CN109347820B - Application security defense method and system - Google Patents
Publication number: CN109347820B (application CN201811191644.8A)
Authority: CN (China)
Legal status: Active
Abstract
The invention discloses an application security defense method and system in the field of application security. The application security defense method runs in a Spring framework and comprises the following steps: when an HTTP request message is received, parsing the HTTP request message to obtain a parsed data packet, the parsed data packet including message header parameters and request body parameters; matching the message header parameters and the request body parameters respectively against a preset blacklist; and when the message header parameter and/or the request body parameter matches a blacklist parameter in the preset blacklist, executing a security defense operation. Because the method is built on the Spring framework, it performs security detection on the data packet directly at the Spring framework layer, thereby ensuring the security of data written into a cloud platform (namely a cloud database) and reducing the application security risk.
Description
Technical Field
The invention relates to the field of application security, in particular to an application security defense method and system.
Background
With the continuous development of information technology, information security incidents are increasing, information security has become a key point of enterprise information construction, and application security is an important link in the security system. In the prior art, a conventional web application firewall (WAF) system is used to encrypt and transmit data packets in order to ensure application security.
However, when the service system is located on a cloud platform, the conventional WAF cannot be deployed in the cloud network; that is, the cloud platform cannot inspect the encrypted data packet, so application security cannot be guaranteed.
Disclosure of Invention
The invention aims to provide an application security defense method and system, which solve the problem of application security when a service system is positioned on a cloud platform.
The technical scheme provided by the invention is as follows:
An application security defense method, running in a Spring framework, includes the following steps: when an HTTP request message is received, parsing the HTTP request message to obtain a parsed data packet, the parsed data packet including message header parameters and request body parameters; matching the message header parameters and the request body parameters respectively against a preset blacklist; and when the message header parameter and/or the request body parameter matches a blacklist parameter in the preset blacklist, executing a security defense operation.
In this technical scheme, the application security defense method is built on the Spring framework, so even when the service system is deployed on a cloud platform and the data packet is encrypted in transit, security detection of the data packet can be performed directly at the Spring framework layer; this ensures the security of data written into the cloud platform (namely the cloud database) and reduces the application security risk.
Further, the process of acquiring the request body parameters specifically includes: when the request body in the HTTP request message is an Ajax-format data packet, taking out the request body parameters directly; and when the request body in the HTTP request message is a JSON-format data packet, performing JSON format conversion and then taking out the request body parameters.
In this technical scheme, the processing and security judgment of both data packet formats are supported, so compatibility is high.
Further, the security defense operation includes any one or more of: discarding the received HTTP request message; jumping to an error interrupt page.
In this technical scheme, a wider choice of security defense operations is provided.
Further, after parsing the received HTTP request message to obtain the parsed data packet, the method further includes: performing security preprocessing on the parsed data packet to obtain a processing result; and when the processing result is that blacklist matching is not required, writing the parsed data packet after security preprocessing into the cloud database.
In this technical scheme, the security preprocessing further reduces the application security risk.
Further, matching the message header parameters and the request body parameters against the preset blacklist specifically includes: when the processing result is that blacklist matching is required, matching the message header parameters and the request body parameters that have undergone security preprocessing respectively against the preset blacklist.
In this technical scheme, security preprocessing is combined with preset blacklist matching, which improves application security in several respects.
Further, the security preprocessing includes a preset URL check; when the parsed data packet targets a preset URL, the processing result is that blacklist matching is not required.
In this technical scheme, special URLs can be given high authority, which improves response speed.
Further, the security preprocessing includes any one or more of: message header check, request body parameter check, request body special character replacement, message header special character replacement, and encoding escape format conversion.
In this technical scheme, the choice among several security preprocessing modes gives more flexibility and suits different usage scenarios.
The invention also provides an application security defense system, comprising: an analysis module, used to parse the HTTP request message when it is received to obtain a parsed data packet, the parsed data packet including message header parameters and request body parameters; a matching module, used to match the message header parameters and the request body parameters respectively against a preset blacklist; and an execution module, used to execute a security defense operation when the message header parameter and/or the request body parameter matches a blacklist parameter in the preset blacklist.
In this technical scheme, the application security defense system is built on the Spring framework, so even when the service system is deployed on a cloud platform and the data packet is encrypted in transit, security detection of the data packet can be performed directly at the Spring framework layer; this ensures the security of data written into the cloud platform (namely the cloud database) and reduces the application security risk.
Further, the system also includes a preprocessing module, used to perform security preprocessing on the parsed data packet to obtain a processing result; and the execution module is further used to write the parsed data packet after security preprocessing into the cloud database when the processing result is that blacklist matching is not required.
Further, the matching module being configured to match the message header parameters and the request body parameters against the preset blacklist specifically means: the matching module is used to match the message header parameters and the request body parameters after security preprocessing respectively against the preset blacklist when the processing result is that blacklist matching is required.
Compared with the prior art, the application security defense method and the system have the beneficial effects that:
the application security defense method is based on the Spring framework setting, and directly carries out security detection on the data packet from the Spring framework level, thereby ensuring the security of data written into a cloud platform (namely a cloud database) and reducing the application security risk.
Drawings
The above features, technical features, advantages and implementations of the application security defense method and system will be further described in the following detailed description of preferred embodiments, in a clearly understandable manner, in conjunction with the accompanying drawings.
FIG. 1 is a flow diagram of one embodiment of the application security defense method of the present invention;
FIG. 2 is a flow diagram of another embodiment of the application security defense method of the present invention;
FIG. 3 is a flow diagram of yet another embodiment of the application security defense method of the present invention;
FIG. 4 is a schematic structural diagram of an embodiment of the application security defense system of the present invention;
FIG. 5 is a schematic structural diagram of another embodiment of the application security defense system of the present invention.
The reference numbers are:
10, analysis module; 20, matching module; 30, execution module; 40, preprocessing module.
Detailed Description
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will be made with reference to the accompanying drawings. It is obvious that the drawings in the following description are only some examples of the invention, and that for a person skilled in the art, other drawings and embodiments can be derived from them without inventive effort.
For the sake of simplicity, the drawings only schematically show the parts relevant to the present invention, and they do not represent the actual structure as a product. In addition, in order to make the drawings concise and understandable, components having the same structure or function in some of the drawings are only schematically illustrated or only labeled. In this document, "one" means not only "only one" but also a case of "more than one".
The application security defense method is developed on the Spring framework (including the Spring MVC framework and the Spring Boot framework). It addresses the problem that a service system located on a cloud platform cannot inspect an encrypted data packet: the security judgment is made on the packet, after its encrypted transmission, at the Spring framework layer, so that the security defense of the service system is improved at minimum cost. The method is particularly suited to a service system that is developed on the Spring framework and deployed on a cloud platform.
Fig. 1 shows an embodiment of the present invention, an application security defense method running on a Spring framework, which includes:
S101, when an HTTP request message is received, parsing the HTTP request message to obtain a parsed data packet; the parsed data packet includes message header parameters and request body parameters.
Specifically, the HTTP request message is encrypted for security and therefore has to be parsed to retrieve the parameters in the message header and the request body.
The message header parameters include the values of parameters such as Accept, Host, Referer, Accept-Language, Accept-Encoding, User-Agent, Connection and Cookie. The request body is in either Ajax or JSON format; a data packet in JSON format needs separate processing. In actual use, the message header parameters and the request body are obtained with Java development technology.
Preferably, the process of acquiring the request body parameters specifically includes:
when the request body in the HTTP request message is an Ajax-format data packet (Ajax being a technology for creating fast dynamic web pages), taking out the request body parameters directly; when the request body in the HTTP request message is a JSON-format packet (JSON being a lightweight data exchange format), performing JSON format conversion first (for example, the JSON {'a':'lz','c':'rk'} is converted into a=lz&c=rk) and then fetching the request body parameters (i.e. a=lz&c=rk).
Ajax and JSON are common data packet formats, and this embodiment is compatible with the processing and security judgment of both formats, so its compatibility is high.
S102, the message header parameter and the request text parameter are respectively matched in a preset blacklist.
Specifically, the preset blacklist is compiled from experience, historical attack code and the like, and contains a number of blacklist parameters. Each entry below is given as the pattern stored in the blacklist, followed by what it matches, for example:
1. <string><![CDATA["{1,1}]]></string> matches the character "
2. <string><![CDATA[<{1,1}]]></string> matches the character <
3. <string><![CDATA[>{1,1}]]></string> matches the character >
4. <string><![CDATA['{1,1}]]></string> matches the character '; <string><![CDATA[%27{1,1}]]></string> matches the URL-encoded form of '
5. <string><![CDATA[%22{1,1}]]></string> matches the URL-encoded form of "
6. <string><![CDATA[%3C{1,1}]]></string> matches the URL-encoded form of <
7. <string><![CDATA[%3E{1,1}]]></string> matches the URL-encoded form of >
8. <string><![CDATA[alert]]></string> matches alert()
9. <string><![CDATA[window]]></string> matches window.location
10. <string><![CDATA[style=x:expression(]]></string> matches style=x:expression()
11. <string><![CDATA[document.cookie]]></string> matches document.cookie
12. <string><![CDATA[eval(]]></string> matches eval()
13. <string><![CDATA[unescape(]]></string> matches unescape()
14. <string><![CDATA[execute(]]></string> matches execute()
15. <string><![CDATA[msgbox]]></string> matches msgbox()
16. <string><![CDATA[confirm]]></string> matches confirm()
17. <string><![CDATA[prompt(]]></string> matches prompt()
18. <string><![CDATA[<script>*</script>]]></string> matches <script></script>, including where carriage returns and line feeds occur between the tags
19. <string><![CDATA[update|grant|count|sitename|char|drop|use|by|from|where|column_name|order|group_concat|union|delete|execute|select|or|like|create|master|and|declare|net|user|like|truncate|xp_cmdshell|exec|mid|insert|information_schema.columns]]></string> matches any of the listed SQL keywords
20. <string><![CDATA[../../]]></string> matches the illegal directory path ../../
The blacklist parameters in the preset blacklist can be updated and modified, so that coverage of attack code improves and the security of the HTTP request message is ensured.
S103, when the message header parameter and/or the request text parameter are matched with the blacklist parameter in the preset blacklist, executing the security defense operation.
Specifically, after the message header parameters and the request body parameters are extracted, each is matched against every blacklist parameter in the preset blacklist. If a blacklist parameter matching the message header parameter, or one matching the request body parameter, is found in the preset blacklist, the message header parameter and/or the request body parameter is considered to match the blacklist parameter, which indicates that the HTTP request message is offensive and needs special processing.
For example, SQL injection code security threat judgment:
Request HTTP data packet (i.e. HTTP request message): http://www.yangshi.com/?id=1 union select
Formatted data (i.e. request body parameters): id=1 union select
Hit blacklist parameter:
<string><![CDATA[update|grant|count|sitename|char|drop|use|by|from|where|column_name|order|group_concat|union|delete|execute|select|or|like|create|master|and|declare|net|user|like|truncate|xp_cmdshell|exec|mid|insert|information_schema.columns]]></string>
XSS attack code security threat judgment:
Request HTTP data packet (i.e. HTTP request message): http://www.yangshi.com/?id=1<script>alert(/xss/)</script>
Formatted data (i.e. request body parameters): id=1<script>alert(/xss/)</script>
Hit blacklist parameters:
<string><![CDATA[<script>*</script>]]></string>
<string><![CDATA[alert*(*)]]></string>
Directory traversal security threat judgment:
Request HTTP data packet (i.e. HTTP request message): http://www.yangshi.com/?id=1../../passswd
Formatted data (i.e. request body parameters): 1../../passswd
Hit blacklist parameter:
<string><![CDATA[../../]]></string>
It should be noted that the above are examples of matching the request body parameters; the message header parameters are matched in the same manner, which is not illustrated separately here.
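As an added illustration of steps S101 to S103 (this is not code from the patent, whose implementation is a Spring filter in Java), the following Python script parses a raw HTTP request, flattens a JSON body into the a=lz&c=rk form described above, and matches every inspected header value and the request parameters against a blacklist modelled on the entries listed earlier. The regular-expression renderings of the entries, the word boundaries around the SQL keywords, the single URL-decoding pass and the sample requests are all assumptions of this example.

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

# Blacklist entries modelled on those listed above, written as regular
# expressions. Wildcard entries such as "<script>*</script>" are rendered with
# ".*"; the SQL keyword alternation is wrapped in word boundaries (a choice made
# in this example, not stated in the patent) so that "or" does not fire on "form".
BLACKLIST = {
    "single_quote":  re.compile(r"'|%27", re.I),
    "double_quote":  re.compile(r'"|%22', re.I),
    "angle_bracket": re.compile(r"[<>]|%3C|%3E", re.I),
    "script_tag":    re.compile(r"<script>.*</script>", re.I | re.S),
    "js_call":       re.compile(r"\b(alert|eval|unescape|execute|msgbox|confirm|prompt)\s*\(", re.I),
    "dom_access":    re.compile(r"window\.location|document\.cookie|style=x:expression\(", re.I),
    "sql_keyword":   re.compile(
        r"\b(update|grant|count|sitename|char|drop|use|by|from|where|column_name|order|"
        r"group_concat|union|delete|execute|select|or|like|create|master|and|declare|net|"
        r"user|truncate|xp_cmdshell|exec|mid|insert|information_schema\.columns)\b", re.I),
    "dir_traversal": re.compile(r"\.\./\.\./"),
}

# Message header parameters the patent names as the ones to inspect.
INSPECTED_HEADERS = ("Accept", "Host", "Referer", "Accept-Language",
                     "Accept-Encoding", "User-Agent", "Connection", "Cookie")


def parse_request(raw_request: str):
    """Split a raw HTTP/1.1 request into (request-target, headers, body)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return target, headers, body


def body_parameters(content_type: str, body: str) -> str:
    """Return the request body as a flat 'k=v&k=v' string.

    Ajax/form bodies already have that shape and are taken as-is; a JSON object
    is converted first, as in the patent ({"a":"lz","c":"rk"} -> a=lz&c=rk).
    """
    if "application/json" in content_type.lower() and body.strip():
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("JSON body must be an object")
        return "&".join(f"{key}={value}" for key, value in data.items())
    return body


def match_blacklist(raw_request: str):
    """Return [(location, rule), ...] for every blacklist hit; [] means clean (S104)."""
    target, headers, body = parse_request(raw_request)
    candidates = {f"header:{name}": headers[name]
                  for name in INSPECTED_HEADERS if name in headers}
    candidates["query"] = urlsplit(target).query
    params = body_parameters(headers.get("Content-Type", ""), body)
    if params:
        candidates["body"] = params
    hits = []
    for location, value in candidates.items():
        # Match the raw value and its URL-decoded form: the list carries %27-style
        # entries, but decoding once also catches keywords separated by %20.
        forms = {value, unquote_plus(value)}
        for rule, pattern in BLACKLIST.items():
            if any(pattern.search(form) for form in forms):
                hits.append((location, rule))
    return hits


# Constructed sample requests mirroring the patent's three examples, plus a
# JSON request and a request whose Referer header carries the payload.
SQLI_REQUEST = ("GET /?id=1%20union%20select HTTP/1.1\r\nHost: www.yangshi.com\r\n"
                "User-Agent: Mozilla/5.0\r\n\r\n")
XSS_REQUEST = "GET /?id=1<script>alert(/xss/)</script> HTTP/1.1\r\nHost: www.yangshi.com\r\n\r\n"
TRAVERSAL_REQUEST = "GET /?id=1../../passwd HTTP/1.1\r\nHost: www.yangshi.com\r\n\r\n"
JSON_REQUEST = ('POST /api HTTP/1.1\r\nHost: www.yangshi.com\r\n'
                'Content-Type: application/json\r\n\r\n{"a": "lz", "c": "rk"}')
HEADER_REQUEST = ("GET / HTTP/1.1\r\nHost: www.yangshi.com\r\n"
                  "Referer: http://www.yangshi.com/?q=%27%20or%201=1\r\n\r\n")

if __name__ == "__main__":
    for name, request in [("sqli", SQLI_REQUEST), ("xss", XSS_REQUEST),
                          ("traversal", TRAVERSAL_REQUEST), ("json", JSON_REQUEST),
                          ("header", HEADER_REQUEST)]:
        print(name, match_blacklist(request))
```

Running the script prints the hit list for each constructed request; an empty list is the S104 outcome. Two practitioner caveats the patent does not spell out: entry 19 taken as a bare alternation would match ordinary words such as "or" or "by" inside normal parameter values, which is why the example demands word boundaries; and because the blacklist is a denylist, every encoding of a payload has to be either decoded before matching or listed explicitly, which is why each value is matched both raw and URL-decoded once.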
The security defense operation has a plurality of kinds, and is set according to actual needs, for example: discarding the received HTTP request message; jump to the error break page, etc. One of them can be selected as the security defense operation, and a plurality of them can be used in combination.
For example: the two are combined for use, if the received HTTP request message is found to be an aggressive message, the HTTP request message is discarded, and the error interrupt page is skipped.
The error interrupt page includes: custom 404 pages or default 404 pages. If a custom 404 page exists, then jump to the custom 404 page; if there is no custom 404 page, jump to default 404 page.
The jump to the error interrupt page is equivalent to an interrupt request, the interrupt request is selected to be opened and closed according to actual requirements, when the interrupt request is opened, the jump to the error interrupt page can be carried out, and when the interrupt request is closed, the jump to the error interrupt page is not carried out.
S104, when neither the message header parameter nor the request body parameter matches a blacklist parameter in the preset blacklist, writing the parsed data packet into the cloud database.
Specifically, if neither the message header parameter nor the request body parameter matches a blacklist parameter, the HTTP request message is a normal message and may be written into the cloud database for subsequent normal operation.
Optionally, when the log record is started, the processing procedure of the received HTTP request message is recorded.
Specifically, the log record can be opened or closed according to actual requirements, the log record is carried out during opening, subsequent statistics is facilitated, and the log record is not required during closing.
The application security defense method of the embodiment is based on Spring framework setting, and even if the service system is deployed on a cloud platform, the encrypted data packet can be used in the transmission process, the security detection of the data packet can be directly carried out from the Spring framework layer, the security of data written into the cloud platform (namely a cloud database) is ensured, and the application security risk is reduced.
Fig. 2 shows another embodiment of the present invention, which is an application security defense method, the application security defense method runs in a Spring framework, and the method includes:
s201, when receiving the HTTP request message, analyzing the HTTP request message to obtain an analyzed data packet; the parsed data packet includes: message header parameters and request body parameters.
Preferably, the process of acquiring the request text parameter specifically includes: when the request text in the HTTP request message is an Ajax-format data packet, directly taking out the request text parameters; and when the request text in the HTTP request message is a JSON format data packet, performing JSON format conversion, and then taking out the request text parameters.
S202, carrying out security preprocessing on the analyzed data packet to obtain a processing result.
Specifically, security preprocessing means that once the parsed data packet is obtained, preset blacklist matching is not performed directly; the parsed data packet is processed first, and the specific processing is carried out according to the actual settings.
The security preprocessing includes any one or more of: preset URL check, message header special character replacement, request body parameter check, request body special character replacement, and encoding escape format conversion.
Each of the above security preprocessing modes can be switched on and off independently, and the corresponding processing is executed only when that mode is switched on. An engineer can adjust the switch of each security preprocessing mode manually according to the actual situation; since the security preprocessing is developed on the Spring framework, switching takes effect within 1-2 seconds, so the response is fast.
For example, when the preset URL check is switched on, it is judged whether the parsed data packet targets a preset URL; if so, the processing result is that blacklist matching is not required, and the flow jumps to S203.
The preset URLs are special URLs that receive privileged treatment: as long as a URL is a preset URL it is released directly, and the subsequent preset blacklist matching does not need to be executed. The preset URL check thus grants elevated authority to certain special URLs so that they are handled quickly, improving response speed.
The message header check and the message header special character replacement act on the message header parameters; the request body parameter check and the request body special character replacement act on the request body parameters; the encoding escape format conversion processes the whole parsed data packet, converting the current encoding format into another specified encoding format according to the design requirements.
And S203, writing the analyzed data packet after the safety pretreatment into a cloud database when the processing result is that the blacklist is not required to be matched.
S204, the step of matching the message header parameters and the request body parameters against the preset blacklist specifically includes: S214, when the processing result is that blacklist matching is required, matching the message header parameters and the request body parameters after security preprocessing respectively against the preset blacklist.
S205, when the message header parameter and/or the request text parameter match with the blacklist parameter in the preset blacklist, executing the security defense operation. The security defense operation has a plurality of kinds, and is set according to actual needs, for example: discarding the received HTTP request message; jump to the error break page, etc. One of them can be selected as the security defense operation, and a plurality of them can be used in combination.
S206, when neither the message header parameter nor the request body parameter matches a blacklist parameter in the preset blacklist, writing the parsed data packet after security preprocessing into the cloud database.
Optionally, when the log record is started, the processing procedure of the received HTTP request message is recorded.
Specifically, for the explanation of the same parts of the present embodiment as those of the above embodiment, refer to the above embodiment, and will not be described in detail here.
In the embodiment, the safety preprocessing is added before the preset blacklist is matched, and the analyzed data packet is preprocessed first, so that the probability of aggressivity is reduced, and the application safety is improved. And the safety pretreatment can be dynamically managed, manual pertinence adjustment is supported, the method can flexibly adapt to actual variable conditions, and the use experience is good.
If the security defense method employs security preprocessing, which includes all the above processing manners, the flow chart of their implementation is shown in fig. 3:
step 1, judging whether the analyzed data packet is a preset URL (uniform resource locator), if so, executing step 13, and if not, executing step 2;
step 4, replacing special characters of the message header;
step 5, checking the request text parameters, if the request text parameters pass, executing step 6, and if the request text parameters do not pass, executing step 7;
and step 13, writing into the database.
It should be noted that if steps 3-6 are started simultaneously, steps 3-4 and steps 5-6 may be performed synchronously, and no specific sequence is specified.
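The following Python model, added here and not taken from the patent's Spring implementation, shows the configurable preprocessing stage of S202/S203 with one switch per mode, the preset-URL short-circuit, and the defense operation assembled from the drop and interrupt switches (custom or default 404 page) with optional logging. The switch names, the preset URL set, the check rules, the HTML-escaping replacement and the order of the steps after the preset URL check are assumptions of this example; the blacklist matcher is passed in as a callable so that the pipeline can be combined with any matcher.

```python
import re
from urllib.parse import unquote_plus

# Every preprocessing mode can be switched on or off independently (names assumed).
DEFAULT_SWITCHES = {
    "preset_url_check": True,
    "header_check": True,
    "header_special_char_replace": True,
    "body_param_check": True,
    "body_special_char_replace": True,
    "encoding_escape": True,
}

# Constructed "preset URLs": requests to these paths skip blacklist matching.
PRESET_URLS = frozenset({"/health", "/static/logo.png"})

# Special characters neutralised by the replacement steps (HTML-escaped here).
SPECIAL_CHARS = {"<": "&lt;", ">": "&gt;", "'": "&#39;", '"': "&quot;"}
PARAM_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def replace_special(text: str) -> str:
    for raw, safe in SPECIAL_CHARS.items():
        text = text.replace(raw, safe)
    return text


def preprocess(packet: dict, switches: dict = DEFAULT_SWITCHES):
    """Return (processed_packet, needs_blacklist_match, failed_checks).

    packet = {"path": str, "headers": {name: value}, "params": "k=v&k=v"}.
    A preset URL short-circuits the whole pipeline, as the patent describes.
    """
    packet = {"path": packet["path"], "headers": dict(packet["headers"]),
              "params": packet["params"]}
    if switches.get("preset_url_check") and packet["path"] in PRESET_URLS:
        return packet, False, []
    failed = []
    if switches.get("encoding_escape"):
        # Canonicalise percent-encoding so the later checks see one representation.
        packet["headers"] = {k: unquote_plus(v) for k, v in packet["headers"].items()}
        packet["params"] = unquote_plus(packet["params"])
    if switches.get("header_check") and "Host" not in packet["headers"]:
        failed.append("missing Host header")
    if switches.get("body_param_check"):
        for pair in filter(None, packet["params"].split("&")):
            name = pair.split("=", 1)[0]
            if not PARAM_NAME.match(name):
                failed.append(f"bad parameter name {name!r}")
    if switches.get("header_special_char_replace"):
        packet["headers"] = {k: replace_special(v) for k, v in packet["headers"].items()}
    if switches.get("body_special_char_replace"):
        packet["params"] = replace_special(packet["params"])
    return packet, True, failed


def defense_actions(drop: bool = True, interrupt: bool = True, custom_404: bool = False):
    """Security defense operation: any combination of dropping the request and
    jumping to the error interrupt page (custom 404 if one exists, else default)."""
    actions = []
    if drop:
        actions.append("drop")
    if interrupt:
        actions.append("jump:custom_404" if custom_404 else "jump:default_404")
    return actions


def handle_request(packet, is_blacklisted, switches=DEFAULT_SWITCHES, *,
                   drop=True, interrupt=True, custom_404=False, log_enabled=False):
    """Preprocess, match the blacklist if required, then decide write or defend.

    is_blacklisted(packet) -> bool is supplied by the caller. Failed checks are
    reported in the result; what to do with them is left to the deployment.
    """
    log = []
    processed, needs_match, failed = preprocess(packet, switches)
    if log_enabled:
        log.append(f"preprocess path={processed['path']} needs_match={needs_match} failed={failed}")
    result = {"packet": processed, "failed_checks": failed, "log": log}
    if needs_match and is_blacklisted(processed):
        actions = defense_actions(drop, interrupt, custom_404)
        if log_enabled:
            log.append(f"blacklist hit, actions={actions}")
        return {**result, "outcome": "defend", "actions": actions}
    if log_enabled:
        log.append("no blacklist hit, written to database")
    return {**result, "outcome": "write", "actions": []}


# Constructed sample packets and a stand-in matcher for the blacklist stage.
HEALTH = {"path": "/health", "headers": {"Host": "www.yangshi.com"}, "params": ""}
SQLI = {"path": "/", "headers": {"Host": "www.yangshi.com"}, "params": "id=1%20union%20select"}
BENIGN = {"path": "/", "headers": {"Host": "www.yangshi.com", "User-Agent": "Mozilla/5.0"},
          "params": "id=1&q=%3Cb%3Ehi"}


def sql_union_hit(packet) -> bool:
    return "union" in packet["params"].lower()


if __name__ == "__main__":
    for name, sample in [("health", HEALTH), ("sqli", SQLI), ("benign", BENIGN)]:
        print(name, handle_request(sample, sql_union_hit, log_enabled=True, custom_404=True))
```

Note the interaction the flow in Fig. 3 implies: special character replacement runs before blacklist matching, so quotes and angle brackets are neutralised by the time the blacklist sees the packet, and the keyword, call and directory entries are the ones that still have to catch the request; a matcher combined with this pipeline should be tested against the processed packet, not the raw one.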
FIG. 4 shows a system embodiment of the present invention, an application security defense system, comprising:
the analysis module 10 is configured to, when receiving the HTTP request message, analyze the HTTP request message to obtain an analyzed data packet; the parsed data packet includes: message header parameters and request body parameters.
Specifically, the HTTP request message is encrypted for security, and therefore, it needs to be parsed to retrieve the parameters in the message header and the request body.
The message header parameters include the values of parameters such as Accept, Host, Referer, Accept-Language, Accept-Encoding, User-Agent, Connection and Cookie. The request body is in either Ajax or JSON format; a data packet in JSON format needs separate processing. In actual use, the message header parameters and the request body are obtained with Java development technology.
Preferably, the process of acquiring the request text parameter specifically includes:
the analysis module 10 is used for directly taking out the request text parameters when the request text in the HTTP request message is the Ajax format data packet; and when the request text in the HTTP request message is a JSON format data packet, performing JSON format conversion, and then taking out the request text parameters.
Ajax and JSON are common data packet formats, and the embodiment can be compatible with processing and safety judgment of the two data packet formats, and is high in compatibility.
The matching module 20 is electrically connected to the analysis module 10 and is used to match the message header parameters and the request body parameters, respectively, against a preset blacklist.
Specifically, the preset blacklist is set up in advance on the basis of experience, historical attack code and the like, and contains a plurality of blacklist parameters. For a specific example, refer to the corresponding method embodiment; it is not repeated here.
The blacklist parameters in the preset blacklist can be updated and modified, which improves the coverage of attack code and ensures the security of the HTTP request message.
The execution module 30 is electrically connected to the matching module 20 and is used to execute a security defense operation when a blacklist parameter in the preset blacklist matches the message header parameters and/or the request body parameters.
Specifically, after the message header parameters and the request body parameters are extracted, each of them is matched against every blacklist parameter in the preset blacklist. If an entry identical to a message header parameter, or an entry identical to a request body parameter, is found in the preset blacklist, the message header parameters and/or the request body parameters are considered to match a blacklist parameter, which indicates that the HTTP request message is an attack message and needs special processing. For a specific example, refer to the corresponding method embodiment; it is not repeated here.
There are many kinds of security defense operation, and they are set according to actual needs, for example: discarding the received HTTP request message; jumping to an error interrupt page; and so on. Any one of them can be selected as the security defense operation, or several can be used in combination.
For example, when the two are combined: if the received HTTP request message is found to be an attack message, the HTTP request message is discarded and a jump to the error interrupt page is made.
The error interrupt page is either a custom 404 page or the default 404 page: if a custom 404 page exists, jump to the custom 404 page; if not, jump to the default 404 page.
Jumping to the error interrupt page is equivalent to interrupting the request. Interrupting the request can be switched on or off according to actual requirements: when it is switched on, the jump to the error interrupt page is performed; when it is switched off, the jump is not performed.
The execution module 30 is further configured to write the parsed data packet into the cloud database when neither the message header parameters nor the request body parameters match a blacklist parameter in the preset blacklist.
Specifically, if neither the message header parameters nor the request body parameters match a blacklist parameter, the HTTP request message is a normal message and may be written into the cloud database for subsequent normal operation.
Optionally, the system of this embodiment further includes a recording module, which is used to record the processing of the received HTTP request message when logging is enabled.
Specifically, logging can be enabled or disabled according to actual requirements: when it is enabled, the processing is logged, which facilitates subsequent statistics; when it is disabled, no logging is needed.
The application security defense method of this embodiment is implemented on the Spring framework. Even when the service system is deployed on a cloud platform and the data packet is encrypted in transit, security detection of the data packet can be carried out directly at the Spring framework layer, which ensures the security of the data written into the cloud platform (namely the cloud database) and reduces the application security risk.
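As an added illustration of the parsing, matching and defense steps described above (Python example code, not the patent's own Java/Spring implementation): the header field list follows the text; the blacklist contents, the case-insensitive substring matching rule, the reading of "Ajax format" as a form-encoded body and the two sample requests are constructed assumptions.

```python
import json
from dataclasses import dataclass
from urllib.parse import parse_qs

# Header fields the patent lists as "message header parameters".
HEADER_FIELDS = ("Accept", "Host", "Referer", "Accept-Language", "Accept-Encoding",
                 "User-Agent", "Connection", "Cookie")

# Constructed preset blacklist (assumption): stands in for the patent's list built from
# experience and historical attack code. Each entry is matched as a case-insensitive
# substring of every header and body parameter value.
BLACKLIST = ("<script", "union select", "../", "javascript:")


@dataclass
class ParsedPacket:
    headers: dict   # message header parameters
    body: dict      # request body parameters


def parse_request(raw: bytes) -> ParsedPacket:
    """Parse a raw HTTP/1.1 request into header and body parameters. A JSON body is
    converted with json.loads first; any other (Ajax form) body is taken out directly."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    all_headers = {}
    for line in lines[1:]:                      # lines[0] is the request line
        name, _, value = line.partition(":")
        all_headers[name.strip()] = value.strip()
    text = body.decode("utf-8", errors="replace")
    if "application/json" in all_headers.get("Content-Type", "").lower():
        obj = json.loads(text) if text.strip() else {}
        params = {k: v if isinstance(v, str) else json.dumps(v) for k, v in obj.items()}
    else:
        params = {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}
    return ParsedPacket({k: v for k, v in all_headers.items() if k in HEADER_FIELDS}, params)


def match_blacklist(packet: ParsedPacket, blacklist=BLACKLIST) -> list:
    """Match each header and body parameter against every blacklist entry;
    returns the hits as (location, parameter name, blacklist entry)."""
    hits = []
    for where, params in (("header", packet.headers), ("body", packet.body)):
        for name, value in params.items():
            low = value.lower()
            hits.extend((where, name, bad) for bad in blacklist if bad in low)
    return hits


def decide(packet: ParsedPacket, interrupt_on: bool = True, custom_404: str = None):
    """Security defense decision. A matched packet is discarded and, when the
    interrupt-request switch is on, the client is sent to the custom 404 page if one
    exists, otherwise to the default 404 page. An unmatched packet is written to the
    cloud database, represented here by the 'store' action."""
    hits = match_blacklist(packet)
    if not hits:
        return "store", None, hits
    return "discard", (custom_404 or "/404") if interrupt_on else None, hits


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\nUser-Agent: curl/8.0\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=ada&pw=secret")
BAD = (b"POST /search HTTP/1.1\r\nHost: app.example.test\r\nUser-Agent: curl/8.0\r\n"
       b"Content-Type: application/json\r\n\r\n" + json.dumps({"q": "<script>alert(1)</script>"}).encode())
```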
FIG. 5 shows another embodiment of the system of the present invention, an application security defense system, comprising:
the analysis module 10 is configured to parse the HTTP request message when it is received, obtaining a parsed data packet; the parsed data packet includes the message header parameters and the request body parameters.
Preferably, the process of acquiring the request body parameters specifically includes:
the analysis module 10 takes out the request body parameters directly when the request body in the HTTP request message is an Ajax-format data packet; when the request body is a JSON-format data packet, it performs JSON format conversion first and then takes out the request body parameters.
The preprocessing module 40 is electrically connected to the analysis module 10 and the execution module 30 and is used to perform security preprocessing on the parsed data packet to obtain a processing result.
Specifically, security preprocessing means that when the parsed data packet is obtained, preset blacklist matching is not performed directly; the parsed data packet is processed first, and the specific processing content is determined by the actual settings.
The security preprocessing comprises any one or more of: preset URL verification, message header verification, request body parameter verification, request body special character replacement, message header special character replacement and encoding escape format processing.
Any of the above security preprocessing modes can be switched on and off independently, and the corresponding processing is executed only when the mode is switched on. An engineer can manually adjust the switch of each security preprocessing mode according to the actual situation. Because the security preprocessing is developed on the Spring framework, switching a mode on or off takes effect within 1-2 seconds, so the response is fast.
For example, when preset URL verification is switched on, the preprocessing module 40 judges whether the parsed data packet is for a preset URL; if so, the processing result is that blacklist matching is not required.
Preset URLs are special URLs that enjoy VIP treatment: they are released directly, and the subsequent preset blacklist matching need not be executed for them. Preset URL verification gives certain special URLs advanced authority, so they are executed quickly and the response speed is improved.
Message header verification and message header special character replacement process the message header parameters; request body parameter verification and request body special character replacement process the request body parameters; encoding escape format processing processes the entire parsed data packet, converting the current encoding format into another specified encoding format according to the design requirement.
The execution module 30 is further configured to write the parsed data packet after security preprocessing into the cloud database when the processing result is that blacklist matching is not required.
The matching module 20 is configured to match the message header parameters and the request body parameters against the preset blacklist, specifically: when the processing result is that blacklist matching is required, the matching module 20 matches the message header parameters and the request body parameters after security preprocessing, respectively, against the preset blacklist.
The execution module 30 is configured to execute a security defense operation when a blacklist parameter in the preset blacklist matches the message header parameters and/or the request body parameters, and to write the parsed data packet into the cloud database when neither the message header parameters nor the request body parameters match a blacklist parameter in the preset blacklist.
Optionally, the system of this embodiment further includes a recording module, which is used to record the processing of the received HTTP request message when logging is enabled.
Specifically, the implementation of this system embodiment is the same as that of the corresponding method embodiment described above and is not described in detail here.
In this embodiment, security preprocessing is added before preset blacklist matching: the parsed data packet is preprocessed first, which reduces the probability that it is an attack and improves application security. The security preprocessing can also be managed dynamically and supports targeted manual adjustment, so the method adapts flexibly to changing actual conditions and is convenient to use.
It should be noted that the above embodiments can be freely combined as necessary. The foregoing is only a preferred embodiment of the present invention; it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered within the protection scope of the present invention.
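As an added illustration of the preprocessing chain of this embodiment (Python example code, not the patent's Spring implementation): each mode has an independent switch, a preset URL is released without matching, and encoding escape, header/body verification and special-character replacement run in the claimed order, handing a processing result to the matching step. The concrete meaning of each step (percent-decoding plus NFKC normalization for the encoding escape, CR/LF and length limits plus an expected Host for the verifications, HTML-entity substitution for the replacement), the 'defend' result on a failed verification, and the preset URLs and hosts are assumptions.

```python
import unicodedata
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:            # the parsed data packet: URL plus header and body parameters
    url: str
    headers: dict
    body: dict


# Constructed settings (assumptions, not from the patent). Every preprocessing mode has
# its own on/off switch, as the text describes.
SWITCHES = {"preset_url": True, "encoding": True, "header_check": True,
            "header_replace": True, "body_check": True, "body_replace": True}
PRESET_URLS = {"/health", "/static/logo.png"}     # released without blacklist matching
ALLOWED_HOSTS = {"app.example.test"}              # expected Host values for the header check
MAX_VALUE_LEN = 4096
# Special-character replacement table (assumed: HTML-entity substitution).
REPLACEMENTS = str.maketrans({"<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"})


def escape_encoding(params: dict) -> dict:
    """Encoding escape format processing (assumed meaning): percent-decode every value and
    normalize it to NFKC, so the checks and the blacklist see one canonical form."""
    return {k: unicodedata.normalize("NFKC", unquote(v)) for k, v in params.items()}


def check_params(params: dict, allowed_hosts=None) -> bool:
    """Verification step (assumed rules): no CR/LF in any value (header injection),
    bounded value length and, for headers, a Host from the allowed set."""
    for value in params.values():
        if "\r" in value or "\n" in value or len(value) > MAX_VALUE_LEN:
            return False
    return allowed_hosts is None or params.get("Host") in allowed_hosts


def replace_special(params: dict) -> dict:
    return {k: v.translate(REPLACEMENTS) for k, v in params.items()}


def preprocess(packet: Packet, switches=SWITCHES):
    """Runs the security preprocessing chain in the claimed order and returns
    (processing result, packet). Results: 'skip' = preset URL, release without matching;
    'match' = blacklist matching required; 'defend' = a verification failed (assumption:
    the patent does not say what happens then; here it is treated like a matched packet)."""
    if switches["preset_url"] and packet.url in PRESET_URLS:  # exact path, not a prefix
        return "skip", packet
    headers, body = packet.headers, packet.body
    if switches["encoding"]:
        headers, body = escape_encoding(headers), escape_encoding(body)
    if switches["header_check"] and not check_params(headers, ALLOWED_HOSTS):
        return "defend", Packet(packet.url, headers, body)
    if switches["header_replace"]:
        headers = replace_special(headers)
    if switches["body_check"] and not check_params(body):
        return "defend", Packet(packet.url, headers, body)
    if switches["body_replace"]:
        body = replace_special(body)
    return "match", Packet(packet.url, headers, body)
```

Because special characters are replaced before blacklist matching, blacklist entries must be written against the replaced form (for instance `&lt;script` rather than `<script`), otherwise the matching step never sees the raw pattern.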
Claims (7)
1. An application security defense method, running in a Spring framework, characterized by comprising the following steps:
when an HTTP request message is received, parsing the HTTP request message to obtain a parsed data packet; the parsed data packet includes the message header parameters and the request body parameters;
performing security preprocessing on the parsed data packet to obtain a processing result;
when the processing result is that blacklist matching is required, matching the message header parameters and the request body parameters after security preprocessing, respectively, against a preset blacklist;
when the message header parameters and/or the request body parameters match a blacklist parameter in the preset blacklist, executing a security defense operation;
wherein performing security preprocessing on the parsed data packet to obtain a processing result comprises the following steps:
judging whether the parsed data packet is for a preset URL; if not, the processing result is that blacklist matching is required;
performing encoding escape format processing on the parsed data packet;
performing message header verification on the message header parameters after encoding escape format processing; if the message header passes verification, performing message header special character replacement on the message header parameters;
performing request body parameter verification on the request body parameters after encoding escape format processing; and if the request body parameters pass verification, performing request body special character replacement on the request body parameters.
2. The application security defense method of claim 1, wherein the process of acquiring the request body parameters specifically comprises:
when the request body in the HTTP request message is an Ajax-format data packet, taking out the request body parameters directly;
and when the request body in the HTTP request message is a JSON-format data packet, performing JSON format conversion and then taking out the request body parameters.
3. The application security defense method of claim 1, wherein the security defense operation includes any one or more of:
discarding the received HTTP request message;
jumping to an error interrupt page.
4. The application security defense method of claim 1, wherein performing security preprocessing on the parsed data packet to obtain a processing result further comprises:
when the processing result is that blacklist matching is not required, writing the parsed data packet after security preprocessing into a cloud database.
5. The application security defense method of claim 4, characterized in that:
when the parsed data packet is for a preset URL, the processing result is that blacklist matching is not required.
6. An application security defense system, comprising:
an analysis module, used to parse the HTTP request message when it is received, obtaining a parsed data packet; the parsed data packet includes the message header parameters and the request body parameters;
a preprocessing module, used to perform security preprocessing on the parsed data packet to obtain a processing result;
a matching module, used to match the message header parameters and the request body parameters after security preprocessing, respectively, against a preset blacklist when the processing result is that blacklist matching is required;
an execution module, used to execute a security defense operation when the message header parameters and/or the request body parameters match a blacklist parameter in the preset blacklist;
wherein the preprocessing module is further used to judge whether the parsed data packet is for a preset URL, and if not, the processing result is that blacklist matching is required; to perform encoding escape format processing on the parsed data packet; to perform message header verification on the message header parameters after encoding escape format processing and, if the message header passes verification, to perform message header special character replacement on the message header parameters; and to perform request body parameter verification on the request body parameters after encoding escape format processing and, if the request body parameters pass verification, to perform request body special character replacement on the request body parameters.
7. The application security defense system of claim 6, characterized in that:
the execution module is further used to write the parsed data packet after security preprocessing into a cloud database when the processing result is that blacklist matching is not required.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811191644.8A CN109347820B (en) | 2018-10-12 | 2018-10-12 | Application security defense method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109347820A CN109347820A (en) | 2019-02-15 |
CN109347820B true CN109347820B (en) | 2021-10-22 |
Family
ID=65309859
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109347820B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |