CN107819639A - Test method and device - Google Patents
- Publication number: CN107819639A
- Application number: CN201610826842.1A
- Authority: CN (China)
- Prior art keywords: browser, network service, http, test, security mechanisms
- Legal status: Granted
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
Embodiments of the present invention relate to the field of network protocols, and in particular to a test method and device for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism. In the method, a test request is first received, and a security header is then sent to the browser (104), the security header being used to configure the browser (104) to use the HTTP security mechanism; it is judged whether the browser (104) handles a network service (106) using the HTTP security mechanism; and whether the browser (104) supports the HTTP security mechanism is determined from the result of the judgement. This provides a method of testing a browser automatically and reduces manual operation. Whether the browser supports the HTTP security mechanism can be determined from the browser's handling of the network service, the judgement result is accurate, and the time required for the test is short.
Description
Technical field
The present invention relates to the field of network protocols, and in particular to a test method and device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism.
Background technology
HTTP is an important transport layer protocol; it controls the transmission and processing of HTTP messages through control information carried in the message header.
One of the key functions of the header is to carry out security-related processing. The part of the header used for security-related processing is referred to as a "security header" (secure header).
There are many types of HTTP security headers, for example: the HTTP Strict Transport Security (HSTS) header, the HTTP Public Key Pinning Extension (HPKP) header, the X-Frame-Options header, the cross-site scripting protection (X-XSS-Protection) header, the X-Content-Type-Options header and the Content-Security-Policy (CSP) header. The HTTP security mechanisms are those realised by these security headers.
To implement any of the above HTTP security mechanisms, a developer must not only make the corresponding settings on the server, but the browser on the client must also support that HTTP security mechanism. Because HTTP security mechanisms are updated frequently, most browsers, and early versions in particular, cannot support all HTTP security mechanisms.
Therefore, how to determine whether a browser supports a given HTTP security mechanism is a problem that urgently needs to be solved.
Summary of the invention
In view of this, embodiments of the present invention provide a test method and device for testing whether a browser supports an HTTP security mechanism.
In a first aspect, an embodiment of the present invention provides a test method for testing whether a browser supports an HTTP security mechanism. The method may be performed by a test server. When testing the browser, the test server sends a security header to the browser, the security header being used to configure the browser to use the HTTP security mechanism under test; the test server judges whether the browser handles a network service using that HTTP security mechanism, and determines from the result of that judgement whether the browser supports the HTTP security mechanism.
This scheme can effectively test whether a browser supports an HTTP security mechanism. The test server notifies the browser, by sending it a security header, to use the HTTP security mechanism under test, judges whether the browser's handling of a network service uses that mechanism, and determines from the result whether the browser supports it. This provides a method of testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test is determined from how the browser handles the network service, so the judgement result is accurate and the time required for the test is short.
The test server can judge whether the browser requested a network service using the HTTP security mechanism according to the protection principle of the mechanism under test, which makes the result obtained by the test server more accurate.
Some HTTP security mechanisms require the browser to request a network service in a specified manner; these HTTP security mechanisms are classified here as "type one". Other HTTP security mechanisms require the browser to refrain from requesting a network service; these are classified here as "type two".
For both type one and type two, the test server indicates through the security header which HTTP security mechanism the browser should use, deploys a network service, and judges from the browser's handling of that network service whether the browser supports the HTTP security mechanism. This provides an effective test scheme.
For type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header is used to configure the manner in which the browser requests the network service; the test server judges whether the browser requests the network service in the manner specified by the security header; if the browser requests the network service in the manner specified by the security header, the test server determines that the browser supports the HTTP security mechanism; otherwise, the test server determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism may be that a browser requests a network service only over Hypertext Transfer Protocol Secure (HTTPS); the security header is the HTTP Strict Transport Security (HSTS) header, used to configure the browser to request the network service only over HTTPS. The test server controls the network service to send an HSTS header in response to an HTTP request from the browser, and judges whether the browser requests the network service over HTTPS after receiving the HSTS header. If the browser requests the network service over HTTPS, it is determined that the browser supports the HTTP security mechanism; otherwise, it is determined that the browser does not support it.
Specifically, for type one, the HTTP security mechanism may be that a browser displays the content of a network service in a specified way; the security header is the X-Content-Type-Options header, used to configure the browser to display the content of the network service in a specific way. The test server judges whether the browser displays the content of the network service in the way specified by the X-Content-Type-Options header; if it does, it is determined that the browser supports the HTTP security mechanism; otherwise, it is determined that the browser does not support it.
For type two, the HTTP security mechanism is that a browser is forbidden from requesting a network service; the security header is used to configure the browser to refrain from requesting the network service according to that HTTP security mechanism. The test server judges whether the browser requested the network service; if the browser requested the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports it.
Specifically, for type two, the HTTP security mechanism may be that a browser is allowed to access a network service only using a pre-agreed set of public key pins; the security header is the HTTP Public Key Pinning Extension (HPKP) header, used to configure the set of public key pins the browser may use when requesting another network service outside the network service under test, where that other network service has the same domain name as the network service but a different Internet Protocol (IP) address. The test server judges whether the browser requests the network service when it is redirected to the network service; if it does, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports it.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from accessing a web page embedded in another web page; the security header is X-Frame-Options, used to configure the browser to forbid access to embedded web pages; the network service is a web page embedded in another web page.
The test server judges whether the browser requests the network service when it accesses a web page in which the network service is embedded; if the browser requests the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports it.
Specifically, for type two, the HTTP security mechanism may be that a browser executes only script files from specified websites; the security header is the Content-Security-Policy (CSP) header, used to configure the websites whose script files the browser may execute; the network service is a script file that does not belong to a website specified by the CSP header. The test server judges whether the browser executes the script file that is the network service; if the browser executes the script file, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports it.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from executing a cross-site script; the security header is the X-XSS-Protection header, used to configure the browser to forbid the execution of cross-site scripts. When the content of a response to a network request received by the browser contains a cross-site script, and that cross-site script instructs the browser to request the network service, the test server judges whether the browser requests the network service; if the browser requests the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports it.
Optionally, before the test server sends the security header to the browser, it receives a test request from the browser, the test request asking for a test of whether the browser supports the HTTP security mechanism. In this optional implementation, the test of an HTTP security mechanism is initiated by the browser.
In a second aspect, an embodiment of the present invention provides a test device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism, comprising: a sending module for sending a security header to the browser, the security header being used to configure the browser to use the HTTP security mechanism; and a processing module for judging whether the browser handles a network service using the HTTP security mechanism and determining, from the result of that judgement, whether the browser supports the HTTP security mechanism.
This scheme can effectively test whether a browser supports an HTTP security mechanism. The device notifies the browser, by sending it a security header, to use the HTTP security mechanism under test, judges whether the browser's handling of the network service uses that mechanism, and determines from the result whether the browser supports it. This provides a scheme for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test is determined from how the browser handles the network service, so the judgement result is accurate and the time required for the test is short.
The device can judge whether the browser handled a network service using the HTTP security mechanism according to the protection principle of the mechanism under test, which makes the result more accurate.
Some HTTP security mechanisms require the browser to request a network service in a specified manner; these HTTP security mechanisms are classified here as "type one". Other HTTP security mechanisms require the browser to refrain from requesting a network service; these are classified here as "type two".
For both type one and type two, the device indicates through the security header which HTTP security mechanism the browser should use, and by deploying a network service the device judges from the browser's handling of that network service whether the browser supports the HTTP security mechanism. This provides an effective test scheme.
For type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header is used to configure the manner in which the browser requests the network service; the device judges whether the browser requests the network service in the manner specified by the security header; if the browser requests the network service in the manner specified by the security header, the device determines that the browser supports the HTTP security mechanism; otherwise, it determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header sent by the sending module is used to configure the manner in which the browser requests the network service; the processing module is specifically used to judge whether the browser requests the network service in the manner specified by the security header, and, if it does, to determine that the browser supports the HTTP security mechanism; otherwise, to determine that the browser does not support it.
Specifically, for type one, the HTTP security mechanism may be that a browser requests a network service only over Hypertext Transfer Protocol Secure (HTTPS); the security header sent by the sending module is the HTTP Strict Transport Security (HSTS) header, used to configure the browser to request the network service only over HTTPS; the sending module is specifically used to control the network service to send an HSTS header in response to an HTTP request from the browser; the processing module is specifically used to judge whether the browser requests the network service over HTTPS after receiving the HSTS header.
Specifically, for type one, the HTTP security mechanism may be that a browser displays the content of a network service in a specified way; the security header sent by the sending module is the X-Content-Type-Options header, used to configure the browser to display the content of the network service in a specific way; the processing module is specifically used to judge whether the browser displays the content of the network service in the way specified by the X-Content-Type-Options header.
For type two, the HTTP security mechanism is that a browser is forbidden from requesting a network service; the security header sent by the sending module is used to configure the browser to refrain from requesting the network service according to that HTTP security mechanism; the processing module is specifically used to judge whether the browser requested the network service and, if it did, to determine that the browser does not support the HTTP security mechanism; otherwise, to determine that the browser supports it.
Specifically, for type two, the HTTP security mechanism may be that a browser is allowed to access a network service only using a pre-agreed set of public key pins; the security header sent by the sending module is the HTTP Public Key Pinning Extension (HPKP) header, used to configure the set of public key pins the browser may use when requesting another network service outside the network service under test, where that other network service has the same domain name as the network service but a different Internet Protocol address; the processing module is specifically used to judge whether the browser requests the network service when it is redirected to the network service.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from accessing a web page embedded in another web page; the security header sent by the sending module is X-Frame-Options, used to configure the browser to forbid access to embedded web pages; the network service is a web page embedded in another web page; the processing module is specifically used to judge whether the browser requests the network service when it accesses a web page in which the network service is embedded.
Specifically, for type two, the HTTP security mechanism may be that a browser executes only script files from specified websites; the security header sent by the sending module is the Content-Security-Policy (CSP) header, used to configure the websites whose script files the browser may execute; the network service is a script file that does not belong to a website specified by the CSP header; the processing module is specifically used to judge whether the browser executes the script file that is the network service.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from executing a cross-site script; the security header sent by the sending module is the X-XSS-Protection header, used to configure the browser to forbid the execution of cross-site scripts; the processing module is specifically used to judge whether the browser requests the network service when the content of a response to a network request received by the browser contains a cross-site script and that cross-site script instructs the browser to request the network service.
Optionally, the device may further comprise a receiving module for receiving a test request from the browser before the sending module sends the security header to the browser, the test request asking for a test of whether the browser supports the HTTP security mechanism.
In a third aspect, an embodiment of the present invention provides a test device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism, comprising: a memory for storing computer instructions; and a processor for invoking the computer instructions to perform the method of the first aspect or of any possible implementation of the first aspect.
This scheme can effectively test whether a browser supports an HTTP security mechanism. The device notifies the browser, by sending it a security header, to use the HTTP security mechanism under test, judges whether the browser's handling of a network service uses that mechanism, and determines from the result whether the browser supports it. This provides a scheme for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test is determined from how the browser handles the network service, so the judgement result is accurate and the time required for the test is short.
The device can judge whether the browser requested a network service using the HTTP security mechanism according to the protection principle of the mechanism under test, which makes the result more accurate.
In a fourth aspect, a test method is provided for testing whether a browser supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms. The method may be performed by a test server. The test server sends a test script file to the browser, the test script file being used to control the test of whether the browser supports each of the at least two HTTP security mechanisms. The test server receives from the browser a test request sent separately for each of the at least two HTTP security mechanisms and, after receiving each test request, performs the following operations: in response to the test request, sending a security header to the browser, the security header being used to configure the browser to use the HTTP security mechanism targeted by the test request; judging whether the browser handles a network service using the HTTP security mechanism targeted by the test request; and determining, from the result of the judgement, whether the browser supports the HTTP security mechanism targeted by the test request.
This scheme can effectively test whether a browser supports an HTTP security mechanism. For any of the at least two HTTP security mechanisms under test, the test server notifies the browser of that mechanism by sending it a security header, judges whether the browser's handling of a network service uses the mechanism, and determines from the result whether the browser supports it. This provides a method of testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test is determined from how the browser handles the network service, so the judgement result is accurate and the time required for the test is short.
The test server can judge whether the browser requested a network service using the HTTP security mechanism according to the protection principle of the mechanism under test, which makes the result obtained by the test server more accurate.
In addition, the test server configures the at least two HTTP security mechanisms to be tested through the test script file sent to the browser. The browser then initiates, according to the test script file, a test for each of the HTTP security mechanisms, and the test server tests each HTTP security mechanism in turn. This effectively realises the testing of multiple HTTP security mechanisms, with higher test efficiency.
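As an added example (not code from the patent), the following Python models the test server's decision logic for the type one and type two mechanisms described in the first aspect, and the per-mechanism sequence driven by the test script in the fourth aspect (S601 to S608). The header values, the 2-second timer and the fake clock are assumptions, and X-Content-Type-Options is left out because its verdict depends on how the browser renders the content, which this model cannot observe.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import time


@dataclass(frozen=True)
class ServiceRequest:
    scheme: str  # "http" or "https"
    path: str


@dataclass(frozen=True)
class Mechanism:
    header: str  # security header the test server sends
    value: str   # assumed header value (the patent names the headers, not values)
    kind: int    # 1: must request the service in the specified way; 2: must not request it
    ok: Callable[[ServiceRequest], bool] = lambda r: True  # type-one acceptance test


MECHANISMS: Dict[str, Mechanism] = {
    # type one: after HSTS the browser may only fetch the service over HTTPS
    "hsts": Mechanism("Strict-Transport-Security", "max-age=300", 1,
                      lambda r: r.scheme == "https"),
    # type two: the service is a page embedded in a frame and must not be fetched
    "x-frame-options": Mechanism("X-Frame-Options", "DENY", 2),
    # type two: the service is a script from a site the policy does not allow
    "csp": Mechanism("Content-Security-Policy", "script-src 'self'", 2),
    # type two: a reflected script would request the service; it must not run
    "x-xss-protection": Mechanism("X-XSS-Protection", "1; mode=block", 2),
}


@dataclass
class Pending:
    started: float
    requests: List[ServiceRequest] = field(default_factory=list)


class TestServer:
    """Steps S201-S205: receive a test request, send the security header,
    watch how the browser handles the network service, then decide."""

    def __init__(self, timeout_s: float = 2.0,
                 clock: Callable[[], float] = time.monotonic):
        self.timeout_s = timeout_s  # assumed length of the timer in S2036
        self.clock = clock
        self.pending: Dict[str, Pending] = {}

    def handle_test_request(self, name: str) -> Dict[str, str]:
        """S201/S202: start the timer and return the header for the response."""
        mech = MECHANISMS[name]
        self.pending[name] = Pending(started=self.clock())
        return {mech.header: mech.value}

    def handle_service_request(self, name: str, scheme: str, path: str) -> None:
        """S203: record a service request that arrived before the timer expired."""
        p = self.pending[name]
        if self.clock() - p.started <= self.timeout_s:
            p.requests.append(ServiceRequest(scheme, path))

    def verdict(self, name: str) -> Optional[bool]:
        """S204/S205: True = supported, False = not supported, None = still waiting."""
        mech, p = MECHANISMS[name], self.pending[name]
        expired = self.clock() - p.started > self.timeout_s
        if mech.kind == 1:
            if any(mech.ok(r) for r in p.requests):
                return True   # requested in the specified way
            if p.requests or expired:
                return False  # requested the wrong way, or never requested
            return None
        if p.requests:
            return False      # a type-two mechanism must suppress the request
        return True if expired else None


class FakeClock:
    """Deterministic clock so the sequence below runs offline without waiting."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_sequence() -> Dict[str, Optional[bool]]:
    """The S601-S608 flow: the test script issues one test request per mechanism
    and the server judges each one. The browser behaviour here is constructed."""
    clock = FakeClock()
    srv = TestServer(timeout_s=2.0, clock=clock)
    srv.handle_test_request("hsts")                                      # S603/S604
    srv.handle_service_request("hsts", "https", "/service")              # S605: HSTS honoured
    srv.handle_test_request("x-xss-protection")                          # S606/S607
    srv.handle_service_request("x-xss-protection", "http", "/service")   # S608: script ran
    srv.handle_test_request("x-frame-options")
    clock.advance(3.0)                                                   # nothing arrived
    return {n: srv.verdict(n) for n in ("hsts", "x-xss-protection", "x-frame-options")}
```

A real deployment would call `handle_test_request` from the handler for `/test` and `handle_service_request` from the handler for the deployed network service; the verdict is read once the timer has run out.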
In a fifth aspect, an embodiment of the present invention provides a test device for testing whether a browser supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms. The device comprises: a sending module for sending a test script file to the browser, the test script file being used to control the test of whether the browser supports each of the at least two HTTP security mechanisms; a receiving module for receiving from the browser a test request sent separately for each of the at least two HTTP security mechanisms; and a processing module for performing the following operations after the receiving module receives each test request: in response to the test request, controlling the sending module to send a security header to the browser, the security header being used to configure the browser to use the HTTP security mechanism targeted by the test request; judging whether the browser handles a network service using the HTTP security mechanism targeted by the test request; and determining, from the result of the judgement, whether the browser supports the HTTP security mechanism targeted by the test request.
This scheme can effectively test whether a browser supports an HTTP security mechanism. For any of the at least two HTTP security mechanisms under test, the device notifies the browser of that mechanism by sending it a security header, judges whether the browser's handling of a network service uses the mechanism, and determines from the result whether the browser supports it. This provides a scheme for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test is determined from how the browser handles the network service, so the judgement result is accurate and the time required for the test is short.
The device can judge whether the browser requested a network service using the HTTP security mechanism according to the protection principle of the mechanism under test, which makes the result more accurate.
In addition, the device configures the at least two HTTP security mechanisms to be tested through the test script file sent to the browser. The browser then initiates, according to the test script file, a test for each of the HTTP security mechanisms, and the device tests each HTTP security mechanism in turn. This effectively realises the testing of multiple HTTP security mechanisms, with higher test efficiency.
In a sixth aspect, an embodiment of the present invention provides a test device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism, comprising: a memory for storing computer instructions; and a processor for invoking the computer instructions to perform the method provided in the fourth aspect.
This scheme can effectively test whether a browser supports an HTTP security mechanism. For any of the at least two HTTP security mechanisms under test, the device notifies the browser of that mechanism by sending it a security header, judges whether the browser's handling of a network service uses the mechanism, and determines from the result whether the browser supports it. This provides a method of testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test is determined from how the browser handles the network service, so the judgement result is accurate and the time required for the test is short.
The device can judge whether the browser requested a network service using the HTTP security mechanism according to the protection principle of the mechanism under test, which makes the result more accurate.
In addition, the device configures the at least two HTTP security mechanisms to be tested through the test script file sent to the browser. The browser then initiates, according to the test script file, a test for each of the HTTP security mechanisms, and the device tests each HTTP security mechanism in turn. This effectively realises the testing of multiple HTTP security mechanisms, with higher test efficiency.
In a seventh aspect, an embodiment of the present invention provides a computer-readable medium on which computer instructions are stored; when executed by a computing device, the computer instructions perform the method provided by the first aspect or any possible implementation of the first aspect, or by the fourth aspect or any optional implementation of the fourth aspect.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a test system provided by an embodiment of the present invention;
Fig. 2 to Fig. 6 are flow charts of test methods provided by embodiments of the present invention;
Fig. 7 to Fig. 10 are schematic structural diagrams of test devices provided by embodiments of the present invention.
Reference numerals list:
- 10: test system; 101: host; 102: test server; 103: destination server; 104: browser; 105: test program; 106: network service
- S201: receive test request; S202: send security header; S203: whether browser 104 employs the HTTP security mechanism; S204: browser 104 supports the HTTP security mechanism; S205: browser 104 does not support the HTTP security mechanism
- S2011: HTTP security mechanism to be tested; S2031: service request; S2032: browser 104 requests network service 106 in the way specified by the security header; S2033: judgement result; S2034: whether browser 104 supports the HTTP security mechanism
- S2012: test has been started; S2035: service request; S2036: whether a service request is received before timer expiry; S2037: judgement result; S2038: whether browser 104 supports the HTTP security mechanism
- S2039a: service response; S2039b: display the content of network service 106
- S601: test starts; S602: Test.js; S603: HSTS test request; S604: HSTS security header; S605: service request; S606: XSS test request; S607: XSS security header; S608: service request
- 70: test device; 701: sending module; 702: processing module; 703: receiving module
- 80: test device; 801: memory; 802: processor
- 901: sending module; 902: processing module; 903: receiving module
- 100: test device; 1001: memory; 1002: processor
Embodiment
Browsers are of many kinds, and each browser may also have multiple versions. When a network service is released, it is necessary to state clearly which browsers, or more precisely which versions of which browsers, support the HTTP security mechanisms adopted by that network service. It is therefore necessary to test one or more browsers, possibly multiple versions of one browser, to determine whether they support a certain HTTP security mechanism.
In the embodiment of the present invention, whether a browser supports an HTTP security mechanism is tested on the basis of the principle by which that HTTP security mechanism performs safety protection. A device running a test program, for example a server, instructs a browser to use the HTTP security mechanism while requesting a certain network service (the network service may be deployed on that server or on another server), for example when the browser accesses the web page pointed to by a uniform resource locator (URL), and then judges whether the browser has performed safety protection according to that HTTP security mechanism in order to determine whether the browser supports it.
Below, embodiments of the present invention are described in detail with reference to the accompanying drawings.
Fig. 1 shows a test system 10 provided in an embodiment of the present invention. Test system 10 may include a host 101, a test server 102 and a destination server 103.
Browser 104 to be tested may be installed on host 101.
Test program 105 may be installed on test server 102 and performs the test method provided in the embodiment of the present invention to test whether browser 104 supports an HTTP security mechanism. Test program 105 configures the HTTP security mechanism used by browser 104.
Network service 106 may be deployed on destination server 103. Depending on the HTTP security mechanism, test program 105 may judge whether browser 104 supports that HTTP security mechanism according to whether browser 104 requests network service 106 on destination server 103 and, in some cases, further according to the manner in which browser 104 requests network service 106.
Optionally, test program 105 may monitor destination server 103, or destination server 103 may notify test program 105, so that test program 105 determines whether browser 104 has requested network service 106 and, in some cases, also learns whether browser 104 used the HTTP security mechanism when requesting network service 106.
Optionally, test server 102 and destination server 103 may be Apache servers.
The system architecture of test system 10 shown in Fig. 1 is referred to as "system architecture one". Test system 10 also has other optional variants, which may include but are not limited to:
System architecture two: host 101 and test server 102 are the same device, and test program 105 runs on host 101. Destination server 103 is a separate device.
System architecture three: test server 102 and destination server 103 are the same device, and host 101 is a separate device.
Browser 104 is the browser to be tested; its type may include but is not limited to: Internet Explorer (IE), Firefox (FF), Opera, Safari, Google Chrome, the Android browser, and so on.
Browser 104 may be further divided by version; for example, IE can be divided into IE6, IE8, IE10 and so on, which are different versions of IE.
Browsers of different kinds and versions typically support different HTTP security mechanisms. It is therefore necessary to test whether browser 104 supports a given HTTP security mechanism.
Host 101 may be any device capable of running a browser, test server 102 any device capable of executing test program 105, and destination server 103 any device on which a network service can be deployed. Host 101 may be a laptop, tablet computer, smartphone or other electronic device, or a control instrument, industrial computer, monitoring device or the like used in industry. Test server 102 and destination server 103 may be a personal computer (PC), server, laptop or other electronic device, or likewise a control instrument, industrial computer, monitoring device or the like used in industry.
Test program 105 may be written in JavaScript (JS). Test program 105 may include at least one program. The composition of test program 105 is illustrated below in connection with the different system architectures of test system 10.
Network service 106 may be a web application. A network service is usually provided over an established network connection: a browser first establishes a network connection with a server and then requests the network service on that server.
Fig. 2 shows a flow chart of the test method provided in an embodiment of the present invention. The test method may be performed by test program 105. As shown in Fig. 2, the method comprises the following steps:
S201: Receive a test request from browser 104.
The test request requests a test of whether browser 104 supports an HTTP security mechanism.
S202: Send a security header to browser 104.
The security header configures browser 104 to use the HTTP security mechanism whose test was requested in step S201.
S203: Judge whether browser 104 has processed a network service 106 using the HTTP security mechanism.
If it is determined that browser 104 used the HTTP security mechanism when processing network service 106, step S204 is performed; otherwise step S205 is performed.
S204: Determine that browser 104 supports the configured HTTP security mechanism.
S205: Determine that browser 104 does not support the configured HTTP security mechanism.
Step S201 is optional: test program 105 may directly send a security header to browser 104 to configure browser 104 to use an HTTP security mechanism, without browser 104 first initiating a test request.
Different HTTP security mechanisms implement safety protection on different principles; in summary they fall into the following two types:
Type one: the HTTP security mechanism specifies the manner in which a browser requests a network service.
For example, the HSTS header specifies that the browser must request the network service over HTTPS.
As another example, the X-Content-Type-Options header specifies that the browser must display the content of the network service in a specified manner.
For type one, in the embodiment of the present invention, test program 105 judges whether browser 104 requests network service 106 in the manner specified by the security header. If browser 104 requests network service 106 in the manner specified by the security header, it is determined that browser 104 supports the corresponding HTTP security mechanism; otherwise, it is determined that browser 104 does not support it.
For type one, Fig. 3 shows the interaction between test program 105, browser 104 and network service 106 in the embodiment of the present invention.
For type one, any of the foregoing system architectures may be used. With system architecture three, test server 102 and destination server 103 are the same device; network service 106 is then deployed on the same device as test program 105, or network service 106 is part of test program 105.
After receiving the test request in step S201, test program 105 knows which HTTP security mechanism browser 104 is to test. Before or while sending the security header in step S202, test program 105 may perform step S2011 to notify network service 106 which HTTP security mechanism it should expect in the service request from browser 104.
Optionally, after receiving the service request from browser 104 in step S2031, network service 106 performs step S2032 and judges whether browser 104 requested network service 106 in the manner specified by the security header. Network service 106 then performs step S2033 and notifies test program 105 of the judged result of step S2032. Test program 105 can determine from the judged result received in step S2033 whether browser 104 supports the HTTP security mechanism: if browser 104 requested network service 106 in the manner specified by the security header, browser 104 supports the HTTP security mechanism; otherwise it does not.
Alternatively, network service 106 may in step S2032 only determine the manner in which browser 104 requested network service 106, and in step S2033 notify test program 105 of that manner. Test program 105 then determines from the manner received in step S2033 whether browser 104 supports the HTTP security mechanism: if browser 104 requested network service 106 in the manner specified by the security header, browser 104 supports the mechanism; otherwise it does not.
In step S2033, network service 106 may proactively notify test program 105 of the judged result of step S2032 or of the manner in which browser 104 requested network service 106; or network service 106 may store the judged result or the determined manner after performing step S2032 and send it to test program 105 when it receives a result query from test program 105.
Type two: the HTTP security mechanism prohibits a browser from requesting a network service.
For example, HPKP prohibits a browser from requesting a forged network service that has the same domain name as the real network service but a different Internet Protocol (IP) address.
As another example, X-Frame-Options prohibits a browser from accessing a web page embedded in another web page.
As another example, CSP prohibits a browser from executing a script file from a non-designated domain.
As another example, X-XSS-Protection prohibits a browser from executing cross-site scripting.
For type two, in the embodiment of the present invention, the network service whose request is prohibited is network service 106. Test program 105 judges whether browser 104 requests network service 106; if browser 104 requests network service 106, it is determined that browser 104 does not support the HTTP security mechanism; otherwise, it is determined that browser 104 supports the HTTP security mechanism under test.
For type two, Fig. 4 shows the interaction between test program 105, browser 104 and network service 106 in the embodiment of the present invention.
For type two, any of the foregoing system architectures may be used. Under system architecture three, test program 105 and network service 106 are deployed on the same device. Since test program 105 sends a security header to browser 104 after receiving the test request, it can itself be regarded as a network service, but under system architecture three the network service corresponding to test program 105 must have a different IP address from network service 106.
After receiving the test request in step S201, test program 105 knows which HTTP security mechanism browser 104 is to test. Before or while sending the security header in step S202, test program 105 may notify network service 106 through step S2012 that the test has started. After receiving the notification from test program 105, network service 106 may start a timer. The timer length may depend on the distance between browser 104 and network service 106 and between test program 105 and browser 104 in test system 10, on the type of transmission line, and so on; the processing delay of browser 104 in handling the security header may also be considered. The timer length should be no less than the sum of the propagation delay between the devices and the processing delay of browser 104.
If browser 104 does not support the HTTP security mechanism under test, it may send a service request to network service 106 through step S2035. After receiving the service request, network service 106 may notify test program 105 through step S2037 that it has received the service request from browser 104, or directly notify test program 105 that browser 104 does not support the HTTP security mechanism under test.
If browser 104 supports the HTTP security mechanism under test, network service 106 will not receive a service request from browser 104 and the timer expires. Network service 106 judges through step S2036 whether a service request was received before the timer expired and, after expiry, notifies test program 105 through step S2037 that the timer has expired, or directly notifies test program 105 that browser 104 supports the HTTP security mechanism under test.
In step S2038, test program 105 determines from the judged result received in step S2037 whether browser 104 supports the HTTP security mechanism under test. For example, if network service 106 indicates in step S2037 that it did not receive a service request from browser 104 before the timer expired, test program 105 determines that browser 104 supports the HTTP security mechanism under test; if network service 106 indicates in step S2037 that it received a service request from browser 104, test program 105 determines that browser 104 does not support it.
For type two, optionally, if network service 106 uses a timer and receives a service request from browser 104 before the timer expires, network service 106 expires the timer immediately.
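The timer bookkeeping of steps S2012 to S2038 for a type-two mechanism, as an added example that is not part of the patent: TypeTwoMonitor, judgeTypeTwo, chooseTimeout and the millisecond clock values are assumptions, and the clock reading is passed in explicitly so the behaviour can be checked without real timers.

```javascript
// Added example (not the patent's code). Network service 106 models steps
// S2012 (test started), S2035 (service request), S2036/S2037 (report) as a
// state machine driven by an explicit clock; test program 105 applies S2038.

class TypeTwoMonitor {
  constructor(timeoutMs) {
    this.timeoutMs = timeoutMs;
    this.startedAt = null;   // set by step S2012
    this.expiresAt = null;
    this.requestAt = null;   // set by step S2035, if a request arrives
  }

  // Step S2012: the test program says the test has begun; start the timer.
  startTest(now) {
    this.startedAt = now;
    this.expiresAt = now + this.timeoutMs;
    this.requestAt = null;
  }

  // Step S2035: a service request from browser 104 arrives. Only a request
  // that arrives before expiry counts, and it expires the timer immediately
  // (the optional early-expiry behaviour described in the text).
  onServiceRequest(now) {
    if (this.startedAt === null) throw new Error('test not started');
    if (this.requestAt !== null || now >= this.expiresAt) return false;
    this.requestAt = now;
    this.expiresAt = now;
    return true;
  }

  // Steps S2036/S2037: once the timer has expired (or was expired early),
  // report to the test program. Returns null while the timer still runs.
  report(now) {
    if (this.startedAt === null) throw new Error('test not started');
    if (now < this.expiresAt) return null;
    return { receivedBeforeExpiry: this.requestAt !== null };
  }
}

// Step S2038 on the test-program side: a request that reached the prohibited
// network service 106 before expiry means the mechanism is not supported.
function judgeTypeTwo(report) {
  return report.receivedBeforeExpiry ? 'not supported' : 'supported';
}

// Timer length chosen as the text requires: no less than the propagation delay
// between the devices plus the browser's processing delay (values constructed).
function chooseTimeout(propagationDelayMs, browserProcessingMs, marginMs = 0) {
  return propagationDelayMs + browserProcessingMs + marginMs;
}
```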
The safety-protection principles of the different HTTP security mechanisms and the test schemes of the embodiment of the present invention are explained below.
Of course, the embodiment of the present invention is not limited to testing HTTP security mechanisms: the scheme provided in the embodiment of the present invention can be used for any network protocol security mechanism that a browser can be configured to use through a security header and whose support can be determined from how the browser processes a network service.
1. HSTS
HSTS helps a server guard against protocol downgrade attacks and cookie hijacking. A server can use HSTS to force a browser (or other user agent) to establish connections with the server only over Hypertext Transfer Protocol Secure (HTTPS). A browser can use HSTS to ensure that it always connects to the HTTPS encrypted version of the server, without the user having to enter the encrypted address manually in the URL address bar.
A server can enable HSTS as follows: when the browser sends a request over HTTP, the HTTP response header returned by the server contains a Strict-Transport-Security field, which instructs the browser to request the network connections deployed on the server over HTTPS.
Therefore, in step S202, test program 105 may control network service 106 so that, after receiving the HTTP request sent by browser 104 (for example http://xxx), it sends browser 104 a security header containing the following field and parameters:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This security header means: for the next year (31536000 seconds), whenever the browser that received the security header sends an HTTP request to xxx or any of its subdomains, it must initiate the connection over HTTPS. For example, when the user clicks a hyperlink or types the address into the address bar, the browser should automatically rewrite http to https and send the request directly to https://xxx/.
Here https://xxx/ is network service 106.
Network service 106 or test program 105 judges whether the service request from browser 104 is for http://xxx/ or for https://xxx/: if http://xxx/, browser 104 is determined not to support HSTS; if https://xxx/, browser 104 is determined to support HSTS.
2. X-Content-Type-Options
X-Content-Type-Options can be used to prevent Microsoft Internet Explorer (MSIE) or Google Chrome from interpreting a file as a content type other than the one specified in the HTTP header.
A server can enable X-Content-Type-Options as follows: when the browser sends an HTTP request, the HTTP response header returned by the server contains an X-Content-Type-Options field, which instructs the browser to use the X-Content-Type-Options HTTP security mechanism.
Therefore, in step S202, test program 105 may include the following fields and parameters in the security header sent to browser 104:
"X-Content-Type-Options: nosniff" and "Content-Type: text/plain;"
Here nosniff means that the content type is not to be sniffed, and Content-Type: text/plain means that the content is to be displayed as plain source text.
After receiving the security header, if browser 104 supports X-Content-Type-Options and the requested network service 106 is an HTML web page, browser 104 displays the source text of the HTML page; if it does not support X-Content-Type-Options, browser 104 renders the HTML page.
Referring to the interaction diagram in Fig. 5, which differs slightly from Fig. 3 because test program 105 must judge whether browser 104 displays the content of network service 106 in the specified manner, the flow is as follows:
Steps S201, S202 and S2035 are as before. After receiving the service request from browser 104 through step S2035, network service 106 sends a service response to browser 104 through step S2039a; for example, if network service 106 is an HTML web page, network service 106 returns that HTML page to browser 104.
After receiving the service response through step S2039a, browser 104 displays the content of network service 106 through step S2039b. With the security header as above and network service 106 being an HTML page, browser 104 displays the source text of the HTML page in step S2039b if it supports X-Content-Type-Options, and renders the HTML page directly in step S2039b if it does not.
In step S2032, browser 104 may capture the content displayed in step S2039b with screenshot software and send the captured screen to test program 105, which judges whether browser 104 displayed the content of network service 106 in the manner set by the security header; if so, it is determined that browser 104 supports X-Content-Type-Options, otherwise that it does not.
Another optional method is that browser 104 itself judges, after taking the screenshot, whether it displayed the content of network service 106 in the manner specified by the security header, and sends the judged result to test program 105, which determines from the received result whether browser 104 supports X-Content-Type-Options.
3. HPKP
HPKP helps an HTTPS website refuse access by an attacker using mis-issued or otherwise forged certificates. The HTTPS web server provides a set of public key hashes, and on subsequent connections the web server must use one or more of these public key hashes in its certificate chain. HPKP requires mature operation by the host or organization, because a host pinned to a set of public key hashes may become unavailable. With HPKP, a host operator can greatly reduce man-in-the-middle (MITM) attacks and other false-authentication problems without incurring excessive risk.
A server can enable HPKP as follows: when the browser sends an HTTP request, the HTTP response header returned by the server contains a Public-Key-Pins (PKP) field, in which the indicated public key pins are public key hashes.
Therefore, in step S202, the security header that test program 105 sends to browser 104 may contain the following field and parameters. For example, the response header contains:
Public-Key-Pins: max-age=4000; pin-sha256="abcd01235678WLTUVW"
This means: the server tells the browser that, for 4000 seconds, the pinned value (the content inside the quotation marks) is the sha256 hash of the public key in the certificate, base64 encoded.
After receiving the HPKP header, a browser that supports HPKP should store the above public key hash. Therefore, whether a browser supports HPKP can be determined by judging whether it stores the above public key hash.
In addition, when a browser is redirected to a forged network service that uses the same domain name as the above server, a browser that supports HPKP blocks the request to the forged network service.
In the embodiment of the present invention, browser 104 first establishes a connection with a network service and stores the public key hash; the network service is then replaced by network service 106, which has the same domain name but a different IP address. If the subsequent request to network service 106 is blocked, the browser supports HPKP.
If network service 106 receives the service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support HPKP; if the timer expires, test program 105 determines that browser 104 supports HPKP.
4. X-Frame-Options
X-Frame-Options improves the ability of a web application to guard against clickjacking. It provides a communication mechanism from a host to the client browser that can be used to control whether the browser displays the delivered content inside a frame of another web page.
A server can enable X-Frame-Options as follows: after receiving the service request from the browser, the response header returned by the server contains an X-Frame-Options field whose value is set to deny.
Therefore, in step S202, test program 105 may include the following field and parameter in the security header sent to browser 104:
X-Frame-Options: deny
Network service 106 may be set up in advance as a web page embedded in another web page. If browser 104 supports X-Frame-Options, then when browser 104 accesses the other web page it will not request the web page corresponding to network service 106; if browser 104 does not support X-Frame-Options, it will request the web page corresponding to network service 106 when accessing the other web page.
If network service 106 receives the service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support X-Frame-Options; if the timer expires, test program 105 determines that browser 104 supports X-Frame-Options.
5. X-XSS-Protection
X-XSS-Protection can be used to filter out cross-site scripting (XSS).
A server can enable X-XSS-Protection as follows: after receiving the service request from the browser, the response header returned by the server contains an X-XSS-Protection field whose value is set to 1 and whose mode is set to block.
Therefore, in step S202, test program 105 may include the following field and parameters in the security header sent to browser 104:
X-XSS-Protection: 1; mode=block
Test program 105 may set browser 104 in advance so that, after receiving the above security header, it requests a network service other than network service 106; that network service may be deployed on test server 102. After browser 104 sends a service request to that network service, the response returned by that network service contains a script, and the script instructs browser 104 to request network service 106.
If browser 104 supports X-XSS-Protection, it does not execute the script in the above response and therefore does not request network service 106; if browser 104 does not support X-XSS-Protection, it executes the script in the response and then requests network service 106.
If network service 106 receives the service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support X-XSS-Protection; if the timer expires, test program 105 determines that browser 104 supports X-XSS-Protection.
6. CSP
CSP has a considerable influence on how a browser displays a web page and can be used to prevent various attacks, including cross-site scripting and other cross-site injection.
A server can enable CSP as follows: after receiving the service request from the browser, the response header returned by the server contains a Content-Security-Policy field whose value is set to script-src 'self'.
Therefore, in step S202, test program 105 may include the following field and parameter in the security header sent to browser 104: Content-Security-Policy: script-src 'self'.
Network service 106 may be set up in advance as a cross-domain script file. If network service 106 receives the service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support X-XSS-Protection; if the timer expires, test program 105 determines that browser 104 supports X-XSS-Protection.
The above describes the test method in the embodiment of the present invention for determining whether a browser 104 supports an HTTP security mechanism. For efficient testing, one browser 104 may be tested separately for each of multiple HTTP security mechanisms. Further, each browser 104 among multiple browsers 104 may be tested separately for each of multiple HTTP security mechanisms.
Optionally, multiple browsers 104 may be installed on host 101 in test system 10, such as the aforementioned IE, Chrome, Firefox, Android, Safari and Opera browsers; different versions of the same browser are regarded as different browsers.
Test server 102 may support a variety of HTTP security mechanisms to be tested; since test server 102 must send security headers to browser 104, it must support each HTTP security mechanism to be tested. Network service 106 may support a variety of HTTP security mechanisms, or a separate network service 106 supporting one HTTP security mechanism may be deployed for each mechanism.
Another test flow provided in an embodiment of the present invention is illustrated below with reference to Fig. 6. As shown in Fig. 6, the flow may include the following steps:
S601: Browser 104 sends a test start command to test program 105.
S602: Test program 105 recognizes the test start command from browser 104 and, after receiving the command, sends the test script (Test.js in Fig. 6) to browser 104.
S603: After receiving Test.js, browser 104 sends an HSTS test request to test program 105 according to the test commands in Test.js.
S604: After receiving the HSTS test request, test program 105 sends an HSTS security header to browser 104.
S605: After receiving the HSTS security header, browser 104 sends a service request to network service 106 according to the test commands in Test.js.
S606: Browser 104 sends an XSS test request to network service 106 according to the test commands in Test.js.
S607: After receiving the XSS test request, test program 105 sends an XSS security header to browser 104.
S608: After receiving the XSS security header, browser 104 sends a service request to network service 106 according to the test commands in Test.js.
The remaining mechanisms are tested in turn in the order set in Test.js. For example, Test.js sets the tests to run in the following order, by number from smallest to largest:
1. HSTS, 2. HPKP, 3. X-Frame-Options, 4. X-XSS-Protection, 5. X-Content-Type-Options, 6. Content-Security-Policy.
The above test script Test.js may include multiple test commands. If one browser 104 is installed on host 101, the test script can control which of the multiple HTTP security mechanisms are tested for that browser 104. If multiple browsers 104 are installed on host 101, the test script can control that each browser 104 among them is tested separately, and for the same browser 104 a variety of HTTP security mechanisms can be tested.
The setting of the test script for one browser 104 is illustrated below; the test process for the other browsers 104 is similar.
For example, to test IE7's support for the various HTTP security mechanisms, the tests are performed in turn in the above numbered order.
Therefore, Test.js may include test command groups executed in the above order, each test command group corresponding to one HTTP security mechanism.
Taking HSTS as an example, its test command group may perform the following operations:
1. A test command controls browser 104 to send a test request to test program 105; the test request asks for a test of whether browser 104 supports HSTS. The test request may be a service request sent to test program 105 (step S603), with a parameter in the service request set so that test program 105 can recognize that it needs to test whether browser 104 supports HSTS (the correspondence between the values of the service request parameter and the HTTP security mechanism types can be agreed in advance between host 101 and test program 105).
After receiving the test request, test program 105 determines that it needs to test whether browser 104 supports HSTS, and sends an HSTS security header to browser 104 (step S604).
2. A test command controls browser 104 to receive the HSTS security header and obtain the values of the fields and parameters in the HSTS security header.
3. A test command controls browser 104 to send a service request to network service 106.
The test command may specify the network service 106 that browser 104 is to request, and specify that browser 104 uses the HSTS HTTP security mechanism.
If browser 104 supports HSTS, it processes the service request according to the fields and parameters in the HSTS security header and sends the service request to network service 106 (step S605).
After the test command group for HSTS has been executed, the test command group for HPKP is executed next. Its commands are set up in the same way as the HSTS group: send a test request, receive the security header, send a service request to network service 106. The handling and settings of each command follow the description of the HPKP test method given earlier.
For type one of the security protection described earlier, browser 104 sends a service request to network service 106 regardless of whether it supports the HTTP security mechanism; what differs is the way the service request is sent, or the way browser 104 displays the content of network service 106.
For type two of the security protection described earlier, network service 106 is set to be a network service whose request the HTTP security mechanism prohibits. If browser 104 does not support the HTTP security mechanism, it sends the service request to network service 106; if it supports the HTTP security mechanism, it does not send the service request to network service 106.
For type one, network service 106 can record the way in which browser 104 sends the service request; for type two, network service 106 can record whether it received the service request from browser 104 before the timer expired.
Network service 106 can send the records above to test program 105, and test program 105 determines from the received records which HTTP security mechanisms browser 104 supports and/or which it does not support.
Below, examples of several test command groups in Test.js are given. In them, target_ip is the IP address of network service 106 described above; method:'get' means that network service 106 is requested with GET; alert displays a prompt message; success:function(response, opts) means that if browser 104 handled network service 106 using the HTTP security mechanism under test by this test command group, a message is displayed that browser 104 supports that HTTP security mechanism; failure:function(response, opts) means that if browser 104 did not handle network service 106 using the HTTP security mechanism under test, a message is displayed that browser 104 does not support it; failure:function(response, opts) also covers a failed test: if neither support nor non-support of the HTTP security mechanism by browser 104 is indicated, an error is displayed.
1. Test command group for HSTS: function HSTS_test()
2. Test command group for HPKP: function HPKP_test()
3. Test command group for X-Frame-Options: function X-Frame-Options_test()
4. Test command group for X-XSS-Protection: function X-XSS-Protection
5. Test command group for X-Content-Type-Options: function X-Content-Type-Options
6. Test command group for Content-Security-Policy: function Content-Security-Policy
Fig. 7 shows a test device 70 provided in an embodiment of the present invention. The test device 70 can be used to test whether a browser 104 supports an HTTP security mechanism.
As shown in Fig. 7, test device 70 may include:
a sending module 701 for sending a security header to browser 104, wherein the security header is used to configure browser 104 to use the HTTP security mechanism;
a processing module 702 for judging whether browser 104 processes a network service 106 using the HTTP security mechanism, and determining, according to the result of the judgement, whether browser 104 supports the HTTP security mechanism.
As stated earlier, the principle by which an HTTP security mechanism achieves security protection can be divided into "type one" and "type two".
For type one, the HTTP security mechanism is one by which a browser requests a network service only in a specified way. The security header sent by sending module 701 is specifically used to configure the way in which browser 104 requests network service 106. Processing module 702 is specifically used to judge whether browser 104 requests network service 106 in the way specified by the security header and, if browser 104 requests network service 106 in the way specified by the security header, to determine that browser 104 supports the HTTP security mechanism; otherwise, to determine that browser 104 does not support the HTTP security mechanism.
Alternatively, the HTTP security mechanism is one by which a browser requests a network service only over HTTPS (Hypertext Transfer Protocol Secure). The security header sent by sending module 701 is an HTTP Strict Transport Security (HSTS) header, specifically used to configure browser 104 to request network service 106 only over HTTPS. Sending module 701 is specifically used to control network service 106 to send an HSTS header in response to an HTTP request from browser 104. Processing module 702 is specifically used to judge whether browser 104 requests network service 106 over HTTPS after receiving the HSTS header.
Alternatively, the HTTP security mechanism is one by which a browser displays the content of a network service in a specified way. The security header sent by sending module 701 is an X-Content-Type-Options header, specifically used to configure browser 104 to display the content of network service 106 in a specified way. Processing module 702 is specifically used to judge whether browser 104 displays the content of network service 106 in the way specified in the X-Content-Type-Options header.
Alternatively, the HTTP security mechanism is one that prohibits a browser from requesting a network service. The security header sent by sending module 701 is specifically used to configure browser 104 to refrain from requesting network service 106 as the HTTP security mechanism prescribes. Processing module 702 is specifically used to judge whether browser 104 requests network service 106 and, if browser 104 requests network service 106, to determine that browser 104 does not support the HTTP security mechanism; otherwise, to determine that browser 104 supports the HTTP security mechanism.
Alternatively, the HTTP security mechanism is one that allows a browser to access a network service only when it uses a group of public key pins agreed in advance.
The security header sent by sending module 701 is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the group of public key pins that browser 104 may use when requesting another network service other than network service 106, where the other network service has the same domain name as network service 106 but a different Internet Protocol (IP) address.
Processing module 702 is specifically used to judge whether browser 104 requests network service 106 when it is redirected to network service 106.
For type two, the HTTP security mechanism is one that prohibits a browser from accessing a web page embedded in another web page. The security header sent by sending module 701 is X-Frame-Options, specifically used to configure browser 104 to prohibit access to embedded web pages; network service 106 is a web page embedded in another web page. Processing module 702 is specifically used to judge whether browser 104 requests network service 106 when accessing a web page in which network service 106 is embedded.
Alternatively, the HTTP security mechanism is one by which a browser executes only script files from specified sites. The security header sent by sending module 701 is a Content Security Policy (CSP) header, specifically used to configure the sites whose script files browser 104 may execute; network service 106 is a script file that does not belong to the sites specified by the CSP header. Processing module 702 is specifically used to judge whether browser 104 executes the script file that is network service 106.
Alternatively, the HTTP security mechanism is one that prohibits a browser from executing a cross-site script. The security header sent by sending module 701 is an X-XSS-Protection header, specifically used to configure browser 104 to prohibit execution of cross-site scripts. Processing module 702 is specifically used to judge whether browser 104 requests network service 106 when the content of a network response it receives includes a cross-site script and the cross-site script instructs browser 104 to request network service 106.
Alternatively, test device 70 may further include a receiving module 703 for receiving, before sending module 701 sends the security header to browser 104, a test request from browser 104, where the test request asks that browser 104 be tested for support of the HTTP security mechanism.
Sending module 701 can additionally be used to perform the other sending operations of test server 106. Processing module 702 can additionally be used to perform the other processing operations of test server 106. Receiving module 703 can additionally be used to perform the other receiving operations of test server 106. For other optional implementations of the device, refer to the implementation of test server 106; they are not repeated here.
Fig. 8 shows a test device 80 provided in an embodiment of the present invention. The test device 80 can be used to test whether a browser 104 supports an HTTP security mechanism. The test device 80 can be located in the test server 106 described above, or the test device 80 is the test server 106 described above.
As shown in Fig. 8, the test device 80 may include:
a memory 801 for storing computer instructions (such as the test program 105 described above);
a processor 802 for calling the computer instructions stored on memory 801 to perform any of the test methods shown in Fig. 2 to Fig. 6.
Fig. 9 shows a test device 90 provided in an embodiment of the present invention. The test device 90 can be used to test whether a browser 104 supports each of at least two HTTP security mechanisms.
As shown in Fig. 9, the device includes:
a sending module 901 for sending a test script file to browser 104, where the test script file is used to control the testing of whether browser 104 supports each of the at least two HTTP security mechanisms;
a receiving module 903 for receiving the test requests sent separately by browser 104 for each of the at least two HTTP security mechanisms;
a processing module 902 for performing the following operations after receiving module 903 receives each test request: in response to the test request, controlling sending module 901 to send a security header to browser 104, where the security header is used to configure browser 104 to use the HTTP security mechanism targeted by the test request; judging whether browser 104 processes a network service 106 using the HTTP security mechanism targeted by the test request; and determining, according to the result of the judgement, whether browser 104 supports the HTTP security mechanism targeted by the test request.
In device 90, sending module 901 can additionally be used to perform the other sending operations of test server 106, receiving module 903 can additionally be used to perform the other receiving operations of test server 106, and processing module 902 can additionally be used to perform the other processing operations of test server 106. For other optional implementations of device 90, refer to the implementation of test server 106; they are not repeated here.
Fig. 10 shows a test device 100 provided in an embodiment of the present invention. The test device 100 can be used to test whether a browser 104 supports each of at least two HTTP security mechanisms. The test device can be located in the test server 106 described above, or the test device is the test server 106 described above.
As shown in Fig. 10, the device 100 includes:
a memory 1001 for storing computer instructions (such as the test program 105 described above);
a processor 1002 for calling the computer instructions stored in memory 1001 to perform the following method:
sending a test script file to browser 104, where the test script file is used to control the testing of whether browser 104 supports each of the at least two HTTP security mechanisms;
receiving the test requests sent separately by browser 104 for each of the at least two HTTP security mechanisms;
after each test request is received, performing the following operations: in response to the test request, sending a security header to browser 104, where the security header is used to configure browser 104 to use the HTTP security mechanism targeted by the test request; judging whether browser 104 processes a network service 106 using the HTTP security mechanism targeted by the test request; and determining, according to the result of the judgement, whether browser 104 supports the HTTP security mechanism targeted by the test request.
For other optional implementations of device 100, refer to the test server 106 described above; they are not repeated here.
An embodiment of the present invention also provides a computer-readable storage medium storing machine-readable program code instructions for performing the test method described herein. Specifically, a system or device equipped with a storage medium can be provided, the storage medium storing software program code that implements the functions of any of the embodiments above, and the computer (or CPU or MPU) of the system or device reads and executes the program code stored in the storage medium.
In this case, the program code read from the storage medium can itself implement the functions of any one of the embodiments above, so the program code and the storage medium storing the program code form part of the present invention.
Embodiments of the storage medium for providing the program code include floppy disks, hard disks, magneto-optical disks, optical discs (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code can be downloaded from a server computer over a communication network.
Further, it should be clear that the functions of any one of the embodiments above can be realised not only by the computer executing the program code it reads, but also by having the operating system running on the computer perform part or all of the actual operations according to instructions based on the program code.
Further, it should be understood that the program code read from the storage medium can be written into a memory provided on an expansion board inserted in the computer, or into a memory provided in an expansion unit connected to the computer, and a CPU or the like provided on the expansion board or expansion unit then performs part or all of the actual operations according to the instructions of the program code, thereby realising the functions of any of the embodiments above.
In summary, in the embodiments of the present invention, when testing a browser the test server can send the browser a security header that configures the browser to use the HTTP security mechanism under test; the test server judges whether the browser processes a network service using the HTTP security mechanism, and determines from the result of that judgement whether the browser supports the HTTP security mechanism. This scheme can effectively test whether a browser supports a given HTTP security mechanism. The test server notifies the browser to use the HTTP security mechanism under test by sending the security header, judges whether the browser's handling of a network service used that HTTP security mechanism, and determines from the result whether the browser supports the HTTP security mechanism under test. This provides a method of testing browsers automatically and reduces manual work. Whether the browser supports the HTTP security mechanism under test can be determined from how the browser handles the network service, so the result is accurate and the time needed for testing is short. The test server can judge whether the browser requested a network service using the HTTP security mechanism according to the principle by which the HTTP security mechanism under test achieves its protection, which makes the judgement more accurate.
It should be noted that not all steps and modules in the flows and system structure diagrams above are necessary; some steps or modules can be omitted according to actual needs. The order in which the steps are executed is not fixed and can be adjusted as needed. The system architecture described in the embodiments above can be a physical structure or a logical structure; that is, some modules may be implemented by the same physical entity, some modules may be implemented separately by several physical entities, or modules may be implemented jointly by components in several independent devices.
In the embodiments above, a hardware unit can be implemented mechanically or electrically. For example, a hardware unit can include permanent dedicated circuits or logic (such as a dedicated processor, FPGA or ASIC) to complete the corresponding operations. A hardware unit can also include programmable logic or circuits (such as a general-purpose processor or other programmable processor) that is temporarily configured by software to complete the corresponding operations. The specific implementation (mechanical, dedicated permanent circuit, or temporarily configured circuit) can be decided on the basis of cost and time considerations.
The present invention has been shown and explained in detail above with reference to the drawings and preferred embodiments, but the invention is not limited to the embodiments disclosed. On the basis of the several embodiments above, a person skilled in the art can combine the means of the different embodiments to obtain further embodiments of the present invention, and these embodiments also fall within the scope of protection of the present invention.
Claims (25)
- 1. A test method for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism, characterised in that it comprises: sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism; judging whether the browser (104) processes a network service (106) using the HTTP security mechanism; and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism.
- 2. The method of claim 1, characterised in that the HTTP security mechanism is one by which a browser requests a network service only in a specified way; the security header is specifically used to configure the way in which the browser (104) requests the network service (106); judging whether the browser (104) processes a network service (106) using the HTTP security mechanism comprises: judging whether the browser (104) requests the network service (106) in the way specified by the security header; and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism comprises: if the browser (104) requests the network service (106) in the way specified by the security header, determining that the browser (104) supports the HTTP security mechanism; otherwise, determining that the browser (104) does not support the HTTP security mechanism.
- 3. The method of claim 2, characterised in that the HTTP security mechanism is one by which a browser requests a network service only over HTTPS (Hypertext Transfer Protocol Secure); the security header is an HTTP Strict Transport Security (HSTS) header, specifically used to configure the browser (104) to request the network service (106) only over HTTPS; sending a security header to the browser (104) comprises: controlling the network service (106) to send an HSTS header in response to an HTTP request from the browser (104); and judging whether the browser (104) requests the network service (106) in the way specified by the security header comprises: judging whether the browser (104) requests the network service (106) over HTTPS after receiving the HSTS header.
- 4. The method of claim 2, characterised in that the HTTP security mechanism is one by which a browser displays the content of a network service in a specified way; the security header is an X-Content-Type-Options header, specifically used to configure the browser (104) to display the content of the network service (106) in a specified way; and judging whether the browser (104) requests the network service (106) in the way specified by the security header comprises: judging whether the browser (104) displays the content of the network service (106) in the way specified in the X-Content-Type-Options header.
- 5. The method of claim 1, characterised in that the HTTP security mechanism is one that prohibits a browser from requesting a network service; the security header is specifically used to configure the browser (104) to refrain from requesting the network service (106) as the HTTP security mechanism prescribes; judging whether the browser (104) processes a network service (106) using the HTTP security mechanism comprises: judging whether the browser (104) requests the network service (106); and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism comprises: if the browser (104) requests the network service (106), determining that the browser (104) does not support the HTTP security mechanism; otherwise, determining that the browser (104) supports the HTTP security mechanism.
- 6. The method of claim 5, characterised in that the HTTP security mechanism is one that allows a browser to access a network service only when it uses a group of public key pins agreed in advance; the security header is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the group of public key pins that the browser (104) may use when requesting another network service other than the network service (106), wherein the other network service has the same domain name as the network service (106) but a different Internet Protocol (IP) address; and judging whether the browser (104) requests the network service (106) comprises: judging whether the browser (104) requests the network service (106) when it is redirected to the network service (106).
- 7. The method of claim 5, characterised in that the HTTP security mechanism is one that prohibits a browser from accessing a web page embedded in another web page; the security header is X-Frame-Options, specifically used to configure the browser (104) to prohibit access to embedded web pages; the network service (106) is a web page embedded in another web page; and judging whether the browser (104) requests the network service (106) comprises: judging whether the browser (104) requests the network service (106) when accessing a web page in which the network service (106) is embedded.
- 8. The method of claim 5, characterised in that the HTTP security mechanism is one by which a browser executes only script files from specified sites; the security header is a Content Security Policy (CSP) header, specifically used to configure the sites whose script files the browser (104) may execute; the network service (106) is a script file that does not belong to the sites specified by the CSP header; and judging whether the browser (104) requests the network service (106) comprises: judging whether the browser (104) executes the script file that is the network service (106).
- 9. The method of claim 5, characterised in that the HTTP security mechanism is one that prohibits a browser from executing a cross-site script; the security header is an X-XSS-Protection header, specifically used to configure the browser (104) to prohibit execution of cross-site scripts; and judging whether the browser (104) requests the network service (106) comprises: judging whether the browser (104) requests the network service (106) when the content of a network response it receives includes a cross-site script and the cross-site script instructs the browser (104) to request the network service (106).
- 10. The method of any one of claims 1 to 9, characterised in that before sending the security header to the browser (104), it further comprises: receiving a test request from the browser (104), wherein the test request is used to request that the browser (104) be tested for support of the HTTP security mechanism.
- 11. A test device (70) for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism, characterised in that it comprises: a sending module (701) for sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism; and a processing module (702) for judging whether the browser (104) processes a network service (106) using the HTTP security mechanism, and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism.
- 12. The device (70) of claim 11, characterised in that the HTTP security mechanism is one by which a browser requests a network service only in a specified way; the security header sent by the sending module (701) is specifically used to configure the way in which the browser (104) requests the network service (106); and the processing module (702) is specifically used to: judge whether the browser (104) requests the network service (106) in the way specified by the security header, and, if the browser (104) requests the network service (106) in the way specified by the security header, determine that the browser (104) supports the HTTP security mechanism; otherwise, determine that the browser (104) does not support the HTTP security mechanism.
- 13. The device (70) of claim 12, characterised in that the HTTP security mechanism is one by which a browser requests a network service only over HTTPS (Hypertext Transfer Protocol Secure); the security header sent by the sending module (701) is an HTTP Strict Transport Security (HSTS) header, specifically used to configure the browser (104) to request the network service (106) only over HTTPS; the sending module (701) is specifically used to control the network service (106) to send an HSTS header in response to an HTTP request from the browser (104); and the processing module (702) is specifically used to judge whether the browser (104) requests the network service (106) over HTTPS after receiving the HSTS header.
- 14. The device (70) of claim 12, characterised in that the HTTP security mechanism is one by which a browser displays the content of a network service in a specified way; the security header sent by the sending module (701) is an X-Content-Type-Options header, specifically used to configure the browser (104) to display the content of the network service (106) in a specified way; and the processing module (702) is specifically used to judge whether the browser (104) displays the content of the network service (106) in the way specified in the X-Content-Type-Options header.
- 15. The device (70) of claim 11, characterised in that the HTTP security mechanism is one that prohibits a browser from requesting a network service; the security header sent by the sending module (701) is specifically used to configure the browser (104) to refrain from requesting the network service (106) as the HTTP security mechanism prescribes; and the processing module (702) is specifically used to: judge whether the browser (104) requests the network service (106), and, if the browser (104) requests the network service (106), determine that the browser (104) does not support the HTTP security mechanism; otherwise, determine that the browser (104) supports the HTTP security mechanism.
- 16. The device (70) of claim 15, characterised in that the HTTP security mechanism is one that allows a browser to access a network service only when it uses a group of public key pins agreed in advance; the security header sent by the sending module (701) is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the group of public key pins that the browser (104) may use when requesting another network service other than the network service (106), wherein the other network service has the same domain name as the network service (106) but a different Internet Protocol (IP) address; and the processing module (702) is specifically used to judge whether the browser (104) requests the network service (106) when it is redirected to the network service (106).
- 17. The device (70) of claim 15, characterised in that the HTTP security mechanism is one that prohibits a browser from accessing a web page embedded in another web page; the security header sent by the sending module (701) is X-Frame-Options, specifically used to configure the browser (104) to prohibit access to embedded web pages; the network service (106) is a web page embedded in another web page; and the processing module (702) is specifically used to judge whether the browser (104) requests the network service (106) when accessing a web page in which the network service (106) is embedded.
- 18. The device (70) of claim 15, characterised in that the HTTP security mechanism is one by which a browser executes only script files from specified sites; the security header sent by the sending module (701) is a Content Security Policy (CSP) header, specifically used to configure the sites whose script files the browser (104) may execute; the network service (106) is a script file that does not belong to the sites specified by the CSP header; and the processing module (702) is specifically used to judge whether the browser (104) executes the script file that is the network service (106).
- 19. The device (70) of claim 15, characterised in that the HTTP security mechanism is one that prohibits a browser from executing a cross-site script; the security header sent by the sending module (701) is an X-XSS-Protection header, specifically used to configure the browser (104) to prohibit execution of cross-site scripts; and the processing module (702) is specifically used to judge whether the browser (104) requests the network service (106) when the content of a network response it receives includes a cross-site script and the cross-site script instructs the browser (104) to request the network service (106).
- 20. The device (70) of any one of claims 11 to 19, characterised in that it further comprises: a receiving module (703) for receiving, before the sending module (701) sends the security header to the browser (104), a test request from the browser (104), wherein the test request is used to request that the browser (104) be tested for support of the HTTP security mechanism.
- 21. A test device (80) for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism, characterised in that it comprises: a memory (801) for storing computer instructions; and a processor (802) for calling the computer instructions to perform the method of any one of claims 1 to 10.
- 22. A test method for testing whether a browser (104) supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms, characterised in that it comprises: sending a test script file to the browser (104), wherein the test script file is used to control the testing of whether the browser (104) supports each of the at least two HTTP security mechanisms; receiving the test requests sent separately by the browser (104) for each of the at least two HTTP security mechanisms; and after each test request is received, performing the following operations: in response to the test request, sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism targeted by the test request; judging whether the browser (104) processes a network service (106) using the HTTP security mechanism targeted by the test request; and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism targeted by the test request.
- 23. A test device (90) for testing whether a browser (104) supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms, characterised in that it comprises: a sending module (901) for sending a test script file to the browser (104), wherein the test script file is used to control the testing of whether the browser (104) supports each of the at least two HTTP security mechanisms; a receiving module (903) for receiving the test requests sent separately by the browser (104) for each of the at least two HTTP security mechanisms; and a processing module (902) for performing the following operations after the receiving module (903) receives each test request: in response to the test request, controlling the sending module (901) to send a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism targeted by the test request; judging whether the browser (104) processes a network service (106) using the HTTP security mechanism targeted by the test request; and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism targeted by the test request.
- A kind of a kind of 24. test device (100), for testing whether a browser (104) supports HTTP HTTP security mechanisms, it is characterised in that including:One memory (1001), for storing computer instruction;One processor (1002), for calling the computer instruction to perform method as claimed in claim 23.
- 25. a kind of computer-readable medium, computer instruction is stored with the computer-readable medium, it is characterised in that institute Computer instruction is stated when by a computing device, makes any one of described computing device claim 1~10 or right will Seek the method described in 22.
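The server side of the flow claimed in claims 17 through 22, written here as an added example; it is not the patent's own code. It answers each test request with the matching security header and a page that references a network service, records whether the browser then reaches that service, and judges support only once the test request has been seen (claim 20). The class name, the `/test`, `/service` and `/beacon` paths, the header values, the `XSS_PROBE` string and the simulated browser are all constructed for this example. One design choice goes beyond the claim text: because browsers fetch a framed document before refusing to render it, the X-Frame-Options case is judged by a beacon inside the frame rather than by the frame request itself.

```python
"""Security-header support tester (claims 17-22), added example.
Requests are dispatched in memory so the flow runs without a socket."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

Response = Tuple[int, Dict[str, str], str]

# Header sent for each mechanism (claims 17-19); the values are this
# example's choice, the patent does not fix them.
SECURITY_HEADERS = {
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "csp": ("Content-Security-Policy", "script-src 'self'"),
    "x-xss-protection": ("X-XSS-Protection", "1; mode=block"),
}
# Constructed probe for claim 19: a reflected-XSS filter engages only when the
# same script appears in the request URL and the response body, so the server
# echoes exactly this constant and never arbitrary query input.
XSS_PROBE = '<script src="/service/x-xss-protection"></script>'
SRC_RE = re.compile(r'src="([^"]+)"')


@dataclass
class HeaderSupportTester:
    """Records test requests (claim 20) and network-service requests, then
    judges support for each mechanism from what the browser did."""
    test_received: Dict[str, bool] = field(default_factory=dict)
    service_requested: Dict[str, bool] = field(default_factory=dict)

    def handle(self, url: str) -> Response:
        """Dispatch /test/<mech>, /service/<mech> and the frame beacon.
        Routing is by path only; in a deployment the service is cross-origin."""
        parts = urlparse(url)
        segments = parts.path.strip("/").split("/")
        if len(segments) != 2 or segments[1] not in SECURITY_HEADERS:
            return 404, {"Content-Type": "text/plain"}, "unknown test"
        kind, mech = segments
        if kind == "test":
            return self._test_page(mech, parse_qs(parts.query))
        if kind == "service":
            return self._service(mech)
        if kind == "beacon" and mech == "x-frame-options":
            self.service_requested[mech] = True  # the frame actually rendered
            return 204, {}, ""
        return 404, {"Content-Type": "text/plain"}, "unknown test"

    def _test_page(self, mech: str, query: Dict[str, List[str]]) -> Response:
        """Claim 22: answer the test request with the security header and a
        page that makes the browser touch the service unless it honours it."""
        self.test_received[mech] = True
        name, value = SECURITY_HEADERS[mech]
        headers = {"Content-Type": "text/html", name: value}
        if mech == "x-frame-options":
            body = '<iframe src="/service/x-frame-options"></iframe>'
        elif mech == "csp":
            # Third-party origin, so script-src 'self' should block it.
            body = '<script src="https://third-party.example/service/csp"></script>'
        else:
            reflected = XSS_PROBE if query.get("probe") == [XSS_PROBE] else ""
            body = "<p>results</p>" + reflected
        return 200, headers, body

    def _service(self, mech: str) -> Response:
        """The network service (106).  Browsers fetch a framed document before
        refusing to render it, so X-Frame-Options is judged by the beacon."""
        if mech == "x-frame-options":
            name, value = SECURITY_HEADERS[mech]
            headers = {"Content-Type": "text/html", name: value}
            return 200, headers, '<img src="/beacon/x-frame-options">'
        self.service_requested[mech] = True
        return 200, {"Content-Type": "application/javascript"}, "/* ran */"

    def supports(self, mech: str) -> Optional[bool]:
        """None until the test request arrived; otherwise supported iff the
        browser never reached the service (last two steps of claim 22)."""
        if not self.test_received.get(mech):
            return None
        return not self.service_requested.get(mech, False)


def simulate_browser(tester: HeaderSupportTester, honoured: Set[str]) -> Dict[str, Optional[bool]]:
    """Constructed stand-in for the browser under test: it follows src="..."
    references and skips a fetch only for mechanisms it honours."""
    def load(url: str, mech: str) -> None:
        _, headers, body = tester.handle(url)
        enforce = mech in honoured and SECURITY_HEADERS[mech][0] in headers
        if enforce and mech == "x-frame-options" and url.startswith("/service"):
            return  # framed document fetched but not rendered: no beacon
        for src in SRC_RE.findall(body):
            if enforce and mech != "x-frame-options":
                continue  # script blocked by CSP or by the XSS filter
            load(src, mech)

    for mech in SECURITY_HEADERS:
        url = f"/test/{mech}"
        if mech == "x-xss-protection":
            url += "?" + urlencode({"probe": XSS_PROBE})
        load(url, mech)
    return {mech: tester.supports(mech) for mech in SECURITY_HEADERS}
```

`supports()` returns `None` rather than `True` when no test request was ever received, so a browser that never loaded the test page is not mistaken for one that enforced the header; a real harness would also bound the wait between the test request and the judgement.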
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610826842.1A CN107819639B (en) | 2016-09-14 | 2016-09-14 | Test method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610826842.1A CN107819639B (en) | 2016-09-14 | 2016-09-14 | Test method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107819639A true CN107819639A (en) | 2018-03-20 |
CN107819639B CN107819639B (en) | 2021-12-24 |
Family
ID=61601005
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610826842.1A Active CN107819639B (en) | 2016-09-14 | 2016-09-14 | Test method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107819639B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108650257A (en) * | 2018-05-09 | 2018-10-12 | 腾讯音乐娱乐科技(深圳)有限公司 | Safety detection setting method, device and storage medium based on web site contents |
CN110278207A (en) * | 2019-06-21 | 2019-09-24 | 深圳前海微众银行股份有限公司 | Click hijacking vulnerability detection method and device and computer equipment |
CN110958316A (en) * | 2019-11-29 | 2020-04-03 | 北京丁牛科技有限公司 | Historical record obtaining method and device |
CN108540674B (en) * | 2018-03-22 | 2020-12-29 | 平安科技(深圳)有限公司 | Automatic testing method and device, computer equipment and storage medium |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101478755A (en) * | 2009-01-21 | 2009-07-08 | 中兴通讯股份有限公司 | Network security HTTP negotiation method and related apparatus |
EP2430792A2 (en) * | 2009-05-14 | 2012-03-21 | Microsoft Corporation | Http-based authentication |
CN102480490A (en) * | 2010-11-30 | 2012-05-30 | 国际商业机器公司 | Method for preventing CSRF attack and equipment thereof |
US20120291129A1 (en) * | 2011-05-13 | 2012-11-15 | Amichai Shulman | Detecting web browser based attacks using browser digest compute tests launched from a remote source |
CN103117897A (en) * | 2013-01-25 | 2013-05-22 | 北京星网锐捷网络技术有限公司 | Method and related device for detecting messages including Cookie information |
CN103390026A (en) * | 2013-06-20 | 2013-11-13 | 中国软件与技术服务股份有限公司 | Mobile intelligent terminal security browser and working method thereof |
US8683193B1 (en) * | 2013-03-01 | 2014-03-25 | Robert Hansen | Strict communications transport security |
US20140337614A1 (en) * | 2013-05-07 | 2014-11-13 | Imperva, Inc. | Selective modification of encrypted application layer data in a transparent security gateway |
CN104573547A (en) * | 2014-10-21 | 2015-04-29 | 江苏通付盾信息科技有限公司 | Information interaction safety protection system and operation realization method thereof |
US9106661B1 (en) * | 2012-04-11 | 2015-08-11 | Artemis Internet Inc. | Computing resource policy regime specification and verification |
CN105187406A (en) * | 2015-08-14 | 2015-12-23 | 安徽新华博信息技术股份有限公司 | Man in the middle monitoring system adopting configurable way for HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) |
- 2016-09-14 CN CN201610826842.1A patent/CN107819639B/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101478755A (en) * | 2009-01-21 | 2009-07-08 | 中兴通讯股份有限公司 | Network security HTTP negotiation method and related apparatus |
EP2383931A1 (en) * | 2009-01-21 | 2011-11-02 | ZTE Corporation | Network security hypertext transfer protocol negotiation method and correlated devices |
EP2430792A2 (en) * | 2009-05-14 | 2012-03-21 | Microsoft Corporation | Http-based authentication |
CN102480490A (en) * | 2010-11-30 | 2012-05-30 | 国际商业机器公司 | Method for preventing CSRF attack and equipment thereof |
US20120291129A1 (en) * | 2011-05-13 | 2012-11-15 | Amichai Shulman | Detecting web browser based attacks using browser digest compute tests launched from a remote source |
US9106661B1 (en) * | 2012-04-11 | 2015-08-11 | Artemis Internet Inc. | Computing resource policy regime specification and verification |
CN103117897A (en) * | 2013-01-25 | 2013-05-22 | 北京星网锐捷网络技术有限公司 | Method and related device for detecting messages including Cookie information |
US8683193B1 (en) * | 2013-03-01 | 2014-03-25 | Robert Hansen | Strict communications transport security |
US20140337614A1 (en) * | 2013-05-07 | 2014-11-13 | Imperva, Inc. | Selective modification of encrypted application layer data in a transparent security gateway |
CN103390026A (en) * | 2013-06-20 | 2013-11-13 | 中国软件与技术服务股份有限公司 | Mobile intelligent terminal security browser and working method thereof |
CN104573547A (en) * | 2014-10-21 | 2015-04-29 | 江苏通付盾信息科技有限公司 | Information interaction safety protection system and operation realization method thereof |
CN105187406A (en) * | 2015-08-14 | 2015-12-23 | 安徽新华博信息技术股份有限公司 | Man in the middle monitoring system adopting configurable way for HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) |
Non-Patent Citations (1)
Title |
---|
J. Hodges, "HTTP Strict Transport Security (HSTS)", IETF RFC 6797, ISSN 2070-1721, https://tools.ietf.org/html/rfc6797 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108540674B (en) * | 2018-03-22 | 2020-12-29 | 平安科技(深圳)有限公司 | Automatic testing method and device, computer equipment and storage medium |
CN108650257A (en) * | 2018-05-09 | 2018-10-12 | 腾讯音乐娱乐科技(深圳)有限公司 | Safety detection setting method, device and storage medium based on web site contents |
CN108650257B (en) * | 2018-05-09 | 2021-02-02 | 腾讯音乐娱乐科技(深圳)有限公司 | Security detection setting method and device based on website content and storage medium |
CN110278207A (en) * | 2019-06-21 | 2019-09-24 | 深圳前海微众银行股份有限公司 | Click hijacking vulnerability detection method and device and computer equipment |
CN110278207B (en) * | 2019-06-21 | 2023-04-07 | 深圳前海微众银行股份有限公司 | Click hijacking vulnerability detection method and device and computer equipment |
CN110958316A (en) * | 2019-11-29 | 2020-04-03 | 北京丁牛科技有限公司 | Historical record obtaining method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107819639B (en) | 2021-12-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Li et al. | Security issues in OAuth 2.0 SSO implementations | |
Stuttard et al. | The web application hacker's handbook: Finding and exploiting security flaws | |
Li et al. | Analysing the Security of Google’s implementation of OpenID Connect | |
Drakonakis et al. | The cookie hunter: Automated black-box auditing for web authentication and authorization flaws | |
Doerfler et al. | Evaluating login challenges as a defense against account takeover | |
EP2810208B1 (en) | Efficiently throttling user authentication | |
US20090216795A1 (en) | System and method for detecting and blocking phishing attacks | |
CN107819639A (en) | A kind of method of testing and device | |
CN107436873A (en) | A kind of network address jump method, device and transferring device | |
Sivakorn et al. | That's the way the Cookie crumbles: Evaluating HTTPS enforcing mechanisms | |
US20210083881A1 (en) | Dynamically analyzing third-party application website certificates across users to detect malicious activity | |
Kaur et al. | Browser fingerprinting as user tracking technology | |
Jammalamadaka et al. | Delegate: A proxy based architecture for secure website access from an untrusted machine | |
Franken et al. | Exposing cookie policy flaws through an extensive evaluation of browsers and their extensions | |
US10803164B2 (en) | Validating sign-out implementation for identity federation | |
Rocchetto et al. | Model-based detection of CSRF | |
Sudhodanan et al. | Pre-hijacked accounts: an empirical study of security failures in user account creation on the web | |
CN109729045A (en) | Single-point logging method, system, server and storage medium | |
US11853109B1 (en) | Securely manipulating and utilizing user credentials | |
Mainka et al. | Automatic recognition, processing and attacking of single sign-on protocols with burp suite | |
CN107294917A (en) | One kind trusts login method and device | |
Wang et al. | A framework for formal analysis of privacy on SSO protocols | |
CN112929388B (en) | Network identity cross-device application rapid authentication method and system, and user agent device | |
CN107168980A (en) | Page display method and device | |
CN114095483A (en) | Password substitution filling method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||