CN106790007A - Web attack defending systems and its method based on XSS and CSRF - Google Patents

Web attack defending systems and its method based on XSS and CSRF

Info

Publication number: CN106790007A
Application number: CN201611143663.4A
Authority: CN (China)
Prior art keywords: module, token, html, user, white list
Legal status: Withdrawn (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 匡红, 保永武, 叶猛
Current assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Original assignee: HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Application filed by HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN; priority to CN201611143663.4A; published as CN106790007A; legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract

The invention discloses a Web attack defense system and method based on XSS and CSRF, in the field of network security. The system includes a filtering module, a whitelist module and a token blocking module. The method is: (1) the filtering module filters user input in four ways: verifying the legitimacy of user input, handling special characters, protecting cookies against theft, and recursively purifying sensitive vocabulary; (2) the whitelist module targets HTML script injection: it traverses all nodes with an HTML parsing library, obtains the original tag attributes of the data, and rebuilds the HTML element tree from the tags in the whitelist module, preventing HTML script injection attacks at the root; (3) the token blocking module intercepts HTTP requests that fail Token verification. The invention has the characteristics of high accuracy, a low false-alarm rate and scalability.

Description

Web attack defending systems and its method based on XSS and CSRF
Technical field
The present invention relates to the field of network security, and in particular to a Web attack defense system and method based on XSS and CSRF, characterized by high accuracy and a low false-positive rate.
Background art
The Internet industry is developing rapidly, and the importance of network and information security grows steadily. From key sectors such as the military, national defense, government and banking down to ordinary enterprises and even individuals, all face the risks of network attacks, worm outbreaks and privacy leaks. As businesses and governments adopt Web services in ever greater numbers, attacks by hackers on Web services are also rising rapidly. On the one hand, Web technology is convenient, interactive and universal, and is therefore adopted by more and more industries; on the other hand, network attacks on the Web are becoming more diverse in means, more widespread in technique and shorter in cycle, which seriously hinders the development of the technology. Among all Web attacks, XSS and CSRF are the most serious. They refer to an attacker embedding malicious client-side script code, typically written in JavaScript, into a web page; when a user browses that page, the malicious code executes in the user's browser. Using these two attacks, an attacker can carry out session hijacking, data theft, identity impersonation and phishing, and can even exploit the vulnerability to write worm-type viruses that infect a large number of visiting machines. Precautions against both attacks are therefore urgently needed. The present invention takes this as its goal: it investigates XSS and CSRF attacks and their prevention, and proposes a Web attack defense system and method.
The content of the invention
Cross-site scripting attacks are one of the main threats currently facing Web application security; XSS and CSRF are attacks of this kind, and they cause enormous harm to websites and users. However, because of the special application requirements of security products, and the technology and security protection problems of each organization's own tools, there is a lack of systematic and detailed documentation on XSS and CSRF attacks. The present invention aims to study this kind of attack in depth and to provide a Web attack defense system and method based on XSS and CSRF, as a reference for network security personnel.
The technical scheme that realizes the object of the invention is:
The present invention is mainly directed at XSS and CSRF, both script injection attacks, and proposes a defense strategy: user data is filtered layer by layer through three means, the filtering module, the whitelist module and the token blocking module, achieving high-accuracy identification of both attacks and low-false-alarm interception responses, and laying a theoretical foundation for safeguarding network security.
I. Web attack defense system based on XSS and CSRF (the system for short)
The system includes a user and a Web server;
An attack defense server is provided, which includes a filtering module, a whitelist module and a token blocking module;
Their interaction relationship is:
The user, the filtering module, the token blocking module and the Web server interact in sequence;
The whitelist module interacts with the filtering module and with the token blocking module respectively.
II. Web attack defense method based on XSS and CSRF (the method for short)
The research idea of this method is, on the basis of research on cross-site scripting attacks, to study in detail the two especially harmful attacks XSS and CSRF, and to realize the defense function against both by using Servlet technology for static filtering of user input, the whitelist module for purifying and restructuring HTML data, and the token for dynamic interception of illegal HTTP data.
The method comprises the following steps:
(1) The filtering module filters user input in four ways: verifying the legitimacy of user input, handling special characters, protecting cookies against theft, and recursively purifying sensitive vocabulary;
(2) The whitelist module targets HTML script injection: it traverses all nodes with an HTML parsing library, obtains the original tag attributes of the data, and rebuilds the HTML element tree from the tags in the whitelist module, preventing HTML script injection attacks at the root;
(3) The token blocking module intercepts HTTP requests that fail Token verification.
The present invention has the following advantages and beneficial effects:
1. High accuracy: the system uses three means, the filtering module, the whitelist module and the token blocking module, to identify and defend against the XSS and CSRF cross-site attack modes; the three techniques complement one another, and the identification accuracy for cross-site scripting attacks is high;
2. Low false-positive rate: the core of a cross-site scripting attack is that the attacker impersonates the user's identity to initiate Web requests; the filtering module filters data statically while the token blocking module inserts a Token dynamically, and this combination of static and dynamic greatly reduces the false-positive rate of identification;
3. Scalability: the whitelist module accumulates and upgrades continually; as rich attributes of different HTML tags are confirmed safe, they can be added to the whitelist module, and the size of the whitelist module directly affects the defense security index.
Brief description of the drawings
Fig. 1 is the network topology diagram of the system;
in which:
100 - user;
200 - attack defense server,
210 - filtering module, 220 - whitelist module, 230 - token blocking module;
300 - Web server.
Glossary of English terms
1. XSS: Cross Site Scripting, cross-site scripting attack;
2. CSRF: Cross Site Request Forgery, cross-site request forgery;
3. JS: JavaScript, an interpreted scripting language; it is a dynamically typed, weakly typed, prototype-based language with built-in support for types;
4. HTML: HyperText Markup Language, an application of the Standard Generalized Markup Language.
Specific embodiment
The invention is described in detail below with reference to the drawings and embodiments:
I. System
1. Overall
As in Fig. 1, the system includes a user 100 and a Web server 300;
An attack defense server 200 is provided, which includes a filtering module 210, a whitelist module 220 and a token blocking module 230;
Their interaction relationship is:
The user 100, the filtering module 210, the token blocking module 230 and the Web server 300 interact in sequence;
The whitelist module 220 interacts with the filtering module 210 and with the token blocking module 230 respectively.
2. Functional blocks
1) User 100
The user 100 is a mobile terminal, including mobile phones and notebooks.
2) Attack defense server 200
It embeds the filtering module 210, the whitelist module 220 and the token blocking module 230.
(1) Filtering module 210
The filtering module 210 is a method that uses Servlet technology to filter HTTP requests and responses.
Servlet filters are defined in version 2.3 of the Java Servlet specification; they can inspect and modify the request and response objects of the Servlet container. A Servlet filter does not itself generate the request and response objects; it only provides filtering. The Web components that a Servlet filter is responsible for filtering can be Servlets, JSP pages or HTML files.
The filtering module 210 filters user input in four ways: verifying the legitimacy of user input, handling special characters, protecting cookies against theft, and recursively purifying sensitive vocabulary, so as to guard effectively against cross-site scripting attacks;
If the filtered data is in HTML format it is sent to the whitelist module 220; otherwise it is sent to the token blocking module 230.
(2) Whitelist module 220
The whitelist module 220 is a method that rearranges HTML tags and attributes;
Against HTML script injection, it traverses all nodes with an HTML parsing library, obtains the original tag attributes of the data, and rebuilds the HTML element tree from the tags in the whitelist module 220, preventing HTML script injection attacks at the root;
The data processed by the whitelist module 220 is sent to the token blocking module 230.
(3) Token blocking module 230
The token blocking module 230 is a method that inserts a token and intercepts HTTP requests;
For data processed by the filtering module 210 or the whitelist module 220, the token blocking module 230 adds a random value, the Token, to the session of the HTTP request and adds a verification mechanism: if the HTTP request does not carry the Token, or the Token is incorrect, the token blocking module rejects the HTTP request, thereby defending against CSRF attacks; data that passes the token blocking module 230 goes directly to the Web server 300.
3) Web server 300
The Web server 300 generally refers to a website server, i.e. a program residing on some type of computer on the Internet.
3. Working mechanism of the system:
When the user 100 accesses the Web server 300, the packet first flows through the filtering module 210, which uses the Servlet function library to intercept the HTTP request HttpServletRequest and applies four techniques to the user's input: legitimacy verification of user data, special character handling, cookie anti-theft, and recursive purification of sensitive vocabulary. This realizes data filtering and resists more than 80% of cross-site scripting attacks. If the filtered data is an HTML statement it is processed by the whitelist module 220: if the tag attributes exist in the whitelist module 220, the statement is not processed and is passed directly to the token blocking module 230; otherwise the HTML statement is rearranged by the whitelist module into a new statement and then forwarded to the token blocking module 230. The token blocking module inserts a script tag into the response page and hands it to the user's browser; after the page reaches the browser, the token blocking module 230 performs the Token insertion operation. The page information when the user submits the form must be consistent with the Token value; if the Token value does not exist, or the page information is inconsistent with the Token, the token blocking module 230 rejects the access request, thereby realizing the function of defending against cross-site scripting attacks.
II. Method
1. Step (1):
a. Legitimacy verification of user data: on the form side, the text length, data type and format of user input are strictly limited; for example, a text box for a mobile phone number allows only 11 pure digits, and the name and e-mail text boxes must have the correct format;
b. Special character handling: the core of XSS is always script injection; do not trust user input, and escape special characters such as "<", ">", ";" and "'", which prevents the problem at its root;
c. Cookie anti-theft: cookies are marked with HttpOnly; a cookie so marked may not be read or modified by any script, so even if the Web application has an XSS vulnerability, the cookie information is still well protected and the loss is mitigated;
d. Recursive purification of sensitive vocabulary: script code constructed inside variables is brought into the input in forms such as <scr<script>ipt></scr<script>ipt>; such attacks can only be found by searching for script recursively.
2. Step (2):
a. For the input HTML statement, traverse the nodes with an HTML parsing library;
b. Statements whose tags are in the whitelist module are left untouched;
c. Statements whose tags are not in the whitelist module have their HTML rebuilt by the whitelist module.
3. Step (3):
a. The user logs in to the Web server, and the token blocking module obtains the HTTP request data;
b. A script tag is inserted into the response page, which is handed to the user's browser; after the page reaches the browser, the token blocking module performs the Token insertion operation using the cross-browser JavaScript library jQuery;
c. The page information when the user submits the form must be consistent with the Token value; before submission, the token blocking module intercepts and checks the HTTP request; if the Token value does not exist, or the page information is inconsistent with the Token, the interceptor rejects the access request.
4. The workflow of the filtering module 210 comprises the following steps:
The Web components that the filtering module 210 is responsible for filtering can be Servlets, JSP pages or HTML files. The principle of the Servlet filter: before the HttpServletRequest reaches the Servlet, the client's HttpServletRequest is intercepted; it is inspected as needed, and the HttpServletRequest and its data may also be modified. Before the HttpServletResponse reaches the client, the HttpServletResponse is intercepted; it is inspected as needed, and the HttpServletResponse and its data may be modified;
a. Legitimacy verification of user data: on the form side, the text length, data type and format of user input are strictly limited; for example, a text box for a mobile phone number allows only 11 pure digits, and the name and e-mail text boxes must have the correct format;
b. Special character handling: escaping special characters such as "<", ">", ";" and "'" can by itself block at least more than half of XSS attacks. The core of XSS is always script injection, so our solution is in fact very simple: do not trust user input, and escape special characters such as "<" and ">", which prevents the problem at its root;
c. Cookie anti-theft: cookies are marked with HttpOnly. HTTP is a stateless protocol, but in some scenarios we need to maintain state information, and cookies and sessions exist to solve the problem of state maintenance. When a user logs in for the first time, the server creates a session ID for that user and at the same time sends a cookie to the visitor; the cookie holds the data used in the session connection, with the session ID serving as the session identifier, and the visitor's subsequent requests are based on that session ID. An attacker who obtains the session obtains the user's execution authority. Stealing cookies generally relies on JavaScript reading the cookie information, and the HttpOnly flag tells the browser that the marked cookie may not be read or modified by any script, so even if the Web application has an XSS vulnerability, the cookie information is still well protected and the loss is mitigated;
d. Recursive purification of sensitive vocabulary: script code constructed inside variables is brought into the input in forms such as <scr<script>ipt></scr<script>ipt>; such attacks can only be found by searching for script recursively;
5. The workflow of the whitelist module 220 comprises the following steps:
The whitelist module 220 controls the HTML tags that are allowed and the attributes of each tag, and processes any tag and its attributes through customized functions. The editor normally provided to users offers only a few commonly used functions, such as video, pictures (emoticons) and text (bold, italic, font size, color, separators, font); the tags for these common functions are stored in the whitelist module. When an HTML statement entered by the user is processed, each node is traversed with an HTML parsing library and its tag attributes are obtained: if the attribute exists in the whitelist module, the tag content is left unchanged and not processed; if the tag attribute is not in the whitelist module, the original tag attributes of the data are obtained and the HTML element tree is rebuilt; during the rebuild, all tag attributes are taken only from the whitelist module, and the tag content remains unchanged;
a. For the input HTML statement, traverse the nodes with an HTML parsing library;
b. Statements whose tags are in the whitelist module are left untouched;
c. Statements whose tags are not in the whitelist module have their HTML rebuilt by the whitelist module.
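Step (2) and the whitelist-module workflow above, as an added example in Python built on the standard library's html.parser. This is not the patent's code. The WHITELIST table (tags for the editor functions the patent names: video, picture, bold, italic, font size, colour, font), the rule that src and href must hold an http(s) URL or a same-origin path, and the dropping of script and style content are my assumptions; the patent itself only says that tags not in the whitelist are rebuilt and that tag content is kept.

```python
import html
from html.parser import HTMLParser

# Assumed whitelist: tag -> allowed attributes, after the editor functions the patent names.
WHITELIST = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(), "hr": set(),
    "font": {"size", "color", "face"},
    "img": {"src", "alt", "width", "height"},
    "video": {"src", "controls", "width", "height"},
    "a": {"href", "title"},
}
VOID = {"br", "img", "hr"}          # elements that never have a closing tag
URL_ATTRS = {"src", "href"}         # attributes that must hold a safe URL (my addition)
DROP_CONTENT = {"script", "style"}  # their text is code, not user prose (my addition)

class _TreeBuilder(HTMLParser):
    """Parse the fragment into a tree of (tag, attrs, children); text nodes are str."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = ("#root", {}, [])
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = (tag, dict(attrs), [])
        self.stack[-1][2].append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_startendtag(self, tag, attrs):  # <br/> style: never opens a scope
        self.stack[-1][2].append((tag, dict(attrs), []))

    def handle_endtag(self, tag):
        # Close the nearest open element with this name; ignore stray end tags.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        self.stack[-1][2].append(data)

def _safe_url(value):
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith("//")  # same-origin path only

def _render(node):
    """Rebuild the element tree, emitting only whitelisted tags and attributes."""
    if isinstance(node, str):
        return html.escape(node, quote=True)
    tag, attrs, children = node
    if tag in DROP_CONTENT:
        return ""
    inner = "".join(_render(child) for child in children)
    if tag == "#root" or tag not in WHITELIST:
        return inner  # tag not in the whitelist: drop the tag, keep its content
    kept = []
    for name, value in attrs.items():
        if name not in WHITELIST[tag]:
            continue  # onerror, onclick, style and the like never survive
        if value is None:
            kept.append(name)  # boolean attribute such as controls
        elif name in URL_ATTRS and not _safe_url(value):
            continue  # javascript:, data: and protocol-relative URLs are dropped
        else:
            kept.append('%s="%s"' % (name, html.escape(value, quote=True)))
    attr_text = (" " + " ".join(kept)) if kept else ""
    if tag in VOID:
        return "<%s%s>" % (tag, attr_text)
    return "<%s%s>%s</%s>" % (tag, attr_text, inner, tag)

def rebuild_html(fragment):
    """Step (2): parse, traverse every node, and rebuild from the whitelist alone."""
    builder = _TreeBuilder()
    builder.feed(fragment)
    builder.close()
    return _render(builder.root)
```

Because the output is regenerated from the tree rather than patched in place, a second call on the result is a no-op, which makes the module safe to run on both fresh input and already-sanitized stored content.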
6. The workflow of the token blocking module 230 comprises the following steps:
Why can a CSRF attack succeed? Because the attacker can forge the user's request, and all of the user's verification information in that request is held in the cookie, so the attacker can pass security verification directly with the user's own cookie without knowing that verification information. It follows that the key to resisting CSRF attacks is to put into the request information that the attacker cannot forge, and that information must not be held in the cookie. Accordingly, the system adds a random value, the token (Token), to the session of the HTTP request, and the server side sets up an interceptor to verify it: if the HTTP request does not carry the value, or the value is incorrect, the server rejects the request, thereby defending against CSRF attacks. The design principle of the token blocking module is to intercept the requests between the client and the server and to make the corresponding response handling of the information;
a. The user logs in to the Web server, and the token blocking module obtains the HTTP request data;
b. A script tag is inserted into the response page, which is handed to the user's browser; after the page reaches the browser, the token blocking module performs the Token insertion operation using the cross-browser JavaScript library jQuery;
c. The page information when the user submits the form must be consistent with the Token value; before submission, the token blocking module intercepts and checks the HTTP request; if the Token value does not exist, or the page information is inconsistent with the Token, the interceptor rejects the access request.
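Step (3) and the token-module workflow above, as an added example in Python. This is not the patent's code; its interceptor is a server-side Servlet component and its browser-side insertion uses jQuery. The in-memory SESSIONS store, the request shape (a dict of cookies and form fields), the hidden field name _token and the status codes are my assumptions; the script tag emitted by render_page mirrors the jQuery insertion the patent describes, and demo shows why a forged cross-site request, which carries the cookie but cannot read the page's Token, is rejected.

```python
import hmac
import json
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "token": ...}
SESSIONS = {}

def login(user):
    """Step a: the user logs in; the server creates the session and its random Token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "token": secrets.token_urlsafe(32)}
    return sid

def render_page(sid):
    """Step b: the response page carries a script tag; in the browser it appends the
    Token as a hidden field to every form (the patent does this with jQuery)."""
    token = SESSIONS[sid]["token"]
    form = '<form method="post" action="/transfer"><input name="amount"></form>'
    # json.dumps yields a JS string literal; token_urlsafe output contains no "<".
    script = ('<script>$("form").append($("<input>",'
              '{type:"hidden",name:"_token",value:%s}));</script>' % json.dumps(token))
    return form + "\n" + script

def intercept(request):
    """Step c: runs before the handler; returns (status, reason)."""
    session = SESSIONS.get(request.get("cookies", {}).get("sid"))
    if session is None:
        return 401, "no session"
    submitted = request.get("form", {}).get("_token")
    if submitted is None:
        return 403, "Token missing"
    if not isinstance(submitted, str) or not submitted.isascii():
        return 403, "Token mismatch"
    # Constant-time compare so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(submitted, session["token"]):
        return 403, "Token mismatch"
    return 200, "ok"

def demo():
    """A legitimate submission passes; a forged request that rides on the user's
    cookie but could not read the Token from the page is refused."""
    sid = login("alice")
    token = SESSIONS[sid]["token"]
    legit = {"cookies": {"sid": sid}, "form": {"amount": "10", "_token": token}}
    forged = {"cookies": {"sid": sid}, "form": {"amount": "10"}}
    return intercept(legit), intercept(forged)

if __name__ == "__main__":
    print(demo())
```

The Token lives in the session, never in the cookie itself, which is exactly the property the paragraph above asks for: the browser attaches the cookie to a cross-site request automatically, but the attacker's page cannot read the Token that the script tag placed into the form.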
III. Application
Cross-site scripting attacks are among the most popular network attacks today; at the same time, like phishing attacks, they target ordinary users, and their harm is greater. The defense system proposed in this patent provides its service to Web applications in the form of a proxy, which is a great improvement for a defense system. The system can be applied to the official websites of government, telecom operators, finance, energy and other enterprises and institutions, helping users reduce the XSS and CSRF security risks of their Web applications. After the Web server is connected to the system, alarm log information is uploaded in real time for maintaining and updating the whitelist module, Web attack signatures and protection rule optimization schemes are summarized, and, with the user's authorization, the system helps the user quickly adjust the device's protection strategy and accurately intercept Web attacks.

Claims (8)

1. A Web defense system based on XSS and CSRF, characterized in that:
the system includes a user (100) and a Web server (300);
an attack defense server (200) is provided, and the attack defense server (200) includes a filtering module (210), a whitelist module (220) and a token blocking module (230);
their interaction relationship is:
the user (100), the filtering module (210), the token blocking module (230) and the Web server (300) interact in sequence;
the whitelist module (220) interacts with the filtering module (210) and with the token blocking module (230) respectively;
the filtering module (210) is a method that uses Servlet technology to filter HTTP requests and responses;
the whitelist module (220) is a method that rearranges HTML tags and attributes;
the token blocking module (230) is a method that inserts a token and intercepts HTTP requests.
2. A Web attack defense method based on XSS and CSRF, based on the system of claim 1, characterized in that:
(1) the filtering module filters user input in four ways: verifying the legitimacy of user input, handling special characters, protecting cookies against theft, and recursively purifying sensitive vocabulary;
(2) the whitelist module targets HTML script injection: it traverses all nodes with an HTML parsing library, obtains the original tag attributes of the data, and rebuilds the HTML element tree from the tags in the whitelist module, preventing HTML script injection attacks at the root;
(3) the token blocking module intercepts HTTP requests that fail Token verification.
3. The Web attack defense method based on XSS and CSRF of claim 2, characterized in that step (1) is:
a. legitimacy verification of user data: on the form side, the text length, data type and format of user input are strictly limited; for example, a text box for a mobile phone number allows only 11 pure digits, and the name and e-mail text boxes must have the correct format;
b. special character handling: the core of XSS is always script injection; do not trust user input, and escape special characters such as "<", ">", ";" and "'", which prevents the problem at its root;
c. cookie anti-theft: cookies are marked with HttpOnly; a cookie so marked may not be read or modified by any script, so even if the Web application has an XSS vulnerability, the cookie information is still well protected and the loss is mitigated;
d. recursive purification of sensitive vocabulary: script code constructed inside variables is brought into the input in forms such as <scr<script>ipt></scr<script>ipt>; such attacks can only be found by searching for script recursively.
4. The Web attack defense method based on XSS and CSRF of claim 2, characterized in that step (2) is:
a. for the input HTML statement, traverse the nodes with an HTML parsing library;
b. statements whose tags are in the whitelist module (220) are left untouched;
c. statements whose tags are not in the whitelist module (220) have their HTML rebuilt by the whitelist module (220).
5. The Web attack defense method based on XSS and CSRF of claim 2, characterized in that step (3) is:
a. the user logs in to the Web server, and the token blocking module (230) obtains the HTTP request data;
b. a script tag is inserted into the response page, which is handed to the user's browser; after the page reaches the browser, the token blocking module (230) performs the Token insertion operation using the cross-browser JavaScript library jQuery;
c. the page information when the user submits the form must be consistent with the Token value; before submission, the token blocking module (230) intercepts and checks the HTTP request; if the Token value does not exist, or the page information is inconsistent with the Token, the token blocking module (230) rejects the access request.
6. The Web attack defense method based on XSS and CSRF of claim 2, characterized in that the workflow of the filtering module (210) comprises the following steps:
the Web components that the filtering module (210) is responsible for filtering can be Servlets, JSP pages or HTML files; the principle of the Servlet filter: before the HttpServletRequest reaches the Servlet, the client's HttpServletRequest is intercepted; it is inspected as needed, and the HttpServletRequest and its data may also be modified; before the HttpServletResponse reaches the client, the HttpServletResponse is intercepted; it is inspected as needed, and the HttpServletResponse and its data may be modified; that is, the HTTP request or response is intercepted and modified;
a. legitimacy verification of user data: on the form side, the text length, data type and format of user input are strictly limited; for example, a text box for a mobile phone number allows only 11 pure digits, and the name and e-mail text boxes must have the correct format;
b. special character handling: escaping special characters such as "<", ">", ";" and "'" can by itself block at least more than half of XSS attacks; the core of XSS is always script injection, so our solution is in fact very simple: do not trust user input, and escape special characters such as "<" and ">", which prevents the problem at its root;
c. cookie anti-theft: cookies are marked with HttpOnly; HTTP is a stateless protocol, but in some scenarios we need to maintain state information, and cookies and sessions exist to solve the problem of state maintenance; when a user logs in for the first time, the server creates a session ID for that user and at the same time sends a cookie to the visitor; the cookie holds the data used in the session connection, with the session ID serving as the session identifier, and the visitor's subsequent requests are based on that session ID; an attacker who obtains the session obtains the user's execution authority; stealing cookies generally relies on JavaScript reading the cookie information, and the HttpOnly flag tells the browser that the marked cookie may not be read or modified by any script, so even if the Web application has an XSS vulnerability, the cookie information is still well protected and the loss is mitigated;
d. recursive purification of sensitive vocabulary: script code constructed inside variables is brought into the input in forms such as <scr<script>ipt></scr<script>ipt>; such attacks can only be found by searching for script recursively.
7. The Web attack defense method based on XSS and CSRF of claim 2, characterized in that the workflow of the whitelist module (220) comprises the following steps:
the whitelist module (220) controls the HTML tags that are allowed and the attributes of each tag, and processes any tag and its attributes through customized functions; the editor normally provided to users offers only a few commonly used functions, such as video, pictures (emoticons) and text (bold, italic, font size, color, separators, font); the tags for these common functions are stored in the whitelist module (220); when an HTML statement entered by the user is processed, each node is traversed with an HTML parsing library and its tag attributes are obtained; if the attribute exists in the whitelist module (220), the tag content is left unchanged and not processed; if the tag attribute is not in the whitelist module (220), the original tag attributes of the data are obtained and the HTML element tree is rebuilt; during the rebuild, all tag attributes are taken only from the whitelist module, and the tag content remains unchanged, which prevents HTML injection attacks at the root;
a. for the input HTML statement, traverse the nodes with an HTML parsing library;
b. statements whose tags are in the whitelist module (220) are left untouched;
c. statements whose tags are not in the whitelist module (220) have their HTML rebuilt by the whitelist module (220).
8. The Web attack defense method based on XSS and CSRF of claim 2, characterized in that the workflow of the token blocking module (230) comprises the following steps:
why can a CSRF attack succeed? because the attacker can forge the user's request, and all of the user's verification information in that request is held in the cookie, so the attacker can pass security verification directly with the user's own cookie without knowing that verification information; it follows that the key to resisting CSRF attacks is to put into the request information that the attacker cannot forge, and that information must not be held in the cookie; accordingly, the system adds a random value, the token (Token), to the session of the HTTP request, and the server side sets up an interceptor to verify it; if the HTTP request does not carry the value, or the value is incorrect, the server rejects the request, thereby defending against CSRF attacks; the design principle of the token blocking module (230) is to intercept the requests between the user (100) and the Web server (300) and to make the corresponding response handling of the information;
a. the user logs in to the Web server, and the token blocking module (230) obtains the HTTP request data;
b. a script tag is inserted into the response page, which is handed to the user's browser; after the page reaches the browser, the token blocking module (230) performs the Token insertion operation using the cross-browser JavaScript library jQuery;
c. the page information when the user submits the form must be consistent with the Token value; before submission, the token blocking module (230) intercepts and checks the HTTP request; if the Token value does not exist, or the page information is inconsistent with the Token, the token blocking module (230) rejects the access request.
CN201611143663.4A 2016-12-13 2016-12-13 Web attack defending systems and its method based on XSS and CSRF Withdrawn CN106790007A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611143663.4A CN106790007A (en) 2016-12-13 2016-12-13 Web attack defending systems and its method based on XSS and CSRF

Publications (1)

Publication Number Publication Date
CN106790007A true CN106790007A (en) 2017-05-31

Family

ID=58876217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611143663.4A Withdrawn CN106790007A (en) 2016-12-13 2016-12-13 Web attack defending systems and its method based on XSS and CSRF

Country Status (1)

Country Link
CN (1) CN106790007A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080222736A1 (en) * 2007-03-07 2008-09-11 Trusteer Ltd. Scrambling HTML to prevent CSRF attacks and transactional crimeware attacks
CN102480490A (en) * 2010-11-30 2012-05-30 国际商业机器公司 Method for preventing CSRF attack and equipment thereof
CN103312666A (en) * 2012-03-09 2013-09-18 腾讯科技(深圳)有限公司 Method, system and device for preventing CSRF (cross site request forgery) attack
CN105100084A (en) * 2015-07-07 2015-11-25 中国科学院计算技术研究所 Method and system for preventing cross-site request forgery attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李宗森: "Research and Implementation of XSS and CSRF Defence Based on Node.js", China Masters' Theses Full-text Database (Electronic Journal), Information Science and Technology series *

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107204982B (en) * 2017-06-13 2019-02-05 成都四方伟业软件股份有限公司 Interactive data system universal safety guard system
CN107204982A (en) * 2017-06-13 2017-09-26 成都四方伟业软件股份有限公司 Interactive data system universal safety guard system
CN107682346A (en) * 2017-10-19 2018-02-09 南京大学 A kind of fast positioning and identifying system and method for CSRF attacks
CN107682346B (en) * 2017-10-19 2021-06-25 南京大学 System and method for rapidly positioning and identifying CSRF attack
CN109960939B (en) * 2017-12-25 2021-02-05 航天信息股份有限公司 Remote HTML5 page loading method and system
CN109960939A (en) * 2017-12-25 2019-07-02 航天信息股份有限公司 Long-range HTML5 page loading method and system
CN108345535A (en) * 2017-12-26 2018-07-31 阿里巴巴集团控股有限公司 Mock test methods, device and equipment
CN108920950A (en) * 2018-06-29 2018-11-30 北京奇虎科技有限公司 A kind of webpage back door detection method, device, equipment and storage medium
CN108920955A (en) * 2018-06-29 2018-11-30 北京奇虎科技有限公司 A kind of webpage back door detection method, device, equipment and storage medium
CN108985059A (en) * 2018-06-29 2018-12-11 北京奇虎科技有限公司 A kind of webpage back door detection method, device, equipment and storage medium
CN109218284A (en) * 2018-07-24 2019-01-15 百度在线网络技术(北京)有限公司 XSS leak detection method and device, computer equipment and readable medium
CN109218284B (en) * 2018-07-24 2021-11-23 百度在线网络技术(北京)有限公司 XSS vulnerability detection method and device, computer equipment and readable medium
CN110858836A (en) * 2018-08-24 2020-03-03 阿里巴巴集团控股有限公司 Network attack defense method and equipment
CN109471739A (en) * 2018-10-24 2019-03-15 百度在线网络技术(北京)有限公司 Data transmission method and device between local application and webpage kernel
CN110995666A (en) * 2019-11-18 2020-04-10 江苏艾佳家居用品有限公司 Input xss attack-based defense method
CN112883688A (en) * 2019-11-29 2021-06-01 中国电信股份有限公司 Rich text filtering method, rich text filtering device and computer readable storage medium
CN112883688B (en) * 2019-11-29 2024-07-02 中国电信股份有限公司 Rich text filtering method, rich text filtering device and computer readable storage medium
US11363070B2 (en) 2020-01-05 2022-06-14 International Business Machines Corporation Preventing cross-site request forgery
CN111953668A (en) * 2020-07-30 2020-11-17 中国工商银行股份有限公司 Network security information processing method and device
CN111953668B (en) * 2020-07-30 2023-04-07 中国工商银行股份有限公司 Network security information processing method and device
CN112364353A (en) * 2020-11-03 2021-02-12 深圳开源互联网安全技术有限公司 Xss vulnerability detection method and device based on nodejs express application
CN118075031A (en) * 2024-04-19 2024-05-24 三峡高科信息技术有限责任公司 System and method for realizing system XSS protection in modularized manner

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20170531