the login authentication configuration method of the invention, with the following specific steps:
101: recording is started while the user performs login authentication, so as to obtain the first authentication information of the user's successful login, comprising the first request data, the first response data replied by the website server and the first Cookie identifier of this session;
102: before the web scanning tool performs login authentication, judge whether the first Cookie identifier is valid; if it is valid, go to step 103, otherwise go to step 104;
103: when the first Cookie identifier is valid, the recorded first authentication information can be used directly for the login authentication configuration;
104: when the first Cookie identifier has expired, the authentication information must be obtained again, so the first request data in the first authentication information is resent to the website server, and the second response data replied by the website server is received;
105: judge whether the second response data is identical to the first response data; if identical, go to step 106, otherwise go to step 107;
106: if the second response data is identical to the first response data, the request succeeded, so the second authentication information comprising the second response data is obtained and the authentication configuration is redone with it;
107: if the second response data differs from the first response data, the request failed, so the user is notified to configure the authentication information manually again before the web page can be logged in to.
Compared with the prior art, the invention records the authentication information and, when the session identifier has expired, uses the recorded authentication information to obtain new authentication information; it thereby realizes the login authentication configuration of the web scanning tool and provides effective security protection for the web application.
The foregoing describes only preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
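The device modules and steps 101 to 107 above, together with the Cookie life cycle discussed in the embodiment, as an added example that is not code from the patent or its assignee: a Python simulation in which a constructed site issues a login cookie with a fixed lifetime, a recording module captures the first successful login, and an authentication control module runs the validity check, the replay and the response comparison. TargetSite, LoginRecorder, session_is_valid, configure_login_auth, the user "alice" and the adjustable clock are all assumptions made for this example.

```python
"""Simulation of the login authentication configuration flow (added example).

TargetSite, LoginRecorder, session_is_valid and configure_login_auth are assumed
names; the site, its user and the clock are constructed so the flow runs offline.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AuthRecord:
    """The patent's 'authentication information': request, response, session id."""
    request: dict
    response: str
    session_id: str


class TargetSite:
    """Constructed backend: /login issues a cookie with a lifetime; other paths need it."""
    def __init__(self, users: dict, cookie_lifetime: float,
                 clock: Callable[[], float]) -> None:
        self._users = dict(users)
        self._lifetime = cookie_lifetime
        self._clock = clock
        self._sessions: dict = {}  # session_id -> expiry time

    def change_password(self, user: str, password: str) -> None:
        self._users[user] = password

    def _session_alive(self, sid: Optional[str]) -> bool:
        expiry = self._sessions.get(sid)
        return expiry is not None and self._clock() < expiry

    def handle(self, request: dict) -> dict:
        if request["path"] == "/login":
            form = request.get("form", {})
            if self._users.get(form.get("username")) == form.get("password"):
                sid = secrets.token_hex(8)
                self._sessions[sid] = self._clock() + self._lifetime
                return {"status": 200, "body": "Welcome, " + form["username"],
                        "set_cookie": sid}
            return {"status": 401, "body": "Login failed", "set_cookie": None}
        if self._session_alive(request.get("cookie")):
            return {"status": 200, "body": "Account page", "set_cookie": None}
        return {"status": 401, "body": "Not logged in", "set_cookie": None}


class LoginRecorder:
    """The 'login recording module': forwards like a reverse proxy, keeps the login."""
    def __init__(self, site: TargetSite) -> None:
        self._site = site

    def record(self, request: dict) -> Optional[AuthRecord]:
        response = self._site.handle(request)
        if response["status"] == 200 and response["set_cookie"]:
            return AuthRecord(dict(request), response["body"], response["set_cookie"])
        return None


def session_is_valid(site: TargetSite, session_id: str) -> bool:
    """Step 102: probe a protected page with the recorded cookie."""
    probe = {"method": "GET", "path": "/account", "cookie": session_id}
    return site.handle(probe)["status"] == 200


def configure_login_auth(site: TargetSite, first: AuthRecord):
    """The 'authentication control module' (steps 102-107): outcome label + record."""
    if session_is_valid(site, first.session_id):
        return "use_first", first                                  # step 103
    second = site.handle(first.request)                            # step 104
    if second["body"] == first.response and second["set_cookie"]:  # step 105
        return "use_second", AuthRecord(first.request, second["body"],
                                        second["set_cookie"])      # step 106
    return "manual_login_required", None                           # step 107


def run_scenarios() -> dict:
    """Drive the three branches of the flow against the constructed site."""
    now = [1000.0]  # mutable clock so the cookie can be aged deterministically
    site = TargetSite({"alice": "s3cret"}, cookie_lifetime=600, clock=lambda: now[0])
    login = {"method": "POST", "path": "/login",
             "form": {"username": "alice", "password": "s3cret"}}
    first = LoginRecorder(site).record(login)                      # step 101
    results = {"recorded": first is not None}
    results["cookie_valid"] = configure_login_auth(site, first)[0]
    now[0] += 601                                                  # lifetime exceeded
    outcome, second = configure_login_auth(site, first)
    results["cookie_expired_replay_ok"] = outcome
    results["second_session_differs"] = second.session_id != first.session_id
    results["second_session_valid"] = session_is_valid(site, second.session_id)
    site.change_password("alice", "new-pass")  # replayed login will now fail
    results["cookie_expired_replay_fails"] = configure_login_auth(site, first)[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The example checks cookie validity by probing a protected page and compares whole response bodies, as the patent specifies; real login responses often contain per-request content (timestamps, tokens), so a practical implementation would compare a stable marker of successful login instead.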

Claims (10)

1. A login authentication configuration device, characterized in that the device comprises:
a login recording module, for recording first authentication information when a user successfully logs in to a web page, the first authentication information comprising first request data, first response data and a first session identifier corresponding to that session;
an authentication control module, for judging, when a web scanning tool performs login authentication, whether the first session identifier is valid; if it is valid, the first authentication information is used for the login authentication configuration; otherwise second authentication information is obtained by means of the first authentication information, and the second authentication information is used for the login authentication configuration.
2. The device of claim 1, characterized in that the process by which the login recording module records the first authentication information when the user successfully logs in to the web page is specifically:
the login recording module monitors the user's login authentication configuration process through a proxy service program, and records the first request message, the first response message and the first session identifier corresponding to that session.
3. The device of claim 1, characterized in that the authentication control module obtaining the second authentication information by means of the first authentication information is specifically:
the authentication control module resends the first request data to the web page; after obtaining the second response data fed back by the web page, it compares the second response data with the first response data, and if they are identical, uses the second authentication information for the login authentication configuration.
4. The device of claim 3, characterized in that the authentication control module is also configured to notify the user to redo the login authentication configuration if the second response data differs from the first response data.
5. The device of claim 1, characterized in that the first session identifier is specifically a Cookie identifier.
6. A login authentication configuration method, characterized in that the method comprises:
recording first authentication information when a user successfully logs in to a web page, the first authentication information comprising first request data, first response data and a first session identifier corresponding to that session;
judging, when a web scanning tool performs login authentication, whether the first session identifier is valid; if it is valid, using the first authentication information for the login authentication configuration; otherwise obtaining second authentication information by means of the first authentication information, and using the second authentication information for the login authentication configuration.
7. The method of claim 6, characterized in that the process of recording the first authentication information when the user successfully logs in to the web page is specifically:
monitoring the user's login authentication configuration process through a proxy service program, and recording the first request message, the first response message and the first session identifier corresponding to that session.
8. The method of claim 6, characterized in that obtaining the second authentication information by means of the first authentication information is specifically:
resending the first request data to the web page; after obtaining the second response data fed back by the web page, comparing the second response data with the first response data, and if they are identical, using the second authentication information for the login authentication configuration.
9. The method of claim 8, characterized in that the method also comprises: if the second response data differs from the first response data, notifying the user to redo the login authentication configuration.
10. The method of claim 6, characterized in that the first session identifier is specifically a Cookie identifier.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410120762.5A CN104954331A (en) 2014-03-27 2014-03-27 Login authentication configuration device and method


Publications (1)

Publication Number Publication Date
CN104954331A true CN104954331A (en) 2015-09-30

Family

ID=54168691


Country Status (1)

Country Link
CN (1) CN104954331A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105871660A (en) * 2016-06-06 2016-08-17 北京京东尚科信息技术有限公司 Quality detection method and equipment
CN106453275A (en) * 2016-09-23 2017-02-22 成都知道创宇信息技术有限公司 Method for identifying character verification code in Web loophole scanner
CN110572417A (en) * 2019-10-22 2019-12-13 腾讯科技(深圳)有限公司 Method, apparatus, server and storage medium for providing login ticket
WO2020233059A1 (en) * 2019-05-21 2020-11-26 深圳壹账通智能科技有限公司 Login processing method based on data processing and related apparatus
CN114697055A (en) * 2020-12-28 2022-07-01 中国移动通信集团终端有限公司 Method, device, equipment and system for service access

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001086543A1 (en) * 2000-05-09 2001-11-15 Yodlee.Com, Inc. System and method for syndicated transactions
CN101916283A (en) * 2010-08-17 2010-12-15 奇诺光瑞电子(深圳)有限公司 Method for acquiring link information from dynamic webpage and server thereof
CN102946334A (en) * 2012-11-28 2013-02-27 中国移动(深圳)有限公司 Method and system for acquiring valid image verification code
CN103152406A (en) * 2013-02-19 2013-06-12 人民搜索网络股份公司 Website access method and device
CN103186670A (en) * 2013-03-27 2013-07-03 中金数据系统有限公司 Method and system for integrally acquiring webpage information
CN103634159A (en) * 2012-08-24 2014-03-12 百度在线网络技术(北京)有限公司 Registration simulation-based flow playback method and apparatus


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
借筏度岸: "Completing automatic Web authentication with Wget", 博客园, http://www.cnblogs.com/lookbackinside/archive/2012/07/21/2603050.html *
前端花园: "On Fiddler", 前端花园, http://zxhfighter.github.io/blog/javascript/2013/05/10/talk-about-fiddler.html *
肖国一: "A powerful tool for Web application security: IBM Rational AppScan", IBM developerWorks, https://www.ibm.com/developerworks/cn/rational/r-cn-appscanusage/ *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20150930