CN108810032B - Web cross-site security processing method based on proxy - Google Patents

Info

Publication number: CN108810032B
Authority: CN (China)
Prior art keywords: node, nodes, request, module, agent
Legal status: Active
Application number: CN201810815958.4A
Other languages: Chinese (zh)
Other versions: CN108810032A (en)
Inventors: 贺鹏, 张峰
Current assignee: Baizhuo Network Technology Co ltd
Original assignee: Baizhuo Network Technology Co ltd
Priority date: 2018-07-24
Filing date: 2018-07-24
Publication date: 2020-05-01
Events: application filed by Baizhuo Network Technology Co ltd; priority to CN201810815958.4A; publication of CN108810032A; application granted; publication of CN108810032B; legal status active; anticipated expiration

Classifications

All within H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/1408: network security by monitoring network traffic for detecting or protecting against malicious traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/1408)
    • H04L63/1433 Vulnerability analysis (H04L63/14: network security for detecting or protecting against malicious traffic)
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer (H04L63/16)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00: network arrangements or protocols for supporting network services or applications)


Abstract

A proxy-based Web cross-site security processing method builds on a system architecture comprising a node marking module, an output stream proxy module and a log analysis and report module. The node marking module parses the template files of an application and, at compile time before the program is released, adds a mark to every vulnerability node; the mark is a custom attribute added to the node, whose value is a request parameter name generated by the system. The output stream proxy module has two parts: the first replaces the request parameter name in the marked node with a random code generated by the system for the current request; the second intercepts and proxies the response data before it is sent to the browser, parses the response into an HTML document to find every node that could carry a vulnerability, and, whenever an unmarked vulnerability node appears, escapes that node and returns it to the client as text.

Description

Web cross-site security processing method based on proxy
Technical Field
The invention belongs to the field of internet security and discloses a proxy-based Web cross-site security processing method.
Background
With the popularization and development of the domestic internet, anyone can go online to obtain information, post comments, buy goods and so on; the internet has changed people's lives. As the number of internet users and the volume of data keep growing, enterprise and user privacy data receive more and more attention. Even so, some enterprises still have inadequate security awareness and preventive measures, and the cost of dealing with these vulnerabilities is a major cause.
CN201510202647.7 provides a WEB security detection method and apparatus. The method includes: storing detection task information submitted by a WEB security detection front end in a WEB security detection data set; reading at least one piece of pending detection task information from the WEB security detection data set and writing it into a cache data set; generating several detection subtasks for each piece of detection task information read and distributing each subtask to a cluster system at the back end of WEB security detection; writing the information submitted by the cluster system while executing a detection subtask into the cache data set; and, after every detection subtask belonging to one piece of detection task information has finished, storing that task's detection result from the cache data set into the WEB security detection data set. This technical solution improves both the security and the efficiency of Web security detection.
CN201710710670.6 proposes a Web application attack defense method. The method comprises: selecting the access interface of the application to be defended and entering it into a Web attack defense system; selecting the Web attack types to be defended against; directing all accesses to the Web attack defense system; and having the Web attack defense system intercept all accesses and defend according to the selected defense types. It can solve the attack defense problem of Web applications.
CN201710696264.9 discloses a method and device for security protection based on Nginx. The method comprises: acquiring the log data of an Nginx server; extracting the request-related information of a client from the log data; and, if the client's request-related information matches a predefined prohibition rule, sending a prohibition instruction to the Nginx server instructing it to revoke the client's request permission. Because the Nginx server itself is not modified, it is not affected, and development and maintenance costs are reduced.
Because of the particular nature of cross-site attacks, how thoroughly they are solved depends on the coding habits and security awareness of developers, the security training of enterprises and similar factors. Even large websites still have such bugs, and once enterprise data or user privacy data is involved, the impact on society and individuals is profound.
A proxy-based Web cross-site security processing method is developed that mainly solves two problems:
1. Handling cross-site attacks requires a continuous, heavy investment of manpower. The invention only needs to be configured once according to the standard and the requirements, so manpower is invested once.
2. False negatives and false positives (missed and mistaken interceptions). The invention summarizes and sorts all possible forms of cross-site attack and adopts a white-list mode, thereby preventing both false negatives and false positives.
The traditional schemes for intercepting cross-site attacks are as follows:
1. Intercept the request parameters with an interceptor; if a parameter matches a custom rule, that is, it contains malicious code, intercept the request.
2. Add rules by configuring a Content Security Policy so that the browser treats certain requests as illegal, which mitigates attacks carried by the SRC attributes of nodes.
3. Escape parameters at render time: match the rendered parameters against custom rules when the page is rendered, and neutralize malicious code by HTML-encoding it if a rule matches.
4. Render the page after applying HTML escaping in the server-side program. For attacks against forms, a one-time mark Token is used for verification, but developers must write the same code repeatedly in many places.
The invention develops a new method. Because every web page has to be transmitted from the server to the browser as a stream, the output stream is intercepted first and parsed into an HTML document; illegal nodes are analyzed to detect cross-site scripts, a mark is added fully automatically to counter cross-site request forgery, and after this special treatment the page is output to the browser. The method also has the following characteristics:
1: Developers can concentrate on the business; cross-site bugs need no additional handling, which reduces cost.
2: The impact on system performance is small: the delay is below 50 ms for a 5000-line web page, and around 10 ms on average.
3: The method provided by the invention can be widely used.
Regarding the first traditional scheme, there are currently cross-site script interceptors based on request parameters built on the Nginx module ngx_lua_waf. Its deployment and interception principle are simple, but rules have to be configured, and variants of cross-site script bugs cannot be handled by such rules, so bugs are easily missed and legitimate requests mistakenly blocked.
The second scheme is to configure a Content Security Policy. Few companies at home or abroad use it at present; the main problem is that adoption is complicated, rules have to be configured for every page, and for some old systems the cost of adding rules to every page is huge. Moreover, its official documentation states that it can only mitigate, not cure.
The third scheme works well on a single application, but if the system is distributed across multiple systems, the probability of false negatives and false positives grows with the number of systems.
The fourth scheme is currently the best method, but solving each bug takes a long time and requires continuous manpower.
Disclosure of Invention
To solve the problems of the prior art, the invention aims to provide a proxy-based Web cross-site security processing method that intercepts the output stream transmitted from the server to the client and uses HTML (hypertext markup language) parsing to detect cross-site scripting attack code and to add a verification mark Token that intercepts cross-site request forgery attacks.
The technical solution of the invention is as follows: a proxy-based Web cross-site security processing method is based on a system architecture comprising a node marking module, an output stream proxy module and a log analysis and report module. The node marking module parses the template files of an application and, at compile time before the program is released, adds a mark to every vulnerability node; the mark is a custom attribute added to the node, whose value is a request parameter name generated by the system;
the output stream proxy module has two parts: the first replaces the request parameter name in the marked node with a random code generated by the system for the current request; the second intercepts and proxies the response data before it is sent to the browser, parses the response into an HTML document to find every node that could carry a bug, and, whenever an unmarked bug node appears, escapes that node and returns it to the client as text;
the log analysis and report module sends the attack code to the log server whenever the proxy intercepts attack code, and, by analyzing the attack code, summarizes it and sends an early-warning mail notifying the responsible person to handle it;
the method comprises the following specific steps:
Step 1: before the server compiles the page template, check the template for vulnerability nodes; if the template contains vulnerability nodes, add a custom attribute to them at compile time, the value of the attribute being the name of the custom request parameter;
Step 2: after a user sends a request to the server, the server generates an encryption string, and when the parameters are rendered into the page, the value of the custom attribute added in step 1 is rendered as that encryption string;
Step 3: when the server returns data to the user, intercept the output stream into local memory and parse it into an HTML document;
Step 3.1: if a vulnerability node in the HTML document does not carry the mark with the current encryption string, escape the node into HTML text before returning it to the client;
Step 3.2: if the HTML document contains form nodes, additionally add a hidden-field mark Token to those nodes;
Step 3.3: reassemble the HTML document and send it to the browser;
Step 4: record logs and clean the custom attribute off the vulnerability nodes.
The illegal nodes in the invention are all nodes or syntax that could produce a cross-site scripting vulnerability; in general the SCRIPT tag is the most common. The encryption string in the invention is valid only within the current thread and becomes invalid when the thread finishes, which prevents a user from forging the encryption string to carry out an attack.
The Token in the invention is a random code that establishes the uniqueness of a request; once the request has passed, the Token is invalid.
Beneficial effects: compared with the prior art, the invention has the following notable advantages and effects:
(1) By proxying the output stream, the invention can prevent cross-system stored cross-site scripting attacks injected through parameters;
(2) By adopting a white-list mode, the invention judges from the node itself whether it is a cross-site script node, which avoids the false positives and false negatives caused by virus-library-style interception such as regular-expression matching;
(3) The method and system automatically add the mark Token by finding each Form in the output stream and automatically verify the Token when the Form is submitted, so a Token unrelated to the business need not be added in the business code, and the business code of each submitted request need not check whether the Token is valid. This reduces labor cost.
Drawings
FIG. 1 is a schematic structural diagram of a system implementing the proxy-based Web cross-site security processing method in an embodiment of the present invention;
FIG. 2 is a flowchart of an implementation of the proxy-based Web cross-site security processing method in an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
FIG. 1 is a schematic structural diagram of a system implementing the proxy-based Web cross-site security processing method in an embodiment of the present invention; the system architecture specifically comprises a node marking module, an output stream proxy module and a log analysis and report module.
The node marking module parses the template files of an application and, at compile time before the program is released, adds a mark to every vulnerability node; the mark is a custom attribute added to the node, whose value is a request parameter name generated by the system;
the output stream proxy module has two parts: the first replaces the request parameter name in the marked node with a random code generated by the system for the current request; the second intercepts and proxies the response data before it is sent to the browser, parses the response into an HTML document to find every node that could carry a bug, and, whenever an unmarked bug node appears, escapes that node and returns it to the client as text;
the log analysis and report module sends the attack code to the log server whenever the proxy intercepts attack code, and, by analyzing the attack code, summarizes it and sends an early-warning mail notifying the responsible person to handle it.
FIG. 2 is a flowchart of an implementation of the proxy-based Web cross-site security processing method in an embodiment of the present invention, which comprises the following specific phases:
System compile period: the location of the system's view-layer templates is specified in a configuration file; at compile time the system iterates over all files at that location, parses the nodes that resemble attack code and adds the designated attribute to them.
Request entry period: intercept the request object, generate a random code, store it in the current thread and also in the request object, and when the system parses the view, replace the mark generated at compile time with the random code.
Response interception proxy period: intercept the response output stream, parse it into an HTML document format and have the proxy output it to the client.
Malicious code detection period: query the tags in the HTML document, output the unmarked nodes that could produce an XSS attack in encoded form and record the node information.
Later analysis period: summarize the recorded information and periodically send a statistical report for analysis and use by the responsible person.
The invention is not to be considered as limited to the particular embodiments shown and described, but is to be understood to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
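The compile-time marking, per-request random code, response-stream proxying and one-time Token verification described in steps 1 to 4 of the disclosure and in the five phases of FIG. 2 above, as an added example that is not part of the patent or of any implementation by the assignee. It is written in Python on the standard library's HTML parser; the attribute name data-xss-mark, the parameter name __xss_mark__, the field name _csrf_token, the sample template and the sample payload are all assumed or constructed here.

```python
import html
import re
import secrets
from html.parser import HTMLParser

MARK_ATTR = "data-xss-mark"   # hypothetical name of the custom attribute added at compile time (step 1)
MARK_PARAM = "__xss_mark__"   # hypothetical request-parameter name used as the attribute's compile-time value
TOKEN_FIELD = "_csrf_token"   # hypothetical name of the hidden Token field added to every form (step 3.2)
VULN_TAGS = {"script"}        # white list of node types that can carry a cross-site script; SCRIPT is the common one

def mark_template(template: str) -> str:
    """Step 1 (compile time): add the custom attribute to every vulnerable node of the template."""
    def add_mark(m):
        tag = m.group(0)
        return tag if MARK_ATTR in tag else f'{tag[:-1]} {MARK_ATTR}="{MARK_PARAM}">'
    return re.sub(r"<script\b[^>]*>", add_mark, template, flags=re.IGNORECASE)

def render(marked_template: str, request_secret: str, params: dict) -> str:
    """Step 2: substitute this request's secret for the parameter name and render the user parameters unescaped (the template defect the proxy covers)."""
    out = marked_template.replace(MARK_PARAM, request_secret)
    for name, value in params.items():
        out = out.replace("{{" + name + "}}", value)
    return out

class TokenStore:
    """One-time Tokens: a Token stays valid until the request carrying it has passed once."""
    def __init__(self):
        self._issued = set()
    def issue(self) -> str:
        token = secrets.token_urlsafe(16)
        self._issued.add(token)
        return token
    def verify(self, submitted_form: dict) -> bool:
        token = submitted_form.get(TOKEN_FIELD)
        if token not in self._issued:
            return False
        self._issued.discard(token)  # once the request passes, the Token is invalid
        return True

class OutputStreamProxy(HTMLParser):
    """Step 3: parse the intercepted response, escape unmarked vulnerable nodes, add the Token to forms, strip the mark (step 4), reassemble."""
    def __init__(self, request_secret: str, csrf_token: str):
        super().__init__(convert_charrefs=False)  # keep entities as written so the page is reassembled faithfully
        self.secret, self.token = request_secret, csrf_token
        self.out = []            # the reassembled page
        self.intercepted = []    # unmarked nodes, recorded for the log analysis and report module
        self._node = None        # raw pieces of the node currently being neutralised, else None
        self._node_tag = ""
    def _emit(self, raw: str):
        (self.out if self._node is None else self._node).append(raw)
    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if self._node is None and tag in VULN_TAGS:
            if [v for k, v in attrs if k == MARK_ATTR] != [self.secret]:
                self._node, self._node_tag = [], tag   # step 3.1: no mark for this request -> neutralise the node
            else:                                      # step 4: clean the custom attribute off the legitimate node
                kept = [f" {k}" if v is None else f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs if k != MARK_ATTR]
                raw = f"<{tag}{''.join(kept)}>"
        self._emit(raw)
        if tag == "form" and self._node is None:       # step 3.2: hidden Token field for every form
            self._emit(f'<input type="hidden" name="{TOKEN_FIELD}" value="{self.token}">')
    def handle_endtag(self, tag):
        self._emit(f"</{tag}>")
        if self._node is not None and tag == self._node_tag:
            node, self._node = "".join(self._node), None
            self.intercepted.append(node)
            self.out.append(html.escape(node))         # the node reaches the client as text, not as a script
    def handle_startendtag(self, tag, attrs): self._emit(self.get_starttag_text())
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")
    def process(self, response_body: str) -> str:
        self.feed(response_body)
        self.close()
        return "".join(self.out)

def handle_request(marked_template: str, params: dict, store: TokenStore, request_secret: str = None):
    """Steps 2 to 4 for one request: returns the page sent to the browser and the intercepted nodes."""
    request_secret = request_secret or secrets.token_hex(16)  # random code valid for this request only
    proxy = OutputStreamProxy(request_secret, store.issue())
    return proxy.process(render(marked_template, request_secret, params)), proxy.intercepted

# Constructed sample template: one legitimate script node, one form and one unescaped parameter.
TEMPLATE = """<!DOCTYPE html><html><body>
<script src="/static/app.js"></script>
<form method="post" action="/comment"><input name="text"></form>
<div class="comment">{{comment}}</div></body></html>"""

if __name__ == "__main__":
    page, hits = handle_request(mark_template(TEMPLATE), {"comment": "<script>alert(1)</script>"}, TokenStore())
    print(page, "\nintercepted:", hits)
```

The legitimate script keeps its mark only for the duration of one request, so a script node carrying a stale or forged mark value is neutralised exactly like an unmarked one.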

Claims (2)

1. A proxy-based Web cross-site security processing method, characterized in that it is based on the following system architecture comprising a node marking module, an output stream proxy module and a log analysis and report module;
the node marking module parses a template file in an application and, at compile time before program release, adds marks to all vulnerability nodes; the mark is a custom attribute added to the node, whose value is a request parameter name generated by the system architecture;
the output stream proxy module has two parts: first, the request parameter names in the marked nodes are replaced by random codes generated automatically by the system architecture for the current request; second, the response data is intercepted and proxied before being sent to the browser, parsed into an HTML document to find all nodes that could produce bugs, and whenever an unmarked bug node appears, the node is escaped and returned to the client as text;
the log analysis and report module sends the attack code to the log server when the proxy intercepts attack code, and, by analyzing the attack code, summarizes it and sends an early-warning mail notifying the responsible person to handle it;
the method comprises the following specific steps:
Step 1: before the server compiles the page template, check the page template for vulnerability nodes; if the page template contains vulnerability nodes, add a custom attribute to them at compile time, the value of the custom attribute being the name of the custom request parameter;
Step 2: after a user sends a request to the server, the server generates an encryption string, and when the request parameter is rendered into the page, the value of the custom attribute added in step 1 is rendered as that encryption string;
Step 3: when the server returns data to the user, intercept the output stream into local memory and parse it into an HTML document;
Step 3.1: if a vulnerability node in the HTML document does not contain the current encryption string, the node is escaped;
Step 3.2: if the HTML document contains the vulnerability node, a hidden-field mark, denoted Token, is additionally added to the node;
Step 3.3: reassemble the HTML document and send it to the browser;
Step 4: record logs and clean the custom attribute off the vulnerability nodes;
the vulnerability nodes are all nodes or syntax that could produce cross-site scripting vulnerabilities;
SCRIPT tags are the most common such tags; the encryption string is valid only within the current thread and becomes invalid when the thread finishes, which prevents a user from forging the encryption string to carry out an attack;
the Token is a random code for judging the uniqueness of a request, and once the request has passed, the mark Token is invalid.
2. The proxy-based Web cross-site security processing method as claimed in claim 1, comprising the following phases:
System compile period: the location of the system's view-layer templates is designated in a configuration file; at compile time the system iterates over all files at that location, parses the vulnerability nodes and adds a custom attribute to them, the attribute value being the name of the custom request parameter;
Request entry period: intercept the request object, generate a random code, store it in the current thread and also in the request object, and when the system parses the view, replace the bug node generated at compile time with the random code and add a custom attribute whose value is the name of the custom request parameter;
Response interception proxy period: intercept the response output stream, parse it into an HTML document format and have the proxy output it to the client;
Malicious code detection period: query the marks in the HTML document, output the unmarked vulnerability nodes in escaped form and record the node information;
Later analysis period: summarize the recorded information and periodically send a statistical report for analysis and use by the responsible person.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201810815958.4A (CN108810032B, en)   2018-07-24   2018-07-24   Web cross-site security processing method based on proxy (Active)

Publications (2)

Publication Number   Publication Date
CN108810032A (en)   2018-11-13
CN108810032B (en)   2020-05-01

Family

ID=64077898; one family application, CN201810815958.4A, Active, CN108810032B (en)

Country Status (1)

Country   Link
CN (1)   CN108810032B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109740355A (en) * 2019-01-03 2019-05-10 深圳前海微众银行股份有限公司 Vulnerability scanning method, server, system and proxy server
CN110808977B (en) * 2019-10-31 2021-09-14 重庆佳锐颖科技发展有限公司 Development system and method for avoiding XSS vulnerability of Web program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618404A (en) * 2015-03-10 2015-05-13 网神信息技术(北京)股份有限公司 Processing method, device and system for preventing network attack to Web server
CN106302445A (en) * 2016-08-15 2017-01-04 北京百度网讯科技有限公司 For the method and apparatus processing request

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110214157A1 (en) * 2000-09-25 2011-09-01 Yevgeny Korsunsky Securing a network with data flow processing
CN102307197B (en) * 2011-08-29 2014-02-19 浙江中烟工业有限责任公司 Trusted enhancement subsystem of multilevel security intercommunication platform
CN102831345B (en) * 2012-07-30 2015-01-28 西北工业大学 Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
CN102917360B (en) * 2012-10-24 2015-04-29 北京邮电大学 Device and method for detecting Zigbee protocol vulnerabilities
US9124623B1 (en) * 2013-06-20 2015-09-01 Symantec Corporation Systems and methods for detecting scam campaigns
CN108306867A (en) * 2018-01-17 2018-07-20 郑州云海信息技术有限公司 A kind of XSS detection methods collecting randomization based on instruction


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on Web application vulnerability detection and protection technology (Web应用程序漏洞检测与防护技术研究); 张凡; China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库信息科技辑》); 2018-02-15; I139-181 *



Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant