CN107819639A - A testing method and device - Google Patents


Info

Publication number
CN107819639A
Authority
CN
China
Prior art keywords
browser
network service
http
test
security mechanisms
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610826842.1A
Other languages
Chinese (zh)
Other versions
CN107819639B (en)
Inventor
万朔
李锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG
Priority to CN201610826842.1A
Publication of CN107819639A
Application granted
Publication of CN107819639B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

Embodiments of the present invention relate to the field of network protocols, and in particular to a testing method and device for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism. In the method, a test request is first received, and a security header is then sent to the browser (104), where the security header is used to configure the browser (104) to use the HTTP security mechanism; it is judged whether the browser (104) handles a network service (106) using the HTTP security mechanism; and according to the result of the judgement it is determined whether the browser (104) supports the HTTP security mechanism. This provides a method for testing a browser automatically and reduces manual operation. Whether a browser supports an HTTP security mechanism is determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.

Description

A testing method and device
Technical field
The present invention relates to the field of network protocols, and in particular to a testing method and device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism.
Background
HTTP is an important transport layer protocol; it controls the transmission and processing of HTTP messages through the control information in the message header.
One of the key functions of the header is to implement security-related processing. The part of the header used to implement security-related processing is referred to as a "security header" (secure header).
There are many types of HTTP security header, for example: the HTTP Strict Transport Security (HSTS) header, the HTTP Public Key Pinning Extension (HPKP) header, the X-Frame-Options header, the cross-site scripting protection (X-XSS-Protection) header, the X-Content-Type-Options header and the Content-Security-Policy (CSP) header. The HTTP security mechanisms are the mechanisms implemented by these security headers.
To implement any one of the above HTTP security mechanisms, a developer not only has to make the relevant settings on the server; the browser on the client also has to support that HTTP security mechanism. Because HTTP security mechanisms are updated frequently, most browsers, and earlier versions in particular, cannot support all HTTP security mechanisms.
Therefore, how to determine whether a browser supports an HTTP security mechanism is an urgent problem to be solved.
Summary of the invention
In view of this, embodiments of the present invention provide a testing method and device for testing whether a browser supports an HTTP security mechanism.
In a first aspect, an embodiment of the present invention provides a testing method for testing whether a browser supports an HTTP security mechanism. The method can be performed by a test server. When the test server tests a browser, it can send a security header to the browser, the security header being used to configure the browser to use the HTTP security mechanism under test; the test server judges whether the browser handles a network service using the HTTP security mechanism, and determines according to the result of the judgement whether the browser supports the HTTP security mechanism.
This scheme can effectively test whether a browser supports an HTTP security mechanism. The test server notifies the browser to use the HTTP security mechanism under test by sending it a security header, judges whether the browser's handling of a network service uses that HTTP security mechanism, and determines from the judgement whether the browser supports the mechanism under test. This provides a method for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test can be determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.
The test server can judge, according to the principle by which the HTTP security mechanism under test provides its protection, whether the browser requested a network service using that HTTP security mechanism. The judgement the test server obtains is thereby more accurate.
Some HTTP security mechanisms require the browser to request a network service in a specified manner; these HTTP security mechanisms are classified here as "type one". Other HTTP security mechanisms require the browser to refrain from requesting a network service; these HTTP security mechanisms are classified here as "type two".
For both type one and type two, the test server indicates through the security header which HTTP security mechanism the browser should use, deploys a network service, and judges from the browser's handling of that network service whether the browser supports the HTTP security mechanism, which provides an effective testing scheme.
For type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header is specifically used to configure the manner in which the browser requests the network service; the test server judges whether the browser requests the network service in the manner specified by the security header; if the browser requests the network service in the manner specified by the security header, the test server determines that the browser supports the HTTP security mechanism; otherwise, the test server determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism may be that a browser requests a network service only over Hypertext Transfer Protocol Secure (HTTPS); the security header is the HTTP Strict Transport Security (HSTS) header, which is specifically used to configure the browser to request the network service only over HTTPS. The test server controls the network service to send an HSTS header in response to an HTTP request from the browser, and judges whether the browser requests the network service over HTTPS after receiving the HSTS header; if the browser requests the network service over HTTPS, it is determined that the browser supports the HTTP security mechanism; otherwise, it is determined that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism may be that a browser displays the content of a network service in a specified manner; the security header is the X-Content-Type-Options header, which is specifically used to configure the browser to display the content of the network service in a specific manner. The test server judges whether the browser displays the content of the network service in the manner specified in the X-Content-Type-Options header; if it does, it is determined that the browser supports the HTTP security mechanism; otherwise, it is determined that the browser does not support the HTTP security mechanism.
For type two, the HTTP security mechanism is that a browser is forbidden from requesting a network service; the security header is specifically used to configure the browser to refrain from requesting the network service according to the HTTP security mechanism; the test server judges whether the browser requested the network service; if the browser requested the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism may be that a browser is allowed to access a network service only using a pre-agreed set of public key pins; the security header is the HTTP Public Key Pinning Extension (HPKP) header, which is specifically used to configure the set of public key pins the browser may use when requesting another network service distinct from the network service, where the other network service has the same domain name as the network service but a different Internet Protocol address. The test server judges whether the browser requested the network service when redirected to it; if the browser requested the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from accessing a web page embedded in another web page; the security header is X-Frame-Options, which is specifically used to configure the browser to forbid access to embedded web pages; the network service is a web page embedded in another web page.
The test server judges whether the browser requested the network service when accessing a web page in which the network service is embedded; if the browser requested the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism may be that a browser executes only the script files of a specified website; the security header is the Content-Security-Policy (CSP) header, which is specifically used to configure the website whose script files the browser may execute; the network service is a script file that does not belong to the website specified by the CSP header. The test server judges whether the browser executes the script file serving as the network service; if the browser executes the script file, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from executing a cross-site script; the security header is the X-XSS-Protection header, which is specifically used to configure the browser to forbid execution of a cross-site script. The test server judges whether the browser requested the network service when the content of the response to a network request received by the browser contains a cross-site script and that cross-site script instructs the browser to request the network service; if the browser requested the network service, it is determined that the browser does not support the HTTP security mechanism; otherwise, it is determined that the browser supports the HTTP security mechanism.
Optionally, before the test server sends the security header to the browser, it receives a test request from the browser, where the test request is used to request a test of whether the browser supports the HTTP security mechanism.
In this optional implementation, the test of an HTTP security mechanism is started by the browser.
In a second aspect, an embodiment of the present invention provides a test device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism, comprising: a sending module for sending a security header to the browser, where the security header is used to configure the browser to use the HTTP security mechanism; and a processing module for judging whether the browser handles a network service using the HTTP security mechanism and for determining, according to the result of the judgement, whether the browser supports the HTTP security mechanism.
This scheme can effectively test whether a browser supports an HTTP security mechanism. The device notifies the browser to use the HTTP security mechanism under test by sending it a security header, judges whether the browser's handling of a network service uses that HTTP security mechanism, and determines from the judgement whether the browser supports the mechanism under test. This provides a scheme for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test can be determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.
The device can judge, according to the principle by which the HTTP security mechanism under test provides its protection, whether the browser handles a network service using that HTTP security mechanism. The judgement so obtained is more accurate.
Some HTTP security mechanisms require the browser to request a network service in a specified manner; these HTTP security mechanisms are classified here as "type one". Other HTTP security mechanisms require the browser to refrain from requesting a network service; these HTTP security mechanisms are classified here as "type two".
For both type one and type two, the device indicates through the security header which HTTP security mechanism the browser should use, deploys a network service, and judges from the browser's handling of that network service whether the browser supports the HTTP security mechanism, which provides an effective testing scheme.
For type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header is specifically used to configure the manner in which the browser requests the network service; the device judges whether the browser requests the network service in the manner specified by the security header; if the browser requests the network service in the manner specified by the security header, the device determines that the browser supports the HTTP security mechanism; otherwise, it determines that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header sent by the sending module is specifically used to configure the manner in which the browser requests the network service; and the processing module is specifically used to judge whether the browser requests the network service in the manner specified by the security header, to determine that the browser supports the HTTP security mechanism if it does, and otherwise to determine that the browser does not support the HTTP security mechanism.
Specifically, for type one, the HTTP security mechanism may be that a browser requests a network service only over Hypertext Transfer Protocol Secure (HTTPS); the security header sent by the sending module is the HTTP Strict Transport Security (HSTS) header, which is specifically used to configure the browser to request the network service only over HTTPS; the sending module is specifically used to control the network service to send an HSTS header in response to an HTTP request from the browser; and the processing module is specifically used to judge whether the browser requests the network service over HTTPS after receiving the HSTS header.
Specifically, for type one, the HTTP security mechanism may be that a browser displays the content of a network service in a specified manner; the security header sent by the sending module is the X-Content-Type-Options header, which is specifically used to configure the browser to display the content of the network service in a specific manner; and the processing module is specifically used to judge whether the browser displays the content of the network service in the manner specified in the X-Content-Type-Options header.
For type two, the HTTP security mechanism is that a browser is forbidden from requesting a network service; the security header sent by the sending module is specifically used to configure the browser to refrain from requesting the network service according to the HTTP security mechanism; and the processing module is specifically used to judge whether the browser requested the network service, to determine that the browser does not support the HTTP security mechanism if it did, and otherwise to determine that the browser supports the HTTP security mechanism.
Specifically, for type two, the HTTP security mechanism may be that a browser is allowed to access a network service only using a pre-agreed set of public key pins; the security header sent by the sending module is the HTTP Public Key Pinning Extension (HPKP) header, which is specifically used to configure the set of public key pins the browser may use when requesting another network service distinct from the network service, where the other network service has the same domain name as the network service but a different Internet Protocol address; and the processing module is specifically used to judge whether the browser requested the network service when redirected to it.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from accessing a web page embedded in another web page; the security header sent by the sending module is X-Frame-Options, which is specifically used to configure the browser to forbid access to embedded web pages, and the network service is a web page embedded in another web page; and the processing module is specifically used to judge whether the browser requested the network service when accessing a web page in which the network service is embedded.
Specifically, for type two, the HTTP security mechanism may be that a browser executes only the script files of a specified website; the security header sent by the sending module is the Content-Security-Policy (CSP) header, which is specifically used to configure the website whose script files the browser may execute, and the network service is a script file that does not belong to the website specified by the CSP header; and the processing module is specifically used to judge whether the browser executes the script file serving as the network service.
Specifically, for type two, the HTTP security mechanism may be that a browser is forbidden from executing a cross-site script; the security header sent by the sending module is the X-XSS-Protection header, which is specifically used to configure the browser to forbid execution of a cross-site script; and the processing module is specifically used to judge whether the browser requested the network service when the content of the response to a network request received by the browser contains a cross-site script and that cross-site script instructs the browser to request the network service.
Optionally, the device may further comprise a receiving module for receiving a test request from the browser before the sending module sends the security header to the browser, where the test request is used to request a test of whether the browser supports the HTTP security mechanism.
In a third aspect, an embodiment of the present invention provides a test device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism, comprising: a memory for storing computer instructions; and a processor for invoking the computer instructions to perform the method of the first aspect or of any possible implementation of the first aspect.
This scheme can effectively test whether a browser supports an HTTP security mechanism. The device notifies the browser to use the HTTP security mechanism under test by sending it a security header, judges whether the browser's handling of a network service uses that HTTP security mechanism, and determines from the judgement whether the browser supports the mechanism under test. This provides a scheme for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test can be determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.
The device can judge, according to the principle by which the HTTP security mechanism under test provides its protection, whether the browser requested a network service using that HTTP security mechanism. The judgement so obtained is more accurate.
In a fourth aspect, a testing method is provided for testing whether a browser supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms. The method can be performed by a test server. The test server sends a test script file to the browser, the test script file being used to control the testing of whether the browser supports each of the at least two HTTP security mechanisms. The test server receives from the browser a test request sent separately for each of the at least two HTTP security mechanisms, and after receiving each test request performs the following operations: in response to the test request, sending a security header to the browser, where the security header is used to configure the browser to use the HTTP security mechanism targeted by the test request; judging whether the browser handles a network service using the HTTP security mechanism targeted by the test request; and determining, according to the result of the judgement, whether the browser supports the HTTP security mechanism targeted by the test request.
This scheme can effectively test whether a browser supports an HTTP security mechanism. For any one of the at least two HTTP security mechanisms under test, the test server notifies the browser to use that HTTP security mechanism by sending it a security header, judges whether the browser's handling of a network service uses that HTTP security mechanism, and determines from the judgement whether the browser supports the mechanism under test. This provides a method for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test can be determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.
The test server can judge, according to the principle by which the HTTP security mechanism under test provides its protection, whether the browser requested a network service using that HTTP security mechanism. The judgement the test server obtains is thereby more accurate.
In addition, by sending the test script file to the browser, the test server configures the at least two HTTP security mechanisms under test. The browser then initiates, according to the test script file, a test for each of the HTTP security mechanisms in turn, and the test server tests each HTTP security mechanism separately. In this way the testing of multiple HTTP security mechanisms is carried out effectively and testing efficiency is higher.
In a fifth aspect, an embodiment of the present invention provides a test device for testing whether a browser supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms. The device comprises: a sending module for sending a test script file to the browser, the test script file being used to control the testing of whether the browser supports each of the at least two HTTP security mechanisms; a receiving module for receiving from the browser a test request sent separately for each of the at least two HTTP security mechanisms; and a processing module for performing the following operations after the receiving module receives each test request: in response to the test request, controlling the sending module to send a security header to the browser, where the security header is used to configure the browser to use the HTTP security mechanism targeted by the test request; judging whether the browser handles a network service using the HTTP security mechanism targeted by the test request; and determining, according to the result of the judgement, whether the browser supports the HTTP security mechanism targeted by the test request.
This scheme can effectively test whether a browser supports an HTTP security mechanism. For any one of the at least two HTTP security mechanisms under test, the device notifies the browser to use that HTTP security mechanism by sending it a security header, judges whether the browser's handling of a network service uses that HTTP security mechanism, and determines from the judgement whether the browser supports the mechanism under test. This provides a scheme for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test can be determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.
The device can judge, according to the principle by which the HTTP security mechanism under test provides its protection, whether the browser requested a network service using that HTTP security mechanism. The judgement so obtained is more accurate.
In addition, by sending the test script file to the browser, the device configures the at least two HTTP security mechanisms under test. The browser then initiates, according to the test script file, a test for each of the HTTP security mechanisms in turn, and the device tests each HTTP security mechanism separately. In this way the testing of multiple HTTP security mechanisms is carried out effectively and testing efficiency is higher.
In a sixth aspect, an embodiment of the present invention provides a test device for testing whether a browser supports a Hypertext Transfer Protocol (HTTP) security mechanism, comprising: a memory for storing computer instructions; and a processor for invoking the computer instructions to perform the method provided by the fourth aspect.
This scheme can effectively test whether a browser supports an HTTP security mechanism. For any one of the at least two HTTP security mechanisms under test, the device notifies the browser to use that HTTP security mechanism by sending it a security header, judges whether the browser's handling of a network service uses that HTTP security mechanism, and determines from the judgement whether the browser supports the mechanism under test. This provides a method for testing a browser automatically and reduces manual operation. Whether the browser supports the mechanism under test can be determined from how the browser handles the network service, so the judgement is accurate and the time required for testing is short.
The device can judge, according to the principle by which the HTTP security mechanism under test provides its protection, whether the browser requested a network service using that HTTP security mechanism. The judgement so obtained is more accurate.
In addition, by sending the test script file to the browser, the device configures the at least two HTTP security mechanisms under test. The browser then initiates, according to the test script file, a test for each of the HTTP security mechanisms in turn, and the device tests each HTTP security mechanism separately. In this way the testing of multiple HTTP security mechanisms is carried out effectively and testing efficiency is higher.
In a seventh aspect, an embodiment of the present invention provides a computer-readable medium on which computer instructions are stored, the computer instructions, when executed by a processor, performing the method provided by the first aspect or any possible implementation of the first aspect, or by the fourth aspect or any optional implementation of the fourth aspect.
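As an added illustration of the decision logic the method above describes (example code, not code from the patent), the following Python module models the test server's side of the test: it records each request the browser makes after the security header has gone out, treats a type-one mechanism as supported when the service was requested in the specified manner (for HSTS, over HTTPS) and a type-two mechanism as supported when the service was not requested before the wait timer of step S2036 expired, and runs several mechanisms in one session as the test script file does. The header values, the service path and the browser behaviour in demo() are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple

# Path of the deployed network service (106); a constructed value for this example.
SERVICE_PATH = "/service"


class Verdict(Enum):
    SUPPORTED = "supported"
    UNSUPPORTED = "unsupported"
    PENDING = "pending"  # nothing decisive observed yet (type two: timer still running)


# Security headers the test server sends at step S202 to configure the browser.
# The header names are the real ones; the values are constructed for this example.
TYPE_ONE: Dict[str, Tuple[str, str]] = {
    # requires the service to be requested in a specified manner (HTTPS only)
    "HSTS": ("Strict-Transport-Security", "max-age=600"),
}
TYPE_TWO: Dict[str, Tuple[str, str]] = {
    # require the browser to refrain from requesting the service
    "HPKP": ("Public-Key-Pins", 'pin-sha256="PLACEHOLDER_PIN"; max-age=600'),
    "X-Frame-Options": ("X-Frame-Options", "DENY"),
    "CSP": ("Content-Security-Policy", "script-src 'self'"),
    "X-XSS-Protection": ("X-XSS-Protection", "1; mode=block"),
}


@dataclass
class ServiceRequest:
    """One request the browser made to the test server."""
    path: str
    scheme: str  # "http" or "https"


@dataclass
class MechanismTest:
    """State of the S201-S205 test for a single HTTP security mechanism."""
    mechanism: str
    header_sent: bool = False
    requests: List[ServiceRequest] = field(default_factory=list)
    timer_expired: bool = False  # type two: set when the wait timer (S2036) runs out

    def security_header(self) -> Tuple[str, str]:
        """S202: the header to send in response to the test request."""
        table = TYPE_ONE if self.mechanism in TYPE_ONE else TYPE_TWO
        if self.mechanism not in table:
            raise ValueError(f"unknown mechanism {self.mechanism!r}")
        self.header_sent = True
        return table[self.mechanism]

    def record_request(self, path: str, scheme: str) -> None:
        """Called by the test server for every request from the browser. Requests
        seen before the header went out only trigger the test, so they are ignored."""
        if self.header_sent:
            self.requests.append(ServiceRequest(path, scheme))

    def judge(self) -> Verdict:
        """S203-S205: decide from how the browser treated the network service."""
        hits = [r for r in self.requests if r.path == SERVICE_PATH]
        if self.mechanism in TYPE_ONE:
            # Type one: supported only if every request for the service used the
            # manner the header specified (for HSTS: the https scheme).
            if not hits:
                return Verdict.PENDING
            ok = all(r.scheme == "https" for r in hits)
            return Verdict.SUPPORTED if ok else Verdict.UNSUPPORTED
        # Type two: any request for the service proves non-support; silence until
        # the timer expires proves support.
        if hits:
            return Verdict.UNSUPPORTED
        return Verdict.SUPPORTED if self.timer_expired else Verdict.PENDING


class TestSession:
    """A multi-mechanism run of the kind the test script file drives (S601-S608)."""

    def __init__(self, mechanisms: List[str]) -> None:
        self.tests: Dict[str, MechanismTest] = {m: MechanismTest(m) for m in mechanisms}

    def handle_test_request(self, mechanism: str) -> Tuple[str, str]:
        """S201: a test request for one mechanism arrives; answer with its header."""
        return self.tests[mechanism].security_header()

    def results(self) -> Dict[str, str]:
        return {m: t.judge().value for m, t in self.tests.items()}


def demo() -> Dict[str, str]:
    """Constructed browser behaviour: honours HSTS, ignores CSP, honours X-Frame-Options."""
    session = TestSession(["HSTS", "CSP", "X-Frame-Options"])
    session.handle_test_request("HSTS")
    session.tests["HSTS"].record_request(SERVICE_PATH, "https")
    session.handle_test_request("CSP")
    session.tests["CSP"].record_request(SERVICE_PATH, "http")  # foreign script fetched
    session.handle_test_request("X-Frame-Options")
    session.tests["X-Frame-Options"].timer_expired = True  # framed page never fetched
    return session.results()


if __name__ == "__main__":
    print(demo())
```

Note that per RFC 6797 a browser only honours a Strict-Transport-Security header received over a secure transport, so a real test server must deliver the HSTS header over HTTPS before observing the browser's next request for the service.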
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a test system provided in an embodiment of the present invention;
Fig. 2 to Fig. 6 are flow charts of the test method provided in embodiments of the present invention;
Fig. 7 to Fig. 10 are schematic structural diagrams of test devices provided in embodiments of the present invention.
Reference numerals list:
10: Test system; 101: Host; 102: Test server; 103: Target server
104: Browser; 105: Test program; 106: Network service
S201: Receive test request; S202: Send security header
S203: Whether browser 104 employs the HTTP security mechanism
S204: Browser 104 supports the HTTP security mechanism; S205: Browser 104 does not support the HTTP security mechanism
S2011: HTTP security mechanism to be tested; S2031: Service request
S2032: Browser 104 requests network service 106 in the manner specified by the security header
S2033: Judgement result; S2034: Whether browser 104 supports the HTTP security mechanism
S2012: Test has started; S2035: Service request
S2036: Whether a service request was received before timer expiry; S2037: Judgement result
S2038: Whether browser 104 supports the HTTP security mechanism
S2039a: Service response; S2039b: Display the content of network service 106
S601: Test starts; S602: Test.js; S603: HSTS test request; S604: HSTS security header
S605: Service request; S606: XSS test request; S607: XSS security header; S608: Service request
70: Test device; 701: Sending module; 702: Processing module; 703: Receiving module
80: Test device; 801: Memory; 802: Processor; 901: Sending module
902: Processing module; 903: Receiving module; 100: Test device; 1001: Memory
1002: Processor
Embodiment
There are many kinds of browsers, and each browser may have multiple versions. When a network service is released, it is necessary to state clearly which browsers, or more precisely which versions of which browsers, support the HTTP security mechanism adopted by the network service. It is therefore necessary to test one or more browsers, and possibly multiple versions of one browser, to determine whether they support a certain HTTP security mechanism.
In the embodiment of the present invention, whether a browser supports an HTTP security mechanism is tested on the basis of the principle by which that HTTP security mechanism provides security protection. The device running the test program, for example a server, instructs a browser to use the HTTP security mechanism when requesting a network service (the network service may be deployed on that server or on another server), for example when the browser accesses the web page pointed to by a uniform resource locator (Uniform Resource Locator, URL). It then judges whether the browser performed the security protection prescribed by that HTTP security mechanism, and thereby judges whether the browser supports the HTTP security mechanism.
Below, the embodiment of the present invention is described in detail with reference to the accompanying drawings.
Fig. 1 shows a test system 10 provided in an embodiment of the present invention. Test system 10 may include a host 101, a test server 102 and a target server 103.
Browser 104 to be tested can be installed on host 101.
Test program 105 can be installed on test server 102 and performs the test method provided in the embodiment of the present invention, to test whether browser 104 supports an HTTP security mechanism. Test program 105 configures the HTTP security mechanism used by browser 104.
Network service 106 can be deployed on target server 103. Depending on the HTTP security mechanism, test program 105 can judge whether browser 104 supports the HTTP security mechanism according to whether browser 104 requests network service 106 on target server 103, and in some cases further according to the manner in which browser 104 requests network service 106.
Alternatively, test program 105 can monitor target server 103, or target server 103 notifies test program 105, so that test program 105 determines whether browser 104 has requested network service 106 and, in some cases, also learns whether browser 104 requested network service 106 using the HTTP security mechanism.
Alternatively, test server 102 and target server 103 can be Apache servers.
The system architecture of test system 10 shown in Fig. 1 is referred to as "system architecture one". Test system 10 also has other optional variants, which may include but are not limited to:
System architecture two:
Host 101 and test server 102 are the same device, and test program 105 runs on host 101. Target server 103 is a separate device.
System architecture three:
Test server 102 and target server 103 are the same device, and host 101 is a separate device.
Browser 104 is the browser to be tested; its type may include but is not limited to:
Internet Explorer (IE), Firefox (FF), Opera, Safari, Google Chrome, the Android browser, etc.
Browser 104 can be further divided by version; IE, for example, can be divided into IE6, IE8, IE10, etc., which are different versions of IE.
The HTTP security mechanisms supported by browsers of different kinds and versions are generally different. It is therefore necessary to test whether browser 104 supports an HTTP security mechanism.
Host 101 can be any device capable of running a browser, test server 102 can be any device capable of executing test program 105, and target server 103 can be any device on which a network service can be deployed. Host 101 can be a notebook computer, a tablet computer, a smartphone or other electronic equipment; it can also be a control instrument, industrial computer, monitoring device or similar equipment used in the industrial field. Test server 102 and target server 103 can be a personal computer (Personal Computer, PC), a server, a notebook computer or other electronic equipment; they can also be a control instrument, industrial computer, monitoring device or similar equipment used in the industrial field.
Test program 105 can be written in the JavaScript (JS) language. Test program 105 may include at least one program. The composition of test program 105 is described below in connection with the different system architectures of test system 10.
Network service 106 can be a web application. A network service is usually provided on the basis of an established network connection: a browser establishes a network connection with a server and then requests the network service on that server.
Fig. 2 shows a flow chart of the test method provided in an embodiment of the present invention. The test method can be performed by test program 105. As shown in Fig. 2, the method includes the following steps:
S201: Receive a test request from browser 104.
The test request requests a test of whether browser 104 supports an HTTP security mechanism.
S202: Send a security header to browser 104.
The security header configures browser 104 to use the HTTP security mechanism whose test was requested in step S201.
S203: Judge whether browser 104 uses the HTTP security mechanism in its processing of a network service 106.
If it is judged that browser 104 employed the HTTP security mechanism when processing network service 106, step S204 is performed; otherwise step S205 is performed.
S204: Determine that browser 104 supports the configured HTTP security mechanism.
S205: Determine that browser 104 does not support the configured HTTP security mechanism.
Step S201 is optional: test program 105 can directly send a security header to browser 104 to configure browser 104 to use an HTTP security mechanism, without browser 104 first initiating a test request.
Different HTTP security mechanisms realise security protection on different principles. In summary, they fall into the following two types:
Type one:
The HTTP security mechanism specifies the manner in which a browser requests a network service.
For example, the HSTS header specifies that the browser must request the network service over HTTPS.
As another example, the X-Content-Type-Options header specifies that the browser must display the content of the network service in a specified manner.
For type one, in the embodiment of the present invention, test program 105 judges whether browser 104 requests network service 106 in the manner specified by the security header. If browser 104 requests network service 106 in the manner specified by the security header, it is determined that browser 104 supports the corresponding HTTP security mechanism; otherwise it is determined that browser 104 does not support the corresponding HTTP security mechanism.
For type one, Fig. 3 shows the interaction between test program 105, browser 104 and network service 106 in the embodiment of the present invention.
For type one, any of the foregoing system architectures can be used. With system architecture three, test server 102 and target server 103 are the same device, so network service 106 is deployed on the same device as test program 105, or network service 106 is a part of test program 105.
After receiving the test request in step S201, test program 105 knows which HTTP security mechanism browser 104 is going to test. Before or while sending the security header in step S202, test program 105 can perform step S2011 to notify network service 106 which HTTP security mechanism the service request from browser 104 should follow.
Alternatively, after receiving the service request from browser 104 in step S2031, network service 106 performs step S2032 and judges whether browser 104 requests network service 106 in the manner specified by the security header. Network service 106 then performs step S2033 and notifies the judgement result of step S2032 to test program 105. Test program 105 can determine from the judgement result received in step S2033 whether browser 104 supports the HTTP security mechanism: if browser 104 requests network service 106 in the manner specified by the security header, it is determined that browser 104 supports the HTTP security mechanism; otherwise it is determined that browser 104 does not support it.
Or alternatively, in step S2032 network service 106 may only determine the manner in which browser 104 requests network service 106, and in step S2033 notify that manner to test program 105. Test program 105 then determines from the manner received in step S2033 whether browser 104 supports the HTTP security mechanism: if browser 104 requests network service 106 in the manner specified by the security header, it is determined that browser 104 supports the HTTP security mechanism; otherwise it is determined that browser 104 does not support it.
In step S2033, network service 106 can proactively notify test program 105 of the judgement result of step S2032 or of the manner in which browser 104 requests network service 106; or network service 106 stores the judgement result or the determined manner after performing step S2032 and sends it to test program 105 when it receives a result query from test program 105.
Type two:
The HTTP security mechanism forbids a browser from requesting a network service.
For example, HPKP forbids a browser from requesting a false network service that has the same domain name as the real network service but a different Internet Protocol (IP) address.
As another example, X-Frame-Options forbids a browser from accessing a web page embedded in another web page.
As another example, CSP forbids a browser from executing a script file from a non-designated domain.
As another example, X-XSS-Protection forbids a browser from executing a cross-site script.
For type two, in the embodiment of the present invention, the network service whose request is forbidden is network service 106. Test program 105 judges whether browser 104 requests network service 106: if browser 104 requests network service 106, it is determined that browser 104 does not support the HTTP security mechanism; otherwise it is determined that browser 104 supports the HTTP security mechanism under test.
For type two, Fig. 4 shows the interaction between test program 105, browser 104 and network service 106 in the embodiment of the present invention.
For type two, any of the foregoing system architectures can be used. With system architecture three, test program 105 and network service 106 are both deployed on the same device. Because test program 105 sends a security header to browser 104 after receiving the test request, it can also be regarded as a network service; with system architecture three it is therefore required that the network service corresponding to test program 105 has a different IP address from network service 106.
After receiving the test request in step S201, test program 105 knows which HTTP security mechanism browser 104 is going to test. Before or while sending the security header in step S202, test program 105 can notify network service 106 through step S2012 that the test has started. Network service 106 can start a timer after receiving the notification from test program 105. The timer length can be set according to the distance between browser 104 and network service 106 and between test program 105 and browser 104 in test system 10, the type of transmission line, and so on; the processing delay of browser 104 in handling the security header can also be considered. The length should be no less than the sum of the propagation delay between the devices and the processing delay of browser 104.
If browser 104 does not support the HTTP security mechanism under test, it can send a service request to network service 106 through step S2035. After receiving the service request, network service 106 can notify test program 105 through step S2037 that it has received the service request from browser 104, or directly notify test program 105 that browser 104 does not support the HTTP security mechanism under test.
If browser 104 supports the HTTP security mechanism under test, network service 106 will not receive a service request from browser 104 and the timer expires. Network service 106 judges through step S2036 whether a service request was received before the timer expired and, after the timer expires, notifies test program 105 through step S2037 that the timer has expired, or directly notifies test program 105 that browser 104 supports the HTTP security mechanism under test.
In step S2038, test program 105 determines from the judgement result received in step S2037 whether browser 104 supports the HTTP security mechanism under test. For example, if in step S2037 network service 106 indicates that it did not receive a service request from browser 104 before the timer expired, test program 105 determines that browser 104 supports the HTTP security mechanism under test; if in step S2037 network service 106 indicates that it received a service request from browser 104, test program 105 determines that browser 104 does not support the HTTP security mechanism under test.
For type two, alternatively, if network service 106 uses a timer and receives a service request from browser 104 before the timer expires, network service 106 expires the timer.
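The type-two decision logic of steps S2012, S2035, S2036, S2037 and S2038 can be modelled as a small state machine driven by an explicit clock, so that it runs deterministically and can be unit-tested without real timers. The following JavaScript is an added example, not code from the patent or from Siemens; the timeout value and the verdict strings are constructed for the illustration, and the timer is the one network service 106 starts when it is told the test has begun.

```javascript
// Added example (not from the patent): type-two probe logic of network service 106.
// Times are milliseconds on a caller-supplied clock; DEFAULT_TIMEOUT_MS is an
// assumed stand-in for "propagation delay + browser processing delay".
const DEFAULT_TIMEOUT_MS = 2000;

function createTypeTwoProbe(timeoutMs = DEFAULT_TIMEOUT_MS) {
  let deadline = null;       // timer expiry; set by the "test has started" notice (S2012)
  let requestSeenAt = null;  // time of the first service request that arrived in time (S2035)
  return {
    // S2012: the test program says the test has started; arm the timer.
    start(now) {
      deadline = now + timeoutMs;
      requestSeenAt = null;
    },
    // S2035: a service request from browser 104 arrived. Only the first request
    // before the deadline counts; receiving it expires the timer early (the
    // optional behaviour described in the text). Returns whether it counted.
    onServiceRequest(now) {
      if (deadline === null || requestSeenAt !== null || now >= deadline) return false;
      requestSeenAt = now;
      deadline = now;
      return true;
    },
    // S2036/S2037: what network service 106 reports back to test program 105.
    report(now) {
      if (deadline === null) return { state: 'not started' };
      if (requestSeenAt !== null) return { state: 'request received', receivedAt: requestSeenAt };
      if (now >= deadline) return { state: 'timer expired' };
      return { state: 'waiting' };
    },
  };
}

// S2038: test program 105 turns the report into a verdict for the mechanism under test.
function typeTwoVerdict(mechanism, report) {
  switch (report.state) {
    case 'request received': return `browser does not support ${mechanism}`;
    case 'timer expired': return `browser supports ${mechanism}`;
    default: return 'undecided';
  }
}
```

Because a late request (after the deadline) is ignored, a timeout that is shorter than the real propagation plus processing delay produces a false "supports" verdict; that is why the text requires the timer length to be at least that sum.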
The security protection principles of the different HTTP security mechanisms and the test scheme of the embodiment of the present invention are described below. The embodiment of the present invention is not limited to testing HTTP security mechanisms: for any network protocol security mechanism that can be configured for a browser through a security header, and for which whether the browser supports the mechanism can be determined from the browser's processing of a network service, the scheme provided in the embodiment of the present invention can be used.
1. HSTS
HSTS helps a server protect against protocol downgrade attacks and cookie attacks. By using HSTS, a server can force a browser (or other user agent) to establish connections with the server only over Hypertext Transfer Protocol Secure (HTTPS). A server using HSTS can ensure that a browser always connects to the HTTPS-encrypted version of the server, without the user having to type the encrypted address into the URL address bar manually.
A server can enable HSTS as follows: when the browser sends a request over HTTP, the HTTP response header returned by the server contains a Strict-Transport-Security field, which instructs the browser to request the network connections deployed on the server over HTTPS.
Therefore, in step S202, test program 105 can control network service 106 so that, after receiving the HTTP request sent by browser 104 (e.g. http://xxx), it sends browser 104 a security header containing the following field and parameters:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This security header means: for the next year (i.e. 31536000 seconds), whenever the browser that received the security header sends an HTTP request to xxx or any of its subdomains, it must initiate the connection over HTTPS. For example, when the user clicks a hyperlink or types an address in the address bar, the browser should automatically rewrite http to https and send the request directly to https://xxx/.
Here, https://xxx/ is network service 106.
Network service 106 or test program 105 judges whether the service request from browser 104 is http://xxx/ or https://xxx/: if it is http://xxx/, it is determined that browser 104 does not support HSTS; if it is https://xxx/, it is determined that browser 104 supports HSTS.
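The HSTS test above is the type-one case: the verdict depends only on the scheme of the request that reaches network service 106. The following JavaScript is an added example, not code from the patent or from Siemens. It models the three parties with pure functions: the security header test program 105 sends, a minimal browser-side HSTS policy store (max-age, includeSubDomains, expiry) that a supporting browser consults before sending a service request, and the verdict of steps S2032 and S2033. The host name xxx.example and the clock values are constructed; the page's xxx is a placeholder, not a real host.

```javascript
// Added example (not from the patent): a model of the type-one HSTS test.

// Step S202: the Strict-Transport-Security value test program 105 sends.
function buildHstsHeader(maxAgeSeconds, includeSubDomains) {
  return `max-age=${maxAgeSeconds}` + (includeSubDomains ? '; includeSubDomains' : '');
}

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
function parseHstsHeader(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of value.split(';')) {
    const [name, val] = raw.trim().split('=').map((s) => s.trim().toLowerCase());
    if (name === 'max-age') policy.maxAge = Number(val);
    else if (name === 'includesubdomains') policy.includeSubDomains = true;
  }
  return policy;
}

// Browser-side model of a browser that supports HSTS: after a response from
// `host` carried the header, upgrade later http:// requests to that host (and,
// with includeSubDomains, to its subdomains) while the policy has not expired.
function createHstsStore() {
  const entries = new Map(); // host -> { expires (ms), includeSubDomains }
  return {
    learn(host, headerValue, now) {
      const p = parseHstsHeader(headerValue);
      if (p.maxAge === null || Number.isNaN(p.maxAge)) return; // malformed header: ignore
      if (p.maxAge === 0) { entries.delete(host); return; }     // max-age=0 clears the policy
      entries.set(host, { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
    },
    rewrite(urlString, now) {
      const url = new URL(urlString);
      if (url.protocol !== 'http:') return urlString;
      for (const [host, e] of entries) {
        if (now >= e.expires) continue;
        if (url.hostname === host || (e.includeSubDomains && url.hostname.endsWith('.' + host))) {
          url.protocol = 'https:';
          return url.toString();
        }
      }
      return urlString;
    },
  };
}

// The service request browser 104 actually sends for network service 106: a
// browser that supports HSTS consults its store, one that does not sends the URL as typed.
function browserServiceRequest(store, supportsHsts, urlString, now) {
  return supportsHsts ? store.rewrite(urlString, now) : urlString;
}

// Steps S2032/S2033: the verdict from the scheme of the request that arrived.
function hstsVerdict(serviceRequestUrl) {
  return new URL(serviceRequestUrl).protocol === 'https:' ? 'supports HSTS' : 'does not support HSTS';
}
```

The expiry check matters for the test harness as much as for a real browser: if the policy learned in an earlier run has lapsed, or the header was sent for a different host than the one network service 106 is served from, a supporting browser will still send http:// and the verdict will be a false "does not support".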
2. X-Content-Type-Options
X-Content-Type-Options can be used to prevent Microsoft Internet Explorer (MSIE) or Google Chrome from interpreting a file as a content type other than the one specified in the HTTP header.
A server can enable X-Content-Type-Options as follows: when the browser sends an HTTP request, the HTTP response header returned by the server contains an X-Content-Type-Options field, which instructs the browser to use the X-Content-Type-Options HTTP security mechanism.
Therefore, in step S202, the security header that test program 105 sends to browser 104 can contain the following fields and parameters:
"X-Content-Type-Options: nosniff" and "Content-Type: text/plain;"
Here nosniff means do not sniff the content type, and Content-Type: text/plain means display the source text.
After receiving the security header, if browser 104 supports X-Content-Type-Options and the requested network service 106 is an HTML web page, browser 104 displays the source text of the HTML web page; if it does not support X-Content-Type-Options, browser 104 renders the HTML web page.
Refer to the interaction diagram shown in Fig. 5, which differs slightly from Fig. 3 because test program 105 needs to judge whether browser 104 displays the content of network service 106 in the specified manner. It is described as follows:
Steps S201, S202 and S2035 are as before. After receiving the service request from browser 104 in step S2035, network service 106 sends a service response to browser 104 in step S2039a; for example, if network service 106 is an HTML web page, network service 106 returns the HTML web page to browser 104.
After receiving the service response in step S2039a, browser 104 displays the content of network service 106 in step S2039b. With the security header as above and network service 106 an HTML web page, if browser 104 supports X-Content-Type-Options it displays the source text of the HTML web page in step S2039b, and if browser 104 does not support X-Content-Type-Options it directly renders the HTML web page in step S2039b.
In step S2032, browser 104 can capture the content displayed in step S2039b with screenshot software and send the captured screen to test program 105, and test program 105 judges whether browser 104 displayed the content of network service 106 in the manner set by the security header; if so, it determines that browser 104 supports X-Content-Type-Options, otherwise it determines that browser 104 does not support X-Content-Type-Options.
Another optional method is that browser 104 itself judges, after taking the screenshot, whether it displayed the content of network service 106 in the manner specified by the security header, and sends the judgement result to test program 105; test program 105 then determines from the received judgement result whether browser 104 supports X-Content-Type-Options.
3. HPKP
HPKP helps an HTTPS website refuse access by an attacker using a mis-issued or otherwise forged certificate. The HTTPS web server provides a set of public key hashes, and on subsequent connections the web server must use one or more of these public key hashes in its certificate chain. HPKP requires more mature operation by the host or organisation, because the host may become pinned to a set of public key hashes that has become unusable. With HPKP, a host operator can greatly reduce man-in-the-middle (MITM) attacks and other false-authentication problems without incurring excessive risk.
A server can enable HPKP as follows: when the browser sends an HTTP request, the HTTP response header returned by the server contains a Public-Key-Pins (PKP) field, in which the public key pins indicated are public key hashes.
Therefore, in step S202, the security header that test program 105 sends to browser 104 can contain the following field and parameters, for example a response header containing:
Public-Key-Pins: max-age=4000; pin-sha256="abcd01235678WLTUVW"
This means: the server tells the browser that, for 4000 seconds, the public key in the certificate is pinned to the value inside the quotation marks, which is the SHA-256 hash of the public key, base64-encoded.
After a browser receives the HPKP header, if it supports HPKP it should store the above public key hash. Whether the browser supports HPKP can therefore be determined by judging whether the browser stored the above public key hash.
In addition, when a browser is redirected to a false network service that uses the same domain name as the above server, a browser that supports HPKP prevents the request to the false network service.
In the embodiment of the present invention, browser 104 first establishes a connection with a network service and stores the public key hash; the network service is then replaced by network service 106, which has the same domain name but a different IP. If the subsequent request to network service 106 is blocked, the browser supports HPKP.
If network service 106 receives a service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support HPKP; if the timer expires, test program 105 determines that browser 104 supports HPKP.
4. X-Frame-Options
X-Frame-Options improves a web application's ability to protect against clickjacking. It provides a communication mechanism from a host to the client browser that can be used to control whether the browser displays content sent inside a frame of another web page.
A server can enable X-Frame-Options as follows: after receiving the service request from the browser, the response header returned by the server contains an X-Frame-Options field whose value is set to deny.
Therefore, in step S202, the security header that test program 105 sends to browser 104 can contain the following field and parameter:
X-Frame-Options: deny
Network service 106 can be pre-set as a web page embedded in another web page. If browser 104 supports X-Frame-Options, then when browser 104 accesses the other web page it will not request the web page corresponding to network service 106; if browser 104 does not support X-Frame-Options, then when browser 104 accesses the other web page it will request the web page corresponding to network service 106.
If network service 106 receives a service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support X-Frame-Options; if the timer expires, test program 105 determines that browser 104 supports X-Frame-Options.
5. X-XSS-Protection
X-XSS-Protection can be used to filter out cross-site scripting (Cross-site scripting, XSS).
A server can enable X-XSS-Protection as follows: after receiving the service request from the browser, the response header returned by the server contains an X-XSS-Protection field whose value is set to 1, with the mode value set to block.
Therefore, in step S202, the security header that test program 105 sends to browser 104 can contain the following field and parameters:
X-XSS-Protection: 1; mode=block
Test program 105 can pre-configure browser 104 so that, after receiving the above security header, it requests a network service other than network service 106; that network service can be deployed on test server 102. After browser 104 sends a service request to that network service, the response returned by that network service contains a script, and the script instructs browser 104 to request network service 106.
If browser 104 supports X-XSS-Protection, it does not execute the script in the above response and therefore does not request network service 106; if browser 104 does not support X-XSS-Protection, it executes the script in the above response and then requests network service 106.
If network service 106 receives a service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support X-XSS-Protection; if the timer expires, test program 105 determines that browser 104 supports X-XSS-Protection.
6. CSP
CSP has a considerable influence on the way a browser displays a web page and can be used to prevent various attacks, including cross-site scripting and other cross-site injection.
A server can enable CSP as follows: after receiving the service request from the browser, the response header returned by the server contains a Content-Security-Policy field whose value is set to script-src 'self'.
Therefore, in step S202, the security header that test program 105 sends to browser 104 can contain the following field and parameter: Content-Security-Policy: script-src 'self'.
Network service 106 can be pre-set as a cross-domain script file. If network service 106 receives a service request from browser 104 before the timer expires, test program 105 determines that browser 104 does not support X-XSS-Protection; if the timer expires, test program 105 determines that browser 104 supports X-XSS-Protection.
The above describes the test method of the embodiment of the present invention for whether a browser 104 supports an HTTP security mechanism. To make testing efficient, it may be considered, for one browser 104, to test in turn whether that browser 104 supports each of multiple HTTP security mechanisms. Further, for each browser 104 among multiple browsers 104, it may be tested in turn whether that browser 104 supports each of multiple HTTP security mechanisms.
Alternatively, multiple browsers 104 can be installed on host 101 in test system 10, such as the aforementioned IE, Chrome, Firefox, Android, Safari and Opera browsers; different versions of the same browser are regarded as different browsers.
Test server 102 can support multiple HTTP security mechanisms to be tested; because test server 102 needs to send security headers to browser 104, it must support every HTTP security mechanism to be tested. Network service 106 can support multiple HTTP security mechanisms, or a separate network service 106 supporting each HTTP security mechanism can be deployed for that mechanism.
Another test flow provided in an embodiment of the present invention is described below with reference to Fig. 6. As shown in Fig. 6, the flow may include the following steps:
S601: Browser 104 sends a test start command to test program 105.
S602: Test program 105 recognises the test start command from browser 104 and, after receiving the command, sends the test script (Test.js shown in Fig. 6) to browser 104.
S603: After receiving Test.js, browser 104 sends an HSTS test request to test program 105 according to the test commands in Test.js.
S604: After receiving the HSTS test request, test program 105 sends the HSTS security header to browser 104.
S605: After receiving the HSTS security header, browser 104 sends a service request to network service 106 according to the test commands in Test.js.
S606: Browser 104 sends an XSS test request to network service 106 according to the test commands in Test.js.
S607: After receiving the XSS test request, test program 105 sends the XSS security header to browser 104.
S608: After receiving the XSS security header, browser 104 sends a service request to network service 106 according to the test commands in Test.js.
Next coming in order are analogized, and are tested successively according to the order set in Test.js, such as:Setting is under in Test.js The order of face numbering from small to large is tested:
1st, HSTS, 2, HPKP, 3, X-Frame-Options, 4, X-XSS-Protection, 5, X-Content-Type- Options, 6, Content-Security-Policy.
Wherein, it may include a plurality of test command in above-mentioned test script Test.js.If be mounted with main frame 101 one it is clear Look at device 104, then the test script is controllable supports a browser 104 a variety of HTTP security mechanisms which of to enter mechanism Tested.If being mounted with multiple browsers 104 on main frame 101, the test script is controllable in multiple browsers 104 Each browser 104 is tested respectively;And for same browser 104, it can be achieved to a variety of HTTP security mechanisms Test.
Below, the setting of the test script for same browser 104, the test process of other browsers 104 are illustrated Similarly.
Such as:Test support situations of the IE7 to various HTTP security mechanisms.According to the order of above-mentioned numbering from small to large Test successively.
Therefore, the test command group performed by said sequence is may include in Test.js, each test command group corresponds to A kind of HTTP security mechanisms.
Taking HSTS as an example, the corresponding test command group may perform the following operations:
1. A test command controls the browser 104 to send a test request to the test program 105; the test request asks for a test of whether the browser 104 supports HSTS. The test request may be a service request sent to the test program 105 (step S603). By setting a parameter in the service request, the test program 105 can recognise that what is to be tested is whether the browser 104 supports HSTS (the correspondence between the values of the service request parameter and the types of HTTP security mechanism can be agreed in advance between the host 101 and the test program 105).
After receiving the test request, the test program 105 determines that it must test whether the browser 104 supports HSTS, and sends an HSTS security header to the browser 104 (step S604).
2. A test command controls the browser 104 to receive the HSTS security header and to obtain the fields and parameter values in the HSTS security header.
3. A test command controls the browser 104 to send a service request to the network service 106.
The network service 106 that the browser 104 is to request may be specified in the test command, which also specifies that the browser 104 is to use the HSTS mechanism.
If the browser 104 supports HSTS, it processes the service request according to the fields and parameters in the HSTS security header and sends the service request to the network service 106 (step S605).
After the test command group for HSTS has been executed, the test command group for HPKP is executed next. That test command group is set up in the same way as the HSTS one and comprises: sending a test request, receiving a security header, and sending a service request to the network service 106. For the processing and settings of each command, refer to the description of the HPKP test method above.
For type one of the safety precaution described above, the browser 104 sends a service request to the network service 106 whether or not it supports the HTTP security mechanism; only the manner in which the service request is sent, or the manner in which the browser 104 displays the content of the network service 106, differs.
For type two of the safety precaution, the network service 106 is set to be a network service whose request the HTTP security mechanism prohibits. If the browser 104 does not support the HTTP security mechanism, it sends the service request to the network service 106; if it does support the HTTP security mechanism, it does not send the service request to the network service 106.
For type one of the safety precaution, the network service 106 can record the manner in which the browser 104 sends the service request; for type two, the network service 106 can record whether it received the service request from the browser 104 before a timer expired.
The network service 106 can send these records to the test program 105, and the test program 105 determines from the received records which HTTP security mechanisms the browser 104 supports and/or which it does not support.
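The two judgement rules just described (type one: the request arrives but its manner tells; type two: the request must not arrive before the timer expires) are modelled in the following JavaScript. This is an added example and not the patent's test program 105 or network service 106: `NetworkService`, `determineSupport`, the record fields `scheme`, `renderedAs` and `atMs`, the `deadlines` map and the sample records are all constructed for this illustration.

```javascript
"use strict";

// Table of the six mechanisms the text tests, split into the two types it
// describes. Type one carries a predicate over the recorded request manner;
// type two is confirmed by the absence of any request before the timer expired.
// The record field names (scheme, renderedAs, atMs) are assumptions of this example.
const MECHANISMS = {
  HSTS: { type: 1, usedAsSpecified: (r) => r.scheme === "https" },
  "X-Content-Type-Options": { type: 1, usedAsSpecified: (r) => r.renderedAs === "declared-content-type" },
  HPKP: { type: 2 },
  "X-Frame-Options": { type: 2 },
  "Content-Security-Policy": { type: 2 },
  "X-XSS-Protection": { type: 2 },
};

// NetworkService stands in for network service 106: it records every service
// request it receives, tagged with the mechanism under test, the time the
// request arrived and the manner in which it was made.
class NetworkService {
  constructor() { this.records = []; }
  receive(mechanism, atMs, manner) {
    this.records.push({ mechanism, atMs, ...manner });
  }
}

// determineSupport stands in for the judgement test program 105 makes from the
// records the network service sends it. `deadlines` maps each type two mechanism
// to the time (ms) at which its timer expired. Returns, per mechanism,
// "supported", "unsupported" or "error" (the test produced nothing to judge).
function determineSupport(records, deadlines, mechanisms = MECHANISMS) {
  const result = {};
  for (const [name, spec] of Object.entries(mechanisms)) {
    const hits = records.filter((r) => r.mechanism === name);
    if (spec.type === 1) {
      // Type one: the browser always requests; support means it did so in the
      // manner the security header specified. No request at all is a test error.
      if (hits.length === 0) { result[name] = "error"; continue; }
      result[name] = hits.every(spec.usedAsSpecified) ? "supported" : "unsupported";
    } else {
      // Type two: the service is one the mechanism forbids. A request arriving
      // before the timer expired means the mechanism was not applied.
      const deadline = deadlines[name];
      if (deadline === undefined) { result[name] = "error"; continue; }
      const requestedInTime = hits.some((r) => r.atMs <= deadline);
      result[name] = requestedInTime ? "unsupported" : "supported";
    }
  }
  return result;
}

// Constructed sample run (not measured data): a browser that honours HSTS,
// HPKP, X-Frame-Options and X-XSS-Protection, but sniffs content types and
// fetches the script that CSP should have blocked.
function sampleRun() {
  const svc = new NetworkService();
  svc.receive("HSTS", 120, { scheme: "https" });
  svc.receive("X-Content-Type-Options", 250, { renderedAs: "sniffed" });
  svc.receive("Content-Security-Policy", 400, { scheme: "http" });
  const deadlines = {
    HPKP: 1000, "X-Frame-Options": 1000, "Content-Security-Policy": 1000, "X-XSS-Protection": 1000,
  };
  return determineSupport(svc.records, deadlines);
}
```

A type two verdict of "supported" rests on silence, so it is only meaningful when the test program has separately confirmed that the browser actually issued the test request for that mechanism (the role of the receiving module in the device descriptions below); otherwise an untested mechanism and a supported one look identical. This example represents that confirmation only by the presence of a deadline entry.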
Below, examples of several test command groups in Test.js are given. In them, target_ip is the IP address of the network service 106 described above; method: 'get' indicates that the network service 106 is requested with the GET method; alert indicates that a prompt message is shown; success: function (response, opts) indicates that, if the browser 104 handled the network service 106 using the HTTP security mechanism tested by the test command group, a message is shown that the browser 104 supports that HTTP security mechanism; failure: function (response, opts) indicates that, if the browser 104 did not handle the network service 106 using the HTTP security mechanism tested by the test command group, a message is shown that the browser 104 does not support that HTTP security mechanism; a further failure: function (response, opts) indicates a test crash, in which neither support nor lack of support is reported for the browser 104 and an error is shown instead.
1. Test command group function HSTS_test() for HSTS
2. Test command group function HPKP_test() for HPKP
3. Test command group function X-Frame-Options_test() for X-Frame-Options
4. Test command group function X-XSS-Protection for X-XSS-Protection
5. Test command group function X-Content-Type-Options for X-Content-Type-Options
6. Test command group function Content-Security-Policy for Content-Security-Policy
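The six command groups above are listed by name only. As an added example of the command-group structure described for Test.js (target_ip, method: 'get', and the success / failure / crash handlers), and of the ordered execution set out step by step for the HSTS group earlier, the following JavaScript is not the patent's Test.js but a stand-alone model of it: the browser, test program 105 and network service 106 are collapsed into one simulated `exchange` function so the script runs offline, the crash handler is named `error` here to keep it distinct from `failure`, and `makeGroup`, `runTestScript`, the browser profile and the target address are all constructed for this example.

```javascript
"use strict";

// Simulated round trip for one mechanism, standing in for steps S603 (test
// request), S604 (security header) and S605 (service request). `browserProfile`
// is a constructed model of the browser under test mapping a mechanism name to
// "used" (the browser applied the header) or "not-used"; a mechanism missing
// from the profile models a test that produced no result at all.
function exchange(mechanism, browserProfile) {
  const outcome = browserProfile[mechanism];
  if (outcome !== "used" && outcome !== "not-used") {
    throw new Error("no result from browser for " + mechanism);
  }
  return outcome;
}

// makeGroup builds one test command group in the shape the text describes:
// a target_ip, a GET request and success / failure / error handlers. Handlers
// append to `report` rather than calling alert so the run can be inspected.
function makeGroup(order, mechanism, target_ip, report) {
  return {
    order,
    mechanism,
    request: { url: "http://" + target_ip + "/test", method: "get", params: { mechanism } },
    success: (response, opts) => report.push(`${order}. ${opts.params.mechanism}: supported`),
    failure: (response, opts) => report.push(`${order}. ${opts.params.mechanism}: not supported`),
    error: (err, opts) => report.push(`${order}. ${opts.params.mechanism}: error (${err.message})`),
  };
}

// runTestScript executes the groups strictly in ascending order of their
// numbering, whatever order they were declared in, and dispatches the result
// of each exchange to exactly one handler.
function runTestScript(groups, browserProfile) {
  const ordered = [...groups].sort((a, b) => a.order - b.order);
  for (const g of ordered) {
    let outcome;
    try {
      outcome = exchange(g.mechanism, browserProfile);
    } catch (err) {
      g.error(err, g.request); // test crash: neither verdict is reported
      continue;
    }
    const response = { status: 200 }; // constructed stand-in for the service reply
    if (outcome === "used") g.success(response, g.request);
    else g.failure(response, g.request);
  }
}

// sampleRun declares the six groups out of order to show that the numbering,
// not the declaration order, drives execution. target_ip is a documentation
// address and the browser profile is constructed.
function sampleRun() {
  const report = [];
  const target_ip = "192.0.2.10";
  const groups = [
    makeGroup(3, "X-Frame-Options", target_ip, report),
    makeGroup(1, "HSTS", target_ip, report),
    makeGroup(6, "Content-Security-Policy", target_ip, report),
    makeGroup(2, "HPKP", target_ip, report),
    makeGroup(5, "X-Content-Type-Options", target_ip, report),
    makeGroup(4, "X-XSS-Protection", target_ip, report),
  ];
  const browserProfile = {
    HSTS: "used",
    HPKP: "not-used",
    "X-Frame-Options": "used",
    "X-XSS-Protection": "used",
    "X-Content-Type-Options": "not-used",
    // Content-Security-Policy deliberately absent: exercises the error handler
  };
  runTestScript(groups, browserProfile);
  return report;
}
```

Keeping the crash handler separate from `failure` matters for the verdict table: a group whose exchange never completes must be reported as an error, not as "does not support", or a browser that simply failed to load the script would be credited with rejecting every forbidden request.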
Fig. 7 shows a test device 70 provided by an embodiment of the present invention. The test device 70 can be used to test whether a browser 104 supports an HTTP security mechanism.
As shown in Fig. 7, the test device 70 may include:
a sending module 701, for sending a security header to the browser 104, where the security header configures the browser 104 to use the HTTP security mechanism;
a processing module 702, for judging whether the browser 104 handles a network service 106 using the HTTP security mechanism, and determining from the result of the judgement whether the browser 104 supports the HTTP security mechanism.
As stated above, the principle by which an HTTP security mechanism provides its safety precaution can be classified as "type one" or "type two".
For type one, the HTTP security mechanism is that a browser requests a network service only in a specified manner. The security header sent by the sending module 701 is specifically used to configure the manner in which the browser 104 requests the network service 106. The processing module 702 is specifically used to judge whether the browser 104 requests the network service 106 in the manner specified by the security header and, if the browser 104 requests the network service 106 in the manner specified by the security header, to determine that the browser 104 supports the HTTP security mechanism; otherwise, to determine that the browser 104 does not support the HTTP security mechanism.
Optionally, the HTTP security mechanism is that a browser requests a network service only over the secure HyperText Transfer Protocol Secure (HTTPS). The security header sent by the sending module 701 is an HTTP Strict Transport Security (HSTS) header, which specifically configures the browser 104 to request the network service 106 only over HTTPS. The sending module 701 is specifically used to control the network service 106 to send an HSTS header in response to an HTTP request from the browser 104. The processing module 702 is specifically used to judge whether the browser 104 requests the network service 106 over HTTPS after receiving the HSTS header.
Optionally, the HTTP security mechanism is that a browser displays the content of a network service in a specified manner. The security header sent by the sending module 701 is an X-Content-Type-Options header, which specifically configures the browser 104 to display the content of the network service 106 in a specific manner. The processing module 702 is specifically used to judge whether the browser 104 displays the content of the network service 106 in the manner specified in the X-Content-Type-Options header.
Optionally, the HTTP security mechanism is that a browser is prohibited from requesting a network service. The security header sent by the sending module 701 is specifically used to configure the browser 104 to refrain, according to the HTTP security mechanism, from requesting a network service 106. The processing module 702 is specifically used to judge whether the browser 104 requested the network service 106 and, if the browser 104 requested the network service 106, to determine that the browser 104 does not support the HTTP security mechanism; otherwise, to determine that the browser 104 supports the HTTP security mechanism.
Optionally, the HTTP security mechanism is that a browser is allowed to access only a network service that uses one of a set of public key pins agreed in advance.
The security header sent by the sending module 701 is an HTTP Public Key Pinning (HPKP) header, which specifically configures the set of public key pins the browser 104 may use when requesting another network service outside the network service 106, where that other network service has the same domain name as the network service 106 but a different Internet Protocol address.
The processing module 702 is specifically used to judge whether the browser 104 requested the network service 106 when it was redirected to the network service 106.
For type two, the HTTP security mechanism is that a browser is prohibited from accessing a web page embedded in another web page. The security header sent by the sending module 701 is X-Frame-Options, which specifically configures the browser 104 to refuse to access embedded web pages; the network service 106 is a web page embedded in another web page. The processing module 702 is specifically used to judge whether the browser 104, when accessing a web page in which the network service 106 is embedded, requested the network service 106.
Optionally, the HTTP security mechanism is that a browser executes only script files from specified sites. The security header sent by the sending module 701 is a Content Security Policy (CSP) header, which specifically configures the sites whose script files the browser 104 may execute; the network service 106 is a script file that does not belong to the sites specified by the CSP header. The processing module 702 is specifically used to judge whether the browser 104 executes the script file that is the network service 106.
Optionally, the HTTP security mechanism is that a browser is prohibited from executing a cross-site script. The security header sent by the sending module 701 is an X-XSS-Protection header, which specifically configures the browser 104 to refuse to execute a cross-site script. The processing module 702 is specifically used to judge whether the browser 104 requests the network service 106 when the content of the response to a network request it receives contains a cross-site script and that cross-site script instructs the browser 104 to request the network service 106.
Optionally, the test device 70 may further include a receiving module 703, for receiving a test request from the browser 104 before the sending module 701 sends the security header to the browser 104, where the test request asks for a test of whether the browser 104 supports the HTTP security mechanism.
The sending module 701 may also be used to perform the other sending operations of the test server 106; the processing module 702 may also be used to perform the other processing operations of the test server 106; and the receiving module 703 may also be used to perform the other receiving operations of the test server 106. For other optional implementations of the device, refer to the implementation of the test server 106, which is not repeated here.
Fig. 8 shows a test device 80 provided by an embodiment of the present invention. The test device 80 can be used to test whether a browser 104 supports an HTTP security mechanism. The test device 80 may be located in the test server 106 described above, or the test device 80 may itself be the test server 106.
As shown in Fig. 8, the test device 80 may include:
a memory 801, for storing computer instructions (such as the test program 105 described above);
a processor 802, for calling the computer instructions stored in the memory 801 to perform any of the test methods shown in Figs. 2 to 6.
Fig. 9 shows a test device 90 provided by an embodiment of the present invention. The test device 90 can be used to test whether a browser 104 supports each of at least two HTTP security mechanisms.
As shown in Fig. 9, the device includes:
a sending module 901, for sending a test script file to the browser 104, where the test script file controls the testing of whether the browser 104 supports each of the at least two HTTP security mechanisms;
a receiving module 903, for receiving the test requests that the browser 104 sends separately for each of the at least two HTTP security mechanisms;
a processing module 902, for performing the following operations after the receiving module 903 receives each test request: in response to the test request, controlling the sending module 901 to send a security header to the browser 104, where the security header configures the browser 104 to use the HTTP security mechanism targeted by the test request; judging whether the browser 104 handles a network service 106 using the HTTP security mechanism targeted by the test request; and determining from the result of the judgement whether the browser 104 supports the HTTP security mechanism targeted by the test request.
In the device 90, the sending module 901 may also be used to perform the other sending operations of the test server 106, the receiving module 903 may also be used to perform the other receiving operations of the test server 106, and the processing module 902 may also be used to perform the other processing operations of the test server 106. For other optional implementations of the device 90, refer to the implementation of the test server 106, which is not repeated here.
Fig. 10 shows a test device 100 provided by an embodiment of the present invention. The test device 100 can be used to test whether a browser 104 supports each of at least two HTTP security mechanisms. The test device may be located in the test server 106 described above, or the test device may itself be the test server 106.
As shown in Fig. 10, the device 100 includes:
a memory 1001, for storing computer instructions (such as the test program 105 described above);
a processor 1002, for calling the computer instructions stored in the memory 1001 to perform the following method:
sending a test script file to the browser 104, where the test script file controls the testing of whether the browser 104 supports each of the at least two HTTP security mechanisms;
receiving the test requests that the browser 104 sends separately for each of the at least two HTTP security mechanisms;
after each test request is received, performing the following operations: in response to the test request, sending a security header to the browser 104, where the security header configures the browser 104 to use the HTTP security mechanism targeted by the test request; judging whether the browser 104 handles a network service 106 using the HTTP security mechanism targeted by the test request; and determining from the result of the judgement whether the browser 104 supports the HTTP security mechanism targeted by the test request.
For other optional implementations of the device 100, refer to the test server 106 described above; they are not repeated here.
An embodiment of the present invention further provides a computer-readable storage medium storing instructions for causing a machine to perform the program code checking method described herein. Specifically, a system or device equipped with a storage medium may be provided, the storage medium storing software program code that implements the functions of any of the above embodiments, and the computer (or CPU or MPU) of the system or device reads and executes the program code stored in the storage medium.
In this case, the program code read from the storage medium can itself implement the functions of any of the above embodiments, so the program code and the storage medium storing the program code form part of the present invention.
Embodiments of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical discs (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer over a communication network.
Further, it should be clear that part or all of the actual operations may be completed not only by the computer executing the program code it has read, but also by the operating system running on the computer acting on instructions based on the program code, so as to implement the functions of any of the above embodiments.
Further, it should be understood that the program code read from the storage medium may be written into a memory provided on an expansion board inserted in the computer, or into a memory provided in an expansion unit connected to the computer, after which a CPU or the like provided on the expansion board or expansion unit performs part or all of the actual operations based on instructions of the program code, so as to implement the functions of any of the above embodiments.
In summary, in embodiments of the present invention, when testing a browser, the test server can send the browser a security header that configures the browser to use the HTTP security mechanism under test; the test server judges whether the browser handles a network service using the HTTP security mechanism and determines from the result of the judgement whether the browser supports the HTTP security mechanism. This scheme can effectively test whether a browser supports an HTTP security mechanism. The test server notifies the browser to use the HTTP security mechanism under test by sending it the security header, judges whether the browser used that HTTP security mechanism when handling a network service, and determines from the judgement whether the browser supports the HTTP security mechanism under test. This provides a method of testing browsers automatically and reduces manual work. Whether the browser supports the HTTP security mechanism under test is determined from how the browser handles the network service, so the result is accurate and the time needed for the test is short. In particular, the test server can judge, according to the principle by which the HTTP security mechanism under test provides its safety precaution, whether the browser applied the HTTP security mechanism when requesting a network service, which makes the test server's judgement more accurate.
It should be noted that not all of the steps and modules in the flows and system structure diagrams above are necessary; some steps or modules may be omitted according to actual needs. The order in which the steps are performed is not fixed and may be adjusted as needed. The system structures described in the above embodiments may be physical or logical structures; that is, some modules may be implemented by the same physical entity, some modules may be implemented by several physical entities, or modules may be implemented jointly by components in several independent devices.
In the above embodiments, a hardware unit may be implemented mechanically or electrically. For example, a hardware unit may include permanent dedicated circuits or logic (such as a dedicated processor, FPGA or ASIC) to complete the corresponding operations. A hardware unit may also include programmable logic or circuits (such as a general-purpose processor or other programmable processor) that are temporarily configured by software to complete the corresponding operations. The specific implementation (mechanical, dedicated permanent circuit, or temporarily configured circuit) may be decided on the basis of cost and time considerations.
The present invention has been shown and explained in detail above with reference to the drawings and preferred embodiments, but the invention is not limited to the embodiments disclosed. On the basis of the above embodiments, those skilled in the art will recognise that further embodiments of the invention can be obtained by combining the code review means of the different embodiments above, and these embodiments also fall within the scope of protection of the present invention.

Claims (25)

  1. A test method for testing whether a browser (104) supports a HyperText Transfer Protocol (HTTP) security mechanism, characterised in that it comprises:
    sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism;
    judging whether the browser (104) handles a network service (106) using the HTTP security mechanism; and
    determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism.
  2. The method according to claim 1, characterised in that the HTTP security mechanism is that a browser requests a network service only in a specified manner; the security header is specifically used to configure the manner in which the browser (104) requests the network service (106);
    judging whether the browser (104) handles a network service (106) using the HTTP security mechanism comprises: judging whether the browser (104) requests the network service (106) in the manner specified by the security header; and
    determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism comprises: if the browser (104) requests the network service (106) in the manner specified by the security header, determining that the browser (104) supports the HTTP security mechanism; otherwise, determining that the browser (104) does not support the HTTP security mechanism.
  3. The method according to claim 2, characterised in that the HTTP security mechanism is that a browser requests a network service only over the secure HyperText Transfer Protocol Secure (HTTPS); the security header is an HTTP Strict Transport Security (HSTS) header, specifically used to configure the browser (104) to request the network service (106) only over HTTPS;
    sending a security header to the browser (104) comprises: controlling the network service (106) to send an HSTS header in response to an HTTP request from the browser (104); and
    judging whether the browser (104) requests the network service (106) in the manner specified by the security header comprises: judging whether the browser (104) requests the network service (106) over HTTPS after receiving the HSTS header.
  4. The method according to claim 2, characterised in that the HTTP security mechanism is that a browser displays the content of a network service in a specified manner; the security header is an X-Content-Type-Options header, specifically used to configure the browser (104) to display the content of the network service (106) in a specific manner; and
    judging whether the browser (104) requests the network service (106) in the manner specified by the security header comprises: judging whether the browser (104) displays the content of the network service (106) in the manner specified in the X-Content-Type-Options header.
  5. The method according to claim 1, characterised in that the HTTP security mechanism is that a browser is prohibited from requesting a network service; the security header is specifically used to configure the browser (104) to refrain, according to the HTTP security mechanism, from requesting a network service (106);
    judging whether the browser (104) handles a network service (106) using the HTTP security mechanism comprises: judging whether the browser (104) requested the network service (106); and
    determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism comprises: if the browser (104) requested the network service (106), determining that the browser (104) does not support the HTTP security mechanism; otherwise, determining that the browser (104) supports the HTTP security mechanism.
  6. The method according to claim 5, characterised in that the HTTP security mechanism is that a browser is allowed to access only a network service that uses one of a set of public key pins agreed in advance; the security header is an HTTP Public Key Pinning (HPKP) header, specifically used to configure the set of public key pins the browser (104) may use when requesting another network service outside the network service (106), wherein the other network service has the same domain name as the network service (106) but a different Internet Protocol address; and
    judging whether the browser (104) requested the network service (106) comprises: judging whether the browser (104) requested the network service (106) when redirected to the network service (106).
  7. The method according to claim 5, characterised in that the HTTP security mechanism is that a browser is prohibited from accessing a web page embedded in another web page; the security header is X-Frame-Options, specifically used to configure the browser (104) to refuse to access embedded web pages; the network service (106) is a web page embedded in another web page; and
    judging whether the browser (104) requested the network service (106) comprises: judging whether the browser (104), when accessing a web page in which the network service (106) is embedded, requested the network service (106).
  8. The method according to claim 5, characterised in that the HTTP security mechanism is that a browser executes only script files from specified sites; the security header is a Content Security Policy (CSP) header, specifically used to configure the sites whose script files the browser (104) may execute; the network service (106) is a script file that does not belong to the sites specified by the CSP header; and
    judging whether the browser (104) requested the network service (106) comprises: judging whether the browser (104) executes the script file that is the network service (106).
  9. The method according to claim 5, characterised in that the HTTP security mechanism is that a browser is prohibited from executing a cross-site script; the security header is an X-XSS-Protection header, specifically used to configure the browser (104) to refuse to execute a cross-site script; and
    judging whether the browser (104) requested the network service (106) comprises: judging whether the browser (104) requested the network service (106) when the content of the response to a network request it received contains a cross-site script and that cross-site script instructs the browser (104) to request the network service (106).
  10. The method according to any one of claims 1 to 9, characterised in that, before sending the security header to the browser (104), the method further comprises:
    receiving a test request from the browser (104), wherein the test request is used to request a test of whether the browser (104) supports the HTTP security mechanism.
  11. A test device (70) for testing whether a browser (104) supports a HyperText Transfer Protocol (HTTP) security mechanism, characterised in that it comprises:
    a sending module (701), for sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism; and
    a processing module (702), for judging whether the browser (104) handles a network service (106) using the HTTP security mechanism, and determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism.
  12. The device (70) according to claim 11, characterised in that:
    the HTTP security mechanism is that a browser requests a network service only in a specified manner;
    the security header sent by the sending module (701) is specifically used to configure the manner in which the browser (104) requests the network service (106); and
    the processing module (702) is specifically used to:
    judge whether the browser (104) requests the network service (106) in the manner specified by the security header, and
    if the browser (104) requests the network service (106) in the manner specified by the security header, determine that the browser (104) supports the HTTP security mechanism; otherwise, determine that the browser (104) does not support the HTTP security mechanism.
  13. The device (70) according to claim 12, characterised in that:
    the HTTP security mechanism is that a browser requests a network service only over the secure HyperText Transfer Protocol Secure (HTTPS);
    the security header sent by the sending module (701) is an HTTP Strict Transport Security (HSTS) header, the security header being specifically used to configure the browser (104) to request the network service (106) only over HTTPS;
    the sending module (701) is specifically used to control the network service (106) to send an HSTS header in response to an HTTP request from the browser (104); and
    the processing module (702) is specifically used to judge whether the browser (104) requests the network service (106) over HTTPS after receiving the HSTS header.
  14. The device (70) according to claim 12, characterised in that:
    the HTTP security mechanism is that a browser displays the content of a network service in a specified manner;
    the security header sent by the sending module (701) is an X-Content-Type-Options header, the security header being specifically used to configure the browser (104) to display the content of the network service (106) in a specific manner; and
    the processing module (702) is specifically used to judge whether the browser (104) displays the content of the network service (106) in the manner specified in the X-Content-Type-Options header.
  15. The device (70) according to claim 11, characterised in that:
    the HTTP security mechanism is that a browser is prohibited from requesting a network service;
    the security header sent by the sending module (701) is specifically used to configure the browser (104) to refrain, according to the HTTP security mechanism, from requesting a network service (106); and
    the processing module (702) is specifically used to:
    judge whether the browser (104) requested the network service (106), and
    if the browser (104) requested the network service (106), determine that the browser (104) does not support the HTTP security mechanism; otherwise, determine that the browser (104) supports the HTTP security mechanism.
  16. The device (70) according to claim 15, characterised in that:
    the HTTP security mechanism is that a browser is allowed to access only a network service that uses one of a set of public key pins agreed in advance;
    the security header sent by the sending module (701) is an HTTP Public Key Pinning (HPKP) header, the security header being specifically used to configure the set of public key pins the browser (104) may use when requesting another network service outside the network service (106), wherein the other network service has the same domain name as the network service (106) but a different Internet Protocol address; and
    the processing module (702) is specifically used to judge whether the browser (104) requested the network service (106) when redirected to the network service (106).
  17. The device (70) according to claim 15, characterised in that:
    the HTTP security mechanism is that a browser is prohibited from accessing a web page embedded in another web page;
    the security header sent by the sending module (701) is X-Frame-Options, the security header being specifically used to configure the browser (104) to refuse to access embedded web pages, and the network service (106) is a web page embedded in another web page; and
    the processing module (702) is specifically used to judge whether the browser (104), when accessing a web page in which the network service (106) is embedded, requested the network service (106).
  18. The device (70) according to claim 15, characterised in that:
    the HTTP security mechanism is that a browser executes only script files from specified sites;
    the security header sent by the sending module (701) is a Content Security Policy (CSP) header, the security header being specifically used to configure the sites whose script files the browser (104) may execute, and the network service (106) is a script file that does not belong to the sites specified by the CSP header; and
    the processing module (702) is specifically used to judge whether the browser (104) executes the script file that is the network service (106).
  19. The device (70) according to claim 15, characterised in that:
    the HTTP security mechanism is that a browser is prohibited from executing a cross-site script;
    the security header sent by the sending module (701) is an X-XSS-Protection header, the security header being specifically used to configure the browser (104) to refuse to execute a cross-site script; and
    the processing module (702) is specifically used to judge whether the browser (104) requested the network service (106) when the content of the response to a network request it received contains a cross-site script and that cross-site script instructs the browser (104) to request the network service (106).
  20. The device (70) as claimed in any one of claims 11 to 19, characterised in that it further comprises:
    A receiving module (703), for receiving a test request from the browser (104) before the sending module (701) sends the security header to the browser (104), wherein the test request is used to request a test of whether the browser (104) supports the HTTP security mechanism.
  21. A test device (80) for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism, characterised in that it comprises:
    A memory (801) for storing computer instructions;
    A processor (802) for calling the computer instructions to perform the method as claimed in any one of claims 1 to 10.
  22. A test method for testing whether a browser (104) supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms, characterised in that it comprises:
    Sending a test script file to the browser (104), the test script file being used to control the test of whether the browser (104) supports each of the at least two HTTP security mechanisms;
    Receiving the test requests sent separately by the browser (104) for each of the at least two HTTP security mechanisms;
    After each test request is received, performing the following operations:
    In response to the test request, sending a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism targeted by the test request;
    Judging whether the browser (104) processes a network service (106) using the HTTP security mechanism targeted by the test request;
    Determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism targeted by the test request.
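    The procedure of claim 22, carried through for two of the mechanisms named in claims 17 and 18 (X-Frame-Options and CSP), as an added example; this is illustration code written for this page, not code from the patent or from Siemens. The endpoint names /test, /service, /hit and /result, the header values, and the use of a beacon request to observe whether the browser actually processed the network service are this example's assumptions, since the claims name the headers but fix no URLs or values. One practical caveat the example builds in: X-Frame-Options has to travel on the framed resource, and a browser honouring it still fetches that resource before refusing to render it, so the usable signal for that mechanism is whether the framed page's content ran, not whether it was requested.

```python
import http.client
import http.server
import threading
import urllib.parse

# Per mechanism under test (assumed names and header values):
#   test_headers    -> sent with the test page (the response to the test request)
#   test_html       -> test page that embeds the "network service" (106)
#   service_headers -> sent with the network service itself
#   service_body    -> the service; only a browser that actually processes it
#                      fires the /hit beacon, which a compliant browser never does
MECHANISMS = {
    "xfo": {
        "test_headers": {},
        "test_html": '<iframe src="/service?mechanism=xfo"></iframe>',
        # X-Frame-Options belongs on the framed resource; a browser honouring DENY
        # fetches it but refuses to render it, so the inline script never runs.
        "service_headers": {"X-Frame-Options": "DENY", "Content-Type": "text/html"},
        "service_body": '<script>fetch("/hit?mechanism=xfo")</script>',
    },
    "csp": {
        # CSP goes on the page that references the script; 'none' allows no source,
        # so a browser honouring it neither fetches nor executes /service.
        "test_headers": {"Content-Security-Policy": "script-src 'none'"},
        "test_html": '<script src="/service?mechanism=csp"></script>',
        "service_headers": {"Content-Type": "application/javascript"},
        "service_body": 'fetch("/hit?mechanism=csp")',
    },
}


class TestState:
    """Which test requests arrived and which network services the browser processed."""
    def __init__(self):
        self.requested = set()
        self.hits = set()
        self.lock = threading.Lock()


STATE = TestState()


def verdict(state, mechanism):
    """Support determination: True if a test request was received and the network
    service was never processed, False if it was processed, None while no test
    request for that mechanism has arrived yet."""
    with state.lock:
        if mechanism not in state.requested:
            return None
        return mechanism not in state.hits


class Handler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the test server quiet
        pass

    def _send(self, status, headers, body):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        mech = urllib.parse.parse_qs(url.query).get("mechanism", [""])[0]
        spec = MECHANISMS.get(mech)
        if spec is None:
            return self._send(404, {"Content-Type": "text/plain"}, b"unknown mechanism")
        if url.path == "/test":        # test request -> security header + test page
            with STATE.lock:
                STATE.requested.add(mech)
            headers = {"Content-Type": "text/html", **spec["test_headers"]}
            return self._send(200, headers, spec["test_html"].encode())
        if url.path == "/service":     # the network service (106)
            return self._send(200, spec["service_headers"], spec["service_body"].encode())
        if url.path == "/hit":         # beacon: the browser processed the service
            with STATE.lock:
                STATE.hits.add(mech)
            return self._send(204, {}, b"")
        if url.path == "/result":      # the determination, readable by the test script
            text = {None: "undecided", True: "supported", False: "unsupported"}
            return self._send(200, {"Content-Type": "text/plain"},
                              text[verdict(STATE, mech)].encode())
        self._send(404, {"Content-Type": "text/plain"}, b"not found")


def start_server(port=0):
    """Run the test server on a background thread; returns (server, bound port)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(port, path):
    """Minimal client for driving the server without a browser.
    Returns (status, headers with lower-cased names, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read())
    conn.close()
    return result


if __name__ == "__main__":
    _, port = start_server(8000)
    print(f"Open http://127.0.0.1:{port}/test?mechanism=csp in a browser, then read "
          f"http://127.0.0.1:{port}/result?mechanism=csp")
    threading.Event().wait()
```

    Run the file and open /test?mechanism=csp (or xfo) in the browser under test; the browser plays the role of the test script by loading the page, and /result reports "supported" only if the beacon never fired. Driving the server with `fetch` instead of a browser, as the embedded checks do, simulates a browser that ignores the header by calling /hit directly.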
  23. A test device (90) for testing whether a browser (104) supports each of at least two Hypertext Transfer Protocol (HTTP) security mechanisms, characterised in that it comprises:
    A sending module (901), for sending a test script file to the browser (104), the test script file being used to control the test of whether the browser (104) supports each of the at least two HTTP security mechanisms;
    A receiving module (903), for receiving the test requests sent separately by the browser (104) for each of the at least two HTTP security mechanisms;
    A processing module (902), for performing the following operations after the receiving module (903) receives each test request:
    In response to the test request, controlling the sending module (901) to send a security header to the browser (104), wherein the security header is used to configure the browser (104) to use the HTTP security mechanism targeted by the test request;
    Judging whether the browser (104) processes a network service (106) using the HTTP security mechanism targeted by the test request;
    Determining, according to the result of the judgement, whether the browser (104) supports the HTTP security mechanism targeted by the test request.
  24. A test device (100) for testing whether a browser (104) supports a Hypertext Transfer Protocol (HTTP) security mechanism, characterised in that it comprises:
    A memory (1001) for storing computer instructions;
    A processor (1002) for calling the computer instructions to perform the method as claimed in claim 23.
  25. A computer-readable medium storing computer instructions, characterised in that the computer instructions, when executed by a computing device, cause the computing device to perform the method as claimed in any one of claims 1 to 10 or in claim 22.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610826842.1A CN107819639B (en) 2016-09-14 2016-09-14 Test method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610826842.1A CN107819639B (en) 2016-09-14 2016-09-14 Test method and device

Publications (2)

Publication Number Publication Date
CN107819639A (en) 2018-03-20
CN107819639B CN107819639B (en) 2021-12-24

Family

ID=61601005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610826842.1A Active CN107819639B (en) 2016-09-14 2016-09-14 Test method and device

Country Status (1)

Country Link
CN (1) CN107819639B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108650257A (en) * 2018-05-09 2018-10-12 腾讯音乐娱乐科技(深圳)有限公司 Safety detection setting method, device and storage medium based on web site contents
CN110278207A (en) * 2019-06-21 2019-09-24 深圳前海微众银行股份有限公司 Clickjacking vulnerability detection method, device and computer equipment
CN110958316A (en) * 2019-11-29 2020-04-03 北京丁牛科技有限公司 Historical record obtaining method and device
CN108540674B (en) * 2018-03-22 2020-12-29 平安科技(深圳)有限公司 Automatic testing method and device, computer equipment and storage medium

Citations (11)

Publication number Priority date Publication date Assignee Title
CN101478755A (en) * 2009-01-21 2009-07-08 中兴通讯股份有限公司 Network security HTTP negotiation method and related apparatus
EP2430792A2 (en) * 2009-05-14 2012-03-21 Microsoft Corporation Http-based authentication
CN102480490A (en) * 2010-11-30 2012-05-30 国际商业机器公司 Method for preventing CSRF attack and equipment thereof
US20120291129A1 (en) * 2011-05-13 2012-11-15 Amichai Shulman Detecting web browser based attacks using browser digest compute tests launched from a remote source
CN103117897A (en) * 2013-01-25 2013-05-22 北京星网锐捷网络技术有限公司 Method and related device for detecting messages including Cookie information
CN103390026A (en) * 2013-06-20 2013-11-13 中国软件与技术服务股份有限公司 Mobile intelligent terminal security browser and working method thereof
US8683193B1 (en) * 2013-03-01 2014-03-25 Robert Hansen Strict communications transport security
US20140337614A1 (en) * 2013-05-07 2014-11-13 Imperva, Inc. Selective modification of encrypted application layer data in a transparent security gateway
CN104573547A (en) * 2014-10-21 2015-04-29 江苏通付盾信息科技有限公司 Information interaction safety protection system and operation realization method thereof
US9106661B1 (en) * 2012-04-11 2015-08-11 Artemis Internet Inc. Computing resource policy regime specification and verification
CN105187406A (en) * 2015-08-14 2015-12-23 安徽新华博信息技术股份有限公司 Man in the middle monitoring system adopting configurable way for HTTPS (Hypertext Transfer Protocol over Secure Socket Layer)

Patent Citations (12)

Publication number Priority date Publication date Assignee Title
CN101478755A (en) * 2009-01-21 2009-07-08 中兴通讯股份有限公司 Network security HTTP negotiation method and related apparatus
EP2383931A1 (en) * 2009-01-21 2011-11-02 ZTE Corporation Network security hypertext transfer protocol negotiation method and correlated devices
EP2430792A2 (en) * 2009-05-14 2012-03-21 Microsoft Corporation Http-based authentication
CN102480490A (en) * 2010-11-30 2012-05-30 国际商业机器公司 Method for preventing CSRF attack and equipment thereof
US20120291129A1 (en) * 2011-05-13 2012-11-15 Amichai Shulman Detecting web browser based attacks using browser digest compute tests launched from a remote source
US9106661B1 (en) * 2012-04-11 2015-08-11 Artemis Internet Inc. Computing resource policy regime specification and verification
CN103117897A (en) * 2013-01-25 2013-05-22 北京星网锐捷网络技术有限公司 Method and related device for detecting messages including Cookie information
US8683193B1 (en) * 2013-03-01 2014-03-25 Robert Hansen Strict communications transport security
US20140337614A1 (en) * 2013-05-07 2014-11-13 Imperva, Inc. Selective modification of encrypted application layer data in a transparent security gateway
CN103390026A (en) * 2013-06-20 2013-11-13 中国软件与技术服务股份有限公司 Mobile intelligent terminal security browser and working method thereof
CN104573547A (en) * 2014-10-21 2015-04-29 江苏通付盾信息科技有限公司 Information interaction safety protection system and operation realization method thereof
CN105187406A (en) * 2015-08-14 2015-12-23 安徽新华博信息技术股份有限公司 Man in the middle monitoring system adopting configurable way for HTTPS (Hypertext Transfer Protocol over Secure Socket Layer)

Non-Patent Citations (1)

Title
J. Hodges: "HTTP Strict Transport Security (HSTS)", IETF RFC 6797, ISSN 2070-1721, https://tools.ietf.org/html/rfc6797 *

Cited By (6)

Publication number Priority date Publication date Assignee Title
CN108540674B (en) * 2018-03-22 2020-12-29 平安科技(深圳)有限公司 Automatic testing method and device, computer equipment and storage medium
CN108650257A (en) * 2018-05-09 2018-10-12 腾讯音乐娱乐科技(深圳)有限公司 Safety detection setting method, device and storage medium based on web site contents
CN108650257B (en) * 2018-05-09 2021-02-02 腾讯音乐娱乐科技(深圳)有限公司 Security detection setting method and device based on website content and storage medium
CN110278207A (en) * 2019-06-21 2019-09-24 深圳前海微众银行股份有限公司 Clickjacking vulnerability detection method, device and computer equipment
CN110278207B (en) * 2019-06-21 2023-04-07 深圳前海微众银行股份有限公司 Click hijacking vulnerability detection method and device and computer equipment
CN110958316A (en) * 2019-11-29 2020-04-03 北京丁牛科技有限公司 Historical record obtaining method and device

Also Published As

Publication number Publication date
CN107819639B (en) 2021-12-24

Similar Documents

Publication Publication Date Title
Li et al. Security issues in OAuth 2.0 SSO implementations
Stuttard et al. The web application hacker's handbook: Finding and exploiting security flaws
Li et al. Analysing the Security of Google’s implementation of OpenID Connect
Drakonakis et al. The cookie hunter: Automated black-box auditing for web authentication and authorization flaws
Doerfler et al. Evaluating login challenges as a defense against account takeover
EP2810208B1 (en) Efficiently throttling user authentication
US20090216795A1 (en) System and method for detecting and blocking phishing attacks
CN107819639A (en) A kind of method of testing and device
CN107436873A (en) A kind of network address jump method, device and transferring device
Sivakorn et al. That's the way the Cookie crumbles: Evaluating HTTPS enforcing mechanisms
US20210083881A1 (en) Dynamically analyzing third-party application website certificates across users to detect malicious activity
Kaur et al. Browser fingerprinting as user tracking technology
Jammalamadaka et al. Delegate: A proxy based architecture for secure website access from an untrusted machine
Franken et al. Exposing cookie policy flaws through an extensive evaluation of browsers and their extensions
US10803164B2 (en) Validating sign-out implementation for identity federation
Rocchetto et al. Model-based detection of CSRF
Sudhodanan et al. Pre-hijacked accounts: an empirical study of security failures in user account creation on the web
CN109729045A (en) Single-point logging method, system, server and storage medium
US11853109B1 (en) Securely manipulating and utilizing user credentials
Mainka et al. Automatic recognition, processing and attacking of single sign-on protocols with burp suite
CN107294917A (en) One kind trusts login method and device
Wang et al. A framework for formal analysis of privacy on SSO protocols
CN112929388B (en) Network identity cross-device application rapid authentication method and system, and user agent device
CN107168980A (en) Page display method and device
CN114095483A (en) Password substitution filling method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant