CN108712367A - Message processing method, device and equipment - Google Patents

Message processing method, device and equipment

Info

Publication number: CN108712367A
Authority: CN (China)
Prior art keywords: address, domain name, http, message, address information
Legal status: Pending (the status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN201810264579.0A
Other languages: Chinese (zh)
Inventor: 岳炳词
Current assignee: New H3C Security Technologies Co Ltd (as listed by Google Patents)
Original assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd; priority to CN201810264579.0A; published as CN108712367A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 > H04L > H04L63/00 Network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 > H04L > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

An embodiment of the present invention provides a message processing method, device and equipment. The method includes: receiving an HTTP message sent by an HTTP server; comparing the first address information carried by the URL in the HTTP message with the second address information of the HTTP server; and, if the two differ, determining that the message is an illegitimate message and applying the preset processing for illegitimate messages. In the attack code of a CSRF attack message, the address information in the reference address field differs from the address information of the server that sent the message. The address information may be a domain name or an IP address: the address information of website Web1 contained in "src=<URL of website Web1>" differs from the address information of website Web2. Comparing the two therefore identifies CSRF attack messages, which can be discarded, alerted on or otherwise processed, protecting against CSRF attacks and reducing the security risk.

Description

Message processing method, device and equipment
Technical field
The present invention relates to the field of communication technology, and in particular to a message processing method, device and equipment.
Background technology
A CSRF (Cross-Site Request Forgery, also abbreviated XSRF) attack maliciously exploits a website and poses a considerable security risk to the user. The principle of a CSRF attack is illustrated by the following example:
Assume the user accesses the legitimate website Web1 through the browser of a terminal device and enters personal information such as a user name and password on Web1. Website Web1 generates a Cookie from that personal information, adds the Cookie to a response message and sends the response message to the browser. While the user has Web1 open in the browser, the user also opens the illegitimate website Web2. After Web2 receives the user's access request, it sends the browser a response message carrying attack code. The attack code contains "src=<URL of website Web1>?<operation parameter sequence>". The field after "src=" can be understood as a reference address field; it contains the referenced address information, which may be an IP address or a domain name. The "URL (uniform resource locator) of website Web1" contains the address information of website Web1, which may be the domain name or the IP address of Web1. After the browser receives the attack code, it may, without the user's knowledge and at the request of the illegitimate website Web2, send a message carrying the Cookie to the legitimate website Web1. After Web1 receives the message carrying the Cookie, it processes the message with the user's permissions; that is, the illegitimate website Web2 accesses the legitimate website Web1 with the permissions of the user. This poses a considerable security risk to the user.
Invention content
The embodiments of the present invention aim to provide a message processing method, device and equipment that protect against CSRF attacks and reduce the security risk.
To achieve the above objective, an embodiment of the present invention provides a message processing method applied to a security protection device, including:
receiving an HTTP message sent by an HTTP server;
obtaining the first address information carried by the URL in the HTTP message;
determining the second address information of the HTTP server;
judging whether there is first address information that differs from the second address information;
if there is, determining that the HTTP message is an illegitimate message and applying the preset processing for illegitimate messages.
To achieve the above objective, an embodiment of the present invention further provides a message processing device applied to a security protection device, including:
a first receiving module, for receiving an HTTP message sent by an HTTP server;
a first acquisition module, for obtaining the first address information carried by the URL in the HTTP message;
a first determining module, for determining the second address information of the HTTP server;
a first judgment module, for judging whether there is first address information that differs from the second address information;
a processing module, for determining, when the judgment result of the first judgment module is yes, that the HTTP message is an illegitimate message and applying the preset processing for illegitimate messages.
To achieve the above objective, an embodiment of the present invention further provides an electronic device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is for storing a computer program;
the processor, when executing the program stored in the memory, implements any of the above message processing methods.
To achieve the above objective, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the above message processing methods.
With the illustrated embodiments of the present invention, an HTTP message sent by an HTTP server is received, and the first address information carried by the URL in the HTTP message is compared with the second address information of the HTTP server that sent the message; if the two differ, the message is determined to be an illegitimate message and the preset processing for illegitimate messages is applied. In the attack code of a CSRF attack message, the address information in the reference address field differs from the address information of the server that sent the message. The address information may be a domain name or an IP address: the address information of website Web1 contained in "src=<URL of website Web1>" differs from the address information of website Web2. Comparing the two identifies CSRF attack messages, which are discarded, alerted on or otherwise processed, thereby protecting against CSRF attacks and reducing the security risk.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings in the following description show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flow diagram of the message processing method provided by an embodiment of the present invention;
Fig. 2 is a second flow diagram of the message processing method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of the execution of a CSRF detection module provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a message processing device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings of those embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To solve the above technical problem, an embodiment of the present invention provides a message processing method, device and electronic equipment. The method and device can be applied to a security protection device, which may be the terminal device itself or another device communicatively connected to the terminal device that performs security protection for it. The terminal device may be any of various electronic devices such as a mobile phone, tablet computer or desktop computer; it is not specifically limited.
The message processing method provided by an embodiment of the present invention is first described in detail below.
Fig. 1 is a first flow diagram of the message processing method provided by an embodiment of the present invention, including:
S101: receive an HTTP (HyperText Transfer Protocol) message sent by an HTTP server.
For example, the terminal device may first send an HTTP request message to the server; after receiving the HTTP request message, the server returns an HTTP message to the terminal device, and that HTTP message can be processed using the embodiment of the present invention.
S102: obtain the first address information carried by the URL in the HTTP message.
For example, the field after "src=" in the URL can be understood as a reference address field, which contains the referenced address information. The referenced address information may be an IP address or a domain name; that IP address or domain name is taken as the first address information. If the HTTP message contains several occurrences of "src=", several items of first address information are obtained.
S103: determine the second address information of the HTTP server.
For convenience of description, the address information carried by the URL in the HTTP message is called the first address information, and the address information of the HTTP server is called the second address information.
If the first address information is an IP address, the source IP address of the HTTP message can be determined to be the second address information.
If the first address information is a domain name, the domain name corresponding to the source IP address of the HTTP message can be looked up in the session entry and determined to be the second address information. Here the session entry contains an IP address and the domain name corresponding to that IP address.
A session entry normally contains an IP address; in this scheme it additionally contains the domain name corresponding to that IP address. Specifically, the process of establishing the session entry may include: obtaining a first HTTP request message sent by the terminal device; determining a first domain name from the URL in the first HTTP request message; and adding the first domain name to the session entry corresponding to the first HTTP request message.
For example, security software installed on the terminal device may carry out this scheme: it obtains the HTTP request message the terminal device sends to the server, reads the URL in the HTTP request message, determines the domain name identified by the URL and adds that domain name to the session entry. The session entry then contains the IP address and its corresponding domain name.
As another example, an independent security protection device may be deployed outside the terminal device to carry out this scheme: it obtains the HTTP request message the terminal device sends to the server, reads the URL in the HTTP request message, determines the domain name identified by the URL and adds that domain name to the session entry.
It is understood that if the URL in the HTTP request message carries a domain name, that domain name is added directly to the session entry. If the URL in the HTTP request message carries an IP address, the domain name corresponding to the IP address can be determined by reverse DNS resolution; this is not specifically limited.
S104: judge whether there is first address information that differs from the second address information; if there is, execute S105.
S105: determine that the HTTP message is an illegitimate message and apply the preset processing for illegitimate messages.
As described above, one or several items of first address information may have been read. If there is one, it is directly judged whether the first address information and the second address information are the same; if they differ, the HTTP message is determined to be an illegitimate message, that is, a CSRF attack message; if they are the same, the HTTP message is determined to be a legitimate message.
If there are several, each item of first address information is compared with the second address information; if one or more items of first address information differ from the second address information, the HTTP message is determined to be an illegitimate message, that is, a CSRF attack message.
The processing applied to illegitimate messages can be preset, for example discarding the message or displaying alarm information to the user; it is not specifically limited. If the HTTP message is determined to be an illegitimate message, it is processed according to that preset processing.
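The check of S101 to S105, as an added example in Python; this is not the patent's own code, and the session table (source IP to domain, as the description says the session entry records it) and the two response bodies are constructed for the example. It shows the two cases the description distinguishes: a referenced IP address is compared with the response's source IP, a referenced domain name with the domain the session entry holds for that source IP, and a message with several "src=" occurrences is flagged as soon as one differs. Note that, as written, the comparison also flags any absolute reference to a third host such as an ordinary image or CDN server; the protection tables introduced further on in the description exist to narrow the check to servers worth protecting.

```python
"""Core check of S101-S105: every address referenced by a src= URL in the
server's HTTP response is compared with the identity of the server that sent
it. Added example, not the patent's own code; the session table and the
two response bodies are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed session table: source IP of the response -> domain name that
# the session entry recorded from the client's earlier HTTP request.
SESSION_TABLE = {
    "203.0.113.10": "web2.example",   # attacker-controlled site
    "198.51.100.7": "web1.example",   # legitimate site the user is logged in to
}

# The reference address field: whatever follows src= (quoted or bare).
_SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def extract_first_addresses(body: str) -> list:
    """S102: host of every absolute src= URL, one per occurrence. Relative
    references have no host, point back at the sender and are skipped."""
    hosts = []
    for m in _SRC_RE.finditer(body):
        ref = next(g for g in m.groups() if g is not None)
        if ref.startswith("//"):            # scheme-relative URL still names a host
            ref = "http:" + ref
        host = urlsplit(ref).hostname       # urlsplit lowercases the host
        if host:
            hosts.append(host)
    return hosts


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def second_address(first: str, server_ip: str, session_table: dict) -> str:
    """S103: for an IP reference the server identity is the response's source
    IP; for a domain reference it is the domain the session entry holds for
    that source IP (empty, hence never equal, if no domain was recorded)."""
    return server_ip if _is_ip(first) else session_table.get(server_ip, "")


def classify_response(server_ip: str, body: str, session_table: dict = SESSION_TABLE) -> dict:
    """S104/S105: illegitimate if any first address differs from the second
    address. Returns the verdict and the differing addresses."""
    mismatches = [a for a in extract_first_addresses(body)
                  if a != second_address(a, server_ip, session_table)]
    return {"illegitimate": bool(mismatches), "mismatches": mismatches}


# Constructed traffic. web2's page embeds the forged request to web1 that the
# background section describes ("src=<URL of Web1>?<operation parameters>").
ATTACK_BODY = ('<html><img src="/logo.png">'
               '<img src="http://web1.example/transfer?to=attacker&amount=1000" width=0>'
               '</html>')
BENIGN_BODY = ('<html><img src="http://web2.example/banner.png">'
               "<script src='/app.js'></script></html>")

if __name__ == "__main__":
    print("attack :", classify_response("203.0.113.10", ATTACK_BODY))
    print("benign :", classify_response("203.0.113.10", BENIGN_BODY))
```

Run directly, the attack body is reported with `web1.example` as the differing address and the benign body passes; feeding the same `web1.example` reference in a response whose source IP is 198.51.100.7 (web1 itself) passes, which is the per-session comparison the description relies on rather than a fixed allow-list.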
As one embodiment, when the judgment result of S104 is yes, the first address information that differs from the second address information can first be looked up in a pre-established protection table; S105 is executed only if it is found there.
The protection table entries may contain the domain names and/or IP addresses of servers that are more likely to be attacked, for example the domain names and IP addresses of banking websites and shopping websites. Such websites involve the user's personal information and property, so protection table entries can be generated for them.
For example, an input interface can be provided through which the user enters the domain names and/or IP addresses of the servers that need protection, and the protection table entries are generated from the domain names and/or IP addresses entered by the user.
Alternatively, protection table entries can be established in another way, which may specifically include:
obtaining a second HTTP request message sent by the terminal device; determining a second domain name from the URL in the second HTTP request message; and adding to the protection table a protection table entry containing the destination IP address of the second HTTP request message and the second domain name.
To distinguish the two, the entries established from user input are called static protection table entries, and the entries established from the interaction between the terminal device and the server are called dynamic protection table entries; in other words, the pre-established protection table may include a static protection table and/or a dynamic protection table.
Also to distinguish them, the HTTP request message involved in establishing a dynamic protection table entry is called the second HTTP request message, and the HTTP request message involved in establishing a session entry is called the first HTTP request message. The first and second HTTP request messages may be the same message or different messages.
For example, the HTTP request messages the terminal device sends to servers can be monitored and the URL in each read: if the URL carries a domain name, a dynamic protection table entry containing that domain name and the destination IP address of the HTTP request message is added to the dynamic protection table; if the URL carries an IP address, the domain name corresponding to that IP address is determined by reverse DNS resolution, and a dynamic protection table entry containing the determined domain name and the destination IP address of the HTTP request message is added to the dynamic protection table.
In one case, both of the above ways of establishing protection table entries can be used at the same time; in other words, the protection table includes both a static protection table and a dynamic protection table.
In that case, before a dynamic protection table entry is added to the dynamic protection table, the destination IP address of the second HTTP request message and the second domain name can first be looked up in the static protection table; the dynamic protection table entry is added only if they are not found. If they are found, there is no need to add the dynamic protection table entry again, which avoids establishing duplicate dynamic protection table entries.
Alternatively, as another embodiment, after the second HTTP request message is obtained, it can first be judged whether the second HTTP request message contains a Cookie; if so, the destination IP address of the second HTTP request message and the second domain name are looked up in the static protection table, and if they are not found, a dynamic protection table entry is added to the dynamic protection table.
Those skilled in the art will understand that, to distinguish user identities or track sessions, a server usually stores a Cookie on the terminal device. The Cookie is generated from the user's private data, so an HTTP request message containing a Cookie indicates that the destination address of that request message needs protection. In this embodiment, protection table entries are established for HTTP request messages containing a Cookie, which makes the protection table entries more targeted.
As one embodiment, static protection table entries can also be established in another way. To distinguish them, the static protection table entries established from user input are called first static protection table entries, and those established in the following way are called second static protection table entries:
obtaining a pre-configured domain name; sending a DNS request message carrying the pre-configured domain name to a domain name server; receiving the DNS response message sent by the domain name server, which carries the IP address corresponding to the pre-configured domain name; and adding to the static protection table a second static protection table entry containing the pre-configured domain name and its corresponding IP address.
The domain name server is a DNS (Domain Name System) server, through which a domain name can be converted to its corresponding IP address. In this embodiment, the user need only configure the domain name; the corresponding IP address is obtained through the DNS server, and a static protection table entry is established from the domain name and that IP address. The user does not need to enter the IP address manually, which improves the user experience.
As one embodiment, the dynamic protection table entry established above may also contain the session identifier (ID) corresponding to the second HTTP request message; when the session corresponding to that session ID is deleted, the dynamic protection table entries containing that session ID can be deleted from the dynamic protection table.
In this embodiment, dynamic protection table entries are deleted in good time, saving storage space and improving entry lookup efficiency.
With the embodiment of Fig. 1, an HTTP message sent by an HTTP server is received, and the first address information carried by the URL in the HTTP message is compared with the second address information of the HTTP server that sent the message; if the two differ, the message is determined to be an illegitimate message and the preset processing for illegitimate messages is applied. In the attack code of a CSRF attack message, the address information in the reference address field differs from the address information of the server that sent the message; the address information may be a domain name or an IP address, that is, the address information of website Web1 contained in "src=<URL of website Web1>" differs from the address information of website Web2. Comparing the two identifies CSRF attack messages, thereby protecting against CSRF attacks and reducing the security risk.
Fig. 2 is a second flow diagram of the message processing method provided by an embodiment of the present invention, including:
S201: receive an HTTP message sent by an HTTP server.
S202: obtain the first address information carried by the URL in the HTTP message.
For example, the field after "src=" in the URL can be understood as a reference address field, which contains the referenced address information. The referenced address information may be an IP address or a domain name; that IP address or domain name is taken as the first address information. If the HTTP message contains several occurrences of "src=", several items of first address information are obtained.
S203: determine the second address information of the HTTP server.
For convenience of description, the address information carried by the URL in the HTTP message is called the first address information, and the address information of the HTTP server is called the second address information.
If the first address information is an IP address, the source IP address of the HTTP message can be determined to be the second address information. If the first address information is a domain name, the domain name corresponding to the source IP address of the HTTP message can be looked up in the session entry and determined to be the second address information. Here the session entry contains an IP address and the domain name corresponding to that IP address.
S204: judge whether there is first address information that differs from the second address information. If there is, execute S205; if not, execute S208.
S205: look up, in the pre-established static protection table, the first address information that differs from the second address information. If it is not found, execute S206; if it is found, execute S207.
The static protection table can be established in many ways, for example:
As one embodiment, an input interface can be provided through which the user enters the domain names and/or IP addresses of the servers that need protection; first static protection table entries are generated from the domain names and/or IP addresses entered by the user and added to the static protection table.
As another embodiment, a pre-configured domain name can be obtained; a DNS request message carrying the pre-configured domain name is sent to a domain name server; the DNS response message sent by the domain name server is received, carrying the IP address corresponding to the pre-configured domain name; and a second static protection table entry containing the pre-configured domain name and its corresponding IP address is added to the static protection table.
The domain name server is a DNS server, through which a domain name can be converted to its corresponding IP address. In this embodiment the user need only configure the domain name; the corresponding IP address is obtained through the DNS server, and the static protection table entry is established from the domain name and that IP address. The user does not need to enter the IP address manually, which improves the user experience.
S206: look up, in the pre-established dynamic protection table, the first address information that differs from the second address information. If it is not found, execute S208; if it is found, execute S207.
The dynamic protection table can be established in many ways, for example:
obtaining a second HTTP request message sent by the terminal device; determining a second domain name from the URL in the second HTTP request message; and adding to the dynamic protection table a dynamic protection table entry containing the destination IP address of the second HTTP request message and the second domain name.
To distinguish them, the HTTP request message involved in establishing a dynamic protection table entry is called the second HTTP request message, and the HTTP request message involved in establishing a session entry is called the first HTTP request message. The first and second HTTP request messages may be the same message or different messages.
For example, the HTTP request messages the terminal device sends to servers can be monitored and the URL in each read: if the URL carries a domain name, a dynamic protection table entry containing that domain name and the destination IP address of the HTTP request message is added to the dynamic protection table; if the URL carries an IP address, the domain name corresponding to that IP address is determined by reverse DNS resolution, and a dynamic protection table entry containing that domain name and the destination IP address of the HTTP request message is added to the dynamic protection table.
S207: determine that the HTTP message is an illegitimate message and apply the preset processing for illegitimate messages.
S208: determine that the HTTP message is a legitimate message.
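The decision flow of Fig. 2 (S204 to S208) with a static and a dynamic protection table, as an added example in Python that is not the patent's own code. It also covers the two ways of building the static table described above: entries typed in by the user, and entries whose IP address comes from a DNS answer for a pre-configured domain. The DNS exchange is replaced by a constructed answer table so the example runs offline; the domains, IP addresses and the dynamic entry are likewise constructed. The comparison with the server's address treats both forms of second address information (its IP and its domain) as "same", and a differing address hits a table entry if it equals either the entry's domain or its IP.

```python
"""Decision flow of Fig. 2 (S204-S208) against a static and a dynamic
protection table. Added example, not the patent's own code: the DNS answers
used to build the static table and every table entry are constructed."""

# Stand-in for the DNS request/response of the second kind of static entry:
# the device would query each configured domain and record the answer.
FAKE_DNS_ANSWERS = {
    "bank.example": "198.51.100.7",
    "shop.example": "198.51.100.8",
}


def build_static_table(configured_domains, resolve=FAKE_DNS_ANSWERS.get) -> dict:
    """Second static entries: the user configures only the domain, the IP
    comes from DNS. Domains without an answer are left out."""
    return {d: resolve(d) for d in configured_domains if resolve(d)}


def add_first_static_entry(static: dict, domain: str, ip: str) -> None:
    """First static entries: domain and IP both typed in by the user."""
    static[domain] = ip


def _in_table(table: dict, addr: str) -> bool:
    """A first address hits an entry when it equals the entry's domain or IP."""
    return addr in table or addr in table.values()


def decide(first_addresses, server_ip: str, server_domain: str,
           static: dict, dynamic: dict) -> str:
    """S204-S208. A first address differs when it names neither the sending
    server's IP nor its domain (the two forms of second address information)."""
    differing = [a for a in first_addresses if a not in (server_ip, server_domain)]
    if not differing:
        return "legitimate"                       # S204 -> S208
    if any(_in_table(static, a) for a in differing):
        return "illegitimate:static"              # S205 -> S207
    if any(_in_table(dynamic, a) for a in differing):
        return "illegitimate:dynamic"             # S206 -> S207
    return "legitimate"                           # S206 -> S208


def example_tables():
    """Constructed tables: two domains via the DNS stand-in (a third does not
    resolve and is dropped), one typed-in entry, and one dynamic entry as it
    would have been learned from an earlier cookie-bearing request."""
    static = build_static_table(["bank.example", "shop.example", "unknown.example"])
    add_first_static_entry(static, "broker.example", "198.51.100.9")
    dynamic = {"forum.example": "192.0.2.20"}     # domain -> destination IP
    return static, dynamic


if __name__ == "__main__":
    static, dynamic = example_tables()
    # Responses from the attacker-controlled web2 (203.0.113.10 / web2.example)
    # referencing various hosts; only protected hosts reach S207.
    for refs in (["cdn.example"], ["bank.example"], ["198.51.100.7"],
                 ["forum.example"], ["web2.example", "203.0.113.10"]):
        print(refs, "->", decide(refs, "203.0.113.10", "web2.example", static, dynamic))
```

Run directly, a reference to an unprotected `cdn.example` is legitimate, references to `bank.example` or to its IP hit the static table, a reference to `forum.example` hits the dynamic table, and references to web2's own domain or IP are legitimate; this is the narrowing that the plain comparison of Fig. 1 lacks.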
Fig. 3 is that a kind of application scenarios of the embodiment of the present invention provide a kind of specific embodiment party with reference to Fig. 2 and Fig. 3 Formula:
As shown in figure 3, installing CSRF protectors in terminal device, protection table is established in CSRF protectors, protects table Including static state protection table and dynamic protection table.
The process of establishing of static protection table may include:Server domain name input by user is received, is carried out for the domain name DNS request obtains the corresponding IP address of the domain name, and the domain name and its corresponding IP address constitute a static protection list item, will Static state protection list item is added to static protection table.The structure of static state protection list item can be as follows:
Domain (domain name) IP Address
The message interacted between CSRF protector monitor terminal device navigators and each server.It for example, can be with It is arranged http protocol port (HTTP-Port), source port or destination interface is monitored simultaneously for the message of the HTTP-Port Processing.
CSRF protectors can be directed to the communication between terminal device and server, establish session entry.Session entry can To include server side IP, server side ports, domain name, CSRF warning signs and session status, the structure of session entry can be with As follows:
Server side IP Server side ports Domain name CSRF warning signs Session status
Wherein, domain name is the corresponding domain names of server side IP;CSRF warning signs can include 0,1,2 three kind of state, 0 table Show and CSRF protection is not carried out to the corresponding server of session entry, the domain name for including in 1 expression session entry has been added to dynamic List item, the domain name for including in 2 expression session entries is protected to have been added to static protection list item;Session status and terminal device are to clothes The state of Transmission Control Protocol between business device is identical, and session status is for indicating current TCP connection state in which.
The process of establishing a session entry may include: obtaining the HTTP request message sent by the terminal device; determining the domain name from the URL in the HTTP request message; and adding the determined domain name to the session entry corresponding to the HTTP request message.
For example, the HTTP request message sent by the terminal device to the server may be monitored and the URL in the HTTP request message read: if the URL carries the server's domain name, the domain name carried in the URL is added to the session entry; if the URL carries the server's IP address, the domain name corresponding to that IP address is determined by reverse DNS resolution, and the determined domain name is added to the session entry.
Specifically, when the terminal device initiates a TCP connection to the server, the session entry is established; when the connection is closed, the session entry is deleted. In the direction in which the terminal device sends HTTP requests to the server, the matching session entry is looked up by the destination IP and destination port of the HTTP request message; in the direction in which the server sends HTTP replies to the terminal device, the matching session entry is looked up by the source IP and source port of the reply message.
Assume the CSRF protector observes the terminal device sending an HTTP request message to server A. The CSRF protector looks up the matching session entry by the destination IP and destination port of that HTTP request message. If the HTTP request message contains a Cookie and the CSRF protection flag in the found session entry is 0, the CSRF protector reads the URL in the HTTP request message: if the URL carries the IP address of server A, the domain name corresponding to that IP address is determined by reverse DNS resolution; if the URL carries the domain name of server A, the IP address corresponding to that domain name may be determined by DNS resolution, or alternatively the destination IP address of the HTTP request message may be taken directly as the IP address corresponding to the domain name.
The domain name of server A and its corresponding IP address are looked up in the static protection entries. If found, the CSRF protector sets the CSRF protection flag in the session entry to 2; if not found, the CSRF protector establishes a dynamic protection entry and sets the CSRF protection flag in the session entry to 1.
The dynamic protection entry established by the CSRF protector includes: the domain name of server A, the destination IP of the request message (that is, the server-side IP) and the session ID (Session ID). The structure of a dynamic protection entry may be as follows:
Session ID | Domain (domain name) | IP Address
If the session entry is deleted, the CSRF protector deletes the dynamic protection entry corresponding to that session entry; the session entry pointed to by the Session ID is the session entry corresponding to the dynamic protection entry.
As an example, assume the browser on the terminal device is closed or the server disconnects, so that the session between the terminal device and the server ends. The CSRF protection flag in the session entry is read first: if the flag is 0, the session entry is deleted directly; if the flag is 1, the Session ID in the session entry is read, the dynamic protection entry containing that Session ID is looked up, and both the dynamic protection entry and the session entry are deleted.
The above is the process of establishing and maintaining the entries; the process by which the terminal device performs CSRF protection is described below:
Assume the terminal device receives a reply message sent by the server, that is, the HTTP message described in this embodiment. The source IP address and source port of the HTTP message are read, and the matching session entry is looked up by that source IP address and source port. Specifically, the source IP address is matched against the server-side IP address in the session entry, and the source port is matched against the server-side port in the session entry.
If no matching session entry exists, the HTTP message may be discarded, or no further processing is performed on it. If a matching session entry exists, the HTTP message is parsed, and the domain name or IP address contained in each URL following "src=" is extracted as first address information. The number of pieces of first address information contained in the HTTP message is denoted count; the value of count equals the number of occurrences of "src=" in the HTTP message.
An array AssertUrl[] is established; the initial value of the array index i may be 0, and each element of the array is one piece of first address information, that is, each element may be a domain name or an IP address. AssertUrl[], the Session ID of the matching session entry and count are taken as input to invoke the CSRF detection module in the CSRF protector.
The flow executed by the CSRF detection module may be as shown in Figure 4:
S401: judge whether i is less than count. If it is less, execute S402; if it is equal, the flow ends and the HTTP message is determined to be a legitimate message. The initial value of i is 0.
S402: judge whether AssertUrl[i] contains an IP address or a domain name. If it contains an IP address, execute S403; if it contains a domain name, execute S407.
S403: judge whether the IP address contained in AssertUrl[i] is the same as the source IP address of the HTTP message. If they are the same, execute S404; if they differ, execute S405.
S404: i = i + 1, and return to execute S401.
S405: judge whether a static protection entry matching the IP address contained in AssertUrl[i] exists. If it exists, execute S411; if it does not, execute S406.
S406: judge whether a dynamic protection entry matching the IP address contained in AssertUrl[i] exists. If it exists, execute S411; if it does not, execute S404.
S407: judge whether the domain name contained in AssertUrl[i] is the same as the domain name contained in the matching session entry. If they are the same, execute S408; if they differ, execute S409.
In one case, if AssertUrl[i] contains an IP address, the session entry need not be used: the source IP address of the HTTP message is determined directly, and the IP address contained in AssertUrl[i] is compared with that source IP address. If AssertUrl[i] contains a domain name, the server's domain name must be obtained from the matching session entry, and the domain name contained in AssertUrl[i] is compared with the obtained server domain name.
Alternatively, in another case, the source IP address of the HTTP message may also be obtained from the matching session entry; this is also reasonable.
S408: i = i + 1, and return to execute S401.
S409: judge whether a static protection entry matching the domain name contained in AssertUrl[i] exists. If it exists, execute S411; if it does not, execute S410.
S410: judge whether a dynamic protection entry matching the domain name contained in AssertUrl[i] exists. If it exists, execute S411; if it does not, execute S408.
S411: determine the HTTP message to be an invalid message, and perform the preset processing for the invalid message.
As shown in Figure 4, the flow executed by the CSRF detection module is a loop with two termination conditions. In the first case, i == count: the HTTP message is determined to be a legitimate message and the flow ends. In the second case, S411 is executed: the HTTP message is determined to be an invalid message, the preset processing is performed for it, and the flow ends. That is, if there exists an element in AssertUrl[] that differs from the second address information of the HTTP message and is present in a protection entry, the HTTP message is determined to be an invalid message, the preset processing is performed for it and the flow ends. If every element in AssertUrl[] is either the same as the second address information of the HTTP message or is not present in any protection entry, the HTTP message is determined to be a legitimate message and the flow ends.
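The following is an added worked example, not code from the patent or its assignee, covering both the entry maintenance described above (session entries, the static and dynamic protection tables, the Cookie-triggered choice between flag 1 and flag 2, and deletion at session end) and the detection flow S401-S411. Reverse DNS is replaced by a constructed lookup table, the class and function names (Protector, on_http_request, csrf_detect, extract_first_addresses) and the hosts bank.example and web2.example are assumptions made for the illustration, and "src=" references without a host (relative URLs) are assumed to carry no address and are skipped.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added illustration, not the patent's own code. The table layouts follow the
# description (session entry, static and dynamic protection entries); all class,
# function and host names below are assumptions made for this example.

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


@dataclass
class SessionEntry:
    server_ip: str
    server_port: int
    domain: str = ""
    csrf_flag: int = 0            # 0: not protected, 1: dynamic entry, 2: static entry
    state: str = "ESTABLISHED"    # mirrors the TCP state of the connection


def host_of(url: str) -> Optional[str]:
    """Domain name or IP carried by a URL; relative references carry none (assumption: skipped)."""
    m = re.match(r"^(?:[a-z]+:)?//([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def extract_first_addresses(http_message: str) -> List[str]:
    """AssertUrl[]: one entry per src= whose URL carries a domain name or IP address."""
    return [h for h in (host_of(u) for u in SRC_RE.findall(http_message)) if h]


@dataclass
class Protector:
    static_table: Dict[str, str] = field(default_factory=dict)               # domain -> IP
    dynamic_table: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # sid -> (domain, IP)
    sessions: Dict[int, SessionEntry] = field(default_factory=dict)          # sid -> entry
    reverse_dns: Dict[str, str] = field(default_factory=dict)                # constructed stand-in for reverse DNS

    def find_session(self, ip: str, port: int) -> Optional[int]:
        return next((sid for sid, s in self.sessions.items()
                     if s.server_ip == ip and s.server_port == port), None)

    def tcp_connect(self, sid: int, server_ip: str, server_port: int) -> None:
        self.sessions[sid] = SessionEntry(server_ip, server_port)

    def on_http_request(self, sid: int, url: str, has_cookie: bool) -> int:
        """Record the server domain in the session; with a Cookie and flag 0, choose
        the static entry (flag 2) if the domain/IP pair is registered, otherwise add
        a dynamic entry (flag 1). Returns the resulting flag."""
        s = self.sessions[sid]
        host = host_of(url) or ""
        s.domain = self.reverse_dns.get(host, host) if IP_RE.match(host) else host
        if has_cookie and s.csrf_flag == 0:
            if self.static_table.get(s.domain) == s.server_ip:
                s.csrf_flag = 2
            else:
                self.dynamic_table[sid] = (s.domain, s.server_ip)
                s.csrf_flag = 1
        return s.csrf_flag

    def session_end(self, sid: int) -> None:
        """Connection closed: drop the session entry and, for flag 1, its dynamic entry."""
        if self.sessions[sid].csrf_flag == 1:
            self.dynamic_table.pop(sid, None)
        del self.sessions[sid]

    def in_protection_tables(self, addr: str) -> bool:
        """S405/S406 and S409/S410: is addr (IP or domain) present in any protection entry?"""
        in_static = addr in self.static_table or addr in self.static_table.values()
        in_dynamic = any(addr in pair for pair in self.dynamic_table.values())
        return in_static or in_dynamic

    def csrf_detect(self, src_ip: str, src_port: int, http_message: str) -> str:
        """Flow S401-S411 for a reply message arriving from (src_ip, src_port)."""
        sid = self.find_session(src_ip, src_port)
        if sid is None:
            return "dropped"                       # no matching session entry
        own_domain = self.sessions[sid].domain
        for addr in extract_first_addresses(http_message):   # S401: i < count
            # S402: IP addresses are compared with the source IP (S403),
            # domain names with the session's domain name (S407)
            if addr == (src_ip if IP_RE.match(addr) else own_domain):
                continue                           # S404 / S408: i = i + 1
            if self.in_protection_tables(addr):    # S405-S406 / S409-S410
                return "invalid"                   # S411
        return "legal"                             # i == count


def build_example_protector() -> Protector:
    """Constructed scenario: bank.example is user-registered (static); web2.example
    receives a dynamic entry once the browser sends it a request carrying a Cookie."""
    p = Protector(static_table={"bank.example": "10.0.0.1"},
                  reverse_dns={"10.0.0.1": "bank.example", "10.0.0.2": "web2.example"})
    p.tcp_connect(1, "10.0.0.1", 443)
    p.on_http_request(1, "http://10.0.0.1/account", has_cookie=True)          # flag 2
    p.tcp_connect(2, "10.0.0.2", 80)
    p.on_http_request(2, "http://web2.example/index.html", has_cookie=True)   # flag 1
    return p


# Constructed reply bodies from web2.example (not captured traffic)
BENIGN_REPLY = '<img src="http://web2.example/logo.png"><script src="//cdn.example/a.js">'
ATTACK_REPLY = '<img src="http://web2.example/x.png"><img src="http://bank.example/action">'

if __name__ == "__main__":
    p = build_example_protector()
    print(p.csrf_detect("10.0.0.2", 80, BENIGN_REPLY))   # legal
    print(p.csrf_detect("10.0.0.2", 80, ATTACK_REPLY))   # invalid
```

The reply that references cdn.example passes because cdn.example is in no protection table, which matches the second termination condition above: only a differing address that is also present in a protection entry makes the message invalid. A reply from bank.example that references web2.example is likewise flagged, because web2.example sits in the dynamic table for as long as session 2 is alive.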
If the HTTP message is determined to be a legitimate message, the CSRF protector may pass the HTTP message to the other processing modules of the terminal device for handling. The CSRF protector may handle an invalid message in many ways: for example, it may show warning information to the user or generate an attack log; other handling is also possible, for example discarding the HTTP message; alternatively, several options may be offered to the user, such as an option to continue the access or an option to delete the message, and subsequent processing is performed according to the user's selection.
In most existing schemes protecting against CSRF attacks, protection is performed on the server side. Such schemes cannot guarantee that all servers are protected, cannot reduce the security risk when a user accesses a server, and leave the user unaware of which servers can be protected and which cannot, so the user experience is poor.
By applying this embodiment, CSRF attack protection can be applied to messages sent by any server. On the one hand, security and user experience are improved; on the other hand, the format of the message exchange between the server and the terminal device is not restricted, so the scheme is widely applicable.
In addition, in this embodiment the user can add static protection entries according to his own needs, giving a better protection effect; if no static protection entry matches the message but the message carries Cookie data, a dynamic protection entry is established in that case, further improving the protection effect.
Corresponding to the above method embodiment, an embodiment of the present invention also provides a message processing device, as shown in Figure 5, including:
a first receiving module 501, configured to receive an HTTP message sent by an HTTP server;
a first acquisition module 502, configured to obtain first address information carried by the URL in the HTTP message;
a first determining module 503, configured to determine second address information of the HTTP server;
a first judgment module 504, configured to judge whether first address information different from the second address information exists;
a processing module 505, configured to, in the case where the judgment result of the first judgment module 504 is yes, determine the HTTP message to be an invalid message and perform preset processing for the invalid message.
As an implementation, the first determining module 503 may specifically be configured to: if the first address information is an IP address, determine the source IP address of the HTTP message to be the second address information.
As an implementation, the first determining module 503 may specifically be configured to: if the first address information is a domain name, look up in a session entry the domain name corresponding to the source IP address of the HTTP message, and determine the domain name corresponding to the source IP address to be the second address information;
wherein the session entry includes an IP address and the domain name corresponding to the IP address.
As an implementation, the device may also include a second acquisition module, a second determining module and a first adding module (not shown in the figure), wherein:
the second acquisition module is configured to obtain a first HTTP request message sent by the terminal device;
the second determining module is configured to determine a first domain name according to the URL in the first HTTP request message;
the first adding module is configured to add the first domain name to the session entry corresponding to the first HTTP request message.
As an implementation, the device may also include:
a first lookup module (not shown in the figure), configured to, in the case where the judgment result of the first judgment module 504 is yes, look up in a pre-established protection table the first address information that differs from the second address information, and, if it is found, trigger the processing module 505.
As an implementation, the protection table includes a dynamic protection table; the device may also include a third acquisition module, a third determining module and a second adding module (not shown in the figure), wherein:
the third acquisition module is configured to obtain a second HTTP request message sent by the terminal device;
the third determining module is configured to determine a second domain name according to the URL in the second HTTP request message;
the second adding module is configured to add a dynamic protection entry to the dynamic protection table, the dynamic protection entry including the destination IP address of the second HTTP request message and the second domain name.
As an implementation, the protection table further includes a pre-stored static protection table, the static protection table including first static protection entries whose contents are address information entered by the user; the second adding module may include:
a lookup submodule, configured to look up in the static protection table the destination IP address of the second HTTP request message and the second domain name, and, if they are not found, trigger the adding submodule;
an adding submodule, configured to add a dynamic protection entry to the dynamic protection table, the dynamic protection entry including the destination IP address of the second HTTP request message and the second domain name.
As an implementation, the device may also include:
a second judgment module (not shown in the figure), configured to judge whether the second HTTP request message contains a Cookie and, if it does, trigger the lookup submodule.
As an implementation, the protection table includes a static protection table; the device may also include a fourth acquisition module, a sending module, a second receiving module and a third adding module (not shown in the figure), wherein:
the fourth acquisition module is configured to obtain a preconfigured domain name;
the sending module is configured to send a DNS request message to a domain name server, the DNS request carrying the preconfigured domain name;
the second receiving module is configured to receive a DNS response message sent by the domain name server, the response message carrying the IP address corresponding to the preconfigured domain name;
the third adding module is configured to add a second static protection entry to the static protection table, the second static protection entry including the preconfigured domain name and the IP address corresponding to the preconfigured domain name.
As an implementation, the dynamic protection entry further includes the session ID corresponding to the second HTTP request message; the device may also include:
a deletion module (not shown in the figure), configured to, when the session corresponding to the session ID is deleted, delete the dynamic protection entry containing the session ID from the dynamic protection table.
With the embodiment of the present invention shown in Figure 5, the HTTP message sent by the HTTP server is received, the first address information carried by the URL in the HTTP message is compared with the second address information of the HTTP server that sent the message, and if the two differ, the message is determined to be an invalid message and the preset processing is performed for it. In the attack code of a CSRF attack message, the address information in the referenced address field differs from the address information of the server that sends the message; this address information may be a domain name or an IP address. That is, the address information of website Web1 contained in "src=URL of website Web1" differs from the address information of website Web2, so by comparing the two a CSRF attack message can be identified, protection against CSRF attacks is achieved and the security risk is reduced.
An embodiment of the present invention also provides an electronic device, as shown in Figure 6, including a processor 601, a communication interface 602, a memory 603 and a communication bus 604, wherein the processor 601, the communication interface 602 and the memory 603 complete mutual communication through the communication bus 604;
the memory 603 is configured to store a computer program;
the processor 601 is configured to, when executing the program stored on the memory 603, implement any of the above message processing methods.
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For convenience of representation, only one thick line is used in the figure, which does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
An embodiment of the present invention also provides a computer readable storage medium in which a computer program is stored; when executed by a processor, the computer program implements any of the above message processing methods.
It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the sentence "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for identical or similar parts between the embodiments, reference may be made to each other, and each embodiment focuses on its differences from the other embodiments. In particular, the message processing device embodiment shown in Figure 5, the electronic device embodiment shown in Figure 6 and the computer readable storage medium embodiment above are substantially similar to the message processing method embodiment shown in Figures 1-4, so their description is relatively brief; for related details, refer to the description of the message processing method embodiment shown in Figures 1-4.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention are all contained within the protection scope of the present invention.

Claims (22)

1. A message processing method, characterized in that it is applied to a protection device and comprises:
receiving an HTTP message sent by an HTTP server;
obtaining first address information carried by a uniform resource locator (URL) in the HTTP message;
determining second address information of the HTTP server;
judging whether first address information different from the second address information exists;
if it exists, determining the HTTP message to be an invalid message, and performing preset processing for the invalid message.
2. The method according to claim 1, characterized in that determining the second address information of the HTTP server comprises:
if the first address information is an IP address, determining the source IP address of the HTTP message to be the second address information.
3. The method according to claim 1, characterized in that determining the second address information of the HTTP server comprises:
if the first address information is a domain name, looking up in a session entry the domain name corresponding to the source IP address of the HTTP message;
determining the domain name corresponding to the source IP address to be the second address information;
wherein the session entry comprises an IP address and the domain name corresponding to the IP address.
4. The method according to claim 3, characterized in that the method further comprises:
obtaining a first HTTP request message sent by a terminal device;
determining a first domain name according to the URL in the first HTTP request message;
adding the first domain name to the session entry corresponding to the first HTTP request message.
5. The method according to claim 1, characterized in that, in the case where it is judged that first address information different from the second address information exists, the method further comprises:
looking up, in a pre-established protection table, the first address information that differs from the second address information;
if it is found, performing the step of determining the HTTP message to be an invalid message and performing the preset processing for the invalid message.
6. The method according to claim 5, characterized in that the protection table comprises a dynamic protection table, and the process of establishing a dynamic protection entry comprises:
obtaining a second HTTP request message sent by the terminal device;
determining a second domain name according to the URL in the second HTTP request message;
adding a dynamic protection entry to the dynamic protection table, the dynamic protection entry comprising the destination IP address of the second HTTP request message and the second domain name.
7. The method according to claim 6, characterized in that the protection table further comprises a pre-stored static protection table, the static protection table comprising first static protection entries whose contents are address information entered by a user;
adding the dynamic protection entry to the dynamic protection table comprises:
looking up, in the static protection table, the destination IP address of the second HTTP request message and the second domain name;
if they are not found, adding the dynamic protection entry to the dynamic protection table.
8. The method according to claim 7, characterized in that, before looking up in the static protection table the destination IP address of the second HTTP request message and the second domain name, the method further comprises:
judging whether the second HTTP request message contains a Cookie;
if it does, performing the step of looking up, in the static protection table, the destination IP address of the second HTTP request message and the second domain name.
9. The method according to claim 5 or 7, characterized in that the protection table comprises a static protection table, and the method further comprises:
obtaining a preconfigured domain name;
sending a DNS request message to a domain name server, the DNS request carrying the preconfigured domain name;
receiving a DNS response message sent by the domain name server, the response message carrying the IP address corresponding to the preconfigured domain name;
adding a second static protection entry to the static protection table, the second static protection entry comprising the preconfigured domain name and the IP address corresponding to the preconfigured domain name.
10. The method according to claim 6, characterized in that the dynamic protection entry further comprises a session identifier (ID) corresponding to the second HTTP request message;
the method further comprises:
when the session corresponding to the session ID is deleted, deleting the dynamic protection entry containing the session ID from the dynamic protection table.
11. A message processing device, characterized in that it is applied to a protection device and comprises:
a first receiving module, configured to receive an HTTP message sent by an HTTP server;
a first acquisition module, configured to obtain first address information carried by the URL in the HTTP message;
a first determining module, configured to determine second address information of the HTTP server;
a first judgment module, configured to judge whether first address information different from the second address information exists;
a processing module, configured to, in the case where the judgment result of the first judgment module is yes, determine the HTTP message to be an invalid message and perform preset processing for the invalid message.
12. The device according to claim 11, characterized in that the first determining module is specifically configured to: if the first address information is an IP address, determine the source IP address of the HTTP message to be the second address information.
13. The device according to claim 11, characterized in that the first determining module is specifically configured to: if the first address information is a domain name, look up in a session entry the domain name corresponding to the source IP address of the HTTP message, and determine the domain name corresponding to the source IP address to be the second address information;
wherein the session entry comprises an IP address and the domain name corresponding to the IP address.
14. The device according to claim 13, characterized in that the device further comprises:
a second acquisition module, configured to obtain a first HTTP request message sent by a terminal device;
a second determining module, configured to determine a first domain name according to the URL in the first HTTP request message;
a first adding module, configured to add the first domain name to the session entry corresponding to the first HTTP request message.
15. The device according to claim 11, characterized in that the device further comprises:
a first lookup module, configured to, in the case where the judgment result of the first judgment module is yes, look up in a pre-established protection table the first address information that differs from the second address information, and, if it is found, trigger the processing module.
16. The device according to claim 15, characterized in that the protection table comprises a dynamic protection table, and the device further comprises:
a third acquisition module, configured to obtain a second HTTP request message sent by the terminal device;
a third determining module, configured to determine a second domain name according to the URL in the second HTTP request message;
a second adding module, configured to add a dynamic protection entry to the dynamic protection table, the dynamic protection entry comprising the destination IP address of the second HTTP request message and the second domain name.
17. The device according to claim 16, characterized in that the protection table further comprises a pre-stored static protection table, the static protection table comprising first static protection entries whose contents are address information entered by a user; the second adding module comprises:
a lookup submodule, configured to look up in the static protection table the destination IP address of the second HTTP request message and the second domain name, and, if they are not found, trigger the adding submodule;
an adding submodule, configured to add a dynamic protection entry to the dynamic protection table, the dynamic protection entry comprising the destination IP address of the second HTTP request message and the second domain name.
18. The device according to claim 17, characterized in that the device further comprises:
a second judgment module, configured to judge whether the second HTTP request message contains a Cookie and, if it does, trigger the lookup submodule.
19. The device according to claim 15 or 17, characterized in that the protection table comprises a static protection table, and the device further comprises:
a fourth acquisition module, configured to obtain a preconfigured domain name;
a sending module, configured to send a DNS request message to a domain name server, the DNS request carrying the preconfigured domain name;
a second receiving module, configured to receive a DNS response message sent by the domain name server, the response message carrying the IP address corresponding to the preconfigured domain name;
a third adding module, configured to add a second static protection entry to the static protection table, the second static protection entry comprising the preconfigured domain name and the IP address corresponding to the preconfigured domain name.
20. The device according to claim 16, characterized in that the dynamic protection entry further comprises the session ID corresponding to the second HTTP request message, and the device further comprises:
a deletion module, configured to, when the session corresponding to the session ID is deleted, delete the dynamic protection entry containing the session ID from the dynamic protection table.
21. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
the memory is configured to store a computer program;
the processor is configured to, when executing the program stored on the memory, implement the method steps of any one of claims 1-10.
22. A computer readable storage medium, characterized in that a computer program is stored in the computer readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1-10.
CN201810264579.0A 2018-03-28 2018-03-28 A kind of message processing method, device and equipment Pending CN108712367A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810264579.0A CN108712367A (en) 2018-03-28 2018-03-28 A kind of message processing method, device and equipment


Publications (1)

Publication Number Publication Date
CN108712367A true CN108712367A (en) 2018-10-26

Family

ID=63866501

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810264579.0A Pending CN108712367A (en) 2018-03-28 2018-03-28 A kind of message processing method, device and equipment

Country Status (1)

Country Link
CN (1) CN108712367A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677396A (en) * 2019-09-16 2020-01-10 杭州迪普科技股份有限公司 Security policy configuration method and device
CN111756771A (en) * 2020-07-21 2020-10-09 腾讯科技(深圳)有限公司 Detection method and device for cross-site scripting attack
CN113626736A (en) * 2021-08-10 2021-11-09 迈普通信技术股份有限公司 URL feature learning method and device, electronic equipment and computer readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103207863A (en) * 2012-01-13 2013-07-17 腾讯科技(深圳)有限公司 Page cross-domain interacting method and terminal
CN103312666A (en) * 2012-03-09 2013-09-18 腾讯科技(深圳)有限公司 Method, system and device for preventing CSRF (cross site request forgery) attack
CN104079611A (en) * 2013-03-29 2014-10-01 腾讯科技(深圳)有限公司 Method for preventing cross-site request forgery, related device and system
CN104144142A (en) * 2013-05-07 2014-11-12 阿里巴巴集团控股有限公司 Web vulnerability discovery method and system
CN104301314A (en) * 2014-10-31 2015-01-21 电子科技大学 Intrusion detection method and device based on browser tag attributes
US20170149803A1 (en) * 2015-11-20 2017-05-25 International Business Machines Corporation Guarding against cross-site request forgery (CSRF) attacks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
侯莉: "Research on Web Application Security Analysis and Solutions" (Web应用安全分析与解决方案研究), Computer Knowledge and Technology (电脑知识与技术) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677396A (en) * 2019-09-16 2020-01-10 杭州迪普科技股份有限公司 Security policy configuration method and device
CN111756771A (en) * 2020-07-21 2020-10-09 腾讯科技(深圳)有限公司 Detection method and device for cross-site scripting attack
CN111756771B (en) * 2020-07-21 2023-04-18 腾讯科技(深圳)有限公司 Detection method and device for cross-site scripting attack
CN113626736A (en) * 2021-08-10 2021-11-09 迈普通信技术股份有限公司 URL feature learning method and device, electronic equipment and computer readable storage medium
CN113626736B (en) * 2021-08-10 2023-11-17 迈普通信技术股份有限公司 URL feature learning method, device, electronic equipment and computer readable storage medium

Similar Documents

Publication Publication Date Title
EP2532136B1 (en) System and method for risk rating and detecting redirection activities
US8621604B2 (en) Evaluating a questionable network communication
CN101304418B (en) Client side protection method and system against drive-by pharming via referrer checking
JP2016532381A (en) Evaluation of suspicious network communication
US20150229609A1 (en) Evaluating a questionable network communication
CN111917705B (en) System and method for automatic intrusion detection
US8522336B2 (en) Gateway device and method for using the same to prevent phishing attacks
CN110768999B (en) Method and device for detecting illegal external connection of equipment
CN107295116B (en) Domain name resolution method, device and system
US20190081952A1 (en) System and Method for Blocking of DNS Tunnels
CN103607385A (en) Method and apparatus for security detection based on browser
US20170237749A1 (en) System and Method for Blocking Persistent Malware
US8959626B2 (en) Detecting a suspicious entity in a communication network
CN108712367A (en) A kind of message processing method, device and equipment
US20210112093A1 (en) Measuring address resolution protocol spoofing success
JP2007200323A (en) Method for protecting sip-based application
CN105100048A (en) WiFi network security identification method, server, client device and system
CN111935123B (en) Method, equipment and storage medium for detecting DNS spoofing attack
JP5699162B2 (en) How to detect hijacking of computer resources
WO2016008212A1 (en) Terminal as well as method for detecting security of terminal data interaction, and storage medium
JP2007310781A (en) Fake website prevention method and intermediate node
CN105939321A (en) DNS (Domain Name System) attack detection method and device
CN107040401A (en) Wired local network user management system and method with safety and function expansion
CN112217770B (en) Security detection method, security detection device, computer equipment and storage medium
JP2014150504A (en) Network monitoring device, network monitoring method, and computer program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181026